I perform mobile application penetration tests against iOS and Android apps covering the OWASP Mobile Application Security Verification Standard (MASVS) and OWASP Mobile Top 10 — using both static analysis and dynamic instrumentation with Frida and Objection.
Static analysis: binary reverse engineering (jadx, apktool, class-dump, Ghidra); hardcoded secrets and API keys; insecure data storage (SharedPreferences, SQLite, Keychain, plist files); review of the certificate validation implementation; exported components and intent handling.
Dynamic analysis: runtime manipulation with Frida and Objection; certificate pinning bypass; traffic interception (Burp Suite proxy); authentication bypass; backend API authorization testing from the app's authenticated context; root/jailbreak detection bypass.
I work from the compiled binary, with no source code required, just as an attacker would. Provide the APK or IPA file, written authorization, and test account credentials. A staging environment is strongly preferred for backend API testing. Deliverables include a full mobile pentest report, evidence, CVSS ratings, and remediation guidance.