What this is
A manual penetration test of your mobile application and the systems behind it. We reverse-engineer the released binary, instrument the app at runtime, intercept and tamper with its traffic, and attack the backend APIs the way a motivated adversary would; this is not a scanner pass over the APK. For banking and mobile money apps, the channel-specific risks are concrete: credential and token theft from the device, pinning bypass on hostile networks, and server-side authorisation flaws reachable only through the mobile API. We cover what that looks like in practice in our guide to mobile banking security assessment.
Methodology: OWASP MASVS and MASTG
We test against the OWASP Mobile Application Security Verification Standard (MASVS), the industry baseline for mobile app security, executed through the test cases in the Mobile Application Security Testing Guide (MASTG). The MASVS control groups structure the work: storage, cryptography, authentication, network communication, platform interaction, code quality, and resilience. At scoping we agree the verification target: MAS-L1 as the floor for any app, MAS-L2 plus the resilience controls for apps that hold credentials or move funds. Resilience controls (root and jailbreak detection, anti-tampering, obfuscation) get tested honestly: they slow an attacker down, and we demonstrate where the server still trusts a client it should not.
Who this is for
Institutions whose mobile channel is a production payment system, in Rwanda, East Africa, and across the continent:
- Banks: mobile banking apps and their APIs sit inside the annual testing obligations of BNR Regulation N°50/2022 for BNR-supervised institutions
- Mobile money operators and telcos: wallet apps, agent apps, and the USSD rails that carry most transaction volume; see what we typically find in mobile money platforms
- Fintechs and payment service providers: lending, savings, and payment apps where one authorisation flaw in the mobile API is a direct path to customer funds
If your customers reach you through *XXX# as well as the app store, scope both: our guide to USSD security testing explains why the legacy channel deserves the same scrutiny as the app.
Deliverables
- Evidence-led report, written by hand: executive summary for management, technical findings with proof-of-concept evidence, CVSS v3.1 ratings, and prioritised remediation guidance
- MASVS mapping: each finding tied to the control it violates, so your team and your auditor can see coverage, not just a vulnerability list
- Free retest: verification testing after you remediate, with a clean retest report for your regulator or your board
- Live debrief: a walkthrough with your engineering team so fixes land in the next release, not the next audit cycle
Engagements are scoped individually: request a scoped quote with the platforms, API surface, and deadline you are working to. Mobile testing is one discipline within our manual VAPT practice across web, API, network, and cloud; see the full penetration testing service for the wider scope.
Frequently asked questions
What standard do you test mobile apps against?
Do you test both Android and iOS?
Do you test the backend APIs behind the app?
Does BNR Regulation N°50/2022 cover our mobile banking app?
Do you need our source code to test?
Can you test our USSD service alongside the app?
How much does a mobile app penetration test cost?
Shipping a release or facing an audit?
Tell us the platforms, the API surface, and the date you are working to. We reply within 24 hours, and a scoped proposal follows within 48 hours of the scoping call.