Mobile penetration testing is a relatively new addition to the cybersecurity world when compared with infrastructure or website testing. It involves taking an app that has been built (or updated) by a client and seeing what vulnerabilities lie within the app or what vulnerabilities it creates on the phone itself simply by being installed.

Numerous tools can assist with a mobile penetration test, and some of those are listed below. But the point of this blog is to discuss in broad terms what is required for a penetration tester to complete a test on a mobile application. These requirements are listed here with some examples:

1. A rooted Android device and jailbroken iPhone (or emulators). These allow full manipulation of the phone, including adding proxy server certificates, browsing the full file system and, on iOS, installing third-party applications which are otherwise forbidden.
   
2. Ideally, a special app is built for each platform with certain protections removed, such as SSL Pinning. These protections are possible to bypass but can take time, which means less time for testing more important things or a longer test window.
3. Static Analysis Tools. These tools are used to decompile the application files to varying degrees and scan the code for various issues. These scans are much more successful with Android.apk files than with iOS .ipa files due to the way the applications are written and packaged. This means that the code in .ipa files is much harder to analyse. This step can return some vulnerabilities and can also provide some information that is useful or worth double-checking during the dynamic analysis phase. Some examples of static analysis tools are listed below:
   1. MobSF (Mobile Security Framework) https://github.com/MobSF/Mobile-Security-Framework-MobSF
   2. Androbugs https://github.com/AndroBugs/AndroBugs_Framework
   3. APKTool https://github.com/iBotPeaches/Apktool
   4. Qark (Quick Android Review Kit) https://github.com/linkedin/qark
4. Dynamic Analysis Tools. These are used to interact with the software while it is running on the phone. The main parts of this step are proxying the traffic from the phone to allow observing/manipulating of the traffic from the application (this step is very much like a web application test, interacting with API calls etc), and interacting with the processes within the software itself, usually using Frida which injects a javascript engine into the application and allows for prewritten or custom scripting to be used for actions such as bypassing a login screen or removing root detection. Some examples of dynamic analysis tools are listed below:
   1. Burp Professional (or other proxying software) https://portswigger.net/burp/pro
   2. Frida https://frida.re/
   3. Objection https://github.com/sensepost/objection
   4. MobSF (Mobile Security Framework) https://github.com/MobSF/Mobile-Security-Framework-MobSF

All of these sections will be delved into with greater detail in further posts. The purpose of this is simply to give a broad overview of what a mobile application penetration test entails and examples of tools that can be used to carry out the test and complete the objective of ensuring that the application is secure, both on the platform it is installed upon and in the way in which it interacts with its APIs.