ReddRadar
Agent skill
conducting-mobile-application-penetration-test
Perform a mobile application penetration test on Android and iOS apps to identify insecure data storage, certificate pinning bypass, API vulnerabilities, binary protections, and runtime manipulation using Frida, Objection, and MobSF.
Install this agent skill to your Project
npx add-skill https://github.com/autohandai/community-skills/tree/main/conducting-mobile-application-penetration-test
SKILL.md
Conducting Mobile Application Penetration Test
Overview
Mobile application penetration testing evaluates the security of Android and iOS applications following the OWASP Mobile Application Security Testing Guide (MASTG) and Mobile Application Security Verification Standard (MASVS). Testing covers static analysis of the application binary, dynamic runtime analysis, API communication security, data storage assessment, and reverse engineering resistance.
Prerequisites
- Application APK/IPA file or TestFlight/Play Store access
- Rooted Android device or emulator (Genymotion, Android Studio AVD)
- Jailbroken iOS device or Corellium cloud instance
- Tools: Frida, Objection, MobSF, Jadx, Burp Suite, adb, Ghidra
- OWASP MASTG checklist
Android Testing
Static Analysis
# Decompile APK with jadx
jadx -d output_dir target.apk
# Search for hardcoded secrets
grep -rn "api_key\|secret\|password\|token\|firebase" output_dir/sources/
# Check AndroidManifest.xml
# Look for: exported components, debuggable=true, allowBackup=true
grep -i "exported\|debuggable\|allowBackup\|android:permission" output_dir/resources/AndroidManifest.xml
# MobSF automated static analysis
# Upload APK to MobSF web interface (http://localhost:8000)
# Or use REST API:
curl -F "file=@target.apk" http://localhost:8000/api/v1/upload \
-H "Authorization: <api_key>"
# Check for insecure network security config
cat output_dir/resources/res/xml/network_security_config.xml
# Look for: cleartextTrafficPermitted="true", trust-anchors with user certs
# Analyze native libraries
find output_dir/resources/lib -name "*.so" -exec strings {} \; | grep -i "key\|secret"
Dynamic Analysis
# Install on device via adb
adb install target.apk
# Start Frida server on device
adb push frida-server /data/local/tmp/
adb shell chmod 755 /data/local/tmp/frida-server
adb shell /data/local/tmp/frida-server &
# Objection — runtime exploration
objection -g com.target.app explore
# Inside Objection:
# List activities and services
android hooking list activities
android hooking list services
# Bypass root detection
android root disable
# Bypass SSL pinning
android sslpinning disable
# Dump keystore
android keystore list
# Enumerate shared preferences
android hooking search classes SharedPreferences
# Monitor clipboard
android clipboard monitor
# Explore filesystem
env
ls /data/data/com.target.app/
file download /data/data/com.target.app/shared_prefs/
file download /data/data/com.target.app/databases/
Data Storage Testing
# Check shared preferences for sensitive data
adb shell cat /data/data/com.target.app/shared_prefs/*.xml
# Check SQLite databases
adb pull /data/data/com.target.app/databases/app.db
sqlite3 app.db ".dump" | grep -i "password\|token\|session"
# Check for data in external storage
adb shell ls /sdcard/Android/data/com.target.app/
# Check for sensitive data in logs
adb logcat -d | grep -i "token\|password\|session\|api_key"
# Backup extraction
adb backup -apk -shared com.target.app -f backup.ab
java -jar abe.jar unpack backup.ab backup.tar
tar xf backup.tar
Network Traffic Analysis
# Configure Burp proxy on device
# Settings > WiFi > Proxy > Manual > 192.168.1.100:8080
# Install Burp CA certificate on device
# For apps with certificate pinning:
# Method 1: Objection
objection -g com.target.app explore
android sslpinning disable
# Method 2: Frida script
frida -U -f com.target.app -l ssl_pinning_bypass.js --no-pause
# Method 3: Patch APK
# Use apktool to decompile, modify network_security_config.xml, repack
apktool d target.apk -o decompiled/
# Edit res/xml/network_security_config.xml to trust user CAs
apktool b decompiled/ -o patched.apk
jarsigner -keystore my.keystore patched.apk alias_name
iOS Testing
Static Analysis
# Decrypt IPA (from jailbroken device)
# Using frida-ios-dump
python3 dump.py com.target.app
# Or using Clutch on device
Clutch -d com.target.app
# Analyze binary with class-dump
class-dump -H TargetApp -o headers/
grep -rn "password\|token\|secret\|apiKey" headers/
# Check Info.plist
plutil -p Payload/TargetApp.app/Info.plist
# Look for: ATS exceptions, URL schemes, exported UTIs
# Check for insecure API connections
grep -i "http://" headers/*.h
grep -i "NSAllowsArbitraryLoads" Payload/TargetApp.app/Info.plist
Dynamic Analysis (iOS)
# Frida on iOS
frida -U -f com.target.app -l ios_bypass.js --no-pause
# Objection for iOS
objection -g com.target.app explore
# Inside Objection:
ios sslpinning disable
ios jailbreak disable
ios keychain dump
ios plist cat NSUserDefaults
ios cookies get
ios nsurlcredentialstorage dump
# Check Keychain for stored secrets
objection -g com.target.app explore --startup-command 'ios keychain dump'
# Check for data protection classes
objection -g com.target.app explore --startup-command 'ios info binary'
API Testing
# Through Burp Suite, test captured API calls:
# Authentication bypass
# Modify JWT tokens, test for algorithm confusion (none, HS256 vs RS256)
# IDOR testing
# Change user identifiers in API requests
# Rate limiting
# Brute force OTP/PIN endpoints
# Input validation
# Test for injection in API parameters
# Business logic
# Manipulate prices, quantities, subscription tiers in requests
OWASP MASVS Checklist
| Category | Test | Status |
|---|---|---|
| MASVS-STORAGE-1 | Sensitive data in system logs | [ ] |
| MASVS-STORAGE-2 | Sensitive data in backups | [ ] |
| MASVS-STORAGE-3 | Sensitive data in IPC | [ ] |
| MASVS-CRYPTO-1 | Proper cryptographic APIs | [ ] |
| MASVS-AUTH-1 | Local authentication bypass | [ ] |
| MASVS-NETWORK-1 | TLS with trusted CA | [ ] |
| MASVS-NETWORK-2 | Certificate pinning | [ ] |
| MASVS-PLATFORM-1 | Exported components secured | [ ] |
| MASVS-CODE-1 | Code obfuscation | [ ] |
| MASVS-RESILIENCE-1 | Root/jailbreak detection | [ ] |
References
- OWASP MASTG: https://mas.owasp.org/MASTG/
- OWASP MASVS: https://mas.owasp.org/MASVS/
- Frida: https://frida.re/
- Objection: https://github.com/sensepost/objection
- MobSF: https://github.com/MobSF/Mobile-Security-Framework-MobSF
- JADX: https://github.com/skylot/jadx
Recommended Agent Skills
Expand your agent's capabilities with these related and highly-rated skills.
autohandai/community-skills
mapping-mitre-attack-techniques
Maps observed adversary behaviors, security alerts, and detection rules to MITRE ATT&CK techniques and sub-techniques to quantify detection coverage and guide control prioritization. Use when building an ATT&CK-based coverage heatmap, tagging SIEM alerts with technique IDs, aligning security controls to adversary playbooks, or reporting threat exposure to executives. Activates for requests involving ATT&CK Navigator, Sigma rules, MITRE D3FEND, or coverage gap analysis.
autohandai/community-skills
hunting-for-spearphishing-indicators
Hunt for spearphishing campaign indicators across email logs, endpoint telemetry, and network data to detect targeted email attacks.
autohandai/community-skills
analyzing-malicious-url-with-urlscan
URLScan.io is a free service for scanning and analyzing suspicious URLs. It captures screenshots, DOM content, HTTP transactions, JavaScript behavior, and network connections of web pages in an isolat
autohandai/community-skills
implementing-zero-standing-privilege-with-cyberark
Deploy CyberArk Secure Cloud Access to eliminate standing privileges in hybrid and multi-cloud environments using just-in-time access with time, entitlement, and approval controls.
autohandai/community-skills
implementing-pam-for-database-access
Deploy privileged access management for database systems including Oracle, SQL Server, PostgreSQL, and MySQL. Covers session proxy configuration, credential vaulting, query auditing, dynamic credentia
autohandai/community-skills
detecting-t1003-credential-dumping-with-edr
Detect OS credential dumping techniques targeting LSASS memory, SAM database, NTDS.dit, and cached credentials using EDR telemetry, Sysmon process access monitoring, and Windows security event correlation.
Didn't find tool you were looking for?