
Mobile App Security Testing: A Pentest Guide for iOS and Android

April 5, 2026 · 13 min read · VefaSec Editorial

Unlike the web, mobile apps run in a hostile environment where the attacker has full access to the device. That is why mobile pentesting requires a different approach and toolkit from web pentesting. This guide presents an end-to-end, OWASP MASVS-aligned audit flow for iOS and Android.

Static Analysis (SAST): Deep Inspection of APK and IPA

Opening an Android APK with apktool exposes AndroidManifest.xml, decompiled source code and embedded certificates. For iOS IPA files you inspect Info.plist, frameworks and the compiled binary similarly. MobSF, Qark and Objection are industry-standard SAST tools.

The most common findings: hardcoded API keys and secrets, debug mode left enabled, a JavaScript interface in a WebView that exposes native functions, and unencrypted sensitive data in SharedPreferences.
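As an added example (not from the original article and not part of any tool named above), here is a small Python checker for exactly these findings: it parses a decoded AndroidManifest.xml for debuggable/allowBackup flags and exported components, and scans decompiled source for hardcoded secrets, addJavascriptInterface and sensitive values written to SharedPreferences. The manifest, the Java class and the key-like string are constructed samples; the secret patterns are illustrative, not a complete rule set.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample of a decoded AndroidManifest.xml (what apktool writes out).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
  <application android:debuggable="true" android:allowBackup="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <activity android:name=".DeepLinkActivity" android:exported="true"/>
    <provider android:name=".DataProvider" android:authorities="com.example.app.data"
              android:exported="true"/>
  </application>
</manifest>
"""

# Constructed sample of decompiled Java source (hypothetical class; the key is a fake placeholder).
SAMPLE_SOURCE = """
public class ApiClient {
    private static final String API_KEY = "AKIAEXAMPLEEXAMPLE12";
    private static final String BASE_URL = "https://api.example.com/v1";
    void enableBridge(WebView wv) {
        wv.getSettings().setJavaScriptEnabled(true);
        wv.addJavascriptInterface(new NativeBridge(), "Android");
    }
    void save(SharedPreferences prefs, String token) {
        prefs.edit().putString("session_token", token).apply();
    }
}
"""

# Illustrative secret patterns: an AWS-style access key id and a quoted credential assignment.
SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"AKIA[0-9A-Z]{16}"),
    "generic_secret_assignment": re.compile(
        r'(?i)(api[_-]?key|secret|password)\s*=\s*"[^"]{8,}"'),
}


def audit_manifest(xml_text):
    """Return risky settings found in a decoded manifest, in document order."""
    findings = []
    root = ET.fromstring(xml_text)
    app = root.find("application")
    if app is not None:
        if app.get(ANDROID_NS + "debuggable") == "true":
            findings.append("debuggable=true")
        if app.get(ANDROID_NS + "allowBackup") == "true":
            findings.append("allowBackup=true")
    for comp in root.iter():
        if comp.tag not in ("activity", "service", "receiver", "provider"):
            continue
        if comp.get(ANDROID_NS + "exported") != "true":
            continue
        # The launcher activity has to be exported; every other exported component is reviewed.
        is_launcher = any(a.get(ANDROID_NS + "name") == "android.intent.action.MAIN"
                          for a in comp.iter("action"))
        if not is_launcher:
            findings.append(f"exported {comp.tag}: {comp.get(ANDROID_NS + 'name')}")
    return findings


def audit_source(source):
    """Return (finding, line_number) pairs for a chunk of decompiled source."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append((name, lineno))
        if "addJavascriptInterface(" in line:
            findings.append(("webview_js_interface", lineno))
        # A token/password/secret key written with putString lands unencrypted in SharedPreferences.
        if re.search(r'putString\("[^"]*(token|password|secret)[^"]*"', line):
            findings.append(("plaintext_shared_prefs", lineno))
    return findings


if __name__ == "__main__":
    for f in audit_manifest(SAMPLE_MANIFEST):
        print("manifest:", f)
    for name, lineno in audit_source(SAMPLE_SOURCE):
        print(f"source line {lineno}: {name}")
```

Run it as-is to see the four manifest findings and four source findings; point audit_manifest at the apktool output and audit_source at each decompiled file to use it on a real target.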

Dynamic Analysis and Runtime Inspection with Frida

Frida lets you hook into running apps to observe method calls, modify arguments and bypass functions. Community-maintained Frida scripts cover SSL pinning bypass, jailbreak/root detection bypass and license-check evasion.

Objection, built on top of Frida, is a CLI tool that simplifies 70% of mobile pentesting. With 'objection explore' you attach to the device and with 'android hooking list classes' you map the app's internals in minutes.

API Endpoint Testing and Network Traffic Inspection

Mobile apps mostly communicate with REST or GraphQL APIs in the background. Set up Burp Suite or OWASP ZAP as a proxy and capture all device traffic. If SSL pinning is enabled, bypass it with Frida and inspect requests one by one.

IDOR (Insecure Direct Object Reference), BOLA (Broken Object Level Authorization) and authentication bypass are the vulnerabilities we most often find in mobile APIs. Token lifetime, refresh flow and device fingerprint validation must be tested thoroughly.
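The token-lifetime point above can be checked mechanically. The following Python snippet is an added example (not from the article): it decodes the header and claims of an issued JWT without verifying the signature (the goal is to inspect what the server handed out, not to accept it) and flags tokens with no exp claim, an alg of none, or a lifetime beyond a policy maximum. The 15-minute limit, the fixed clock and the sample tokens are constructed assumptions for the demonstration.

```python
import base64
import json

# Policy assumption for this example: a mobile access token should live at most 15 minutes.
MAX_ACCESS_TOKEN_LIFETIME = 15 * 60
NOW = 1_700_000_000  # fixed "current time" so the sample tokens are reproducible


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(claims, alg="HS256"):
    # Constructed token: header.payload.placeholder-signature. The audit reads claims only,
    # so no signing key is involved and the signature segment is a stand-in.
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


# Constructed sample tokens covering the cases the audit should catch.
LONG_LIVED = make_sample_token({"sub": "user-1", "iat": NOW, "exp": NOW + 30 * 24 * 3600})
NO_EXPIRY = make_sample_token({"sub": "user-1", "iat": NOW})
ALG_NONE = make_sample_token({"sub": "user-1", "iat": NOW, "exp": NOW + 600}, alg="none")
GOOD = make_sample_token({"sub": "user-1", "iat": NOW, "exp": NOW + 600})


def audit_token(token, now=NOW, max_lifetime=MAX_ACCESS_TOKEN_LIFETIME):
    """Inspect an issued token's header and claims; return a list of policy violations."""
    header_b64, payload_b64, _signature = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    claims = json.loads(_b64url_decode(payload_b64))
    issues = []
    if str(header.get("alg", "")).lower() == "none":
        issues.append("alg=none: token carries no signature")
    exp = claims.get("exp")
    iat = claims.get("iat")
    if exp is None:
        issues.append("no exp claim: token never expires")
    elif iat is None:
        issues.append("no iat claim: lifetime cannot be verified")
    else:
        lifetime = exp - iat
        if lifetime > max_lifetime:
            issues.append(f"lifetime {lifetime}s exceeds policy maximum {max_lifetime}s")
        if exp <= now:
            issues.append("token already expired")
    return issues


if __name__ == "__main__":
    for label, tok in [("long-lived", LONG_LIVED), ("no-expiry", NO_EXPIRY),
                       ("alg-none", ALG_NONE), ("good", GOOD)]:
        print(label, audit_token(tok) or "ok")
```

In a real engagement you would feed audit_token the access and refresh tokens captured through the proxy, with max_lifetime set to whatever the client's policy says; a refresh token would get a larger limit and a separate check that it is actually rotated on use.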

Certificate Pinning and Hardening

Certificate pinning makes the app trust only a specific CA or public key and blocks Man-in-the-Middle attacks. When done incorrectly, though, the app breaks the moment the certificate is rotated. Pinning two keys (primary + backup) eliminates that risk.

On iOS, App Transport Security (ATS), and on Android, the Network Security Config, let you enforce pinning at the manifest level. Biometric authentication (Face ID, Touch ID, BiometricPrompt) adds a second security layer for sensitive operations.
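To make the primary + backup advice concrete on the Android side, here is an added example (not from the article) in Python: a weak Network Security Config beside a corrected one, and a checker that flags cleartext traffic, trust in user-installed CAs, a pin-set with fewer than two SHA-256 pins, malformed pins and a missing expiration date. The pin values are constructed placeholders (base64 of arbitrary 32-byte strings), not real SPKI hashes, and the domain is a stand-in.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed placeholder pins: base64 of 32 arbitrary bytes, NOT hashes of any real key.
PIN_PRIMARY = base64.b64encode(bytes(range(32))).decode()
PIN_BACKUP = base64.b64encode(bytes(range(32, 64))).decode()

# Weak config: cleartext allowed, user CAs trusted, a single pin, no expiration.
WEAK_CONFIG = f"""
<network-security-config>
  <base-config cleartextTrafficPermitted="true">
    <trust-anchors>
      <certificates src="system"/>
      <certificates src="user"/>
    </trust-anchors>
  </base-config>
  <domain-config>
    <domain includeSubdomains="true">api.example.com</domain>
    <pin-set>
      <pin digest="SHA-256">{PIN_PRIMARY}</pin>
    </pin-set>
  </domain-config>
</network-security-config>
"""

# Hardened config: cleartext off, system CAs only, primary + backup pin, dated expiration.
HARDENED_CONFIG = f"""
<network-security-config>
  <base-config cleartextTrafficPermitted="false">
    <trust-anchors>
      <certificates src="system"/>
    </trust-anchors>
  </base-config>
  <domain-config>
    <domain includeSubdomains="true">api.example.com</domain>
    <pin-set expiration="2027-01-01">
      <pin digest="SHA-256">{PIN_PRIMARY}</pin>
      <pin digest="SHA-256">{PIN_BACKUP}</pin>
    </pin-set>
  </domain-config>
</network-security-config>
"""


def _is_valid_pin(text):
    # A SHA-256 SPKI pin must decode to exactly 32 bytes.
    try:
        return len(base64.b64decode(text.strip(), validate=True)) == 32
    except ValueError:
        return False


def audit_network_security_config(xml_text):
    """Return a list of weaknesses found in an Android Network Security Config."""
    issues = []
    root = ET.fromstring(xml_text)
    base = root.find("base-config")
    if base is not None:
        if base.get("cleartextTrafficPermitted") == "true":
            issues.append("base-config: cleartextTrafficPermitted=true")
        if any(c.get("src") == "user" for c in base.iter("certificates")):
            issues.append("base-config: user-installed CAs are trusted")
    for dc in root.findall("domain-config"):
        label = ",".join(d.text.strip() for d in dc.findall("domain"))
        pin_set = dc.find("pin-set")
        if pin_set is None:
            issues.append(f"{label}: no pin-set")
            continue
        pins = [p for p in pin_set.findall("pin") if p.get("digest") == "SHA-256"]
        for p in pins:
            if not _is_valid_pin(p.text or ""):
                issues.append(f"{label}: malformed pin {p.text!r}")
        if len(pins) < 2:
            issues.append(f"{label}: only {len(pins)} SHA-256 pin(s), no backup pin")
        if pin_set.get("expiration") is None:
            issues.append(f"{label}: pin-set has no expiration date")
    return issues


if __name__ == "__main__":
    print("weak:", audit_network_security_config(WEAK_CONFIG))
    print("hardened:", audit_network_security_config(HARDENED_CONFIG))
```

Two caveats worth keeping in mind when reading the checker's output: Android stops enforcing the pin-set after the expiration date (it fails open rather than breaking the app), so the date has to be tracked like any other certificate deadline, and the backup pin only helps if the key it hashes is actually kept offline and ready for rotation.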

OWASP MASVS Checklist and Reporting

OWASP MASVS (Mobile Application Security Verification Standard) is the industry standard for mobile security and defines audits across 8 categories: Storage, Cryptography, Authentication, Network, Platform, Code and Resilience. Each category has L1 (baseline) and L2 (for high-value apps) levels.

The VefaSec mobile pentest package includes MASVS L1 by default, with L2 available for finance and healthcare apps. Reports contain an executive summary, CVSS-scored findings, screenshot-backed PoC evidence and a priority-sorted remediation guide. A free retest after fixes is built into the process.

Talk to VefaSec about your project or audit needs.

Our Diyarbakır-based team delivers end-to-end software development, penetration testing and cybersecurity advisory to enterprise clients. The discovery call is free and non-binding.
