Mobile apps are omnipresent, from social media and enterprise to payment wallets. But most are still open to attack. This handbook is your step-by-step tutorial on pentesting mobile apps in 2025, with code snippets, tool instructions, and advice.

## Tools Setup

Below is a quick Android (Linux/macOS) setup:

```bash
# Install ADB (Android Debug Bridge)
sudo apt install android-tools-adb

# Install MobSF (in a virtual environment)
git clone https://github.com/MobSF/Mobile-Security-Framework-MobSF.git
cd Mobile-Security-Framework-MobSF
./setup.sh
```

To decompile an Android APK:

```bash
# Use JADX
jadx openexploit.apk -d outputfolder

# Use APKTool
apktool d openexploit.apk -o decompiled
```

To capture HTTPS traffic, make sure Burp Suite is installed.

Prefer watching instead of reading? Here's a quick video guide: https://youtu.be/VwMd4fFFhs0?embedable=true

## Information Gathering

Simple reconnaissance on an APK file:

```bash
# Show APK permissions
aapt dump permissions openexploit.apk

# Analyze the manifest
unzip -p openexploit.apk AndroidManifest.xml
```

Note that the manifest inside a packaged APK is binary XML, so the `unzip` output is not directly readable; use the decoded `AndroidManifest.xml` that apktool writes to the `decompiled/` folder, or `aapt dump xmltree openexploit.apk AndroidManifest.xml`.

Check for:

- `android:debuggable="true"`
- Exported activities, services, and receivers.
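The two manifest checks above can be automated. The script below is an added example, not code from the original article; it reads a decoded `AndroidManifest.xml` (the kind apktool produces, which is assumed here) and reports a debuggable build and every exported activity, service, receiver or provider that is not guarded by a permission. The sample manifest is constructed for the demo.

```python
# Added example: audit a decoded AndroidManifest.xml for debuggable builds and
# unprotected exported components. Sample manifest below is constructed.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENTS = ("activity", "service", "receiver", "provider")

# Constructed sample manifest, not taken from any real app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
  <application android:debuggable="true">
    <activity android:name=".MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true"/>
    <receiver android:name=".BootReceiver" android:exported="true"
              android:permission="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <provider android:name=".DataProvider" android:exported="false"/>
  </application>
</manifest>"""


def attr(elem, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def is_exported(elem):
    """Exported if android:exported="true", or if the attribute is missing and the
    component declares an intent-filter (the implicit default before API 31)."""
    exported = attr(elem, "exported")
    if exported is not None:
        return exported == "true"
    return elem.find("intent-filter") is not None


def audit_manifest(xml_text):
    """Return a list of finding strings for the manifest."""
    app = ET.fromstring(xml_text).find("application")
    if app is None:
        return ["no <application> element found"]
    findings = []
    if attr(app, "debuggable") == "true":
        findings.append('application is debuggable (android:debuggable="true")')
    for comp in app.iter():
        if comp.tag in COMPONENTS and is_exported(comp) and attr(comp, "permission") is None:
            findings.append("exported %s without permission: %s" % (comp.tag, attr(comp, "name")))
    return findings


if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST):
        print("[!]", finding)
```

The launcher activity is expected to be exported, so that hit is a triage item rather than a defect; the exported service without a permission is the one to write up.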
## Static Analysis

Decompile and read the source code for hardcoded secrets:

```bash
# Using JADX
jadx-gui openexploit.apk
```

Look for:

```java
String apiKey = "openexploit_api_key";
```

Scan `res/values/strings.xml`, `assets/`, and `.so` native libraries for secrets.

## Dynamic Analysis

Intercept API calls: use Burp Suite and manipulate app traffic. Set your proxy and monitor requests. Look for JWTs, session cookies, and API parameters.

Bypass SSL pinning using Frida:

```bash
# Android SSL pinning bypass (Frida script)
frida -U -n com.target.openexploit -l frida-ssl-bypass.js
```

Sample code snippet of `frida-ssl-bypass.js`:

```javascript
Java.perform(function () {
  var X509TrustManager = Java.use('javax.net.ssl.X509TrustManager');
  var SSLContext = Java.use('javax.net.ssl.SSLContext');

  // A TrustManager implementation that accepts every certificate chain
  var TrustManager = Java.registerClass({
    name: 'org.wooyun.TrustManager',
    implements: [X509TrustManager],
    methods: {
      checkClientTrusted: function () {},
      checkServerTrusted: function () {},
      getAcceptedIssuers: function () { return []; }
    }
  });

  var TrustManagers = [TrustManager.$new()];
  var SSLContextInit = SSLContext.init;

  // Swap the app's TrustManager array for the permissive one on every SSLContext.init call
  SSLContext.init.implementation = function (keyManager, trustManager, secureRandom) {
    SSLContextInit.call(this, keyManager, TrustManagers, secureRandom);
  };
});
```

## API Testing

Use Burp Suite to fuzz and test API security. Bypass authentication:

```http
POST /api/user/profile HTTP/1.1
Host: www.openexploit.in
Authorization: Bearer [XXXX-XXXX-XXXX-XXXX]
```

- Try expired authentication tokens.
- Remove the token and validate whether the endpoint still works.
- Try Insecure Direct Object Reference (IDOR) by changing IDs.

Use curl for API testing:

```bash
curl -X GET https://api.openexploit.in/user/123 \
  -H "Authorization: Bearer authtoken-xxx-xx-xxx-xxx"
```

See if you are able to:

- View other users' data
- Change roles
- Invoke admin endpoints

## Local Data Storage Analysis

Pull data from an Android emulator/device:

```bash
# List app packages
adb shell pm list packages

# Pull openexploit app data (only if rooted)
adb root
adb shell
cd /data/data/com.target.openexploit/
```

Check these:

- `shared_prefs/`: does any `.xml` contain credentials?
- `databases/`: dump SQLite DBs using sqlite3:

```
sqlite3 openexploit.db
sqlite> .tables
sqlite> SELECT * FROM users;
```
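The three API probes above (expired token, missing token, changed ID) each correspond to a server-side check that should fail closed. The following is an added example, not code from the article or any real backend: a minimal authorization function for a `GET /user/<id>` endpoint, with a constructed token store, that replays the probes and returns the status each one should receive.

```python
# Added example: server-side authorization for GET /user/<id>, exercised with the
# article's three probes. Token store and token strings below are constructed.
import time

# Constructed token store: bearer token -> (user_id, role, expiry as Unix time).
# The role is looked up here, never read from the request, so a client cannot "change roles".
TOKENS = {
    "tok-alice-valid":   ("123", "user",  time.time() + 3600),
    "tok-alice-expired": ("123", "user",  time.time() - 60),
    "tok-admin-valid":   ("999", "admin", time.time() + 3600),
}


def authorize(headers, requested_user_id, now=None):
    """Return (status, reason). 200 only for a live token whose subject owns the
    requested record, or for an admin role taken from the server-side store."""
    now = time.time() if now is None else now
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, "missing bearer token"          # probe: token removed
    entry = TOKENS.get(auth[len("Bearer "):])
    if entry is None:
        return 401, "unknown token"
    user_id, role, expiry = entry
    if now >= expiry:
        return 401, "token expired"                 # probe: expired token
    if user_id != requested_user_id and role != "admin":
        return 403, "not owner of resource"         # probe: IDOR via changed ID
    return 200, "ok"


def run_probes():
    """Replay the probes against authorize() and collect the resulting statuses."""
    return {
        "no_token":   authorize({}, "123")[0],
        "expired":    authorize({"Authorization": "Bearer tok-alice-expired"}, "123")[0],
        "idor":       authorize({"Authorization": "Bearer tok-alice-valid"}, "456")[0],
        "own_record": authorize({"Authorization": "Bearer tok-alice-valid"}, "123")[0],
        "admin":      authorize({"Authorization": "Bearer tok-admin-valid"}, "456")[0],
    }


if __name__ == "__main__":
    for probe, status in run_probes().items():
        print("%-10s -> %d" % (probe, status))
```

If any probe returns 200 where this function returns 401 or 403, that is the finding to report.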
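Both `res/values/strings.xml` (Static Analysis) and the `shared_prefs/*.xml` files (Local Data Storage) are lists of `<string name="...">` entries, so one scanner covers both checks. The script below is an added example, not code from the article; the two XML documents are constructed samples, and the key-name and JWT heuristics are assumptions that a tester would tune per app.

```python
# Added example: flag credential-looking entries in strings.xml and SharedPreferences
# dumps. Both XML samples below are constructed for the demo.
import re
import xml.etree.ElementTree as ET

SUSPICIOUS_NAME = re.compile(r"(api[_-]?key|secret|password|passwd|token|auth)", re.I)
JWT_RE = re.compile(r"^eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$")

SAMPLE_STRINGS_XML = """<resources>
  <string name="app_name">OpenExploit Demo</string>
  <string name="api_key">openexploit_api_key</string>
  <string name="welcome">Welcome back</string>
</resources>"""

SAMPLE_SHARED_PREFS = """<map>
  <string name="username">alice</string>
  <string name="password">hunter2</string>
  <string name="session">eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjMifQ.c2lnbmF0dXJl</string>
  <boolean name="onboarded" value="true" />
</map>"""


def classify(name, value):
    """Return a reason string if the entry looks like a secret, else None."""
    if not value:
        return None
    if JWT_RE.match(value):
        return "JWT-shaped value"
    if SUSPICIOUS_NAME.search(name):
        return "sensitive key name"
    return None


def scan_xml(xml_text, source):
    """Return a list of (source, name, reason) for every suspicious <string> entry."""
    findings = []
    for elem in ET.fromstring(xml_text).iter("string"):
        name = elem.get("name", "")
        reason = classify(name, (elem.text or "").strip())
        if reason:
            findings.append((source, name, reason))
    return findings


def scan_all():
    """Scan the constructed resource file and preferences dump together."""
    return (scan_xml(SAMPLE_STRINGS_XML, "res/values/strings.xml")
            + scan_xml(SAMPLE_SHARED_PREFS, "shared_prefs/prefs.xml"))


if __name__ == "__main__":
    for source, name, reason in scan_all():
        print("[!] %s: %s (%s)" % (source, name, reason))
```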
## Reverse Engineering and Code Injection

Inject into the runtime using Frida + Objection.

```bash
# Install Objection
pip install objection

# Bypass root detection
objection -g com.target.openexploit explore

# Inside the shell
android root disable
```

Hooking methods using Frida:

```javascript
Java.perform(function () {
  var Login = Java.use("com.app.login.LoginActivity");
  Login.checkCredentials.implementation = function (user, pass) {
    console.log("User: " + user + ", Pass: " + pass);
    return true; // force login success
  };
});
```

## Reporting

Write an organized report following the OWASP MASVS standard. Here is a sample report format:

- Title: Hardcoded API Key in Source Code
- Risk: High
- Affected Component: openexploit.apk > MainActivity.java
- Proof: `String apiKey = "XXXX-XXXX-XXXX-XXXX";`
- Impact: An exposed API key can permit unauthorized API calls.
- Recommendation: Place API keys in a secure backend. Never store secrets in app code.

You can use tools such as Dradis or Faraday to document findings.

## Common Mobile Vulnerabilities

- Insecure Storage
- SSL Pinning
- API Authentication
- Exported Components
- Hardcoded Secrets
- Debuggable Builds
- Code Injection

## Resource Reference

- OWASP MASVS & MSTG
- Frida
- Mobile Security Testing Guide GitHub
- Android Pentesting Cheat Sheet
- TryHackMe

## Conclusion

Mobile app pentesting in 2025 is one of the most in-demand skills for ethical hackers and security engineers. As digital identity moves toward mobile-based, AI-empowered apps and sophisticated APIs, finding weaknesses is more critical than ever before. Begin small. Practice on test apps. And always have legal consent prior to testing live apps.