Introducción al pentesting de aplicaciones móviles sin morir en el intento

Introduction to mobile application pentesting without dying trying

Pentest para moviles

Before starting to talk about mobile pentesting, we must lay the foundations and differentiate between static analysis of the application and dynamic analysis. But not before talking about the structure of an APK.

The process of disassembling an APK is called decompression and it is through this process through which we can access the innards of our binary:

To do this, it would be enough to:

unzip APP.apk -d output-unzip

apktool d APP.apk -o output-apktool

When it comes to decompiling the source code, we have two ways, on the one hand we can generate the .smali which is the “readable” bytecode for humans (apktool), or generate the interpreted .java, it is not the original source code, but we It helps to understand the logic of the application more easily (jadx).

Once we have the source code with us, we will talk about the two types of analysis that need to be taken into account when performing mobile pentesting. 

Static vs Dynamic Analysis

In static analysis, the application is analyzed at the code level and without interaction with the application, and dynamic analysis is reviewed at runtime, interacting with the functionalities.

Static analysis

With the Jadx tool we will try to search for sensitive information:

  • Vulnerable keywords or code patterns. 
  • Credentials / api keys. 
  • Urls/endpoints.
  • Identification of important functions: authentication, state changes, PII.
  • Debug function identification. Presence of comments in the code.
  • Identification of dangerous functions: use of external storage, code execution. Sanitization.
  • Hardcoded secrets.


All the above analysis can be automated with the following tool (MobSF):

When talking about mobile pentesting there are a series of interesting components (identified by Mobsf in the previous image), which we recommend that you spend time understanding (activities, suppliers, recipients and exportable services). In the next article we will talk about exportable activities.

Xuquiang Liu Xu, Pentester Jr. at Zerolynx and Alejandro Auñón, Offensive Security Analyst at Zerolynx.
return to blog

Leave a comment

Please note that comments must be approved before they are published.