pentest-mobile-app
Pentest Mobile App
Purpose
Mobile app testing is completely absent from Shannon (web-only) and all existing skills. Mobile apps often share backend APIs but introduce unique attack surfaces: local storage, certificate pinning, intent handling, and binary protections.
Prerequisites
Authorization Requirements
- Written authorization with mobile app testing scope
- APK/IPA files or access to app store downloads
- Test devices or emulators (rooted Android, jailbroken iOS preferred)
- Backend API documentation if available
Environment Setup
- Frida for runtime instrumentation
- Objection for quick mobile security testing
- MobSF for automated static/dynamic analysis
- jadx for Android decompilation, Hopper for iOS
- Burp Suite configured as mobile proxy
Core Workflow
- Static Analysis: Decompile APK/IPA, analyze for hardcoded secrets, insecure storage patterns, weak crypto, exported components, debug flags.
- Insecure Data Storage: Check SharedPreferences/Keychain for sensitive data, SQLite DBs, log files, clipboard exposure, backup extraction.
- Certificate Pinning Bypass: Use Frida/Objection to disable pinning, intercept HTTPS traffic, test HTTP fallback.
- Auth & Session on Mobile: Token storage security, biometric bypass, session timeout, deep link auth bypass.
- IPC Testing: Exported Activities/Services/BroadcastReceivers (Android), URL scheme hijacking (iOS), intent injection, custom URI handler abuse.
- Binary Protections: Root/jailbreak detection bypass, anti-tampering bypass, code obfuscation assessment, runtime manipulation via Frida.
- Mobile-Context API Testing: APIs trusting mobile client-side validation, device-ID spoofing, push notification token abuse.
Tool Categories
| Category | Tools | Purpose |
|---|---|---|
| Runtime Instrumentation | Frida, Objection | Hook functions, bypass protections |
| Static Analysis | MobSF, jadx, Hopper | Decompile and analyze binaries |
| Traffic Interception | Burp Suite, mitmproxy | HTTPS interception with pinning bypass |
| Android Testing | adb, drozer | Component testing, IPC analysis |
| iOS Testing | Objection, cycript | Runtime manipulation, keychain dump |
References
- references/tools.md - Tool function signatures and parameters
- references/workflows.md - Attack pattern definitions and test vectors