tob-wp-001 · public release rev 1.0 · 07 / 2026

tob (laboratory)

Applied security research for mobile applications and the devices that run them.

Abstract. tob is an independent laboratory studying the security of mobile applications and the devices they run on. The laboratory works on both sides of the problem: building identification and protection mechanisms, and demonstrating how they fail. Its practice covers device fingerprinting, anti-tampering, endpoint hardening, application penetration testing, and fraud prevention.

Keywords — device fingerprinting · anti-tampering · endpoint security · penetration testing · fraud prevention

fig. 1 specimen · this device
Fig. 1. A partial fingerprint of the requesting device, derived from passive signals available to any page you visit. Computed locally in your browser; nothing is stored or transmitted.

1Capabilities

1.1 Device fingerprinting. Design and evaluation of device-identification systems: signal selection, entropy analysis, stability across resets and OS updates, and resistance to spoofing and replay. We build fingerprints, and we break them.

1.2 Anti-tampering. Detection of jailbroken and rooted environments, hooking frameworks, debuggers, emulators, and repackaged binaries — and honest assessment of how such checks fail. We test commercial protections against the techniques real attackers use.

1.3 Endpoint security. Runtime hardening for mobile applications: integrity and device attestation, secure key handling, obfuscation strategy, and telemetry that separates hostile devices from merely unusual ones.

1.4 Penetration testing. Offensive assessments of iOS and Android applications and the services behind them: static and dynamic analysis, traffic and protocol inspection, and abuse of business logic. Findings are reproducible and ranked by consequence, not by count.

1.5 Fraud prevention. Advisory work on fraud and abuse at the device layer — emulator farms, device-ID resets, automation, multi-accounting. We help risk teams turn device signals into decisions they can defend.

2Engagement

The laboratory takes on a small number of engagements at a time. Work is scoped as fixed-term assessments, retained research programs, or short advisory reviews of designs you already have. Findings are delivered as written reports in this format — reproducible, referenced, and free of theater.

3Contact

For scoping, collaboration, or responsible disclosure: contact@toblaboratory.com. Sensitive material should be encrypted to the laboratory’s OpenPGP key.1 We reply within two business days.

1. OpenPGP key fingerprint: 5ABD 4DB2 76BC C012 433C  AD9A F231 48C8 B772 705D. Full key at /pgp-key.asc; machine-readable disclosure details at /.well-known/security.txt (RFC 9116).