
Mobile Security

Mobile challenges involve reverse engineering and exploiting Android APKs and iOS IPAs — from decompiling Java bytecode and patching apps to hooking runtime methods with Frida and bypassing certificate pinning.

What is it?

Mobile security is the field of finding and exploiting vulnerabilities in Android and iOS applications. Unlike desktop software, mobile apps run in sandboxed environments, but the sandbox is regularly undermined by insecure data storage, weak authentication, missing or bypassable certificate pinning, and misuse of exported activities and intents.

The OWASP Mobile Top 10 defines the most common mobile weaknesses, and both Android (Java/Kotlin/NDK) and iOS (Swift/Objective-C) have distinct attack surfaces that security researchers must understand.

How it works in a CTF

In a CTF, you receive an APK or IPA file and must extract a flag hidden inside the app's logic, resources, or network communication. Some challenges require only static analysis; others need you to run the app on an emulator, hook functions with Frida, or patch the binary to bypass checks.

Common workflow: unpack with APKTool/jadx → inspect AndroidManifest.xml → search strings/resources → decompile Java → hook with Frida if dynamic analysis is needed → intercept HTTPS traffic with Burp + SSL unpin.

Example challenge types
Hardcoded API key in APK resources
Reverse Java validation logic
Bypass root/emulator detection (Frida)
SSL pinning bypass
Exported Activity access (ADB intent)
Shared preferences plain-text secret
Native library (JNI) reverse engineering
Firebase misconfiguration (public DB)
Deep-link parameter injection
iOS Keychain extraction
Frida hook to dump decrypted payload
APK repack and re-sign

Sample Challenge

UnlockMe
Mobile Medium 200 pts
You receive an Android APK that shows a PIN entry screen. Entering the correct 6-digit PIN displays the flag. The app performs root and emulator detection before proceeding.
unlockme.apk
How to solve it
  1. Decompile with jadx-gui unlockme.apk. Search for onCheckPin: it hashes the user input with SHA-256 and compares the result against a hardcoded hex digest.
  2. The digest 8d969eef6...<snip> is 64 hex characters, so SHA-256 (hashcat mode 1400; compare formats with hashcat --example-hashes). Look it up on CrackStation or brute-force the 10^6 possible six-digit PINs: it is the hash of 123456.
  3. The app crashes on an emulator because the detection check fires before the PIN screen. Bypass it with Frida: hook isEmulator() (and the root check, if it blocks too) to return false.
  4. Spawn the app with the hook loaded: frida -U -f com.ctf.unlockme -l bypass.js (Frida versions before 16 also need --no-pause; since 16 the CLI resumes the spawned process by default).
  5. Enter PIN 123456 in the app: the flag is displayed on screen.
FLAG{fr1d4_byp4ss_em_d3t3ct10n}
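The offline parts of the solve (steps 2 to 4), as an added example that is not part of the challenge writeup: identifying and cracking the PIN digest, generating the Frida hook, and loading it through Frida's Python bindings. The class and method names com.ctf.unlockme.RootCheck, isEmulator and isRooted are assumptions for illustration; read the real ones out of jadx.

```python
# Added example (not from the challenge page): offline helpers for the UnlockMe solve.
#   identify_digest()     - step 2: guess algorithm / hashcat mode from the digest
#   crack_pin()           - step 2: brute-force the 6-digit PIN behind an unsalted SHA-256
#   build_bypass_script() - step 3: Frida JS that forces the detection methods to return false
#   run_with_bypass()     - step 4: spawn the app with the hook installed (needs a device)
# Assumed names: com.ctf.unlockme.RootCheck with non-overloaded isEmulator()/isRooted()
# (hypothetical; take the real class and method names from the decompiled code).
import hashlib

# Constructed input: the digest the decompiled check compares against (SHA-256 of "123456").
TARGET_HASH = "8d969eef6ecad3c29a3a629280e686cf0c3f5d5a86aff3ca12020c923adc6c92"

# hex length -> (algorithm, hashcat -m mode). Length is only a hint: SHA3-256 and
# BLAKE2s-256 are also 64 hex chars, so confirm by cracking or by reading the code.
DIGEST_LENGTHS = {32: ("MD5", 0), 40: ("SHA-1", 100), 64: ("SHA-256", 1400), 128: ("SHA-512", 1700)}


def identify_digest(hex_digest):
    """Guess (algorithm, hashcat mode) from the digest length; None if not a known hex digest."""
    h = hex_digest.strip().lower()
    if not h or any(c not in "0123456789abcdef" for c in h):
        return None
    return DIGEST_LENGTHS.get(len(h))


def crack_pin(target_hex, digits=6):
    """Try every zero-padded numeric PIN of the given length against an unsalted SHA-256 digest."""
    target = target_hex.strip().lower()
    if len(target) != 64:
        raise ValueError("expected a 64-hex-char SHA-256 digest")
    for n in range(10 ** digits):
        pin = f"{n:0{digits}d}"
        if hashlib.sha256(pin.encode()).hexdigest() == target:
            return pin
    return None


def build_bypass_script(class_name, methods):
    """Return Frida JavaScript that replaces each boolean method on class_name with one returning false."""
    hooks = "".join(
        f"    cls.{m}.implementation = function () {{\n"
        f'        console.log("[bypass] {class_name}.{m}() -> false");\n'
        f"        return false;\n"
        f"    }};\n"
        for m in methods
    )
    # If a method is overloaded, Frida needs cls.<m>.overload(<arg types>).implementation instead.
    return (
        "Java.perform(function () {\n"
        f'    var cls = Java.use("{class_name}");\n'
        f"{hooks}"
        "});\n"
    )


def run_with_bypass(package, script_source):
    """Spawn the app over USB with the hook loaded before any app code runs (needs frida-server on the device)."""
    import frida  # pip install frida-tools; imported lazily so the offline helpers work without it
    device = frida.get_usb_device()
    pid = device.spawn([package])
    session = device.attach(pid)
    script = session.create_script(script_source)
    script.on("message", lambda message, data: print(message))
    script.load()
    device.resume(pid)  # the app starts with isEmulator()/isRooted() already replaced
    return session


if __name__ == "__main__":
    print("digest looks like:", identify_digest(TARGET_HASH))
    print("PIN:", crack_pin(TARGET_HASH))
    js = build_bypass_script("com.ctf.unlockme.RootCheck", ["isEmulator", "isRooted"])
    print(js)
    # run_with_bypass("com.ctf.unlockme", js)  # with a device attached; then enter the PIN in the app
```

Writing the generated JavaScript to bypass.js gives the same result as the frida CLI invocation in step 4; the Python loader is only there to show what that command does under the hood (spawn, attach, load script, resume).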

Getting Started Tips

💡 Tip: Start every APK challenge with MobSF static analysis — it automatically flags hardcoded secrets, insecure components, and dangerous permissions.
💡 Tip: Use `jadx-gui` for readable Java decompilation, then Ghidra for native (.so) library RE if needed.
💡 Tip: For Frida: use the objection framework (`pip install objection`) to automate common tasks like SSL unpinning with a single command.
💡 Tip: Check AndroidManifest.xml for exported activities, content providers, and broadcast receivers — they're common attack entry points.
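A triage script for the manifest check in the last tip, as an added example that is not from the page: it reads a decoded AndroidManifest.xml, applies Android's export rules (an explicit android:exported wins; otherwise a component with an intent-filter is exported, except that providers default to not exported from targetSdkVersion 17 on), and prints the adb command that reaches each exported component, including the deep-link form for activities with a scheme. The manifest, package and component names are constructed for the example.

```python
# Added example (not from the page): list exported components in an AndroidManifest.xml
# (as decoded by apktool or shown in jadx) and the adb command that reaches each one.
# Export rules (Android docs): explicit android:exported wins; otherwise a component that
# declares an <intent-filter> is exported, except that a <provider> defaults to NOT exported
# once targetSdkVersion >= 17. Since Android 12 (targetSdk 31+) the attribute is mandatory for
# components with an intent-filter, so the implicit case only matters for older targets.
# The manifest below is constructed for the example; all names are made up.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENTS = ("activity", "activity-alias", "service", "receiver", "provider")

SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.ctf.unlockme">
  <uses-sdk android:targetSdkVersion="30"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".FlagActivity" android:exported="true"/>
    <activity android:name=".DebugActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <data android:scheme="unlockme" android:host="open"/>
      </intent-filter>
    </activity>
    <activity android:name=".InternalActivity" android:exported="false"/>
    <receiver android:name=".PinReceiver">
      <intent-filter><action android:name="com.ctf.unlockme.CHECK_PIN"/></intent-filter>
    </receiver>
    <provider android:name=".SecretProvider" android:authorities="com.ctf.unlockme.secrets"/>
  </application>
</manifest>
"""


def android_attr(el, name):
    return el.get("{%s}%s" % (ANDROID_NS, name))


def is_exported(el, target_sdk):
    explicit = android_attr(el, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    if el.tag == "provider":
        return target_sdk < 17
    return el.find("intent-filter") is not None


def qualify(name, package):
    """Expand the shorthand forms ".Foo" and "Foo" to a fully qualified class name."""
    if name.startswith("."):
        return package + name
    return name if "." in name else f"{package}.{name}"


def find_exported(manifest_xml, target_sdk=None):
    """Return a dict per exported component. apktool moves targetSdkVersion into apktool.yml,
    so pass it explicitly when the manifest has no <uses-sdk>; otherwise a modern target is assumed."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package")
    if target_sdk is None:
        sdk = root.find("uses-sdk")
        target_sdk = int(android_attr(sdk, "targetSdkVersion") or 31) if sdk is not None else 31
    found = []
    for el in root.find("application"):
        if el.tag not in COMPONENTS or not is_exported(el, target_sdk):
            continue
        uris = []
        for d in el.iter("data"):  # deep-link data inside the component's intent-filters
            scheme = android_attr(d, "scheme")
            if scheme:
                uris.append(f"{scheme}://{android_attr(d, 'host') or ''}")
        found.append({"kind": el.tag, "name": qualify(android_attr(el, "name"), package),
                      "package": package, "authority": android_attr(el, "authorities"),
                      "uris": uris})
    return found


def adb_command(component):
    """adb one-liner that invokes the component from outside the app."""
    target = f'{component["package"]}/{component["name"]}'
    kind = component["kind"]
    if kind in ("activity", "activity-alias"):
        if component["uris"]:
            return f'adb shell am start -a android.intent.action.VIEW -d "{component["uris"][0]}"'
        return f"adb shell am start -n {target}"
    if kind == "service":
        return f"adb shell am startservice -n {target}"
    if kind == "receiver":
        return f"adb shell am broadcast -n {target}"
    return f'adb shell content query --uri content://{component["authority"]}'


if __name__ == "__main__":
    for c in find_exported(SAMPLE_MANIFEST):
        print(f'{c["kind"]:<9} {c["name"]:<36} {adb_command(c)}')
```

On the sample manifest this lists MainActivity, FlagActivity, DebugActivity (with its unlockme://open deep link) and PinReceiver, and leaves out InternalActivity and the provider; rerunning with target_sdk=16 shows why old targets leak providers.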