Mandatory skills:

8–10-years of manual penetration testing experience

Manual pen test experience on mobile application at least 20+ apps. The ability to notice “odd” behavior and able to take the initiative to investigate it.

Manual Web application and Web Services, API experience more then 300+ Applications.

Very good in reporting as per the best practices.

Person should know the vulnerability and the remediation in depth so that he can suggest the same to all the stakeholders.

Expert in Burp Suite tool.

Technical Skills:

• Knowledge of how to put into practice the OWASP Security Testing Standard.
• Fair understanding of testing the applications behind the Web Application Firewall and the evasion techniques.
• Good pen testers have the drive to keep digging and enjoy solving puzzles.
• Tools and procedures can be learned, but the “knack” or “hacker gene” is something that the person must have developed on their own or they will never be a top-level tester.
• As far as tools, the baseline is the same as web app pen testing, e.g., Kali, Burp, Python, Wireshark, radar, etc.
• For mobile app specific tools, there’s Frida, MARA, Cydia, and others – there are multiple platforms that can accomplish the same thing, so to an extent it’s the tester’s preferences.
• In addition to the basic scripting skills necessary for most pen testing, a mobile pen tester should have experience with Java and Objective-C as those are the main languages for app development, as well as JavaScript since that’s how Frida interactions are done (as mini-JS scripts to control the app and hook function calls).
• Ideally a tester will have experience as a mobile app developer, since it’s easier to understand the disassembly of an app if you understand how it was put together in the first place.
• A good understanding of jailbreaking, certificate management, and MITM operations are also necessary since natively the mobile application and the device will not allow MITM.
• Banking and financial domain experience would be addon to the existing skillsets.
• Last but not the least the person should have the excellent soft skill and a good team player.