API & Mobile Security
Mobile Application Testing
Mobile apps often have security weaknesses their web counterparts don't. They store data locally, trust client-side validation, and expose APIs meant for internal use.
Mobile Bug Bounty Programs
| Platform | Competition | Skill Required |
|---|---|---|
| Android | Higher | Medium |
| iOS | Lower | Medium-High |
| Both | Medium | High |
Many programs now explicitly include mobile apps in scope.
Android Testing Setup
Environment
```bash
# Emulator (Genymotion or Android Studio)
# Physical device (rooted preferred)
# ADB configured
adb devices
# Tools needed:
# - apktool (decompilation)
# - jadx (Java decompilation)
# - Frida (dynamic analysis)
# - Objection (Frida wrapper)
```
APK Extraction
```bash
# From device
adb shell pm list packages | grep example
adb shell pm path com.example.app
adb pull /path/to/base.apk
# Or download from APKPure, APKMirror
```
Decompilation
```bash
# Using apktool (resources + smali)
apktool d app.apk -o decompiled/
# Using jadx (Java source)
jadx app.apk -d jadx-output/
# Check for sensitive data
grep -rn "api_key\|secret\|password\|token" jadx-output/
```
iOS Testing Setup
Environment
```bash
# Jailbroken device (preferred)
# Or: Corellium (cloud-based)
# Tools: Frida, objection, Hopper/IDA
# For non-jailbroken:
# - Use network proxy
# - Limited static analysis
```
IPA Analysis
```bash
# Extract IPA (it is a zip archive)
unzip app.ipa -d extracted/
# Binary analysis (otool ships with Xcode on macOS)
otool -L extracted/Payload/App.app/App   # linked libraries
strings extracted/Payload/App.app/App | grep -i "api\|key\|secret"
```
Static Analysis
Hardcoded Secrets
```bash
# Common patterns to search for in decompiled source:
#   API_KEY=, api_secret=, password=, token=, private_key,
#   -----BEGIN RSA PRIVATE KEY-----
grep -rniE "api_key=|api_secret=|password=|token=|private_key|BEGIN RSA PRIVATE KEY" jadx-output/
# Firebase URLs
grep -r "firebaseio.com" ./decompiled/
# If found, test for open database:
curl https://project.firebaseio.com/.json
```
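The grep above is quick but noisy. Below is an added example (not from the original post) of a small scanner that walks a decompiled tree and reports each hit with file and line, while requiring an actual value after the key so identifiers such as `tokenHeader` do not fire. The sample files, the pattern set and the function names are constructed for this example; point `scan_tree()` at a real `jadx-output/` directory instead.

```python
"""Added example: scan a decompiled app tree for hardcoded-secret patterns.

The sample tree is constructed here so the script runs offline.
"""
from __future__ import annotations

import os
import re
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str      # which pattern fired
    path: str      # file path relative to the scanned root
    line: int
    excerpt: str   # the offending line, truncated


# Hypothetical pattern set assembled for this example: the keys listed above
# plus Firebase project URLs. A value must follow the key so that names like
# `tokenHeader` or comments like "token refresh" do not trigger.
PATTERNS = {
    "api_key": re.compile(r"(?i)api[_-]?key\s*[=:]\s*[\"']?[A-Za-z0-9_\-]{16,}"),
    "api_secret": re.compile(r"(?i)api[_-]?secret\s*[=:]\s*[\"']?[A-Za-z0-9_\-]{16,}"),
    "password": re.compile(r"(?i)password\s*[=:]\s*[\"'][^\"']{4,}[\"']"),
    "token": re.compile(r"(?i)\btoken\s*[=:]\s*[\"']?[A-Za-z0-9_.\-]{16,}"),
    "private_key_pem": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "firebase_url": re.compile(r"https?://[a-z0-9-]+\.firebaseio\.com"),
}

# Only text-like apktool/jadx outputs are scanned; images and compiled
# resources are skipped rather than decoded.
TEXT_EXTENSIONS = {".java", ".kt", ".smali", ".xml", ".json", ".properties",
                   ".txt", ".js", ".pem", ".plist", ".strings"}


def scan_file(path: str, root: str) -> list[Finding]:
    findings = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, start=1):
            for kind, rx in PATTERNS.items():
                if rx.search(line):
                    findings.append(Finding(kind, os.path.relpath(path, root),
                                            lineno, line.strip()[:120]))
    return findings


def scan_tree(root: str) -> list[Finding]:
    """Walk a decompiled tree and return every pattern hit, sorted by path and line."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in TEXT_EXTENSIONS:
                findings.extend(scan_file(os.path.join(dirpath, name), root))
    return sorted(findings, key=lambda f: (f.path, f.line))


def build_sample_tree() -> str:
    """Write a constructed jadx-style tree: two leaks in one class, one Firebase
    URL, one PEM file, one benign source file and one image. Returns the root."""
    root = tempfile.mkdtemp(prefix="jadx-sample-")
    samples = {
        "com/example/app/Config.java": (
            "package com.example.app;\n"
            "public final class Config {\n"
            '    static final String API_KEY = "AKIAEXAMPLE0123456789";\n'   # constructed value
            '    static final String password = "hunter2-example";\n'        # constructed value
            "}\n"),
        "com/example/app/Main.java": (
            "// token refresh happens here\n"
            'String tokenHeader = "Authorization";\n'),                     # must not fire
        "res/values/strings.xml": (
            "<resources>\n"
            '  <string name="firebase_url">https://demo-project.firebaseio.com</string>\n'
            "</resources>\n"),
        "assets/legacy.pem": (
            "-----BEGIN RSA PRIVATE KEY-----\n"
            "MIIEowIBAAKCAQEA(constructed placeholder, not a real key)\n"
            "-----END RSA PRIVATE KEY-----\n"),
    }
    for rel, text in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(text)
    # A binary resource that must be skipped, not decoded
    os.makedirs(os.path.join(root, "res/raw"), exist_ok=True)
    with open(os.path.join(root, "res/raw/logo.png"), "wb") as fh:
        fh.write(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
    return root


if __name__ == "__main__":
    for f in scan_tree(build_sample_tree()):
        print(f"{f.kind:16} {f.path}:{f.line}  {f.excerpt}")
```

Treat the output as leads, not findings: a hit in `strings.xml` still has to be confirmed against the API it unlocks, and the same scan run in CI against the release build catches the leak before it reaches a store.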
Insecure Data Storage
```bash
# Android: Check SharedPreferences (needs root, or run-as on a debuggable build)
cat /data/data/com.example.app/shared_prefs/*.xml
# Check for sensitive data in:
# - SQLite databases
# - Cache files
# - Log files
# - Backup files
```
Certificate Pinning
```bash
# If app uses certificate pinning:
# - Bypass needed for traffic interception
# - Use Frida/objection
objection -g com.example.app explore
# Then, inside the objection shell: android sslpinning disable
```
Dynamic Analysis
Traffic Interception
```bash
# Set up Burp proxy
# Configure device to use proxy
# Install Burp CA certificate
# For pinned apps:
# Use Frida to bypass pinning
frida -U -f com.example.app -l ssl-bypass.js
```
Runtime Manipulation
```bash
# Using objection
objection -g com.example.app explore
# Useful commands inside the objection shell:
android hooking list activities
android hooking list services
android intent launch_activity <activity>
android keystore list
```
Common Mobile Vulnerabilities
Deeplink Vulnerabilities
```bash
# Find deeplinks
grep -r "scheme" AndroidManifest.xml
grep -r "CFBundleURLSchemes" Info.plist
# Test deeplink injection
adb shell am start -a android.intent.action.VIEW \
  -d "myapp://callback?token=stolen"
```
WebView Vulnerabilities
```text
# Check for JavaScript enabled
# Check for file:// access
# Test for XSS in WebView
# Malicious URL in WebView
myapp://webview?url=javascript:alert(document.domain)
```
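The fix for the URL above is an allow-list on the parameter before it reaches the WebView. As an added example (not from the original post), the check below mirrors the logic an app's `WebViewClient` should apply, written in Python so the decision can be unit-tested against the payloads a tester would send. The `myapp` scheme and `webview` host come from the URL above; the `url` parameter name, the allowed hosts and the function name are assumptions for this example.

```python
"""Added example: allow-list check for a deeplink parameter that a WebView
will load. Mirrors app-side logic; not the original post's code."""
from __future__ import annotations

from typing import Optional
from urllib.parse import parse_qs, urlparse

ALLOWED_HOSTS = {"www.example.com", "help.example.com"}  # assumed allow-list
DEEPLINK_SCHEME = "myapp"                                 # from the URL above


def webview_target(deeplink: str, allowed_hosts=ALLOWED_HOSTS) -> Optional[str]:
    """Return the URL the WebView may load, or None if the deeplink must be dropped.

    Only an https URL to an allow-listed host passes. One positive rule covers
    javascript:, file:, data: and intent: targets, look-alike hosts and
    userinfo tricks, where a deny-list of bad schemes would need constant upkeep.
    """
    link = urlparse(deeplink)
    if link.scheme != DEEPLINK_SCHEME or link.netloc != "webview":
        return None
    params = parse_qs(link.query)           # percent-decodes the value
    values = params.get("url", [])
    if len(values) != 1:                    # missing or duplicated parameter
        return None
    candidate = values[0].strip()
    target = urlparse(candidate)
    if target.scheme != "https":
        return None                         # rejects javascript:, file:, data:, http:
    if target.username is not None or target.password is not None:
        return None                         # https://www.example.com@evil/ confusion
    if target.hostname not in allowed_hosts:
        return None                         # exact match, never endswith()
    return candidate


if __name__ == "__main__":
    for probe in ("myapp://webview?url=javascript:alert(document.domain)",
                  "myapp://webview?url=https://help.example.com/article/42"):
        print(probe, "->", webview_target(probe))
```

The same rule belongs in `shouldOverrideUrlLoading`, since a page already inside the WebView can navigate it just as a deeplink can, and `setAllowFileAccess(false)` closes the `file://` path independently of the URL check.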
Insecure Broadcasts
```bash
# Find broadcast receivers
grep -r "receiver" AndroidManifest.xml
# Send malicious broadcast
adb shell am broadcast -a com.example.INTENT \
  --es data "malicious"
```
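Both the deeplink and the broadcast checks above start from the manifest, and a reviewer fixing the app needs the same list from the other side: which components any app on the device can reach, and which activities accept custom URI schemes. The parser below is an added example (not from the original post); the manifest is constructed for it and the function names are mine. The implicit-export rule it applies is Android's documented pre-Android-12 default, where a component with an intent filter is exported unless `android:exported="false"` is set.

```python
"""Added example: enumerate exported components and deeplink handlers from a
decoded AndroidManifest.xml (apktool output). Not the original post's code."""
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def attr(name: str) -> str:
    """ElementTree key for an android:<name> attribute."""
    return f"{{{ANDROID_NS}}}{name}"


@dataclass
class Component:
    kind: str                 # activity, receiver or service
    name: str
    exported: bool
    permission: Optional[str]  # android:permission guarding the component
    actions: list[str]
    schemes: list[str]         # URI schemes from <data android:scheme=...>


def parse_manifest(xml_text: str) -> list[Component]:
    root = ET.fromstring(xml_text)
    app = root.find("application")
    if app is None:
        return []
    comps: list[Component] = []
    for kind in ("activity", "receiver", "service"):
        for el in app.findall(kind):
            filters = el.findall("intent-filter")
            explicit = el.get(attr("exported"))
            if explicit is not None:
                exported = explicit == "true"
            else:
                # Pre-Android-12 default: an intent filter implies exported.
                # Android 12+ rejects the omission at build time, but apps with
                # an older targetSdk still ship this way.
                exported = bool(filters)
            actions = [a.get(attr("name"), "") for f in filters for a in f.findall("action")]
            schemes = [d.get(attr("scheme")) for f in filters for d in f.findall("data")
                       if d.get(attr("scheme"))]
            comps.append(Component(kind, el.get(attr("name"), "?"), exported,
                                   el.get(attr("permission")), actions, schemes))
    return comps


def unguarded_exports(comps: list[Component]) -> list[Component]:
    """Reachable by any app on the device: exported with no android:permission."""
    return [c for c in comps if c.exported and not c.permission]


def deeplink_handlers(comps: list[Component]) -> list[Component]:
    """Activities that accept VIEW intents for a URI scheme."""
    return [c for c in comps
            if c.kind == "activity" and c.schemes and "android.intent.action.VIEW" in c.actions]


# Constructed manifest: one launcher, one implicitly exported deeplink handler,
# one private activity, one implicitly exported receiver, one permission-guarded service.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <application>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".CallbackActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="myapp" android:host="callback"/>
      </intent-filter>
    </activity>
    <activity android:name=".WebViewActivity" android:exported="false"/>
    <receiver android:name=".DataReceiver">
      <intent-filter>
        <action android:name="com.example.INTENT"/>
      </intent-filter>
    </receiver>
    <service android:name=".SyncService" android:exported="true"
        android:permission="com.example.permission.SYNC"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    components = parse_manifest(SAMPLE_MANIFEST)
    for c in unguarded_exports(components):
        print(f"exported without permission: {c.kind} {c.name} actions={c.actions}")
    for c in deeplink_handlers(components):
        print(f"deeplink handler: {c.name} schemes={c.schemes}")
```

Every entry from `unguarded_exports()` is a component the `am start` and `am broadcast` commands above can reach, so the remediation is either `android:exported="false"` or a signature-level `android:permission`; every entry from `deeplink_handlers()` needs parameter validation of the kind a WebView or callback token demands.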
Mobile Testing Checklist
- Extract and decompile APK/IPA
- Search for hardcoded secrets
- Check data storage (SharedPrefs, SQLite, files)
- Intercept traffic (bypass pinning if needed)
- Test deeplinks for injection
- Check WebView configuration
- Test exported components
- Analyze backup data
Bounty Examples
| Company | Bug | Bounty |
|---|---|---|
| Uber | Hardcoded API key | $5,000 |
| | Deeplink account takeover | $15,000 |
| TikTok | WebView XSS | $10,000 |
| | Certificate pinning bypass + data leak | $8,000 |
Pro Tip: Mobile apps are compiled from the same codebase as web apps but often have older, unpatched versions and exposed internal APIs.
Next, we'll cover automation and Nuclei templates.