Skip to content

Security Testing Guide

Jump to bottom
Paul White edited this page Feb 7, 2026 · 1 revision

Security Testing Guide

End-to-end workflows for mobile application penetration testing with Mobilicustos.

Testing Methodology

Mobilicustos follows the OWASP Mobile Application Security Testing Guide (MASTG) methodology, organized around the MASVS (Mobile Application Security Verification Standard) categories:

MASVS Category Description Analyzers
MASVS-STORAGE Data storage and privacy Secure Storage, Backup, Data Leakage
MASVS-CRYPTO Cryptography Crypto Auditor, DEX Analyzer, Semgrep
MASVS-AUTH Authentication and session management Authentication Analyzer
MASVS-NETWORK Network communication Network Config, SSL Pinning, Manifest, Plist
MASVS-PLATFORM Platform interaction Manifest, Component Security, Deeplink, Entitlements
MASVS-CODE Code quality and build settings Code Quality, Dependency, Semgrep
MASVS-RESILIENCE Resilience against reverse engineering Binary Protection, Obfuscation
MASVS-PRIVACY Privacy Privacy Analyzer, Permissions

Workflow 1: Full Static Analysis

Best for: Initial security assessment without requiring a device.

Steps

  1. Upload the application

    POST /api/apps
Content-Type: multipart/form-data
file: app-release.apk

  2. Review framework detection

    • Check if Flutter, React Native, or Native was detected
    • Framework-specific analyzers will run automatically

  3. Start a static scan

    POST /api/scans
{ "app_id": "uuid", "scan_type": "static" }

  4. Monitor progress

    • Watch the Scan Detail view for per-analyzer status
    • 26 analyzers for Android, 14 for iOS (plus cross-platform if applicable)

  5. Review findings by priority

    • Start with Critical and High severity
    • Focus on findings with PoC evidence
    • Check OWASP MASVS compliance dashboard

  6. Validate false positives

    • Use the PoC verification commands provided with each finding
    • Mark confirmed false positives with reason

  7. Export results

    • PDF for executive stakeholders
    • SARIF for developer teams
    • CSV for custom analysis

Workflow 2: Dynamic Analysis

Best for: Runtime behavior validation and bypass testing.

Prerequisites

  • Connected Android device or emulator
  • ADB running on host
  • Frida server on device

Steps

  1. Set up the device

    • Navigate to Devices view
    • Click "Discover Devices" to find connected devices
    • Install Frida server on the device

  2. Upload and install the app

    POST /api/apps  (upload APK)

    Install via ADB: adb install app-release.apk

  3. Start a dynamic scan

    POST /api/scans
{ "app_id": "uuid", "scan_type": "dynamic" }

  4. Runtime analyzer hooks into:

    • Data storage APIs (SharedPreferences, Keychain)
    • Cryptographic operations
    • Network connections
    • Logging calls
    • Certificate validation

  5. Review dynamic findings

    • Compare with static analysis results
    • Dynamic findings confirm or refute static detections

Workflow 3: Protection Bypass Testing

Best for: Assessing the app's resistance to reverse engineering and tampering.

Steps

  1. Detect protections

    POST /api/bypass/analyze
{ "app_id": "uuid", "device_id": "uuid" }

    Identifies: root detection, SSL pinning, Frida detection, emulator detection, debugger detection, integrity checks

  2. Attempt automated bypass

    POST /api/bypass/auto-bypass
{
  "app_id": "uuid",
  "device_id": "uuid",
  "detections": ["root", "ssl_pinning", "frida"]
}

  3. Manual bypass with Frida scripts

    • Use built-in bypass scripts (SSL pinning, root, jailbreak, biometric)
    • Write custom hooks via the Frida Script editor

  4. Document results

    • Bypass success/failure recorded with evidence
    • Protection gaps added as findings

Workflow 4: API Security Testing

Best for: Testing the backend APIs discovered in the mobile app.

Steps

  1. Run static scan to discover API endpoints

    • The API Endpoint Extractor finds REST, GraphQL, and gRPC endpoints
    • View results in the API Endpoints view

  2. Export endpoints

    GET /api/api-endpoints/{app_id}/export

  3. Probe endpoints

    POST /api/api-endpoints/{app_id}/probe

    Tests for: accessibility, authentication requirements, SSL configuration

  4. Burp Suite integration

    • Export endpoints to Burp Suite
    • Run active scans against API endpoints
    • Import Burp results back into Mobilicustos

  5. Unified findings view

    • Mobile static/dynamic findings + web API findings in one view

Workflow 5: Compliance Assessment

Best for: Verifying adherence to OWASP MASVS requirements.

Steps

  1. Run a full scan (static + dynamic)

    POST /api/scans
{ "app_id": "uuid", "scan_type": "full" }

  2. View MASVS compliance

    GET /api/compliance/masvs/{app_id}

    Shows pass/fail status for each MASVS requirement

  3. Drill into categories

    GET /api/compliance/masvs/{app_id}/MASVS-NETWORK

    See specific test results per category

  4. Generate compliance report

    GET /api/compliance/report/{app_id}

    Full compliance report with evidence and remediation guidance

  5. Track MASTG test coverage

    GET /api/scans/{scan_id}/mastg-coverage

    Shows which MASTG tests were executed and their results

Workflow 6: Attack Path Analysis

Best for: Understanding real-world exploitability and prioritizing fixes.

Steps

  1. Complete a full scan with multiple analyzers

  2. Generate attack paths

    POST /api/attack-paths/{app_id}/generate

    Builds a Neo4j graph from findings showing exploitation chains

  3. View attack path graph

    • Navigate to Attack Paths view
    • Visualize: Entry points → Exploitation steps → Sensitive targets

  4. Prioritize remediation

    • Focus on findings that appear in critical attack paths
    • A single fix can break multiple attack chains
    • Combined risk scores reflect real-world impact

Workflow 7: Secret Validation

Best for: Confirming whether discovered secrets are actually exploitable.

Steps

  1. Review detected secrets

    • Navigate to Secrets view
    • Filter by type: AWS, Google, Firebase, Stripe, etc.

  2. Live validation

    POST /api/secrets/{secret_id}/validate

    Performs safe, read-only probes:

    • AWS: Attempts s3 ls with discovered key
    • Google: Tests API key against Maps/Places API
    • Firebase: Checks database/storage accessibility

  3. Triage results

    • Validated secrets → Critical severity
    • Invalid/expired → Downgrade or mark as false positive
    • Redacted display protects actual values

Finding Lifecycle

Discovery → Open → Confirmed → Remediated
                 ↓
           False Positive (with reason)
                 ↓
           Accepted Risk (with justification)
Status Description
open Newly discovered, needs triage
confirmed Validated as a real vulnerability
false_positive Not a real issue (requires reason)
accepted_risk Known issue, accepted by stakeholder
remediated Fix verified

Reporting Best Practices

Executive Report (PDF)

  • Use for non-technical stakeholders
  • Includes: severity distribution, risk score, top findings, compliance status
  • Export: GET /api/exports/{app_id}/pdf

Technical Report (HTML/JSON)

  • Use for development teams
  • Includes: full finding details, PoC commands, code snippets, remediation steps
  • Export: GET /api/exports/{app_id}/html or json

CI/CD Integration (SARIF)

  • Use for automated security gates
  • Upload to GitHub Code Scanning or Azure DevOps
  • Export: GET /api/exports/{app_id}/sarif

Penetration Test Report (CSV + Burp XML)

  • Use for detailed manual testing documentation
  • Combine with Burp Suite findings
  • Export: GET /api/exports/{app_id}/csv + GET /api/scans/{id}/export/burp

Mobilicustos v0.1.1 | GitHub Repository | MIT License

Mobilicustos Wiki

Getting Started

Architecture

Analysis Engine

Interface

Workflows

Clone this wiki locally