Pentest of Mobile APP
The test method used by binsec GmbH for mobile applications (Android and iOS) is based on the OWASP Mobile Application Security Testing Guide and the OWASP Mobile TOP 10. The Open Web Application Security Project (OWASP) is currently the world's largest non-profit organisation, the objective of which is to increase the security of applications. The OWASP Mobile Top 10 includes the ten most critical vulnerabilities in mobile applications. According to the current release from 2024, one of the most common vulnerabilities is the insecure storage of sensitive data, such as user passwords in a configuration file. Unless otherwise requested, we also include the APIs of a mobile application in our penetration test.
The methodical test approach of binsec GmbH is roughly divided into the following test phases. Within the test phases, the mobile application is examined for the vulnerabilities of the OWASP Mobile TOP 10. Various analysis tools are used during the pentest, as well as intensive manual testing. The exact course of the penetration test depends heavily on the characteristics of the respective application and is based on the approach a real attacker would take. In order to gain full control over the communication and access to the data storage, we try to circumvent protection mechanisms such as an implemented jailbreak/root detection or HTTP pinning of public keys:
Setting up a test environment
Reverse engineering & manipulation of the source code
Verification of the platform usage
Secure data storage & communication
Checking the server-side protection mechanisms
Example Report
Your advantages with
binsec GmbH
As an owner-managed pentest boutique – staffed by a high-performing team of around 10 experienced senior experts – binsec GmbH has specialized in sophisticated penetration testing for over a decade. We demonstrate our deep roots in the community every day through our own platforms like binsec.tools, binsec.wiki, and binsec.academy. Relevant academic degrees, high-caliber industry certifications, and years of hands-on project experience are what truly matter to us – and how we guarantee a precise, manual analysis for every assessment.
Contact usMore than 10 years of practical experience in penetration testing
No subcontractors or external freelancers
Direct communication with the responsible senior penetration tester
Structured, documented, and reproducible testing methodology based on PTDoc®
Fully controlled in-house pentesting infrastructure, no cloud services used
Identification of technical and business-relevant security risks
Risk-weighted vulnerability assessment or CVSS based scoring
Report including executive summary and detailed technical section
Retesting of identified vulnerabilities included
Your advantages with
binsec GmbH
As an owner-managed pentest boutique – staffed by a high-performing team of around 10 experienced senior experts – binsec GmbH has specialized in sophisticated penetration testing for over a decade. We demonstrate our deep roots in the community every day through our own platforms like binsec.tools, binsec.wiki, and binsec.academy. Relevant academic degrees, high-caliber industry certifications, and years of hands-on project experience are what truly matter to us – and how we guarantee a precise, manual analysis for every assessment.
More than 10 years of practical experience in penetration testing
No subcontractors or external freelancers
Direct communication with the responsible senior penetration tester
Structured, documented, and reproducible testing methodology based on PTDoc®
Fully controlled in-house pentesting infrastructure, no cloud services used
Identification of technical and business-relevant security risks
Risk-weighted vulnerability assessment or CVSS based scoring
Report including executive summary and detailed technical section
Retesting of identified vulnerabilities included
Approach: Standard-Compliant & Reproducible
A penetration test is a structured attack on IT systems or applications to identify potential vulnerabilities. It uses the same tools and techniques that real attackers would use to break into a system. Thus, a penetration test is not an automated vulnerability scan. On the contrary, a penetration test as a service is always a combination of using security tools and conducting manual tests to uncover vulnerabilities. While a real attacker only needs to find and exploit a single vulnerability, a penetration tester checks all relevant attack vectors.
Having a structured approach is one of the most important factors. For this purpose, we use our own platform PTDoc®, a specialized pentest documentation tool that logs all manual testing steps in full compliance with all relevant security standards and translates them into a clear, reproducible report for you. Since this tool significantly reduces the overhead of report generation, it allows us to focus entirely on our core mission as pentesters: identifying and analyzing critical security flaws. This is particularly relevant when conducting a penetration test of a mobile application. Our approach is based on all relevant standards and publications.
How We Work During Mobile Application Penetration Tests
From Planning to Re-Testing
Preparations
We coordinate the technical and organisational framework for the penetration test, communication channels, points of contact and testing windows. Depending on the project, this is done through a kick-off meeting or a brief exchange via e-mail. Where required, the client provides relevant technical documentation and access to the systems within scope.
Conducting
The penetration test is performed using a structured and risk-oriented assessment approach that combines automated analysis techniques with extensive manual testing. The specific test cases and assessment procedures depend on the actual conditions, technologies and attack surface encountered within the target environment.
Reporting
After the assessment, we prepare a detailed report including an executive summary, risk ratings, technical details and remediation recommendations. Findings are documented in a clear and reproducible manner and critical issues are communicated immediately during the engagement if required.
Debriefing
We are happy to review the findings and recommendations together with your team. During the debriefing, we explain technical details, potential impacts and remediation priorities, while answering questions and discussing next steps.
Re-Testing
After remediation, we verify whether the identified findings have been successfully resolved and update the report accordingly. Re-testing is generally included for remote assessments and provides assurance that the implemented measures are effective.
Request a Quote for a Mobile Application Penetration Test
Planning a penetration test always requires a careful balance between the time invested in testing and the financial framework to achieve a reasonable price-performance ratio. Successful pentests are characterized by a precise balance between these factors, as this is the only way to guarantee a reliable review of all relevant attack vectors. The time required depends on the size and complexity of the scope. While analyzing a small web application without complex permission structures often takes just a few days, auditing extensive corporate networks can take several weeks.
To provide a tailored pentest offer, we require initial information regarding the systems and applications to be examined, allowing us to accurately assess the target environment. For web applications, providing test credentials is highly beneficial. Any additional technical details, such as the frameworks and technologies utilized, help us design the ideal testing scenario for you. If you require an infrastructure penetration test, we will need the relevant network addresses in advance. In this case, we will first perform a non-invasive network scan to conduct an initial scoping analysis, which forms the basis for your detailed quote.
binsec GmbH is a German pentest company for professional penetration testing. Contact Us for a Quote for a Mobile Application Penetration Test, get your pentest today!
Contact us
Pentesting
for specific standards and requirements
There are a lot of standards or legal requirements worldwide, that require conducting of a penetration test.
binsec GmbH: Professional Penetration Testing
Mobile Application Penetration Test
As a specialized provider for penetration testing, binsec GmbH focuses specifically on your Mobile Application Penetration Test.
Talk directly to the executing experts instead of sales consultants. Better pentesting. No nonsense. As a dedicated penetration testing firm, we do things differently: We do not sell automated vulnerability scans as a true pentest, focusing instead on manual analysis of complex business logic flaws. Looking for a professionally conducted penetration test? Let's discuss your project.
Contact us
Frequently Asked Questions
It is difficult to give an generalized answer to this question, since the toolset used basically depends on the respective test object. Of course, we use tools such as nmap to check IT infrastructures or the Burp Suite Professional in the case of web applications.
However, we believe that publishing a tool list is mere window dressing, as each target system should be tested individually. However, you are welcome to ask us about the tools we used after the pentest.
Hosting critical business applications on a cloud provider such as Amazon AWS, Microsoft Azure, Google Cloud or Hetzner Cloud is becoming increasingly common.
Of course we perform penetration tests for applications hosted in the cloud. This also applies to penetration testing of cloud-based IT infrastructures, provided that the virtual machines are not managed directly by the cloud provider.
We perform penetration tests for almost any IT environment, system, application or network – right down to protocol fuzzing. Only the analysis of hardware chips under a microscope is something we leave to others.
Typical targets of our penetration tests include:
Web Applications and APIs
Mobile Applications
Servers, Platforms and Infrastructure
- Webserver Pentesting
- Network Pentesting
- Firewalls Pentesting
- WiFi / WLAN Pentesting
- Active Directory (AD) Pentesting
- RDP Server / Remote Desktop Pentesting
- OT Pentesting
Containers and DevOps
Identity and Authentication