A penetration testing firm is hired to assess a mobile banking application. The client wants to test both Android and iOS versions, but only the production environment. Which of the following is the MOST important scoping consideration to include in the rules of engagement?
Rooting/jailbreaking enables deep testing that is often necessary for comprehensive mobile app security assessments.
Why this answer
Requiring jailbroken or rooted devices is the most important scoping consideration because mobile banking applications often implement runtime integrity checks (e.g., MagiskHide, Frida detection) that prevent the app from running on compromised devices. Without explicit authorization to bypass these controls, the penetration tester cannot perform deep dynamic analysis, such as hooking API calls or inspecting encrypted local storage, which is essential for a thorough security assessment of the production environment.
Exam trap
The trap here is that candidates often confuse operational scheduling (Option C) with technical feasibility, overlooking that without a jailbroken/rooted device, the tester cannot bypass runtime integrity checks and thus cannot perform the most critical parts of the mobile app assessment.
How to eliminate wrong answers
Option B is wrong because specifying the number of concurrent users is irrelevant for a mobile application penetration test; load testing is a performance concern, not a security scoping consideration, and the rules of engagement focus on authorization boundaries, not throughput metrics.

Option C is wrong because defining the test window to avoid peak hours is an operational consideration to minimize business impact, but it is not the most important scoping factor. The core technical constraint for mobile app testing is the device's integrity state: production apps often refuse to run on jailbroken/rooted devices, making authorization to use such devices a prerequisite for any meaningful testing.