
Yea, I think a better term would be application security assessment where one tests the application for security flaws. Penetration testing stems originally from network security where one actually tries to penetrate a network. It's not a great term for software, I agree.


I think the intent here is to decrypt and then reverse engineer the network traffic, so they can then check for vulnerabilities server-side. So they aren't auditing the application, they're just trying to find a way in.


(You are replying to the author of the article, possibly intending to reply to the parent.)

This is part of auditing an application. Finding a way in is only one step of the process.



