What a Capacitor app pentest actually tests
Ionic apps are web applications packaged into native iOS and Android containers via Capacitor. This architecture means the security testing process overlaps both web application testing and mobile application testing. We conduct both in a single engagement so you are not paying for two separate assessments with gaps between them.
1. JavaScript bundle extraction and analysis
Ionic Capacitor bundles your Angular, React, or Vue application into a set of JavaScript files packed inside the native binary. We extract these files directly from the APK or IPA without needing a device. What we look for:
- Hardcoded API keys and secrets: Payment gateway keys, third-party SDK tokens, and internal endpoint URLs frequently appear in bundled JS files that anyone can extract with a single
apktool dcommand. - Authentication logic in client-side code: Role checks, tier-gate logic, and admin flag comparisons implemented in JavaScript are trivially bypassable because the attacker controls the runtime.
- Source maps in production builds: Source maps that should only exist in development are sometimes shipped in production, giving attackers a fully readable version of your TypeScript source.
2. Capacitor plugin bridge testing
Capacitor uses a JavaScript-to-native bridge to allow web code to call native device APIs (camera, filesystem, biometrics, secure storage). We audit every registered Capacitor plugin in your app for bridge injection vulnerabilities. The attack pattern is: if a malicious third-party script running in the WebView can call a Capacitor plugin that accesses the filesystem or the Keychain, the entire native isolation model collapses.
We verify that your Content Security Policy (CSP) prevents inline script execution and restricts which external origins can inject JavaScript into the WebView context.
3. WebView local data storage
Ionic apps running in a WebView have access to all standard web storage APIs: localStorage, sessionStorage, IndexedDB, and cookies. None of these are encrypted on the device. We inspect the full storage context at runtime using an instrumented device to confirm what is persisted after login. Authentication tokens in localStorage survive app restart and are readable by any other app that can read the WebView's data directory on a rooted device.
The correct storage pattern for sensitive data in Ionic Capacitor is the @capacitor/preferences plugin (which writes to native Keychain on iOS and EncryptedSharedPreferences on Android), not browser localStorage.
4. Cordova legacy plugin risks
Many Ionic apps started on Cordova before migrating to Capacitor. If the migration was incomplete, legacy Cordova plugins may still be installed. We audit for Cordova plugins with known CVEs, plugins with excessive Android permissions declared in plugin.xml, and Cordova plugins that disable WebView security flags (like allowNavigation and allow-intent wildcards that permit arbitrary page navigation).
API key extracted from production JS bundle
During a pentest of a Nigerian lending platform built on Ionic Angular, we extracted the APK and decompressed the web assets. Inside the bundled main.js, we found the production Paystack secret key, the Flutterwave secret key, and the internal admin API base URL hardcoded as environment constants. The secret keys allowed us to initiate refunds and list all customer transactions on both payment gateways. Fix priority: critical. Remediated by moving all secrets to a backend proxy endpoint and removing all secret material from the client bundle.
Shipping an Ionic or Capacitor app in Nigeria? Book a penetration test before go-live.
Book an Ionic PentestFrequently asked questions
What is the security difference between Ionic Capacitor and Cordova?
Capacitor is Ionic's modern replacement for Cordova. Both use a WebView to run HTML/JavaScript, but Capacitor's plugin bridge has stricter type validation. The core WebView attack surface is identical: JavaScript running inside the WebView can call native device APIs through the bridge if the plugin permissions are not restricted.
Can Ionic apps be reverse engineered easily?
Yes. Ionic apps ship as web assets bundled inside the native container. Extracting the APK or IPA and decompressing it gives access to the raw HTML, CSS, and JavaScript source including any API keys, hardcoded endpoints, and business logic embedded in the bundle.
Does Ionic Capacitor support certificate pinning?
Native certificate pinning is available through community plugins like capacitor-community/http. We test that pinning is active, correctly configured on all API hostnames, and that the fallback HTTP client (XMLHttpRequest/fetch inside the WebView) also routes through the pinned transport.
Related reading
Blog: Expo security checklist · React Native penetration testing · Mobile app pentest checklist
Services: Penetration testing · API security testing