
Mobile Application Security
Mobile application penetration testing for Android and iOS, covering static and dynamic analysis, runtime instrumentation with Frida and Objection, and bypassing common protections like SSL pinning and root detection.
Overview
Mobile pentesting sits at an awkward intersection of reverse engineering, web testing, and platform-specific quirks. The same OWASP-style bugs you find in web apps show up in mobile apps too, but the attack surface includes the binary itself, the local storage, the inter-process communication, and the platform protections that the developers (sometimes) bolted on.
This section covers the workflows I actually use on Android and iOS engagements, the runtime tooling that makes everything tractable, and the specific techniques for getting past protections like SSL pinning and root detection.
Platforms
- Mobile Pentesting Fundamentals, the methodology, environment setup, and tooling overview
- Android App Analysis, static and dynamic analysis of APKs, Smali, and the Android runtime
- iOS App Analysis, working with IPA files, decrypted binaries, and the iOS sandbox
Runtime Instrumentation
- Frida, the dynamic instrumentation toolkit I rely on for almost everything
- Objection, a runtime exploration toolkit built on Frida that handles common tasks out of the box
Bypassing Protections
- SSL Pinning Bypass, techniques for getting your proxy in the middle of pinned connections on both platforms
Methodology
Phase 1: Reconnaissance and Setup
- Pull the APK or IPA from the device or store
- Identify the application framework (native, Flutter, React Native, Xamarin, etc.)
- Set up the test device: an emulator, or a rooted (Android) or jailbroken (iOS) physical device
- Configure proxy and certificates
- Decompile and review the manifest, entitlements, and exported components
Phase 2: Static Analysis
- Hardcoded secrets, API keys, and endpoints
- Insecure cryptographic primitives
- Custom obfuscation, anti-debugging, and root checks
- Exported activities, services, content providers, and broadcast receivers
- Deep link handlers and URL scheme abuse
Phase 3: Dynamic Analysis
- Intercept and tamper with API traffic
- Inspect local storage, shared preferences, keychain, and SQLite databases
- Hook sensitive functions with Frida or Objection
- Test authentication and session handling
- Probe for IPC vulnerabilities and insecure exported components
Phase 4: Bypass and Escalate
- Defeat SSL pinning to inspect TLS traffic
- Bypass root or jailbreak detection
- Patch local checks if needed (Smali edits, Frida hooks, or static patching)
- Test for client-side authorization bypasses
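As an added example for the Phase 2 manifest review (not code from this page's notes or any tool it lists), the following Python script audits an apktool-decoded AndroidManifest.xml for externally reachable components: it applies the legacy "intent-filter implies exported" default, checks whether a permission gates each component, and lists the custom URL schemes that deep-link handlers accept. The manifest is a constructed sample, and component names such as `.DeepLinkActivity` are assumptions.

```python
import xml.etree.ElementTree as ET
A = "{http://schemas.android.com/apk/res/android}"  # prefix for android:* attributes
COMPONENTS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed sample in the shape of an apktool-decoded AndroidManifest.xml; not a real app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
  package="com.example.demo"><application>
  <activity android:name=".MainActivity" android:exported="true">
    <intent-filter><action android:name="android.intent.action.MAIN"/>
      <category android:name="android.intent.category.LAUNCHER"/></intent-filter></activity>
  <activity android:name=".DeepLinkActivity">
    <intent-filter><action android:name="android.intent.action.VIEW"/>
      <category android:name="android.intent.category.BROWSABLE"/>
      <data android:scheme="demoapp" android:host="reset"/></intent-filter></activity>
  <service android:name=".SyncService" android:exported="true" android:permission="com.example.demo.SYNC"/>
  <provider android:name=".NotesProvider" android:authorities="com.example.demo.notes"
    android:exported="true" android:readPermission="com.example.demo.READ"/>
  <receiver android:name=".InternalReceiver" android:exported="false"/>
</application></manifest>"""

def is_exported(comp):
    # Explicit android:exported wins; otherwise the legacy default applies: a component
    # is exported iff it declares at least one <intent-filter> (targetSdk < 31 builds).
    explicit = comp.get(A + "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return comp.find("intent-filter") is not None

def is_protected(comp):
    # A provider is only gated if both read and write are permission-protected.
    if comp.get(A + "permission"):
        return True
    if comp.tag == "provider":
        return bool(comp.get(A + "readPermission") and comp.get(A + "writePermission"))
    return False

def deep_link_schemes(comp):
    # Schemes reachable through ACTION_VIEW filters, i.e. custom URL scheme entry points.
    schemes = []
    for flt in comp.findall("intent-filter"):
        if "android.intent.action.VIEW" in {a.get(A + "name") for a in flt.findall("action")}:
            schemes += [d.get(A + "scheme") for d in flt.findall("data") if d.get(A + "scheme")]
    return schemes

def audit_manifest(xml_text):
    # Every externally reachable component, with whether a permission gates it.
    app = ET.fromstring(xml_text).find("application")
    return [{"type": c.tag, "name": c.get(A + "name"), "protected": is_protected(c),
             "implicit": c.get(A + "exported") is None, "schemes": deep_link_schemes(c)}
            for c in app if c.tag in COMPONENTS and is_exported(c)]
```

The launcher activity is expected to be exported, so the output is a triage list rather than a finding list; `.NotesProvider` shows up as unprotected because only its read side carries a permission.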
Common Findings
| Finding | Where it usually lives |
|---|---|
| Hardcoded API keys | Strings in the binary, BuildConfig, plist files |
| Insecure data storage | Shared preferences, NSUserDefaults, unencrypted SQLite |
| Weak SSL pinning | OkHttp pinners, NSURLSession delegates |
| Exported component abuse | AndroidManifest.xml exported activities and providers |
| Auth tokens in logs | Logcat, Console.app, crash reports |
| Insecure deep links | Custom URL schemes without validation |
Toolkit
| Tool | Use |
|---|---|
| Frida | Dynamic instrumentation, hooking, function tracing |
| Objection | Frida wrapper for common runtime tasks |
| apktool | APK decompilation and rebuilding |
| jadx | Java decompilation for Android |
| MobSF | Automated static and dynamic analysis |
| Burp Suite | HTTP/S interception |
| Hopper / Ghidra | iOS binary disassembly |
| Magisk | Android root with hide capability |
| Corellium | Virtual iOS devices for research |
Related Notes
- Web Application Security, most mobile API findings are still web findings under the hood
- API Security, the backend is half the engagement
- Tools, the cross-cutting tooling reference
Frida
Frida is the dynamic instrumentation toolkit I use on almost every mobile engagement. This is a working reference for installation, attaching to processes, writing hooks, and the patterns I reach for most.