Automatic blocking and pentesting for mobile apps
Silker protects the API behind your iOS and Android apps - blocking attacks the moment they happen - and runs an automated penetration test against the app itself, aligned to the OWASP Mobile Top 10.
Two layers of mobile protection
Client-side risk lives in the app; abuse arrives through the API. Silker covers both.
Runtime protection layer
Drop the Silker runtime in front of the backend your app calls. Malicious traffic is inspected and blocked in-process with roughly zero added latency, and it fails open so a Silker issue never breaks your app.
- Blocks API abuse with a 403
- Rate limits & bans abusive IPs
- Redacts leaking PII & secrets
App assessment layer
Scan the app itself for insecure storage, weak crypto, missing binary protections and more, so you fix client-side risk before it ships to the store.
- OWASP Mobile Top 10 coverage
- Security grade & 0-100 score
- Per-finding remediation
How we test your app
An automated static assessment pipeline - from intake to a prioritised report, in minutes.
Point Silker at your app
Give us the bundle ID / package name, platform and store listing. No source code and no binary upload required to start.
Metadata & package intake
We collect the app manifest, permissions, entitlements, network config and third-party SDK footprint for the target.
Static analysis engine
Heuristics inspect storage, cryptography, transport security, binary protections and exposed components against known weak patterns.
OWASP Mobile Top 10 mapping
Every signal is mapped to an OWASP Mobile Top 10 (2024) category and scored by severity and exploitability.
Prioritised report
You get a security grade, a 0-100 score, and per-finding remediation your mobile team can act on immediately.
Full OWASP Mobile Top 10 coverage
Every scan maps findings to the 2024 OWASP Mobile Top 10 - the industry standard for mobile risk.
Improper Credential Usage
Hardcoded keys, tokens and credentials embedded in the binary.
Inadequate Supply Chain Security
Outdated or vulnerable third-party SDKs and dependencies.
Insecure Authentication
Weak token handling, long-lived sessions, no revocation.
Insufficient Input/Output Validation
Unsafe WebView bridges and unvalidated deep links.
Insecure Communication
Cleartext traffic, weak ATS and missing certificate pinning.
Inadequate Privacy Controls
Excessive permissions and leakage of sensitive data.
Insufficient Binary Protections
Debuggable builds, no anti-tampering, no root/jailbreak checks.
Security Misconfiguration
Exported components and permissive backup settings.
Insecure Data Storage
Plaintext secrets in Keychain, Keystore, prefs and SQLite.
Insufficient Cryptography
MD5/SHA-1, ECB mode and predictable key handling.
Automatic blocking, the moment it happens
Your mobile app already sends every request through your backend. Put Silker in front of that API and malicious traffic is blocked in-process - no app store release needed.
What you get in every report
Findings your team can act on - not a wall of raw output.
Security grade & score
An at-a-glance A-F grade and 0-100 score for every scan.
Severity breakdown
Findings grouped by critical / high / medium / low with counts.
Remediation guidance
Each finding ships with a concrete fix your devs can apply.
Shareable history
Every scan is stored so you can track progress release over release.
Silker vs the alternatives
Continuous, automated coverage instead of a once-a-year manual engagement.
| Silker | Manual pentest | No testing | |
|---|---|---|---|
| Time to first result | Minutes | Days to weeks | - |
| OWASP Mobile Top 10 coverage | |||
| Repeatable on every release | |||
| Runtime blocking of API abuse | |||
| Cost per scan | Included in plan | $$$ | Free (unprotected) |
| Prioritised remediation report |
iOS
- App Transport Security checks
- Keychain storage review
- App Attest & anti-tampering
- Universal Links validation
Android
- Manifest & exported components
- Keystore & backup settings
- Cleartext traffic config
- Play Integrity & obfuscation
Frequently asked
Do I need to upload my APK or IPA?
No. The automated assessment runs from your app identifier and store listing - you can start a scan in seconds without shipping us a binary. Deeper binary analysis is on our roadmap for teams that want it.
How is this different from a WAF?
A WAF filters traffic at the edge. Silker does two things a WAF cannot: it blocks attacks inside the API your app talks to (runtime protection), and it assesses the mobile app itself for client-side weaknesses like insecure storage and weak crypto.
Which platforms are supported?
Both iOS and Android. The assessment adapts its checks per platform - for example App Transport Security on iOS, and exported components and allowBackup on Android.
Does the runtime protection require an app store release?
No. Runtime blocking runs on the backend your app calls, so you can turn it on today with zero changes shipped to the app store.
Secure your mobile app today
Turn on automatic blocking for your API and run your first mobile pentest from the dashboard - in minutes, not weeks.
Runtime protection runs on your API; the mobile pentest is an automated static assessment aligned to the OWASP Mobile Top 10.