Cutting-edge penetration testing techniques for APIs and Mobile Apps
Our API and Mobile Application Penetration Testing service is designed to provide organizations with a comprehensive test of their API and mobile application security. We use a risk-based approach to analyze and test the application and API's architecture, implementation, and controls.

Webservice APIs and Mobile Apps
API and Mobile App Testing Options
- API Penetration Test
- Mobile App Penetration Test


API Penetration Test
An API penetration test is a type of security assessment that focuses on testing the security of an application programming interface (API). The goal of an API penetration test is to identify vulnerabilities in an API and provide recommendations for how to fix those vulnerabilities.
During an API penetration test, Secure Ideas manually tests the API using a variety of techniques and tools. We send different types of requests to the API to see how it responds, examine the API's documentation to look for potential security vulnerabilities, and attempt to access the API using unauthorized credentials.


Mobile App Penetration Test
The goal of a mobile app pen test is to provide the app's developers or administrators with information about potential security vulnerabilities so that they can be fixed before the app is released or made available to users.
During a mobile app pen test, a tester would manually test the app using a variety of techniques and tools. This could include manually sending different types of requests to the app to see how it responds, examining the app's code to look for potential security vulnerabilities, and attempting to access the app using unauthorized credentials.
Scoping
APIs
API testing is scoped by the overall size of the API in terms of the number of endpoints and their complexity. In addition, API testing is facilitated through scripting. The overall effort may be impacted by whether or not sufficient API documentation and valid sample requests are available to the testing team.
Size | Scope | Price-range |
---|---|---|
Small | Simple RESTful API with a small number of endpoints or request types. Either no authentication, or all authenticated users have the same permissions. | $10,400 |
Average | SOAP API or moderately complex RESTful API. May have 2-3 authenticated roles or replay protection, not both. | $20,800 |
Large | Complex multi-functional SOAP or REST APIs or web services that may involve multiple endpoints and many parameters. May also have multiple roles with different permission sets. May have replay protection. | $28,600+ |
Mobile Apps
A mobile application is scoped in a similar fashion to a web application with similar functionality. However, there are a few things that will affect the effort involved for a mobile application penetration test:
- Certificate Pinning: This is a common control whereby the mobile application validates that the server's certificate is not only trusted, but also that it follows a specific certificate chain that is allow-listed by the application.
- Code Availability: The effort will increase when reverse engineering is expected or if the source code is obfuscated. The effort can be decreased by providing the testers with access to the source code, as this eliminates the reverse engineering effort from the test.
Size | Scope | Price-range |
---|---|---|
Small | Small, single purpose application. One role, or unauthenticated with up to 5 pages. | $7,800 |
Average | Average application with 1-2 roles, up to 25 views or activities. Focus on one platform (e.g. iOS or Android) | $13,000 |
Large | Average application with 1-2 roles and up to 25 views & activities. Test both iOS and Android. | $20,800 |
Enterprise | An enterprise, flagship, or multi-tenant mobile app with a large amount of functionality. Both iOS and Android to be tested. | $33,800+ |