Tooling

Mobile Pentesting — MobSF, Frida, Drozer

Android & iOS app teardown, dynamic instrumentation, MASTG.

Mobile pentesting splits into static (decompile and read), dynamic (run with hooks), and traffic (intercept the API). The 2024–26 reference framework is OWASP MASTG (formerly MASVS). For binary RE see Reverse Engineering (Ghidra). For traffic interception see Web App Testing (Burp / ZAP / Caido).

All-in-one platform

  • ★ ★ MobSF (Mobile Security Framework) — automated static + dynamic Android / iOS / Windows analysis; web UI; Docker-deployable; CI integration. The one-tool default for app triage. Free.
    • Static: decompile, manifest analysis, secrets, dependency CVEs, MASTG checks.
    • Dynamic: emulator-based runtime hooks (Android), Frida integration, traffic capture.
    • REST API for CI.

Dynamic instrumentation (the runtime workhorse)

  • ★ ★ Frida — JS-driven hooks; Android / iOS / Win / Mac / Linux. The dominant runtime tool. Free. See Reverse Engineering.
  • objection (SensePost) — Frida wrapper; one-liner mobile shortcuts: SSL pinning bypass, root detection bypass, keychain dump, file system browse, jailbreak detection bypass. Free.
  • RMS-Runtime-Mobile-Security — Frida-based GUI for Android dynamic analysis.
  • Medusa (Frida helper) — Frida script collection.

Android-specific

  • jadx / jadx-gui — APK → Java decompiler. Default. Free.
  • apktool — APK unpack / repack / rebuild.
  • dex2jar — older.
  • MARA — combined static framework.
  • Drozer (WithSecure) — IPC / content-provider attack framework; classic.
  • adb / Android Debug Bridge — bread and butter.
  • Genymotion — virtualised Android; free Personal, paid Business.
  • Android Studio AVD — official Google emulator; free.
  • Magisk + Zygisk — root + module ecosystem (LSPosed for Xposed-API).
  • frida-gadget — inject Frida into apps without root (repack APK).
  • apk-mitm — auto-rewrite an APK to allow user-installed CA certs.
  • House (NCC) — Frida-driven dynamic analysis.

iOS-specific

  • Hopper / IDA / Ghidra — Mach-O reversing. See Reverse Engineering.
  • frida-ios-dump — pull decrypted IPA from a jailbroken device.
  • class-dump / class-dump-z — Objective-C headers.
  • Cycript / Frida REPL — runtime probing.
  • iOS Reverse Engineering by Tielei Wang / textbook references.
  • objection iOS commands — keychain dump, sandbox, plists.
  • palera1n / unc0ver / checkra1n — jailbreak utilities (device-dependent).
  • Corellium — paid; virtualised iOS for security research; the only realistic non-jailbreak workflow for modern iOS.
  • 3uTools / iMazing — convenience for IPA install / device management.

Cross-platform / network

  • Burp / ZAP / Caido + system CA install — see Web App Testing.
  • HTTP Toolkit — clean Android / iOS interception UX (paid Pro).
  • mitmproxy — best for scripted MitM and mobile.
  • Frida hooks for SSL pinning — universal-ssl-pinning-bypass scripts in Frida CodeShare.

Standards / methodology

  • ★ ★ OWASP MASTG (Mobile App Security Testing Guide) — replaces the old MSTG; the reference. Free.
  • OWASP MASVS — Mobile App Security Verification Standard; checklists.
  • NIST SP 800-163 — federal-flavour guidance.
  • OWASP Mobile Top 10 (2024) — refreshed.

Cert pinning bypass cookbook

  • Frida + universal pinning bypass script (CodeShare).
  • objection android sslpinning disable / ios sslpinning disable.
  • apk-mitm — repack the APK with network_security_config.xml allowing user CAs.
  • Magisk module: TrustUserCerts — install user CAs as system on Android 7+.

CI / scaling

  • MobSF Docker — drop-in CI service.
  • Bitbar / Sauce Labs — paid device farms with security plugins.
  • Genymotion SaaS — automated mobile CI runs.

Pick this if…

  • Default static + dynamic Android / iOS triage: MobSF.
  • Runtime hooking everything: Frida + objection.
  • Android decompile and read: jadx + apktool.
  • iOS without a jailbreak: Corellium (paid).
  • Cert pinning blocking your Burp: objection or universal-pinning-bypass Frida script.
  • Methodology / checklist: OWASP MASTG + MASVS.

On this page