Mobile application security, tested on real devices and against real attackers.
Manual assessment of iOS, Android, and HMS mobile applications. Binary reverse engineering, runtime hooking, anti-tamper bypass, side-channel analysis, network and IPC abuse. We test on real device fleets — including the low-end Android estate that a typical pentest never sees.
Real binaries on real devices, instrumented manually.
Mobile pentest done well is hardware-bound work. The application running on a high-end iOS development device behaves differently from the same application running on a four-year-old Android phone with a vendor-modified runtime. We test on real fleets of both.
Our engagements include manual binary analysis (Ghidra, IDA, Hopper, radare2), runtime hooking with custom Frida instrumentation, and traffic analysis that gets past certificate pinning using bypasses we have built and refined per platform.
For customers with hardware tamper-resistance — payment terminals, agent-banking devices, sovereign-issued endpoints — we extend testing into the hardware lab.
What the assessment covers.
- Static reverse engineering, native-code review, obfuscation analysis, third-party library audit, dependency-supply-chain review.
- Custom Frida scripts, method hooking, runtime patch detection, debugger-attach research, root and jailbreak detection bypass.
- TLS pinning bypass, mTLS impersonation, custom protocol analysis, intermediary-CA testing, traffic-replay engineering.
- Activity / service abuse, intent injection, URL-scheme hijacking, content-provider leakage, broadcast-receiver attacks.
- Keystore / Keychain analysis, custom cryptographic protocol review, white-box cryptography evaluation, key-derivation review.
- RASP-bypass research, attestation analysis (Play Integrity, App Attest, vendor APIs), repackaging defences, screenshot and overlay attacks.
- Agent-banking flows, USSD bridging, KYC pipelines, settlement APIs, custom merchant SDKs. Field-tested across continent-scale deployments.
- Third-party SDK behavioural analysis, advertising / analytics-SDK exfiltration review, embedded-mobile-client security.
- Secure-element evaluation, fault injection where the threat model includes it, side-channel analysis on cryptographic operations.
The shape we don't ship.
- No emulator-only testing
Genymotion / Android Studio emulators do not behave like the device fleet your customers actually run on. We test on real devices, including the low-end and old-OS estate.
- No SaaS-scanner output as deliverable
Mobile-application scanning SaaS is fine for triage. The output is not a security review. We do not bill expert hours for re-formatted scanner findings.
- No checklist deliverable
OWASP MASVS is a useful checklist for the customer's own engineering team. It is not the methodology we run.
- Local LLMs as tooling, not as methodology
Mobile binary analysis depends on understanding native runtime behaviour, vendor-modified frameworks, and platform-specific defences — current models do not reason about that reliably. We do use local LLMs we run in-house to accelerate decompiler output review, generate Frida-script scaffolds, and pattern-match across our binary corpus. Customer binaries never leave our lab.
Scoped per app, scaled to the fleet.
- Single-app assessment
One iOS or Android app, full attack surface, full report.
- Cross-platform mobile-money portfolio
Multiple apps, agent and customer variants, USSD bridges, KYC pipelines, settlement integrations.
- Continuing engagement
Quarterly cadence as the application evolves. New release, new attack surface — instrumentation we built carries over.
Duration depends on the app's complexity, the platform mix, and the depth of coverage. We scope against the actual surface.