Mobile App Penetration Test
Testing Android and iOS applications for security vulnerabilities including insecure data storage, weak cryptography, hardcoded secrets, and exploitable API endpoints. Covers both static analysis of the application binary and dynamic analysis of runtime behavior.
Static Analysis and Decompilation
Decompile the application to recover source code (or close to it) and analyze it without running the app. For Android, extract the APK and decompile it to Java/Smali. For iOS, decrypt the IPA if necessary. Run automated static analysis to identify common vulnerabilities, insecure API usage, and code-level issues like weak cryptography or missing certificate pinning.
Tip: MobSF provides a comprehensive automated static analysis with a web interface showing all findings. JADX produces readable Java from Android APKs and is excellent for manual code review. APKTool decompiles to Smali which preserves more detail than JADX for obfuscated apps. Start with MobSF for the overview, then use JADX for targeted code review.
Secret and Credential Extraction
Search the decompiled code for hardcoded API keys, authentication tokens, database credentials, encryption keys, and other secrets. Check configuration files, string resources, native libraries, and build artifacts. Developers frequently embed secrets directly in mobile apps, assuming the binary is opaque to users.
Tip: APKLeaks uses regex patterns to find URLs, API keys, tokens, and other sensitive strings in APK files. MobSF also extracts secrets during its static analysis. Check for Firebase URLs, AWS credentials, and third-party API keys. Any secret found in a mobile app should be considered compromised since the binary is fully accessible to any user.
Dynamic Analysis and Runtime Hooking
Install the app on a rooted/jailbroken test device or emulator and analyze its runtime behavior. Use Frida to hook into functions, bypass certificate pinning, disable root detection, and modify app behavior on the fly. Monitor network traffic, file system access, inter-process communication, and data storage during active use of the app.
Tip: Objection is built on Frida and provides ready-made scripts for common tasks like SSL pinning bypass, root detection bypass, and keychain dumping. Set up Burp Suite as a proxy to intercept all HTTP/HTTPS traffic. Use Frida scripts to hook crypto functions and log plaintext before encryption or after decryption.
API Endpoint Testing
With the app's network traffic flowing through your proxy, test every API endpoint the app communicates with. Check for broken authentication, missing authorization checks (IDOR), excessive data exposure, mass assignment vulnerabilities, and rate limiting issues. Mobile APIs often have weaker security controls than their web counterparts because developers assume the app enforces business logic.
Tip: Replay API requests with modified user IDs, tokens, and parameters to test for authorization flaws. Check if the API returns more data than the mobile UI displays - this is excessive data exposure. Test whether API rate limiting exists by automating requests. Use Frida to extract the API authentication mechanism if it's not obvious from network traffic.
Device-Level Forensic Checks
Examine what the app stores on the device itself. Check local databases, shared preferences, keychain/keystore entries, cache files, log files, and clipboard data for sensitive information. Many apps store authentication tokens, personal data, or even credentials in plaintext on the device file system.
Tip: Drozer can query content providers and interact with app components on Android. Objection provides commands to dump the keychain (iOS) or keystore (Android) and list files in the app sandbox. MVT (Mobile Verification Toolkit) checks for indicators of compromise from known spyware. Check if sensitive data persists after logout.
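The pattern-based secret search described under Secret and Credential Extraction and the persistence-after-logout check described in this step can both be scripted over the artifacts the tools above produce. The following is an added example, not code from the page or from APKLeaks, MobSF or Objection; the regex patterns and the sample artifacts are assumptions and constructed values, not real keys or a real app.

```python
import re
from typing import Dict, List, Tuple

# Assumed patterns for secret types that commonly end up hardcoded in mobile apps;
# modelled on the kinds of strings APKLeaks-style scanners look for.
SECRET_PATTERNS: Dict[str, re.Pattern] = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
    "firebase_url": re.compile(r"https://[a-z0-9-]+\.firebaseio\.com"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}

Finding = Tuple[str, str, str]  # (artifact path, secret kind, matched string)

def scan_text(artifact: str, text: str) -> List[Finding]:
    """Return one finding per secret-like string in a single artifact."""
    return [(artifact, kind, m.group(0))
            for kind, pat in SECRET_PATTERNS.items()
            for m in pat.finditer(text)]

def scan_artifacts(artifacts: Dict[str, str]) -> List[Finding]:
    """Scan a mapping of artifact path -> contents. The mapping can hold
    decompiled resources, asset files, or a dump of the app's sandbox."""
    findings: List[Finding] = []
    for path, text in artifacts.items():
        findings.extend(scan_text(path, text))
    return findings

def secrets_persisting_after_logout(before: Dict[str, str],
                                    after: Dict[str, str]) -> List[Finding]:
    """Findings present in a sandbox snapshot taken while logged in that are
    still present in a snapshot taken after logout (data that should be gone)."""
    return sorted(set(scan_artifacts(before)) & set(scan_artifacts(after)))

# Constructed sample artifacts standing in for decompiled output and a sandbox
# dump; the key-like values are placeholders in the right shape, not real secrets.
SAMPLE_ARTIFACTS: Dict[str, str] = {
    "res/values/strings.xml": (
        '<string name="maps_key">AIzaSyEXAMPLEEXAMPLEEXAMPLEEXAMPLE01234</string>\n'
        '<string name="db_url">https://example-app-1234.firebaseio.com</string>\n'),
    "assets/config.properties": "aws.accessKeyId=AKIAIOSFODNN7EXAMPLE\n",
    "shared_prefs/session.xml": (
        '<string name="auth_token">eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyMSJ9.c2lnbmF0dXJl</string>\n'),
}

if __name__ == "__main__":
    for path, kind, value in scan_artifacts(SAMPLE_ARTIFACTS):
        print(f"{path}: {kind} -> {value[:12]}...")
```

In practice the `shared_prefs` snapshot would come from the app sandbox on the test device before and after logout, and the other entries from the decompiled APK or decrypted IPA.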
Report and Risk Assessment
Document all findings with reproduction steps, screenshots, and risk ratings. Map findings to the OWASP Mobile Top 10. Include the impact of each vulnerability in the context of the specific application and its data sensitivity. Provide remediation guidance tailored to the mobile platform (Android-specific vs iOS-specific fixes).
Tip: Include screenshots from MobSF, Burp Suite, and Frida console output as evidence. Prioritize findings that lead to data exposure or account compromise. Note whether vulnerabilities require physical device access or can be exploited remotely via the API layer.