Hackers can bypass security controls of iOS and Android

Mobile application testing requires both the special skills of your pentester as well as a specialized lab environment. Once Raxis has your mobile application we perform a real-world breach simulation against your product. Often using jailbroken or rooted devices, Raxis interfaces the mobile device to a computer running specialized software, allowing us to capture traffic and manipulate the application in ways your team might not have considered but a real-world attacker will most certainly attempt.

A comprehensive mobile application test from Raxis provides your team valuable insight into existing vulnerabilities and exploitations that exist in your environment.


Mobile applications can be hacked like any other technology, exposing private data that could damage your reputation.


Raxis tests all aspects of your mobile application using rooted mobile devices to look closely for cyber security threats.

Discover how to protect your mobile data in the event the user's device is compromised

Raxis engineers use jailbroken or rooted devices as well as emulators when testing mobile applications. While the workflow is much like that of web application tests and closely follows the OWASP Top 10 security guidelines, mobile applications bring another layer of complexity. From SSL certificate pinning to root/jailbreak detection and loggers transmitting sensitive data, Raxis engineers move beyond other application testing in order to provide a comprehensive test of all entry points.

Raxis engineers are well versed in mobile applications technologies and frameworks. With a focus on device security, platform configuration, mobile API elements, credential management, at-rest and in-transit data encryption, and data compartmentalization, we test your apps as well as specialized devices you may require for internal mobile applications used by your employees.

Does my app require a mobile application penetration test?

Yes. Any application always presents a potential attack point. Raxis urges our customers to test all of their applications (web, mobile, or thick client) following industry best practices of annual testing or before any major updates are released.

While mobile apps may mimic the functionality of your web application for your users (and may even use the same API behind the scenes), to a hacker, they open up a whole new avenue into your sensitive data and systems.

Should mobile app testing be a part of our Mobile Software Development Lifecycle (SDLC)?

We highly recommend that it is. Raxis customers do this in several ways:

New applications - Raxis can test your application in a QA environment before you go live so that you -- and your customers -- can rest assured that security features have been thoroughly tested and protections are in place to stop malicious actors from gaining access to your site and systems or even disrupting the environment.

Applications in constant development - When your application changes rapidly with agile teams pushing updates to production often, Raxis recommends the Pen Test as a Service (PTaaS) for mobile applications. This service includes an annual traditional penetration test and then monthly manual testing to check for updates and differences. If changes are discovered, a Raxis pentester will manually look at newly discovered vulnerabilities and alert your team. In this way your security keeps up with your constantly developing application..

Applications with scheduled updates - For applications that update rarely... quarterly or even annually, companies sometimes prefer scheduling full pentests against the changes before the updates go live. As with applications that are in constant development, Raxis can work with your team during the development process to test changes as the application is updated and to guide you on when the application should have a new full pentest as it grows.

What if my application runs on proprietary equipment?

We recommend you not only test the application, but also the device running the application. A Raxis pentest on proprietary equipment can include destructive testing to try to access ports and other device-based connections that allow us to manipulate your device and application in ways you might not foresee. Depending on the environment, knowledge of what an attacker could do upon gaining unattended access to the device is critical for a full understanding of potential risk.

If I’ve already had a web or API test, is a mobile app test needed as well?

In short, yes. Each environment offers new potential risks. If your company has in-house developed mobile applications, you should be testing them in cycle along with all of your other penetration testing.


Mobile Application Penetration Test Specifications

  • Powered by Raxis One, a secure web interface for all Raxis services
  • Testing can be performed on both iOS and Android applications
  • Raxis utilizes the same tools and techniques as a blackhat hacker, customized for mobile application attacks
  • Predictable timeline for the assessment
  • Exploitation, pivoting to other in-scope systems, and data exfiltration in scope
  • Executive debrief conference provided, if desired
  • Optional re-test to validate remediation
  • All Raxis tests are based on the MITRE ATT&CK penetration testing framework
  • Meets or exceeds requirements for NIST 800-53, NIST 800-171/CMMC, PCI, HIPAA, GLBA, ISO 27001, and SOX compliance
  • Available as a one-time service, multi-year agreement, or continuous monitoring/Penetration Testing as a Service
  • Self-managed testing via the Raxis One portal
Contact Us
©2023 Raxis LLC - All rights reserved.