This chapter covers mobile application testing for the CompTIA PenTest+ PT0-002 exam, specifically under Domain 3.0 (Attacks and Exploits), Objective 3.5. Mobile app testing is a growing focus in penetration testing due to the ubiquity of smartphones and the sensitive data they handle. Expect approximately 5-7% of exam questions to touch on mobile testing techniques, tools, and common vulnerabilities. This chapter will equip you with the knowledge to identify, exploit, and report mobile app weaknesses, covering Android and iOS platforms, testing methodologies, and key tools like Drozer, Frida, and Burp Suite.
Imagine you are a security inspector at a car import facility. Your job is to inspect each new car model for vulnerabilities before it can be sold. You have a checklist: you check the doors (input validation), the engine (backend logic), the infotainment system (local storage), and the wireless key fob (network communications). You use tools like a code reader (static analysis), a diagnostic scanner (dynamic analysis), and a signal jammer (proxy intercept). Some cars have aftermarket modifications (rooted devices) that bypass built-in security. You must test both the car as designed (stock) and with common modifications. If you only check the exterior, you miss hidden flaws in the software controlling the brakes. Similarly, mobile app testing must examine both the client-side app and the server-side API, because the app often trusts the server, but a malicious client can send crafted requests. The inspection is not complete until you have tested the car in various environments (Wi-Fi, cellular, offline) just as you test the app on different network conditions and device states.
What is Mobile Application Testing?
Mobile application testing is the process of evaluating the security of a mobile app (Android, iOS) and its backend services. It includes analyzing the app's binary, its runtime behavior, its network communications, and its storage mechanisms. The goal is to identify vulnerabilities that could lead to data leakage, unauthorized access, or privilege escalation.
Why Mobile App Testing Matters for PT0-002
The exam expects you to understand the unique attack surface of mobile apps: client-side logic, local storage, inter-process communication (IPC), and the mobile-specific threats like insecure data storage, improper platform usage, and insecure authentication/authorization. You must be able to choose appropriate testing tools and interpret their output.
Testing Methodologies
There are two primary approaches: static analysis and dynamic analysis.
Static Analysis: Reviewing the app's code without executing it. For Android, this means decompiling the APK using tools like apktool, dex2jar, or jadx. For iOS, you would analyze the IPA using class-dump or Hopper. Look for hardcoded keys, improper permissions, and insecure API calls.
Dynamic Analysis: Running the app in a controlled environment (emulator or real device) and monitoring its behavior. Use a proxy like Burp Suite to intercept traffic, monitor file system changes, and observe runtime memory using Frida or Xposed.
Key Components and Defaults
Android: APK file is a ZIP containing classes.dex (Dalvik bytecode), AndroidManifest.xml, and resources. The manifest declares permissions, activities, services, and content providers. Default: apps run in a sandbox with limited permissions unless explicitly granted.
iOS: IPA is a ZIP containing the app binary (Mach-O), Info.plist, and resources. The binary is encrypted (FairPlay) by default, requiring decryption for analysis (e.g., using dumpdecrypted or frida-ios-dump).
Common Vulnerabilities
Insecure Data Storage: Storing sensitive data in SharedPreferences (Android) or NSUserDefaults (iOS) without encryption. SQLite databases often contain plaintext credentials.
Improper Platform Usage: Misusing platform APIs like WebView (exposing JavaScript interfaces) or IPC (exposing content providers without permissions).
Insecure Authentication/Authorization: Weak token generation, missing certificate pinning, or improper session handling.
Side-Channel Data Leakage: Clipboard logging, keyboard caching, or app background snapshots.
Tools and Commands
- Drozer: Framework for Android security assessment. Commands:
  - drozer console connect – connect to agent on device.
  - run app.package.list – list installed packages.
  - run app.activity.info -a <package> – enumerate activities.
- Frida: Dynamic instrumentation toolkit. Commands:
  - frida-ps -U – list running processes.
  - frida -U -l script.js <app> – inject script.
- Burp Suite: Web proxy for intercepting HTTP/HTTPS traffic. Configure device proxy and install CA certificate.
Interaction with Backend Services
Mobile apps often communicate with REST APIs. Test for:
- Insecure Direct Object References (IDOR): Changing user ID in request to access another user's data.
- Mass Assignment: Sending extra parameters to modify server-side objects.
- Rate Limiting: Bypassing by rotating tokens or IPs.
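Where these three flaws live on the server and how each is closed, shown as an added Python example that is not part of the chapter: a hypothetical account API with the IDOR and mass-assignment handlers beside their fixed versions, plus a login limiter keyed by the target account so that rotating source IPs or tokens does not reset the counter. The user records, the field names and the `make_users` helper are all constructed for the demonstration.

```python
class AuthorizationError(Exception):
    """Raised when a caller asks for a resource it does not own."""


# Fields the client may change on its own profile; everything else is server-owned.
PROFILE_ALLOWED_FIELDS = {"email", "display_name"}


def make_users():
    """Constructed in-memory user table keyed by user id (placeholder data)."""
    return {
        1: {"id": 1, "email": "alice@example.test", "role": "user", "balance": 120},
        2: {"id": 2, "email": "bob@example.test", "role": "user", "balance": 40},
    }


def get_account_vulnerable(users, requester_id, account_id):
    """IDOR: the id taken from the URL is used directly, so any authenticated
    user can read any account simply by changing the number."""
    return users[account_id]


def get_account_fixed(users, requester_id, account_id):
    """Ownership check bound to the authenticated identity, not to the request."""
    if requester_id != account_id:
        raise AuthorizationError("user %d may not read account %d" % (requester_id, account_id))
    return users[account_id]


def update_profile_vulnerable(users, requester_id, payload):
    """Mass assignment: every key in the JSON body is copied onto the record,
    so an extra "role" or "balance" field sent by the client is honoured."""
    users[requester_id].update(payload)
    return users[requester_id]


def update_profile_fixed(users, requester_id, payload):
    """Allow-list: fields outside the list are rejected, not silently applied."""
    unexpected = set(payload) - PROFILE_ALLOWED_FIELDS
    if unexpected:
        raise ValueError("client may not set: %s" % ", ".join(sorted(unexpected)))
    users[requester_id].update(payload)
    return users[requester_id]


class LoginRateLimiter:
    """Counts failures per target username rather than per source IP or
    session token, so rotating IPs or tokens does not reset the counter."""

    def __init__(self, max_failures=5):
        self.max_failures = max_failures
        self.failures = {}

    def record_failure(self, username):
        self.failures[username] = self.failures.get(username, 0) + 1

    def is_locked(self, username):
        return self.failures.get(username, 0) >= self.max_failures

    def attempt(self, username, source_ip, password_ok):
        """True only for a correct password on an unlocked account. source_ip
        is accepted for logging but deliberately not used as the limiter key."""
        if self.is_locked(username):
            return False
        if not password_ok:
            self.record_failure(username)
            return False
        self.failures.pop(username, None)
        return True
```

The fixed handlers take the requester's identity from the authenticated session, never from the request body or URL; that is the property a tester is probing when changing an ID or adding a field.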
Mobile-Specific Considerations
Root/Jailbreak Detection: Apps may refuse to run on compromised devices. Bypass using Frida scripts or Magisk (Android) / Substitute (iOS).
Certificate Pinning: SSL pinning prevents proxy interception. Bypass using Frida or Xposed modules (e.g., TrustMeAlready).
Emulator Detection: Some apps block emulators. Use a physical device or patch the app.
Reporting Findings
Each vulnerability should include:
Impact (e.g., data exposure, account takeover)
Steps to reproduce
Remediation (e.g., encrypt data, implement certificate pinning)
Summary of Exam-Relevant Points
Know the difference between static and dynamic analysis.
Understand how to decompile APK/IPA and what to look for.
Be able to identify insecure storage locations (SharedPreferences, SQLite, plist).
Recognize common mobile vulnerabilities like WebView XSS, insecure IPC, and broken authentication.
Know tools: Drozer (Android), Frida (both), Burp Suite (proxy).
Understand bypass techniques: root detection, SSL pinning, emulator detection.
Set Up Testing Environment
Prepare a test device (emulator or physical) with root/jailbreak if needed. Install Burp Suite CA certificate to intercept HTTPS. For Android, enable USB debugging and install Drozer agent. For iOS, install Frida and dumpdecrypted. Ensure the device is isolated from production networks.
Perform Static Analysis
Decompile the app using `apktool d app.apk` (Android) or, on iOS, unzip the IPA and run `class-dump -H` against the decrypted Mach-O binary inside its `Payload/` directory (class-dump reads the binary, not the IPA archive). Examine the manifest/plist for exported components and permissions. Search for hardcoded strings (API keys, tokens). Look for insecure API calls like `WebView.addJavascriptInterface` or `SQLiteDatabase.execSQL` with user input.
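The manifest and source review in this step, as an added Python example that is not part of the chapter: it parses a constructed `AndroidManifest.xml` of the kind `apktool d` writes out, reports components that are exported (explicitly, or implicitly through an intent-filter under the pre-API-31 default) and whether a permission guards them, flags `android:debuggable` and `android:allowBackup`, and scans a constructed decompiled-Java fragment for hardcoded secrets and the WebView/SQLite calls named above. The manifest, the source fragment and the key value are invented; `com.example.app` is a placeholder package name.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed manifest in the form apktool produces; not from any real app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.app">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:debuggable="true" android:allowBackup="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".DebugActivity" android:exported="true"/>
    <provider android:name=".NotesProvider" android:authorities="com.example.app.notes"
              android:exported="true"/>
    <provider android:name=".SecureProvider" android:authorities="com.example.app.secure"
              android:exported="true" android:permission="com.example.app.READ_SECURE"/>
    <receiver android:name=".SyncReceiver">
      <intent-filter><action android:name="com.example.app.SYNC"/></intent-filter>
    </receiver>
    <service android:name=".InternalService" android:exported="false"/>
  </application>
</manifest>
"""

# Constructed fragment of decompiled Java in the style jadx emits; the key is a placeholder.
SAMPLE_SOURCE = '''
public class ApiClient {
    private static final String API_KEY = "hardcoded-api-key-EXAMPLE0001";

    void setupWebView(WebView webView) {
        webView.getSettings().setJavaScriptEnabled(true);
        webView.addJavascriptInterface(new Bridge(), "Android");
    }

    void deleteNote(SQLiteDatabase db, String noteId) {
        db.execSQL("DELETE FROM notes WHERE id = " + noteId);
    }
}
'''


def _attr(elem, name):
    """Read an android:-namespaced attribute."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def is_exported(elem):
    """Explicit android:exported wins; otherwise a component with an
    <intent-filter> is exported by default (pre-API-31 rule)."""
    explicit = _attr(elem, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return elem.find("intent-filter") is not None


def find_exported_components(manifest_xml):
    """Every exported component with the permission (if any) that guards it."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for tag in COMPONENT_TAGS:
        for elem in root.iter(tag):
            if is_exported(elem):
                findings.append({"type": tag, "name": _attr(elem, "name"),
                                 "permission": _attr(elem, "permission")})
    return findings


def unprotected_components(manifest_xml):
    """Exported components reachable by any app (no permission attribute).
    The launcher activity is expected here; the rest need review."""
    return [f for f in find_exported_components(manifest_xml) if f["permission"] is None]


def find_application_flags(manifest_xml):
    """Application-level flags that should be off in a release build."""
    app = ET.fromstring(manifest_xml).find("application")
    return [flag for flag in ("debuggable", "allowBackup")
            if app is not None and (_attr(app, flag) or "").lower() == "true"]


# Assignment of a string literal to a name that suggests a secret.
SECRET_ASSIGNMENT = re.compile(r'(?i)\b(\w*(?:key|secret|token|password)\w*)\s*=\s*"([^"]{8,})"')
DANGEROUS_CALLS = {
    "addJavascriptInterface(": "Java objects exposed to page JavaScript",
    "setJavaScriptEnabled(true)": "JavaScript enabled in WebView",
    "execSQL(": "raw SQL; inspect for concatenated user input",
}


def scan_source(source):
    """Line-by-line grep of decompiled source for secrets and risky API calls."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        m = SECRET_ASSIGNMENT.search(line)
        if m:
            findings.append({"line": lineno, "kind": "hardcoded-secret", "detail": m.group(1)})
        for needle, why in DANGEROUS_CALLS.items():
            if needle in line:
                findings.append({"line": lineno, "kind": "dangerous-call",
                                 "detail": needle.rstrip("("), "why": why})
    return findings
```

On a real engagement, point the same functions at `AndroidManifest.xml` from the apktool output directory and at the `.java` files jadx writes; the implicit-export rule matters because a receiver or service with an intent-filter and no `android:exported` attribute is reachable by other apps even though nothing in the manifest says so.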
Perform Dynamic Analysis
Run the app on the device with Burp Suite proxy configured. Intercept all traffic. Modify requests (e.g., change user ID, tamper with parameters) to test for IDOR, injection, and authorization flaws. Monitor file system changes using `adb shell` or file monitoring tools. Capture memory dumps using Frida to find sensitive data in memory.
Test Authentication and Session Management
Analyze login flows. Check if tokens are stored securely (e.g., in Keychain on iOS, AccountManager on Android). Test for token expiration, reuse, and whether they are sent over HTTP. Try to bypass login by manipulating responses or using expired tokens. Check for weak password policies.
Test Local Storage and IPC
Inspect all local storage: SharedPreferences, SQLite databases, Realm, Core Data, plist files. Look for plaintext credentials, tokens, or PII. On Android, test exported content providers, services, and broadcast receivers using Drozer (e.g., `run app.provider.query`). On iOS, check for insecure URL schemes and keychain data.
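The local storage inspection above, as an added Python example that is not the chapter's own tooling: once `shared_prefs/` XML and `databases/` files have been pulled from a test device, it flags preference keys with sensitive names or JWT-shaped values, and SQLite columns whose names suggest secrets but whose rows hold plaintext rather than a hash. The preferences file and the in-memory database are constructed (the card number is the well-known 4111 1111 1111 1111 Visa test value); the name and hash heuristics are assumptions to tune per engagement.

```python
import re
import sqlite3
import xml.etree.ElementTree as ET

# Key or column names that should never hold plaintext values (heuristic).
SENSITIVE_NAME = re.compile(r"(?i)(pass(word)?|pwd|token|secret|api[_-]?key|session|ssn|card|cvv)")
# Three base64url segments separated by dots: the shape of a JWT.
JWT_SHAPE = re.compile(r"^[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}$")
# Values that look like a password hash rather than a plaintext secret.
HASH_LIKE = re.compile(r"^(\$2[aby]\$|\$argon2|\$pbkdf2|[0-9a-f]{32,}$)")

# Constructed SharedPreferences file as found under /data/data/<package>/shared_prefs/.
SAMPLE_PREFS = """<map>
    <string name="auth_token">eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiI0MiJ9.c2lnbmF0dXJlLWV4YW1wbGU</string>
    <string name="username">alice</string>
    <string name="user_password">hunter2hunter2</string>
    <boolean name="logged_in" value="true" />
    <int name="launch_count" value="7" />
</map>
"""


def scan_shared_prefs(xml_text):
    """Flag preference entries by key name and by the shape of the value."""
    findings = []
    for elem in ET.fromstring(xml_text):
        name = elem.get("name", "")
        value = elem.text if elem.tag == "string" else elem.get("value")
        reasons = []
        if SENSITIVE_NAME.search(name):
            reasons.append("sensitive key name")
        if value and JWT_SHAPE.match(value.strip()):
            reasons.append("value has JWT shape")
        if reasons:
            findings.append({"key": name, "reasons": reasons})
    return findings


def build_sample_db():
    """Construct an in-memory database standing in for a file pulled from
    /data/data/<package>/databases/; every row is invented."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER, email TEXT, password TEXT, card_number TEXT)")
    conn.execute("INSERT INTO accounts VALUES (1, 'alice@example.test', 'hunter2hunter2', '4111111111111111')")
    conn.execute("CREATE TABLE hashed (id INTEGER, password TEXT)")
    conn.execute("INSERT INTO hashed VALUES (1, '$2b$12$constructedbcrypthashplaceholder')")
    conn.execute("CREATE TABLE settings (k TEXT, v TEXT)")
    conn.execute("INSERT INTO settings VALUES ('theme', 'dark')")
    conn.commit()
    return conn


def scan_sqlite(conn):
    """For every table, sample sensitively named columns and report the ones
    holding values that do not look like a hash."""
    findings = []
    tables = [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'")]
    for table in tables:
        columns = [r[1] for r in conn.execute('PRAGMA table_info("%s")' % table)]
        for col in columns:
            if not SENSITIVE_NAME.search(col):
                continue
            rows = conn.execute('SELECT "%s" FROM "%s" LIMIT 20' % (col, table)).fetchall()
            plaintext = [r[0] for r in rows if r[0] is not None and not HASH_LIKE.match(str(r[0]))]
            if plaintext:
                findings.append({"table": table, "column": col, "plaintext_rows": len(plaintext)})
    return findings
```

Replace `build_sample_db()` with `sqlite3.connect("pulled.db")` for a real file; the hash heuristic is what keeps a properly salted password column out of the report while the plaintext `accounts.password` column and the card number stay in.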
Bypass Security Controls
If the app has root detection, SSL pinning, or emulator detection, bypass them using Frida scripts (e.g., `frida -U -l bypass-root.js com.example.app`). For SSL pinning, use Frida's `ssl-pinning-bypass.js` or Xposed module. For emulator detection, patch the binary or use a physical device.
Report Findings
Document each vulnerability with clear steps to reproduce, screenshots, and impact. Provide remediation advice (e.g., use encrypted storage, implement certificate pinning, sanitize input). Rank findings by severity (Critical/High/Medium/Low). Ensure the report is understandable to both developers and management.
In a typical enterprise engagement, a penetration tester is asked to assess a mobile banking app. The app handles sensitive financial transactions and personal data. The tester sets up a rooted Android device with a proxy (Burp Suite) and uses Drozer to enumerate attack surface. During static analysis, the tester finds that the app stores an API token in SharedPreferences without encryption. During dynamic analysis, the tester intercepts a login request and notices the password is sent in plaintext over HTTP. The tester then uses Frida to bypass SSL pinning and discovers that the app sends credit card numbers in the request body without encryption. The report includes these findings with high severity ratings.
Another scenario: a healthcare app for iOS. The tester uses a jailbroken iPhone with Frida and class-dump. Static analysis reveals that the app uses NSUserDefaults to store patient health records in plaintext. Dynamic analysis shows that the app communicates with a backend API that exposes patient IDs in URLs (IDOR). By changing the ID, the tester can access other patients' records. The tester also finds that the app does not implement certificate pinning, allowing easy interception. The report recommends encrypting local storage, implementing proper authorization checks, and adding certificate pinning.
A third scenario: a mobile game with in-app purchases. The tester uses an Android emulator with Xposed and Lucky Patcher to test for payment bypass. The app uses local validation for purchase receipts. The tester modifies the response from the Google Play store to fake a successful purchase. The app grants the item without server-side verification. The report flags this as a critical vulnerability, recommending server-side receipt validation.
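The fix the third scenario recommends, as an added Python example that is not from the chapter: the client-side check that trusts the store response sits beside a server-side validator that verifies a signature with a key the client never holds and consumes each order id once. The receipts are constructed, and the HMAC key `STORE_SIGNING_KEY` is a stand-in for the store's real signing scheme (stores sign with their own key pair and servers verify with the public key) so that the example runs offline.

```python
import hashlib
import hmac
import json

# Stand-in for the store's signing key; the value is made up for this example.
STORE_SIGNING_KEY = b"constructed-store-signing-key-not-real"


def store_sign_receipt(receipt):
    """What the simulated store does when a purchase completes: sign the
    canonical JSON form of the receipt."""
    canonical = json.dumps(receipt, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(STORE_SIGNING_KEY, canonical, hashlib.sha256).hexdigest()


def client_side_grant(store_response):
    """The scenario's flawed pattern: the app trusts the status field of the
    response it received, so a modified response is enough to unlock the item."""
    return store_response.get("status") == "ok"


class ServerSideReceiptValidator:
    """Server-side check: verify the signature with a key the client never
    holds and consume each order id once, so a forged response and a replayed
    genuine receipt are both refused."""

    def __init__(self):
        self.consumed_orders = set()

    def grant(self, receipt, signature):
        expected = store_sign_receipt(receipt)
        if not hmac.compare_digest(expected, signature):
            return False
        if receipt["order_id"] in self.consumed_orders:
            return False
        self.consumed_orders.add(receipt["order_id"])
        return True
```

The property that matters is where the verification secret lives: anything the app holds can be read or hooked on a rooted device, so the decision to grant an item has to be taken by code the attacker cannot modify.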
Common misconfigurations: forgetting to disable debugging in release builds, leaving test accounts or backdoors, and using outdated libraries with known vulnerabilities (e.g., older versions of OkHttp). Performance considerations: testing on slow networks can reveal race conditions or timeout issues. Scale: for large apps with many endpoints, focus on high-risk areas like authentication and payment flows.
The PT0-002 exam tests mobile application testing under Objective 3.5 (Attacks and Exploits). Specific topics include:
Identifying mobile-specific vulnerabilities (OWASP Mobile Top 10)
Tools: Drozer, Frida, Burp Suite, apktool, class-dump
Static vs dynamic analysis techniques
Bypassing root/jailbreak detection, SSL pinning, emulator detection
Testing for insecure data storage, IPC, and WebView issues
Common wrong answers and why:
1. 'Use Nmap to scan the mobile app' – Nmap is for network scanning, not mobile app analysis. Candidates confuse network testing with application testing.
2. 'Always use a physical device, never an emulator' – While emulators have limitations, they are acceptable for many tests. The exam expects you to know when an emulator is appropriate (e.g., for static analysis) and when a physical device is needed (e.g., for hardware-specific features).
3. 'All mobile apps are vulnerable to SQL injection' – This is true only if the app uses local SQLite databases with unsanitized input. The exam tests your ability to identify specific conditions.
Key numbers and terms that appear verbatim:
OWASP Mobile Top 10 (e.g., M1: Improper Platform Usage, M2: Insecure Data Storage)
Android: AndroidManifest.xml, classes.dex, SharedPreferences, ContentProvider
iOS: Info.plist, Keychain, NSUserDefaults, UIWebView vs WKWebView
Tools: apktool, dex2jar, jadx, class-dump, Hopper, Frida, Drozer, Burp Suite
Edge cases the exam loves:
Apps that use WebView with JavaScript enabled and addJavascriptInterface – leads to XSS and RCE.
Apps that store data in external storage (SD card) – world-readable.
Apps that use NSURLConnection without SSL pinning – susceptible to MITM.
Elimination strategy: If a tool is listed that is not mobile-specific (e.g., Nmap, Metasploit without mobile context), it is likely a distractor. Focus on tools that interact with the app binary or runtime.
Mobile app testing includes both static and dynamic analysis; static finds hardcoded issues, dynamic finds runtime issues.
Android APKs can be decompiled using apktool and jadx; iOS IPAs require decryption first using dumpdecrypted or frida-ios-dump.
Common vulnerabilities: insecure data storage (SharedPreferences, NSUserDefaults, SQLite), improper WebView usage, insecure IPC, broken authentication.
Tools to know: Drozer (Android), Frida (both), Burp Suite (proxy), apktool, class-dump.
Bypass root detection using Frida scripts or Magisk; bypass SSL pinning using Frida or Xposed modules.
Always test backend APIs for IDOR, mass assignment, and rate limiting issues.
OWASP Mobile Top 10 is the key reference for mobile vulnerabilities; M1-M10 cover platform misuse, data storage, authentication, etc.
For iOS, WKWebView is more secure than UIWebView; the exam may test this distinction.
Certificate pinning can be bypassed using Frida's ssl-pinning-bypass.js script.
Report findings with clear impact, reproduction steps, and remediation advice.
These come up on the exam all the time. Here's how to tell them apart.
Static Analysis
Reviews code without executing the app
Uses tools like apktool, jadx, class-dump
Finds hardcoded secrets, insecure API calls, misconfigurations
Cannot test runtime behavior or network traffic
Faster and can be automated
Dynamic Analysis
Executes the app and monitors behavior
Uses tools like Frida, Burp Suite, Drozer
Finds runtime issues like insecure data transmission, memory leakage
Can bypass security controls like SSL pinning
Requires a device or emulator and is more time-consuming
Mistake
Mobile app testing is the same as web application testing.
Correct
Mobile apps have unique components like IPC, local storage, and platform-specific APIs that require specialized testing beyond standard web testing. You must analyze the app binary and runtime behavior.
Mistake
You must always jailbreak/root the device to test an iOS/Android app.
Correct
While root/jailbreak helps bypass security controls, many tests can be performed on non-rooted devices using proxies like Burp Suite for network analysis. Root is needed for runtime manipulation and file system access.
Mistake
Static analysis is enough to find all vulnerabilities.
Correct
Static analysis can find hardcoded secrets and configuration issues, but dynamic analysis is required to test runtime behavior, network communications, and bypass mechanisms like SSL pinning.
Mistake
Emulators are useless for mobile testing.
Correct
Emulators are useful for static analysis and basic dynamic testing, but they lack hardware features (e.g., GPS, NFC) and may be detected by apps. They are acceptable for initial analysis but not for final verification.
Mistake
All mobile vulnerabilities are in the client-side app.
Correct
Many critical vulnerabilities exist in the backend APIs that the app communicates with, such as IDOR, broken authentication, and mass assignment. Server-side testing is essential.
Static analysis involves examining the app's code without running it, using tools like apktool or jadx to decompile the binary and look for hardcoded secrets, insecure API calls, and misconfigurations. Dynamic analysis runs the app on a device or emulator and monitors its behavior, including network traffic (via a proxy like Burp Suite), file system changes, and runtime memory (using Frida). Static analysis is faster and can find issues early, but dynamic analysis reveals runtime vulnerabilities like insecure data transmission and bypass mechanisms.
SSL pinning can be bypassed using dynamic instrumentation tools like Frida. A common script is `ssl-pinning-bypass.js`, which hooks into the app's certificate validation methods and always returns true. For Android, you can also use Xposed modules like TrustMeAlready. For iOS, Frida scripts can bypass TrustKit or NSURLSession pinning. After bypassing, you can intercept traffic with Burp Suite.
The OWASP Mobile Top 10 is a list of the most critical mobile security risks, such as M1: Improper Platform Usage, M2: Insecure Data Storage, M3: Insecure Communication, etc. The PT0-002 exam references this list to categorize vulnerabilities. You should be familiar with each category and be able to identify examples. For instance, M2 includes storing passwords in SharedPreferences, and M4 includes insecure authentication.
Emulators are useful for static analysis and basic dynamic testing, but they have limitations: some apps detect emulators and refuse to run, and emulators lack hardware features like GPS or NFC. For thorough testing, use a physical device, especially for testing hardware-related features and bypassing emulator detection. The exam may test scenarios where emulator detection is a challenge.
Drozer is a security testing framework for Android that allows you to interact with apps and the Android system. It uses an agent installed on the device. Commands include `run app.package.list` to list packages, `run app.activity.info` to enumerate activities, and `run app.provider.query` to query content providers. Drozer helps identify exported components and IPC vulnerabilities.
To test for insecure data storage in iOS, examine the app's data directory using tools like iFunBox or by SSHing into a jailbroken device. Check NSUserDefaults, plist files, SQLite databases, and Core Data stores. Look for plaintext credentials, tokens, or PII. Also check the Keychain for weak access controls. Dynamic analysis with Frida can reveal data written to memory or files.
WebView is a component that allows apps to display web content. If improperly configured, it can lead to XSS attacks, especially if JavaScript is enabled and `addJavascriptInterface` is used (Android) or if the WebView has access to sensitive data. On iOS, UIWebView is deprecated and less secure than WKWebView. The exam tests your ability to identify WebView-related vulnerabilities.