mobile-audit


Mobile Audit — iOS & Android Application Security Review

Audit mobile apps against the OWASP Mobile Application Security Verification Standard (MASVS) and Mobile Application Security Testing Guide (MASTG). Covers source code review, static analysis of compiled binaries, and runtime testing.

Scope: this skill covers the app and its interaction with the device, the backend, and other apps. For backend API security, pair with api-audit. For dependency CVEs (CocoaPods, SPM, Gradle), pair with dependency-audit.

Authorization Check

Before reverse-engineering or runtime-testing a binary, confirm:

  1. The app is yours, or you have written authorization from the publisher
  2. You're operating in an environment you control (test device, emulator, dedicated sandbox)
  3. App store ToS — Apple and Google generally allow security research on apps you own; testing competitor apps without authorization is a fast path to legal exposure

If unclear, ask before proceeding.

Audit Checklist — MASVS-STORAGE (Sensitive Data Storage)

First Seen
May 27, 2026
mobile-audit — briiirussell/cybersecurity-skills