    trilwu/testing-mobile-applications
    Security
    About

    Pentest Android and iOS mobile applications including APK analysis, dynamic analysis, SSL pinning bypass, root/jailbreak detection bypass, and mobile-specific vulnerabilities...

    SKILL.md

    Testing Mobile Applications

    When to Use

    • Android APK analysis and exploitation
    • iOS application pentesting
    • Mobile app security assessment
    • Bypassing security controls (SSL pinning, root detection)
    • Testing mobile-specific vulnerabilities

    Android Pentesting

    APK Analysis Tools

    # Decompile APK
    apktool d app.apk -o app_decompiled
    
    # Convert DEX to JAR
    d2j-dex2jar app.apk
    
    # View JAR with JD-GUI
    jd-gui app-dex2jar.jar
    
    # Automated analysis
    mobsf  # Mobile Security Framework
    jadx app.apk  # APK to Java decompiler
    

    ADB (Android Debug Bridge)

    # List devices
    adb devices
    
    # Connect over network
    adb connect 192.168.1.100:5555
    
    # Install APK
    adb install app.apk
    
    # Uninstall
    adb uninstall com.package.name
    
    # List packages
    adb shell pm list packages
    adb shell pm list packages | grep -i "keyword"
    
    # Get APK path
    adb shell pm path com.package.name
    
    # Pull APK from device
    adb pull /data/app/com.package.name-xxx/base.apk
    
    # Start activity
    adb shell am start -n com.package.name/.MainActivity
    
    # View logs
    adb logcat
    
    # Shell access
    adb shell
    

    Static Analysis

    Search for Sensitive Data:

    # Extract strings
    strings app.apk | grep -i password
    strings app.apk | grep -i api
    strings app.apk | grep -i token
    strings app.apk | grep -i key
    
    # Search in decompiled code
    grep -r "password" app_decompiled/
    grep -r "http://" app_decompiled/
    grep -r "api_key" app_decompiled/
    

    Check AndroidManifest.xml:

    # Decompile into app_decompiled/ and view (without -o, apktool writes to app/)
    apktool d app.apk -o app_decompiled
    cat app_decompiled/AndroidManifest.xml
    
    # Look for:
    # - android:debuggable="true"
    # - android:allowBackup="true"
    # - Exported activities/services
    # - Custom permissions
    # - URL schemes
    
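A small manifest audit, added here as an example and not part of this skill, that checks a decompiled AndroidManifest.xml for the attributes listed above (debuggable, allowBackup, exported components lacking a permission, custom URL schemes). The manifest it parses is constructed for the example and `audit_manifest` is my own helper name:

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # namespace prefix for android: attributes

# Constructed sample manifest (not from any real app) that trips several of the checks.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
  <application android:debuggable="true" android:allowBackup="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <activity android:name=".DeepLinkActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <data android:scheme="app" android:host="open"/>
      </intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true" android:permission="com.example.app.SYNC"/>
  </application>
</manifest>"""


def _is_launcher(comp):
    # The launcher activity is expected to be exported, so it is not reported.
    return any(a.get(A + "name") == "android.intent.action.MAIN" for a in comp.iter("action"))


def audit_manifest(xml_text):
    """Return findings for the manifest attributes this page tells you to look for."""
    findings = []
    app = ET.fromstring(xml_text).find("application")
    if app is None:
        return findings
    if app.get(A + "debuggable") == "true":
        findings.append('application: android:debuggable="true"')
    if app.get(A + "allowBackup") != "false":
        findings.append('application: android:allowBackup not set to "false"')
    for tag in ("activity", "activity-alias", "service", "receiver", "provider"):
        for comp in app.findall(tag):
            name, exported = comp.get(A + "name"), comp.get(A + "exported")
            # Before targetSdk 31 a component with an intent-filter is exported by default;
            # Android 12+ requires an explicit android:exported on such components.
            implicit = exported is None and comp.find("intent-filter") is not None
            if (exported == "true" or implicit) and not _is_launcher(comp) \
                    and comp.get(A + "permission") is None:
                findings.append(f"{tag} {name}: exported without a permission")
            for data in comp.iter("data"):
                scheme = data.get(A + "scheme")
                if scheme and scheme not in ("http", "https"):
                    findings.append(f"{tag} {name}: custom URL scheme {scheme}://")
    return findings


if __name__ == "__main__":
    print("\n".join(audit_manifest(SAMPLE_MANIFEST)))
```

Point it at `app_decompiled/AndroidManifest.xml` to triage a real decompile; each finding is a lead to confirm by hand, not a verdict.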

    Dynamic Analysis

    Frida (Runtime Instrumentation):

    # List running apps
    frida-ps -U
    
    # Attach to app
    frida -U -n "App Name"
    frida -U -f com.package.name
    
    # Load script
    frida -U -f com.package.name -l script.js
    
    # Common scripts
    # - Bypass SSL pinning
    # - Bypass root detection
    # - Hook functions
    # - Dump memory
    

    SSL Pinning Bypass:

    // Frida script - Universal SSL pinning bypass
    Java.perform(function() {
        var TrustManager = Java.use('javax.net.ssl.X509TrustManager');
        TrustManager.checkServerTrusted.implementation = function() {};
    
        var SSLContext = Java.use('javax.net.ssl.SSLContext');
        SSLContext.init.overload('[Ljavax.net.ssl.KeyManager;', '[Ljavax.net.ssl.TrustManager;', 'java.security.SecureRandom').implementation = function(a,b,c) {
            this.init.overload('[Ljavax.net.ssl.KeyManager;', '[Ljavax.net.ssl.TrustManager;', 'java.security.SecureRandom').call(this, a, null, c);
        };
    });
    

    Root Detection Bypass:

    // Frida - Bypass root detection
    Java.perform(function() {
        var RootClass = Java.use('com.package.name.RootDetection');
        RootClass.isRooted.implementation = function() {
            return false;
        };
    });
    

    Intercepting Traffic

    Burp Suite Setup:

    # 1. Install Burp CA certificate
    # Download from http://burp:8080 on device
    # Install in Settings -> Security -> Install from storage
    
    # 2. Configure proxy
    adb shell settings put global http_proxy 192.168.1.100:8080
    
    # 3. For apps with SSL pinning, use Frida bypass
    
    # 4. Clear proxy when done
    adb shell settings put global http_proxy :0
    

    mitmproxy:

    # Start mitmproxy
    mitmproxy --listen-port 8080
    
    # Install certificate on device
    # http://mitm.it
    
    # Set device proxy to attacker IP:8080
    

    Modifying and Repackaging APK

    # 1. Decompile
    apktool d app.apk -o app_mod
    
    # 2. Modify smali code
    # Edit files in app_mod/smali/
    
    # 3. Recompile
    apktool b app_mod -o app_modified.apk
    
    # 4. Sign APK
    # Generate keystore (first time only)
    keytool -genkey -v -keystore my-key.keystore -alias alias_name -keyalg RSA -keysize 2048 -validity 10000
    
    # Sign (jarsigner produces a v1/JAR signature only; SHA-1 is deprecated, use SHA-256)
    jarsigner -verbose -sigalg SHA256withRSA -digestalg SHA-256 -keystore my-key.keystore app_modified.apk alias_name
    
    # Apps targeting API 30+ need a v2 or newer signature on Android 11+; use apksigner from build-tools (zipalign first if needed)
    apksigner sign --ks my-key.keystore --ks-key-alias alias_name app_modified.apk
    
    # Or use uber-apk-signer, which handles alignment and v1/v2/v3 signing
    java -jar uber-apk-signer.jar -a app_modified.apk
    
    # 5. Install
    adb install app_modified.apk
    

    Common Vulnerabilities

    Insecure Data Storage:

    # Check shared preferences
    adb shell
    cd /data/data/com.package.name/shared_prefs/
    cat *.xml
    
    # Check databases
    cd /data/data/com.package.name/databases/
    sqlite3 database.db
    .tables
    SELECT * FROM users;
    
    # Check files
    cd /data/data/com.package.name/files/
    ls -la
    cat *
    

    Exported Components:

    # List exported activities
    adb shell dumpsys package com.package.name | grep -A 20 "Activity"
    
    # Start exported activity
    adb shell am start -n com.package.name/.ExportedActivity
    
    # Call exported service
    adb shell am startservice -n com.package.name/.ExportedService
    
    # Broadcast to receiver
    adb shell am broadcast -a com.package.name.ACTION
    

    Insecure WebView:

    # Check for JavaScript enabled
    # Look in code for:
    webView.getSettings().setJavaScriptEnabled(true);
    
    # Check for addJavascriptInterface
    # Can lead to RCE if exposed
    

    iOS Pentesting

    Setup

    Jailbreak Tools:

    • checkra1n (iOS 12-14)
    • unc0ver (iOS 11-14.8)
    • Taurine (iOS 14-14.3)

    SSH Access:

    # Default credentials
    ssh root@<device-ip>
    # password: alpine
    
    # Change default password!
    passwd
    

    IPA Analysis

    # Extract IPA
    unzip app.ipa
    
    # View binary
    otool -L Payload/App.app/App
    strings Payload/App.app/App
    
    # Class dump
    class-dump Payload/App.app/App > classes.txt
    
    # Decrypt binary (on jailbroken device)
    frida-ios-dump -u App
    
    # Static analysis with Hopper/Ghidra
    

    Runtime Analysis

    Frida on iOS:

    # List apps
    frida-ps -Ua
    
    # Attach
    frida -U -n "App Name"
    frida -U -f com.company.app
    
    # SSL pinning bypass (iOS)
    objection -g "App Name" explore
    ios sslpinning disable
    

    Objection:

    # Launch objection
    objection -g com.company.app explore
    
    # Common commands
    ios info binary
    ios hooking list classes
    ios hooking search methods MainActivity
    ios sslpinning disable
    ios jailbreak disable
    ios keychain dump
    ios nsuserdefaults get
    

    File System Access

    # Connect via SSH
    ssh root@device-ip
    
    # App data location
    cd /var/mobile/Containers/Data/Application/<UUID>/
    
    # Find app UUID
    ipainstaller -l  # List apps
    ls /var/mobile/Containers/Data/Application/
    
    # Common paths
    Documents/
    Library/
    Library/Preferences/  # plist files
    Library/Caches/
    tmp/
    

    Keychain Access

    # Using objection
    ios keychain dump
    
    # Manual (requires keychain-dumper on device)
    ./keychain_dumper
    
    # Specific item (the security CLI exists on the macOS host only, not on the device)
    security find-generic-password -s "ServiceName"
    

    Common iOS Vulnerabilities

    Insecure Data Storage:

    # Check plist files
    plutil -p Info.plist
    
    # Check UserDefaults
    ios nsuserdefaults get
    
    # Check SQLite databases
    sqlite3 database.db
    .tables
    SELECT * FROM sensitive_table;
    

    Binary Protections:

    # Check for PIE
    otool -hv App | grep PIE
    
    # Check for stack canaries (-v is needed to print symbol names)
    otool -I -v App | grep stack_chk
    
    # Check for ARC
    otool -I -v App | grep objc_release
    

    Mobile-Specific Attacks

    Deep Link Exploitation:

    # Android
    adb shell am start -a android.intent.action.VIEW -d "app://open?param=value"
    
    # iOS
    xcrun simctl openurl booted "app://open?param=value"
    

    Intent Injection:

    # Send malicious intent
    adb shell am start -n com.package/.Activity --es "extra_key" "malicious_value"
    

    Backup Extraction:

    # Android backup
    adb backup -f backup.ab com.package.name
    # Extract
    java -jar abe.jar unpack backup.ab backup.tar
    
    # iOS backup
    idevicebackup2 backup --full backup_directory
    

    Tools

    Android:

    • APKTool - Decompile/recompile APKs
    • dex2jar - Convert DEX to JAR
    • JADX - APK to Java decompiler
    • Frida - Dynamic instrumentation
    • Objection - Frida-based toolkit
    • MobSF - Automated analysis
    • Drozer - Android security framework

    iOS:

    • Frida - Dynamic instrumentation
    • Objection - Frida toolkit
    • class-dump - Extract class info
    • Hopper/Ghidra - Disassemblers
    • frida-ios-dump - Decrypt binaries
    • iproxy - Forward ports

    Quick Testing Workflow

    1. Static Analysis - Decompile, search strings, analyze manifest/Info.plist
    2. Install - Install on emulator/device
    3. Intercept Traffic - Set up Burp/mitmproxy, bypass SSL pinning
    4. Dynamic Analysis - Use Frida to hook functions, bypass protections
    5. Test Components - Test exported components, deep links, intents
    6. Data Storage - Check for insecure data storage in files/DB/keychain
    7. Repackage - Modify and recompile to test additional scenarios

    References

    • https://book.hacktricks.xyz/mobile-pentesting
    • https://github.com/OWASP/owasp-mstg
    • https://mobile-security.gitbook.io/