Mobile penetration testing
📚 Books
| Title | Author(s) | Focus |
| --- | --- | --- |
| OWASP Mobile Application Security Testing Guide (MASTG) | OWASP Community | The definitive free testing methodology; its test cases map directly to MASVS controls |
| OWASP Mobile Application Security Verification Standard (MASVS) | OWASP Community | Security requirements standard for mobile apps |
| The Mobile Application Hacker's Handbook | Dominic Chell et al. | Deep technical Android + iOS internals, still foundational |
| Mobile Application Penetration Testing | Vijay Kumar Velu (Packt) | End-to-end intro: Android + iOS, static/dynamic analysis |
| Android Hacker's Handbook | Joshua J. Drake et al. | Deep Android internals, exploitation, and security model |
| Android Security Internals | Nikolay Elenkov | In-depth Android security architecture: Binder, permissions, package signing, credential storage |
| iOS Application Security | David Thiel | Definitive guide for attacking and defending iOS apps |
| Hacking Android | Srinivasa Rao Kotipalli & Mohammed A. Imran (Packt) | Android system/app/network hacking, exploitation mindset |
| Android App Penetration Testing | Sood & Velu | Practical Android: SQLi, XSS, auth issues |
| Penetration Testing with Kali NetHunter | Gerald Roybal | Mobile-focused pentesting with the NetHunter platform |
💡 Start with OWASP MASTG (free) as your bible, then The Mobile Application Hacker's Handbook for deep internals.
🎓 Courses
| Provider | Course | Level |
| --- | --- | --- |
| TCM Security Academy | Practical Mobile Application Penetration Testing | Beginner → Intermediate |
| SANS Institute | SEC575: iOS and Android Application Security Analysis & Pentesting | Professional |
| 8ksec Academy | Practical Mobile Application Exploitation (30 hrs, 170 videos) | Intermediate → Advanced |
| INE / eLearnSecurity | Mobile Application Penetration Testing (eMAPT aligned) | Intermediate |
| Hack The Box Academy | Android Fundamentals + Android Pentesting Automation | Beginner → Intermediate |
| 7ASecurity | Advanced iOS and Android Exploitation | Advanced |
| TutorialsPoint Market | Mobile App Pentesting & Bug Bounty Hunting 2025 | Beginner → Intermediate |
| HackerOne / Hacker101 | Mobile Hacking / iOS & Android Hacking (Free) | Beginner |
| PortSwigger Academy | Web & API Security (Mobile Traffic) | Free, All Levels |
| Recon Cyber Security | Dedicated Mobile Application Pentesting Training | Structured / Practical |
| Udemy | Learn Mobile Pentesting From Scratch | Beginner → Intermediate |
| Udemy | Mobile Application Hacking and Pentesting (Android Security) | Intermediate |
| Udemy | Mobile Hacking & Security Complete Course: Android & iOS | All Levels |
| Udemy | The Complete Android Ethical Hacking Course – Zaid Sabih | Beginner → Intermediate |
| Cybrary | Mobile Device Security | Foundational |
| Cyberbugs | Mobile Application Penetration Testing Course | Android & iOS Labs |
💼 LinkedIn Learning
LinkedIn Learning is best for foundational concepts, compliance mapping, and corporate-level understanding. For hands-on depth, prioritize dedicated pentest platforms.
| Course | Best For |
| --- | --- |
| Android App Penetration Testing | Structured Android security testing approach |
| Penetration Testing and Ethical Hacking | Intermediate ethical hacking including mobile components |
| Learning Mobile Device Security | Beginner-friendly MDM and hardware security |
| Mobile Security: Defend the Devices That Move the World | OS architecture and forensic analysis |
| Android App Security | Android-specific security fundamentals |
| iOS App Development: Security | iOS security implementation and testing |
| OWASP Mobile Security (search term) | OWASP framework overview and compliance |
| API Security for Mobile Applications (search term) | Backend API security for mobile apps |
▶️ YouTube Channels
| Channel | Focus / Content |
| --- | --- |
| HackerSploit | Android security tutorials, Linux, Docker, pentesting fundamentals |
| TCM Security (The Cyber Mentor) | Practical methodology, general and mobile pentesting |
| LiveOverflow | Deep-dive reverse engineering, CTF walkthroughs, binary exploitation |
| IppSec | HackTheBox walkthroughs including mobile challenges |
| NahamSec | Bug bounty, live hacking streams, web and mobile hunting |
| STÖK | Hacker mindset, real-world testing, bug bounty including mobile |
| CryptoCat | CTF walkthroughs, binary exploitation, malware analysis, Android pentesting |
| John Hammond | CTF, malware reversing, educational content |
| 13Cubed | Mobile forensics and security |
| Wilson Security Group / Aaron Wilson | Mobile app pentesting, certification reviews |
| Hacking Simplified | Android pentesting tutorials, GraphQL, interviews |
| Rana Khalil | Web Security Academy labs, methodical vulnerability explanations |
| AllSafe (Hadi Alnablsi) | Mobile security challenges and tool walkthroughs |
| OWASP Global | Conference talks on MASVS/MASTG and mobile security |
| NullByte (WonderHowTo) | Android/iOS hacking tutorials |
💡 Filter channels by: regular uploads in last 1–2 years + dedicated playlists for 'Android App Hacking', 'Mobile Bug Bounty', 'Frida for Android'.
🏆 Certifications
| Certification | Provider | Focus | Level |
| --- | --- | --- | --- |
| eMAPT — Mobile Application Penetration Tester | INE / eLearnSecurity | Dedicated mobile cert (Android & iOS); practical exam that requires submitting a working exploit app | Intermediate |
| GMOB — GIAC Mobile Device Security Analyst | GIAC / SANS | Mobile device & application security analysis; follows SEC575 | Professional |
| PMPA — Practical Mobile Pentest Associate | TCM Security | Hands-on 2-day test + 2-day report exam | Intermediate |
| CMSE — Certified Mobile Security Engineer | 8ksec | Comprehensive mobile exploitation cert | Advanced |
| Certified Mobile Penetration Tester – Android | RedTeam 360 | Focused Android app pentesting, full toolchain | Intermediate |
| GWAPT — GIAC Web App Penetration Tester | GIAC / SANS | Web application pentesting; directly applicable to the backends and APIs that mobile apps talk to | Intermediate |
| BSCP — Burp Suite Certified Practitioner | PortSwigger | Burp Suite proficiency; the interception and API testing skills carry over to mobile traffic | Intermediate |
| OSCP — Offensive Security Certified Professional | Offensive Security | General network/host pentesting; not mobile-specific, but a common baseline credential | Advanced |
| CEH — Certified Ethical Hacker | EC-Council | Foundational ethical hacking; includes a mobile module | Foundational |
| CPENT — Certified Penetration Testing Professional | EC-Council | Broad pentesting with mobile sections | Intermediate |
💡 Recommended path: eMAPT → GMOB → OSCP. eMAPT is the strongest dedicated mobile credential.
🧪 Labs & Practice Environments
Vulnerable Practice Apps
| Lab / App | Platform | Description |
| --- | --- | --- |
| OWASP GoatDroid | Android | Intentionally vulnerable Android banking app (older project, no longer maintained) |
| DIVA (Damn Insecure and Vulnerable App) | Android | Intentionally vulnerable Android app (insecure logging, hardcoding, insecure storage, input validation, access control); used in the workflow at the end of this page |
| InsecureBankv2 | Android | Vulnerable banking app with a local backend you run yourself; pairs well with MobSF for static/dynamic practice |
| DVIA-v2 (Damn Vulnerable iOS App) | iOS | iOS counterpart: jailbreak detection, certificate pinning, insecure storage, runtime manipulation |
Online Platforms & Environments
| Platform | Type | Details |
| --- | --- | --- |
| Hack The Box | CTF / Labs | Mobile track: Android Fundamentals, Static/Dynamic Analysis, Automation |
| TryHackMe | Guided Rooms | Mobile-specific rooms for hands-on practice |
| Corellium | Virtual Devices | Arm-native virtual iOS/Android devices, one-click jailbreak/root, built-in Frida |
| Mobexler VM | Virtual Machine | Pre-configured mobile pentesting VM with Ghidra, Radare2, MobSF, Frida, palera1n |
| PentesterLab | Web / Mobile Labs | Real vulnerabilities, certificates of completion |
| NowSecure Academy Labs | Hands-on | Free and paid labs for mobile appsec |
| EJN Labs | Aligned Labs | Testing aligned to OWASP Top 10 |
| MobSF + Vulnerable Apps (Self-hosted) | Self-hosted | Run DIVA and InsecureBankv2 through MobSF for static/dynamic practice |
🧰 Udemy
| Course | Instructor | Focus |
| --- | --- | --- |
| Android Bug Bounty Hunting: Hunt Like a Rat | Zaid Sabih | Bug bounty methodology, Android hacking |
| The Complete Android Ethical Hacking Course | Zaid Sabih | System hacking to app vulnerabilities |
| Mobile Application Hacking & Pentesting (Android Security) | Various | Full pentest on Android apps, architecture deep-dive |
| Advanced Mobile Pentesting of Android Applications | Various | Real-world attacks, auditing techniques |
| Mobile Hacking & Security Complete Course: Android & iOS | Various | Lab setup for both platforms using Kali Linux |
| Learn Mobile Pentesting From Scratch | Various | OWASP Mobile Top 10, reverse engineering, traffic interception |
| Practice Mobile Application Hacking (4.2/5) | Various | Real-world mobile app testing scenarios |
| Mobile App Pentesting — iOS & Android | Yogesh Ojha | iOS and Android methodology |
| iOS App Pentesting | Sunny Wear | iOS-focused security testing |
| API Penetration Testing (mobile APIs) | Corey Ball | Backend API security for mobile apps |
| Frida for Beginners / Frida Android | Various | Dynamic instrumentation, SSL pinning bypass |
💡 Filter Udemy searches by: courses mentioning Burp, MobSF, Frida, Objection, APKTool, JADX. Prefer 4.5+ rating, updated recently, with live device + emulator labs.
🧰 GitHub / Tools
All-in-One Frameworks
| Tool | Purpose |
| --- | --- |
| MobSF (Mobile Security Framework) | Automated static + dynamic analysis for Android, iOS and Windows app binaries |
| Objection | Runtime mobile exploration toolkit built on Frida; on a non-rooted / non-jailbroken device you first patch the app with the Frida gadget (objection patchapk / patchipa) |
Android-Specific Tools
| Tool | Purpose |
| --- | --- |
| APKTool | Decode and rebuild APKs: resources, AndroidManifest.xml, smali |
| JADX | DEX to Java decompiler; read (approximate) Java source from APKs |
| Drozer | Android attack framework; exercises exported components and IPC |
| QARK | Android static analysis and vulnerability detection |
| APKLeaks | Scans APKs for hardcoded secrets, URLs and endpoints |
| Genymotion / Android AVD | Android emulation for testing |
| Quark Engine | Rule-based Android malware and behaviour analysis |
| Applist Detector / Momo | Detection-test apps: show what a target app can see (root, Magisk, Zygisk, hooks) so you know whether your hiding actually works |
| Shamiko | Magisk module that hides root from apps on the DenyList |
| MoveCertificate (Movecert) | Magisk module that moves user-installed CA certificates into the system store; needed for HTTPS interception on Android 7+, where apps ignore user CAs by default |
| Dex2Jar / JD-GUI | Convert DEX to JAR and decompile to readable Java (older two-step workflow; JADX covers both steps) |
| ADB (Android Debug Bridge) | Core Android device control and shell access |
iOS-Specific Tools
| Tool | Purpose |
| --- | --- |
| Frida (iOS) | Dynamic instrumentation for iOS apps |
| Objection (iOS) | Runtime iOS exploration, jailbreak detection bypass |
| iblessing | iOS security testing framework and binary analysis |
| palera1n | checkm8-based jailbreak for A8–A11 devices running iOS 15 and later; it does not cover newer chips |
| Grapefruit | Web-based runtime inspection of iOS apps (successor to Passionfruit) |
| SSL Kill Switch 2 | Tweak that disables certificate validation system-wide on a jailbroken device (newer iOS versions need its successor, SSL Kill Switch 3) |
| xCon | Legacy jailbreak detection bypass for old iOS versions; on current devices use Objection or Frida scripts instead |
| class-dump | Extract Objective-C class information from Mach-O binaries |
| Hopper / Ghidra / IDA Pro | Reverse engineering iOS/Android native binaries |
| Corellium | ARM-native virtual iOS device platform |
Proxy & Traffic Interception
| Tool | Purpose |
| --- | --- |
| Burp Suite | Intercept and manipulate mobile HTTPS traffic |
| mitmproxy | Open-source man-in-the-middle proxy, scriptable in Python |
| OWASP ZAP | Free web/mobile app security scanner and proxy |
Testing Distributions / VMs
| Distribution | Type |
| --- | --- |
| Mobexler | Pre-configured mobile pentesting VM (Ghidra, Frida, MobSF, palera1n); the most current option in this list |
| Androl4b | VM for Android reverse engineering (older project) |
| Appie | Portable Android pentesting package (no longer maintained) |
| Android Tamer | VM for Android security professionals (older project) |
| Santoku | Standalone mobile security OS (discontinued) |
📋 Cheatsheets
| Resource | Coverage |
| --- | --- |
| OWASP Mobile Application Security Testing Guide (MASTG) | The gold standard: a 'How-To' for every mobile security test |
| OWASP Mobile Application Security Cheat Sheet | Concise reference for common commands and vulnerabilities |
| MobileApp-Pentest-Cheatsheet (tanprathan) | Concise notes aligned to the OWASP Mobile Top 10; typical payloads and approaches |
| Burp + Mobile Setup Guide | Configure Burp Suite for mobile traffic interception |
Essential Command Reference
Android ADB
adb devices # List connected devices
adb shell # Access device shell
adb install app.apk # Install APK
adb shell pm path com.example # Locate the installed APK (base.apk plus any split APKs)
adb pull "$(adb shell pm path com.example | head -1 | cut -d: -f2 | tr -d '\r')" app.apk # Pull the base APK off the device
adb logcat | grep 'com.example' # Filter device logs by package name
adb logcat --pid "$(adb shell pidof -s com.example)" # Filter logs by the app's PID (Android 7+)
APK Analysis
apktool d app.apk # Decode APK (resources, AndroidManifest.xml, smali)
jadx -d output/ app.apk # Decompile APK to Java source
apkleaks -f app.apk # Scan for hardcoded secrets/URLs
Frida & Objection
frida -U -f com.package.name # Spawn the app over USB with Frida attached (Frida < 16 also needs --no-pause)
frida -U -f com.package.name -l hook.js # Spawn the app with your hook script loaded
frida-trace -U -f com.package.name -i 'SSL*' # Spawn the app and trace native SSL* calls
objection -g com.package.name explore # Open the Objection interactive shell
objection -g com.package.name explore -s "android sslpinning disable" # Start with the SSL pinning bypass applied (in the shell: android sslpinning disable / android root disable / ios sslpinning disable)
iOS (Jailbroken)
ssh root@<device-ip> # SSH into the jailbroken device (default password is alpine; change it)
frida -U -p <pid> # Attach Frida to a running iOS process by PID
frida-ps -Ua # List running apps on the USB device
frida-ps -Uai # List all installed apps with their bundle identifiers
✅ Pentesting Checklist (OWASP MASVS/MASTG)
This checklist is based on OWASP MASVS and MASTG standards. Use alongside the dedicated checklist tools listed below.
1️⃣ Information Gathering & Recon
☐ Decompile APK (apktool) / extract IPA and analyze plist / AndroidManifest.xml
☐ Identify permissions, exported components, and broadcast receivers
☐ Scan for hardcoded API keys, secrets, tokens (apkleaks, MobSF)
☐ Identify and assess third-party libraries and SDKs
☐ Review build configuration for debug flags and security weaknesses
☐ Check for sensitive data in logs (adb logcat)
2️⃣ Static Analysis
☐ Hardcoded credentials, API keys, private keys in source
☐ Weak or deprecated cryptographic algorithms (MD5, SHA-1, DES/3DES, RC4, ECB mode, static IVs)
☐ Insecure random number generation (java.util.Random / Math.random used for tokens or keys instead of SecureRandom)
☐ Debug flags enabled in production build (android:debuggable="true")
☐ Backup enabled (android:allowBackup="true"): app data is extractable with adb backup on Android 11 and earlier; on Android 12+ adb backup of app data is off by default, so confirm on the target OS version
☐ Exported activities, services, receivers or content providers without a permission; for targetSdk < 31 a component with an intent-filter and no android:exported attribute is exported implicitly
☐ Insecure WebView configurations (JavaScript enabled, file/content URL access, addJavascriptInterface reachable from untrusted pages)
☐ Deep link / URL scheme handler analysis for injection and open-redirect style abuse
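The manifest items above (debug flag, backup, cleartext traffic, exported components) are mechanical enough to script. The following is an added example, not code from the original page or from any of the tools it lists: it runs over the AndroidManifest.xml that apktool decodes and applies Android's actual export rules, including the implicit export via intent-filter for targetSdk below 31. SAMPLE_MANIFEST and the package com.example.vulnbank are a constructed fixture.

```python
"""Added example, not code from the original page: static checks over a decoded
AndroidManifest.xml (apktool d output) for the debuggable, allowBackup,
cleartext-traffic and exported-component items of the checklist.
SAMPLE_MANIFEST is a constructed fixture for the fictional package com.example.vulnbank."""
import sys
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed sample: targetSdk 30, so a component with an <intent-filter> and no
# explicit android:exported is implicitly exported (API 31+ refuses to install that).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.vulnbank">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="30"/>
  <application android:debuggable="true" android:allowBackup="true"
      android:usesCleartextTraffic="true">
    <activity android:name=".LoginActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".TransferActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <data android:scheme="vulnbank" android:host="transfer"/>
      </intent-filter>
    </activity>
    <provider android:name=".AccountsProvider"
        android:authorities="com.example.vulnbank.accounts" android:exported="true"/>
    <service android:name=".SyncService" android:exported="true"
        android:permission="com.example.vulnbank.SYNC"/>
    <receiver android:name=".InternalReceiver" android:exported="false"/>
  </application>
</manifest>
"""


def attr(elem, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def is_exported(comp, target_sdk):
    """Android's export rules: an explicit android:exported wins; otherwise a
    component with an <intent-filter> is exported when targetSdk < 31, and a
    provider without the attribute is exported only when targetSdk < 17."""
    explicit = attr(comp, "exported")
    if explicit is not None:
        return explicit == "true"
    if comp.tag == "provider":
        return target_sdk < 17
    return comp.find("intent-filter") is not None and target_sdk < 31


def analyze_manifest(xml_text):
    """Return (severity, finding) tuples for the manifest text."""
    root = ET.fromstring(xml_text)
    uses_sdk = root.find("uses-sdk")
    target_sdk = int(attr(uses_sdk, "targetSdkVersion") or 1) if uses_sdk is not None else 1
    app = root.find("application")
    if app is None:
        return [("HIGH", "no <application> element")]
    findings = []
    app_flags = (
        ("debuggable", "HIGH", "android:debuggable=true: run-as and debugger attach work on this build"),
        ("allowBackup", "MEDIUM", "android:allowBackup=true: app data may be extractable via adb backup (Android 11 and earlier)"),
        ("usesCleartextTraffic", "MEDIUM", "android:usesCleartextTraffic=true: plain HTTP permitted app-wide"),
    )
    for flag, sev, msg in app_flags:
        if attr(app, flag) == "true":
            findings.append((sev, msg))
    for comp in app:
        if comp.tag not in COMPONENT_TAGS or not is_exported(comp, target_sdk):
            continue
        # The launcher activity must be exported; any other exported component needs a guard.
        if any(attr(c, "name") == "android.intent.category.LAUNCHER" for c in comp.iter("category")):
            continue
        guarded = any(attr(comp, p) for p in ("permission", "readPermission", "writePermission"))
        if not guarded:
            how = "explicitly" if attr(comp, "exported") else "implicitly via intent-filter"
            findings.append(("HIGH", f"{comp.tag} {attr(comp, 'name')} is exported {how} with no permission"))
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_MANIFEST
    for severity, message in analyze_manifest(text):
        print(f"[{severity}] {message}")
```

Run it as `python manifest_check.py path/to/decoded/AndroidManifest.xml`; with no argument it analyses the built-in sample and reports five findings, of which the implicitly exported deep-link activity is the one a quick grep for android:exported would miss. Bump the sample's targetSdkVersion to 31 and that finding disappears, which is exactly why the checklist item says to confirm the target SDK before reporting.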
3️⃣ Dynamic Analysis & Traffic Interception
☐ Set up Burp Suite proxy and install its CA certificate on the device; on Android 7+ apps ignore user-added CAs by default, so move the certificate into the system store (rooted device / Movecert module) or use an emulator with a writable system image
☐ Intercept and replay HTTPS traffic
☐ Test SSL/TLS pinning bypass (Objection's sslpinning disable or custom Frida scripts)
☐ Test root / jailbreak detection bypass
☐ Authentication bypass and parameter tampering
☐ Session token analysis (expiry, replay, predictability)
☐ Test error messages for information disclosure
4️⃣ Runtime Manipulation (Frida / Objection)
☐ Frida hook sensitive functions (crypto, auth, storage)
☐ Bypass root/jailbreak detection via Frida
☐ Bypass SSL certificate pinning dynamically
☐ Dump memory for sensitive data at runtime
☐ Test anti-debugging and anti-tampering controls
☐ Verify emulator detection bypass
5️⃣ Data Storage Security
☐ SharedPreferences / NSUserDefaults — check for plaintext sensitive data
☐ SQLite databases — check for unencrypted sensitive records
☐ Keychain (iOS) / Keystore (Android) — verify correct usage
☐ External storage / SD card data exposure
☐ Temporary files, caches, clipboard data exposure
☐ Keyboard cache storing sensitive inputs
☐ Screenshots of sensitive screens (backgrounding)
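The SharedPreferences and SQLite items above come down to pulling the app's private directory and reading what is in it. The following is an added example, not code from the original page or from MobSF/Objection: it walks a pulled `/data/data/<pkg>` tree (copied out with adb pull on a rooted device, or via run-as on a debuggable build), flags values that look like tokens, card numbers or raw key material, and flags any value stored under a credential-like key. `build_sample_app_dir()` writes a constructed fixture so it runs offline; the package name and all values are made up.

```python
"""Added example, not code from the original page: scan a pulled app data
directory for plaintext secrets in SharedPreferences XML and SQLite databases.
The fixture written by build_sample_app_dir() is constructed, not real app data."""
import os
import re
import sqlite3
import sys
import tempfile
import xml.etree.ElementTree as ET

# Key names that usually hold credentials or session material.
SENSITIVE_KEY = re.compile(r"pass(word)?|pwd|token|secret|api[_-]?key|session|auth|otp", re.I)
JWT_RE = re.compile(r"^eyJ[\w-]+\.[\w-]+\.[\w-]*$")
LONG_HEX = re.compile(r"^[0-9a-fA-F]{32,}$")  # raw keys, hashes, AES material


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates a card number from any other digit string."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(key, value):
    """Return why a key/value pair looks sensitive, or None."""
    text = str(value)
    if JWT_RE.match(text):
        return "JWT"
    if text.isdigit() and 13 <= len(text) <= 19 and luhn_ok(text):
        return "card number (Luhn valid)"
    if LONG_HEX.match(text):
        return "long hex blob"
    if text and SENSITIVE_KEY.search(key or ""):
        return "sensitive key name"
    return None


def scan_shared_prefs(path):
    """SharedPreferences XML: <map><string name="k">v</string><boolean name="k" value="true"/></map>"""
    hits = []
    for elem in ET.parse(path).getroot():
        key = elem.get("name")
        value = elem.get("value") if elem.get("value") is not None else (elem.text or "")
        reason = classify(key, value)
        if reason:
            hits.append((os.path.basename(path), key, reason))
    return hits


def scan_sqlite(path):
    """Walk every table and column; files under databases/ are rarely encrypted."""
    hits = []
    con = sqlite3.connect(path)
    try:
        tables = [r[0] for r in con.execute("SELECT name FROM sqlite_master WHERE type='table'")]
        for table in tables:
            cols = [r[1] for r in con.execute(f'PRAGMA table_info("{table}")')]
            for row in con.execute(f'SELECT * FROM "{table}"'):
                for col, val in zip(cols, row):
                    reason = classify(col, val)
                    if reason:
                        hits.append((f"{os.path.basename(path)}:{table}", col, reason))
    finally:
        con.close()
    return hits


def scan_app_dir(app_dir):
    hits = []
    for dirpath, _, files in os.walk(app_dir):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.basename(dirpath) == "shared_prefs" and name.endswith(".xml"):
                hits += scan_shared_prefs(full)
            elif name.endswith((".db", ".sqlite")):
                hits += scan_sqlite(full)
    return hits


def build_sample_app_dir():
    """Constructed fixture mimicking /data/data/com.example.vulnbank (made-up values)."""
    base = tempfile.mkdtemp(prefix="vulnbank_")
    os.makedirs(os.path.join(base, "shared_prefs"))
    with open(os.path.join(base, "shared_prefs", "com.example.vulnbank_preferences.xml"), "w") as fh:
        fh.write('<?xml version="1.0" encoding="utf-8" standalone="yes" ?>\n<map>\n'
                 '  <string name="username">alice</string>\n'
                 '  <string name="password">hunter2</string>\n'
                 '  <string name="session_token">eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2ln</string>\n'
                 '  <boolean name="biometrics_enabled" value="true" />\n</map>\n')
    os.makedirs(os.path.join(base, "databases"))
    con = sqlite3.connect(os.path.join(base, "databases", "accounts.db"))
    con.execute("CREATE TABLE cards (id INTEGER, holder TEXT, pan TEXT, api_key TEXT)")
    con.execute("INSERT INTO cards VALUES (1, 'alice', '4111111111111111', 'sk_live_constructed_0123456789')")
    con.commit()
    con.close()
    return base


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_app_dir()
    for location, key, reason in scan_app_dir(target):
        print(f"{location}: {key} -> {reason}")
```

Point it at the pulled directory (`python storage_scan.py ./com.example.app`); on the fixture it reports four hits: the password and JWT in the preferences file and the PAN and API key in the database. Treat the output as leads, not findings: a hit still has to be confirmed as real sensitive data that is not protected by the Keystore/Keychain, and a clean run says nothing about data stored under names the regex does not know.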
6️⃣ API & Network Security
☐ IDOR (Insecure Direct Object Reference) in API endpoints
☐ Rate limiting and brute-force protection
☐ JWT token tampering and signature bypass
☐ Token replay attacks
☐ Certificate validation and hostname verification
☐ Sensitive data transmitted over HTTP (not HTTPS)
☐ IPC exposure — Intents, URL schemes, deep links
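For the JWT tampering item above, the check is always the same pair: change a claim and keep the signature, and change a claim and set `alg` to `none`. The following is an added example, not code from the original page or from any library: a minimal HS256 mint/verify in the standard library, a deliberately naive verifier that trusts the token header, and the pinned verifier that a backend should use instead. The secret and claims are constructed sample values; a real service would use PyJWT or equivalent with the algorithm list fixed server-side.

```python
"""Added example, not code from the original page: JWT signature-bypass checks
(alg=none forgery and claim tampering) against a naive and a pinned verifier.
SERVER_SECRET and the claims are constructed sample values."""
import base64
import hashlib
import hmac
import json

SERVER_SECRET = b"constructed-sample-hs256-secret"  # assumption: HS256 shared key


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint(header: dict, payload: dict, key: bytes) -> str:
    """Build a compact JWT; alg "none" yields an empty signature segment."""
    head = b64url(json.dumps(header, separators=(",", ":")).encode())
    body = b64url(json.dumps(payload, separators=(",", ":")).encode())
    if header.get("alg") == "none":
        return f"{head}.{body}."
    mac = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(mac)}"


def _hs256_ok(head: str, body: str, sig: str, key: bytes) -> bool:
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return bool(sig) and hmac.compare_digest(expected, b64url_decode(sig))


def verify_naive(token: str, key: bytes):
    """Vulnerable verifier: honours whatever alg the token header claims."""
    head, body, sig = token.split(".")
    alg = json.loads(b64url_decode(head)).get("alg")
    if alg == "none" or (alg == "HS256" and _hs256_ok(head, body, sig, key)):
        return json.loads(b64url_decode(body))
    return None


def verify_pinned(token: str, key: bytes, expected_alg: str = "HS256"):
    """Hardened verifier: the server decides the algorithm, the token does not."""
    head, body, sig = token.split(".")
    if json.loads(b64url_decode(head)).get("alg") != expected_alg:
        return None
    if not _hs256_ok(head, body, sig, key):
        return None
    return json.loads(b64url_decode(body))


def forge_none(token: str, **claim_changes) -> str:
    """Attacker step 1: drop the signature, set alg none, rewrite the claims."""
    _, body, _ = token.split(".")
    payload = json.loads(b64url_decode(body))
    payload.update(claim_changes)
    return mint({"alg": "none", "typ": "JWT"}, payload, b"")


def tamper_keep_sig(token: str, **claim_changes) -> str:
    """Attacker step 2: change the claims but keep the original signature."""
    head, body, sig = token.split(".")
    payload = json.loads(b64url_decode(body))
    payload.update(claim_changes)
    return f"{head}.{b64url(json.dumps(payload, separators=(',', ':')).encode())}.{sig}"


def demo() -> dict:
    legit = mint({"alg": "HS256", "typ": "JWT"}, {"sub": "user42", "role": "user"}, SERVER_SECRET)
    forged = forge_none(legit, role="admin")
    tampered = tamper_keep_sig(legit, role="admin")
    return {
        "naive_accepts_alg_none": verify_naive(forged, SERVER_SECRET) is not None,
        "naive_rejects_tampered_sig": verify_naive(tampered, SERVER_SECRET) is None,
        "pinned_rejects_alg_none": verify_pinned(forged, SERVER_SECRET) is None,
        "pinned_rejects_tampered_sig": verify_pinned(tampered, SERVER_SECRET) is None,
        "pinned_accepts_legit": verify_pinned(legit, SERVER_SECRET) == {"sub": "user42", "role": "user"},
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

In a real test you capture the app's token in Burp, build the two variants with `forge_none` and `tamper_keep_sig`, and replay them against an authenticated endpoint; a 200 on the alg=none variant is the finding. The pinned verifier is the fix to recommend: the accepted algorithm list lives in server configuration, never in the token.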
7️⃣ Reverse Engineering & Resilience
☐ Assess code obfuscation effectiveness (ProGuard/R8/others)
☐ Check file integrity verification mechanisms
☐ Test detection of reverse engineering tools
☐ Verify app behavior on modified/tampered devices
☐ Assess anti-debugging implementation
Dedicated Checklist Tools
| Tool | Coverage |
| --- | --- |
| OWASP MASTG Checklist | Full official OWASP test case checklist; the definitive reference |
| Mobile-App-Security-Checklist (a6k8s4) | Browser-based OWASP Top 10 checklist; tick/untick and export a report |
| Android App Pentesting Checklist (Hrishikesh7665) | Deep technical Android runbook: static, dynamic, network, permissions + tooling setup |
| Android App Security Checklist (muellerberndt) | Design/testing/release security checklist based on OWASP MASVS |
| OWASP Mobile Top 10 | High-level list of the 10 most critical mobile security risks |
| iOS Pentesting Checklist (ivRodriguezCA) | iOS-specific reverse engineering and testing checklist |
💡 Recommended Workflow: OWASP MASVS + MASTG → MobSF (static analysis) → Frida + Objection (runtime) → Burp Suite (traffic) → Practice on DIVA (Android) + DVIA (iOS) → Real bug bounty targets