Mobile apps run on the client's device, which means the client (the attacker) has full control over the environment. You can modify the memory, hook functions, and inspect file storage. The number one rule of mobile security: Never trust the client.

The Toolkit
  • ADB (Android Debug Bridge): Command interface for Android.
  • Frida: Dynamic instrumentation toolkit. Inject JavaScript into running native apps to hook methods.
  • Objection: Runtime exploration toolkit (powered by Frida).
  • MobSF: Automated static analysis of APK/IPA files.
  • Jadx-GUI: Decompiler for Android (Dalvik bytecode to Java).

1. Static Analysis

Before running the app, we look at the code.
AndroidManifest.xml: Look for android:debuggable="true", exported activities, and permission requests.
Hardcoded Secrets: The `strings` command is your friend. Developers often leave API keys or AWS credentials in `strings.xml` or in the compiled binaries.
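The two checks above (manifest flags and hardcoded secrets) as a small scripted pass, added here as an example; it is not code from the original page or from any of the tools listed. The manifest and `strings.xml` are constructed inline with fake values (the AWS key is Amazon's documented example key, the `sk_live_` token is a Stripe-style placeholder), and the secret patterns are the author's own choice of common credential formats, the same thing you would otherwise do by running `strings` and grepping.

```python
# Added example (not part of the original page): a small static-analysis pass
# over an AndroidManifest.xml and a strings.xml, both constructed inline with
# fake values. It flags android:debuggable="true", exported components that
# carry no permission, dangerous permission requests, and strings that match
# common credential formats.
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

def android_attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")

# Constructed sample manifest carrying the weaknesses the text describes.
MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.app">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:debuggable="true" android:allowBackup="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".AdminActivity" android:exported="true"/>
    <receiver android:name=".SyncReceiver" android:exported="true"
              android:permission="com.example.app.SYNC"/>
    <provider android:name=".DataProvider" android:authorities="com.example.app.data"
              android:exported="false"/>
  </application>
</manifest>"""

# Constructed sample strings.xml with fake hardcoded credentials.
STRINGS_XML = """<resources>
  <string name="app_name">Example</string>
  <string name="aws_key">AKIAIOSFODNN7EXAMPLE</string>
  <string name="api_token">sk_live_0123456789abcdef0123456789abcdef</string>
</resources>"""

DANGEROUS_PERMISSIONS = {
    "android.permission.READ_SMS", "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.RECORD_AUDIO",
}

# Credential formats worth grepping for; "stripe_like" is an assumed pattern.
SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "stripe_like_token": re.compile(r"\bsk_(live|test)_[0-9a-zA-Z]{24,}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}

def audit_manifest(xml_text):
    """Return a list of finding strings for the manifest."""
    findings = []
    root = ET.fromstring(xml_text)
    for perm in root.findall("uses-permission"):
        name = android_attr(perm, "name")
        if name in DANGEROUS_PERMISSIONS:
            findings.append(f"dangerous permission requested: {name}")
    app = root.find("application")
    if app is None:
        return findings
    if android_attr(app, "debuggable") == "true":
        findings.append('android:debuggable="true": a debugger can attach to the release build')
    if android_attr(app, "allowBackup") == "true":
        findings.append('android:allowBackup="true": app data can be pulled with adb backup')
    for comp in app:
        if comp.tag not in ("activity", "service", "receiver", "provider"):
            continue
        exported = android_attr(comp, "exported") == "true"
        guarded = android_attr(comp, "permission") is not None
        # The launcher activity is exported by design; do not report it.
        is_launcher = any(android_attr(a, "name") == "android.intent.action.MAIN"
                          for a in comp.iter("action"))
        if exported and not guarded and not is_launcher:
            findings.append(f"exported {comp.tag} without permission: {android_attr(comp, 'name')}")
    return findings

def find_secrets(text):
    """Return (label, match) pairs for credential-looking strings in any text blob."""
    hits = []
    for label, pattern in SECRET_PATTERNS.items():
        for m in pattern.finditer(text):
            hits.append((label, m.group(0)))
    return hits

if __name__ == "__main__":
    for f in audit_manifest(MANIFEST):
        print("[manifest]", f)
    for label, value in find_secrets(STRINGS_XML):
        print("[secret]", label, value)
```

On a real APK you would feed `audit_manifest` the decoded manifest from Jadx-GUI or apktool and run `find_secrets` over `res/values/strings.xml` and the output of `strings` on each native library; the launcher exclusion keeps the exported-component check from flagging the main activity that every app must export.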

2. Dynamic Analysis (SSL Pinning)

To inspect network traffic, we use Burp Suite. But apps use "SSL Pinning" to reject Burp's certificate.
Bypass: We use Frida.
frida -U -f com.example.app -l hooks.js
The script hooks the `checkServerTrusted` method and forces it to accept any certificate. Now we can see the HTTPS traffic.
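From the defender's side, whether Burp's certificate is accepted at all is decided by the app's Android Network Security Config before any hook comes into play. The example below is added here and is not code from the original page or from Frida or Burp; it audits two constructed `network_security_config.xml` files, one that trusts user-installed CAs (so a proxy CA is accepted with no hooking needed) and a hardened one with a pin set for one domain. The pin values are placeholders, not real SPKI hashes, and the reference date is passed in so the expiry check is reproducible.

```python
# Added example (not part of the original page): auditing an Android
# network_security_config.xml, which declares which CAs the app trusts and
# which public-key pins it enforces. Two constructed configs are compared:
# a weak one trusting user CAs, and a hardened one pinning api.example.com.
import datetime as dt
import xml.etree.ElementTree as ET

WEAK_CONFIG = """<network-security-config>
  <base-config cleartextTrafficPermitted="true">
    <trust-anchors>
      <certificates src="system"/>
      <certificates src="user"/>
    </trust-anchors>
  </base-config>
</network-security-config>"""

HARDENED_CONFIG = """<network-security-config>
  <base-config cleartextTrafficPermitted="false">
    <trust-anchors>
      <certificates src="system"/>
    </trust-anchors>
  </base-config>
  <domain-config>
    <domain includeSubdomains="true">api.example.com</domain>
    <pin-set expiration="2030-01-01">
      <!-- constructed placeholder pins, not real SPKI hashes -->
      <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
      <pin digest="SHA-256">BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=</pin>
    </pin-set>
  </domain-config>
  <!-- debug-overrides only apply while android:debuggable="true" -->
  <debug-overrides>
    <trust-anchors><certificates src="user"/></trust-anchors>
  </debug-overrides>
</network-security-config>"""

def audit_network_config(xml_text, today=None):
    """Return finding strings; `today` is an ISO date string, a date, or None for now."""
    if isinstance(today, str):
        today = dt.date.fromisoformat(today)
    today = today or dt.date.today()
    findings = []
    root = ET.fromstring(xml_text)
    base = root.find("base-config")
    if base is None:
        findings.append("no base-config: platform defaults apply")
    else:
        if base.get("cleartextTrafficPermitted") == "true":
            findings.append("cleartext HTTP permitted for all domains")
        if any(c.get("src") == "user" for c in base.iter("certificates")):
            findings.append("base-config trusts user-installed CAs: a proxy CA is accepted without any hooking")
    domain_configs = root.findall("domain-config")
    if not domain_configs:
        findings.append("no domain-config: no certificate pinning declared")
    for dc in domain_configs:
        domains = [d.text for d in dc.findall("domain")]
        pin_set = dc.find("pin-set")
        if pin_set is None:
            findings.append(f"{domains}: domain-config without pin-set")
            continue
        if len(pin_set.findall("pin")) < 2:
            findings.append(f"{domains}: single pin, no backup pin for key rotation")
        exp = pin_set.get("expiration")
        # After the expiration date Android stops enforcing the pins entirely.
        if exp and dt.date.fromisoformat(exp) < today:
            findings.append(f"{domains}: pin-set expired on {exp}, pins are no longer enforced")
    return findings

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_network_config(cfg) or ["no findings"])
```

The weak config is the case where no Frida script is needed at all: installing the proxy CA as a user certificate is enough. The hardened config is what a Frida hook has to defeat, and the expiry check matters because a pin set that quietly expired behaves exactly like the weak one.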

3. Root Detection Bypass

Apps often refuse to run on rooted phones.
They check for `/system/bin/su` or verify package signatures.
With Frida/Objection, we can hook `java.io.File.exists` and return `false` whenever the app asks whether `su` exists. The app thinks it's on a clean phone and runs.

4. iOS Specifics

iOS is harder because apps are compiled Objective-C/Swift, not Java bytecode.
You absolutely need a jailbroken iPhone (checkra1n).
Tools: `otool` and `class-dump` to recover class headers from the binary.
Apps store sensitive data in `Info.plist` or the Keychain. Verify whether Keychain data is accessible after the device is unlocked, i.e. which accessibility class protects each item.
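The Keychain and `Info.plist` checks above, scripted as an added example that is not code from the original page or from any Apple tool. Both inputs are constructed: an `Info.plist` parsed with the standard-library `plistlib`, and keychain records in the shape a dump tool prints, with the protection class given by the Security framework's `kSecAttrAccessible*` constant names. The script flags credential-looking plist values, an App Transport Security override that permits plaintext HTTP, and Keychain items whose class lets them be decrypted while the device is locked.

```python
# Added example (not part of the original page): a review pass over what an
# iOS app leaves readable on a jailbroken device. Inputs are constructed.
import plistlib
import re

INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.app</string>
  <key>APIBaseURL</key><string>https://api.example.com</string>
  <key>BackendSecret</key><string>constructed-secret-value-0123</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
  </dict>
</dict>
</plist>"""

# Constructed keychain dump: service, account and accessibility class per item.
KEYCHAIN_RECORDS = [
    {"service": "com.example.app", "account": "session_token",
     "accessible": "kSecAttrAccessibleAlways"},
    {"service": "com.example.app", "account": "refresh_token",
     "accessible": "kSecAttrAccessibleAfterFirstUnlock"},
    {"service": "com.example.app", "account": "user_password",
     "accessible": "kSecAttrAccessibleWhenUnlockedThisDeviceOnly"},
]

# Classes under which an item can be decrypted while the device is locked.
# The two *Always* classes are deprecated by Apple but still turn up in old apps.
LOCKED_DEVICE_READABLE = {
    "kSecAttrAccessibleAlways": "readable before first unlock, migrates to other devices",
    "kSecAttrAccessibleAlwaysThisDeviceOnly": "readable before first unlock",
    "kSecAttrAccessibleAfterFirstUnlock": "readable while locked after first unlock, migrates",
    "kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly": "readable while locked after first unlock",
}

# Key names that usually mean the value is a credential (assumed heuristic).
SECRET_KEY_NAME = re.compile(r"(secret|token|password|passwd|api_?key|private)", re.I)

def audit_info_plist(plist_bytes):
    """Flag credential-looking string keys and ATS settings that allow plaintext HTTP."""
    findings = []
    data = plistlib.loads(plist_bytes)
    for key, value in data.items():
        if isinstance(value, str) and SECRET_KEY_NAME.search(key):
            findings.append(f"plist key {key!r} looks like a credential; the plist ships in the IPA")
    ats = data.get("NSAppTransportSecurity", {})
    if ats.get("NSAllowsArbitraryLoads") is True:
        findings.append("NSAllowsArbitraryLoads=true: App Transport Security disabled, plaintext HTTP allowed")
    return findings

def audit_keychain(records):
    """Return (account, reason) for items readable without the device being unlocked."""
    flagged = []
    for rec in records:
        reason = LOCKED_DEVICE_READABLE.get(rec["accessible"])
        if reason:
            flagged.append((rec["account"], reason))
    return flagged

if __name__ == "__main__":
    for f in audit_info_plist(INFO_PLIST):
        print("[plist]", f)
    for account, reason in audit_keychain(KEYCHAIN_RECORDS):
        print("[keychain]", account, "->", reason)
```

The `user_password` item is the one stored correctly: `WhenUnlockedThisDeviceOnly` means it is only decryptable while the phone is unlocked and never leaves the device in a backup, which is the bar a session or refresh token should also meet.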