Mobile Application Penetration Testing.
Mobile application penetration testing is a manual security assessment of your Android and iOS apps — examining the compiled binary, on-device data storage, inter-process communication, and the backend APIs they talk to — to find and prove vulnerabilities an attacker could exploit on a real device.
We assess each app against the OWASP Mobile Application Security Verification Standard (MASVS) using the MASTG testing methodology, on both the client and its backend.
Insecure data storage
Sensitive data stored in plaintext across shared preferences, SQLite databases, keychains, logs, and backups.
Platform & IPC
Exported components, deep links, intent abuse, and insecure inter-process communication on Android and iOS.
Network & transport
TLS validation, certificate pinning bypass, and traffic interception via dynamic instrumentation.
Authentication & crypto
Weak or hardcoded keys, broken token handling, and misuse of platform cryptography.
Reverse engineering & RASP
Code hardening, root/jailbreak detection, anti-tamper, and resistance to runtime manipulation with Frida.
Backend API
The APIs the app depends on — authorization, IDOR, and injection — aligned with the OWASP API Security Top 10.
- An executive summary that translates technical risk into business impact.
- Each finding with reproduction steps, evidence, and CVSS-scored severity.
- Remediation guidance tailored to your platform (Android / iOS) and stack.
- A complimentary retest to confirm your fixes hold up.
We follow the OWASP mobile security standards and map findings to the Indonesian regulatory context. Warpstar is a collective of certified operators; we do not claim organizational certifications we do not hold.
Do you test both Android and iOS?
Yes. We test Android (APK/AAB) and iOS (IPA) applications, including the on-device storage, the binary, and the backend APIs. You can scope one platform or both.
Do you need the source code?
No. We perform black-box and grey-box mobile testing without source code, working from the compiled app. If you can provide source code or test accounts, a white-box engagement gives deeper coverage.
How much does a mobile pentest cost?
It depends on the number of platforms, the size of the app, and the backend scope. Send us your app details and we will provide a fixed quote up front.
Can you bypass certificate pinning and root detection?
Yes — assessing how well your pinning, root/jailbreak detection, and anti-tamper controls resist a determined attacker is a standard part of the engagement.