Penetration Test – Mobile Health App (iOS/Android) & Web Survey Platform
We are looking for an experienced penetration tester to conduct a security assessment of two production systems used in clinical research: Target 1 — Mobile health tracking app (iOS & Android) Cross-platform mobile application (Flutter) with a Laravel/PHP backend and PostgreSQL database Includes REST API communication between app and server Hosted on a European VPS (Germany) behind Cloudflare Target 2 — Customized LimeSurvey instance Self-hosted LimeSurvey deployment used for clinical research questionnaires Hosted on a separate European VPS behind Cloudflare Context Both systems handle sensitive health data. The penetration test report will be used for compliance and audit documentation. Scope At minimum, testing must cover: OWASP Top 10 (web) and OWASP Mobile Top 10 API security (authentication, authorization, input validation, rate limiting) Data storage and transmission security (encryption at rest and in transit) Session management and authentication flows Server configuration and hardening review LimeSurvey-specific vulnerabilities (known CVEs, plugin security, access controls) Deliverables & milestones Milestone 1 — Initial penetration test & report Full security assessment of both targets Technical report including: findings, severity classification (CVSS), proof of concept, and recommended remediation steps Debrief call to walk through findings Milestone 2 — Retest after remediation Verification test after our development team has implemented fixes Updated report confirming resolved issues and any remaining risks Milestone 3 — Final report & certificate Formal penetration test certificate / letter of attestation stating both systems have been tested and passed Final report suitable for inclusion in compliance/audit documentation
Requirements
Must have: Recognized penetration testing certification (OSCP, CREST CRT/CCT, or CEH) Demonstrated experience with mobile app penetration testing (iOS and Android) Demonstrated experience with web application penetration testing Familiarity with OWASP testing methodologies Ability to produce professional, audit-ready reports in English Willingness to sign an NDA before receiving any access credentials or technical documentation Nice to have: Experience with Flutter/Dart mobile applications Experience with LimeSurvey or similar PHP-based survey platforms Experience with Laravel/PHP backends Timeline Ready to start immediately (both systems are in their final, production-ready state) Expected duration: 2–3 weeks for initial test, then retest after our remediation window How to apply Please include in your proposal: Your relevant penetration testing certification(s) 2–3 examples of previous pentest engagements (anonymized is fine) Your approach / methodology for this type of engagement Estimated timeline and fixed-price quote per milestone Confirmation you are willing to sign an NDA before project start Apply tot his job Apply To this Job