Mobile Penetration Testing

Your app in expert hands — secure from the UI and local storage to the API

Mobile applications are often at the heart of digital interaction today. Whether e-banking, mobile patient records, electronic door access, or controlling industrial systems: apps process highly sensitive data and communicate through complex interfaces. But this very versatility also makes them an attractive target for attackers.

Standardized web security scans are not sufficient here. Mobile operating systems like iOS and Android have their own security architectures and attack vectors. They are also often exposed to different risks, such as physical access. Redguard helps you identify vulnerabilities before they can be exploited. With our specialized «Mobile Testing Lab» and in-house analysis tools, we take a deep look under the hood of your application.

Request offer

The Redguard «Mobile Testing Lab»

To test mobile apps efficiently and under realistic conditions, we use a dedicated test environment for mobile applications, with specialized equipment:

  • Specialized test devices: A key question is often how well an app is protected against attacks on a compromised device. Because even in that situation, there are protective measures that can reduce the impact. That’s why we maintain various devices that allow us to simulate such attacks. Only this way can we bypass security mechanisms such as sandboxing and verify whether your data remains protected even with physical access to the endpoint.
  • Reverse engineering: Our specialists first decompile your app to uncover insecure libraries, hardcoded secrets, risky API calls, or configuration issues in the source code. This step also gathers key insights needed for the runtime analysis.
  • In-house development «PARIS»: With our in-house tool PARIS (Process-Attached Remote Interception Solution), we make the invisible visible. This tool significantly simplifies runtime analysis (dynamic analysis). Even if your app code is obfuscated, we can visualize and analyze important security-relevant events in real time on a timeline.

Efficient analysis with PARIS and OWASP MAS — our technology edge

Modern apps are often protected through code obfuscation, which makes conventional analyses time-consuming. During a multi-day internal hackathon — known at Redguard as our annual Research Days — we created PARIS (yes, in Paris), a software solution that tames this complexity:

  • Real-time monitoring: PARIS monitors security-relevant functions related to data storage, cryptography, authentication, and networking while the app is running.
  • Risk assessment: These functions are monitored for risk. For example, if an API is called with insecure parameters, a risk is generated, which security testers then verify manually. This increases efficiency and practically eliminates false positives.
  • OWASP MAS as a foundation: Our tools and security testers follow OWASP’s Mobile Application Security Project. This ensures we test all areas of an app properly and identify risks that simple vulnerability scanners often miss.
  • Our commitment: We don’t just use OWASP MAS — we actively contribute to it. We also develop a reference app that implements commonly seen vulnerabilities. This helps ensure the framework stays current and remains a strong foundation for mobile app penetration tests.

Our approach: a systematic methodology

We follow a proven process that goes far beyond simply searching for bugs:

1. Threat modeling

Together, we identify the most critical assets. We then build a threat model and ask questions such as:

  • How is the app architecture structured?
  • How are backend services used?
  • Where and how is the app typically used?
  • What are possible attack vectors?
  • Does the app use security measures provided by Android or iOS?
  • Are there regulatory requirements for the data or availability?
  • What would be the greatest impact in case of compromise?

The answers to these questions form the basis for our further work and guide our security testers during the actual tests.

2. Static & dynamic app analysis

We combine classic reverse engineering with modern runtime analysis.

During static analysis, the app is first “mapped out.” That means we enumerate components, used libraries, operating system features, and initiated network connections. We also examine whether and how the app protects itself against reverse engineering — for example through code obfuscation. The app does not need to be launched for this step.

Afterwards, we start the app. Thanks to PARIS, we can also identify risks that only become visible at runtime — especially in complex app architectures.

3. Server API & backend testing

Mobile apps often communicate with multiple backend servers. That’s why a mobile app penetration test is often performed in combination with a backend penetration test. Only then can we ensure the entire application has been assessed for security risks.

For network testing, we configure our test devices so that we can inspect the network traffic. Then — just as we would for a web application — we test the server API.

4. Findings report & consulting

You won’t receive an automated scan report, but a well-founded analysis including concrete, prioritized recommendations. We don’t only explain the “what,” but also the “how” of sustainable remediation.

If you also need developer trainings specifically for secure mobile apps, we’re happy to advise you as well.

Why Redguard for mobile security?

  • In-house research & development: With tools like PARIS, we go where standard tools reach their limits.
  • Strong commitment to mobile security: We actively contribute to the global IT security community and help ensure the OWASP MAS security framework continues to evolve.
  • Deep testing instead of surface checks: By using prepared hardware, we simulate attacks by skilled actors.
  • Practical relevance: We don’t give you a list of theoretical issues, but tailored recommendations that fit your risk profile.
  • Holistic view: We assess the entire ecosystem — from source code and local databases all the way to cloud interfaces.

Your benefits at a glance

  • Protect your reputation: Prevent data leaks that could permanently damage your customers’ trust.
  • Compliance & standards: Meet regulatory requirements (e.g., nFADP, GDPR) and industry standards (e.g., OWASP MAS projects).
  • Secure release cycles: Identify architectural flaws early to avoid costly rework after an app store release.
  • Direct access to experts: Benefit from the know-how of our pentesters who develop their own tools for the community and our customers.

Do you have a mobile app you’d like to have tested thoroughly? Let’s make sure your application can withstand advanced attacks as well. We look forward to your contact request for a non-binding initial consultation.

Request offer

FAQ – Frequently asked questions about mobile penetration testing

Does Redguard need the app’s source code for the test?

A test is possible both with and without source code («Grey-Box» vs. «Black-Box»). However, we recommend the grey-box approach: if we have the code or documentation of the apps and the server API interfaces, we can test more efficiently and also find hidden logic flaws that are hardly detectable from the surface.

Do you test both Android and iOS versions?

Yes. Because the security architectures (e.g., Keychain on iOS vs. Keystore on Android) differ fundamentally, we assess both platforms individually. We also verify whether security measures have been implemented consistently across both systems.

Can you test apps that use code obfuscation?

Absolutely. We even recommend that you provide us with a version that includes all hardening measures. This allows us to determine the effective risk of the release version. With our tooling, we can also perform parts of the runtime analysis even on hardened apps.

However, there are hardening measures that deliberately prevent certain techniques used by these tools. If you use such measures or obfuscation frameworks, we also recommend providing a non-hardened version so we can additionally assess the app’s business logic efficiently.

What’s the difference compared to a standard web pentest?

A web pentest primarily focuses on the server. In a mobile pentest, the focus is on «local security»:

  • How securely is data stored on the physical device?
  • Are users authenticated locally?
  • Does your app protect customer data as well as possible on a compromised device?
  • Do your apps use the protections provided by the operating systems correctly?
  • Do the app components communicate securely with other applications on the device?

However, because mobile apps often communicate with a server API, a mobile app penetration test is often conducted together with a web application penetration test.

When is the best time for a mobile penetration test?

Ideally, a comprehensive test takes place before the first release or after major architectural changes. However, we recommend running security checks regularly, because both attack methods and operating system security features (iOS/Android) continuously evolve.

How long does a typical test take?

The duration depends heavily on the scope of the apps. Today, mobile apps are often developed with frameworks such as Flutter or React Native. In that case, we often choose a lead platform, such as Android, and then test only the native components on iOS. On average, however, we estimate around 5 person-days per native app. Optionally, a backend analysis can be added, whose scope depends strongly on API complexity (number of endpoints, etc.).

Where can I learn more about mobile app security?

We offer trainings specifically for mobile app developers. These trainings explain how to build secure iOS and Android apps that can withstand our penetration tests.

Request offer

Mobile Application Penetration Testing Blog Posts

MAS Reference App - Implementing Mobile App Vulnerabilities and Defenses Mar 6, 2025

Mobile applications are an integral part of everyday life, often handling sensitive data such as personal messages, financial information, or digital credentials. Ensuring these apps are secure is paramount. At Redguard, we specialize in mobile application penetration testing, identifying vulnerabilities before attackers can exploit them. To conduct thorough assessments, we leverage the OWASP Mobile Application Security (MAS) framework, which provides comprehensive coverage of mobile security topics. While existing «Crackme» apps provide valuable training for security professionals, they are not always aligned with real-world vulnerabilities. To address this gap, we created the MAS Reference App, which implements a broad range of MAS-defined weaknesses and defense-in-depth techniques. Read this blog post to find out more about its key features and how it supports security testing and development.

Read full post

Laufzeitanalyse einer Mobile App in PARIS Oct 25, 2023

Das Testen von Sicherheitsrisiken bei mobilen Anwendungen ist mit einigen Herausforderungen verbunden. So wird der Code der Apps zum Beispiel oft verschleiert, was eine statische Analyse erschwert. In so einem Fall ist eine Analyse der Anwendung zur Laufzeit eine mögliche Alternative. Bei komplexen Anwendungen kann dies jedoch ebenfalls ein aufwendiges Unterfangen sein, da die Security Tester die Anwendung zuerst im Detail verstehen müssen. Typische Fragen, die beim Testen von Apps auftauchen, sind beispielsweise auf welche Art und Weise Daten gespeichert, ver- oder entschlüsselt werden, ob die Anwendung sichere Authentifizierung nutzt oder wie Netzwerkressourcen angesprochen und genutzt werden. Bei einer Laufzeitanalyse versuchen die Security Tester dabei jeweils die relevanten Funktionen zu überwachen, welche beim Verwenden der Anwendung ausgeführt werden (könnten). Je nach Komplexitätsgrad der Anwendung gleicht dies der Suche nach der Nadel im Heuhaufen. Um diese Komplexität zu minimieren und den Einstieg in die Analyse zu vereinfachen, haben sich zwei unserer Security Tester an den Redguard Research Days in Paris diesem Thema angenommen und dabei ein neues Tool entwickelt.

Read full post

Redguards «Mobile Testing Lab» in Aktion – Hack mit uns eine App Jul 28, 2022

Wir nutzen mobile Applikationen für E-Banking, Social Media, Medienkonsum aller Art oder um wichtige Dokumente zu bearbeiten, um sie dann auf dem Gerät zu speichern. Daher sind die Sicherheitsanforderungen an solche Apps stetig gewachsen – weshalb viele Kunden die Sicherheit ihrer mobilen Applikationen von Redguard prüfen lassen. Im Vergleich zu Penetration Tests von Webanwendungen, Netzwerken oder Software genereller Art, gibt es bei Mobile Apps jedoch einige Unterschiede, die beim Testing berücksichtigt werden müssen. Dazu haben wir ein «Mobile Testing Lab» entwickelt. Wie nutzen wir dieses im Alltag? Erhalten Sie hier einen Einblick.

Read full post

Sichere Apps dank unserem «Mobile Testing Lab» Aug 4, 2021

In der Praxis testet Redguard eine sehr breite Sammlung von Web-Anwendungen, Netzwerken oder Softwares genereller Art. Doch was ist mit mobilen Anwendungen? Mobile Apps sind aus keinem Wirtschaftszweig mehr wegzudenken. Oft werden mit ihrer Hilfe sensitive Informationen verarbeitet. Damit wir diese Anwendungen effizient testen können, benötigen wir die entsprechende Ausrüstung. Diese haben wir entwickelt. Erhalten Sie hier einen Einblick in das spannende Testen von mobilen Anwendungen.

Read full post