Pentest_Notes

📱 Mobile Application Penetration Testing

Organized notes for mobile application penetration testing (Android & iOS).

Last Updated: 2026-03-27


Overview

Mobile application pentesting involves analyzing Android and iOS applications for vulnerabilities in the client-side code, network communications, data storage, and backend APIs. This is less common in CPTS but valuable for comprehensive pentesting engagements.


Android Pentesting

Checklist

APK Analysis

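# Download APK from device
adb shell pm list packages | grep target
adb shell pm path com.target.app
# Pull the path that `pm path` prints after "package:"; the install directory name varies per device
adb pull "$(adb shell pm path com.target.app | grep base.apk | cut -d: -f2 | tr -d '\r')" base.apk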

# Decompile with apktool
apktool d base.apk -o decompiled/

# Decompile with JADX (Java source)
jadx base.apk -d jadx_output/

# Search for hardcoded secrets
grep -rni "api_key\|password\|secret\|token\|aws_access" jadx_output/
grep -rni "http://\|https://" jadx_output/
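
A triage pass over the JADX output that narrows the two grep searches above to assigned string literals and cleartext `http://` URLs, redacting values so findings can go into a report. This is an added example, not part of the original notes; the function names, the benign-host list and the sample tree are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# A quoted literal of 8+ chars assigned to a secret-looking name (keywords from the grep).
SECRET_RE = re.compile(
    r'\b(\w*(?:api_?key|password|secret|token|aws_access)\w*)\s*[:=]\s*"([^"]{8,})"', re.I)
# Cleartext endpoints only; https:// URLs are not reported here.
HTTP_RE = re.compile(r'http://[^\s"\'<>)]+')
# XML namespace hosts are identifiers, not endpoints the app talks to (assumed list).
BENIGN_HOSTS = ("schemas.android.com", "www.w3.org", "xmlpull.org")
SUFFIXES = {".java", ".xml", ".json", ".properties"}

def redact(value):  # keep 4 chars so the report does not carry the secret itself
    return value[:4] + "*" * (len(value) - 4)

def scan(root):
    """Return (relative_path, line_no, kind, detail) tuples for text files under root."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix not in SUFFIXES:
            continue
        rel = path.relative_to(root).as_posix()
        for no, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
            for m in SECRET_RE.finditer(line):
                findings.append((rel, no, "secret", f"{m.group(1)}={redact(m.group(2))}"))
            for m in HTTP_RE.finditer(line):
                if not any(host in m.group(0) for host in BENIGN_HOSTS):
                    findings.append((rel, no, "cleartext_url", m.group(0)))
    return findings

def demo():
    """Scan a small constructed tree laid out like jadx_output/ (sources/, resources/)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "sources/com/example/app")
        src.mkdir(parents=True)
        Path(tmp, "resources").mkdir()
        (src / "Config.java").write_text(
            'class Config {\n'
            '  static final String API_KEY = "CONSTRUCTED-not-a-real-key";\n'
            '  static final String BASE = "http://api.example.test/v1";\n'
            '  static final String DOCS = "https://example.test/docs";\n'
            '  String token = "";\n'
            '}\n')
        Path(tmp, "resources/AndroidManifest.xml").write_text(
            '<manifest xmlns:android="http://schemas.android.com/apk/res/android"/>\n')
        return scan(tmp)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Against a real decompile, call `scan("jadx_output")`; the empty `token` literal, the `https://` URL and the manifest namespace in the sample are skipped on purpose.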

Dynamic Analysis with Frida

# Install Frida
pip install frida-tools

# Start Frida server on device (needs root: rooted device, or emulator after `adb root`)
adb push frida-server /data/local/tmp/
adb shell chmod 755 /data/local/tmp/frida-server
adb shell /data/local/tmp/frida-server &

# SSL pinning bypass
frida -U -l ssl_pinning_bypass.js -f com.target.app

# List running apps
frida-ps -U

ADB Useful Commands

# List connected devices
adb devices

# Shell access
adb shell

# Install APK
adb install app.apk

# Port forwarding for Burp (device localhost:8080 -> host port 8080)
adb reverse tcp:8080 tcp:8080

# Logcat (app logs)
adb logcat | grep -i "password\|token\|error"

Tools

| Tool | Purpose |
|------|---------|
| apktool | APK decompilation/recompilation |
| JADX | APK to Java decompiler |
| Frida | Dynamic instrumentation |
| Objection | Runtime mobile exploration |
| MobSF | Automated mobile app analysis |
| Burp Suite | Network traffic interception |
| drozer | Android security assessment |
| adb | Android Debug Bridge |

iOS Pentesting

Checklist

IPA Analysis

# Extract IPA contents
unzip app.ipa -d extracted/

# Analyze binary
class-dump extracted/Payload/App.app/App > headers.h

# Search for strings in binary
strings extracted/Payload/App.app/App | grep -i "password\|api\|token\|secret"

Objection (Cross-Platform)

# Connect to Android app (the commands below are typed at the objection prompt)
objection -g com.target.app explore

# Disable SSL pinning (Android)
android sslpinning disable

# Dump keychain (iOS)
ios keychain dump

# Show the app's directories, then list files
env
ls

Common Pitfalls / Gotchas

References & Further Reading