New release : CTI Report - Pharmaceutical and drug manufacturing 

                 Download now

Mobile penetration testing: a necessity for your company's security

Mobile pentesting: why do one and how to succeed?

A mobile application is not a website with a smaller screen. It's a binary file that executes. in enemy territory — on the user's phone, sometimes rooted, sometimes jailbroken, sometimes in the hands of an attacker who has all the time in the world to decompile it. Your API keys, your internal endpoints, your business logic, your session tokens: everything you've included in the iOS bundle or the Android APK is, by default, within reach of a motivated analyst.

Since the transposition of the Directive (EU) 2022/2555 (NIS2) Under French law no. 2025-391, 18 sectors of activity—healthcare, energy, transport, finance, government, and digital providers—are required to ensure the security of their information systems. Penalties reach €10 million or 2,130,000 of global revenue for essential entities. The mobile pentesting This is part of the audit process that ANSSI considers a pillar of this compliance.

This guide lays the groundwork: what a mobile penetration test actually is, how it's conducted, what tools it uses, and how to choose your service provider to avoid ending up with a generic automated scan report disguised as an offensive audit.

Definition and differences with a web pentest

According to the definition of ANSSI, A penetration test (or pentest) is a method of evaluating the security of an information system by simulating a real-world attack scenario. When applied to mobile devices, the exercise takes on a particular dimension: the auditor doesn't just test the server. They attack. the client application itself, its local storage, its communications with the backend, its embedded authentication mechanisms, and its interaction with the host operating system.

The professional standard is the’OWASP MASVS (Mobile Application Security Verification Standard), along with its operating guide MASTG (Mobile Application Security Testing Guide). The MASVS defines eight control groups: storage (MASVS-STORAGE), cryptography (MASVS-CRYPTO), authentication (MASVS-AUTH), network communications (MASVS-NETWORK), interactions with the platform (MASVS-PLATFORM), code quality (MASVS-CODE), resilience against reverse engineering and tampering (MASVS-RESILIENCE) and confidentiality (MASVS-PRIVACYA serious mobile pentesting study is conducted on each of these axes.

Not to be confused with a pure source code audit, a SAST analysis, or a vulnerability scan. Mobile penetration testing is offensive He seeks to exploit and chain together vulnerabilities to achieve a specific objective (exfiltrating data, escalating privileges, bypassing a payment system). This is an attack simulation, not a theoretical review.

Why perform a mobile pentesting?

First reason: regulatory. With the entry into force of NIS2 in October 2024 and its national transposition, the obligation to implement "appropriate and proportionate" technical measures requires proof—not just declaration—of cyber risk management. Penetration testing is the ultimate form of evidence. Regarding personal data, the CNIL Regular security audits are considered a required measure under Article 32 of the GDPR. A mobile application that processes health, banking, or identity data without having been audited constitutes a clear breach.

Second reason, operational. A mobile application lives in a hostile environment. It is distributed publicly via app stores, and is therefore downloadable, decompilable, and exploitable. Attack vectors are present within this environment. specific :

  • Unencrypted local storage : OAuth tokens in plain text in SharedPreferences (Android) or NSUserDefaults (iOS), SQLite databases containing PII, log files left in production.
  • Certificate pinning is missing or poorly implemented. : an attacker in a MITM position (public Wi-Fi, fake access point) intercepts traffic and replays or modifies API requests.
  • Backend APIs exposed without server-side authorization control The business logic incorrectly assumes that only the official mobile client will call the API. A well-placed curl command does the rest.
  • Exported Android Components : Activity, Service, ContentProvider, BroadcastReceiver accessible to other phone applications, sometimes without permission.
  • Deep links and URL schemes Incorrect validation: opening an authenticated view from any website, injecting parameters, triggering sensitive actions.
  • Anti-debug and anti-tampering absent or trivial to work around on high-stakes applications (payment, gaming, banking).

Without a pentest, these defects remain in the application until that an attacker finds them before you do.

How does a mobile pentesting work?

An Intrinsec mission aligns with the methodology MASTG from OWASP, the PTES (Penetration Testing Execution Standard) and, for threat modeling, EBIOS Risk Manager published by ANSSI. The typical process is structured in six phases.

1. Framing and threat modeling. Defining the scope (iOS, Android, or both), target platforms (OS versions), test accounts, backend access, and business objectives to be protected. Identifying critical assets and priority attack scenarios.

2. Recognition and static analysis. Extracting the IPA or APK, decompiling (apktool, jadx, Hopper Disassembler, Ghidra). Inventory of permissions declared in the Manifest Android or the file Info.plist iOS. Search for hard-coded secrets (AWS keys, API tokens, internal URLs), sensitive strings, and outdated third-party SDKs. Mapping of Activity exported, deep links, intent filters.

3. Dynamic analysis and instrumentation. Installation on a rooted (Android) or jailbroken (iOS) device, injection of Frida or Objection to hook system calls, bypass root detection, bypass SSL pinning, instrument cryptographic functions. Inspection of the application's file system after use (/data/data/ (Android side, containerized sandbox on iOS).

4. Network interception. Implementation of Burp Suite Or mitmproxy with import of the CA certificate, bypassing of pinning if present, analysis of API calls, search for authorization defects (IDOR, horizontal segmentation), data leaks in responses, poorly secured tokens.

5. Exploitation and sequencing. Vulnerabilities are confirmed through actual exploitation. A kill chain is attempted to achieve the objectives defined during the scoping phase. The actual severity is assessed, distinct from the raw CVSS score.

6. Restitution. Detailed report compliant with PASSI requirements: executive summary for management, technical sheets for developers (evidence, replication steps, prioritized recommendations), oral debriefing. Remediation tests after correction.

The different methods of mobile pentesting

Three approaches coexist, to be chosen according to the level of realism expected and the budget.

Black box. The auditor only has access to the application as an external attacker would obtain it. No source code, no documentation. It replicates the scenario of a motivated opportunistic attacker. Excellent for validating resilience against external attacks, but less comprehensive in identifying flaws in business logic.

Grey box. The auditor receives the application, test accounts representative of the different roles, and functional documentation. This is the approach recommended by default : it replicates the scenario of an attacker who has already compromised a legitimate account or a malicious user, and allows for in-depth exploration of the authorization logic.

White box. The auditor has access to the source code and architecture documentation. This allows for comprehensive coverage, essential for highly sensitive applications (healthcare, defense, regulated finance) where even the smallest residual defect is critical.

In addition to the three approaches, there is a distinction between SAST (static analysis of binary or code) and DAST (dynamic analysis of the running application). A complete mobile pentest must combine both: a hard-coded secret (SAST) that is never used in practice (DAST) does not have the same criticality as a hard-coded secret actually transmitted over an insecure channel.

The tools used for a mobile pentesting

A seasoned mobile pentester's arsenal combines open-source tools recognized by the profession and custom-built scripts. (This list is not exhaustive.)

  • Static analysis MobSF (Mobile Security Framework) for the first automated pass, jadx And apktool to decompile APKs, Hopper and Ghidra for iOS reverse engineering and ARM64 reading, class-dump to extract the Objective-C headers.
  • Dynamic instrumentation : Frida (the Swiss Army knife of the mobile pentester, JavaScript scripts for on-the-fly hooking), Objection (Frida overlay geared towards penetration testing), Xposed Framework on the Android side.
  • Network interception : Burp Suite Professional with extensions (Authz, JWT Editor, Hackvertor), mitmproxy for automation and Python scripting, Wireshark for low-level analysis.
  • Android-specific : adb, Drozer for evaluating exported components, apksigner And zipalign Magisk is for repackaging and Magisk is for rooting.
  • iOS specific : Frida-iOS-dump to extract the decrypted binaries, Filza Or iFunbox To explore the sandbox, checkra1n / palera1n for the jailbreak.

The choice of tools depends on the mission context, the protections built into the application, and the platform's specific characteristics. No tool can replace the tester's expertise: a raw MobSF scan is not a penetration test.

The benefits of a mobile penetration test

Beyond the regulatory checklist, mobile penetration testing provides measurable operational value.

Vulnerability identification prior to exploitation. It's better to pay an auditor than to compensate customers after a data breach. The average cost of a data breach in France exceeds €4 million according to industry reports, not including CNIL fines and reputational damage.

Demonstrable conformity. PASSI report usable as evidence to a regulator, an ISO 27001 auditor, a B2B client who requires a security certificate (PCI DSS, HDS, SecNumCloud).

Reduction of security debt. Early identification of architectural flaws (poor secret management, vulnerable dependencies) which cost ten times more to correct after production deployment.

Raising awareness among development teams. The post-penetration test technical debriefing is one of the best ways to improve mobile developers' skills in security best practices.

The risks in the absence of a mobile pentesting

Skipping penetration testing exposes you to a cumulative risk.

Regulatory sanctions. French law no. 2025-391, transposing NIS2, provides for administrative fines that can reach 10 million euros or 2 % of global annual turnover for essential entities, €7 million or 1.4 % for large entities. The GDPR provides for up to €20 million or 4.13 trillion of turnover. The legal framework no longer tolerates the absence of audits for the operators concerned.

Data leak. A poorly secured mobile application is a prime entry point to the internal information system via exposed APIs. Mobile devices are now one of the primary attack vectors for user accounts (token theft, MFA bypass).

Compromised software chain. A poorly protected mobile binary can be repackaged with a malicious payload and redistributed via third-party stores or phishing campaigns, turning your brand into an attack vector.

Loss of confidence. For B2C companies, a widely publicized security incident on the app leads to a lasting decline in installations and ratings on the stores.

How to choose your service provider?

Not all penetration tests are created equal, and the market includes as many reputable specialists as it does providers selling automated scans in polished PDFs. Here are a few key differentiating factors.

PASSI qualification from ANSSI. For regulated entities (OIVs, OSEs, government agencies, NIS2), PASSI qualification is a requirement—not an option. It attests to the provider's methodological maturity, the control of its processes, and the verified competence of its auditors.

Demonstrated mobile specialization. Ask for mobile references, not web references. An excellent web penetration tester isn't automatically a good mobile penetration tester: the tools, attacks, and protections are specific. Mastery of Frida, iOS/Android reverse engineering, and in-depth knowledge of MASTG can't be acquired overnight.

Methodology explained. A serious service provider delivers a scoping document that specifies the methodology, the referenced standards (MASVS, MASTG, PTES), the breakdown of phases, and the expected deliverables.

Internal team, not outsourced. Verify that the auditor who will sign your report is an employee of the service provider, not a freelancer assembled for the assignment.

Remediation and follow-up capacity. The report is not enough: demand a remediation test included, a technical debrief with the developers, and availability for follow-up questions.

Mobile pentesting at Intrinsec

An independent cybersecurity player for over thirty years, Intrinsec is qualified by ANSSI for three main service offerings: PASSI (Information Systems Security Audit Provider), TAKEN (Security Incident Response Provider) and PACS (Security Support and Consulting Provider). This triple qualification is rare on the French market and guarantees end-to-end coverage, from offensive auditing to crisis management.

Recognized as leading SOC in France, Intrinsec operates continuously on incident detection and response, which in turn feeds into the practice of penetration testing: our auditors see in direct The attack techniques actually used against our clients' mobile applications. This defensive-offensive feedback loop is a strong differentiator. Our penetration testing offering is based on a more extensive body of documentation and methodology specifically focused on mobile.

Our mobile penetration testing services cover iOS and Android, using black box, grey box, or white box testing, on native, hybrid (React Native, Flutter, Cordova), and progressive scan applications. Each deliverable complies with PASSI requirements and can be used as evidence of NIS2, GDPR, or ISO 27001 compliance.

FAQ

What is a mobile pentesting test? A mobile penetration test is an offensive security audit of an iOS or Android application, its local storage, network communications, authentication mechanism, and interaction with the operating system. It is based on the OWASP MASVS and MASTG frameworks.

Why perform a mobile pentesting? To identify exploitable vulnerabilities before an attacker, demonstrate regulatory compliance (NIS2, GDPR, ISO 27001) and protect the data processed by the application.

How does a mobile pentesting work? In six phases: framing, static analysis of the binary, dynamic analysis with instrumentation (Frida, Objection), network interception (Burp Suite), exploitation and written and oral reporting.

What tools are used for a mobile pentesting? MobSF, Frida, Objection, Drozer, Burp Suite, mitmproxy, jadx, apktool, Ghidra, Hopper, and many specific scripts depending on the context.

What are the benefits of a mobile penetration test? Proactive identification of vulnerabilities, demonstrable regulatory compliance, reduction of security debt, awareness of development teams.

Who is affected by the mobile pentesting? Firstly, the essential and important entities as defined by the NIS2 Directive and Law No. 2025-391: 18 sectors including energy, health, transport, finance, water, digital infrastructure, public administrations, postal services, waste management, agri-food industry, medical device manufacturing, and digital providers. Beyond the regulatory framework, any organization that distributes a mobile application dealing with sensitive data (health, payment, identity, personal data as defined by the GDPR), or whose application is a critical channel of customer relations, should consider mobile pentesting as a standard security measure — just like a web audit for an e-commerce site.

Articles by category