Mobile Application Penetration Testing in Singapore

What is Mobile Application Penetration Testing?

Mobile Application Penetration Testing (a.k.a. Mobile Pentest, Mobile VAPT, Mobile Pen Testing) reveals vulnerabilities in the cyber security posture of a mobile application. Applications running on iOS and Android applications commonly require this assessment. Protect your mobile applications against cyber security threats with softScheck Singapore.

The main attack surface for a mobile security test consists of a conjunction of multiple different tiers of components: app, communication, and back-end server.


softScheck is a CREST accredited Penetration Testing provider in Singapore.



Insecure data storage, poor resiliency against reverse engineering etc.


Usage of insecure or unencrypted communication channels, missing SSL certificate pinning etc.

Back-end Servers

Flawed authentication and session management, vulnerable server-side functions etc.

Objective of the mobile application penetration testing assessment

Identify gaps in security of the mobile application, and its API/web platform/web service
Ensure the expected security protections exist and are effective
Compliance with regulations in Singapore

Our Mobile App Pen Testing Approach & Methodology


Application Walkthrough and Binary Analysis


Vulnerability Identification


Vulnerability Exploitation



Our Mobile App Pen Testing methodology is based upon the industry standard Open Web Application Security Project (OWASP Mobile), and our internal manual checklist developed from our research lab in Singapore. The mobile pen testing assessment covers vulnerabilities including, but not limited to:

Weak server-side controls, e.g.
(a) Injection flaws; (b) Access controls; (c) Improper session handling; (d) Untrusted inputs; (e) Poor authorization and authentication; (f) Application logic flaws. Test and review business logic exposures and verify results from automated tools.
Insecure data storage. Review the contents of mobile devices to identify sensitive information stored, e.g.
(a) Credentials on the file system; (b) Credentials in memory; and (c) Data stored on the file system
Insecure transport layer protection;
Unintended data leakage, e.g.
(a) Clear text data; (b) Backdoor data; and (c) Clear text credentials
Broken cryptography;
Client-side injection including code tampering;
Lack of binary protection;
Decompiling, analysing and modifying the installation package;
Improper platform security (e.g. jailbreak, phone, user)

The vulnerabilities are evaluated using the Common Vulnerability Scoring System) (CVSS) method to assess and evaluate the risk.