Penetration Test – Mobile Health App (iOS/Android) & Web Survey Platform

Remote, USA
Posted Jun 14, 2026
Full-time

We are looking for an experienced penetration tester to conduct a security assessment of two production systems used in clinical research:

Target 1 — Mobile health tracking app (iOS & Android)

Cross-platform mobile application (Flutter) with a Laravel/PHP backend and PostgreSQL database

Includes REST API communication between app and server

Hosted on a European VPS (Germany) behind Cloudflare

Target 2 — Customized LimeSurvey instance

Self-hosted LimeSurvey deployment used for clinical research questionnaires

Hosted on a separate European VPS behind Cloudflare

Context

Both systems handle sensitive health data. The penetration test report will be used for compliance and audit documentation.

Scope

At minimum, testing must cover:

OWASP Top 10 (web) and OWASP Mobile Top 10

API security (authentication, authorization, input validation, rate limiting)

Data storage and transmission security (encryption at rest and in transit)

Session management and authentication flows

Server configuration and hardening review

LimeSurvey-specific vulnerabilities (known CVEs, plugin security, access controls)

Deliverables & milestones

Milestone 1 — Initial penetration test & report

Full security assessment of both targets

Technical report including: findings, severity classification (CVSS), proof of concept, and recommended remediation steps

Debrief call to walk through findings

Milestone 2 — Retest after remediation

Verification test after our development team has implemented fixes

Updated report confirming resolved issues and any remaining risks

Milestone 3 — Final report & certificate

Formal penetration test certificate / letter of attestation stating both systems have been tested and passed

Final report suitable for inclusion in compliance/audit documentation

Requirements

Must have:

Recognized penetration testing certification (OSCP, CREST CRT/CCT, or CEH)

Demonstrated experience with mobile app penetration testing (iOS and Android)

Demonstrated experience with web application penetration testing

Familiarity with OWASP testing methodologies

Ability to produce professional, audit-ready reports in English

Willingness to sign an NDA before receiving any access credentials or technical documentation

Nice to have:

Experience with Flutter/Dart mobile applications

Experience with LimeSurvey or similar PHP-based survey platforms

Experience with Laravel/PHP backends

Timeline

Ready to start immediately (both systems are in their final, production-ready state)

Expected duration: 2–3 weeks for initial test, then retest after our remediation window

How to apply

Please include in your proposal:

Your relevant penetration testing certification(s)

2–3 examples of previous pentest engagements (anonymized is fine)

Your approach / methodology for this type of engagement

Estimated timeline and fixed-price quote per milestone

Confirmation you are willing to sign an NDA before project start
