Mobile App Security Audit (OWASP Mobile Top 10)

TRUETECH is engaged in the development, support and maintenance of iOS, Android and PWA mobile applications. We have extensive experience and expertise in publishing mobile applications in popular markets such as Google Play, the App Store, Amazon, AppGallery and others.
Development and support of all types of mobile applications:
  • Information and entertainment mobile applications: news apps, games, reference guides, online catalogs, weather apps, fitness and health apps, travel apps, educational apps, social networks and messengers, quizzes, blogs and podcasts, forums, aggregators
  • E-commerce mobile applications: online stores, B2B apps, marketplaces, online exchanges, cashback services, dropshipping platforms, loyalty programs, food and goods delivery, payment systems
  • Business process management mobile applications: CRM systems, ERP systems, project management, sales team tools, financial management, production management, logistics and delivery management, HR management, data monitoring systems
  • Electronic services mobile applications: classified ads platforms, online schools, online cinemas, electronic service platforms, cashback platforms, video hosting, thematic portals, online booking and scheduling platforms, online trading platforms

These are just some of the types of mobile applications we work with, and each of them may have its own specific features and functionality, tailored to the specific needs and goals of the client.


Mobile Application Security Audit (OWASP Mobile Top 10)

The OWASP Mobile Top 10 is a structured list of the most critical vulnerability classes in mobile apps. An audit against this standard is not a formal checklist verification: each item requires active testing adapted to the specific app architecture.

M1: Improper Credential Usage

Look for hardcoded credentials: API keys in code, passwords in config files, tokens in git history. Tools: jadx plus grep, truffleHog for the repository, and a review of AndroidManifest.xml and Info.plist.

Check storage: credentials in SharedPreferences/UserDefaults are a vulnerability; they belong in the Android Keystore / iOS Keychain. On a jailbroken device, read the Keychain via objection keychain dump to see what is stored and with which access attributes.

M2: Inadequate Supply Chain Security

Third-party dependencies are often the weakest link. Check: library versions for known CVEs (OWASP Dependency-Check, gradle dependencyInsight, pod outdated), use of libraries from untrusted sources, and the permissions requested by analytics and ad SDKs.

Separately, the CI/CD pipeline: secret scanning in the repository, artifact signing, and dependency integrity via hash verification.

M3: Insecure Authentication/Authorization

Test: bypassing the auth screen via deep links (passing URL parameters that should be available only to authorized users), horizontal privilege escalation (authorized user A accesses user B's data by changing user_id in the request), and missing session revalidation on critical operations.

In practice, we often find: a deep link such as myapp://reset-password?token=XXX processed without checking the intent source, so any app can send such an intent and trigger a password reset. Or: changing the email in the profile does not require confirmation of the current password.

M4: Insufficient Input/Output Validation

Particularly relevant on mobile: SQL injection via deep link parameters or WebView URLs, XSS in a WebView with setJavaScriptEnabled(true), path traversal when working with files (values like ../../etc/passwd in upload parameters), and unsafe deserialization of Intent extras.

```java
// vulnerable code — accepts Intent extras without validation
String fileName = getIntent().getStringExtra("file_name");
File file = new File(getExternalFilesDir(null), fileName);
// fileName = "../../../../../../data/data/com.other.app/secret.db"
// a caller-controlled relative path escapes the app's external files directory
```
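The guard that closes the traversal above, as an added example that is not part of the original page or of any audited app: a canonical-path check written in Python (an Android handler would apply the same logic to the file_name extra before constructing the File). The directory layout, file names and the helper names resolve_within and demo are constructed for the demonstration; the symlink case goes beyond the page's ".." example because realpath-based checks must handle it too.

```python
import os
import shutil
import tempfile


def resolve_within(base_dir: str, user_path: str):
    """Return the canonical path of user_path inside base_dir, or None if it escapes.

    Mirrors what a safe handler must do with a caller-supplied file name before
    using it: reject absolute names and NUL bytes, canonicalise (".." and symlinks),
    then require the result to lie strictly inside the base directory.
    """
    if not user_path or "\x00" in user_path:
        return None
    if os.path.isabs(user_path):          # "/etc/passwd" is never an app-relative name
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    if candidate == base or not candidate.startswith(base + os.sep):
        return None
    return candidate


def demo():
    """Build a throw-away layout (constructed, assumption) and run the check on sample names."""
    root = tempfile.mkdtemp(prefix="m4-demo-")
    files_dir = os.path.join(root, "files")        # stands in for getExternalFilesDir(null)
    other_app = os.path.join(root, "other_app")    # stands in for /data/data/com.other.app
    os.makedirs(files_dir)
    os.makedirs(other_app)
    with open(os.path.join(other_app, "secret.db"), "w") as fh:
        fh.write("constructed")
    with open(os.path.join(files_dir, "report.txt"), "w") as fh:
        fh.write("constructed")
    # A symlink inside the app directory pointing outside: a pure ".." filter misses this
    os.symlink(other_app, os.path.join(files_dir, "link"))

    sample_names = [
        "report.txt",                 # legitimate
        "sub/../report.txt",          # legitimate after normalisation
        "../other_app/secret.db",     # traversal, same shape as the page's example
        "/etc/passwd",                # absolute path
        "link/secret.db",             # symlink escape
        "safe\x00.txt",               # NUL byte
    ]
    results = {}
    for name in sample_names:
        resolved = resolve_within(files_dir, name)
        results[name] = resolved is not None and os.path.exists(resolved)
    shutil.rmtree(root)
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name!r:32} -> {'allowed' if allowed else 'rejected'}")
```

Only the two legitimate names are allowed; the traversal, absolute, symlink and NUL-byte cases are rejected before any file is opened.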

M5: Insecure Communication

Check via Burp Suite proxy:

  • HTTPS for all endpoints
  • Certificate Pinning (bypass via Frida ssl-unpinning.js)
  • Data in GET URL parameters (logged by servers, proxies, CDN)
  • Insecure WebSocket connections
  • Sensitive data leakage in request headers

network_security_config.xml on Android: check cleartextTrafficPermitted and custom CAs in trust-anchors. If debug-overrides allows cleartext, ensure it applies to debug builds only.

M6: Inadequate Privacy Controls

Permissions: does the app request ACCESS_FINE_LOCATION constantly when geolocation is needed only in one specific scenario? Or READ_CONTACTS without any visible contact functionality? Analyze the correspondence between requested permissions and declared functionality.

Logs: adb logcat often shows PII in the production build. Check for sensitive data in logcat, Crashlytics/Sentry messages (a stack trace may contain user data) and analytics events.

M7: Insufficient Binary Protections

Decompile APK via jadx, IPA via Ghidra. Assess:

  • Business logic readability after decompilation
  • Presence/quality of obfuscation (R8/ProGuard/DexGuard)
  • String constants in plaintext
  • Debug flags in production build (BuildConfig.DEBUG, debuggable in manifest)
  • Presence of anti-tampering checks

M8: Security Misconfiguration

Android: android:debuggable="true" in the production manifest opens debug access. android:allowBackup="true" allows adb backup on Android < 12, from which SharedPreferences and databases can be read. exported="true" on components without checking the incoming intent.

iOS: ATS (App Transport Security) disabled via NSAllowsArbitraryLoads. Entitlements: excessive capabilities (e.g., com.apple.developer.icloud-container-identifiers on an app that does not use iCloud).
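The static configuration checks from M5 (network_security_config.xml) and M8 (AndroidManifest.xml, Info.plist) as one added audit script; this is example code, not the page's or any tool's own implementation. The three input documents are constructed to contain the misconfigurations named above plus components that must not be flagged; the function names, severities and the com.example.app package are assumptions.

```python
import plistlib
import xml.etree.ElementTree as ET

# Constructed inputs (not from any audited app).
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.app">
  <application android:debuggable="true" android:allowBackup="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".ResetPasswordActivity" android:exported="true"/>
    <receiver android:name=".SyncReceiver" android:exported="true"
              android:permission="com.example.app.SYNC"/>
  </application>
</manifest>"""

NSC = """<network-security-config>
  <base-config cleartextTrafficPermitted="true">
    <trust-anchors>
      <certificates src="system"/>
      <certificates src="user"/>
    </trust-anchors>
  </base-config>
  <debug-overrides>
    <trust-anchors><certificates src="user"/></trust-anchors>
  </debug-overrides>
</network-security-config>"""

INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSAppTransportSecurity</key>
  <dict><key>NSAllowsArbitraryLoads</key><true/></dict>
</dict></plist>"""

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
COMPONENTS = ("activity", "activity-alias", "service", "receiver", "provider")


def attr(elem, name):
    """Read an android: namespaced attribute."""
    return elem.get(ANDROID_NS + name)


def audit_manifest(xml_text):
    """M8 checks: debuggable, allowBackup, exported components without a permission."""
    findings = []
    app = ET.fromstring(xml_text).find("application")
    if attr(app, "debuggable") == "true":
        findings.append(("M8", "High", "android:debuggable=true in release manifest"))
    if attr(app, "allowBackup") == "true":
        findings.append(("M8", "Medium", "android:allowBackup=true: adb backup exposes app data on Android < 12"))
    for comp in app:
        if comp.tag not in COMPONENTS or attr(comp, "exported") != "true":
            continue
        if attr(comp, "permission"):
            continue  # the system enforces a permission on the caller
        is_launcher = any(attr(a, "name") == "android.intent.action.MAIN" for a in comp.iter("action"))
        if not is_launcher:
            findings.append(("M8", "Medium", f"{comp.tag} {attr(comp, 'name')} exported without a permission"))
    return findings


def audit_network_config(xml_text):
    """M5 checks: cleartext traffic and user CAs outside debug-overrides."""
    findings = []
    root = ET.fromstring(xml_text)
    for section in ("base-config", "domain-config"):
        for cfg in root.iter(section):
            if cfg.get("cleartextTrafficPermitted") == "true":
                findings.append(("M5", "High", f"cleartext traffic permitted in <{section}>"))
            for cert in cfg.iter("certificates"):
                if cert.get("src") == "user":
                    findings.append(("M5", "High", f"user-installed CAs trusted in <{section}>"))
    if root.find("debug-overrides") is not None:
        findings.append(("M5", "Info", "debug-overrides present: active only when android:debuggable is true, "
                                       "confirm release builds are not debuggable"))
    return findings


def audit_info_plist(plist_bytes):
    """M8 check: ATS disabled globally."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    if ats.get("NSAllowsArbitraryLoads") is True:
        return [("M8", "High", "ATS disabled via NSAllowsArbitraryLoads")]
    return []


def run_audit():
    return audit_manifest(MANIFEST) + audit_network_config(NSC) + audit_info_plist(INFO_PLIST)


if __name__ == "__main__":
    for category, severity, message in run_audit():
        print(f"[{category}][{severity}] {message}")
```

The launcher activity and the permission-protected receiver are deliberately left unflagged: an exported component is only a finding when nothing gates who may send it an intent.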

M9: Insecure Data Storage

Complete audit of device data stores:

Storage | Look for | Tool
SQLite DB | sensitive data, missing encryption | objection, sqlite3
SharedPreferences / UserDefaults | passwords, tokens, keys | objection data storage
Keychain (iOS) | access attributes, what's stored | objection keychain dump
Filesystem | unencrypted documents, API response cache | objection files ls
Clipboard | auto-copy of sensitive data | manual testing

Clipboard: an often-overlooked vulnerability. The app copies a card number or password to the clipboard and another app reads it. On iOS 14 and later the system makes clipboard access visible to the user, but check anyway.
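A triage pass over a pulled app data directory covering the first rows of the table (SQLite, SharedPreferences, filesystem cache), as an added example that is not part of the original page or of objection: it checks the SQLite header to tell plain files from encrypted ones, lists columns and preference keys with sensitive names, and looks for account data in cached API responses. The sample directory, its contents and the function names are constructed for the demonstration.

```python
import os
import re
import sqlite3
import tempfile
import xml.etree.ElementTree as ET

SENSITIVE = re.compile(r"(token|passw|secret|private_key|card|cvv|session)", re.I)
SQLITE_MAGIC = b"SQLite format 3\x00"   # plain SQLite header; an encrypted (SQLCipher) file has none


def build_sample_app_dir():
    """Constructed stand-in for an app's /data/data directory pulled from a rooted device."""
    root = tempfile.mkdtemp(prefix="m9-demo-")
    for sub in ("databases", "shared_prefs", "cache"):
        os.makedirs(os.path.join(root, sub))
    db = sqlite3.connect(os.path.join(root, "databases", "app.db"))
    db.execute("CREATE TABLE users (id INTEGER, email TEXT, password_hash TEXT)")
    db.execute("CREATE TABLE session (refresh_token TEXT)")
    db.execute("CREATE TABLE settings (theme TEXT)")
    db.commit()
    db.close()
    with open(os.path.join(root, "shared_prefs", "auth.xml"), "w") as fh:
        fh.write('<?xml version="1.0" encoding="utf-8" standalone="yes" ?>\n<map>\n'
                 '  <string name="auth_token">constructed-token-value</string>\n'
                 '  <boolean name="dark_mode" value="true" />\n</map>\n')
    with open(os.path.join(root, "cache", "profile.json"), "w") as fh:
        fh.write('{"email": "user@example.com", "session_id": "constructed"}')
    return root


def sqlite_findings(path):
    findings = []
    with open(path, "rb") as fh:
        if fh.read(16) != SQLITE_MAGIC:
            return findings   # encrypted or not SQLite: schema cannot be read, nothing to report here
    findings.append(f"{os.path.basename(path)}: unencrypted SQLite file (plain header)")
    db = sqlite3.connect(path)
    tables = [row[0] for row in db.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        cols = [row[1] for row in db.execute(f'PRAGMA table_info("{table}")')]
        hits = [c for c in cols if SENSITIVE.search(c)]
        if hits:
            findings.append(f"{os.path.basename(path)}: table {table} has sensitive columns {hits}")
    db.close()
    return findings


def shared_prefs_findings(path):
    findings = []
    for entry in ET.parse(path).getroot():        # <map> children: <string name=...>, <boolean name=...>
        if SENSITIVE.search(entry.get("name", "")):
            findings.append(f"{os.path.basename(path)}: key {entry.get('name')} stored in plaintext")
    return findings


def cache_findings(path):
    with open(path, "r", errors="replace") as fh:
        body = fh.read()
    if SENSITIVE.search(body) or "@" in body:
        return [f"{os.path.basename(path)}: API response cache contains account data"]
    return []


def triage(app_dir):
    """Walk the pulled directory and dispatch each file to the matching check."""
    findings = []
    for dirpath, _, files in os.walk(app_dir):
        kind = os.path.basename(dirpath)
        for name in files:
            full = os.path.join(dirpath, name)
            if kind == "databases" and not name.endswith(("-journal", "-wal", "-shm")):
                findings.extend(sqlite_findings(full))
            elif kind == "shared_prefs":
                findings.extend(shared_prefs_findings(full))
            elif kind == "cache":
                findings.extend(cache_findings(full))
    return findings


if __name__ == "__main__":
    for line in triage(build_sample_app_dir()):
        print(line)
```

The header check is the cheap first filter: a file that starts with the SQLite magic string is readable by anyone who can copy it, so the column scan only runs on those. Keychain and clipboard are not covered here because they need a device session rather than a file pull.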

M10: Insufficient Cryptography

Weak algorithms: DES, 3DES, RC4, MD5 for passwords, ECB mode for block ciphers, predictable seed in java.util.Random instead of SecureRandom, zero or fixed IV, missing MAC (using AES-CBC without HMAC).

Custom cryptography implementations instead of standard libraries are a red flag: "own crypto" is almost always broken.
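A rule-based scan over decompiled source, serving both M1 (hardcoded credentials) and M10 (weak algorithms, ECB, fixed IV, unauthenticated CBC, java.util.Random); this is an added example, not the page's or any tool's own code. The jadx-style snippet is constructed to contain each pattern next to lines that must stay clean (AES/GCM, SecureRandom), the AWS key is the publicly documented example value, and the rule names and the scan/summarize helpers are assumptions.

```python
import re

# Constructed jadx-style output, not from any real app.
DECOMPILED = """\
package com.example.app;
public class ApiClient {
    private static final String API_KEY = "AKIAIOSFODNN7EXAMPLE";
    private static final String PASSWORD = "hunter2";
    private static final String BASE_URL = "https://api.example.com/v1/";
    byte[] iv = new byte[16];
    Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
    Cipher d = Cipher.getInstance("DES/CBC/PKCS5Padding");
    Cipher e = Cipher.getInstance("AES/CBC/PKCS5Padding");
    Cipher f = Cipher.getInstance("AES/GCM/NoPadding");
    MessageDigest md = MessageDigest.getInstance("MD5");
    Random rnd = new Random(42);
    SecureRandom sr = new SecureRandom();
    IvParameterSpec spec = new IvParameterSpec(iv);
}
"""

# (category, description, pattern); each is a heuristic to review, not a verdict.
RULES = [
    ("M1", "hardcoded AWS access key id", re.compile(r"AKIA[0-9A-Z]{16}")),
    ("M1", "hardcoded password/secret literal",
     re.compile(r'(?i)(password|secret|api_?key)\s*=\s*"[^"]+"')),
    ("M10", "weak cipher (DES/3DES/RC4)", re.compile(r'getInstance\("(DES|DESede|RC4|ARCFOUR)')),
    ("M10", "ECB mode", re.compile(r'getInstance\("[A-Za-z0-9]+/ECB')),
    ("M10", "AES-CBC: verify an HMAC is applied", re.compile(r'getInstance\("AES/CBC')),
    ("M10", "weak hash (MD5/SHA-1)", re.compile(r'MessageDigest\.getInstance\("(MD5|SHA-?1)"')),
    ("M10", "java.util.Random with fixed seed", re.compile(r"new Random\(\s*\d+\s*\)")),
    ("M10", "zero/fixed IV buffer", re.compile(r"new byte\[(16|12)\]")),
]


def scan(source: str):
    """Return (category, rule, line_no, line) for every rule hit in decompiled source."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for category, rule, pattern in RULES:
            if pattern.search(line):
                findings.append((category, rule, line_no, line.strip()))
    return findings


def summarize(findings):
    """Count findings per OWASP category."""
    counts = {}
    for category, _, _, _ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan(DECOMPILED)
    for category, rule, line_no, text in hits:
        print(f"[{category}] line {line_no}: {rule}: {text}")
    print(summarize(hits))
```

The AES/CBC rule is intentionally phrased as a question: CBC is fine with a MAC, so the hit marks a place to confirm that an HMAC (or a switch to GCM) is present rather than a finding on its own.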

Report and Prioritization

For each of the 10 categories we record: found/not found, specific vulnerability instances with CVSS scores, reproduction steps, and recommendations with code examples. Priorities: Critical (exploitable without root/jailbreak, direct data access) → High → Medium → Low (informational findings).

An audit of a typical mid-scale app against the OWASP Mobile Top 10 takes 3–5 working days. It includes static analysis, dynamic testing on rooted Android and jailbroken iOS, and traffic analysis. The volume of documentation follows the client's requirements.