Comment by franga2000
1 day ago
This is exactly how I recognise bad "pentest" firms and tell all my friends and clients the same. If the pentest report contains any mention of [screenshot, obfuscation, root detection, attestation] it's bullshit and you should demand your money back (you won't get it, but still, you should demand it) and tell everyone in your circle to not give another cent to them.
I don't know if anything has changed but 10 years ago I was part of an effort to make the base OS of our product FIPS-compliant. FIPS was both prescriptive and outdated. And it turned out that the changes required to make everything FIPS-compliant actually made our product demonstrably less secure.
But we had to ship it anyway, otherwise a non-negligible portion of our customers could not legally buy our product.
Unfortunately the point of a pentest/audit isn't to do one, but merely to check the box saying you did one, and I'm sure bad ones must be cheaper and still allow you to check the box.