ImmuniWeb® AI PlatformMobileSuite

ImmuniWeb® MobileSuite

ImmuniWeb® MobileSuite leverages our award-winning Machine Learning technology to accelerate and enhance
mobile penetration testing. Every pentest is easily customizable and provided with a zero false positives SLA.
Unlimited patch verifications and 24/7 access to our security analysts are included into every project.

Mobile Penetration Testing Made Simple

Zero False Positives SLA

Money-Back Guarantee for
a single false-positive

In-Depth Testing

Business logic testing, SANS Top 25,
PCI DSS & OWASP coverage

Actionable Reporting

Tailored remediation guidelines
and 24/7 access to analysts

Rapid Delivery SLA

Guaranteed execution schedule
and report delivery

DevSecOps Native

SDLC and CI/CD tools integration,
WAF for mobile backend flaws

How it works

Customize and schedule
the test in few clicks
Monitor the testing
in real time
Get the report and
schedule a re-test

Free Trial Ask a Question

Actionable Report. Simple Remediation.

DevSecOps Native

WAF Integrations

Mobile Penetration Test for Any Need

Mobile App Security

Static, dynamic and interactive
security testing with SCA

Mobile Backend Security

Comprehensive testing of
mobile app’s endpoints

Privacy and Encryption

Detailed analysis of privacy
and encryption problems

Black & White Box

Authenticated (including MFA/SSO)
or Black Box testing

Open Source Security

Software Composition Analysis (SCA)
tests for 20,000+ known CVE-IDs

Red Teaming

Breach and attack simulation per
MITRE ATT&CK® Mobile

OWASP Mobile Security Testing Guide (MSTG)
NIST SP 800-115 Technical Guide to Information Security Testing and Assessment
PCI DSS Information Supplement: Penetration Testing Guidance
MITRE ATT&CK® Matrices for Mobile and Enterprise
FedRAMP Penetration Test Guidance
ISACA’s How to Audit GDPR

OWASP Application Security Verification Standard (ASVS v4.0.2) Mapping
Common Vulnerabilities and Exposures (CVE) Compatible
Common Weakness Enumeration (CWE) Compatible
Common Vulnerability Scoring System (CVSS v3.1)

Injection Flaws
Many Other "High" Risk Vulnerabilities
Buffer Overflows
Cross-Site Scripting (XSS)
Insecure Cryptographic Storage

Improper Access Control
Insecure Communications
Cross-Site Request Forgery (CSRF)
Improper Error Handling
Broken Authentication and Session Management

CWE-787: Out-of-Bounds Write
CWE-79: Improper Neutralization of Input During Web Page Generation
CWE-125: Out-of-Bounds Read
CWE-20: Improper Input Validation
CWE-78: Improper Neutralization of Special Elements used in an OS Command

CWE-89: Improper Neutralization of Special Elements used in an SQL Command
CWE-416: Use After Free
CWE-22: Improper Limitation of a Pathname to a Restricted Directory
CWE-352: Cross-Site Request Forgery (CSRF)
CWE-434: Unrestricted Upload of File with Dangerous Type

CWE-306: Missing Authentication for Critical Function
CWE-190: Integer Overflow or Wraparound
CWE-502: Deserialization of Untrusted Data
CWE-287: Improper Authentication
CWE-476: NULL Pointer Dereference

CWE-798: Use of Hard-coded Credentials
CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE-862: Missing Authorization
CWE-276: Incorrect Default Permissions
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CWE-522: Insufficiently Protected Credentials
CWE-732: Incorrect Permission Assignment for Critical Resource
CWE-611: Improper Restriction of XML External Entity Reference
CWE-918: Server-Side Request Forgery (SSRF)
CWE-77: Improper Neutralization of Special Elements used in a Command

API1: Broken Object Level Authorization
API3: Excessive Data Exposure
API5: Broken Function Level Authorization
API7: Security Misconfiguration
API9: Improper Assets Management

API2: Broken User Authentication
API4: Lack of Resources & Rate Limiting
API6: Mass Assignment
API8: Injection
API10: Insufficient Logging & Monitoring

Most Comprehensive Mobile Penetration Testing

In every ImmuniWeb MobileSuite package

Penetration Testing

Mobile Penetration Testing
- SANS Top 25 Full Coverage
- PCI DSS 6.5.1-6.5.10 Full Coverage
- OWASP Mobile Top 10 Full Coverage
- Backend Testing (REST/SOAP/GraphQL APIs)
- AI Augments Human Testing and Analysis
- Machine Learning Accelerates Testing
- Authenticated Testing (OTP / MFA)
- Business Logic Testing
- Privacy Review
Full Customization of Testing
Rapid Delivery SLA Money back

Contractual money-back guarantee for a delayed delivery date.

Reporting

Threat-Aware Risk Scoring
Step-by-Step Instructions to Reproduce
Web Interface, PDF and XML Formats
Tailored Remediation Guidelines
PCI DSS and GDPR Compliances
CVE, CWE and CVSS Scores
OWASP ASVS Mapping
Zero False Positives SLA Money back

Contractual money-back guarantee for one single false positive.

Remediation

Unlimited Patch Verifications
24/7 Access to Our Security Analysts
DevSecOps & CI/CD Tools Integration
One-click Virtual Patching (Backend)
Multirole RBAC Dashboard with 2FA

ImmuniWeb® MobileSuite Packages

Mobile Application Penetration Testing

1 Configure Your Test

Upload your mobile application,
indicate any special testing or
reporting requirements

2 Schedule Your Test

Select your package, schedule the
penetration testing dates and
report delivery date

3 Get Your Report

Browse the interactive dashboard,
export data in PDF and schedule
patch verification scan

ImmuniWeb® MobileSuite	Corporate Pro Designed for mobile application of large size and complexity, with multiple endpoints (e.g. APIs or web services) or several user roles.	Corporate Designed for mobile application of medium size and complexity, with several endpoints (e.g. APIs or web services) or a couple of user roles.	Express Pro Designed for mobile application of small size and complexity, with one or two endpoints (e.g. APIs or web services) and one user role.	Express Designed for mobile application of very small size and complexity, with one main endpoint (e.g. API or web service) and one simple user role.
AI-Automated Penetration Testing Our award-winning Deep Learning AI technology accelerates and intelligently automates over 7,500 checks of your mobile application security, which usually require human labor and cannot be performed by traditional vulnerability scanners due to complexity.	120 hours	120 hours	72 hours	24 hours
Manual Testing of Business Logic Our CREST-accredited security experts conduct advanced security testing of your mobile application’s business logic, perform reverse engineering and exploitation of your mobile application backend (e.g. APIs or web services), and run other security and privacy checks that require human intelligence due to high complexity.	4+ experts	3+ experts	2+ experts	1 expert
Zero False Positives SLA Our Terms of Services provide contractual money-back guarantee for a single false positive in your penetration testing report.
Rapid Delivery SLA Our Terms of Services provide contractual money-back guarantee for delayed delivery of your penetration testing report.
WAF Virtual Patching Our technology alliances with the leading WAF vendors provide ready-to-use WAF rulesets with your penetration testing report to automatically mitigate the vulnerabilities found in the backend (e.g. APIs or web services) of your mobile application.
DevSecOps & CI/CD Integrations Our technology alliances with the leading SIEM and DevOps vendors provide one-click vulnerability data export into your vulnerability management systems, bug trackers, as well as integration of penetration testing into your CI/CD pipeline.
24/7 Access to our Security Analysts Our security analysts are at your disposal during and after the penetration test may you need any advice or additional information on remediation or implementation of security best practices.
Unlimited Patch Verification Scans Unlimited patch verification scans are available during 100 days after the delivery of your penetration testing report to verify that all of the detected vulnerabilities have been properly fixed by your software developers.
Privacy Assessment Our security experts examine widespread privacy issues and compliance failures in your mobile application.
Cross-Platform Apps Testing Corporate package is required for complex cross-platform applications (e.g. Xamarin Framework) as they usually require significantly more resources and human time for comprehensive testing.
Root or Jailbreak Detection Bypass Corporate Pro package is required if your mobile application has a protection against running on rooted or jailbroken devices.
Emulator Detection Bypass Corporate Pro package is required if your mobile application prevents running on an emulator or requires to be tested on a real device.
Certificate Pinning Bypass Corporate Pro package is required if your mobile application uses SSL certificate pinning technology.
Code Obfuscation Bypass Corporate Pro package is required if your mobile application's code is obfuscated to prevent reverse-engineering.
Red Teaming Exercise On request, our security experts may perform Red Teaming exercise tailored to your threat landscape, emulating tactics, techniques and procedures (TTP) of a specific cyber threat actor.
Price	$9495 —	$7495 —	$3495 —	$1495 —

Packages per Year:

Volume Discount:

Packages per Year: 25

Volume Discount: 10%

Buy Now

Frequently Asked Questions

Q

Do I need two packages for iOS and Android versions of the same app?

A

Normally yes, however, the second package will be offered with a 50% discount. Recurrent penetration testing of the same mobile app also has special discounts. Please get in touch with us to learn more and get a custom quote for your mobile security testing needs.
Q

How can customize my mobile pentesting requirements?

A

At the first step of project creation, you can easily configure special requirements for mobile penetration testing. For example, you can select authenticated (White Box) testing with 2FA/SSO if you mobile app supports authentication, try some specific attack vectors, such as extracting protected content or activate features that are only available to premium users.
Q

What package do I need for my mobile application?

A

Generally, the more features and functionalities your app has, the bigger package you need. Anti-reversing or anti-testing mechanisms increase pentesting complexity and thus require the biggest package. A smaller package may suffice if you deactivate them. If you have any questions, please use our free package selector and submit basic details about your app. Our security analysts will carefully analyze it and then promptly get back to you with the most suitable package.
Q

Can you test mobile applications built with Xamarin or Flutter?

A

Yes, we can test applications built with any mobile frameworks or technologies. However, complicated cross-platform frameworks, such as Xamarin and Flutter, impose additional challenges that usually require supplementary resources and human time for comprehensive testing of the application. Therefore, the minimum required package for those frameworks is MobileSuite Corporate.

Trusted by 1,000+ Global Customers

ImmuniWeb is an efficient and very easy-to-use solution that combines automatic and human tests. The results are complete, straightforward and easy to understand. It’s an essential tool for the development of the new digital activities

Didier Ramella
CISO

ImmuniWeb is the best and simplest way to secure your business online. It's really fantastic experience to get report with zero false positive with detailed actions how to resolve problems and remove vulnerabilities. I think ImmuniWeb is definitely the best alternative to pen testers. As well as a way to save on staff and other costs. I am glad that I can get it all without any hidden costs and without complicated licensing schemes

Nika Vachridze
Senior Information Security Officer

We believe ImmuniWeb platform would definitely address the common weaknesses seen in manual assessments. The AI-assisted platform not only automates the assessments, but also, executes them in a continuous, consistent and reliable fashion. Admittedly, the platform would definitely add quick wins and great ROI to its customers on their investment.

Abuhaneefa Fayaz
Information Security Officer

ImmuniWeb provides accurate assessment on the security posture of our cloud-based applications. The report provided is concise and easy to read with sound advisories on the necessary steps to fix the issues. What impressed me most was that no false-positive was listed and the vulnerabilities are real. ImmuniWeb certainly gives us the right level of assurance that our cloud-based applications are safe and "good-to-go" before we deploy them out to production

Lee Chye Seng
Director, Learning Systems and Applications

ImmuniWeb is an invaluable tool for iPresent with both automated and manual penetration testing. The fantastic manual testing has found even the most hidden and complicated bugs in our security and ImmuniWeb has delivered first class knowledge. The self-service interface also gives us great control to schedule and monitor tests when we need them

Neil Bostrom
Chief Technical Officer

ImmuniWeb is a great innovative service that brings unbeatable ROI. It is undoubtedly the best way to quickly and easily guarantee your customers that their data is safe with you - and yours too by the way! Efficient and effective!

Jean-Michel Beylard-Ozeroff
Head of IT

Mobile Application Penetration Testing

Best Value for Money

Many of our mobile security experts started mobile penetration testing with the first version of iPhone over a decade ago. Today, ImmuniWeb pioneers mobile application penetration testing market with ImmuniWeb® MobileSuite that combines all-inclusive security, privacy and compliance testing of a mobile app and its backend.

Being well familiar with all the hurdles of a traditional mobile application penetration testing, we have been designing and continuously improving our offering to make it both cost-efficient and easily consumable.

Our award-winning Deep Learning AI technology accelerates and intelligently automates a wide spectrum of laborious security checks and tests that usually require many hours of expensive and unscalable human work. On top of our unique technology, our mobile security experts and CREST-accredited penetration testers conduct the most sophisticated security tests spanning from reverse engineering of mobile app defense solutions to sophisticated exploitation of business logic flaws or chained vulnerabilities in iOS or Android apps.

This hybrid approach consolidates the best of AI technology and human genius, delivering the most inclusive but rapid and price-wise service to our customers and partners. Prominent industry analysts from IDC, Forrester and Gartner mentioned the advantages of ImmuniWeb technology compared to fully automated mobile application security testing or human-driven mobile penetration testing assisted with fairly primitive mobile vulnerability scanners.

Importantly, our mobile application penetration testing is fully equipped with all possible DevSecOps integrations to facilitate vulnerability remediation by software developers.

Our packages include holistic and in-depth security and privacy testing both of the mobile application and its endpoints such as APIs and Web Services, effectively combining web and mobile security.

Our pricing outshines traditional penetration testing, heavily based on unscalable and thus expensive manual labor. While our unbeatable quality of testing overshadows automated mobile security testing tools by the number of detected security vulnerabilities and privacy risks.

Our award-winning hybrid approach consolidates the very best of Artificial Intelligence and human genius, eventually making human ingenuity both scalable and cost-efficient.

Buy Now