All articles
TUTORIAL · 7 min read

Mobile App Pentest: The Checklist I Actually Use

Mobile pentests fail when the tester treats them like a web app. The runtime is different, the attack surface is different, and so is the toolchain.

Static first

Decompile the APK / IPA. Hunt hardcoded secrets, weak crypto, exported components and insecure URL schemes.

Dynamic with Frida

Bypass root/jailbreak detection, hook SSL pinning, dump runtime memory. Frida + Objection is 80% of the workflow.

Storage & IPC

SharedPreferences in cleartext, world-readable files, exported Activities/Receivers, insecure deeplinks — every release ships at least one.

  • adb backup / iOS file dump
  • Test deeplinks with crafted intents
  • Inspect Keychain / Keystore usage

Tools mentioned

MobSFFridaObjectionBurp SuiteapktoolGhidra
⟩ takeaway

Mobile bugs hide in the platform glue: storage, IPC, deeplinks. Static + Frida wins the engagement.

⟩ keep reading

Related articles