Taking the perspective of an attacker and attempting to exploit mobile apps offers valuable insights into app security and privacy vulnerabilities. In fact, many organizations’ risk management programs require regular manual pen testing assessments of mobile apps to ensure they’re secure.
Security analysts and pen testers rely on an arsenal of mobile app security testing tools to deeply examine an app. Depending on the user’s level of experience and expertise, the mix typically includes open-source and commercial tools for iOS and Android application security testing.
At NowSecure, we provide the NowSecure Workstation pen testing toolkit, NowSecure Platform for fully automated testing and open-source tools like Frida and Radare developed by our research team. Read on to discover our recommendations for tools that ease the mobile app security testing process.
Open Source Mobile App Security Testing Tools
NowSecure researchers created two of the most popular open-source mobile app security testing tools, Frida and Radare. As part of its dedication to the open-source community, NowSecure continues to support these tools and more. Here are several open-source mobile app security testing tools our expert penetration testing services team calls on when doing their work.
- Ghidra: Developed by the U.S. National Security Agency, this open-source reverse engineering suite of tools includes a disassembler, decompile and a built-in scripting engine.
- Mitmproxy: This HTTP proxy is used to identify man-in-the-middle vulnerabilities in mobile apps by intercepting and modifying requests and responses exchanged between an app and backend services.
- Objection: This runtime mobile security assessment framework is powered by Frida.
- OWASP Zed Attack Proxy (ZAP): While primarily a tool for testing web apps and web services, ZAP has a proxy component that can be used to analyze mobile apps.
- Radare: The reverse-engineering framework is used to analyze and inspect iOS and Android binaries.
- R2frida: The r2project integration project blends the best of radare reverse engineering capabilities with the dynamic instrumentation toolkit of Frida to make each of the open-source tools more powerful.
Android App Security Testing Tools
Mobile pen testing pros can find several tools dedicated to the Android platform. Android app security testing tool offerings include:
- Android Debug Bridge (adb): This versatile command-line tool is a Dex to Java decompiler useful for producing Java source code from Android DEX and APK files.
- APKTool: This reverse engineering tool unpacks Android app packages to ensure the files are readable and can rebuild apps.
- Drozer: This tool identifies security vulnerabilities in Android apps and devices using Android Interprocess Communications and supports the use and sharing of public exploits.
- JADX: This tool eases the process of decompiling binaries for reverse engineering.
- Magisk: This tool for rooting Android devices has evolved over the years into a more powerful tool that boasts a collection of dozens of modules.
- Xposed: This tool grants access to many third-party or open-source tweaks that can be used for certain aspects of testing.
“NowSecure highly recommends deploying a commercial automated mobile app security testing tool.”
iOS Security Testing Tools
Security analysts around the globe also have a selection of iOS security testing tools available to them. Here are some popular offerings to aid pen testing of iOS mobile apps:
- Checkra1n: This jailbreaking tool for iOS helps analysts gain root access to a device.
- Grapefruit: The successor to Passionfruit, this is a runtime application instrumentation tool for iOS.
- Keychain-Dumper: This iOS tool helps analysts determine what keychain items are available to an attacker after an iOS device has been jailbroken.
- Xcode: The integrated development environment for macOS suite of tools can be used to interact with an iOS device during pen testing and analyze logs.
Commercial Mobile App Security Testing Tools
In addition to free OSS tools, mobile pen testers find a few paid mobile app security testing tools indispensable to their work.
- Burp Suite: Published by Portswigger, this web proxy testing tool can also be used to test mobile apps and APIs and analyze network traffic.
- Hopper: This reverse engineering tool comes in handy for disassembling, decompiling and debugging applications.
- IDA Pro: Offered by Hex-Rays, this disassembler translates machine executable code into assembly language source code for debugging and reverse engineering.
- NowSecure Workstation: This wizard-driven interactive testing tool for security analysts speeds productivity when testing complex, high-risk and IoT-connected mobile apps.
- NowSecure Platform: This mobile app security testing tool can automate about 80% of manual security testing, freeing staff to focus on the challenging aspects of mobile pen tests.
Less experienced testers may face a steep learning curve with open-source testing tools. In order to scale testing and keep pace with the mobile app development team’s release velocity, NowSecure highly recommends deploying a commercial automated mobile app security testing tool. A wizard-driven automation testing tool like NowSecure Workstation brings consistency, reduces onboarding time for new analysts, eases testing setup and helps organizations contend with skills gaps, workforce shortages and testing backlogs.
The NowSecure Workstation wizard-driven toolkit boosts productivity and collapses testing into a single day. NowSecure Platform fully automates the process to achieve continuous mobile appsec testing. To learn more about what features and functionality to look for in an automated mobile app security testing tool, consult our Mobile AppSec Testing Checklist to help guide your evaluation.