• Fileless malware has become a formidable adversary for security teams, operating entirely in memory and evading disk-based detection. A recent incident demonstrates how attackers leveraged a multi-stage fileless loader to deploy AsyncRAT, a powerful Remote Access Trojan (RAT), through legitimate system tools—leaving almost no footprint on disk. This case study highlights critical techniques for persistence, […]

    The post AsyncRAT Leverages Fileless Techniques to Bypass Detection appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • GitLab has released urgent security patches for its Community (CE) and Enterprise (EE) editions, addressing multiple vulnerabilities, including two high-severity flaws that could lead to Server-Side Request Forgery (SSRF) and Denial of Service (DoS) attacks.

    The company is strongly advising all administrators of self-managed GitLab installations to upgrade immediately to the newly released versions: 18.3.2, 18.2.6, and 18.1.6.

    The updates address a total of six security vulnerabilities, ranging in severity. Customers using the cloud-hosted GitLab.com service are already protected, and GitLab Dedicated users do not need to take any action.

    The fixes are part of GitLab’s scheduled patch releases, which aim to resolve security issues and bugs promptly.

    High-Severity Flaws Patched

    The most critical vulnerabilities fixed in this release are a high-severity SSRF flaw and a high-severity DoS issue.

    The SSRF vulnerability, tracked as CVE-2025-6454, holds a CVSS score of 8.5. It existed in the Webhook custom header feature and could be exploited by an authenticated user.

    By injecting specially crafted sequences, an attacker could force the GitLab instance to make unintended internal requests within proxy environments, potentially leading to further compromise.

    This flaw affects all versions from 16.11 up to the latest patched releases. The second high-severity issue, CVE-2025-2256, is a DoS vulnerability with a CVSS score of 7.5.

    An unauthenticated attacker could have exploited this flaw by sending multiple large SAML responses concurrently to a GitLab instance, overwhelming its resources and rendering it unresponsive to legitimate users.

    This vulnerability has a wide impact, affecting all versions from 7.12.

    Medium-Severity Vulnerabilities Addressed

    Alongside the high-severity issues, GitLab patched four medium-severity vulnerabilities, three of which could also result in a denial of service.

    • CVE-2025-1250: A DoS flaw (CVSS 6.5) where an authenticated user could stall background job processing by using specially crafted commit messages or merge request descriptions.
    • CVE-2025-7337: A persistent DoS vulnerability (CVSS 6.5) that allowed an authenticated user with at least Developer-level access to crash a GitLab instance by uploading large files.
    • CVE-2025-10094: Another DoS issue (CVSS 6.5) enabling authenticated users to disrupt access to token-related operations by creating tokens with excessively long names.
    • CVE-2025-6769: An information disclosure vulnerability (CVSS 4.3) that could have allowed an authenticated user to view administrator-only maintenance notes by accessing runner details through specific interfaces.

    GitLab has credited several security researchers, yuki_osaki, ppee, pwnie, and iamgk808, for discovering and reporting these vulnerabilities through its HackerOne bug bounty program.

    In line with its disclosure policy, the full details of these vulnerabilities will be made public on GitLab’s issue tracker 30 days after the release.

    The company has urged all self-managed customers to review the security announcement and apply the updates to protect their instances from potential attacks.

    The post GitLab Patches Multiple Vulnerabilities That Enables Denial Of Service and SSRF Attacks appeared first on Cyber Security News.


  • A high-quality mobile application penetration testing company is essential for businesses that want to safeguard their digital assets and user data.

    These specialized firms employ ethical hackers who simulate real-world cyberattacks to identify and exploit vulnerabilities within mobile apps.

    The insights from these tests enable developers to fix security flaws before they can be leveraged by malicious actors, thereby preventing data breaches, reputational damage, and financial loss.

    Choosing a top mobile app pentesting company requires a careful evaluation of their expertise, methodology, and reputation.

    The best firms don’t just use automated tools; they combine them with deep, manual analysis to uncover complex, business-logic vulnerabilities that scanners often miss.

    Their reports are not only comprehensive but also provide clear, actionable remediation steps, empowering development teams to build more secure applications.

    With the mobile threat landscape constantly evolving, partnering with a leading mobile application penetration testing firm is a proactive and strategic investment for any business committed to security.

    How We Chose These Best Mobile Application Penetration Testing Companies

    To identify the best mobile application penetration testing companies, we focused on several key criteria that align with Google’s E-A-T (Expertise, Authoritativeness, Trustworthiness) guidelines and critical SEO signals. Our selection process was guided by the following factors:

    • Expertise and Methodology: We looked for companies with a proven track record of deep, specialized knowledge in mobile security. This includes expertise in both iOS and Android platforms, as well as a robust methodology that combines automated scanning with thorough manual testing and reverse engineering.
    • Customer Reviews and Reputation: We evaluated customer feedback and industry recognition from platforms like Gartner Peer Insights and other reputable sources. Companies with high customer satisfaction and positive peer reviews were prioritized.
    • Comprehensive Service Offerings: The top firms don’t just offer penetration testing; they provide a full suite of services, including static and dynamic analysis, API security testing, and compliance reporting (e.g., OWASP Mobile Top 10, GDPR).
    • Actionable Reporting: A key differentiator is the quality of the final report. We selected companies that provide clear, detailed, and actionable reports with risk prioritization and specific remediation guidance for developers.
    • Integration and Scalability: We considered firms that offer flexible solutions that can integrate seamlessly into a company’s existing DevSecOps pipeline, allowing for continuous security testing.

    Comparison Table: Top 10 Best Mobile Application Penetration Testing Companies in 2025

    Company | Automated Scanning | Manual Pentesting | Cloud-Based Service | DevSecOps Integration | Compliance Reporting
    Veracode | ✅ Yes | ✅ Yes | ✅ Yes | ✅ Yes | ✅ Yes
    White Knight Labs | ❌ No | ✅ Yes | ✅ Yes | ✅ Yes | ✅ Yes
    Appknox | ✅ Yes | ✅ Yes | ✅ Yes | ✅ Yes | ✅ Yes
    Pradeo | ✅ Yes | ❌ No | ✅ Yes | ❌ No | ✅ Yes
    Cyserch | ✅ Yes | ✅ Yes | ❌ No | ❌ No | ✅ Yes
    Software Secured | ❌ No | ✅ Yes | ❌ No | ✅ Yes | ❌ No
    NowSecure | ✅ Yes | ✅ Yes | ✅ Yes | ✅ Yes | ✅ Yes
    Microminder CS | ✅ Yes | ✅ Yes | ✅ Yes | ✅ Yes | ✅ Yes
    Checkmarx | ✅ Yes | ❌ No | ✅ Yes | ✅ Yes | ✅ Yes
    Acunetix | ✅ Yes | ❌ No | ✅ Yes | ✅ Yes | ✅ Yes

    1. Veracode

    Specifications:

    Veracode offers a full-lifecycle application security platform that includes penetration testing as a service (PTaaS).

    It combines expert-led manual testing with automated SAST, DAST, and SCA to find a wide range of vulnerabilities, including business logic flaws and nuanced issues that automated tools may miss.

    Their approach is designed to be hassle-free and can be scheduled to meet recurring compliance needs.

    Reason to Buy:

    Best for enterprises seeking a complete, integrated application security platform that blends expert manual testing with powerful automation.

    Features:

    Penetration Testing as a Service; Centralized platform for all security testing; PCI-DSS, HIPAA, GDPR compliance support; AI-powered remediation guidance; Flexible, predictable pricing models;

    Pros:

    Comprehensive platform; Strong compliance focus; Automated and manual testing blend; Actionable, prioritized results;

    Cons:

    Can be expensive for smaller teams; Steep learning curve for full platform usage; Some users report complex integrations; Not a pure-play pentesting firm;

    ✅ Best For: Large enterprises and organizations that require a holistic, ongoing AppSec program with robust compliance and reporting capabilities.

    Official Website: Veracode

    2. White Knight Labs

    Specifications:

    White Knight Labs provides premier mobile application penetration testing with a focus on both iOS and Android platforms.

    Their methodology is comprehensive, simulating multiple attack vectors including insecure storage, stolen device scenarios, and API exploitation.

    The team has extensive experience in reverse engineering and tailors assessments to address platform-specific security risks.

    Reason to Buy:

    Ideal for organizations that need a highly specialized, hands-on, and expert-led manual penetration test for their mobile applications.

    Features:

    iOS and Android-specific expertise; Comprehensive methodology; Source code review and reverse engineering; In-depth API security testing; Detailed reports with remediation guidance;

    Pros:

    Highly experienced team; Tailored, manual approach; Deep technical analysis; Excellent reporting and consultation;

    Cons:

    Primarily focused on manual testing; May not be suitable for teams needing automated CI/CD integration; Less emphasis on automated scanning; Pricing can vary based on project scope;

    ✅ Best For: Companies that need an in-depth, hands-on security assessment from a highly specialized team of experts.

    Official Website: White Knight Labs

    3. Appknox

    Specifications:

    Appknox is a mobile-first security platform that delivers a suite of solutions including automated and manual vulnerability assessments.

    Recognized by Gartner for its focus on 2025 AppSec trends, it’s designed to be CI/CD-ready and AI-powered, making it easy for developers to integrate security into their workflow.

    The platform is especially strong in compliance, helping businesses meet standards like OWASP Mobile Top 10 and GDPR.

    Reason to Buy:

    A user-friendly, developer-centric platform that simplifies mobile application security testing and compliance for teams of all sizes.

    Features:

    AI-powered and CI/CD ready; Manual vulnerability assessment; Streamlined compliance management; Detailed, user-friendly reports; Integrates with Jira and other dev tools;

    Pros:

    Easy to use and set up; Mobile-first focus; Strong compliance features; AI-augmented remediation;

    Cons:

    Less known for general web application security; Manual testing is an add-on; May have a smaller team of manual testers; Focus is more on platform than pure service;

    ✅ Best For: Development teams and startups that need a fast, user-friendly, and compliance-focused mobile security platform.

    Official Website: Appknox

    4. Pradeo

    Specifications:

    Pradeo is a mobile security company that leverages AI-based technology to deliver robust mobile application security testing (MAST).

    Their primary focus is on automated, deep analysis of mobile apps to detect vulnerabilities and data leakage, providing a 360-degree view of an application’s security posture.

    Their solution is particularly effective at scanning binary files, making it a valuable tool for examining off-the-shelf applications.

    Reason to Buy:

    An AI-driven solution that offers rapid and comprehensive automated analysis of mobile apps, even without access to source code.

    Features:

    AI-based security testing; Fast analysis of binary files; Data leakage prevention; Mobile Threat Defense (MTD); Integration with enterprise mobility management (EMM);

    Pros:

    Highly automated and fast; Excellent for third-party app analysis; Focus on mobile-specific threats; Clear, comprehensive reporting;

    Cons:

    Lacks a manual penetration testing service; May not uncover complex business logic flaws; Primarily a tool-based approach; Less suitable for deeply custom tests;

    ✅ Best For: Businesses that need a powerful, automated solution for quick, continuous security assessments of both internally developed and third-party apps.

    Official Website: Pradeo

    5. Cyserch

    Specifications:

    Cyserch is a cybersecurity firm offering comprehensive mobile application penetration testing services. They utilize a blend of OWASP methodology and a hybrid approach to create tailored test cases for each application’s unique business logic.

    Their process includes static and dynamic analysis, reverse engineering, and in-depth testing of data storage and authentication mechanisms, delivering detailed and actionable reports.

    Reason to Buy:

    A trusted partner for customized, end-to-end security evaluations with a strong emphasis on detailed, developer-friendly reporting.

    Features:

    OWASP methodology; Hybrid testing approach; Static and dynamic analysis; In-depth data storage testing; Comprehensive vulnerability reports;

    Pros: Tailored testing methodology; Focus on business logic; High-quality, detailed reports; Cost-effective solutions;

    Cons: Less integrated into modern CI/CD pipelines; May not offer the same scale as larger firms; Lacks some of the automated features of platform-based competitors; Primarily a service provider;

    ✅ Best For: Companies that require a bespoke, detailed security assessment and a clear, developer-friendly report from a dedicated team.

    Official Website: Cyserch

    6. Software Secured

    Specifications:

    Software Secured specializes in human-led security services, providing an Application Penetration Testing as a Service (PTaaS) model.

    Their methodology emphasizes manual testing and a consultative approach to find business logic vulnerabilities.

    They integrate with client teams to provide expert guidance and ensure that remediation efforts are effective. While they have a platform, their core strength lies in their expert-driven service model.

    Reason to Buy:

    For organizations that prioritize a consultative, human-led approach over a purely automated solution, focusing on business logic and custom-built applications.

    Features:

    Human-led security testing; PTaaS model; Expert-driven services; Seamless team integration; Proactive and continuous security;

    Pros: Deep expertise in manual testing; Highly consultative approach; Uncovers complex business logic flaws; Strong focus on remediation;

    Cons: Not a fully automated solution; Not ideal for teams needing high-volume, continuous scanning; No automated reports and compliance checks; Services are project-based;

    ✅ Best For: Businesses with complex, custom-built applications that require a hands-on, expert-led security partner.

    Official Website: Software Secured

    7. NowSecure

    Specifications:

    NowSecure offers a comprehensive mobile app security platform that combines automated and manual testing. Their platform provides continuous security testing within the SDLC, with capabilities for static, dynamic, interactive, and API analysis.

    They are particularly well-regarded for their ability to integrate with CI/CD pipelines and their commitment to standards-based testing, such as OWASP MASVS. NowSecure also provides expert-led penetration testing as a service.

    Reason to Buy:

    The most comprehensive and scalable solution for integrating continuous, standards-based mobile application security testing into a DevSecOps pipeline.

    Features:

    DevSecOps integration; Automated and manual testing; OWASP MASVS compliance; Mobile App Risk Intelligence (MARI); Expert-led penetration testing services;

    Pros:

    Excellent for continuous testing; Highly scalable platform; Strong compliance focus; Combines automation with human expertise;

    Cons:

    Platform can be complex to navigate; Can be expensive for smaller teams; Requires a good understanding of the platform to maximize its value;

    ✅ Best For: Large enterprises and organizations committed to a mature DevSecOps model, needing a scalable and integrated mobile security solution.

    Official Website: NowSecure

    8. Microminder CS

    Specifications:

    Microminder CS is a CREST-certified infosec consultancy that offers comprehensive mobile application testing services. Their methodology involves a four-stage process: intelligence gathering, app analysis, exploitation, and reporting.

    They simulate real-world attacks to find vulnerabilities in data transmission, storage, authentication, and session management, providing both executive and technical reports with actionable remediation advice.

    Reason to Buy:

    A trustworthy, CREST-certified consultancy that provides a holistic and professional approach to mobile application penetration testing with a strong focus on remediation.

    Features:

    CREST-certified experts; Four-stage methodology; Real-world attack simulation; Executive and technical reports; Global presence and service;

    Pros:

    High level of expertise and certification; Holistic and professional approach; Delivers clear, actionable reports; Strong reputation for quality;

    Cons:

    Service-based model, less focused on automation; May be more expensive than platform-based tools; Not ideal for continuous testing needs; Primarily a service provider, not a tool vendor;

    ✅ Best For: Organizations that need a full-service, expert-led engagement from a highly certified and globally respected security firm.

    Official Website: Microminder CS

    9. Checkmarx

    Specifications:

    Checkmarx provides a comprehensive application security testing platform with a strong focus on static analysis (SAST).

    While its core is source code analysis, it offers solutions that help identify and fix vulnerabilities in mobile applications by integrating security into the development workflow.

    The platform also provides DAST, IAST, and SCA capabilities to offer a more complete view of application risk.

    Reason to Buy:

    For organizations that want to “shift left” and embed security testing directly into the development pipeline, using a platform with a global reputation.

    Features:

    SAST, DAST, and SCA; Source code analysis; DevSecOps integration; Detailed reports with remediation advice; Aligned with OWASP Top 10;

    Pros:

    Strong reputation and industry presence; Deep source code analysis capabilities; Integrates with many dev tools; Helps with compliance;

    Cons:

    Can be slow on large codebases; High number of false positives can be an issue; Not a specialized mobile pentesting service; Pricing can be complex;

    ✅ Best For: Large-scale software development teams that need to integrate robust, automated security scanning early in the development lifecycle.

    Official Website: Checkmarx

    10. Acunetix

    Specifications:

    Acunetix is a widely-used web vulnerability scanner that also offers a robust solution for securing mobile applications that rely on web APIs and back-end services.

    While it’s a DAST-focused tool, its ability to crawl and scan complex web applications, single-page apps, and password-protected pages makes it a valuable asset in the mobile security toolkit.

    Acunetix helps organizations comply with standards like PCI-DSS and HIPAA by generating detailed compliance reports.

    Reason to Buy:

    A powerful, automated DAST solution that is easy to set up and provides high-accuracy vulnerability detection for web services that power mobile apps.

    Features:

    High-accuracy DAST scanning; Integrates with CI/CD tools; Supports many compliance standards; Detailed, actionable reports; API vulnerability testing;

    Pros:

    High detection rate and low false positives; Easy to use and set up; Good for API-driven mobile apps; Robust reporting features;

    Cons:

    Not a pure mobile application security tool; Lacks manual, human-led pentesting; Primarily focuses on the web components of an app; Less suited for on-device vulnerabilities;

    ✅ Best For: Teams primarily concerned with securing the web APIs and back-end infrastructure that their mobile applications rely on.

    Official Website: Acunetix

    Conclusion

    Choosing the best mobile application penetration testing company is a critical decision for any organization today. The right partner can not only identify hidden vulnerabilities but also help you build a more secure development process.

    The companies listed here represent a diverse range of services, from highly specialized manual testing to comprehensive, automated platforms.

    By evaluating your specific needs—whether it’s a deep, one-time audit or a continuous security program—you can select the provider that offers the most effective solution for protecting your mobile applications and your users.

    The post Top 10 Best Mobile Application Penetration Testing Companies in 2025 appeared first on Cyber Security News.


  • Content creators and small businesses are facing a sophisticated new threat targeting their Facebook accounts through deceptive advertisements promising free Meta verification badges. A new malvertising campaign is targeting Facebook users with malicious ads that promise to unlock Meta’s coveted blue verification tick through a seemingly legitimate browser extension. These ads, accompanied by instructional videos, […]

    The post Meta Verified Scam Ads on Facebook Steal User Account Details appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • A newly disclosed vulnerability in Apple’s CarPlay ecosystem enables remote code execution with root privileges, posing a serious risk to connected vehicles. Discovered by the Oligo Security Research team and tracked as CVE-2025-24132, the flaw resides within the AirPlay protocol implementation used by CarPlay systems. CVE ID Affected Components Versions Impacted CVE-2025-24132 AirPlay Audio SDK < 2.7.1 […]

    The post Apple CarPlay Vulnerability Allows Remote Code Execution to Gain Root Access appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • Sofia, Bulgaria, September 10th, 2025, CyberNewsWire Kikimora, a cybersecurity specialist and a product developer, has announced the launch of Kikimora Agent, a new AI-powered platform providing accessible cybersecurity management, vulnerability detection, and asset monitoring for businesses, individuals, and students. Kikimora Agent combines conversational AI with automated security workflows, reducing the workload for small and medium-sized […]

    The post Kikimora Announces Launch of Kikimora Agent: Accessible AI-Powered Cybersecurity Platform for SME Security appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • A security vulnerability has been found in the Google Drive Desktop application for Windows. It allows a logged-in user on a shared machine to access another user’s Drive files completely without needing their credentials.

    This vulnerability stems from a broken access control mechanism in how the application handles cached data.

    While Google Drive is widely trusted for its security and convenience by millions for storing sensitive data, this vulnerability challenges those assumptions.

    The issue lies within the app’s local caching system, known as DriveFS, which fails to properly isolate cached files between different user profiles on a Windows system.

    Vulnerability And Exploitation

    According to Abdelghani Alhijawi, the Google Drive Desktop app caches synchronized files in a local directory (DriveFS).

    Due to improper isolation, an attacker can access a victim’s cached DriveFS folder, copy its contents, and replace their own DriveFS folder with the victim’s data.

    Upon restarting the application, Google Drive loads the victim’s entire drive, including “My Drive” and “Shared Drives,” as if it belonged to the attacker, without any re-authentication prompts.

    This exploit directly contravenes fundamental security principles:

    • Zero Trust: The application incorrectly trusts the copied cache without verifying the user identity.
    • Encryption at Rest: Cached files are not individually encrypted for each user, allowing them to be reused across different accounts.
    • Re-authentication: The application does not require a password or any form of re-login when a different user’s cache is loaded.

    This vulnerability presents a classic insider threat scenario, particularly dangerous in environments with shared workstations like offices, universities, or co-working spaces.

    An employee or any user on a shared system can covertly copy another person’s Drive cache, gaining access to sensitive files such as contracts, financial records, HR documents, or proprietary source code, Abdelghani Alhijawi said.

    The potential for data exfiltration, modification, or deletion is substantial, posing risks of privacy violations, compliance failures under regulations like GDPR and HIPAA, and significant reputational damage.

    Insider threats are a known and costly problem, accounting for 22% of security breaches according to the 2024 Verizon DBIR and costing companies an average of $15.38 million annually, as reported by a 2022 Ponemon/IBM study.

    The vulnerability places the Google Drive Desktop app out of alignment with major global security standards like NIST SP 800-53, ISO 27001, and SOC 2.

    These frameworks mandate strict data isolation, least privilege access, encryption of data at rest, and robust session management, all of which are compromised by this flaw.

    The researcher who discovered the issue reported it to Google’s vulnerability program but was told, “This is not considered a security bug.”

    This response is concerning, as the flaw represents a failure to adhere to Zero Trust principles and leaves users exposed to significant risks.

    Recommendations For Users

    Until Google addresses this issue, users and organizations are advised to take precautions:

    • Avoid using Google Drive Desktop on shared or multi-user computers.
    • Enforce strict permissions on separate Windows user profiles.
    • Use the application only on dedicated and managed endpoints to minimize insider threat risks.

    Ultimately, the responsibility for securing user data lies with the service provider.

    By failing to implement per-user encryption, require re-authentication for cached sessions, and adhere to Zero Trust principles, Google Drive Desktop currently falls short of essential security expectations.

    The post Google Drive Desktop for Windows Vulnerability Grants Full Access to Another User’s Drive appeared first on Cyber Security News.


  • Microsoft on Tuesday addressed a set of 80 security flaws in its software, including one vulnerability that has been disclosed as publicly known at the time of release. Of the 80 vulnerabilities, eight are rated Critical and 72 are rated Important in severity. None of the shortcomings has been exploited in the wild as a zero-day. Like last month, 38 of the disclosed flaws are related to


  • The Amp’ed RF BT-AP 111 Bluetooth Access Point has been discovered to expose its HTTP-based administrative interface entirely without authentication controls, enabling unauthenticated attackers with network access to seize full administrative privileges. This critical security oversight undermines fundamental defensive measures and places deployments at risk of unauthorized configuration changes, data interception, and network compromise. The […]

    The post Amp’ed RF BT-AP 111 Bluetooth Access Point Vulnerability Enables Admin Takeover appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • Millions of people and businesses trust Google Drive every day to store important files like contracts, reports, photos, and research papers. The desktop app for Windows promises secure and seamless syncing of files between local folders and the cloud. Yet a serious flaw in Google Drive Desktop for Windows breaks these promises. Any user on […]

    The post Google Drive Desktop for Windows Flaw Lets Users Gain Full Access to Others’ Drives appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
