Mobile applications present a security testing challenge that web applications only partly share: the whole client, its compiled code, embedded secrets and locally cached data, ships to a device the attacker controls. On that device an attacker can run the app in an instrumented environment, manipulate its runtime, intercept its network traffic and reverse-engineer its binary. A mobile VAPT engagement is designed to test the application as an attacker would, from the device outward.
The Mobile Threat Model
Mobile security testing assumes two threat actors: the untrusted network (an attacker intercepting traffic between the app and the server) and the compromised device (an attacker with physical or logical access to the device and the app, typically rooted or jailbroken). Most mobile vulnerabilities are exploitable by one or both, and each finding should state which one it assumes: certificate pinning, for instance, is a control against the first actor and does nothing against the second.
Static Analysis
Before running the app, a mobile pentester decompiles or disassembles the binary to examine its code, configuration, and embedded assets.
- Hardcoded credentials and API keys — credentials embedded in the binary or in bundled configuration files are visible to anyone who decompiles the app.
- Sensitive data in strings — PII, server endpoints, debug information, cryptographic keys.
- Insecure cryptography — weak or misapplied algorithms (MD5 or SHA-1 for password hashing, ECB mode), hardcoded keys and IVs, misused encryption APIs.
- Exported components (Android) — activities, services, broadcast receivers and content providers exported without a permission requirement can be invoked by any app on the device. Before Android 12 (API 31) a component with an intent filter is exported by default unless android:exported="false" is set; from API 31 the attribute must be declared explicitly for such components.
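As a worked illustration of this static pass (an added example, not code from the original post or the Vynox methodology), the Python script below runs a small set of triage regexes over decompiled sources. The sources it scans are a constructed sample standing in for jadx output; the key formats are the public Google (AIza...) and AWS (AKIA...) prefixes, the AWS value is the placeholder key ID used in AWS documentation, and the crypto patterns target the Java Cryptography Architecture calls an Android app makes.

```python
"""Triage regexes for decompiled mobile app sources.

Added example, not code from the original post. Runs over decompiler output
(jadx or apktool for Android, a class-dump for iOS) and flags the static
findings listed above: embedded keys, weak digests, ECB mode, hardcoded IVs
and endpoints. SAMPLE_SOURCES is a constructed sample, not a real app.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample resembling jadx output for a leaky Android app.
SAMPLE_SOURCES: Dict[str, str] = {
    "com/example/app/Config.java": '''
public class Config {
    static final String MAPS_KEY = "AIzaSyD-EXAMPLE0000000000000000000000000";
    static final String AWS_ID = "AKIAIOSFODNN7EXAMPLE";
    static final String API = "https://api.example.com/v1";
}
''',
    "com/example/app/Crypto.java": '''
public class Crypto {
    static final byte[] IV = new byte[]{0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0};
    String hash(String pw) throws Exception {
        MessageDigest md = MessageDigest.getInstance("MD5");
        return hex(md.digest(pw.getBytes()));
    }
    Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
}
''',
}

# (severity, label, pattern). Vendor key prefixes are public; the crypto
# patterns match the JCA calls a Java/Kotlin app would make.
PATTERNS: List[Tuple[str, str, re.Pattern]] = [
    ("HIGH", "Google API key", re.compile(r"AIza[0-9A-Za-z_-]{35}")),
    ("HIGH", "AWS access key ID", re.compile(r"AKIA[0-9A-Z]{16}")),
    ("HIGH", "Private key block", re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----")),
    ("MEDIUM", "JWT literal", re.compile(r"eyJ[0-9A-Za-z_-]+\.eyJ[0-9A-Za-z_-]+\.[0-9A-Za-z_-]+")),
    ("MEDIUM", "Weak digest", re.compile(r'MessageDigest\.getInstance\("(?:MD5|SHA-?1)"\)')),
    ("MEDIUM", "ECB mode cipher", re.compile(r'Cipher\.getInstance\("[^"]*/ECB/[^"]*"\)')),
    ("MEDIUM", "Hardcoded IV", re.compile(r"\bIV\s*=\s*new byte\[\]\s*\{", re.IGNORECASE)),
    ("LOW", "Cleartext endpoint", re.compile(r"http://[A-Za-z0-9./-]+")),
    ("INFO", "Server endpoint", re.compile(r"https://[A-Za-z0-9./-]+")),
]


def scan_sources(sources: Dict[str, str]) -> List[Dict[str, object]]:
    """One finding per regex hit, with file and line for the report."""
    findings: List[Dict[str, object]] = []
    for path, text in sources.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for severity, label, pattern in PATTERNS:
                for match in pattern.finditer(line):
                    findings.append({"severity": severity, "type": label, "file": path,
                                     "line": lineno, "match": match.group(0)})
    return findings


def summarize(findings: List[Dict[str, object]]) -> Dict[str, int]:
    """Count findings per type for the report's summary table."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[str(f["type"])] = counts.get(str(f["type"]), 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan_sources(SAMPLE_SOURCES):
        print(f"[{f['severity']}] {f['type']}: {f['file']}:{f['line']} {f['match']}")
```

Every hit still needs manual confirmation against the running app: a Maps key restricted to the app's package and signing certificate is a low-severity note, an unrestricted one that bills the client is a high, and an MD5 call used to name a cache file is not a finding at all.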
Dynamic Analysis
Dynamic analysis tests the app's runtime behaviour on a physical device or emulator.
Certificate Pinning Bypass
Certificate pinning defends against MITM on the network by checking the server's certificate or public key against a value embedded in the app, so an interception proxy's certificate is rejected even when its CA has been installed on the device. Pentesters bypass pinning on the test device using Frida hooks, custom Xposed modules (Android) or SSL Kill Switch (iOS) so that API traffic can be decrypted and inspected. The bypass is a test enabler rather than a finding in itself: pinning is a control against the untrusted network, and an attacker who controls the device can always remove it. How much effort the removal took is still worth recording, since it indicates how well the app resists tampering.
Network Traffic Interception
With pinning bypassed, all API traffic is proxied through Burp Suite and inspected for authentication flaws, IDOR vulnerabilities, sensitive data exposure, and insecure transport configuration — the same tests as a web application pentest, but against the mobile API surface.
Runtime Manipulation
Frida and Objection allow pentesters to hook into running app processes to bypass authentication checks, modify application logic, dump memory, and extract decrypted data at runtime. This is particularly effective for exposing business logic vulnerabilities that aren't visible in static analysis.
Local Data Storage
Mobile apps frequently cache sensitive data locally without adequate protection. Common findings include:
- Authentication tokens stored in SharedPreferences (Android) or NSUserDefaults (iOS) in plaintext.
- SQLite databases containing PII, session data, or cached API responses without encryption.
- Sensitive data written to the system log (logcat on Android, the unified log on iOS), which ends up in bug reports and is readable by anyone with a debugging connection to the device.
- Clipboard leakage — sensitive form fields that allow clipboard access expose data to clipboard-reading apps.
- Sensitive data in screenshots — not setting FLAG_SECURE on authentication screens (Android), or not covering sensitive views when the app moves to the background (iOS), leaves credentials visible in the app switcher snapshot.
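To show what the tester does with a sandbox pulled from the test device (an added example, not code from the original post), the Python below triages a SharedPreferences XML and a SQLite database, both constructed samples. It decodes any JWT it finds without verifying it, because the point is to read alg, sub and exp from data already sitting on the device, and it lists tables whose column names suggest credentials or PII. The /data/data/<pkg>/ paths are the standard Android app-sandbox locations; the package name and file names are assumed.

```python
"""Triage local storage pulled from a test device: SharedPreferences and SQLite.

Added example, not code from the original post. Finds plaintext bearer tokens,
decodes JWTs without verifying them to read alg/sub/exp, and lists tables whose
column names suggest credentials or PII. Both inputs are constructed samples.
"""
import base64
import json
import sqlite3
import time
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _make_sample_token(payload: dict) -> str:
    # Constructed token: real header/payload shape, zeroed "signature" (not a real HMAC).
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return ".".join((header, body, _b64url_encode(bytes(32))))

_SAMPLE_TOKEN = _make_sample_token({"sub": "user-1042", "scope": "payments", "exp": 1_690_000_000})

# Constructed /data/data/<pkg>/shared_prefs/app.xml (XML declaration omitted).
SAMPLE_PREFS = f"""<map>
    <string name="auth_token">{_SAMPLE_TOKEN}</string>
    <string name="user_pin">4821</string>
    <string name="theme">dark</string>
    <boolean name="onboarded" value="true" />
</map>"""

SENSITIVE_KEY_HINTS = ("token", "secret", "password", "passwd", "pin", "session", "api_key", "ssn")
SENSITIVE_COLUMN_HINTS = ("password", "token", "ssn", "card", "email", "phone", "dob")

def decode_jwt_unverified(value: str) -> Optional[Tuple[dict, dict]]:
    """(header, payload) if value is shaped like a JWT, else None. No signature check:
    this is triage of data already on the device, not authentication."""
    parts = value.split(".")
    if len(parts) != 3 or not all(parts):
        return None
    try:
        header = json.loads(_b64url_decode(parts[0]))
        payload = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # bad base64, bad UTF-8 and bad JSON all raise ValueError subclasses
        return None
    if not (isinstance(header, dict) and isinstance(payload, dict) and "alg" in header):
        return None
    return header, payload

def inspect_shared_prefs(xml_text: str, now: Optional[int] = None) -> List[Dict[str, str]]:
    now = int(time.time()) if now is None else now
    findings: List[Dict[str, str]] = []
    for el in ET.fromstring(xml_text):
        key = el.get("name", "")
        value = el.text or el.get("value", "")  # <string> carries text; <boolean>/<int> use a value attr
        jwt = decode_jwt_unverified(value)
        if jwt:
            header, payload = jwt
            exp = payload.get("exp")
            lifetime = ("no exp claim" if exp is None else "expired" if exp < now
                        else f"usable for {(exp - now) // 3600}h more")
            findings.append({"key": key, "issue": f"plaintext JWT (alg={header.get('alg')}, "
                                                  f"sub={payload.get('sub')}, {lifetime})"})
        elif value and any(hint in key.lower() for hint in SENSITIVE_KEY_HINTS):
            findings.append({"key": key, "issue": "sensitive-looking key stored in plaintext"})
    return findings

def build_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for a file pulled from /data/data/<pkg>/databases/."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, email TEXT, password_hash TEXT, ssn TEXT);
        INSERT INTO users VALUES (1, 'alice@example.com', '5f4dcc3b5aa765d61d8327deb882cf99', '000-00-0000');
        CREATE TABLE cache(url TEXT, body TEXT);
        INSERT INTO cache VALUES ('/v1/me', '{"email":"alice@example.com"}');
    """)
    return conn

def inspect_sqlite(conn: sqlite3.Connection) -> List[Dict[str, object]]:
    """Tables whose column names suggest credentials or PII, with row counts."""
    findings: List[Dict[str, object]] = []
    tables = [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        # Identifiers come from the database's own catalog, hence the quoted interpolation.
        cols = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
        hits = [c for c in cols if any(hint in c.lower() for hint in SENSITIVE_COLUMN_HINTS)]
        if hits:
            rows = conn.execute(f'SELECT COUNT(*) FROM "{table}"').fetchone()[0]
            findings.append({"table": table, "columns": hits, "rows": rows})
    return findings

if __name__ == "__main__":
    for f in inspect_shared_prefs(SAMPLE_PREFS):
        print(f"shared_prefs {f['key']}: {f['issue']}")
    for f in inspect_sqlite(build_sample_db()):
        print(f"sqlite {f['table']}: {f['columns']} ({f['rows']} rows)")
```

The column-name check is deliberately coarse: the constructed cache table holds an email address inside a JSON body and is not reported, which is why a content grep over the pulled files follows this pass. On iOS the equivalent targets are the app container's Library/Preferences/*.plist (NSUserDefaults), read with plistlib, and any .sqlite files in the container, which the same inspect_sqlite function handles.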
iOS-Specific Testing Areas
- Keychain storage — are sensitive items stored with the most restrictive accessibility class the feature allows, such as kSecAttrAccessibleWhenUnlockedThisDeviceOnly, rather than a class that is available at all times or migrates to other devices through backups?
- Data Protection API usage — are files classified with the correct NSFileProtection level?
- Jailbreak detection robustness — can the check be bypassed trivially, for instance by hooking the functions that look for jailbreak artefacts?
- URL scheme handling — do custom URL schemes accept and process untrusted input?
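For the URL-scheme item, the first step is enumerating what the app registers. The Python below (an added example, not from the original post) reads Info.plist from an unpacked IPA, lists CFBundleURLSchemes and, since the same file carries the transport policy, the App Transport Security exceptions that permit cleartext HTTP. The plist is a constructed sample; Payload/<App>.app/Info.plist is the standard IPA layout and the bundle identifier is assumed.

```python
"""Enumerate iOS attack surface declared in Info.plist.

Added example, not code from the original post. Reads the Info.plist of an
unpacked IPA (Payload/<App>.app/Info.plist; plistlib also handles the binary
form) and lists custom URL schemes other apps can invoke, plus ATS exceptions
that permit cleartext HTTP. SAMPLE_INFO_PLIST is a constructed sample.
"""
import plistlib
from typing import Dict, List

SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.app</string>
  <key>CFBundleURLTypes</key>
  <array>
    <dict>
      <key>CFBundleURLName</key><string>com.example.app.links</string>
      <key>CFBundleURLSchemes</key>
      <array><string>exampleapp</string><string>exampleapp-auth</string></array>
    </dict>
  </array>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>legacy.example.com</key>
      <dict><key>NSExceptionAllowsInsecureHTTPLoads</key><true/></dict>
    </dict>
  </dict>
</dict>
</plist>
"""


def inspect_info_plist(data: bytes) -> List[Dict[str, str]]:
    """Attack-surface entries a tester follows up on: URL schemes and ATS exceptions."""
    info = plistlib.loads(data)
    findings: List[Dict[str, str]] = []
    for url_type in info.get("CFBundleURLTypes", []):
        for scheme in url_type.get("CFBundleURLSchemes", []):
            findings.append({"area": "url-scheme", "detail": f"{scheme}://",
                             "note": "any app on the device can open this; the handler's input is untrusted"})
    ats = info.get("NSAppTransportSecurity", {})
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append({"area": "transport", "detail": "NSAllowsArbitraryLoads=true",
                         "note": "ATS disabled for all connections; cleartext HTTP allowed"})
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append({"area": "transport",
                             "detail": f"{domain}: NSExceptionAllowsInsecureHTTPLoads=true",
                             "note": "cleartext HTTP allowed to this domain"})
    return findings


def url_schemes(data: bytes) -> List[str]:
    """Just the schemes, ready to feed into a URL-scheme fuzzing pass."""
    return [f["detail"] for f in inspect_info_plist(data) if f["area"] == "url-scheme"]


if __name__ == "__main__":
    for f in inspect_info_plist(SAMPLE_INFO_PLIST):
        print(f"{f['area']}: {f['detail']} ({f['note']})")
```

Each scheme is then driven with attacker-shaped input, on the simulator via `xcrun simctl openurl booted "exampleapp-auth://callback?code=AAAA"`, while the handler (`application(_:open:options:)` or `scene(_:openURLContexts:)`) is reviewed for what it does with the host, path and query parameters it receives.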
Android-Specific Testing Areas
- AndroidManifest.xml — exported components, dangerous permissions, android:allowBackup, android:debuggable and android:usesCleartextTraffic.
- Content providers — are they accessible to other apps? Do they enforce read/write permissions?
- WebView configuration — is JavaScript enabled? Is addJavascriptInterface exposed to content an attacker can influence? Can file:// or attacker-controlled URLs be loaded into it?
- Root detection — can the app be run on a rooted device, and can the detection be hooked out so that controls relying on it are bypassed?
- Broadcast receivers — are they protected against intent spoofing from third-party apps?
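As an added example (not the original post's code), the script below applies the manifest checks in this list to a decoded AndroidManifest.xml: it resolves android:exported the way the platform does when the attribute is omitted, ignores the launcher activity that has to be exported, reports exported components with no android:permission (or read/write permission for providers), and flags allowBackup, debuggable, usesCleartextTraffic and dangerous permissions. The manifest is a constructed sample; because apktool may record targetSdkVersion in apktool.yml rather than in the decoded manifest, the function accepts an override.

```python
"""Review a decoded AndroidManifest.xml for exported attack surface.

Added example, not code from the original post. Run it on the manifest that
apktool decodes (the one inside the APK is binary XML). It applies the
platform's export defaults, skips the launcher activity, and flags exported
components with no permission, risky application flags and dangerous
permissions. SAMPLE_MANIFEST is a constructed sample.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

ANDROID = "{http://schemas.android.com/apk/res/android}"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")
# A few permissions in the "dangerous" protection level (granted by the user at runtime).
DANGEROUS_PERMISSIONS = {
    "android.permission.READ_CONTACTS", "android.permission.READ_SMS", "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO", "android.permission.ACCESS_FINE_LOCATION", "android.permission.READ_CALL_LOG",
}

SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="30"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:allowBackup="true" android:debuggable="true">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".DeepLinkActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <data android:scheme="exampleapp"/>
      </intent-filter>
    </activity>
    <activity android:name=".SettingsActivity" android:exported="false"/>
    <service android:name=".SyncService" android:exported="true"/>
    <receiver android:name=".PushReceiver" android:exported="true" android:permission="com.example.app.permission.PUSH"/>
    <provider android:name=".UserProvider" android:authorities="com.example.app.users"/>
  </application>
</manifest>"""

def _attr(el: ET.Element, name: str, default: Optional[str] = None) -> Optional[str]:
    return el.get(ANDROID + name, default)

def _is_launcher(el: ET.Element) -> bool:
    """The MAIN/LAUNCHER activity has to be exported; don't report it."""
    for f in el.findall("intent-filter"):
        actions = {_attr(a, "name") for a in f.findall("action")}
        categories = {_attr(c, "name") for c in f.findall("category")}
        if "android.intent.action.MAIN" in actions and "android.intent.category.LAUNCHER" in categories:
            return True
    return False

def is_exported(el: ET.Element, target_sdk: int) -> Tuple[bool, str]:
    """Resolve android:exported the way the platform does when it is omitted."""
    explicit = _attr(el, "exported")
    if explicit is not None:
        return explicit == "true", "explicit android:exported"
    if el.findall("intent-filter"):
        # Below API 31 an intent-filter implies exported; from API 31 the attribute is mandatory.
        return True, "implicit: intent-filter without android:exported"
    if el.tag == "provider" and target_sdk < 17:
        return True, "implicit: providers default to exported below targetSdk 17"
    return False, "not exported"

def analyze_manifest(xml_text: str, target_sdk_override: Optional[int] = None) -> List[Dict[str, str]]:
    root = ET.fromstring(xml_text)
    app = root.find("application")
    target_sdk = target_sdk_override
    if target_sdk is None:  # apktool often moves targetSdk to apktool.yml, hence the override
        sdk = root.find("uses-sdk")
        target_sdk = int(_attr(sdk, "targetSdkVersion", "1")) if sdk is not None else 1
    findings: List[Dict[str, str]] = []
    for flag, severity in (("debuggable", "HIGH"), ("allowBackup", "MEDIUM"), ("usesCleartextTraffic", "MEDIUM")):
        if app is not None and _attr(app, flag) == "true":
            findings.append({"severity": severity, "component": "<application>", "issue": f'android:{flag}="true"'})
    for perm in root.findall("uses-permission"):
        name = _attr(perm, "name", "")
        if name in DANGEROUS_PERMISSIONS:
            findings.append({"severity": "INFO", "component": "<uses-permission>", "issue": f"dangerous permission {name}"})
    for el in (app if app is not None else []):
        if el.tag not in COMPONENT_TAGS or _is_launcher(el):
            continue
        exported, reason = is_exported(el, target_sdk)
        if not exported:
            continue
        guards = ("permission", "readPermission", "writePermission") if el.tag == "provider" else ("permission",)
        if not any(_attr(el, g) for g in guards):
            findings.append({"severity": "HIGH" if el.tag == "provider" else "MEDIUM",
                             "component": f"{el.tag} {_attr(el, 'name', '?')}",
                             "issue": f"exported without a permission ({reason})"})
    return findings

if __name__ == "__main__":
    for f in analyze_manifest(SAMPLE_MANIFEST):
        print(f"[{f['severity']}] {f['component']}: {f['issue']}")
```

Each reported component is then exercised from the shell to confirm it actually does something with attacker-supplied input, for example `adb shell am start -n com.example.app/.DeepLinkActivity -d "exampleapp://pay"` for the activity, or `adb shell content query --uri content://com.example.app.users` for a provider that turns out to be exported on an older target.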
API Security (Backend)
The mobile app is the client; the real data lives on the backend. The API surface — typically REST or GraphQL — is tested in parallel using the same methodology as a web application pentest. Authentication, authorisation (IDOR), rate limiting, and sensitive data handling are all assessed with the mobile app as the authenticated client.
Reporting
A mobile VAPT report covers findings across all test areas with device-specific reproduction steps, proof-of-concept evidence, CVSS severity ratings, and remediation guidance keyed to the specific iOS or Android API and framework in use. Vynox provides both iOS and Android testing in a single engagement.
Key Takeaways
- Test from the device outward: static analysis of the binary, runtime instrumentation, traffic interception and local storage review together cover both threat actors, the untrusted network and the compromised device.
- All findings and techniques are mapped to recognised frameworks (OWASP, NIST, ISO).
- Contact Vynox Security to test your systems against the vulnerabilities described here.