Security is often an afterthought in the rapid cycle of mobile development, but as I’ve learned through years of building and breaking apps, a single leaked API key or an insecure local storage implementation can compromise millions of users. If you’re looking for a step by step guide to mobile app penetration testing, you’re in the right place. Whether you’re a developer wanting to harden your code or a QA engineer moving into security, this guide focuses on the practical, ‘real-world’ approach to finding vulnerabilities before the bad guys do.
Before we dive into the technical steps, it’s important to understand that mobile pentesting isn’t just about the app itself—it’s about the entire ecosystem: the client-side binary, the network communication, and the backend APIs. For those new to this, I highly recommend starting with our security testing for developers guide to get the foundational mindset right.
Prerequisites & Lab Setup
You can’t perform effective penetration testing on a retail device. You need a controlled environment where you have root or administrative access to the file system.
- Hardware: A rooted Android device (Pixel series are ideal) or a jailbroken iPhone.
- Emulator: Genymotion or Android Studio Emulator (with Google APIs, but not Play Store for easier rooting).
- Proxy Tool: Burp Suite Professional is the industry standard for intercepting traffic.
- Analysis Tools: Jadx-GUI (Android), MobSF (Mobile Security Framework), and Frida (Dynamic Instrumentation).
Step 1: Reconnaissance and Information Gathering
The first step in any penetration test is understanding what you’re dealing with. I start by analyzing the application’s manifest and metadata.
Analyzing the Manifest
For Android, I use jadx-gui to decompile the APK. I look for exported activities, broadcast receivers, and content providers that might be accessible to other apps on the device.
# Example: Checking for exported activities in AndroidManifest.xml
If android:exported="true" is set for a sensitive activity, any app on the device can launch it, potentially bypassing authentication screens.
Step 2: Static Analysis (SAST)
Static analysis involves examining the code without executing it. I typically run the APK/IPA through MobSF for a quick baseline, then dive manually into the decompiled Java/Kotlin or Swift code.
What to look for:
- Hardcoded Secrets: Search for strings like “API_KEY”, “SECRET”, “AWS_”, or “firebase”.
- Insecure Logging: Look for
Log.d()orprint()statements that might leak PII (Personally Identifiable Information) to the system log. - Weak Cryptography: Search for
AES/ECBorMD5, which are outdated and insecure.
Step 3: Dynamic Analysis and Traffic Interception
This is where the real magic happens. In this phase, we observe the app while it’s running. The goal is to intercept the communication between the mobile app and the server.
As shown in the image below, setting up your proxy is the most critical part of this stage. You must install the Burp Suite CA certificate on the device to decrypt HTTPS traffic.
Bypassing SSL Pinning
Many modern apps use SSL Pinning to prevent interception. To bypass this, I use Frida. Frida allows you to inject scripts into the app’s process at runtime to force the app to trust your proxy certificate.
# Example Frida command to run a pinning bypass script
frida -U -f com.example.app -l frida-ssl-bypass.js --no-pauseStep 4: Testing Local Storage and Permissions
Mobile apps often store data locally. If an attacker gains physical access to the device or if another app can read the data, it’s a vulnerability.
I check the following directories on Android:
/data/data/com.example.app/shared_prefs(XML files)/data/data/com.example.app/databases(SQLite files)
If I find a session token or a password stored in plaintext in a shared_prefs file, that’s a high-severity finding.
Step 5: Backend API Penetration Testing
The mobile app is just a frontend. The real vulnerabilities usually lie in the APIs. Now that we have the traffic flowing through Burp Suite, I test for:
- BOLA (Broken Object Level Authorization): Changing a user ID in a request (e.g.,
/api/user/123to/api/user/124) to see if I can access someone else’s data. - Injection: Testing input fields for SQL injection or NoSQL injection.
- Improper JWT Validation: Checking if the server actually validates the signature of the JSON Web Token.
Pro Tips for Better Results
- Automate the Boring Stuff: Use a CI/CD pipeline to run MobSF scans on every build. This prevents simple mistakes from reaching production.
- Test the ‘Forgot Password’ Flow: This is often the weakest link in mobile authentication.
- Check for Deep Link Vulnerabilities: If your app handles custom URLs (e.g.,
myapp://reset-password?token=...), ensure these cannot be manipulated to perform unauthorized actions.
Troubleshooting Common Issues
| Issue | Common Cause | Solution |
|---|---|---|
| Traffic not appearing in Burp | Incorrect Proxy settings or Firewall | Verify device IP and port 8080 are open. |
| App crashes after Frida injection | Version mismatch between Frida-server and Frida-tools | Ensure both versions match exactly (e.g., v16.1.4). |
| SSL Handshake Failed | Certificate not trusted by system | Move certificate to System Root store (requires root). |
What’s Next?
Once you’ve completed these steps, the process doesn’t end. Security is an iterative cycle. I recommend integrating these tests into your Sprint reviews. If you found that your API was the weakest point, it’s time to dive deeper into security testing for developers to implement better server-side guards.
Ready to scale your security? If you’re still using the Community edition of Burp, I highly suggest upgrading; the automated scanner in the Burp Suite Professional review 2026 highlights exactly why it’s worth the investment for professional pentesters.