Bishop Fox named “Leader” in 2024 GigaOm Radar for Attack Surface Management. Read the Report ›

We like to break things

Mobile Application Penetration Testing

We run in-depth manual and dynamic analyses of Android/iOS devices and apps, guided by OWASP testing methodologies. Our zero-, partial-, or full knowledge assessments use industry-standard and internally developed tools in conjunction with expert-guided testing techniques to locate and validate mobile application security deficiencies.

Mobile Application Assessment

We attack mobile apps just like the bad guys to strengthen your security.

A Mobile Application Assessment (MAA) provides in-depth manual and dynamic (run-time) analyses of Android/iOS devices and applications, irrespective of source-code availability, following the OWASP Mobile Security Testing Guide (MSTG) and OWASP Mobile Application Verification Standard (MASVS) methodologies. Using the same tools and techniques as real attackers in addition to our own, we'll test your mobile applications for the OWASP Top 10 Mobile Risks.

When conducting an MAA as a Hybrid Application Assessment (HAA), we'll leverage the source code provided to validate and locate vulnerabilities. If source code isn't available, the team will attempt to reverse engineer the application’s binary to partially reconstruct an application’s source code and attempt to identify security vulnerabilities.

Mobile Application Assessment highlights:

  • Deeper than a pen test: Our methodology uses both binary and file-level analysis to find hard-to-discover vulnerabilities, going far deeper than a typical penetration test.
  • OWASP Top 10: We test for Improper Platform Usage, Insecure Data Storage, Insecure Communication, Insecure Authentication, Insufficient Cryptography, Insecure Authorization, Client Code Quality, Code Tampering, Reverse Engineering, and Extraneous Functionality.
  • API security: Our team also inspects the application’s API and dynamically instruments the application’s binary to identify issues in the business logic.
Bishop Fox Mobile application methodology assessment and mobile application penetration testing.

Peek under the hood

Explore Our Mobile Application Assessment Methodology

Bishop Fox’s Mobile Application Assessment (MAA) methodology identifies application security vulnerabilities by combining automated and manual testing techniques. Download the complete methodology to see what you can expect when you work with us.

Key Benefits

Gain expert visibility into mobile risks so you can keep data private and secure.

Icon Circuit Process

Simulate Attacks and Assess Your Security Posture

Assessment is the first step to securing your mobile application environments. Our team of experienced consultants put the full spectrum of your application under the microscope, performing runtime patches, network interception, filesystem storage, device keystore storage, binary reverse engineering, and server-side testing.

Icon Document Shield

Strengthen Compliance and Governance

We’re your partner in supporting your governance and compliance programs. Many regulatory requirements and internal policies mandate manual testing of your mission-critical apps. With deep expertise in mobile platforms, we’ve got you covered.

Icon Mobile Device

Discover Vulnerabilities with Advanced Analysis

By combining binary and file-level analysis, we identify difficult-to-find vulnerabilities. Notably, we test for the OWASP Top 10 Mobile Risks including Improper Platform Usage, Insecure Data Storage, Insecure Communication, Insecure Authentication, and more.

Icon Mobile Security

Benefit from Cutting-edge Mobile Assessment Tools and Technology

Our team uses advanced technology to create and use virtual devices when conducting our assessments. Our approach is highly efficient – maximizing testing time rather than configuring and managing physical mobile devices.

Developer Icon

Expose All Attack Vectors in Mobile Apps

We go beyond testing communications and a mobile app’s artifacts. We’ll also reverse engineer an application’s binary to find and exploit high severity security issues. Plus, we test the application’s API and dynamically instrument the binary to identify issues in the application’s business logic.

Icon People Process

Collaborate with Our Mobile App Security Experts

It’s hard to find expertise in mobile security because the technology is always evolving. Our team’s experience comes from a variety of fronts, from mobile developers to security consultants and vulnerability researchers. We see your apps from all sides.

Icon Documents Bookshelf

Operationalize Findings with Actionable Reports

Our high-quality reporting goes above and beyond static risk ratings and generic scoreboards. In addition to being fully customized to your application, your organization, and your desired outcomes, our reports offer actionable security guidance.

Award Icon

Work with the Best in the Business

Our consultants are actively engaged and contribute to the security industry by speaking at security conferences and sharing their research.

A hand opening an August Home Smart Lock that Bishop Fox performed mobile application penetration testing. August: Built-in Security in IoT Devices.
Customer Logo

Home Security Meets Cybersecurity

Connecting devices to the internet introduces new areas for innovation, improvement, and also intrusion. Connecting a lock to the internet meant that August Home had the unique challenge of maintaining customer confidence while introducing a new approach to securing their front door using the August Smart Lock.

Inside the Fox Den

Meet Our Featured Fox


Sebastian Guerrero

Sebastian Guerrero is a Senior Security Consultant at Bishop Fox, where his areas of expertise are mobile and web application penetration testing (static and dynamic), as well as network penetration testing and product security reviews.

Sebastian has demonstrated critical impact during client engagements. While performing application penetration testing on an acquisition for a major automobile manufacturer, he found numerous SQL injection issues in the company’s main portals, through which an attacker could gain total control over the DBMS, access sensitive information, and obtain remote code execution over the server. Over the course of the engagement, Sebastian also determined that the acquired company had experienced breaches that it was unaware of over the course of two to three years.

He has also presented at conferences such as Black Hat Asia, RSA, and RootedCON and sits on the bug bounty halls of fame for organizations such as Facebook, Google, Microsoft, Instagram, Mozilla, Adobe, Pinterest, and eBay.

Are you ready? Start defending forward.

We'd love to chat about your offensive security needs. We can help you determine the best solutions for your organization and accelerate your journey to defending forward.

This site uses cookies to provide you with a great user experience. By continuing to use our website, you consent to the use of cookies. To find out more about the cookies we use, please see our Privacy Policy.