In a mobile security assessment, what is the primary focus for penetration testers?

Testing in mobile security is about securing the entire stack that a mobile app relies on. The main emphasis should be on evaluating the client-side application, the server-side components it talks to, and the communication between them, because vulnerabilities can occur in any part of that chain. This end-to-end approach covers how data is stored and processed on the device, how APIs and back-end services enforce authentication and authorization, and how data moves over the network and is protected in transit. If you only test the backend API, you miss issues in the app or in the data transmitted; if you only test the mobile binary, you miss server logic and interface controls; device tamper resistance is relevant but does not address the full threat landscape. Together, this holistic focus yields the most accurate assessment of real-world risk.