BIPI

Mobile App Pentesting: Android and iOS Assessment Methodology

Cybersecurity

End-to-end mobile application security testing — static analysis, dynamic instrumentation with Frida, traffic interception, and common vulnerability classes in Android and iOS apps.

By Arjun Raghavan, Security & Systems Lead, BIPI · May 3, 2025 · 15 min read

#mobile-pentesting #android #ios #frida #owasp-masvs

Mobile applications handle sensitive data (banking credentials, health records, OAuth tokens) yet are tested far less rigorously than web apps. OWASP MASVS defines the requirements and its companion MASTG the test cases; Frida, apktool, and objection provide the toolkit.

Setting up the test environment

  • Android: rooted device or emulator (an AVD with a Google APIs image; Google Play images cannot be rooted). Install the Burp CA into the system trust store, for example with a Magisk module that moves user certificates into the system store, because apps targeting API 24+ ignore user-installed CAs by default. Certificate pinning is a separate control: installing a CA does not defeat it, a runtime hook does.
  • iOS: jailbroken device (palera1n on checkm8-capable hardware, A11 and earlier, running iOS 15 to 17; A12 and newer need a jailbreak for that chip generation) or a Corellium virtual device for cloud-based testing
  • HTTP proxy: Burp Suite listening on all interfaces with the device's Wi-Fi proxy pointed at it; apps that ignore the system proxy need iptables redirection on the device with Burp's invisible proxying enabled
  • Frida: frida-server matching the client version, pushed to /data/local/tmp, made executable and launched as root on Android; on a jailbroken iPhone add https://build.frida.re to the package manager and install the Frida package

Static analysis: Android APK

Decompile the APK with apktool for smali and jadx-gui for Java source. Look for hardcoded API keys, insecure data storage in SharedPreferences, and exported components that can be triggered by third-party apps.

  1. apktool d app.apk && jadx-gui app.apk
  2. grep -rEi 'api[_-]?key|secret|password|token' smali/ res/values/strings.xml
  3. Review AndroidManifest.xml for exported activities, services, receivers and providers; a component without an android:exported attribute is still exported if it declares an intent-filter, and providers default to exported when targetSdkVersion is 16 or lower (apktool writes the SDK versions to apktool.yml)
  4. MobSF automated scan as a baseline; it attaches CVSS scores to its findings, but verify each one by hand before it reaches the report
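The manifest review in step 3 is where most static findings come from, and the implicit-export rules are easy to get wrong by eye. The script below is an added example for this article, not the original code: it applies those rules to an apktool-decoded manifest and sweeps smali const-string literals for secrets. The manifest, the smali and the package name com.example.bank are constructed samples; the "generic_secret" pattern is this example's own heuristic. apktool moves uses-sdk into apktool.yml, so targetSdkVersion is passed in rather than parsed.

```python
"""Triage a decoded APK: exported components from the apktool-decoded
AndroidManifest.xml plus a secret sweep over smali const-string literals.

Added example for this article, not the original code.  The manifest and
smali are constructed samples.  apktool moves <uses-sdk> out of the manifest
into apktool.yml, so targetSdkVersion is passed in rather than parsed here."""
import re
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")

SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.bank">
 <application>
  <activity android:name=".MainActivity"><intent-filter>
   <action android:name="android.intent.action.MAIN"/><category android:name="android.intent.category.LAUNCHER"/>
  </intent-filter></activity>
  <activity android:name=".TransferActivity"><intent-filter>
   <action android:name="android.intent.action.VIEW"/><data android:scheme="bankapp" android:host="transfer"/>
  </intent-filter></activity>
  <activity android:name=".SettingsActivity" android:exported="false"/>
  <service android:name=".SyncService" android:exported="true" android:permission="com.example.bank.SYNC"/>
  <provider android:name=".DocProvider" android:authorities="com.example.bank.docs"/>
  <receiver android:name=".BootReceiver"><intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter></receiver>
 </application></manifest>"""

SAMPLE_SMALI = """.method private getKey()Ljava/lang/String;
    const-string v0, "AIzaSyEXAMPLE_KEY_0123456789abcdefghijk"
    return-object v0
.end method
.method private buildHeader()V
    const-string/jumbo v1, "Authorization"
    const-string v2, "api_key=sk_live_4f8a1c2b9e7d"
    return-void
.end method"""


def is_exported(elem, target_sdk):
    """Explicit android:exported wins.  Otherwise activities, services and
    receivers are exported iff they carry an <intent-filter>, and providers
    default to exported only for targetSdkVersion <= 16.  (Android 12+ refuses
    to install a manifest that relies on the implicit intent-filter rule.)"""
    explicit = elem.get(NS + "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    if elem.tag == "provider":
        return target_sdk <= 16
    return elem.find("intent-filter") is not None


def is_launcher(elem):
    """MAIN/LAUNCHER activities are exported by design; report them separately."""
    for f in elem.findall("intent-filter"):
        actions = {a.get(NS + "name") for a in f.findall("action")}
        cats = {c.get(NS + "name") for c in f.findall("category")}
        if "android.intent.action.MAIN" in actions and "android.intent.category.LAUNCHER" in cats:
            return True
    return False


def exported_components(manifest_xml, target_sdk):
    """Exported components in manifest order, with what decides severity: a
    gating permission and, for providers, the authority another app addresses."""
    app = ET.fromstring(manifest_xml).find("application")
    out = []
    for elem in app:
        if elem.tag in COMPONENT_TAGS and is_exported(elem, target_sdk):
            out.append({"type": elem.tag, "name": elem.get(NS + "name"),
                        "permission": elem.get(NS + "permission"),
                        "authorities": elem.get(NS + "authorities"),
                        "launcher": elem.tag == "activity" and is_launcher(elem)})
    return out


def reachable_by_any_app(findings):
    """Exported, not the launcher, not gated by a permission: the components to
    drive next with `adb shell am start` / `am broadcast` / `content query`."""
    return [f["name"] for f in findings if not f["launcher"] and not f["permission"]]


CONST_STRING = re.compile(r'const-string(?:/jumbo)?\s+[vp]\d+,\s*"((?:[^"\\]|\\.)*)"')
SECRET_PATTERNS = {  # the two key formats are well known; "generic" is this example's heuristic
    "google_api_key": re.compile(r"AIza[0-9A-Za-z_-]{35}"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic_secret": re.compile(r"(?i)(?:api[_-]?key|secret|passw(?:or)?d|token)\s*[:=]\s*\S{8,}"),
}


def scan_smali(smali_text):
    """Every string literal in smali is a const-string op, so matching the
    literal rather than the whole line avoids hits on register names and labels."""
    hits = []
    for line in smali_text.splitlines():
        m = CONST_STRING.search(line)
        if m:
            literal = m.group(1)
            hits.extend((name, literal) for name, pat in SECRET_PATTERNS.items() if pat.search(literal))
    return hits
```

Run `exported_components(SAMPLE_MANIFEST, target_sdk=30)` and then `reachable_by_any_app(...)` on the result: the deeplink activity and the boot receiver are the two components any installed app can drive, while the permission-gated service and the launcher are noise. Re-run with `target_sdk=16` to see the provider appear.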

Static analysis: iOS IPA

Extract the IPA (it is a zip archive), locate the Mach-O binary under Payload/*.app, and recover class names and method signatures with class-dump. Two caveats: App Store binaries are FairPlay-encrypted and must first be dumped decrypted from a jailbroken device (frida-ios-dump), and class-dump only sees Objective-C metadata, so for Swift code run the binary's strings through swift-demangle or open it in a disassembler. dwarfdump only yields anything when a dSYM is present, which release builds strip. Look for ATS (App Transport Security) exceptions in Info.plist, review the entitlements (codesign -d --entitlements - Payload/*.app), and hunt for hardcoded URLs pointing to non-production backends.
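Both of the iOS static checks above are mechanical enough to script. The following is an added example for this article, not the original code or any Apple tooling: it walks the NSAppTransportSecurity dictionary for every relaxation, and pulls URL-shaped strings out of the raw binary to flag cleartext, private-IP and non-production hosts. The Info.plist and the binary fragment are constructed samples, the bundle id com.example.bank and the hostnames are made up, and the list of non-production host keywords is this example's own heuristic.

```python
"""Static checks on an iOS app bundle: App Transport Security exceptions in
Info.plist and hardcoded non-production backend URLs in the Mach-O binary.

Added example for this article, not the original code.  The plist and the
binary fragment are constructed samples; the non-production host keywords
are this example's own heuristic."""
import plistlib
import re

SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.bank</string>
  <key>NSAppTransportSecurity</key><dict>
    <key>NSAllowsArbitraryLoadsInWebContent</key><true/>
    <key>NSExceptionDomains</key><dict>
      <key>legacy.example.com</key><dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
        <key>NSIncludesSubdomains</key><true/>
      </dict>
      <key>api.example.com</key><dict>
        <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.0</string>
        <key>NSExceptionRequiresForwardSecrecy</key><false/>
      </dict>
    </dict>
  </dict>
</dict></plist>
"""

# Constructed stand-in for `strings` output of a Mach-O: NUL-separated literals.
SAMPLE_MACHO_FRAGMENT = (b"\x00\x01https://api.example.com/v2/accounts\x00"
                         b"https://staging-api.example.com/v2/accounts\x00"
                         b"http://10.0.5.12:8080/debug/dump\x00\xff\xfe")

GLOBAL_KEYS = {
    "NSAllowsArbitraryLoads": "ATS disabled for every host",
    "NSAllowsArbitraryLoadsInWebContent": "ATS disabled inside WKWebView content",
    "NSAllowsArbitraryLoadsForMedia": "ATS disabled for AVFoundation media",
    "NSAllowsLocalNetworking": "cleartext allowed to local-network hosts",
}


def ats_findings(info_plist):
    """Return (scope, key, detail) for every ATS relaxation, global or per-domain.
    plistlib handles both the XML and the binary plist formats found in IPAs."""
    ats = plistlib.loads(info_plist).get("NSAppTransportSecurity", {})
    out = [("*", key, detail) for key, detail in GLOBAL_KEYS.items() if ats.get(key) is True]
    for domain, exc in ats.get("NSExceptionDomains", {}).items():
        scope = domain + (" (+subdomains)" if exc.get("NSIncludesSubdomains") else "")
        if exc.get("NSExceptionAllowsInsecureHTTPLoads") or exc.get("NSThirdPartyExceptionAllowsInsecureHTTPLoads"):
            out.append((scope, "AllowsInsecureHTTPLoads", "cleartext HTTP permitted"))
        tls = exc.get("NSExceptionMinimumTLSVersion") or exc.get("NSThirdPartyExceptionMinimumTLSVersion")
        if tls in ("TLSv1.0", "TLSv1.1"):
            out.append((scope, "MinimumTLSVersion", f"{tls} accepted (ATS default is 1.2)"))
        if exc.get("NSExceptionRequiresForwardSecrecy") is False or exc.get("NSThirdPartyExceptionRequiresForwardSecrecy") is False:
            out.append((scope, "RequiresForwardSecrecy", "non-PFS cipher suites accepted"))
    return out


URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]+")
NON_PROD_HOST = re.compile(r"(?i)(^|[.-])(staging|stage|dev|qa|uat|test|sandbox|internal|localhost)([.-]|$)")
PRIVATE_IP = re.compile(r"^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.)")


def suspicious_urls(macho):
    """Pull URL-shaped strings straight out of the binary (what `strings | grep
    http` gives you) and return (url, reasons) for the ones worth asking about."""
    out = []
    for raw in URL_RE.findall(macho):
        url = raw.decode("ascii")
        host = url.split("//", 1)[1].split("/", 1)[0].split(":", 1)[0]
        reasons = []
        if url.startswith("http://"):
            reasons.append("cleartext")
        if PRIVATE_IP.match(host):
            reasons.append("private IP")
        if NON_PROD_HOST.search(host):
            reasons.append("non-production host")
        if reasons:
            out.append((url, reasons))
    return out
```

On the sample plist, `ats_findings` reports four relaxations: arbitrary loads in web content, cleartext to legacy.example.com and all its subdomains, and TLS 1.0 plus non-PFS suites for api.example.com. Each per-domain exception is a question for the developers, not automatically a finding, but an exception with NSIncludesSubdomains covering the production API domain usually is.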

Dynamic analysis with Frida

Frida's JavaScript API (Java.use on Android, ObjC.classes on iOS) lets you hook any method at runtime, modify return values, and trace argument flows without modifying the binary: bypass SSL pinning, dump encryption keys from memory, and enumerate the classes loaded at runtime. objection wraps the routine tasks (android sslpinning disable, ios sslpinning disable, android hooking list classes), so a hand-written script is only needed for app-specific logic.
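What a pinning bypass actually looks like, and how it is driven from the host, is worth seeing once before reaching for objection. The following is an added example for this article, not the original code and not objection's: a Frida script hooking the two places Android apps usually pin (OkHttp's CertificatePinner.check and Conscrypt's TrustManagerImpl.verifyChain, the system TLS chain check), loaded through the Frida Python bindings with the app spawned so the hooks are in place before any network code runs. The package name com.example.bank and the messages fed in are constructed; the Python side runs without a device, the run_bypass() function needs frida-server on a USB-connected device and `pip install frida`.

```python
"""Drive a Frida SSL-pinning bypass from Python and collect what it reports.

Added example for this article, not the original code or objection's.  The
hooks cover OkHttp3's CertificatePinner and Conscrypt's TrustManagerImpl
(Android 7+).  Pins declared in network_security_config.xml are enforced in
android.security.net.config after verifyChain returns and need their own
hook, which this example does not include.  Package name is constructed."""

PINNING_BYPASS_JS = r"""
Java.perform(function () {
  // OkHttp3: turn the pin check into a no-op and report which hosts were pinned.
  try {
    var Pinner = Java.use('okhttp3.CertificatePinner');
    Pinner.check.overload('java.lang.String', 'java.util.List').implementation =
      function (hostname, certs) { send({kind: 'okhttp-pin', host: hostname}); };
  } catch (e) {
    send({kind: 'info', msg: 'okhttp3.CertificatePinner not present'});
  }

  // Conscrypt: verifyChain throws on an untrusted chain; hand the chain back instead,
  // which makes the Burp CA (or any CA) acceptable for every host.
  var TMI = Java.use('com.android.org.conscrypt.TrustManagerImpl');
  TMI.verifyChain.implementation = function (untrusted, anchors, host, clientAuth, ocsp, sct) {
    send({kind: 'trust-bypass', host: host});
    return untrusted;
  };
});
"""


class HookLog:
    """Collect messages from the script: send() payloads arrive with type 'send',
    console.log with type 'log', uncaught JS exceptions with type 'error'."""

    def __init__(self):
        self.events = []

    def on_message(self, message, data):
        kind = message["type"]
        if kind == "send":
            self.events.append(message["payload"])
        elif kind == "log":
            self.events.append({"kind": "log", "msg": message["payload"]})
        elif kind == "error":
            self.events.append({"kind": "error", "msg": message.get("description", "")})

    def pinned_hosts(self):
        """Hosts the app really pins: evidence for the report, and the set a
        targeted (non-universal) bypass would have to cover."""
        return sorted({e["host"] for e in self.events if e.get("kind") == "okhttp-pin"})

    def errors(self):
        return [e["msg"] for e in self.events if e.get("kind") == "error"]


def run_bypass(package, seconds=30):
    """Spawn the app with hooks installed before its first TLS handshake.
    frida is imported here so the rest of the module works without a device."""
    import time
    import frida

    device = frida.get_usb_device()
    pid = device.spawn([package])
    session = device.attach(pid)
    log = HookLog()
    script = session.create_script(PINNING_BYPASS_JS)
    script.on("message", log.on_message)
    script.load()
    device.resume(pid)
    time.sleep(seconds)  # drive the app by hand; its traffic should now reach Burp
    session.detach()
    return log


if __name__ == "__main__":
    result = run_bypass("com.example.bank")
    print("pinned hosts:", result.pinned_hosts())
    print("script errors:", result.errors())
```

Spawning rather than attaching matters: an app that pins in Application.onCreate has already built its OkHttpClient by the time you attach to a running process, and the hook on check() still works but the trust-manager hook may miss connections that were established early. Hosts reported under okhttp-pin go into the report as evidence that pinning exists, bypassable or not.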

Traffic interception and API testing

Once pinning is bypassed, the app's HTTP(S) traffic flows through Burp. Test every API endpoint the app calls: check for IDOR by replacing user and resource IDs, test mass assignment by adding extra JSON fields the client never sends, and replay authentication tokens past their expiry to confirm the server enforces it rather than trusting the client to discard them.
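Before replaying a captured token you want to know what it claims about itself: its algorithm, how long it lives, and whether it can be revoked. The script below is an added example for this article, not the original code; it decodes a JWT without verifying it (you are reading the claims, not trusting them), reports lifetime weaknesses, and turns the HTTP status from the post-expiry replay into a verdict. It also covers the long-lived-token item in the vulnerability list further down. The signing key and claims are constructed, and the one-hour access-token ceiling is this example's own threshold, not a MASVS requirement.

```python
"""Inspect captured bearer tokens before replaying them: decode the JWT
without verifying it and state what the expiry-enforcement test should expect.

Added example for this article, not the original code.  Signing key and claims
are constructed; the 1 h ceiling is this example's threshold, not MASVS's."""
import base64
import hashlib
import hmac
import json

MAX_ACCESS_TOKEN_LIFETIME = 3600  # seconds; example threshold for an access token


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(seg):
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def make_hs256_token(claims, key):
    """Build a structurally valid HS256 JWT so the inspector has realistic input
    (in an engagement the token comes from the Burp history instead)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def inspect_jwt(token, now):
    """Decode header and claims (no signature check) and list what to report."""
    header_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(_unb64url(header_b64))
    claims = json.loads(_unb64url(body_b64))
    exp, iat = claims.get("exp"), claims.get("iat")
    lifetime = exp - iat if exp is not None and iat is not None else None
    issues = []
    if header.get("alg", "").lower() == "none" or not sig_b64:
        issues.append("unsigned token (alg=none or empty signature)")
    if exp is None:
        issues.append("no exp claim: token never expires on its own")
    elif lifetime is not None and lifetime > MAX_ACCESS_TOKEN_LIFETIME:
        issues.append(f"lifetime {lifetime // 3600} h exceeds {MAX_ACCESS_TOKEN_LIFETIME // 3600} h")
    if "jti" not in claims:
        issues.append("no jti: a single token cannot be revoked server-side")
    return {"alg": header.get("alg"), "claims": claims, "lifetime_s": lifetime,
            "expired_at_capture": exp is not None and exp <= now, "issues": issues}


def replay_verdict(report, status_after_exp):
    """Replay the token once exp has passed (or with the device clock moved past
    it) and feed the HTTP status back: a 2xx means exp is not enforced."""
    if report["claims"].get("exp") is None:
        return "cannot test expiry: token has no exp"
    if 200 <= status_after_exp < 300:
        return "FAIL: expired token accepted"
    return "OK: expired token rejected"


if __name__ == "__main__":
    now = 1_700_000_000
    tok = make_hs256_token({"sub": "user:4821", "iat": now, "exp": now + 30 * 86400}, b"constructed-key")
    report = inspect_jwt(tok, now)
    print(report["issues"])
    print(replay_verdict(report, 200))
```

A 30-day access token with no jti, which the sample produces, is the "long-lived JWT without rotation" finding in one screen: even if the server does check exp, a stolen token stays valid for a month and nothing short of rotating the signing key cuts it off.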

Common vulnerability classes

  • Insecure data storage: cleartext SQLite databases, SharedPreferences, NSUserDefaults
  • Broken authentication: long-lived JWT tokens without refresh rotation
  • Excessive permissions: location/contacts access not required for functionality
  • Insecure deeplink handling: intent injection via exported activities
  • Tapjacking: sensitive views that do not set filterTouchesWhenObscured, so an overlay can trick the user into tapping them (FLAG_SECURE stops screenshots and screen recording, which is a separate check)

  • 6 to 12 OWASP MASVS L1 failures in the average app audit
  • Most apps have SSL pinning that is bypassable in under 5 minutes
  • 30% of all critical findings come from static analysis alone

The mobile app is the thinnest client and the richest source of hardcoded secrets.

Read more field notes, explore our services, or get in touch at info@bipi.in. Privacy Policy · Terms.