Mobile app pen testing for iOS & Android: a 2026 OWASP MASVS guide

Mobile pen testing is its own discipline. The asset is a binary, not a server. The threat model includes the user themselves. The test guide is the OWASP MASVS — which since 2023 has been the canonical replacement for the older MSTG. Here is what we actually do on a 2026 mobile engagement.

The MASVS levels

• MASVS-L1 — baseline. Covers the obvious: secure storage, secure communication, basic auth, basic crypto. Most Indian B2C apps target this.
• MASVS-L2 — defense-in-depth. Adds platform-interaction controls, anti-tampering, anti-debugging. Most Indian fintech and banking apps target this.
• MASVS-R — resilience controls (root detection, RASP). Now folded into L2 as the resilience profile.

Test environment

Two physical devices, not emulators — emulators miss Frida-detection edge cases and SafetyNet/Play Integrity failures that real users encounter. Android: a rooted Pixel with Magisk + Zygisk. iOS: a checkra1n-able iPhone 7/8/X for stable jailbreak. Frida, Objection, jadx-gui, MobSF, Burp Suite as the HTTP proxy.

Static analysis (3–4 days)

• APK/IPA decompilation — jadx for Android, Hopper or Ghidra for iOS Mach-O.
• Manifest review — exported activities, content providers, custom URL schemes, deep links.
• Hard-coded secrets — API keys, AWS credentials, signing keys. We find these in roughly one in three Indian apps.
• Cryptography — AES-ECB usage, hard-coded IVs, weak key derivation, custom XOR "encryption".
• Logging — sensitive data written to Log.d on Android or NSLog on iOS.
• Third-party SDKs — old versions with known CVEs, SDKs sending data to ad networks the privacy policy does not declare.

Dynamic analysis (4–6 days)

• Traffic interception — pinning bypass with Frida or Objection where present.
• Storage inspection — SharedPreferences, SQLite, Keychain, NSUserDefaults. Anything sensitive should be in the platform keystore, not plaintext.
• Runtime instrumentation — hook authentication, hook crypto, hook root-detection methods.
• IPC testing — exported Android components reachable via adb am, iOS URL schemes invokable from Safari.
• Backup analysis — adb backup on Android with allowBackup=true, iTunes/Finder backups on iOS.
• Memory dump — credentials, tokens, PII in the process heap after the user logs in.

Root / jailbreak detection bypass

If the app implements detection, we bypass it — that is the point of MASVS-L2 testing. Common bypasses:

• Frida-Server with --no-stdio and a renamed binary against name-based detection.
• Magisk Hide / Zygisk for SafetyNet, escalating to Play Integrity tier evaluation.
• Objection's android root disable for the trivial RootBeer library.
• iOS — Liberty Lite, A-Bypass, or custom Frida hooks against fork() and NSFileManager.

A correctly-implemented detection takes us 1–4 hours to bypass. An incorrectly-implemented one takes 5 minutes. We report the strength as part of the finding.

Common Indian mobile findings

1. SSL pinning trivially bypassed — pinning implemented in OkHttp but not in WebViews or in third-party SDKs.
2. MPIN brute-forceable — fintech apps with 4-digit MPINs and server-side lockout only after device-side counter.
3. Deep-link account takeover — app://reset?token=X reachable from any malicious app.
4. Sensitive data in screenshots — task switcher captures the balance/PII screen.
5. JWT in plain SharedPreferences — long-lived token, no keystore.

For our service page, see mobile application VAPT.