The depth and scope of NowSecure Platform testing gives customers assurance that their mobile AppSec programs meet the highest industry standard.

Media Announcement

Penetration Testing for Mobile Applications

Penetration testing for mobile applications analyzes mobile apps for security vulnerabilities to protect against attacks. The Apple App Store™ and Google Play™ host nearly 6 million mobile apps combined. Organizations need proven mobile security testing across all app components. Successful mobile app pen testing begins with decades of skills, exemplary customer service, flexible scheduling and lightning-fast turnaround time. These critical elements facilitate a threat-based approach, thorough testing with multiple analysis types, and assistance to remediate and validate any issues discovered.


When a Pen Test Is Needed

There are a number of factors that make penetration tests necessary for mobile apps. Compliance
requirements are the most obvious. Certain features, functionalities, or authentication measures
also require a penetration test to ensure the safety of customer data, PII, and company IP.

  • Initial release
  • Major update
  • Store or handle sensitive data
  • Subject to industry regulations
  • Require advanced scoping
  • Support USB connectivity to external devices
  • Use Bluetooth Low Energy
  • Use multi-factor authentication
  • Run on a non-standard platform
  • Require defense-in-depth and reverse engineering resiliency

The NowSecure Mobile Advantage

NowSecure solutions span more than 25 industry frameworks, mobile app security standards and compliance standards for mobile apps. These include NIST 800-53 cybersecurity, OWASP Mobile Application Security Verification Standard (MASVS), California Consumer Privacy Act (CCPA) and Google Play Data Safety independent security review with ADA Mobile App Security Assessment (MASA). Encompassing all possible pen test options ensures the most successful assessment and operationalizes a repeatable mobile penetration testing methodology. This methodology includes the OWASP Mobile App Security Checklist plus the use of Frida and Radare to ensure higher quality and fewer malicious exploits.

Threat modeling

Taking a threat-based approach, NowSecure uses a proven, repeatable threat modeling process: analyzing the organizational and technical requirements of the mobile app and its dependent infrastructure, identifying sensitive data and critical IP in the mobile app, pinpointing the potential threats, and documenting the overall threat profile. This threat model drives a more effective assessment of each mobile app’s specific threat landscape.


Remediation guidance and assistance

Developers and security teams need to understand the vulnerabilities found in a mobile pen test and how to fix them. NowSecure partners with development and security teams to fully explain issues identified during mobile pen testing and recommend code changes for proper remediation, coaching the team to understand the attacker approach and exploitability.


Remediation verification and re-testing

Verifying threat isolation and successful remediation of vulnerabilities is critical to success. Through a targeted retest, NowSecure’s security analysts confirm proper remediation for confidence the mobile app is safe and ready for production.


Tiered model for level of depth and scrutiny

Because each mobile app has a different risk profile and threat model, NowSecure helps organizations build a tiered risk model for their mobile app portfolio. Lower risk apps may require only periodic testing, while higher risk apps may require more in-depth testing for every release into production. In this way organizations can balance their spend and effort with risk.


Meet Standards And Regulations Requiring Penetration Tests


Google announced that Play developers must publish disclosures in their Play store listings describing how their apps collect, share, and secure user data. Now, developers can independently assess their applications, with NowSecure, using the highest standard of mobile security and privacy, established by the App Defense Alliance (ADA) using the Mobile Application Security Assessment (MASA). Developers who receive an Independent Security Review can then use the Google Play Data safety section to inform users that their application meets this heightened standard. NowSecure is an authorized lab to perform these independent security reviews.

OWASP MASVS Compliance

Open Web Application Security Project® (OWASP) is a nonprofit foundation improving the security of software. The NowSecure OWASP Pen Testing program uses the three core components of the OWASP mobile project:

  • OWASP Mobile Application Security Verification Standard (MASVS)
    establishes a baseline of security requirements for mobile apps
  • OWASP Mobile Security Testing Guide (MSTG) outlines how to test the MASVS requirements
  • OWASP Mobile App Security Checklist tracks security assessment tasks


Mobile apps are critical to enabling U.S. federal agencies to meet their mission. Core to that mission is ensuring a high security testing bar for the mobile apps they build and use. The National Information Assurance Partnership (NIAP) manages a national program for developing Protection Profiles, evaluation methodologies, and policies that will ensure achievable, repeatable, and testable requirements. For mobile apps, NIAP has created the Mobile App Vetting Protection Profile for Application Software v1.3, and NowSecure is the only vendor to support this initiative with an automated solution.

Rest Assured With NowSecure 
 Deep Mobile App Pen Testing Experience

NowSecure boasts more than a decade of mobile app pen-testing with experience testing more than 11,000 mobile apps and the industry’s broadest collection of the most skilled pen testers.

Our experts have helped hundreds of organizations establish successful mobile app pen testing programs.

Trusted by many of the world’s most demanding organizations across banking, insurance, high tech, retail, healthcare, government, IoT and others.



“Tickets include remediation suggestions from NowSecure which are very, very helpful.”

Micha Katz

Chief Information Security Officer, Yellow Card



“NowSecure Platform gives us confidence that the developers practice secure coding and NowSecure Mobile PTaaS gives us the required manual testing for compliance reporting and even more confidence in complete coverage.”

Information security manager

Genisys Credit Union



“Collaborations with security researchers and analysts play a key role in how we keep the Peloton community secure.”

Jorge Lopez

Director of Global Security Incident Response & Threat Intelligence, Peloton

Not All Mobile Pen Tests Are Created Equal

NowSecure offers customers more than a decade of building advanced tools, delivering expert pen testing security services and actively supporting open-source and industry standards projects. This includes delivering the industry’s first full mobile app security solution suite with the launch of an online self-service training, certification program, and substantial enhancements to its existing solution portfolio.

Combine Manual and Automated for Depth at Speed

NowSecure Platform Guided Testing combines the best of automated and manual assessments. In a Guided Test, an automated battery of 600 tests is completed and the assessment utilizes the real physical devices used in every NowSecure Platform assessment. The mobile app is interrogated in four passes in order to test the different network conditions an attacker may utilize to compromise the application, and Guided Testing also provides the critical capability of leveraging the expertise of a NowSecure Analyst. This NowSecure Analyst interacts with the mobile application in order to provide coverage beyond anti-automation features like 2FA, MFA, CAPTCHA, and more, and tests the complex user navigation of the application. NowSecure Platform Guided Testing provides depth of coverage at the speed of DevSecOps.

Scale with Pen Testing as a Service

Pen Testing as a Service utilizes automation and manual assessments to empower development and security teams to adopt continuous testing while maintaining a regular cadence of manual assessments. With NowSecure Mobile PTaaS, get access to NowSecure Platform and NowSecure expert penetration testing services, and add industry or standards-based validation. Integrate testing into the CI/CD and dev toolchain to automatically initiate and generate tickets from assessments. Get best-in-class penetration testing from the industry leading mobile experts.

Full scope pen tests require sophistication and depth

A consultative approach to full scope penetration tests is key. Partnering with an expert to understand the threat landscape, attack vectors, and key information that can be extracted from a mobile application tailors the test for relevant, thorough testing. Full scope pen tests from NowSecure can be used for independent, third-party verification for compliance or to augment common staffing shortages. NowSecure bolsters security teams with an assessment leveraging industry mobile standards such as the OWASP MASVS and CVSS backed by decades of experience and tens of thousands of mobile app penetration tests.

Focused pen tests for specific workflows

Partner with our pen testing experts to identify and test specific app code in your mobile app, such as crypto / storage or network / backend API, or to test specific workflows such as account origination or shopping cart transactions. Ensure you are protecting critical app components to prevent customer data leakage, IP theft, credential interception, or worse.

Granular differentiation for unique nature of mobile and web pen testing

Traditional web application security testing fails to fully assess the security risks present for mobile apps. Mobile presents a far larger attack surface than web app code running on a server or on other network infrastructure controlled behind firewalls. 100% of mobile app code lives in the operating system and is subject to the high-quality reversing tools available to malicious actors today. Because 100% of mobile app code lives in the wild in the mobile operating system, it can easily be reverse engineered by any attacker, developer or security analyst.

Assemble and customize your toolkit, here’s a checklist too

NowSecure continues to extend proven industry leadership in the rapid and secure development of top software for the reverse engineering (Radare) and the dynamic analysis (Frida) of mobile applications. Radare discovers internal functions in low-level detail. Frida subsequently analyzes behaviors in real time. NowSecure Workstation is a fully developed mobile penetration testing kit that includes both Frida and Radare which security analysts of any expertise level can use to quickly and thoroughly pen test mobile apps.
