Ideally - just the mobile app. At Apptrusty, we believe in mimicking real life hackers. They have access only to your app's binaries and ideally that's all we expect from you. Once we are formally and professionally engaged with you to perform pentesting of your mobile app, we do ask few questions such as below
Mobile apps are not supposed to be static. Those will make calls to payment gateways, social media and other elements. We need to know that to test your app accurately.
We need app binaries for testing Android (.apk), iOS (.ipa) and Windows app (.xap)
We need to know if your app makes calls to backend web services or REST API stack
Need details if and how your app makes calls to social media portals such as facebook
If your app makes calls to payment gateways or money wallets, we need to know that.
to suite your organization's size and needs