Penetration Testing · Advanced

Conducting Mobile Application Penetration Test

Perform a mobile application penetration test on Android and iOS apps to identify insecure data storage, certificate pinning bypass, API vulnerabilities, binary protections, and runtime manipulation using Frida, Objection, and MobSF.

4 min read · 7 code examples

Prerequisites

  • Application APK/IPA file or TestFlight/Play Store access
  • Rooted Android device or emulator (Genymotion, Android Studio AVD)
  • Jailbroken iOS device or Corellium cloud instance
  • Tools: Frida, Objection, MobSF, Jadx, Burp Suite, adb, Ghidra
  • OWASP MASTG checklist

Overview

Mobile application penetration testing evaluates the security of Android and iOS applications following the OWASP Mobile Application Security Testing Guide (MASTG) and Mobile Application Security Verification Standard (MASVS). Testing covers static analysis of the application binary, dynamic runtime analysis, API communication security, data storage assessment, and reverse engineering resistance.

Android Testing

Static Analysis

# Decompile APK with jadx
jadx -d output_dir target.apk

# Search for hardcoded secrets
grep -rn "api_key\|secret\|password\|token\|firebase" output_dir/sources/

# Check AndroidManifest.xml
# Look for: exported components, debuggable=true, allowBackup=true
grep -i "exported\|debuggable\|allowBackup\|android:permission" output_dir/resources/AndroidManifest.xml

# MobSF automated static analysis
# Upload APK to MobSF web interface (http://localhost:8000)
# Or use REST API:
curl -F "file=@target.apk" http://localhost:8000/api/v1/upload \
  -H "Authorization: <api_key>"

# Check for insecure network security config
cat output_dir/resources/res/xml/network_security_config.xml
# Look for: cleartextTrafficPermitted="true", trust-anchors with user certs

# Analyze native libraries
find output_dir/resources/lib -name "*.so" -exec strings {} \; | grep -i "key\|secret"
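
The manifest and network-security-config greps above can be turned into a repeatable check. The following Python is an added example, not part of the original skill or of jadx/apktool; it parses constructed sample XML embedded inline and reports the same conditions the greps look for (exported components without a guarding permission, debuggable, allowBackup, cleartext traffic, user CAs as trust anchors).

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest, shaped like apktool/jadx output (not a real app).
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
  <application android:debuggable="true" android:allowBackup="true">
    <activity android:name=".MainActivity" android:exported="true"/>
    <activity android:name=".DeepLinkActivity"><intent-filter/></activity>
    <service android:name=".SyncService" android:exported="true" android:permission="com.example.SYNC"/>
    <receiver android:name=".BootReceiver" android:exported="true"/>
  </application>
</manifest>"""

# Constructed sample res/xml/network_security_config.xml.
NSC = """<network-security-config>
  <base-config cleartextTrafficPermitted="true">
    <trust-anchors><certificates src="system"/><certificates src="user"/></trust-anchors>
  </base-config>
</network-security-config>"""


def audit_manifest(xml_text):
    # Flag debuggable/allowBackup and exported components that no permission guards.
    findings = []
    app = ET.fromstring(xml_text).find("application")
    if app.get(ANDROID + "debuggable") == "true":
        findings.append("application is debuggable")
    if app.get(ANDROID + "allowBackup") == "true":
        findings.append("allowBackup enabled (data extractable via adb backup)")
    for comp in app:
        if comp.tag not in ("activity", "service", "receiver", "provider"):
            continue
        exported = comp.get(ANDROID + "exported")
        # Before targetSdk 31 a component with an intent-filter is exported by default.
        if exported is None and comp.find("intent-filter") is not None:
            exported = "true"
        if exported == "true" and not comp.get(ANDROID + "permission"):
            findings.append(f"exported {comp.tag} without permission: {comp.get(ANDROID + 'name')}")
    return findings


def audit_nsc(xml_text):
    # Flag cleartext traffic and user-installed CAs accepted as trust anchors.
    findings = []
    root = ET.fromstring(xml_text)
    for cfg in root.iter():
        if cfg.get("cleartextTrafficPermitted") == "true":
            findings.append(f"{cfg.tag} permits cleartext traffic")
    if any(c.get("src") == "user" for c in root.iter("certificates")):
        findings.append("user-installed CAs are trusted (proxy interception works without pinning)")
    return findings
```

Run it over `output_dir/resources/AndroidManifest.xml` and `res/xml/network_security_config.xml` by reading those files into the two functions instead of the constructed samples.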

Dynamic Analysis

# Install on device via adb
adb install target.apk

# Start Frida server on device (its version must match the host frida-tools)
adb push frida-server /data/local/tmp/
adb shell chmod 755 /data/local/tmp/frida-server
# Quote the command so the server is backgrounded on the device, not the adb process on the host
adb shell "/data/local/tmp/frida-server &"

# Objection — runtime exploration
objection -g com.target.app explore

# Inside Objection:
# List activities and services
android hooking list activities
android hooking list services

# Bypass root detection
android root disable

# Bypass SSL pinning
android sslpinning disable

# Dump keystore
android keystore list

# Enumerate shared preferences
android hooking search classes SharedPreferences

# Monitor clipboard
android clipboard monitor

# Explore filesystem
env
ls /data/data/com.target.app/
file download /data/data/com.target.app/shared_prefs/
file download /data/data/com.target.app/databases/

Data Storage Testing

# Check shared preferences for sensitive data
# /data/data is only readable as root: use `adb root` on an emulator, or `su -c` on a rooted device
adb shell su -c 'cat /data/data/com.target.app/shared_prefs/*.xml'

# Check SQLite databases
adb pull /data/data/com.target.app/databases/app.db
sqlite3 app.db ".dump" | grep -i "password\|token\|session"

# Check for data in external storage
adb shell ls /sdcard/Android/data/com.target.app/

# Check for sensitive data in logs
adb logcat -d | grep -i "token\|password\|session\|api_key"

# Backup extraction (only succeeds when the app does not set allowBackup="false")
# adb backup takes its options before the package name
adb backup -f backup.ab -apk -shared com.target.app
java -jar abe.jar unpack backup.ab backup.tar
tar xf backup.tar
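
The shared_prefs and logcat greps above report raw values, which then end up in the test report. The following Python is an added example, not part of the original skill; it scans constructed sample shared_prefs XML and logcat lines embedded inline for secret-like keys and records a masked value, so the finding is reproducible without copying the credential.

```python
import re
import xml.etree.ElementTree as ET

SENSITIVE = re.compile(r"(password|passwd|token|secret|session|api_?key)", re.IGNORECASE)
# Tag extractor for logcat "threadtime" lines: date time pid tid level tag: message
LOGCAT_TAG = re.compile(r"^\d{2}-\d{2} \S+\s+\d+\s+\d+ [VDIWEF] ([^:]+):")

# Constructed sample shared_prefs file (not from a real app).
SHARED_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="username">alice</string>
    <string name="auth_token">eyJhbGciOiJIUzI1NiJ9.constructed.signature</string>
    <boolean name="onboarding_done" value="true" />
</map>"""

# Constructed sample logcat output.
LOGCAT = """04-01 12:00:01.123  1234  1234 D AuthManager: login ok for alice
04-01 12:00:01.456  1234  1234 D AuthManager: Bearer token=eyJhbGciOiJIUzI1NiJ9.constructed.signature
04-01 12:00:02.789  1234  1234 I Net: GET /api/v1/profile 200"""


def mask(value):
    # Keep a short prefix and the length so the finding is verifiable without the secret itself.
    if len(value) <= 8:
        return "***"
    return f"{value[:4]}...[{len(value)} chars]"


def scan_shared_prefs(xml_text):
    # Return (key, masked value) for entries whose key name looks sensitive.
    findings = []
    for entry in ET.fromstring(xml_text):
        name = entry.get("name", "")
        value = entry.text if entry.text is not None else entry.get("value", "")
        if SENSITIVE.search(name):
            findings.append((name, mask(value)))
    return findings


def scan_logcat(text):
    # Return (line number, log tag, matched keyword) for lines that mention a secret-like term.
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        match = SENSITIVE.search(line)
        if match:
            tag = LOGCAT_TAG.match(line)
            findings.append((lineno, tag.group(1) if tag else "?", match.group(1).lower()))
    return findings
```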

Network Traffic Analysis

# Configure Burp proxy on device
# Settings > WiFi > Proxy > Manual > 192.168.1.100:8080
# Install Burp CA certificate on device

# For apps with certificate pinning:
# Method 1: Objection
objection -g com.target.app explore
android sslpinning disable

# Method 2: Frida script
frida -U -f com.target.app -l ssl_pinning_bypass.js --no-pause

# Method 3: Patch APK
# Use apktool to decompile, modify network_security_config.xml, repack
apktool d target.apk -o decompiled/
# Edit res/xml/network_security_config.xml to trust user CAs
apktool b decompiled/ -o patched.apk
jarsigner -keystore my.keystore patched.apk alias_name

iOS Testing

Static Analysis

# Decrypt IPA (from jailbroken device)
# Using frida-ios-dump
python3 dump.py com.target.app

# Or using Clutch on device
Clutch -d com.target.app

# Analyze binary with class-dump
class-dump -H TargetApp -o headers/
grep -rn "password\|token\|secret\|apiKey" headers/

# Check Info.plist
plutil -p Payload/TargetApp.app/Info.plist
# Look for: ATS exceptions, URL schemes, exported UTIs

# Check for insecure API connections
grep -i "http://" headers/*.h
grep -i "NSAllowsArbitraryLoads" Payload/TargetApp.app/Info.plist
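
Grepping Info.plist for NSAllowsArbitraryLoads misses the per-domain ATS exceptions. The following Python is an added example, not part of the original skill; it loads a constructed Info.plist built inline with plistlib and reports the app-wide and per-domain ATS weakenings, plus the custom URL schemes the app registers.

```python
import plistlib

# Constructed Info.plist (not from a real app), serialized the way an IPA carries it.
INFO_PLIST = plistlib.dumps({
    "CFBundleIdentifier": "com.example.app",
    "CFBundleURLTypes": [{"CFBundleURLSchemes": ["exampleapp"]}],
    "NSAppTransportSecurity": {
        "NSAllowsArbitraryLoads": True,
        "NSExceptionDomains": {
            "legacy.example.com": {
                "NSExceptionAllowsInsecureHTTPLoads": True,
                "NSExceptionMinimumTLSVersion": "TLSv1.0",
            },
            "api.example.com": {"NSExceptionRequiresForwardSecrecy": False},
        },
    },
})

WEAK_TLS = ("TLSv1.0", "TLSv1.1")


def audit_info_plist(plist_bytes):
    # Return ATS weaknesses and registered URL schemes found in an Info.plist.
    info = plistlib.loads(plist_bytes)
    findings = []
    ats = info.get("NSAppTransportSecurity", {})
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("NSAllowsArbitraryLoads=true: ATS disabled app-wide")
    for key in ("NSAllowsArbitraryLoadsInWebContent", "NSAllowsLocalNetworking"):
        if ats.get(key):
            findings.append(f"{key}=true")
    for domain, exc in ats.get("NSExceptionDomains", {}).items():
        if exc.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(f"{domain}: plaintext HTTP allowed")
        if exc.get("NSExceptionMinimumTLSVersion") in WEAK_TLS:
            findings.append(f"{domain}: minimum TLS {exc['NSExceptionMinimumTLSVersion']}")
        if exc.get("NSExceptionRequiresForwardSecrecy") is False:
            findings.append(f"{domain}: forward secrecy not required")
    # Custom URL schemes are an entry point; each handler needs its own input-validation review.
    for url_type in info.get("CFBundleURLTypes", []):
        for scheme in url_type.get("CFBundleURLSchemes", []):
            findings.append(f"custom URL scheme registered: {scheme}://")
    return findings
```

For a real app pass `open("Payload/TargetApp.app/Info.plist", "rb").read()`; plistlib reads both the XML and binary plist forms.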

Dynamic Analysis (iOS)

# Frida on iOS
frida -U -f com.target.app -l ios_bypass.js --no-pause

# Objection for iOS
objection -g com.target.app explore

# Inside Objection:
ios sslpinning disable
ios jailbreak disable
ios keychain dump
ios nsuserdefaults get
ios cookies get
ios nsurlcredentialstorage dump

# Check Keychain for stored secrets
objection -g com.target.app explore --startup-command 'ios keychain dump'

# Check binary protections (PIE, ARC, stack canaries, encrypted flag)
objection -g com.target.app explore --startup-command 'ios info binary'

API Testing

# Through Burp Suite, test captured API calls:

# Authentication bypass
# Modify JWT tokens, test for algorithm confusion (none, HS256 vs RS256)

# IDOR testing
# Change user identifiers in API requests

# Rate limiting
# Brute force OTP/PIN endpoints

# Input validation
# Test for injection in API parameters

# Business logic
# Manipulate prices, quantities, subscription tiers in requests

OWASP MASVS Checklist

| Category           | Test                          | Status |
|--------------------|-------------------------------|--------|
| MASVS-STORAGE-1    | Sensitive data in system logs | [ ]    |
| MASVS-STORAGE-2    | Sensitive data in backups     | [ ]    |
| MASVS-STORAGE-3    | Sensitive data in IPC         | [ ]    |
| MASVS-CRYPTO-1     | Proper cryptographic APIs     | [ ]    |
| MASVS-AUTH-1       | Local authentication bypass   | [ ]    |
| MASVS-NETWORK-1    | TLS with trusted CA           | [ ]    |
| MASVS-NETWORK-2    | Certificate pinning           | [ ]    |
| MASVS-PLATFORM-1   | Exported components secured   | [ ]    |
| MASVS-CODE-1       | Code obfuscation              | [ ]    |
| MASVS-RESILIENCE-1 | Root/jailbreak detection      | [ ]    |

Compliance Framework Mapping

This skill supports compliance evidence collection across multiple frameworks:

  • SOC 2: CC4.1 (Monitoring & Evaluation), CC7.1 (Monitoring)
  • ISO 27001: A.14.2 (Secure Development), A.18.2 (Information Security Reviews)
  • NIST 800-53: CA-8 (Penetration Testing), RA-5 (Vulnerability Scanning)
  • NIST CSF: ID.RA (Risk Assessment)

Claw GRC Tip: When this skill is executed by a registered agent, compliance evidence is automatically captured and mapped to the relevant controls in your active frameworks.

Deploying This Skill with Claw GRC

Agent Execution

Register this skill with your Claw GRC agent for automated execution:

# Install via CLI
npx claw-grc skills add conducting-mobile-application-penetration-test

# Or load dynamically via MCP
grc.load_skill("conducting-mobile-application-penetration-test")

Audit Trail Integration

When executed through Claw GRC, every step of this skill generates tamper-evident audit records:

  • SHA-256 chain hashing ensures no step can be modified after execution
  • Evidence artifacts (configs, scan results, logs) are automatically attached to relevant controls
  • Trust score impact — successful execution increases your agent's trust score

Continuous Compliance

Schedule this skill for recurring execution to maintain continuous compliance posture. Claw GRC monitors for drift and alerts when re-execution is needed.

References

  • OWASP MASTG: https://mas.owasp.org/MASTG/
  • OWASP MASVS: https://mas.owasp.org/MASVS/
  • Frida: https://frida.re/
  • Objection: https://github.com/sensepost/objection
  • MobSF: https://github.com/MobSF/Mobile-Security-Framework-MobSF
  • JADX: https://github.com/skylot/jadx

Tags

mobile-pentest, Android, iOS, Frida, Objection, MobSF, OWASP-MASTG, certificate-pinning