
iOS Security Audits & Mobile App Penetration Testing

OWASP MASVS reviews, Secure Enclave and Keychain hardening, jailbreak and instrumentation defence, regulated-environment compliance. The output is a prioritised remediation list with reproduction steps and the specific code change for each finding.

  • OWASP MASVS L1 / L2 / R reviews aligned to your app's sensitivity
  • Secure Enclave, Keychain, and File Protection configuration audits
  • Jailbreak detection and anti-Frida hardening for apps with real adversaries
Recognition
  • App Store Best New Apps 2026
  • Product Hunt Product of the Day 2025
  • CES Best of Innovation 2021
  • CES Innovation Award 2021
  • Webby Honoree 2021
  • Google Material Design 2020
Credentials
  • Member of British Computer Society 2024
  • BEng (Hons) 2017
  • Apple WWDC Scholarship 2015

Tell me what you're working on, or grab a free 30-min scoping call. I reply within 48 hours.



"Vadim was instrumental to the success Epsy enjoyed on iOS, taking it from an idea on a Miro board to the highest rated and most downloaded app of its kind on the store."

James C. · Mobile Engineering Lead, Epsy

"We had a strict deadline, and Vadim managed to complete the job in time. He gave us meaningful feedback and suggested better approaches, not trying to blindly stick to our specification."

Founder · Pre-seed streaming service

"I can say with confidence that it will be difficult to find a better developer. Vadim is achievement-oriented, highly organized, with very good communication skills."

Alex Z. · Co-Founder, eda.so



Data at rest
Keychain access groups, accessibility flags, biometric-bound items, File Protection classes, Core Data / SQLite encryption, Pasteboard and screenshot-on-backgrounding leaks.

Data in transit
Certificate pinning with a rotation plan, ATS configuration and exceptions, custom-protocol security, deep-link origin validation.

Runtime integrity
Layered jailbreak detection (not a single /Applications/Cydia.app check), anti-Frida and anti-Objection, binary protection trade-offs.

Authentication & authorization
Token storage and refresh, biometric binding via LAContext, session lifetime, WebAuthn and passkeys where applicable.

Third-party attack surface
SDK audit: what each one reads, sends, and phones home. Privacy Manifest coverage (iOS 17+). Supply-chain review of Swift packages.

Regulated overlays
HIPAA, SOC 2, GDPR, FDA requirements mapped to specific app behaviours. MASVS alignment chosen to match data sensitivity.
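To make the "accessibility flags" and "biometric-bound items" points under Data at rest concrete, here is an added example (written for this page, not code from any client engagement) showing the Keychain write that audits most often flag next to its hardened form, plus the read path that binds the item to the current biometric set via LAContext. The service and account strings are illustrative placeholders; everything else is the public Security and LocalAuthentication API.

```swift
import Foundation
import Security
import LocalAuthentication

enum KeychainError: Error {
    case status(OSStatus)
    case accessControl(CFError?)
}

/// Stores a refresh token in the Keychain. Service/account names are assumptions.
struct TokenStore {
    let service = "com.example.app.session"   // assumption: any stable, app-specific string
    let account = "refresh-token"             // assumption

    private var baseQuery: [String: Any] {
        [kSecClass as String: kSecClassGenericPassword,
         kSecAttrService as String: service,
         kSecAttrAccount as String: account]
    }

    /// The pattern an audit flags: no accessibility flag, no access control.
    /// The default class is kSecAttrAccessibleWhenUnlocked, so the item goes into
    /// encrypted backups and iCloud Keychain and migrates to a new device.
    func storeWeak(_ token: Data) throws {
        var query = baseQuery
        query[kSecValueData as String] = token
        SecItemDelete(baseQuery as CFDictionary)
        let status = SecItemAdd(query as CFDictionary, nil)
        guard status == errSecSuccess else { throw KeychainError.status(status) }
    }

    /// Hardened: device-bound, passcode-required, and readable only with the
    /// biometric set enrolled at write time. Do not also set kSecAttrAccessible;
    /// the access-control object already carries the protection class.
    func storeHardened(_ token: Data) throws {
        var cfError: Unmanaged<CFError>?
        guard let access = SecAccessControlCreateWithFlags(
            kCFAllocatorDefault,
            // never backed up, never migrated, erased if the passcode is removed
            kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
            // invalidated when a finger or face is added or removed
            [.biometryCurrentSet],
            &cfError) else {
            throw KeychainError.accessControl(cfError?.takeRetainedValue())
        }
        var query = baseQuery
        query[kSecAttrAccessControl as String] = access
        query[kSecValueData as String] = token
        SecItemDelete(baseQuery as CFDictionary)
        let status = SecItemAdd(query as CFDictionary, nil)
        guard status == errSecSuccess else { throw KeychainError.status(status) }
    }

    /// Reads the token, prompting for biometrics with the given reason.
    /// nil means "no usable token": never stored, or invalidated because the
    /// passcode was removed or the biometric set changed. Fall back to a full
    /// login in that case instead of retrying in a loop.
    func read(reason: String) throws -> Data? {
        let context = LAContext()
        context.localizedReason = reason
        var query = baseQuery
        query[kSecReturnData as String] = true
        query[kSecMatchLimit as String] = kSecMatchLimitOne
        query[kSecUseAuthenticationContext as String] = context

        var item: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &item)
        switch status {
        case errSecSuccess:
            return item as? Data
        case errSecItemNotFound:
            return nil
        case errSecUserCanceled:
            return nil   // user dismissed the prompt; not a security event
        default:
            throw KeychainError.status(status)   // includes errSecAuthFailed
        }
    }
}
```

The trade-off to note in a finding: `.biometryCurrentSet` gives the strongest binding but means a re-enrolled finger or face silently logs the user out, so the surrounding session logic has to treat `nil` as "re-authenticate with the server", not as a bug.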
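For the Runtime integrity point, the phrase "layered, not a single /Applications/Cydia.app check" is easier to see in code. The following is an added example (not the page author's tooling) that combines several independent signals into a weighted score; the path list, image-name list and weights are assumptions chosen for illustration, and all of it runs inside the process an attacker already controls, so it is a risk signal for telemetry or step-up authentication, never a hard gate on its own.

```swift
import Foundation
import MachO   // _dyld_image_count, _dyld_get_image_name

/// One observation; a single positive is too easy to spoof or to get wrong.
struct IntegritySignal {
    let name: String
    let weight: Int
    let fired: Bool
}

enum RuntimeIntegrity {
    // Assumption: illustrative, not exhaustive, and trivially hidden by file-system tweaks.
    private static let suspiciousPaths = [
        "/Applications/Cydia.app", "/Applications/Sileo.app",
        "/Library/MobileSubstrate/MobileSubstrate.dylib",
        "/usr/sbin/sshd", "/bin/bash", "/etc/apt", "/var/jb",
    ]
    // Assumption: substrings seen in the image names of common hooking frameworks.
    private static let suspiciousImages = [
        "frida", "substrate", "substitute", "libhooker", "cycript", "ellekit",
    ]

    static func collectSignals() -> [IntegritySignal] {
        #if targetEnvironment(simulator)
        return []   // the simulator trips every check below; do not score it
        #else
        var signals: [IntegritySignal] = []
        let fm = FileManager.default

        // 1. Known file-system artefacts: cheap and well known, so low weight.
        let pathHits = suspiciousPaths.filter { fm.fileExists(atPath: $0) }
        signals.append(.init(name: "paths:\(pathHits.count)", weight: 2, fired: !pathHits.isEmpty))

        // 2. Sandbox escape: an unmodified app cannot write outside its container.
        let probe = "/private/jb-probe-\(UUID().uuidString)"
        let wroteOutside = (try? "x".write(toFile: probe, atomically: true, encoding: .utf8)) != nil
        if wroteOutside { try? fm.removeItem(atPath: probe) }
        signals.append(.init(name: "write-outside-sandbox", weight: 4, fired: wroteOutside))

        // 3. Injection via the dynamic loader environment.
        let insertLibs = ProcessInfo.processInfo.environment["DYLD_INSERT_LIBRARIES"]
        signals.append(.init(name: "dyld-insert-env", weight: 4, fired: insertLibs != nil))

        // 4. Instrumentation already loaded into this process (Frida gadget, Substrate, ...).
        var loaded: [String] = []
        for i in 0..<_dyld_image_count() {
            guard let cName = _dyld_get_image_name(i) else { continue }
            let name = String(cString: cName).lowercased()
            if suspiciousImages.contains(where: { name.contains($0) }) { loaded.append(name) }
        }
        signals.append(.init(name: "dyld:\(loaded.count)", weight: 5, fired: !loaded.isEmpty))

        return signals
        #endif
    }

    /// Sum of the weights of the signals that fired. Thresholds are policy, not fact:
    /// a low score might only add a field to analytics, a high one might force step-up auth.
    static func riskScore(_ signals: [IntegritySignal]) -> Int {
        signals.filter(\.fired).reduce(0) { $0 + $1.weight }
    }
}
```

Each check is expected to be defeated on its own; the value is that an attacker must hide all of them consistently, and the score plus the individual signal names give the backend something to correlate against rather than a single boolean that is easy to flip with one Frida hook.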

Advisory
£110
per hour

Architecture reviews, hiring help, second opinions on that thing that's been bugging you.

Available now
Retainer
£4,000
per month

Priority support: review agency code, join architecture calls, catch problems before they ship.

Apr '26 May '26 Jun '26

Do you sign NDAs before the audit?

Yes, always. Signed before I see any code. Mutual NDAs if you'd like reciprocity.

Can you test the backend too?

iOS is my specialty, client-side specifically. If the backend work is entangled with iOS security posture (token minting, cert pinning rotation, webview origin handling), I'll cover that boundary. For deep server-side pentesting, I pair with partners or hand off.

How long does a typical audit take?

Small consumer app: 3–5 days. Medium app with SDKs in a regulated domain: 8–12 days. Large enterprise app with significant attack surface: 3–4 weeks. Send a detailed brief and I'll quote from it. If you'd rather talk first, a free 30-minute scoping call usually gets us to a number faster.

How do I get a quote?

Two paths. If you need speed, send me a detailed brief and I'll quote from it (usually within 48 hours). If you'd rather talk first, book a free 30-minute scoping call and I'll quote after. Most clients who pick the brief path land on the call anyway once we get into the specifics, but the door is open either way.

How quickly can you start?

Advisory calls can happen within days. For project work, I typically need 1–2 weeks notice to clear the calendar, though I keep some buffer for urgent firefighting. Check the availability badges above for current openings.

Do you work with early-stage startups?

Yes, from pre-seed to Series C and beyond. For very early teams, the advisory tier often makes more sense than project work: you get architecture guidance without committing to a large engagement before you've validated the product.

What's included in the day rate?

Everything: code, architecture decisions, code review, documentation, async Slack availability during working hours. No surprise add-ons. I bill for time spent working on your project, not for "thinking about it in the shower."

How do you handle timezone differences?

Currently in Vancouver (PST) with full overlap for North American teams. For UK and Europe, I'm online by their afternoon. For Gulf or APAC, we'd agree on overlap hours and handle the rest async. I've worked with teams from San Francisco to Dubai.


Where I've worked CV · LinkedIn

Drobinin Limited Founder · 2025–present 12+ apps from idea to App Store. Featured by Apple in EMEA & Americas.
LivaNova (NASDAQ: LIVN) Senior iOS · 2020–2025 Epsy, an epilepsy management app. Shipped inside an FDA-regulated medical-device company. HIPAA, CES Innovation Award.
Sphere (acquired by Twitter/X) Senior iOS · 2017–2020 Early Employee. $30M funding to acquisition.
VK.com iOS Consultant · 2016–2017 Authored & delivered an onsite course on iOS development.
ToBox Lead iOS · 2015–2016 Built team, MVVM architecture, full Swift rewrite.

Need an iOS security audit?

Describe what you're working on, or book a free 30-min scoping call. I reply within 48 hours.

work@drobinin.com Book a free call →