Mobile Pentest Methodologies

Review methodologies for Mobile Apps.

Our pentesters test your assets rigorously.

We use the penetration testing objectives listed on this page. If you want to know more about each methodology, navigate to the Pentest Methodologies page associated with your asset.

The Cobalt team of pentesters does not need access to the underlying mobile application source code, unless you specify it as a requirement.

When you set up a pentest for a mobile asset in the UI, you’ll see the following in the Objectives text box:

Coverage of OWASP top 10, ASVS and application logic.

Learn more about these objectives from OWASP:

Share Mobile App Files

We look at application logic by working with your app. To support our pentesters, share the .ipa (iOS) and/or the .apk (Android) files when you Define Your Assets. You may also share this information in the private Slack channel for your pentest.

Methodology Details

We follow an industry standard methodology primarily based on the OWASP Application Security Verification Standard (ASVS) and Testing Guide. Our team takes the following steps to ensure full coverage:


Target scope reconnaissance
Automated and manual testing
Exploit discovered vulnerabilities
Report, triage, and retest

Mobile pentest flow

Additional Requirements

You’re welcome to define additional test objectives. If you follow best practices other than OWASP, ASVS, or OSSTMM, let us know and include a link or other documentation. If it’s a “well-known” security practice, our pentesters probably already know it!

If you have special instructions for a pentest, add them later, under Special Instructions.


Last modified December 12, 2022