PEN Consultants Logo
Don’t Be a Victim: Find your weaknesses before the criminals do. PEN Consultants can help!

Mobile Application Security Testing

Mobile Application Security Testing tests Android and/or iOS apps and the web services/APIs they interact with.

Testing involves automated and manual evaluations of one or more apps to ensure they provide protection against abuse of your data. We use industry-standard tools to carry out automated scans looking for well-known vulnerabilities, and we also conduct manual testing to find vulnerabilities and attack vectors not otherwise detectable by automated tools.

More than a Vulnerability Assessment

This is more than a simple vulnerability assessment. We actively attempt to circumvent security controls by carrying out exploits that take advantage of discovered vulnerabilities, revealing what an adversary would be able to do. During testing, we look for any method that can violate the CIA Triad security model (confidentiality, integrity, availability).

  • Confidentiality is limiting information to only the authorized person(s) who should have access to it.
  • Integrity is ensuring data/communication at rest or in transit can only originate from, be sent to, or be modified by an authorized person(s).
  • Availability is the ability for an authorized person(s) to access the resources when needed.

The purpose of testing is to enumerate your exposure (within the given time constraints), identify and verify as many vulnerabilities as possible, ensure the security of your app is strong, and then provide actionable solutions to help you protect against attack/compromise. For example, we use industry-standard tools and techniques to look for well-known/unpatched vulnerabilities that allow an attacker to gain access to carry out remote code execution, privilege escalation, circumventing intended controls, gain access to sensitive data, etc.

See Additional Examples
All relevant web app testing techniques and attacks, interaction with web services, security controls are server-side, data storage & privacy, system credential storage facilities, sensitive data in logs, 3rd party app & service interaction, keyboard cache, IPC, backups, backgrounded and locked screen privacy protections, memory analysis, device security policy check & enforcement, strong, modern & properly configured encryption, protocols & algorithms, up-to-date system dependencies and jailbroken checks, minimum permissions requested, webviews, properly signed & provisioned app, decompiling, reverse engineering & trojanizing, non-debuggable build, anti-tampering, device binding, obfuscation, RCE, and more

In most cases, we will leverage the discovered vulnerabilities to (1) verify it is exploitable and (2) determine the exposure, should it be breached.  The testing is largely centered around the OWASP Mobile Security Testing Guide, but also includes our internal/proprietary methodologies.

View our Sample Findings and Recommendations Report to see the level of detail PEN Consultants provides in our report.

Schedule a Consultation

Sample Pricing

  • Micro: Apps with less than 10 major functions and 1 user role – $11,000
  • Small: Apps with less than 20 major functions and 1 user role – $14,000
  • Medium: Apps with less than 40 major functions and/or 1-2 user roles – $18,000
  • Large: Apps with less than 75 major functions and/or 3-4 user roles – $25,000
  • xLarge: Apps with more than 75 major functions and/or 4+ user roles – Varies
  • * Add $500 for iOS

Add-On Services

In order to keep our testing prices low, we’ve removed certain services that not every client requests. Under our Cybersecurity Unlimited Retainer (included with all of our contracts) you can add on the following services as needed. Please reference the Cybersecurity Unlimited Retainer page for pricing details.

Post-Testing Briefings
Executive Level and/or Technical Level
Micro: ~1.5 hours, Small: ~2 hours, Medium: ~2.5 hours, Large: ~3 hours, xLarge: 3+ hours
Remediation Testing
Micro: ~2.5 hours, Small: ~3 hours, Medium: ~3.5 hours, Large: ~4 hours, xLarge: 4+ hours
Assist Technical Support Staff with Mitigations
Hours vary depending on your needs
Assist SOC Staff in Building Detections
Hours vary depending on your needs
On-Site Supplemental Testing and/or Visits
See Cybersecurity Unlimited Retainer page for pricing details
DISCLAIMER: Sample pricing listed is not actual pricing. These dollar amounts are estimates based on the number of hours required for engagements of similar size and assumes white box testing and at least a 60-day lead time. They are provided to give you a ballpark idea of the cost for the service. The total cost will be based on the estimated number of hours needed to perform the requested service and our hourly rate. Black box testing, specific complexities, and other non-standard situations will increase costs. Additionally, sample pricing does not include travel or other non-standard expenses (specialized equipment, materials, etc.). Final pricing is determined during the no-obligation scoping phase (before testing starts).