pentest-mobile-app

Original：🇺🇸 English

Translated

OWASP Mobile Top 10 security testing for Android and iOS — local storage, certificate pinning bypass, IPC abuse, and binary protections.

2installs

Sourcejd-opensource/joysafeter

Added on2026-02-26

NPX Install

npx skill4agent add jd-opensource/joysafeter pentest-mobile-app

SKILL.md Content

View Translation Comparison →

Pentest Mobile App

Purpose

Mobile apps are completely absent from Shannon (web-only) and all existing skills. Mobile apps often share backend APIs but introduce unique attack surfaces: local storage, pinning, intent handling, binary protections.

Prerequisites

Authorization Requirements

Written authorization with mobile app testing scope
APK/IPA files or access to app store downloads
Test devices or emulators (rooted Android, jailbroken iOS preferred)
Backend API documentation if available

Environment Setup

Frida for runtime instrumentation
Objection for quick mobile security testing
MobSF for automated static/dynamic analysis
jadx for Android decompilation, Hopper for iOS
Burp Suite configured as mobile proxy

Core Workflow

Static Analysis: Decompile APK/IPA, analyze for hardcoded secrets, insecure storage patterns, weak crypto, exported components, debug flags.
Insecure Data Storage: Check SharedPreferences/Keychain for sensitive data, SQLite DBs, log files, clipboard exposure, backup extraction.
Certificate Pinning Bypass: Use Frida/Objection to disable pinning, intercept HTTPS traffic, test HTTP fallback.
Auth & Session on Mobile: Token storage security, biometric bypass, session timeout, deep link auth bypass.
IPC Testing: Exported Activities/Services/BroadcastReceivers (Android), URL scheme hijacking (iOS), intent injection, custom URI handler abuse.
Binary Protections: Root/jailbreak detection bypass, anti-tampering bypass, code obfuscation assessment, runtime manipulation via Frida.
Mobile-Context API Testing: APIs trusting mobile client-side validation, device-ID spoofing, push notification token abuse.

Tool Categories

Category	Tools	Purpose
Runtime Instrumentation	Frida, Objection	Hook functions, bypass protections
Static Analysis	MobSF, jadx, Hopper	Decompile and analyze binaries
Traffic Interception	Burp Suite, mitmproxy	HTTPS interception with pinning bypass
Android Testing	adb, drozer	Component testing, IPC analysis
iOS Testing	Objection, cycript	Runtime manipulation, keychain dump

References

```
references/tools.md
```
- Tool function signatures and parameters
```
references/workflows.md
```
- Attack pattern definitions and test vectors