Mobile App Security Testing: A Practical Guide for 2025

SecureCodeReviews Team
January 18, 2025
17 min read

Why Mobile App Security Matters More Than Ever

Mobile apps handle sensitive data — banking, healthcare, authentication, personal communications. Yet 80% of mobile apps we audit have at least one critical vulnerability.

The OWASP Mobile Top 10 (2024) lists the most critical mobile security risks:

#   | Risk                                   | Prevalence
----|----------------------------------------|------------
M1  | Improper Credential Usage              | Very Common
M2  | Inadequate Supply Chain Security       | Common
M3  | Insecure Authentication/Authorization  | Very Common
M4  | Insufficient Input/Output Validation   | Common
M5  | Insecure Communication                 | Common
M6  | Inadequate Privacy Controls            | Common
M7  | Insufficient Binary Protections        | Very Common
M8  | Security Misconfiguration              | Very Common
M9  | Insecure Data Storage                  | Very Common
M10 | Insufficient Cryptography              | Common

Testing Area #1: Insecure Data Storage

Mobile apps frequently store sensitive data in insecure locations.

What to Check (Android)

# Check SharedPreferences for sensitive data
adb shell cat /data/data/com.example.app/shared_prefs/*.xml

# Check SQLite databases
adb shell sqlite3 /data/data/com.example.app/databases/app.db ".dump"

# Check for sensitive data in logs
adb logcat | grep -i "password\|token\|api_key\|secret"

# Check external storage (world-readable!)
adb shell ls /sdcard/Android/data/com.example.app/

What to Check (iOS)

# Check Keychain (using objection)
objection -g com.example.app explore
> ios keychain dump

# Check NSUserDefaults (plist files)
> ios plist cat NSUserDefaults

# Check for sensitive data in Core Data / SQLite
> sqlite connect Library/Application\ Support/app.sqlite

❌ Vulnerable (Android — Storing token in SharedPreferences)

// INSECURE — SharedPreferences is stored in plain XML
val prefs = getSharedPreferences("auth", MODE_PRIVATE)
prefs.edit().putString("access_token", token).apply()
prefs.edit().putString("refresh_token", refreshToken).apply()

✅ Fixed (Android — Using EncryptedSharedPreferences)

import androidx.security.crypto.EncryptedSharedPreferences
import androidx.security.crypto.MasterKey

val masterKey = MasterKey.Builder(context)
    .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
    .build()

val securePrefs = EncryptedSharedPreferences.create(
    context,
    "secure_auth",
    masterKey,
    EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
    EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM
)

securePrefs.edit().putString("access_token", token).apply()

Testing Area #2: Certificate Pinning Bypass

If your app doesn't pin certificates, attackers on the same network can intercept HTTPS traffic.

Test with Frida

// frida-ssl-pin-bypass.js
Java.perform(function () {
  var TrustManager = Java.use('javax.net.ssl.X509TrustManager');
  var SSLContext = Java.use('javax.net.ssl.SSLContext');

  // This script bypasses certificate pinning
  // If it works, your app is vulnerable
  var TrustAllManager = Java.registerClass({
    name: 'com.frida.TrustAllManager',
    implements: [TrustManager],
    methods: {
      checkClientTrusted: function (chain, authType) {},
      checkServerTrusted: function (chain, authType) {},
      getAcceptedIssuers: function () { return []; },
    },
  });
});

✅ Fix: Implement Certificate Pinning

// Android — OkHttp Certificate Pinning
val client = OkHttpClient.Builder()
    .certificatePinner(
        CertificatePinner.Builder()
            .add("api.example.com",
                "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=") // Primary
            .add("api.example.com",
                "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=") // Backup
            .build()
    )
    .build()
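The "sha256/..." values in the CertificatePinner above are base64 SHA-256 digests of the certificate's SubjectPublicKeyInfo (the public key plus its algorithm), not of the whole certificate, which is why a renewed certificate with the same key keeps the same pin. The following is an added example, not code from the original post or from OkHttp: it derives that pin from a DER certificate with a small DER walker and checks it against a pin set; the certificate it parses is a constructed, structurally minimal Ed25519 one so the block runs offline.

```python
import base64
import hashlib

def der(tag, body):
    """Encode one DER TLV (short or long-form length)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def read_tlv(buf, i):
    """Decode the TLV at offset i; return (tag, value, offset just past it)."""
    tag, n, j = buf[i], buf[i + 1], i + 2
    if n & 0x80:                                 # long form: n & 0x7F length bytes follow
        k = n & 0x7F
        n, j = int.from_bytes(buf[j:j + k], "big"), j + k
    return tag, buf[j:j + n], j + n

def extract_spki(cert_der):
    """Return the raw SubjectPublicKeyInfo of a DER certificate: the bytes OkHttp hashes."""
    _, cert, _ = read_tlv(cert_der, 0)           # Certificate ::= SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)                # tbsCertificate
    tag, _, i = read_tlv(tbs, 0)                 # version [0] EXPLICIT (optional) or serialNumber
    if tag == 0xA0:
        _, _, i = read_tlv(tbs, i)               # serialNumber
    for _ in range(4):                           # signature, issuer, validity, subject
        _, _, i = read_tlv(tbs, i)
    _, _, end = read_tlv(tbs, i)                 # subjectPublicKeyInfo
    return tbs[i:end]

def spki_pin(spki_der):
    """OkHttp/HPKP pin format: "sha256/" + base64(SHA-256(SPKI))."""
    return "sha256/" + base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def matches_pinset(cert_der, pinset):
    """The check CertificatePinner performs per chain certificate: is its SPKI pin in the set?"""
    return spki_pin(extract_spki(cert_der)) in set(pinset)

# Constructed, structurally minimal Ed25519 certificate (empty names, no real signature)
ED25519_ALG = der(0x30, der(0x06, bytes.fromhex("2b6570")))
SAMPLE_SPKI = der(0x30, ED25519_ALG + der(0x03, b"\x00" + bytes(range(32))))
_TBS = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + ED25519_ALG
           + der(0x30, b"") + der(0x30, b"") + der(0x30, b"") + SAMPLE_SPKI)
SAMPLE_CERT_DER = der(0x30, _TBS + ED25519_ALG + der(0x03, b"\x00" + bytes(64)))
SAMPLE_PIN = spki_pin(SAMPLE_SPKI)
```

For a real certificate the same value comes from `openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64`. The backup pin should belong to a key you hold but have not yet deployed, otherwise a key rotation bricks the app until users update.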

Testing Area #3: Reverse Engineering & Hardcoded Secrets

Android APK Analysis

# Decompile APK
apktool d app.apk -o app_decompiled

# Search for hardcoded secrets
grep -r "api_key\|secret\|password\|token" app_decompiled/
grep -r "https://\|http://" app_decompiled/smali/

# Use jadx for Java source
jadx -d output app.apk
grep -r "API_KEY\|SECRET" output/
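The grep commands in Testing Area #1 (SharedPreferences dumps) and here (decompiled source) only match on names. The following added example, not from the original post or any of the tools it lists, goes one step further: it parses a SharedPreferences XML dump and jadx-style source lines, then flags entries by sensitive name, by JWT shape, or by character entropy, while reporting plain URLs as endpoints rather than secrets. The XML, the source lines, and the 3.5-bit entropy threshold are constructed assumptions.

```python
import math
import re
import xml.etree.ElementTree as ET

SENSITIVE_NAME = re.compile(r"pass(word)?|secret|token|api[_-]?key|auth|session", re.I)
JWT = re.compile(r"^eyJ[\w-]+\.[\w-]+\.[\w-]*$")   # base64url header.payload.signature
URL = re.compile(r"^https?://", re.I)
ASSIGN = re.compile(r'(\w+)\s*=\s*"([^"]{8,})"')   # name = "literal" in decompiled Java/Kotlin

def shannon_entropy(s):
    """Bits per character; random keys score well above natural-language strings."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def classify(name, value):
    """Return the reasons a (name, value) pair looks like a stored or hardcoded secret."""
    reasons = []
    if SENSITIVE_NAME.search(name):
        reasons.append("sensitive-name")
    if URL.match(value):
        reasons.append("url")            # endpoint inventory (cf. the smali grep), not a secret
    elif JWT.match(value):
        reasons.append("jwt")
    elif len(value) >= 20 and shannon_entropy(value) >= 3.5:
        reasons.append("high-entropy")   # heuristic threshold; tune it on real output
    return reasons

def scan_shared_prefs(xml_text):
    """Scan a SharedPreferences XML dump; only <string> entries carry free text."""
    findings = []
    for el in ET.fromstring(xml_text):   # children of <map>
        if el.tag == "string" and (reasons := classify(el.get("name", ""), el.text or "")):
            findings.append({"name": el.get("name"), "reasons": reasons})
    return findings

def scan_source_lines(lines):
    """Scan decompiled source (jadx output) for string-literal assignments."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for name, value in ASSIGN.findall(line):
            if reasons := classify(name, value):
                findings.append({"line": lineno, "name": name, "reasons": reasons})
    return findings

SAMPLE_PREFS_XML = """<map>
    <string name="access_token">eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyIn0.c2lnbmF0dXJl</string>
    <string name="theme">dark</string>
</map>"""                                # constructed sample, not captured from a real app
SAMPLE_SOURCE = [                        # constructed sample lines
    'public static final String BASE_URL = "https://api.example.com/v1";',
    'private static final String API_KEY = "AKIAIOSFODNN7EXAMPLE";',
]
```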

iOS IPA Analysis

# Extract IPA
unzip app.ipa -d app_extracted

# Check for hardcoded strings
strings app_extracted/Payload/App.app/App | grep -i "key\|secret\|password"

# Check Info.plist for sensitive configs
plutil -p app_extracted/Payload/App.app/Info.plist

Testing Area #4: Insecure API Communication

# Intercept traffic with mitmproxy
mitmproxy --mode transparent --listen-port 8080

# Check for:
# - Sensitive data sent over HTTP (not HTTPS)
# - Tokens in URL query parameters (logged by proxies)
# - Missing authentication on sensitive endpoints
# - Excessive data in API responses
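The four checks in that comment block as executable logic: an added example, not from the original post or from mitmproxy, written as pure functions over a request's URL and headers and a decoded JSON response so it can be run against constructed flows here and wired into a mitmproxy addon's request/response hooks in practice. The sample flows, the list of endpoints that must carry credentials, and the sensitive field names are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

SECRET_PARAMS = {"token", "access_token", "refresh_token", "api_key", "apikey", "password", "session"}
SENSITIVE_PATHS = ("/account", "/transfer", "/profile")   # assumed: endpoints that must be authenticated
SENSITIVE_FIELD = re.compile(r"password|ssn|card_number|cvv|secret", re.I)

def check_request(url, headers):
    """Findings for one captured request: plaintext transport, secrets in the query
    string (they land in proxy and server logs), sensitive endpoints without credentials."""
    u = urlsplit(url)
    hdrs = {k.lower() for k in headers}
    findings = []
    if u.scheme == "http":
        findings.append("plaintext-http")
    leaked = sorted(p for p in parse_qs(u.query) if p.lower() in SECRET_PARAMS)
    if leaked:
        findings.append("secret-in-query:" + ",".join(leaked))
    if any(p in u.path for p in SENSITIVE_PATHS) and not hdrs & {"authorization", "cookie"}:
        findings.append("unauthenticated-sensitive-endpoint")
    return findings

def check_response(body, prefix=""):
    """Walk a decoded JSON body; return dotted paths of fields a client should never receive."""
    found = []
    if isinstance(body, dict):
        for key, val in body.items():
            path = f"{prefix}{key}"
            if SENSITIVE_FIELD.search(key):
                found.append(path)
            found += check_response(val, path + ".")
    elif isinstance(body, list):
        for i, val in enumerate(body):
            found += check_response(val, f"{prefix}{i}.")
    return found

# Constructed flows and response, not captured from a real app
SAMPLE_FLOWS = [
    ("http://api.example.com/v1/login?user=ada&password=hunter2", {}),
    ("https://api.example.com/v1/account?access_token=eyJabc", {"Accept": "application/json"}),
    ("https://api.example.com/v1/account", {"Authorization": "Bearer eyJabc"}),
]
SAMPLE_RESPONSE = {"user": {"name": "Ada", "password_hash": "REDACTED", "ssn": "000-00-0000"},
                   "orders": [{"id": 7, "card_number": "4111111111111111"}]}
```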

Testing Area #5: Authentication Flaws

Common Mobile Auth Vulnerabilities

  1. Biometric bypass — Fallback to weak PIN
  2. Token stored insecurely — Plain text in SharedPreferences
  3. No session expiration — Tokens valid for months
  4. Missing re-authentication — Sensitive actions without password confirmation
  5. Client-side auth checks — Easily bypassed with Frida

// Frida — Bypass client-side auth check
Java.perform(function () {
  var AuthManager = Java.use('com.example.app.AuthManager');
  AuthManager.isAuthenticated.implementation = function () {
    console.log('Bypassed isAuthenticated');
    return true;  // Always return authenticated
  };
});

Free Tools for Mobile Security Testing

Tool      | Platform | Purpose
----------|----------|-----------------------------------
MobSF     | Both     | Automated static/dynamic analysis
Frida     | Both     | Runtime instrumentation
Objection | Both     | Runtime exploration
Jadx      | Android  | APK decompilation
apktool   | Android  | APK resource extraction
Hopper    | iOS      | Binary analysis
mitmproxy | Both     | Traffic interception
Drozer    | Android  | IPC / exported component testing

Mobile Security Testing Checklist

#  | Test                                       | Priority
---|--------------------------------------------|---------
1  | Check for insecure data storage            | Critical
2  | Test certificate pinning                   | High
3  | Search for hardcoded secrets               | Critical
4  | Intercept API traffic                      | High
5  | Test authentication bypass                 | Critical
6  | Check binary protections (obfuscation)     | Medium
7  | Test exported components (Android)         | High
8  | Check for debug/logging in release builds  | Medium
9  | Verify clipboard data handling             | Medium
10 | Test deep link/URL scheme handling         | High

Need a Mobile App Security Audit?

We do hands-on security testing for Android and iOS applications. Request a free consultation →


Published by the SecureCodeReviews.com team — mobile application security specialists.
