The mobile-application agent is a mobile security specialist covering both Android and iOS platforms. It follows the OWASP Mobile Application Security Testing Guide (MASTG) and the Mobile Application Security Verification Standard (MASVS) v2.

Activating the agent

Press Tab until mobile-application appears in the status bar, then describe your target application.

Tools

Tool           | Platform | Use
---------------|----------|-----------------------------------------------------
apktool        | Android  | APK decompilation and repackaging
jadx           | Android  | DEX to Java source decompiler
frida          | Both     | Dynamic instrumentation and hooking
objection      | Both     | Runtime mobile exploration (Frida-based)
drozer         | Android  | Android security assessment framework
adb            | Android  | Android Debug Bridge for device interaction
apksigner      | Android  | APK signature verification
MobSF          | Both     | Automated static and dynamic analysis
class-dump     | iOS      | Extract class information from Mach-O binaries
otool / jtool2 | iOS      | Binary analysis
mitmproxy      | Both     | HTTP/HTTPS proxy for traffic interception
nuclei         | Both     | Vulnerability scanning on discovered API endpoints
ffuf           | Both     | API endpoint fuzzing

Testing methodology

The agent runs five sequential phases, moving from static analysis through to business logic testing.

1. Static analysis

Extract and decompile the application binary. For Android: apktool d app.apk followed by jadx -d output app.apk. Review AndroidManifest.xml or Info.plist for permissions, exported components, backup settings, and debug flags. Search for hardcoded secrets, API keys, URLs, and insecure configuration values in the decompiled source.

2. Network analysis

Set up a proxy (mitmproxy or Burp Suite), install the CA certificate on the test device, and bypass certificate pinning if present using Objection (objection --gadget "AppName" explore) or Frida scripts. Capture all API traffic during manual app usage and analyze authentication flows, token handling, and data in transit.

3. Dynamic analysis

Install the application on a rooted Android device or a jailbroken iOS device, or use an emulator. Hook with Frida/Objection to bypass root and jailbreak detection, monitor filesystem changes, watch logs and the clipboard, and instrument crypto functions, auth checks, and API calls at runtime.

4. API security

Extract API endpoints from the decompiled code. Test authentication and authorization on each endpoint. Check for IDOR, mass assignment, and missing rate limiting. Test input validation on all parameters. Search for hidden debug or internal API endpoints not exposed in the UI.

5. Business logic

Test payment flows for price and quantity tampering. Test subscription and license bypass. Test referral and reward system abuse. Test the security of offline functionality. Test data synchronization between device and server for integrity issues.

MASVS categories

The checks below are grouped by MASVS v2 control group.

MASVS-STORAGE

Verifies that credentials are not stored in plaintext in SharedPreferences (Android) or in unprotected Keychain items (iOS). Checks for sensitive data in logcat output, analytics SDKs, and crash reporters. Verifies that the allowBackup flag is disabled. Tests for data in the keyboard cache, clipboard exposure during sensitive operations, and screenshot prevention with FLAG_SECURE or the iOS equivalents.

MASVS-CRYPTO

Checks for weak cryptographic algorithms (ECB mode, DES, MD5) and hardcoded encryption keys via static analysis. Verifies that key storage uses the Android Keystore or the iOS Keychain. Confirms appropriate algorithms for each use case: AES-GCM for at-rest data, PBKDF2 or Argon2 for passwords, HTTPS for transit.

MASVS-AUTH

Verifies that sensitive operations (payments, profile changes) require re-authentication via biometrics or PIN. Tests session token expiration, rotation on re-authentication, and invalidation on logout. Confirms that tokens are stored in hardware-backed secure storage, not in SharedPreferences or UserDefaults.

MASVS-NETWORK

Confirms that all connections use TLS: no plaintext HTTP endpoints or mixed content. Reviews the TLS version and cipher suite configuration. Tests certificate pinning bypass using Objection (android sslpinning disable) and Frida scripts. Reviews custom TrustManager implementations for validation flaws.

MASVS-PLATFORM

Reviews permissions in AndroidManifest.xml and Info.plist for over-permissioning. Tests deep link handlers and URL scheme processors for injection and auth bypass using adb shell am start. Tests exported Content Providers for SQL injection via Drozer. Reviews WebView configuration for JavaScript, file access, and mixed content settings.

MASVS-CODE

Verifies that the APK is signed with a valid certificate. Confirms release build flags: no android:debuggable=true, no StrictMode in production, no test endpoints. Reviews error handling for verbose error messages or stack traces exposed to users.

MASVS-RESILIENCE

Tests root and jailbreak detection bypass using objection --gadget "AppName" explore followed by android root disable or ios jailbreak disable. Tests anti-debugging protections. Tests file integrity and signature verification bypass. Reviews obfuscation quality via ProGuard/R8 and string encryption.

Example workflows

cyberstrike run --agent mobile-application \
  "Perform a full MASVS assessment of the Android APK at /tmp/target-app.apk"

Finding output format

Each finding the agent reports includes:
  • MASVS-ID — e.g., MASVS-STORAGE-1
  • Title — e.g., Plaintext credentials in SharedPreferences
  • Severity — Critical / High / Medium / Low with CVSS score
  • CWE — e.g., CWE-312
  • Platform — Android / iOS / Both
  • Evidence — Code snippet, screenshot, or traffic capture
  • Impact — What an attacker could achieve
  • Remediation — Specific fix recommendations
Dynamic analysis requires a rooted Android device or jailbroken iOS device, or a compatible emulator. Some MASVS-RESILIENCE checks are only fully verifiable on physical hardware.
