Mobile Application Security

Security testing for iOS and Android apps — from static analysis to runtime.

iOS Testing

Testing of iOS applications covers local data storage (Keychain usage, plist files, Core Data), runtime analysis (method swizzling, debugger attachment), network communication (certificate pinning, TLS configuration), and binary protections. I use a combination of static analysis of the IPA and dynamic testing on a jailbroken device.
Android Testing

Android assessments include APK reverse engineering and manifest analysis, permission review, local storage inspection (SharedPreferences, SQLite, file system), runtime hooking with Frida, and network traffic analysis. I test on rooted devices to get full visibility into the app's behaviour.
What's Covered

  • Authentication — biometric bypass, token storage, session handling
  • Data at rest — encryption, secure storage, leaked credentials
  • Data in transit — certificate pinning, TLS misconfigurations
  • Backend API communication — tested alongside the mobile client
  • Binary protections — obfuscation, root/jailbreak detection, tamper resistance

Process

  1. Static analysis — Code and configuration review of the app binary.
  2. Dynamic testing — Runtime analysis, traffic interception, and behaviour monitoring on-device.
  3. Reporting — Findings with severity, reproduction steps, and clear remediation guidance.