Pentest Mobile App

Purpose

Mobile app testing is completely absent from Shannon (web-only) and from all existing skills. Mobile apps often share backend APIs but introduce unique attack surfaces: local storage, certificate pinning, intent handling, and binary protections.

Prerequisites

Authorization Requirements

  • Written authorization with mobile app testing scope
  • APK/IPA files or access to app store downloads
  • Test devices or emulators (rooted Android, jailbroken iOS preferred)
  • Backend API documentation if available

Environment Setup

  • Frida for runtime instrumentation
  • Objection for quick mobile security testing
  • MobSF for automated static/dynamic analysis
  • jadx for Android decompilation, Hopper for iOS
  • Burp Suite configured as mobile proxy

Core Workflow

  1. Static Analysis: Decompile APK/IPA, analyze for hardcoded secrets, insecure storage patterns, weak crypto, exported components, debug flags.
  2. Insecure Data Storage: Check SharedPreferences/Keychain for sensitive data, SQLite DBs, log files, clipboard exposure, backup extraction.
  3. Certificate Pinning Bypass: Use Frida/Objection to disable pinning, intercept HTTPS traffic, test HTTP fallback.
  4. Auth & Session on Mobile: Token storage security, biometric bypass, session timeout, deep link auth bypass.
  5. IPC Testing: Exported Activities/Services/BroadcastReceivers (Android), URL scheme hijacking (iOS), intent injection, custom URI handler abuse.
  6. Binary Protections: Root/jailbreak detection bypass, anti-tampering bypass, code obfuscation assessment, runtime manipulation via Frida.
  7. Mobile-Context API Testing: APIs trusting mobile client-side validation, device-ID spoofing, push notification token abuse.

Tool Categories

| Category | Tools | Purpose |
|---|---|---|
| Runtime Instrumentation | Frida, Objection | Hook functions, bypass protections |
| Static Analysis | MobSF, jadx, Hopper | Decompile and analyze binaries |
| Traffic Interception | Burp Suite, mitmproxy | HTTPS interception with pinning bypass |
| Android Testing | adb, drozer | Component testing, IPC analysis |
| iOS Testing | Objection, cycript | Runtime manipulation, keychain dump |

References

  • references/tools.md - Tool function signatures and parameters
  • references/workflows.md - Attack pattern definitions and test vectors

First seen: Feb 18, 2026