I will pentest and secure your mobile application
Senior Red Team Operator and Penetration Tester
Vetted by Fiverr Pro
Eric L was selected by the Fiverr Pro team for their expertise.
Vetted for: Cybersecurity
About this Gig
Mobile application penetration testing for iOS & Android.
6+ years in offensive security. A full mobile pentest aligned to OWASP MASVS, the OWASP Mobile Top 10, and NIST SP 800-115, suitable as evidence for SOC 2, ISO 27001, HIPAA, and PCI DSS.
Scope:
Static analysis of IPA/APK/AAB: hardcoded secrets, weak crypto, insecure libraries
Dynamic analysis on jailbroken iOS & rooted Android: Frida, Objection, Burp
Local storage: Keychain, Keystore, SQLite, plist, logs, cache
Auth & session: biometrics, tokens, JWT, OAuth/SSO
Backend APIs: BOLA/IDOR, broken auth, business logic
Platform issues: deep links, intent injection, WebView, IPC
Anti-tampering: root/jailbreak detection, anti-debug, repackaging
Deliverables:
Executive summary for leadership and auditors
Technical report with CVSSv4, PoC, reproduction steps
MASVS coverage matrix
Prioritized remediation roadmap
Retest (depends on the ordered package)
Industries: fintech, healthcare, crypto/Web3, enterprise. Message me for a tailored scope and timeline.
Expertise:
Privacy • Data Protection • Risk Assessment
Technology:
Cloud - IaaS • Mobile • SaaS • Databases • Other
Regulation:
GDPR
FAQ
Do you test iOS, Android, or both?
Both. I test native iOS (Swift/Objective-C), native Android (Kotlin/Java), and cross-platform apps (React Native, Flutter, Xamarin, Ionic). If you have both platforms, I recommend testing them together since they often share the same backend but expose different client-side weaknesses.
What do you need from me to get started?
To get started I need:
- The build (IPA, APK, or AAB) or a store link
- Test accounts across different privilege tiers
- A clear scope, including in-scope features and any backends
Do you need source code?
No. I perform black-box and grey-box testing by default, decompiling and reverse engineering the build. If you provide source code, I can do a hybrid review and catch additional issues, but it's not required.
Do you test the backend APIs too?
Yes. The APIs your app talks to are in scope by default; that's where the most impactful findings usually live (BOLA/IDOR, broken auth, business logic flaws). If your backend is owned by a third party, I'll need their written authorization too.
What does the final report look like?
You get an executive summary for leadership, a technical report with CVSSv4 scoring, proof-of-concept, screenshots, and step-by-step reproduction for every finding, plus prioritized remediation guidance your developers can act on. Every finding is mapped to OWASP MASVS.
Will testing break our app or affect production users?
No. Testing is performed against a dedicated test environment or a non-production build whenever possible. If production testing is required, we agree on safe windows and exclusions.
Is my app and data kept confidential?
Always. I work under NDA, store artifacts on encrypted media, and securely destroy all build files, credentials, and findings 30 days after engagement closure (or per your retention policy).
