Mobile Pentest Methodologies
Review methodologies for Mobile Apps.
Our pentesters test your assets rigorously.
We use the penetration testing objectives listed on this page. If you want to know more
about each methodology, navigate to the Pentest Methodologies page associated with your asset.
Mobile
The Cobalt team of pentesters do not need access to the underlying mobile application source code,
unless you specify it as a requirement.
When you set up a pentest for a mobile asset in the UI, you’ll see the following in the
Objectives text box:
Coverage of OWASP top 10, ASVS and application logic.
Learn more about these objectives from OWASP:
Share Mobile App Files
We look at application logic by working with your app. To support our pentesters, share the .ipa (iOS) and/or the .apk (Android)
files when you Define Your Assets. You may also share this information in the private Slack channel
for your pentest.
Methodology Details
We follow an industry standard methodology primarily based on the OWASP Application Security
Verification Standard (ASVS) and Testing Guide. Our team takes the following steps to ensure
full coverage:
Target scope reconnaissance
Based on the Pentest Brief prepared by the client, Cobalt pentesters search for
information about the targets and investigate the scope. This information
includes:
- Understanding workflows
- Understanding business logic
- Mapping the attack surface of the application
Pentesters then confirm that they can:
- Reach and scan the targets
- Test the functionality of the application
Our pentesters may use scanning tools such as:
- MobSF
- Frida
- Apktool
- Dex2Jar
Automated and manual testing
Our pentesters use a range of manual techniques and automated tools to ensure
proper coverage. They analyze your mobile app dynamically at runtime, and they also
assess the application archive (the .ipa or .apk) and the files the app stores locally on the device.
Our pentesters focus on:
- Communication channels
- Traffic that the application exchanges with external endpoints
- Inter-Process Communication (IPC)
Our pentesters may also reverse engineer the application for insight and try to access sensitive data.
For backend tests, they use API Pentest Methodologies.
Exploit discovered vulnerabilities
When our pentesters discover a vulnerability, they use various techniques to measure the impact on the following aspects of your data:
- Confidentiality
- Integrity
- Availability
Our pentesters attempt various privilege escalation methods to impersonate different users and
assess how far such access affects the security posture of the application.
Report, triage, and retest
Pentesters report and triage all findings as they work. We share details through our online platform.
We encourage you to address critical findings as we discover them. Our pentesters can retest findings, based
on your PtaaS tier.
As our pentesters document findings, they provide:
- Detailed steps to fix or remediate findings
- Advice on what you can do to improve your security

Additional Requirements
You’re welcome to define additional test objectives. If you follow best practices other than
OWASP, ASVS, or OSSTMM, let us know. Include a link or other documentation. If it’s a
“well-known” security practice, our pentesters probably already know it!
If you have special instructions for a pentest,
add them later, under Special Instructions.
Last modified December 12, 2022