---
name: pentest-mobile-app
description: OWASP Mobile Top 10 security testing for Android and iOS — local storage, certificate pinning bypass, IPC abuse, and binary protections.
---

# Pentest Mobile App

## Purpose

Mobile apps are completely absent from Shannon (web-only) and all existing skills. Mobile apps often share backend APIs but introduce unique attack surfaces: local storage, pinning, intent handling, binary protections.

## Prerequisites

### Authorization Requirements

- **Written authorization** with mobile app testing scope
- **APK/IPA files** or access to app store downloads
- **Test devices** or emulators (rooted Android, jailbroken iOS preferred)
- **Backend API documentation** if available

### Environment Setup

- Frida for runtime instrumentation
- Objection for quick mobile security testing
- MobSF for automated static/dynamic analysis
- jadx for Android decompilation, Hopper for iOS
- Burp Suite configured as mobile proxy

## Core Workflow

1. **Static Analysis**: Decompile APK/IPA, analyze for hardcoded secrets, insecure storage patterns, weak crypto, exported components, debug flags.
2. **Insecure Data Storage**: Check SharedPreferences/Keychain for sensitive data, SQLite DBs, log files, clipboard exposure, backup extraction.
3. **Certificate Pinning Bypass**: Use Frida/Objection to disable pinning, intercept HTTPS traffic, test HTTP fallback.
4. **Auth & Session on Mobile**: Token storage security, biometric bypass, session timeout, deep link auth bypass.
5. **IPC Testing**: Exported Activities/Services/BroadcastReceivers (Android), URL scheme hijacking (iOS), intent injection, custom URI handler abuse.
6. **Binary Protections**: Root/jailbreak detection bypass, anti-tampering bypass, code obfuscation assessment, runtime manipulation via Frida.
7. **Mobile-Context API Testing**: APIs trusting mobile client-side validation, device-ID spoofing, push notification token abuse.
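The static-analysis and IPC steps above (1 and 5) both start from the decompiled `AndroidManifest.xml`. The following is an added example, not code from this skill or its `references/` files: it parses a manifest and reports the misconfigurations a reviewer would flag before any runtime work, namely the `debuggable`, `allowBackup` and `usesCleartextTraffic` application flags and any component that is reachable from other apps (explicitly `android:exported="true"`, or implicitly exported because it declares an intent-filter) without an `android:permission` guard. The sample manifest is constructed for the example; the launcher activity is skipped because it is exported by design.

```python
"""Audit an AndroidManifest.xml for insecure application flags and exported
components without a guarding permission (added example; sample is constructed)."""
import xml.etree.ElementTree as ET

# Attributes such as android:exported live in this namespace once parsed.
ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(name):
    """Return the namespaced attribute key ElementTree uses for android:<name>."""
    return "{%s}%s" % (ANDROID_NS, name)


# Constructed sample manifest with one of each problem the audit looks for.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo">
  <application android:debuggable="true" android:allowBackup="true"
      android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".DeepLinkActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <data android:scheme="demo"/>
      </intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true"/>
    <receiver android:name=".AdminReceiver" android:exported="true"
        android:permission="com.example.demo.ADMIN"/>
    <provider android:name=".DataProvider" android:exported="false"
        android:authorities="com.example.demo.data"/>
  </application>
</manifest>
"""

COMPONENT_TAGS = ("activity", "service", "receiver", "provider")
RISKY_APP_FLAGS = ("debuggable", "allowBackup", "usesCleartextTraffic")


def is_exported(component):
    """Mirror the platform rule: an explicit android:exported value wins; otherwise
    a component that declares an intent-filter is exported by default."""
    explicit = component.get(android_attr("exported"))
    if explicit is not None:
        return explicit.lower() == "true"
    return component.find("intent-filter") is not None


def is_launcher(component):
    """True for the activity carrying the LAUNCHER category (expected to be exported)."""
    for category in component.iter("category"):
        if category.get(android_attr("name")) == "android.intent.category.LAUNCHER":
            return True
    return False


def audit_manifest(xml_text):
    """Return a list of (kind, detail) findings for the given manifest text."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    findings = []
    if app is None:
        return findings

    # Application-level flags that should be off in a release build.
    for flag in RISKY_APP_FLAGS:
        if (app.get(android_attr(flag)) or "").lower() == "true":
            findings.append(("app-flag", flag))

    # Components other apps can reach with no permission requirement.
    for tag in COMPONENT_TAGS:
        for component in app.iter(tag):
            name = component.get(android_attr("name"))
            if not is_exported(component):
                continue
            if component.get(android_attr("permission")):
                continue
            if is_launcher(component):
                continue
            findings.append(("exported-unprotected", "%s:%s" % (tag, name)))
    return findings


if __name__ == "__main__":
    for kind, detail in audit_manifest(SAMPLE_MANIFEST):
        print("%-22s %s" % (kind, detail))
```

On the sample, the audit reports the three application flags, the deep-link activity (implicitly exported through its `VIEW` intent-filter) and the explicitly exported service; the receiver is skipped because it is guarded by a permission, and the provider because it is not exported. Each exported-unprotected hit is a candidate for the intent-injection and URI-handler checks in step 5, and each flag maps to a storage or transport finding in steps 2 and 3.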
## Tool Categories

| Category | Tools | Purpose |
|----------|-------|---------|
| Runtime Instrumentation | Frida, Objection | Hook functions, bypass protections |
| Static Analysis | MobSF, jadx, Hopper | Decompile and analyze binaries |
| Traffic Interception | Burp Suite, mitmproxy | HTTPS interception with pinning bypass |
| Android Testing | adb, drozer | Component testing, IPC analysis |
| iOS Testing | Objection, cycript | Runtime manipulation, keychain dump |

## References

- `references/tools.md` - Tool function signatures and parameters
- `references/workflows.md` - Attack pattern definitions and test vectors