Mobile App Pentest Checklist: iOS & Android (MASVS Aligned)
A practical, MASVS-aligned checklist for testing iOS and Android apps — covering storage, crypto, network, platform interaction and code quality.
Why mobile pentesting is fundamentally different
Unlike a web app, a mobile binary lives on a device you do not control. Every secret you ship, every endpoint you call and every assumption about 'the user is not an attacker' is testable with off-the-shelf tools like Frida, Objection, MobSF and a jailbroken iPhone.
A mobile pentest worth paying for goes deeper than running MobSF. It must validate the OWASP MASVS controls relevant to the app's risk profile — typically L1 for most apps and L2 plus R for financial, healthcare and crypto apps.
Storage and data at rest
Walk the app's sandbox: Keychain, NSUserDefaults, Core Data, SQLite, SharedPreferences, internal vs external storage, and any file written under Documents or Caches. Look for session tokens, PII, payment data, and JWTs cached in the clear.
Check backup behaviour. iOS backup-exclusion flags, Android allowBackup, auto-backup rules, and screenshot/recents caching are all places where we routinely find sensitive data, and whole screens, leaking to disk.
Cryptography and secrets
Static analysis of the binary should surface hardcoded API keys, signing secrets and S3 credentials. We treat any secret reachable by `strings`, `class-dump` or `apktool` as compromised.
Validate algorithm choices (no MD5/SHA1 for integrity, no ECB), proper IV/nonce handling, secure key storage via Keychain/Keystore, and certificate pinning that actually fails closed when bypassed.
Network and API testing
Most real impact lives behind the API. Proxy the app through Burp or Caddy, defeat pinning if present, and treat every endpoint as a first-class web target — IDORs, BOLA, mass assignment, broken auth, and rate-limit bypasses are dominant findings.
Test downgrade behaviour: cleartext fallback, HTTP/2 vs HTTP/1, and CDN/origin host header smuggling. Mobile clients frequently trust whatever the server returns, which makes server-side validation non-negotiable.
Platform interaction and resilience
Cover deep links, app links, custom URL schemes, intent filters, exported activities/services, content providers, and pasteboard usage. These are where 'one-click takeover' bugs hide.
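Two of the checks above, JWTs sitting in clear in a pulled SharedPreferences file and allowBackup/exported components in the decoded manifest, can be scripted against artifacts collected from a test device. The following is an added example written for this checklist, not StartSecure's tooling; the SharedPreferences dump, the manifest and the package/component names in it are constructed sample inputs.

```python
import base64
import json
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Three base64url segments, the first starting with "eyJ" (base64url of '{"'): a JWT stored in clear.
JWT_RE = re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b")
# Constructed sample inputs standing in for files pulled from a test device, not real app data.
SAMPLE_PREFS = """<map>
  <string name="auth_token">eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c</string>
</map>"""
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application android:allowBackup="true">
    <activity android:name=".DeepLinkActivity"><intent-filter>
      <action android:name="android.intent.action.VIEW"/><data android:scheme="examplebank"/>
    </intent-filter></activity>
    <service android:name=".SyncService" android:exported="false"/>
    <provider android:name=".CacheProvider" android:exported="true"/>
  </application></manifest>"""

def _b64url_json(segment):
    """Decode one base64url JWT segment; None unless it is a JSON object."""
    try:
        obj = json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))
    except ValueError:
        return None
    return obj if isinstance(obj, dict) else None

def find_jwts(text):
    """Return (alg, claims) for each JWT found in clear in a sandbox file's contents."""
    hits = []
    for token in JWT_RE.findall(text):
        hdr, claims = (_b64url_json(seg) for seg in token.split(".")[:2])
        if hdr and "alg" in hdr:
            hits.append((hdr["alg"], claims or {}))
    return hits

def manifest_findings(manifest_xml):
    """Flag allowBackup and exported components in a decoded AndroidManifest.xml."""
    root, findings = ET.fromstring(manifest_xml), []
    app = root.find("application")
    if app is not None and app.get(ANDROID_NS + "allowBackup") == "true":
        findings.append("allowBackup=true: app data lands in adb/cloud backups")
    for comp in (c for c in root.iter() if c.tag in ("activity", "service", "receiver", "provider")):
        exported = comp.get(ANDROID_NS + "exported")
        # With android:exported absent, an intent-filter makes the component exported by default.
        if exported == "true" or (exported is None and comp.find("intent-filter") is not None):
            findings.append(f"exported {comp.tag}: {comp.get(ANDROID_NS + 'name')}")
    return findings
```

Run `find_jwts` over every file under the app's data directory and `manifest_findings` over the apktool-decoded manifest; each exported component it lists is a deep-link or intent entry point to test by hand.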
Resilience (MASVS R) — root/jailbreak detection, anti-debugging, anti-tamper and obfuscation — is not a substitute for security, but should be present and tested for high-value apps.
What a good mobile pentest report looks like
You should walk away with a MASVS coverage matrix, CVSS-scored findings, reproduction steps with Frida scripts or Burp requests, and a clear remediation owner for each issue (mobile dev, backend, infra).
At StartSecure every mobile engagement includes a free retest after fixes, an executive summary your board can read, and a downloadable certificate suitable for sharing with enterprise buyers.