pentest-mobile-app

OWASP Mobile Top 10 security testing for Android and iOS — local storage, certificate pinning bypass, IPC abuse, and binary protections.

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Copy this and send it to your AI assistant to learn

Install skill "pentest-mobile-app" with this command: npx skills add jd-opensource/joysafeter/jd-opensource-joysafeter-pentest-mobile-app

Pentest Mobile App

Purpose

Mobile apps are completely absent from Shannon (web-only) and all existing skills. Mobile apps often share backend APIs but introduce unique attack surfaces: local storage, pinning, intent handling, binary protections.

Prerequisites

Authorization Requirements

  • Written authorization with mobile app testing scope
  • APK/IPA files or access to app store downloads
  • Test devices or emulators (rooted Android, jailbroken iOS preferred)
  • Backend API documentation if available

Environment Setup

  • Frida for runtime instrumentation
  • Objection for quick mobile security testing
  • MobSF for automated static/dynamic analysis
  • jadx for Android decompilation, Hopper for iOS
  • Burp Suite configured as mobile proxy

Core Workflow

  1. Static Analysis: Decompile APK/IPA, analyze for hardcoded secrets, insecure storage patterns, weak crypto, exported components, debug flags.
  2. Insecure Data Storage: Check SharedPreferences/Keychain for sensitive data, SQLite DBs, log files, clipboard exposure, backup extraction.
  3. Certificate Pinning Bypass: Use Frida/Objection to disable pinning, intercept HTTPS traffic, test HTTP fallback.
  4. Auth & Session on Mobile: Token storage security, biometric bypass, session timeout, deep link auth bypass.
  5. IPC Testing: Exported Activities/Services/BroadcastReceivers (Android), URL scheme hijacking (iOS), intent injection, custom URI handler abuse.
  6. Binary Protections: Root/jailbreak detection bypass, anti-tampering bypass, code obfuscation assessment, runtime manipulation via Frida.
  7. Mobile-Context API Testing: APIs trusting mobile client-side validation, device-ID spoofing, push notification token abuse.

Tool Categories

CategoryToolsPurpose
Runtime InstrumentationFrida, ObjectionHook functions, bypass protections
Static AnalysisMobSF, jadx, HopperDecompile and analyze binaries
Traffic InterceptionBurp Suite, mitmproxyHTTPS interception with pinning bypass
Android Testingadb, drozerComponent testing, IPC analysis
iOS TestingObjection, cycriptRuntime manipulation, keychain dump

References

  • references/tools.md - Tool function signatures and parameters
  • references/workflows.md - Attack pattern definitions and test vectors

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.

Open in GitHubOpen in ClawHub

Related Skills

Related by shared tags or category signals.

Security

pentest-ai-llm-security

No summary provided by upstream source.

Repository SourceNeeds Review
31-jd-opensource
General

pentest-osint-recon

No summary provided by upstream source.

Repository SourceNeeds Review
39-jd-opensource
General

pentest-exploit-validation

No summary provided by upstream source.

Repository SourceNeeds Review
35-jd-opensource
Coding

pentest-whitebox-code-review

No summary provided by upstream source.

Repository SourceNeeds Review
32-jd-opensource