
Mobile App Penetration Testing: Android & iOS
Comprehensive guide to identifying and exploiting vulnerabilities in Android and iOS mobile applications
Introduction to Mobile App Penetration Testing
Mobile app penetration testing involves assessing the security of Android and iOS applications to identify vulnerabilities that could be exploited by attackers. With mobile apps handling sensitive data like financial information, personal details, and authentication credentials, securing them is critical. This guide covers common vulnerabilities, testing methodologies, and tools for Android and iOS platforms.
If you’re new to penetration testing, check out our guide to penetration testing certifications to build your foundational knowledge.
Common Mobile App Vulnerabilities
Vulnerability | Description | Risk |
---|---|---|
Insecure Data Storage | Sensitive data stored unencrypted in app sandbox or external storage | Data theft |
Insecure Communication | Unencrypted network traffic or weak TLS configurations | Man-in-the-middle (MITM) attacks |
Improper Session Handling | Poorly managed session tokens or authentication mechanisms | Session hijacking |
Broken Cryptography | Weak encryption algorithms or hardcoded keys | Data exposure |
Insecure Authentication | Weak or bypassable authentication checks | Unauthorized access |
Android Penetration Testing
Testing Methodology
Android apps run on a Linux-based OS with a sandboxed environment. Testing involves analyzing the app’s APK, runtime behavior, and interactions with the device and backend. For more on Android security, see our Android Security Best Practices guide.
Key Areas to Test
- APK Analysis: Decompile the APK to inspect code and resources.
- Data Storage: Check SharedPreferences, SQLite databases, and external storage.
- Network Traffic: Intercept HTTP/HTTPS traffic for insecure communication.
- Components: Test Activities, Services, Broadcast Receivers, and Content Providers for unauthorized access.
- Root Detection: Bypass root detection mechanisms to test app behavior on rooted devices.
Tools
- Frida: Dynamic instrumentation for runtime manipulation.
- MobSF: Mobile Security Framework for static and dynamic analysis.
- Burp Suite: Intercept and modify network traffic.
- APKTool: Decompile and recompile APKs.
- Drozer: Assess Android app components.
# Frida script to hook root detection
Java.perform(function() {
var RootChecker = Java.use("com.example.app.RootChecker");
RootChecker.isRooted.implementation = function() {
console.log("Bypassing root detection");
return false;
};
});
// Run with Frida
frida -U -f com.example.app -l bypass_root.js
# Access SharedPreferences on a rooted device
adb shell
cd /data/data/com.example.app/shared_prefs
cat preferences.xml
# Example output (unencrypted sensitive data)
iOS Penetration Testing
Testing Methodology
iOS apps run in a tightly controlled environment with strict sandboxing and code signing. Testing focuses on the app binary, runtime behavior, and interactions with the device and backend. Learn more about iOS Security Fundamentals in our dedicated guide.
Key Areas to Test
- IPA Analysis: Inspect the IPA file for hardcoded secrets or misconfigurations.
- Data Storage: Check Keychain, NSUserDefaults, and plists for unencrypted data.
- Network Traffic: Analyze for SSL pinning or insecure protocols.
- Jailbreak Detection: Bypass jailbreak checks to test app behavior on jailbroken devices.
- Runtime Manipulation: Hook methods to alter app behavior.
Tools
- Frida: Runtime instrumentation for iOS apps.
- Objection: Runtime mobile exploration toolkit.
- Burp Suite: Intercept network traffic.
- iFunBox: Access app sandbox on jailbroken devices.
- Cycript: Runtime manipulation for Objective-C/Swift apps.
# Frida script to bypass jailbreak detection
var NSFileManager = ObjC.classes.NSFileManager;
Interceptor.attach(NSFileManager['- fileExistsAtPath:'], {
onLeave: function(retval) {
if (retval.toInt32() == 1) {
console.log("Bypassing jailbreak detection");
retval.replace(0);
}
}
});
// Run with Frida
frida -U -f com.example.app -l bypass_jailbreak.js
# Dump Keychain on a jailbroken device
objection -g com.example.app explore
keychain dump
# Example output (unencrypted sensitive data)
[
{
"service": "com.example.app",
"key": "user_token",
"data": "sensitive_token"
}
]
Common Exploitation Techniques
1. Intercepting Network Traffic
Use a proxy like Burp Suite to intercept and analyze network traffic for insecure communication. Our Burp Suite for Mobile Testing guide provides detailed setup instructions.
# Frida script to disable SSL pinning (Android/iOS)
Java.perform(function() {
var CertificatePinner = Java.use("okhttp3.CertificatePinner");
CertificatePinner.check.overload('java.lang.String', 'java.util.List').implementation = function(host, certs) {
console.log("Bypassing SSL pinning for " + host);
};
});
// Run with Frida
frida -U -f com.example.app -l bypass_ssl.js
2. Reverse Engineering
Decompile Android APKs or iOS IPAs to identify hardcoded credentials, API keys, or logic flaws.
# Decompile APK with APKTool
apktool d app.apk
# Inspect smali code or resources
cat app/smali/com/example/app/MainActivity.smali
# Example finding (hardcoded key)
const-string v0, "API_KEY"
const-string v1, "12345-abcdef"
3. Runtime Manipulation
Use tools like Frida or Objection to modify app behavior at runtime, bypassing authentication or restrictions. Learn more about Frida for Mobile Pentesting in our detailed tutorial.
# Frida script to bypass login check
Java.perform(function() {
var LoginActivity = Java.use("com.example.app.LoginActivity");
LoginActivity.validateCredentials.implementation = function(username, password) {
console.log("Bypassing login for " + username);
return true;
};
});
// Run with Frida
frida -U -f com.example.app -l bypass_login.js
Mitigation Techniques
For Developers:
- Encrypt sensitive data using platform-specific mechanisms (e.g., Android Keystore, iOS Keychain).
- Implement secure communication with TLS and certificate pinning.
- Use secure session management with short-lived tokens.
- Validate and sanitize all inputs to prevent injection attacks.
- Implement robust root/jailbreak detection and anti-tampering measures.
- Obfuscate code to hinder reverse engineering.
- Regularly audit apps with tools like MobSF or QARK.
For Pentesters:
Test all app components, network interactions, and storage mechanisms. Use both static and dynamic analysis to uncover vulnerabilities. Ensure compliance with legal and ethical guidelines during testing.
Conclusion
Mobile app penetration testing for Android and iOS requires a deep understanding of platform-specific security mechanisms and vulnerabilities. By leveraging tools like Frida, MobSF, and Burp Suite, pentesters can identify and exploit weaknesses, while developers can implement robust mitigations to protect users.
For more security resources, explore our Mobile Security category on cybersamir.com.