Mobile App Pentest
New technologies always bring new security risks, and mobile computing is no exception. We help you eliminate the possibilities of attacks on your mobile apps.

Mobile App Pentest

New technologies always bring new security risks, and mobile computing is no exception. We help you eliminate the possibilities of attacks on your mobile apps.

What is Mobile App Penetration Testing?

The Mobile App Pentest is a procedure for evaluating the security of mobile applications - in short App. We conduct Mobile Pentest according to the OWASP Mobile Security Testing Guide. Digital business models, the processing of sensitive information and a secure handling of the interoperability between different APIs and other mobile apps makes a pentest indispensable. Our mobile app pentesters have a background in infrastructure and web pentesting, a quality necessary for testing mobile apps, because almost every app communicates with a backend system. This exterpise is essential as it allows us to test the full spectrum of native apps, hybrid apps, web apps and progressive web applications.

Protect your Users from Criminals!

The pentest for mobile apps is planned, performed and evaluated by our specially trained security engineers according to recognized standards.

We protect your data from loss and check compliance with data protection regulations
  • We ensure that external use of user data such as messages, personal data, address books, location and movement profiles is not possible.
  • A comprehensive check of access rights protects against unauthorized access and unwanted disclosure of data.
  • The security of the interacting servers as well as the interface between the mobile device and the server must be extensively tested to ensure smooth interoperability.
  • The checks cover static and dynamic analyses.
We carry out pentests on the basis of recognised standards and guidelines.
  • The testing of mobile apps follows the categorization of the MASVS (Mobile Application Security Verification Standard)
  • Our processes are adapted to the practical guidelines for pentests of the Federal Office for Information Security (BSI).
  • We have developed a comprehensive final report that provides an optimal insight into our work and its results. Pentests are conducted and evaluated according to the OWASP Testing Guide. Alignment with OSSTMM and PCIDSS is also possible upon request.

IT Pen Test Modules for iOS and Android

Basically, the longer our security engineers examine your app, the more meaningful the results are. If you have special requirements, we will be happy to make you an individual offer.


    For each component of the app, the scope of functions and security features must be clearly defined and known. Most apps communicate with interfaces, so appropriate security standards must also be implemented for these API endpoints.


    The protection of sensitive data such as user credentials and private information is a key focus in the area of mobile security. Data leaks can occur unintentionally in cloud data storage, backups or keyboard cache. In addition, mobile devices can be more easily lost or stolen.


    Cryptography is an essential cornerstone for protecting data stored on mobile devices. But it is also a category where many things can go wrong, especially if you don't follow standard conventions. The category is intended to ensure that a verified app uses cryptography best practices.


    The purpose of this category is to ensure the confidentiality and integrity of transmitted data between mobile app and remote server. To achieve this, a mobile app must establish a secure, encrypted channel for network communication using the TLS protocol with adequate TLS settings.


    The requirements in this category are intended to ensure that platform components and standard components are used by the app in a secure manner. In addition, the requirements also cover communication (IPC) between apps.


    The goal of this category is to ensure that basic security practices are followed during app development and that the included security features of the compiler are enabled.


    This category covers Defense-in-Depth measures recommended for apps that contain access to sensitive data or sensitive functionality. If these measures are not implemented, this does not immediately lead to a vulnerability, but the measures increase the robustness of the app against attacks and reverse engineering.

App Pentest

Final Report of the IT Security Analysis

We have developed a comprehensive reporting format that provides optimal insight into our work and its results. Pentests are conducted and evaluated according to the OWASP Mobile Security Testing Guide.

  • Our report is prepared according to recognized standards and includes a management summary, a technical summary and recommendations for action. The evaluation of the findings is based on the CVSS 3.0 standard.
  • Our detailed reporting format not only shows which vulnerabilities were identified during the pentest, but also which attack vectors were checked. Thus, you can optimally understand our work.
  • The final report is individually prepared and delivered both as a classic PDF document and in a special HTML format. In the dynamic HTML format, content and vulnerability findings can be filtered, sorted and exported to other formats.
  • In a joint final meeting, we discuss the details of the report with you and, if necessary, support you in eliminating the identified weaknesses.

How do we perform the Penetration Test?

Pentests carried out by us are an agile process and are carried out in close consultation with the customer.


The preparation of the pentest takes place in the context of a kick-off meeting with the technical and organizational responsible persons of your company. The framework conditions to be tested are specified, necessary user accounts and access routes are agreed, contact persons and escalation routes are defined and the pentest is discussed in detail together.

Manual & Automated Research

Our security engineers try to collect as much information as possible. Based on this information, analysis strategies are developed to identify possible attack vectors. These attack vectors are then examined for weak points in extensive tests.

Manual Exploitation
Manual Exploitation

Here we try to exploit the identified vulnerabilities in order to gain access to the target systems, using new or existing exploit writings by our pentester, depending on the respective service or technical environment. Potential vulnerabilities can turn out to be false positives. Only verified vulnerabilities are included in the final report and are classified according to their criticality in accordance with CVSS 3.0.


We have developed a comprehensive reporting format that provides optimal insight into our work and its results. It consists of a business risk analysis, management summary and a comprehensive test and vulnerability description. The criticality of the weaknesses and recommendations for action are described in detail.

Remediation (Optional)

Once the analysis is complete, you will be able to fix the identified vulnerabilities, and our analysis will provide you with detailed recommendations about the respective vulnerability. If required, our security engineers can provide extensive support for the elimination.

Free Verification (Optional)

We are happy to re-examine the security weaknesses to ensure that the defense mechanisms have been implemented correctly. It is important to us that our recommendations are implemented, so this process activity is always free of charge.

Final Meeting & Certification (Optional)
Final Meeting

In the final meeting, all critical points in the results report are discussed and all questions are clarified. Finally, we will be pleased to present you with a certificate as proof for your customers.

Latests Posts

Our employees regularly publish articles on the subject of IT security

Pentest: Which Components should be Considered First?
Pentest: Which Components should be Considered First?

For most applications, it makes sense to check the API interface first. Vulnerabilities of severity critical can arise here.

Does a Pentest have to be Done only Once?
Does a Pentest have to be Done only Once?

Companies often think that a single pentest before rolling out a system is sufficient. Why this assumption is a mistake?

What is an Ethical Hacker?
What is an Ethical Hacker?

Hackers have a bad reputation. They penetrate security systems, steal data and cause financial damage. But is that true?


Curious? Convinced? Interested?

Arrange a non-binding initial meeting with one of our sales representatives. Use the following link to select an appointment:

Alternatively, you can write us a message. Request a sample report or our service portfolio today. We will be happy to consult you!