Mobile app penetration testing

Two stores. Two binaries. One method.

Mobile application penetration testing across iOS · Android, tested by hand for insecure deeplink hijack, Keychain / Keystore mishandling, addJavascriptInterface RCE, intent injection, TLS-pinning bypass, and binary-extracted secrets. Every finding lands with a working proof-of-exploit, the patch path, and a verified re-test.

Read a sample report
Two phone outlines: iOS on the left, Android on the right. Each is paired with one real misconfiguration highlighted in orange, NSAllowsArbitraryLoads = true on iOS Info.plist, and android:exported="true" on AndroidManifest. Both are recognizable mobile-pentest findings exploited in real engagements.

iOS · Android

Native, hybrid, and cross-platform builds, read by hand, hooked at runtime.

Static + Dynamic

IPA / APK reviewed and the binary instrumented under Frida, Objection, and a real device proxy.

Re-test included

We verify your fixes at no extra cost. One engagement, closed loop.

Why now

The window from vulnerability discovery to exploitation has gone from weeks to hours.

Trusted by security teams across Fintech, SaaS & Education, Enterprise & Telecom, Security & Critical Infrastructure

Airbase
Quiltt
Pacvue
Imagine Learning

On record

  • CREST accredited
  • AICPA SOC 2 Type II

Why mobile pentest needs runtime

Static stops at the surface. Runtime tells the truth.

MAST scanners read what the binary admits to: manifest exports, declared permissions, declared TLS posture. None of that survives contact with a real device under instrumentation. Frida hooks the live process. Objection bypasses pin checks. A proxy reads the network as the app sees it. Only at runtime do you see the secrets that resolve from the Keychain, the deeplink that sidesteps auth, the WebView bridge that hands JS the file system, the API call the app makes when it thinks no one is watching. We deliver the chain in motion: source, binary, hook, exploit, the patch path, the re-test.

How AI fits in mobile pentest engagements →
Two columns. Left, Static: a closed opaque binary box with one isolated surface dot, the scanner's view. Right, Runtime: the same binary with a Frida hook attached, revealing an internal data-flow chain ending in an orange terminator. Findings only emerge once the binary is instrumented at runtime.

MOBILE PENTESTS DELIVERED.

Two stores. Counted, not claimed.

Native binaries, hybrid frameworks, and the backends they call. Each reviewed by hand and hooked at runtime. Numbers below are engagements SecureLayer7 has actually closed, not market-size estimates.

Android pentests delivered
3,256+

Manual review of DEX, Smali, Kotlin, and Java. Frida runtime hooks, Keystore mishandling, intent injection across exported components.

iOS pentests delivered
2,177+

Manual review of Mach-O, Swift, and Objective-C. Keychain access-control flaws, ATS bypass, Universal Links auth gaps under a live-device proxy.

Stores per engagement
Both

iOS and Android run side-by-side under one scope. The shared mobile backend is included by default. One engagement, two binaries, one report.

TWO STORES.

The runtime classes both iOS and Android share, plus the platform-specific ones.

  1. Frida runtime hooks

    We attach Frida or Objection to bypass client-side controls and read live state from running iOS and Android processes.

  2. Keychain and Keystore drift

    iOS Keychain items stored with kSecAttrAccessibleAlways (readable while the device is locked, and carried into encrypted backups) and Android Keystore keys created without a user-authentication binding, so they stay usable once the lock-screen prompt is bypassed.

  3. Deep-link account hijack

    Custom-scheme and Universal Link collisions abused to land the attacker inside an authenticated session without a tap.

  4. Intent redirection

    Exported Android activities and pending-intent reuse turned into cross-app privilege escalation and forced token exfiltration.

  5. WebView and JS bridge

    addJavascriptInterface RCE, file:// XSS, and @JavascriptInterface bridge methods that let page script reach native storage and credentials.

  6. Pinning and biometric bypass

    TLS pinning hooked out at the SSLSocketFactory / TrustManager layer on Android and the NSURLSession challenge delegate on iOS, plus LAContext evaluatePolicy and BiometricPrompt callbacks faked to skip Face ID and fingerprint checks.

  7. Binary-extracted secrets

    Strings, .plist, Smali, and DEX inspection that lifts API keys, signing certs, and back-end URLs straight out of the shipped artifact.

What we cover —

Eight layers. Every one read by hand and hooked at runtime.

Mobile is a stack: the binary, the runtime, the IPC, the network, the backend it actually calls. We test each layer in the language and toolchain your team ships in.

iOS native — Swift · Objective-C · SwiftUI

Keychain access-control mishandling, ATS bypass via NSAllowsArbitraryLoads, URL-scheme hijack, Universal Links validation gaps, App Group leakage, jailbreak-detection bypass under Frida.

Android native — Kotlin · Java · Compose

Exported-activity hijack, intent injection, ContentProvider authority abuse, insecure SharedPreferences, Keystore mishandling, root-detection bypass, Smali patching with objection and MobSF triage.
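A static triage pass for the two manifest-level settings this page calls out on iOS and Android (the ATS switch in Info.plist and exported components in AndroidManifest.xml), as an added example in Python. It is not SecureLayer7's tooling; the manifest, plist, package name, scheme and permission name are constructed samples. It goes slightly beyond a grep for android:exported="true" by also catching the implicit export (an intent-filter with no explicit android:exported, the default before Android 12) and by recording the guarding permission, which decides whether an exported component is a finding or just an entry point. This is the "surface" view the page describes; reachability and what the component does with a hostile intent still have to be confirmed at runtime.

```python
"""Static triage of exported Android components and iOS ATS settings.

Added example; inputs are constructed samples, not a real app.
"""
import plistlib
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed manifest: one private activity, one exported deep-link activity
# with no permission, one receiver exported implicitly via its intent-filter,
# and one exported provider guarded by a custom permission.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.bank">
  <application>
    <activity android:name=".MainActivity" android:exported="false"/>
    <activity android:name=".DeepLinkActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <data android:scheme="bankapp" android:host="oauth"/>
      </intent-filter>
    </activity>
    <receiver android:name=".SyncReceiver">
      <intent-filter>
        <action android:name="com.example.bank.SYNC"/>
      </intent-filter>
    </receiver>
    <provider android:name=".DocsProvider"
              android:authorities="com.example.bank.docs"
              android:exported="true"
              android:permission="com.example.bank.READ_DOCS"/>
  </application>
</manifest>
"""

# Constructed Info.plist: ATS disabled globally, plus one exception domain
# that also allows plaintext HTTP.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.bank</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>legacy.example.com</key>
      <dict><key>NSExceptionAllowsInsecureHTTPLoads</key><true/></dict>
    </dict>
  </dict>
</dict></plist>
"""


def exported_components(manifest_xml: str) -> list[dict]:
    """Return components another app can reach.

    Exported when android:exported="true", or when an intent-filter is
    present with no explicit android:exported (the default before
    Android 12). A provider with neither attribute nor filter is treated
    as private here; for targetSdk < 17 it would be exported by default,
    so check minSdk/targetSdk separately in that case.
    """
    root = ET.fromstring(manifest_xml.encode("utf-8"))
    found = []
    for comp in root.find("application"):
        if comp.tag not in COMPONENT_TAGS:
            continue
        explicit = comp.get(ANDROID_NS + "exported")
        has_filter = comp.find("intent-filter") is not None
        exported = has_filter if explicit is None else explicit == "true"
        if exported:
            found.append({
                "type": comp.tag,
                "name": comp.get(ANDROID_NS + "name"),
                "implicit": explicit is None,
                "permission": comp.get(ANDROID_NS + "permission"),
            })
    return found


def ats_findings(plist_bytes: bytes) -> list[str]:
    """Flag App Transport Security settings that allow plaintext or weak TLS."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    findings = []
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("NSAllowsArbitraryLoads=true: ATS disabled for every host")
    for host, rules in ats.get("NSExceptionDomains", {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(f"{host}: NSExceptionAllowsInsecureHTTPLoads=true, plaintext allowed")
        if rules.get("NSExceptionMinimumTLSVersion", "TLSv1.2") < "TLSv1.2":
            findings.append(f"{host}: NSExceptionMinimumTLSVersion below TLSv1.2")
    return findings


if __name__ == "__main__":
    for c in exported_components(SAMPLE_MANIFEST):
        how = "implicit via intent-filter" if c["implicit"] else "android:exported=true"
        guard = c["permission"] or "no permission"
        print(f"[android] {c['type']} {c['name']}: exported ({how}); guard: {guard}")
    for line in ats_findings(SAMPLE_PLIST):
        print(f"[ios] {line}")
```

Run it on a decoded manifest (apktool or aapt2 output) and the IPA's Info.plist; every exported component with no permission is a candidate for the intent-injection and deep-link classes above, and every ATS finding is a place the device proxy will see plaintext.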

Hybrid — React Native · Flutter · Cordova · Ionic

JS-bridge exposure, deserialised props from native to JS, asset bundle tampering, hot-reload server abuse on dev builds shipped to prod, Flutter snapshot reverse-engineering.

WebView surface

addJavascriptInterface RCE, file:// URI access from a remote origin, mixed content, intent:// scheme abuse, JS-to-native bridge auth gaps, cookie scope leakage between WebView and host app.

Inter-process communication (IPC)

Android intents, iOS URL schemes, Universal Links, App Links, broadcast receivers, deep-link OAuth-state mishandling, activity-stack tampering, share-sheet payload injection.
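The deep-link OAuth-state mishandling named above, shown as an added example in Python rather than as app code from this page or any vendor: an unsafe callback handler beside one that pins the callback to the verified https host, compares state in constant time, and burns it after one use. The bankapp:// scheme, the auth.example.com host and the callback path are assumptions.

```python
"""Deep-link OAuth callback: unsafe handler beside a checked one.

Added example. The bankapp:// scheme, the auth.example.com host and the
callback path are assumptions, not values from any real app.
"""
import hmac
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Only the verified Universal Link / App Link host may deliver the callback.
# Custom schemes can be registered by any installed app, so a bankapp://
# callback is attacker-reachable by design (assumed list for this example).
TRUSTED_CALLBACKS = {("https", "auth.example.com", "/oauth/callback")}


class PendingAuth:
    """Per-flow state created when the app launches the authorization request."""

    def __init__(self) -> None:
        self.state = secrets.token_urlsafe(32)
        self.consumed = False


def handle_callback_unsafe(url: str) -> Optional[str]:
    """Vulnerable pattern: any scheme or host, no state check, replayable.

    A second app claiming the same custom scheme, or a crafted link the
    victim opens, lands the attacker's code in the victim's session
    (login CSRF / account-linking hijack).
    """
    return parse_qs(urlsplit(url).query).get("code", [None])[0]


def handle_callback(url: str, pending: Optional[PendingAuth]) -> Optional[str]:
    """Hardened pattern: pinned origin, constant-time state check, single use."""
    parts = urlsplit(url)
    if (parts.scheme.lower(), parts.netloc.lower(), parts.path) not in TRUSTED_CALLBACKS:
        return None
    if pending is None or pending.consumed:
        return None  # no flow in progress, or this link was already used
    qs = parse_qs(parts.query)
    code = qs.get("code", [None])[0]
    state = qs.get("state", [""])[0]
    if not code or not hmac.compare_digest(state.encode(), pending.state.encode()):
        return None
    pending.consumed = True  # burn the state so the same link cannot be replayed
    return code


if __name__ == "__main__":
    flow = PendingAuth()
    good = f"https://auth.example.com/oauth/callback?code=AUTHCODE&state={flow.state}"
    evil = "bankapp://oauth/callback?code=ATTACKER_CODE"
    print("unsafe handler, attacker link:", handle_callback_unsafe(evil))
    print("hardened handler, attacker link:", handle_callback(evil, flow))
    print("hardened handler, genuine link:", handle_callback(good, flow))
    print("hardened handler, replayed link:", handle_callback(good, flow))
```

The unsafe handler is the shape that turns a scheme collision into a session takeover; the hardened one is what the re-test looks for, and it fails closed when no flow is pending.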

Mobile API & backend

REST and GraphQL endpoints called only by the mobile client — broken object-level authZ, mass assignment, mobile-only auth flows, refresh-token rotation gaps, abuse of mobile-specific headers as trust signals.

Embedded SDKs & native libs

Third-party SDKs (analytics, payments, in-app messaging) audited for over-permission and data exfiltration. JNI / NDK native libs reviewed for buffer overflow, format-string, use-after-free, and unsafe FFI boundaries.

Reverse engineering & resilience

Mach-O / DEX / Smali disassembly under IDA, Ghidra, jadx. Hardcoded API keys, signing material, and crypto secrets extracted from the binary. Control-flow obfuscation and tamper-detection tested against real bypasses, not vendor claims.
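What the binary-extracted-secrets pass (item 7 above and this section) turns up once a plain strings dump is ranked by known key shape and entropy, as an added example in Python; it is not this page's or any vendor's tool. The byte blob is constructed, the AWS key is Amazon's publicly documented example value, and the 4.0-bit entropy threshold is an assumption.

```python
"""Rank strings lifted from a shipped binary by known key shape and entropy.

Added example. SAMPLE_BLOB is constructed; the AWS key is Amazon's
documented example value; the 4.0-bit entropy threshold is an assumption.
"""
import math
import re

MIN_LEN = 8
PRINTABLE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)

# Publicly documented key shapes: any match is worth triage regardless of entropy.
KNOWN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]+\b"),
    "url_with_basic_auth": re.compile(r"https?://[^\s/:@]+:[^\s/@]+@[^\s/]+"),
}
# Generic "name = value" shapes: keep only values whose entropy looks like a key.
GENERIC = re.compile(r"(?i)(secret|token|api[_-]?key|password)\W{0,4}([A-Za-z0-9+/=_\-]{16,})")

# Constructed artifact: binary noise, UI text, a real-looking AWS key, a
# JSON-style API key, a low-entropy placeholder, and a URL embedding credentials.
SAMPLE_BLOB = (
    b"\x7fELF\x02\x01\x01\x00\x00\x00Welcome back to your account\x00"
    b"\x10\x20aws_access_key_id=AKIAIOSFODNN7EXAMPLE\x00\xff"
    b'{"api_key": "q7R2mZ9xK4pL8vN1sT6wY3bC"}\x00'
    b"password=aaaaaaaaaaaaaaaaaaaa\x00"
    b"https://svc:hunter2pass@internal.example.net/api/v1\x00\xfe\xfeshort\x00"
)


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking keys score well above English text."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def extract_strings(blob: bytes) -> list:
    """Equivalent of `strings -n 8`: runs of printable ASCII."""
    return [m.group().decode("ascii") for m in PRINTABLE.finditer(blob)]


def find_secrets(blob: bytes, entropy_threshold: float = 4.0) -> list:
    hits = []
    for s in extract_strings(blob):
        for kind, pat in KNOWN_PATTERNS.items():
            for m in pat.finditer(s):
                hits.append({"kind": kind, "value": m.group(),
                             "entropy": round(shannon_entropy(m.group()), 2)})
        for m in GENERIC.finditer(s):
            value = m.group(2)
            ent = shannon_entropy(value)
            if ent >= entropy_threshold:  # drops "aaaa..." placeholders and ordinary words
                hits.append({"kind": "high_entropy_" + m.group(1).lower(),
                             "value": value, "entropy": round(ent, 2)})
    return hits


if __name__ == "__main__":
    for h in find_secrets(SAMPLE_BLOB):
        print(f"{h['kind']:<24} entropy={h['entropy']:<5} {h['value']}")
```

Feed it the raw DEX, a Mach-O slice, or the unpacked assets directory and it produces the shortlist a reviewer then confirms by hand; whether a lifted key is live is a question for the backend phase, not the strings pass.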

MOBILE METHODOLOGY.

Eight phases. Binary to backend.

Threat-modelled to your platform mix, build pipeline, and backend reach. Not a checklist run against every IPA we receive.

  1. Scope & threat-model
  2. Source & binary recon
  3. Static analysis
  4. Dynamic instrumentation
  5. Network & backend
  6. Reverse engineering
  7. Exploit synthesis
  8. Patch verification

Meet our engagement lead


John Dill

vCISO at SecureLayer7

5,000+

Mobile pentests scoped

iOS · Android

Platforms in scope

98%

Engagement-lead close rate

John scopes mobile pentest engagements against your platform mix, build pipeline, and backend reach. He runs kick-off, status reviews, and sign-off so the mobile pod stays heads-down on the binary.

  • Scopes engagements across iOS, Android, hybrid (RN, Flutter), and mobile-API surfaces against your real risk model.
  • Owns kick-off, mid-engagement walkthroughs, and live review of every finding.
  • Drives remediation review and re-test until every finding is closed and proven.
SL7 Lab. Published CVE research.

Ready to scope a mobile pentest? Book 30 minutes with John to walk through your iOS and Android builds, hybrid stack, and timeline.

Book a 30-min call

Whitepaper

Mobile-app control bypass.

Original research on bypassing Appdome mobile-app privacy and security controls. Read before you assume RASP / shielding fully protects a release.

Tested by industry.

The bug classes named below come from real engagements in each sector. Pick the closest fit.

FinTech

Banking apps, UPI-aware mobile clients, custody apps, KYC capture flows.

Retail

Retail apps, in-app checkout, loyalty wallets, kiosk-pairing flows.

HealthTech

Patient apps, telehealth clients, PHI capture, prescription pickup flows.

Built for Australia engagements

What changes when we deliver here.

  • Regulatory framework

    APP 11 reasonable-steps column per finding

  • Compliance scoping

    APP 8 third-party SDK destination ledger

  • Local engagements

    Big 4 bank super-app retested across 3 OS versions

  • Local pricing

    AUD fixed-fee per platform, GST on quote

  • Compliance scoping

    OWASP MASVS L1 / L2 verdict per control

Questions Australian mobile teams ask first.

  • Do reports cover APP 11 reasonable-steps evidence?

    Yes. Storage, keychain, and IPC findings each list the APP 11 step that fails and the fix needed before OAIC review.

  • How do you handle cross-border SDK traffic under APP 8?

    Each third-party SDK call is logged with destination country. Findings flag APP 8 disclosures the privacy notice must list.

  • Will the NDB scheme apply if a flaw leaks data?

    We mark every finding against the eligible-data-breach criteria. Where an exploit is likely to result in serious harm, the report includes the NDB scheme's 30-day assessment window and a draft OAIC notification.

  • Do you test against MASVS levels?

    Yes. L1 by default. L2 plus the resilience (R) requirements for banking apps. Each MASTG (formerly MSTG) test maps to a pass, fail, or partial verdict.

Delivery in Australia

APP 11 security. APP 8 transfer. OWASP MASVS.

Findings cite APP 11 reasonable steps and APP 8 cross-border disclosure clauses. Reports trace each storage and transit issue to MASVS L1 or L2.

Direct line
+61-2-0000-0000
Office
Sydney, Australia

Frameworks scoped: ASD Essential 8 · APRA CPS 234 · Privacy Act · ISO/IEC 27001.

Sample mobile pentest report, chain · evidence · patch path · re-test

Sample engagement report

See what arrives in your inbox.

A pre-vetted sample report: full mobile-pentest narrative, working PoC on a real device, the patch path, and the re-test confirmation. Sent on request after a 5-minute scoping call.