Over the course of years, we've analyzed countless mobile applications for Android, iOS and Windows Mobile. Our in-depth understanding of mobile operating system internals, together with our expertise on application-specific issues, allow us to properly evaluate risks and provide practical remediations.
  • Android and iOS

    Through a comprehensive process based on static analysis, instrumentation, and dynamic testing we study mobile applications from different angles.

    Starting at the client, we analyze the integration with the operating system to identify improper usage of resources and deviation from consolidated security designs. In this phase, we identify various problems like open permissions, insecure data storage, exposed RPC and IPC capabilities, misuse of platform's security mechanisms, weak cryptographic providers and others.

    By inspecting and manipulating the network traffic, we can uncover issues pertaining to authentication and authorization, insecure session management and weak transmission protocols. Lastly, we review each server-side API endpoint with a methodology similar to that used for our web application assessments.

Information Gathering and Configuration Review

  • Languages, Frameworks and Libraries
  • Features and Components
  • Entry Points
  • Framework and Language Settings
  • Legacy and Unreachable Code
  • Manifest Configuration
  • Backup Configuration
  • Supported OS Versions
  • Requested Permissions
  • Debugging Configuration
  • Memory Protection, Allocation and Randomization

Client Integrity

  • Play Integrity API
  • SafetyNet Verify Apps API
  • DeviceCheck
  • ProGuard
  • Third-party and Custom Obfuscation
  • Debugging Detection and Prevention
  • Code Signing
  • Tampering Detection and Prevention

Input Control and Sanitization

  • Deep Links and URL Schemes
  • App Links and Universal Links
  • Exported Components and Permissions
  • SQL Injection
  • Command Injection
  • Heap or Stack Based Buffer Overflows Tapjacking


  • Cross Site Scripting
  • Cross Site Request Forgery
  • JavaScript Interfaces
  • Local Content and File Access
  • SafetyNet Safe Browsing API
  • Content Loading Restrictions

Cryptography and Data Protection

  • Improper X.509 Certificate Validation
  • Weak TLS/SSL Ciphers
  • TLS/SSL Key Strength
  • Sensitive Information Sent via Unencrypted Channels
  • Certificate Pinning
  • Encryption of Sensitive Data In Transit and at Rest
  • Device Keychain
  • Information Leakage
  • Excess Data Storage
  • Logging of Sensitive Data
  • Debugging Status
  • Intent Security

our research articles

Research is one of our founding principles and we invest in it heavily. All of our researchers have the privilege to use %25 of their time exclusively for self-directed research.

show more publications