Data storage & cryptography
Hardcoded secrets, insecure key storage, plaintext databases, unencrypted preferences, keychain misuse, broken cryptographic primitives.
// mobile app VAPT
Android and iOS testing aligned with OWASP MASVS / Mobile Top 10. Static analysis, dynamic instrumentation, MITM, cert-pinning bypass, reverse engineering — by Hassan Jawaid for Pakistani teams shipping to Western clients.
The OWASP Mobile Application Security Verification Standard covers the full control set; every engagement maps to its requirements.
Hardcoded secrets, insecure key storage, plaintext databases, unencrypted preferences, keychain misuse, broken cryptographic primitives.
Cert-pinning bypass (Frida / Objection), TLS misconfiguration, sensitive data in transit, deep-link hijacks, exported activity abuse.
Biometric bypass, JWT/Token flaws on the mobile side, session continuity, offline-mode credential leakage, social-auth misuse.
Reverse engineering surface, anti-tamper, anti-debug, root/jailbreak detection bypass, dynamic instrumentation resistance, third-party SDK risks.
MobSF, jadx, apktool, JADX-GUI, Ghidra, otool/class-dump for iOS, semgrep mobile rulesets.
Frida + Objection, Burp Suite (proxied through device), Drozer, mitmproxy, Magisk / Checkra1n for rooted/jailbroken test devices.
Risk posture and remediation timeline written for non-technical readers.
Per-finding write-ups with CVSS, reproducible PoC, screenshots, and remediation.
Free re-test of every confirmed finding after your team patches.
Suitable for SOC 2, ISO 27001, and Play Store / App Store security questions.
A free 30-minute scoping call. We'll walk through your APK/IPA, your backend, and your timeline.