Cutting-edge penetration testing techniques for APIs and Mobile Apps

Our API and Mobile Application Penetration Testing service are designed to provide organizations with a comprehensive test of their API and mobile application security.  We use a risk-based approach to analyze and test the application and API's architecture, implementation, and controls.


Webservice APIs and Mobile Apps

There are a lot of similarities between modern  web and mobile application architecture, and a close relationship between mobile and APIs.  We can test one or the other, or both simultaneously.

API and Mobile App Testing Options

API and mobile app penetration testing vary greatly depending on the scope.  For instance, you may be primarily concerned with the risk of an outside attacker gaining access to sensitive information or functionality.  Or you may be looking for a comprehensive test of API functionality.  We will tailor your penetration test depending on your goals.
Website designer working digital tablet and computer laptop with smart phone and graphics design diagram on wooden desk as concept

API Penetration Test

An API penetration test is a type of security assessment that focuses on testing the security of an application programming interface (API). The goal of an API penetration test is to identify vulnerabilities in an API and provide recommendations for how to fix those vulnerabilities.

During an API penetration test, Secure Ideas manually tests the API using a variety of techniques and tools. We send different types of requests to the API to see how it responds, examining the API's documentation to look for potential security vulnerabilities, and attempting to access the API using unauthorized credentials.

Questions? Contact Us
Hand using phone with cloud computing and online storage concept

Mobile App Penetration Test

The goal of a mobile app pen test is to provide the app's developers or administrators with information about potential security vulnerabilities so that they can be fixed before the app is released or made available to users.


During a mobile app pen test, a tester would manually test the app using a variety of techniques and tools. This could include manually sending different types of requests to the app to see how it responds, examining the app's code to look for potential security vulnerabilities, and attempting to access the app using unauthorized credentials.

Questions? Contact Us


API and Mobile App penetration testing is scoped by an estimation of the overall effort.  The following tables provide a starting point for what to expect, and the estimate can usually be refined with a short scoping call.

API testing is scoped by the overall size of the API in terms of the number of endpoints and their complexity.  In addition, API testing is facilitated through scripting. The overall effort may be impacted by whether or not sufficient API documentation and valid sample requests are available to the testing team.

Size Scope Price-range
Small Simple RESTful API with a small number of endpoints or request types. Either no authentication, or all authenticated users have the same permissions. $10,400
Average SOAP API or moderately complex RESTful API. May have 2-3 authenticated roles or replay protection, not both. $20,800
Large Complex multi-functional SOAP or REST APIs or web services that may involve multiple endpoints and many parameters. May also have multiple roles with different permission sets. May have replay protection. $28,600+
Mobile Apps

A mobile application is scoped in a similar fashion to a web application with similar functionality.  However, there are a few things that will affect the effort involved for a mobile application penetration test:

Certificate Pinning: This is a common control whereby the mobile application validates that the server's certificate is not only trusted, but also that it follows a specific certificate chain that is allow-listed by the application. 

Code Availability: The effort will increase when reverse engineering is expected or if the source code is obfuscated.  The effort can be decreased by providing the testers with access to the source code, as this eliminates the reverse engineering effort from the test.

Size Scope Price-range
Small Small, single purpose application. One role, or unauthenticated with up to 5 pages. $7,800
Average Average application with 1-2 roles, up to 25 views or activities. Focus on one platform (e.g. iOS or Android) $13,000
Large Average application with 1-2 roles and up to 25 views & activities. Test both iOS and Android. $20,800
Enterprise An enterprise, flagship, or muti-tenant mobile app with a large amount of functionality. Both iOS and Android to be tested. $33,800+

Our Process

Have more questions about API and Mobile App Penetration Testing?