
Mobile Pentest: iOS, Android and Hybrid Apps

Static + dynamic + communication + platform + API + business logic analysis. OWASP MASVS/MASTG, MASVS-L2 for apps handling sensitive data.

90% manual · 10% automated
OSCP · CISSP · CRTO · GPEN
BR · PT · IT · ES · MA · US · AU
OWASP · MITRE · PTES · NIST

Why now

The real pain

Mobile pentest is the category with the highest rate of disguised scans in the Brazilian market. Many vendors deliver MobSF runs performed by interns and call it a pentest. Fintech, healthcare and government apps need real manual validation — certificate pinning, secrets in release builds, IDOR on mobile-only endpoints, root/jailbreak detection. Without it, auditors reject the assessment and the client gets breached.

Applicable frameworks

OWASP MASVS L2 · OWASP MASTG · PCI-DSS 4.0 · BACEN Res. 4.893 · LGPD · FAPI 1.0 Adv.

/attack-surface

Pentest Mobile

Every engagement is designed for your environment. The points below are part of our standard playbook for this sector — final scope is adapted to your stack and contract.

01 · Static analysis (APK/IPA)

Secrets in release builds, manifest review, embedded keys, obfuscation review, decompilation with jadx/class-dump.

02 · Dynamic analysis (runtime)

Runtime behavior, local SQLite, SharedPreferences/UserDefaults, cache, logs in logcat/Console.

03 · Communication and certificate pinning

TLS, hostname validation, downgrade attacks, Burp MitM, Frida/Objection bypass.

04 · Platform and secure storage

Keystore/Keychain, biometrics, intent injection (Android), URL scheme hijacking (iOS), WebView.

05 · API consumed by the app

All endpoints consumed by the app, IDOR/BOLA, granular authorization, server-side validation, rate limiting, JWT handling.

06 · Business logic

Registration/KYC, login/biometrics, transaction, password recovery, critical feature flows.

07 · Root/jailbreak and anti-tamper

Detection, bypass with Magisk Hide / Liberty Lite / Shadow, binary integrity.

08 · Hybrid stack (RN/Flutter)

JS bundle analysis, native bridges, third-party dependencies, JS-native communication.

/methodology

Genuinely manual pentest

Automated scanners find what's documented. Real attackers find what isn't. 90% of the work is manual — performed by specialists holding OSCP, CISSP, CRTO and GPEN.

01 · Reconnaissance

Target mapping, OSINT, footprint, sector-specific threat modeling.

02 · Discovery

Deep enumeration, complementary scanning, manual exposure identification.

03 · Exploitation

Manual validation with controlled PoC, finding chaining, escalation.

04 · Report

Executive and technical report, step-by-step reproduction of each finding, mapped to the applicable regulation.

/why-trust

Who has trusted our work

Mobile apps for banking, healthtech and fintech regulated by BACEN and ANS. MASVS L2 delivered within PCI-DSS 4.0 cycles.

Caixa Econômica Federal
Banco BMG
iFood
ArcelorMittal
Multibanco
Polícia Federal
Fórmula 1
OpenFinance

Technical assessment recognized in highly regulated, mission-critical environments — the pentest that finds what nobody had found before.

Douglas Lopes

Founder · CEO · intrus.io

/faq

FAQ — Pentest Mobile

How much does mobile pentest cost in Brazil?

Simple native Android app (1 platform, 3-4 critical flows): BRL 8-18k. Android + iOS without regulation: BRL 18-40k. BACEN-regulated fintech app: BRL 60-120k. Range depends on platform, stack, critical flows and compliance.

Do you test React Native and Flutter?

Yes. Hybrid stacks have JS-bundle and native-bridge specifics. We cover bundle analysis, secrets in release builds, JS-native communication and third-party dependencies.

Do you need a signed build or is debug APK enough?

Release build (signed) is strongly recommended — behavior differs from debug. TestFlight, Firebase App Distribution, internal link or corporate MDM work fine.

Is certificate pinning mandatory?

For apps processing sensitive data or financial transactions, yes. Required by PCI-DSS, BACEN and SOC 2. We audit the implementation and attempt bypass with Frida/Objection.

Does mobile pentest cover the API too?

It covers what the app consumes. For full API coverage with non-mobile endpoints, the ideal is combined mobile + API scope.

/contact

Get a mobile pentest quote

Schedule a confidential meeting. Within 48h we'll send a proposal with scope, timeline and pricing.