Mobile App Penetration Testing
Job Summary
Job Description:
4.1 Key Responsibilities:
Perform end-to-end security testing of Android and iOS applications using static, dynamic, behavioral and manual validation techniques aligned to mobile security best practices.
Assess mobile applications for insecure data storage, weak authentication and authorization, insecure transport, cryptographic weaknesses, hardcoded secrets, WebView issues, deep link abuse, root / jailbreak weaknesses and anti-tamper gaps.
Validate source-based and binary-based security posture for APK / AAB / IPA deliverables, including package structure, embedded components, risky permissions and exposure of sensitive data or functionality.
Operate or coordinate SAST, SCA, DAST and API security testing for mobile applications and supporting services, ensuring results are triaged, normalized and actioned.
Perform API security assessment of mobile backend services, including object-level authorization, broken authentication, excessive data exposure, rate limiting gaps, SSRF scenarios, business-flow abuse and security misconfiguration.
Support or evaluate IAST and runtime validation approaches where instrumentation can improve visibility
into reachable vulnerabilities and runtime behavior.
Validate mobile runtime protection / RASP-aligned controls such as SSL pinning, jailbreak / root detection, anti-debugging, integrity verification and anti-tamper mechanisms where applicable.
Conduct threat modeling for features, architectures and user journeys using structured methods such as STRIDE; convert threats into security requirements, abuse cases and test objectives.
Integrate or govern security checks within CI/CD pipelines for mobile builds, including scan orchestration, secure secrets handling, branch / environment controls, artifact signing and policy-based promotion gates.
Generate, review or govern SBOM outputs and assess software supply chain risk for dependencies, SDKs, packages, plugins and third-party services used in the mobile ecosystem.
Perform or coordinate binary and malware-oriented scanning to identify suspicious libraries, trackers, embedded credentials, policy violations and indicators of tampering or malicious behavior.
Lead vulnerability triage and remediation coordination with mobile engineers, API teams, DevOps, QA, architecture and product stakeholders; provide evidence-based retest and closure support.
Own or contribute to metrics, dashboards, governance packs, exception tracking and release security sign-off reporting using Power BI or equivalent analytics tooling.
Support optional reverse engineering and app-store readiness activities where public release, anti-tamper assurance, privacy declarations or reviewer instructions are required.
4.2 Required Qualifications:
Bachelor's degree in Computer Science, Cybersecurity, Information Security, Software Engineering or a related discipline; equivalent practical experience can be considered based on organization policy.
5-10 years of experience in Application Security, Product Security, Mobile Security Testing, DevSecOps or a closely related role.
Hands-on experience testing Android and/or iOS applications, including static and dynamic analysis, traffic inspection, authentication flows, local storage review and abuse-case validation.
Strong understanding of mobile attack surfaces, secure coding implications and release assurance considerations for mobile applications.
Experience with SAST, SCA, DAST, API security, threat modeling and vulnerability remediation coordination.
Page 4
Internal - General Use
Working knowledge of CI/CD security, dependency governance, SBOM concepts and software supply chain risks.
Ability to communicate findings clearly to developers, product managers and leadership audiences, with actionable remediation guidance and prioritization rationale.
Comfort operating in an enterprise governance model with dashboards, KPIs, exceptions and evidence-based closure.
4.3 Preferred / Optional Qualifications
Experience with reverse engineering and tamper analysis of Android and iOS applications.
Experience with runtime shielding, mobile RASP, fraud defense or in-app runtime protection technologies.
Experience supporting Play Store / App Store release readiness, privacy/security declaration checks or policy-driven reviewer submissions.
Familiarity with pipeline provenance, artifact signing, attestation or SLSA-aligned software supply chain controls.
Experience creating executive-ready dashboards in Power BI or similar BI tooling.
Security certifications or mobile-security-specific credentials as relevant to the organization.
4.4 Expected Tools / Methods Exposure (illustrative)
The exact tooling stack will vary by organization. Typical exposure may include: mobile security testing frameworks, intercepting proxies, debuggers, API testing tools, source and dependency scanners, CI/CD platforms, secrets management, artifact repositories, BI dashboards and issue tracking / governance platforms.
4.5 Behavioral Expectations
Operate with strong analytical rigor and evidence-based decision-making.
Demonstrate developer empathy and translate security defects into implementable fixes.
Balance technical depth with governance discipline and measurable outcomes.
Collaborate across engineering, product, architecture, DevSecOps, QA and governance stakeholders.
Escalate risk responsibly with clear business impact and remediation options.