TUTORIAL · 7 min read
Mobile App Pentest: The Checklist I Actually Use
Mobile pentests fail when the tester treats them like a web app. The runtime is different, the attack surface is different, and so is the toolchain.
Static first
Decompile the APK / IPA. Hunt hardcoded secrets, weak crypto, exported components and insecure URL schemes.
Dynamic with Frida
Bypass root/jailbreak detection, hook SSL pinning, dump runtime memory. Frida + Objection is 80% of the workflow.
Storage & IPC
SharedPreferences in cleartext, world-readable files, exported Activities/Receivers, insecure deeplinks — every release ships at least one.
- adb backup / iOS file dump
- Test deeplinks with crafted intents
- Inspect Keychain / Keystore usage
Tools mentioned
MobSFFridaObjectionBurp SuiteapktoolGhidra
⟩ takeaway
Mobile bugs hide in the platform glue: storage, IPC, deeplinks. Static + Frida wins the engagement.
⟩ keep reading
Related articles
Hardening Your Cloud in 5 Steps
A practical checklist to lock down AWS, Azure and GCP workloads before attackers find the gaps.
Prompt Injection: The OWASP LLM #1 Risk
How indirect prompt injection turns helpful AI into an attacker tool — and how to defend against it.
Inside a Real SOC: A Day in the Life
From the first SIEM alert to incident closure — what L1/L2/L3 actually looks like in practice.