LazyHackers.in — Checklist
📱 Mobile App Pentest Checklist
Android + iOS (MASVS), item by item: scenario · command · steps · the finding · the fix
☰ How to use this guide
Mobile testing is four streams: static (decompile, read the code/manifest), dynamic (Frida/objection hooking on a rooted/jailbroken device), traffic (proxy + bypass cert pinning), and backend (the API the app talks to). The app is just a client — real damage is usually API-side, so pair this with the API checklist. Tags below: [A] Android, [i] iOS, [A/i] both.
# Pull + decompile (Android)
adb shell pm path com.target ; adb pull /data/app/.../base.apk
jadx -d out base.apk ; apktool d base.apk -o smali_out
# Automated baseline (both platforms)
mobsf # upload APK/IPA -> static + some dynamic
# Dynamic instrumentation
frida-ps -Ua ; objection -g com.target explore0 Recon, static prep & tooling
Decompile and read the binary first. Hardcoded secrets, debug flags and known-vuln SDKs fall out immediately.
Static secrets & debug flags
# Secrets / endpoints / keys in code
grep -rEi 'api[_-]?key|secret|password|token|http://|https://|firebaseio|s3\.amazonaws' out/
# Android manifest red flags
grep -E 'android:debuggable|allowBackup|exported|usesCleartextTraffic' out/resources/AndroidManifest.xml
# iOS: entitlements + strings
codesign -d --entitlements - App.app ; strings App.app/App | grep -Ei 'key|secret|http'Recon & static prep — full coverage
| Checklist item | How to test | Report as |
|---|---|---|
| [A] APK decompiled, manifest/smali reviewed | jadx + apktool | Static review baseline |
| [i] IPA extracted, class-dump/Ghidra review | class-dump / Hopper | Static review baseline (iOS) |
| [A/i] Hardcoded secrets/endpoints | grep code | Hardcoded secret |
| [A/i] Hardcoded crypto keys/IV/salt | grep crypto constants | Hardcoded crypto material |
| [A/i] SDK with known CVE | dependency check | Vulnerable SDK |
| [A/i] Debug strings/internal URLs | strings/grep | Debug info in binary |
| [A] Firebase/GCS/S3 endpoints → open store | grep + test bucket | Open backend store |
| [A] BuildConfig.DEBUG true in release | inspect BuildConfig | Debug flag in release |
| [A] android:debuggable=true | manifest check | Debuggable release |
| [i] get-task-allow in release | entitlements check | Debug entitlement in release |
| [A/i] Source maps/symbols shipped | inspect package | Symbols shipped |
| [A] Janus / v1-only signature | apksigner verify | Weak signature scheme |
| [A/i] Accepts repackaged binary | resign + run | No integrity check |
1 Data storage (MASVS-STORAGE)
MASVS-STORAGE: sensitive data written to insecure local stores. Exercise the app, then inspect its sandbox.
# Android: dump app sandbox and grep for sensitive data
adb shell run-as com.target ls -R /data/data/com.target
adb pull /data/data/com.target/shared_prefs ; cat *.xml # plaintext tokens?
adb logcat | grep -i com.target # secrets in logcat?
# iOS (objection): inspect Keychain / files
objection -g com.target explore
ios keychain dump ; env ; ios nsuserdefaults getData storage — full coverage
| Checklist item | How to test | Report as |
|---|---|---|
| [A] Sensitive in SharedPreferences | cat shared_prefs | Plaintext SharedPreferences |
| [A] Sensitive in SQLite | pull & open DB | Unencrypted SQLite |
| [A] Sensitive in external storage | check /sdcard | World-readable storage |
| [A] Sensitive in logcat | adb logcat | Sensitive data in logs |
| [A] allowBackup=true leak | adb backup | Backup data leak |
| [i] Sensitive in NSUserDefaults/plist | objection nsuserdefaults | Plaintext NSUserDefaults |
| [i] Unencrypted Core Data/SQLite | inspect files | Unencrypted iOS DB |
| [i] Keychain weak accessibility | keychain dump | Weak Keychain accessibility |
| [i] Keychain not ThisDeviceOnly | inspect attrs | Keychain accessibility too broad |
| [i] Data to iCloud/iTunes backup | check backup attrs | Sensitive data in backup |
| [A/i] Creds not cleared on logout | logout, re-inspect | Credentials persist after logout |
| [A/i] Sensitive in cache/temp/WebView | inspect caches | Sensitive data cached |
| [A/i] Sensitive in crash/analytics | inspect payloads | Sensitive data in analytics |
| [A/i] Clipboard leaks (OTP/card) | check clipboard | Clipboard leak |
| [A/i] Screenshot/snapshot leaks screen | background app, check snapshot | Task-switcher snapshot leak |
| [i] Snapshot in /Library/Caches/Snapshots | inspect snapshots | iOS snapshot leak |
| [A/i] Keyboard cache stores input | inspect keyboard cache | Keyboard cache leak |
| [A/i] Autofill exposes fields | test autofill | Insecure autofill |
2 Cryptography (MASVS-CRYPTO)
MASVS-CRYPTO: weak algorithms, static keys/IVs and non-CSPRNG. Find usage in the decompiled code.
Cryptography — full coverage
| Checklist item | How to test | Report as |
|---|---|---|
| [A/i] Weak algorithm (DES/RC4/MD5/SHA1) | grep crypto usage | Weak cryptographic algorithm |
| [A/i] ECB mode | grep "ECB" | ECB mode usage |
| [A/i] Hardcoded/static key | grep key constants | Hardcoded encryption key |
| [A/i] Static/predictable IV | grep IV | Static IV |
| [A/i] Insecure random | grep Math.random/Random/rand | Insecure randomness |
| [A/i] Weak KDF | review key derivation | Weak key derivation |
| [A] Key not in Keystore | review key storage | Key not in Android Keystore |
| [i] Key not in Secure Enclave/Keychain | review key storage | Key not in Secure Enclave |
| [A/i] Home-grown crypto | review crypto code | Custom cryptography |
| [A/i] Hash without salt | review hashing | Unsalted hash |
| [A/i] Keys retrievable from memory | frida memory dump | Key recoverable from memory |
3 Authentication & session (MASVS-AUTH)
MASVS-AUTH: client-side auth and biometric trust. The killer is a biometric/PIN result trusted client-side with no crypto binding — hookable with Frida.
# Biometric bypass — force the success callback (Android)
objection -g com.target explore
android hooking watch class_method com.target.BiometricCallback.onAuthenticationSucceeded
# or a Frida script overriding evaluatePolicy (iOS) / onAuthenticationSucceeded (Android)
frida -U -f com.target -l bypass-biometric.jsAuthentication & session — full coverage
| Checklist item | How to test | Report as |
|---|---|---|
| [A/i] Auth validated client-side only | hook/inspect | Client-side authentication |
| [A/i] Token stored insecurely | see §1 | Insecure token storage |
| [A/i] Token not invalidated server-side | reuse after logout | Server-side logout missing |
| [A/i] Biometric result trusted client-side | Frida hook (above) | Biometric bypass |
| [A] onAuthenticationSucceeded patchable | objection hook | Patchable biometric callback |
| [i] evaluatePolicy patchable | Frida hook | Patchable LocalAuthentication |
| [A/i] PIN brute force (no lockout) | brute PIN | PIN brute force |
| [A/i] PIN stored locally/comparable | inspect storage | Local PIN comparison |
| [A/i] Remember-me long-lived/non-revocable | inspect token | Persistent remember-me token |
| [A/i] OTP autofill leaks | check clipboard/notification | OTP autofill leak |
| [A/i] 2FA not enforced at backend | call API post-factor-1 | 2FA not enforced server-side |
| [A/i] JWT issues | see API checklist | JWT weakness |
| [A/i] Step-up auth missing | do sensitive action | Missing step-up auth |
4 Network communication (MASVS-NETWORK)
MASVS-NETWORK: TLS and certificate pinning. The test is can you MITM — and if pinned, can you bypass the pin.
# Proxy traffic; if pinned, bypass with objection/frida
objection -g com.target explore
android sslpinning disable # (ios sslpinning disable on iOS)
# or universal Frida script
frida -U -f com.target -l frida-multiple-unpinning.js
# Then read traffic in Burp; flag cleartext, weak TLS, accepted invalid certsNetwork communication — full coverage
| Checklist item | How to test | Report as |
|---|---|---|
| [A/i] Cleartext HTTP allowed | proxy & observe | Cleartext traffic |
| [A] cleartextTrafficPermitted true | manifest/NSC check | Cleartext permitted (Android) |
| [i] NSAllowsArbitraryLoads true | Info.plist ATS check | ATS disabled (iOS) |
| [A/i] No certificate pinning | MITM succeeds | No certificate pinning |
| [A/i] Pinning bypassable | objection/frida bypass | Weak certificate pinning |
| [A/i] Accepts self-signed/invalid cert | present bad cert | Broken TLS validation |
| [A/i] TrustManager/verifier accepts all | review code | Trust-all TLS |
| [A/i] Weak TLS version/cipher | inspect handshake | Weak TLS |
| [A/i] Sensitive data in URL/query | inspect requests | Sensitive data in URL |
| [A/i] MITM exposes full traffic | MITM test | No transport defense-in-depth |
| [A/i] WebSocket unencrypted/no origin | inspect WS | Insecure WebSocket |
5 Platform interaction (MASVS-PLATFORM)
MASVS-PLATFORM: exported components, deep links and WebView. Exported components let other apps invoke your code; WebView bridges JS to native.
# Android: enumerate & invoke exported components
grep -B2 'android:exported="true"' out/resources/AndroidManifest.xml
adb shell am start -n com.target/.SecretActivity # exported Activity
adb shell content query --uri content://com.target.provider # exported ContentProvider
drozer console connect # then run app.provider.* / app.activity.* modules
# WebView red flags
grep -rE 'addJavascriptInterface|setAllowFileAccess|setJavaScriptEnabled' out/Platform interaction — full coverage
| Checklist item | How to test | Report as |
|---|---|---|
| [A] Exported Activity launchable | am start | Exported Activity |
| [A] Exported Service invokable | invoke service | Exported Service |
| [A] Exported BroadcastReceiver | send broadcast | Exported Receiver |
| [A] Exported ContentProvider r/w | content query/insert | Exported ContentProvider |
| [A] ContentProvider SQLi/traversal | inject in provider query | ContentProvider injection |
| [A] Implicit intent leaks data | review intents | Implicit-intent leak |
| [A] Intent redirection → privesc | craft forwarded intent | Intent redirection |
| [A] Mutable PendingIntent hijack | review PendingIntent flags | Mutable PendingIntent |
| [A] Deep link param injection | adb start deep link | Deep-link injection |
| [A] Deep link → WebView arbitrary URL | deep link to WebView | WebView open-redirect |
| [A] Weak custom permission protectionLevel | review manifest | Weak custom permission |
| [A] Task hijacking / StrandHogg | review taskAffinity/launchMode | Task hijacking |
| [A] setResult/returned intent spoofable | review result handling | Spoofable result intent |
| [i] Custom URL scheme param injection | open custom scheme | URL-scheme injection |
| [i] Weak Universal Link validation | test universal link | Universal-Link hijack |
| [i] General pasteboard shared | inspect pasteboard | Pasteboard leak |
| [i] App/share extension data leak | review extensions | Extension data leak |
| [i] Insecure inter-app comms | review IPC | Insecure IPC |
| [A/i] WebView JS enabled w/ untrusted content | review WebView | Unsafe WebView JS |
| [A] addJavascriptInterface exposes native | grep + test bridge | JS bridge exposure |
| [A] setAllowFileAccess / file:// | review WebView | WebView file access |
| [A] setAllowUniversalAccessFromFileURLs | review WebView | Universal file access |
| [i] WKWebView allowFileAccessFromFileURLs | review WebView | WKWebView file access |
| [A/i] XSS in WebView → bridge abuse | inject XSS | WebView XSS to native |
| [A/i] Mixed content / untrusted URL | review loads | Mixed/untrusted content |
| [A/i] No URL allowlist on navigation | navigate off-domain | Missing WebView allowlist |
6 Resilience / anti-reversing (MASVS-RESILIENCE)
MASVS-RESILIENCE: anti-reversing controls. Defense-in-depth, not core vulns — severity depends on context (high for banking).
Resilience / anti-reversing — full coverage
| Checklist item | How to test | Report as |
|---|---|---|
| [A/i] No root/jailbreak detection | run on rooted device | No root/JB detection |
| [A/i] Detection trivially bypassable | objection/frida bypass | Bypassable root/JB detection |
| [A/i] No anti-debugging | attach debugger | No anti-debug |
| [A/i] No anti-hooking | attach Frida | No anti-hooking |
| [A/i] No code obfuscation | review decompiled clarity | No obfuscation |
| [A/i] No runtime integrity check | tamper & run | No tamper detection |
| [A/i] No emulator detection | run on emulator | No emulator detection |
| [A] Repackaging possible | resign + run | Repackaging possible |
| [A/i] Sensitive logic client-side | review logic location | Sensitive logic on client |
7 Privacy & permissions (MASVS-PRIVACY)
MASVS-PRIVACY: over-collection and leakage of PII to third parties.
Privacy & permissions — full coverage
| Checklist item | How to test | Report as |
|---|---|---|
| [A/i] Over-requested permissions | review manifest/plist | Excessive permissions |
| [A/i] PII without consent | review data flows | PII collected without consent |
| [A/i] PII to third-party SDKs | inspect traffic | PII shared with trackers |
| [A/i] Device identifiers misused | review usage | Device identifier misuse |
| [A/i] Location collected unnecessarily | review location use | Unnecessary location collection |
| [A/i] Sensitive data to analytics/crash | inspect payloads | Sensitive data to third party |
| [A/i] EXIF/metadata in uploads | exiftool on uploads | Metadata leak |
8 Runtime / dynamic
Cross-cutting dynamic attacks: hook the app to change auth/payment outcomes, edit local values, and tamper responses.
# Hook a method to flip an outcome (e.g. isPremium / verifyPin)
frida -U -f com.target -l hook.js
# hook.js: Java.use('com.target.Auth').verifyPin.implementation = function(){ return true; }
# Response tampering: edit the app's API response in Burp (success:false -> true)Runtime / dynamic — full coverage
| Checklist item | How to test | Report as |
|---|---|---|
| [A/i] Hooking changes auth/payment | Frida PoC | Client-side decision bypass |
| [A/i] Sensitive values in memory | frida memory scan | Sensitive data in memory |
| [A/i] Local data tamper alters logic | edit local store | Client data tampering |
| [A/i] Response tamper accepted | flip response in Burp | Response tampering accepted |
| [A/i] Local price/balance/flag editable | edit & observe | Client-side value trusted |
| [A] Logcat leaks runtime data | adb logcat | Runtime log leak |
| [A/i] Works normally on rooted/JB for sensitive ops | run sensitive flow rooted | No root/JB enforcement on sensitive flow |
A Banking / fintech mobile
Banking weights storage, pinning, biometric/PIN, root detection and device binding as high — and the backend transaction integrity (pair with the API checklist).
Banking / fintech mobile — full coverage
| Checklist item | How to test | Report as |
|---|---|---|
| [A/i] Card/CVV/account stored on device | inspect storage | Financial data on device |
| [A/i] MPIN/TPIN stored/comparable | inspect storage | Local PIN comparison |
| [A/i] MPIN brute (no server lockout) | brute PIN | PIN brute force |
| [A/i] OTP autofill leaks | check clipboard/notification | OTP leak |
| [A/i] Biometric/PIN bypass → txn | Frida hook | Auth bypass to transaction |
| [A/i] No cert pinning on banking API | MITM | No certificate pinning |
| [A/i] Pinning bypass → interception | objection bypass | Pinning bypass |
| [A/i] Amount/beneficiary tamperable | tamper request | Transaction tampering |
| [A/i] Local transaction limit only | exceed via API | Client-side limit |
| [A/i] Device binding bypass | move session | Device-binding bypass |
| [A/i] No root/JB block on banking flow | run rooted | Missing root enforcement |
| [A/i] Snapshot leaks account/txn | background app | Snapshot leak |
| [A/i] Sensitive data in logs/crash | inspect logs | Sensitive log leak |
| [A/i] KYC cached unencrypted | inspect storage | KYC stored insecurely |
| [A/i] Session not killed on background/timeout | background & resume | Missing session timeout |
B E-commerce mobile
Price/payment tampering and BOLA via the mobile API — the app is just the entry point.
E-commerce mobile — full coverage
| Checklist item | How to test | Report as |
|---|---|---|
| [A/i] Price/total tamperable | tamper request | Price tampering |
| [A/i] Coupon/loyalty client-side | tamper logic | Client-side commerce logic |
| [A/i] Payment callback tamper | forge callback | Payment bypass |
| [A/i] Stored payment method cached | inspect storage | Insecure payment cache |
| [A/i] Order/wishlist/address BOLA | swap IDs via API | BOLA via mobile API |
| [A/i] Refund/cancel tamper | tamper flow | Refund/cancel manipulation |
| [A/i] Deep link to checkout w/ params | craft deep link | Deep-link parameter injection |
C SaaS / enterprise mobile
Enterprise mobile: tenant isolation, token caching/scope, and OAuth handled over insecure URL schemes.
SaaS / enterprise mobile — full coverage
| Checklist item | How to test | Report as |
|---|---|---|
| [A/i] Cross-tenant via tamperable tenant ID | swap tenant via API | Cross-tenant access |
| [A/i] Token cached insecurely/over-scoped | inspect storage | Insecure/over-scoped token |
| [A/i] Token not revoked on logout/removal | reuse after logout | Token not revoked |
| [A/i] SSO/OAuth via insecure URL scheme | review redirect | Insecure OAuth redirect |
| [A/i] OAuth token leak via scheme hijack | register colliding scheme | URL-scheme hijack |
| [A/i] MDM/work-profile data to personal | review data boundary | Work/personal data leak |
| [A/i] Offline cache exposes other-tenant data | inspect cache | Offline cross-tenant cache |
D Healthcare mobile
PHI on the device: unencrypted caches, world-readable/iCloud-synced reports, and snapshot/log leaks.
Healthcare mobile — full coverage
| Checklist item | How to test | Report as |
|---|---|---|
| [A/i] PHI cached unencrypted | inspect storage | PHI stored insecurely |
| [A/i] Reports in world-readable/iCloud storage | inspect storage | PHI in insecure storage |
| [A/i] PHI in logs/analytics/crash | inspect logs/payloads | PHI in logs |
| [A/i] Snapshot leaks medical data | background app | Snapshot leak (PHI) |
| [A/i] BOLA on patient records via API | swap IDs | BOLA on PHI |
| [A/i] No consent/access enforcement | access without consent | Consent/access gap |
✓ Coverage map & how to run it
Run sections 0–8 per platform tag (Android block on Android, iOS block on iOS), then the category block. Weight resilience higher for banking.
| Section | Run on | Focus |
|---|---|---|
| Universal 0–8 | Every mobile target | Static, storage, crypto, auth, network, platform, resilience, privacy, runtime |
| Banking | Fintech apps | Storage, pinning, biometric/PIN, root detection, device binding |
| E-commerce | Shopping apps | Price/payment tamper, BOLA via API |
| SaaS | Enterprise apps | Tenant isolation, token caching, OAuth scheme hijack |
| Healthcare | Health apps | PHI storage, snapshot/log leaks, BOLA |
The reminder that pays off: a mobile pentest is static + dynamic + traffic + backend. The app is a client — most real damage is on the API it calls, so always pair this with the API checklist. Tick a box only when you've actually run the test on a device you control.