Mobile App Penetration Testing: iOS, Android and the API Behind Them

A mobile app is three attack surfaces in one: the client binary on a device you do not control, the local data it stores, and the API it talks to. Mobile application penetration testing assesses all three against the OWASP Mobile Application Security Verification Standard (MASVS) and Testing Guide (MASTG). Matproof Sentinel tests your iOS and Android apps plus their backend APIs, proves the exploitable findings, and returns an audit-ready report mapped to ISO 27001 and SOC 2. Report from €149.

Written by Malte Wagenbach
Founder of Matproof Security. Specialized in AI-driven penetration testing and EU compliance (DORA, NIS2, ISO 27001, SOC 2).
Last reviewed: May 17, 2026

Why mobile apps fail differently — and why the API is half the test

Mobile penetration testing has to account for a threat model the web does not share: the attacker physically controls the device the client runs on. They can decompile the app, read its local storage, hook its runtime, and inspect every request it makes. That means secrets hard-coded in the binary are not secret, 'hidden' API endpoints are fully visible, and any security control enforced only in the client is no control at all. The OWASP MASVS exists to structure this — insecure data storage, weak cryptography, insecure communication, and reverse-engineering resistance are core categories. But the most important finding in most mobile tests is on the server side: because controls in the client can always be bypassed, the backend API must independently enforce every authorization and validation rule, and frequently doesn't. A mobile pentest that only inspects the binary and skips the API behind it misses where the real data exposure lives. Sentinel tests the client, the on-device storage, and the API together — because an attacker does not respect the boundary between them.

  • The attacker owns the device: the app binary can be decompiled and instrumented, so hard-coded secrets, API keys and 'hidden' endpoints are fully exposed — never a security control.
  • Insecure local storage (MASVS-STORAGE): tokens, PII and credentials saved in plaintext, shared preferences, or world-readable files are recoverable from a lost or compromised device.
  • Client-side controls are bypassable: jailbreak/root detection, certificate pinning and input validation enforced only in the app can be hooked and disabled — the backend must re-enforce everything.
  • The backend API is half the test: because client controls fail, BOLA, broken authentication and excessive data exposure in the API are usually the highest-impact mobile findings.
  • App-store presence and enterprise buyers increasingly expect a current mobile pentest; ISO 27001 A.8.25/A.8.26 (secure development, application security requirements) and SOC 2 expect documented mobile application testing.
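What "the backend must re-enforce everything" looks like in code, as an added Kotlin example that is not Matproof's code or any client's: a handler that trusts the client's word on which invoice it may read, beside one that derives the acting user from the validated session and checks ownership on the server. Session, Invoice, InvoiceApi and the in-memory tables are hypothetical stand-ins for a real session store and database.

```kotlin
// Added example: server-side object-level authorization for a mobile app's API.
// Session, Invoice, InvoiceApi and the in-memory maps are hypothetical; a real
// service would back them with a session store and a database.

data class Session(val userId: String)
data class Invoice(val id: Long, val ownerId: String, val amountCents: Long)

sealed class Response {
    data class Ok(val invoice: Invoice) : Response()
    data class NotFound(val id: Long) : Response()
    object Unauthorized : Response()
}

class InvoiceApi(
    private val invoices: Map<Long, Invoice>,
    private val sessions: Map<String, Session>,
) {
    // Vulnerable: the app's UI only ever shows the user their own invoices, and the
    // developer relied on that. Any caller who replays the request with a different
    // id gets the record back. This is OWASP API1:2023, broken object level authorization.
    fun getInvoiceVulnerable(bearerToken: String, invoiceId: Long): Response {
        sessions[bearerToken] ?: return Response.Unauthorized
        val invoice = invoices[invoiceId] ?: return Response.NotFound(invoiceId)
        return Response.Ok(invoice)
    }

    // Hardened: the acting user is taken only from the validated session, never from
    // a client-supplied parameter, and ownership is checked after the lookup on the
    // server. A foreign id is answered as NotFound so the response does not double as
    // an oracle for which ids exist.
    fun getInvoice(bearerToken: String, invoiceId: Long): Response {
        val session = sessions[bearerToken] ?: return Response.Unauthorized
        val invoice = invoices[invoiceId] ?: return Response.NotFound(invoiceId)
        if (invoice.ownerId != session.userId) return Response.NotFound(invoiceId)
        return Response.Ok(invoice)
    }
}

fun main() {
    // Constructed sample data: two users, one invoice each, one valid session per user.
    val invoices = mapOf(
        1001L to Invoice(1001, "alice", 12_000),
        1002L to Invoice(1002, "bob", 4_500),
    )
    val sessions = mapOf("tok-alice" to Session("alice"), "tok-bob" to Session("bob"))
    val api = InvoiceApi(invoices, sessions)

    // Bob asks for Alice's invoice: the vulnerable handler hands it over,
    // the hardened one does not, while Bob's own invoice still works.
    println("vulnerable, foreign id: " + api.getInvoiceVulnerable("tok-bob", 1001))
    println("hardened, foreign id:   " + api.getInvoice("tok-bob", 1001))
    println("hardened, own id:       " + api.getInvoice("tok-bob", 1002))
    println("hardened, bad token:    " + api.getInvoice("forged-token", 1002))
}
```

The same shape applies to every object-bearing route (update, delete, list): load the object, then compare its owner (or an explicit permission record) against the identity the server established, never against an id the client sent in the body or query string.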

What Matproof tests in a mobile app penetration test

  • Insecure data storage (MASVS-STORAGE): plaintext tokens/PII in preferences, SQLite, keychain/keystore misuse, sensitive data in logs and backups
  • Cryptography (MASVS-CRYPTO): weak or custom algorithms, hard-coded keys, predictable IVs, improper key management
  • Network communication (MASVS-NETWORK): TLS validation, certificate pinning and its bypassability, cleartext traffic, exposure to man-in-the-middle
  • Authentication & session handling (MASVS-AUTH): token storage and lifetime, biometric/local-auth bypass, session fixation
  • Platform interaction (MASVS-PLATFORM): exported components and deep links (Android), URL scheme abuse and pasteboard leakage (iOS), WebView and JavaScript-bridge risks
  • Reverse engineering & tampering (MASVS-RESILIENCE): secrets recoverable from the binary, root/jailbreak and anti-tamper bypass, runtime hooking exposure
  • Backend API testing: OWASP API Top 10 (2023) against the app's API — BOLA, broken authentication, excessive data exposure, mass-assignment
  • Findings risk-rated with CVSS 3.1 and mapped to OWASP MASVS, ISO 27001:2022 A.8.25/A.8.26 and SOC 2 for audit-ready evidence

Sample finding

High

OAuth token stored in plaintext shared preferences, recoverable from device backup

Sentinel found that the Android app persisted the user's long-lived OAuth refresh token in plaintext in SharedPreferences, which is included in standard device backups and readable on a rooted device. An attacker with brief physical access, a malicious backup-restore, or a device-theft scenario could extract the token and impersonate the user indefinitely — the token had no device binding and a multi-month lifetime. This is OWASP MASVS-STORAGE, one of the most common mobile findings, and it cannot be detected by testing the API alone.

Fix: Store sensitive tokens in the platform secure store (Android Keystore / iOS Keychain) with hardware-backed keys where available, and exclude them from backups (android:allowBackup handling / iOS data-protection classes). Shorten refresh-token lifetime and bind tokens to the device. Add server-side anomaly detection for token reuse from new devices. Sentinel re-tests storage after remediation and records the verification for ISO 27001 A.8.26 evidence.

Reference: OWASP MASVS-STORAGE-1 · CWE-312 Cleartext Storage of Sensitive Information · ISO 27001:2022 A.8.26 Application Security Requirements · OWASP Mobile Top 10 M9 Insecure Data Storage

Mobile pentest: free scan vs Matproof Sentinel vs traditional consultancy

| | Free scan | Matproof Sentinel | Traditional consultancy |
|---|---|---|---|
| Automated scan engine | ✓ (3-min preview) | ✓ Full scan | ✗ Manual only |
| OWASP Top 10 coverage | Partial | ✓ Complete | ✓ Complete |
| Proof-of-exploit evidence | | ✓ Per finding | ✓ Per finding |
| Regulatory mapping (DORA/NIS2/ISO 27001) | | ✓ Automated | ✓ Manual |
| Audit-ready PDF report | | ✓ Instant | ✓ 2–4 weeks delivery |
| Continuous / recurring scans | | ✓ Per deploy | ✗ Annual engagement |
| Time to first result | ~3 min | ~30 min full scan | 2–4 weeks |
| Price | €0 | From €149 | €8,000–€25,000 |
| Source code review (SAST) | | ✓ On Growth plan | ✓ Scoped engagement |
| API testing (REST/GraphQL) | | ✓ Automated | ✓ Manual |

Mobile app penetration testing pricing

Single Run
€149 one-time
  • 1 full pentest scan
  • AI-prioritized findings with CVSS 3.1
  • Proof-of-exploit per finding
  • Audit-ready PDF report
  • Regulatory mapping (DORA, NIS2, ISO 27001)
Starter (recommended)
€299 / month
  • Unlimited scans (up to 3 domains)
  • Continuous monitoring
  • CI/CD integration (GitHub, GitLab)
  • All regulatory mappings
  • Priority support
Growth
€799 / month
  • Unlimited scans + domains
  • Authenticated / White-Box testing
  • API & cloud infrastructure tests
  • Dedicated security account manager
  • 24h SLA response time

Frequently asked questions about mobile app penetration testing

What is mobile app penetration testing?

Mobile app penetration testing assesses an iOS or Android application across three surfaces: the client binary (which the attacker can decompile and instrument), the data it stores on-device, and the backend API it communicates with. It is structured around the OWASP Mobile Application Security Verification Standard (MASVS) and Testing Guide (MASTG), and the goal is to find and prove what an attacker who controls the device — or steals it — could actually do.

Why does the mobile pentest include the backend API?

Because any security control enforced only in the mobile client can be bypassed — the attacker controls the device and can hook or patch the app. The only place authorization and validation can be reliably enforced is the server. As a result, the highest-impact mobile findings are usually API-side: broken object-level authorization, weak authentication, and excessive data exposure. Testing the binary without the API leaves the real risk untested.

Do you test both iOS and Android?

Yes. The platforms differ — Keychain vs Keystore, URL schemes vs intents/deep links, data-protection classes vs allowBackup — and Sentinel covers the platform-specific risks for each, plus the shared API backend that serves both.

How much does mobile app penetration testing cost?

Traditional consultancy mobile pentests typically run £5,000–£15,000 per platform depending on app complexity, over several weeks. Matproof Sentinel includes mobile-backend API testing from €149 (single run); deeper client-binary and on-device testing is scoped on the Growth plan. See our penetration testing cost guide for the breakdown.


Test your mobile app and the API behind it

Start with a free scan of your app's backend, or get a full mobile app penetration test — iOS/Android client, storage and API, proof-of-exploit per finding, mapped to OWASP MASVS, ISO 27001 and SOC 2 — from €149.
