Mobile Security
Mobile application security encompasses the unique attack surface of iOS and Android applications, including insecure local data storage, weak transport layer protection, insufficient binary protections, and client-side injection vulnerabilities. The OWASP Mobile Top 10 highlights risks such as improper platform usage, insecure data storage, insecure communication, insecure authentication, insufficient cryptography, and code tampering. Mobile apps face threats that web applications do not: reverse engineering of client-side code, certificate pinning bypass, inter-process communication attacks, and exploitation of platform-specific features like deep links, content providers, and keychain storage. Tools like Frida, objection, MobSF, and Jadx enable dynamic instrumentation and static analysis of mobile binaries, while proxy tools allow interception of API traffic for server-side testing.
| Date Added | Link | Excerpt |
|---|---|---|
| 2026-04-22 | Root/Jailbreak Detection and SSL Pinning in KMM | Root/Jailbreak Detection and SSL Pinning in KMM |
| 2026-04-22 | Reversing Android Apps: Bypassing Detection Like a Pro | Reversing Android Apps: Bypassing Detection Like a Pro |
| 2026-04-22 | Reverse engineering and modifying Android apps with JADX and Frida | Reverse engineering and modifying Android apps with JADX and Frida |
| 2026-04-22 | Common Vulnerabilities and Exposures Examples in Mobile Apps | Common Vulnerabilities and Exposures Examples in Mobile Apps |
| 2026-04-22 | Bypassing iOS Frida Detection with LLDB and Frida | Bypassing iOS Frida Detection with LLDB and Frida |
| 2026-04-22 | frida-interception-and-unpinning: Scripts to MitM all HTTPS traffic | frida-interception-and-unpinning: Scripts to MitM all HTTPS traffic |
| 2026-04-22 | Android Reports and Resources | Android Reports and Resources |
| 2026-04-22 | iOS Security Testing - OWASP MASTG | iOS Security Testing - OWASP MASTG |
| 2026-04-22 | Android Security Bulletin - March 2026 | Android Security Bulletin - March 2026 |
| 2026-04-22 | Android Security Bulletin - April 2026 | Android Security Bulletin - April 2026 |
| 2026-04-19 | Zero-Day Vulnerabilities in Apple WebKit — CSA Singapore | Zero-Day Vulnerabilities in Apple WebKit — CSA Singapore |
| 2026-04-19 | Update Apple Devices: Actively Exploited CVE-2025-14174 & CVE-2025-43529 | Update Apple Devices: Actively Exploited CVE-2025-14174 & CVE-2025-43529 |
| 2026-04-19 | CVE-2025-14174: Apple WebKit Memory Corruption Zero-Day | CVE-2025-14174: Apple WebKit Memory Corruption Zero-Day |
| 2026-04-19 | Two Serious Vulnerabilities in Latest Android Security Update | Two Serious Vulnerabilities in Latest Android Security Update |
| 2026-04-19 | LANDFALL: New Commercial-Grade Android Spyware (CVE-2025-21042) | LANDFALL: New Commercial-Grade Android Spyware (CVE-2025-21042) |
| 2026-04-16 | Awesome Android Reverse Engineering: Curated List | Awesome Android Reverse Engineering: Curated List |
| 2026-04-16 | Android App Reverse Engineering 101 | Android App Reverse Engineering 101 |
| 2026-04-16 | Exploiting Android Fingerprint Authentication | Exploiting Android Fingerprint Authentication |
| 2026-04-16 | Android Keystore Pitfalls and Best Practices | Android Keystore Pitfalls and Best Practices |
| 2026-04-16 | Frida's Impact on Mobile Security and How to Fight Back | Frida's Impact on Mobile Security and How to Fight Back |
| 2026-04-16 | From an Android Hook to RCE: $5000 Bounty | From an Android Hook to RCE: $5000 Bounty |
| 2026-04-16 | iOS Reverse Engineering: Defeating Anti-Debug and Extracting Hidden Flag | iOS Reverse Engineering: Defeating Anti-Debug and Extracting Hidden Flag |
| 2026-04-16 | DarkSword iOS Exploit Chain Adopted by Multiple Threat Actors - Google | DarkSword iOS Exploit Chain Adopted by Multiple Threat Actors - Google |
| 2026-04-16 | Inside DarkSword: A New iOS Exploit Kit - iVerify | Inside DarkSword: A New iOS Exploit Kit - iVerify |
| 2026-04-16 | DarkSword iOS Exploit Kit: 6 Flaws and 3 Zero-Days for Full Takeover | DarkSword iOS Exploit Kit: 6 Flaws and 3 Zero-Days for Full Takeover |
| 2026-04-11 | Exploiting Content Providers in Android Applications | Exploiting Content Providers in Android Applications |
| 2026-04-11 | SQL injection vulnerabilities in Owncloud Android app | SQL injection vulnerabilities in Owncloud Android app |
| 2026-04-11 | Android, SQL and ContentProviders - Why SQL injections aren't dead yet | Android, SQL and ContentProviders - Why SQL injections aren't dead yet |
| 2026-04-11 | iOS Universal Links - HackTricks | iOS Universal Links - HackTricks |
| 2026-04-11 | MASTG-TEST-0070: Testing Universal Links | MASTG-TEST-0070: Testing Universal Links |
| 2026-04-11 | Mobile OAuth Attacks - iOS URL Scheme Hijacking Revamped | Mobile OAuth Attacks - iOS URL Scheme Hijacking Revamped |
| 2026-04-11 | Exploiting Android WebView Vulnerabilities | Exploiting Android WebView Vulnerabilities |
| 2026-04-11 | Android security checklist: WebView - Oversecured Blog | Android security checklist: WebView - Oversecured Blog |
| 2026-04-11 | WebView addJavascriptInterface Remote Code Execution - WithSecure Labs | WebView addJavascriptInterface Remote Code Execution - WithSecure Labs |
| 2026-04-11 | Exploiting Insecure Android WebView with JavaScript Interface | Exploiting Insecure Android WebView with JavaScript Interface |
| 2026-04-11 | Mobile Security Framework - MobSF Documentation | Mobile Security Framework - MobSF Documentation |
| 2026-04-11 | MobSF: Mobile Security Framework (GitHub) | MobSF: Mobile Security Framework (GitHub) |
| 2026-04-11 | Deep Linking Vulnerabilities - Application Security Cheat Sheet | Deep Linking Vulnerabilities - Application Security Cheat Sheet |
| 2026-04-11 | Android Intent Redirection: A Hacker's Gateway to Internal Components | Android Intent Redirection: A Hacker's Gateway to Internal Components |
| 2026-04-11 | From Browser to Breach: One-Click Android Deep Link Exploitation | From Browser to Breach: One-Click Android Deep Link Exploitation |
| 2026-04-11 | Unsafe use of deep links - Android Developers Security | Unsafe use of deep links - Android Developers Security |
| 2026-04-11 | Android Pentest: Deep Link Exploitation | Android Pentest: Deep Link Exploitation |
| 2026-04-11 | A Comprehensive Guide to iOS Jailbreak Detection Bypass | A Comprehensive Guide to iOS Jailbreak Detection Bypass |
| 2026-04-11 | Bypassing iOS Security Suite: Jailbreak Detection Explained and Tested | Bypassing iOS Security Suite: Jailbreak Detection Explained and Tested |
| 2026-04-11 | Frida CodeShare: iOS Jailbreak Detection Bypass | Frida CodeShare: iOS Jailbreak Detection Bypass |
| 2026-04-11 | iOS Jailbreak Detection Bypass with Frida - Full Guide | iOS Jailbreak Detection Bypass with Frida - Full Guide |
| 2026-04-11 | Android 15 Vulnerabilities: A Comprehensive Security Research Analysis | Android 15 Vulnerabilities: A Comprehensive Security Research Analysis |
| 2026-04-11 | December 2025 Android Security Bulletin: Two Zero-Day Flaws Exploited | December 2025 Android Security Bulletin: Two Zero-Day Flaws Exploited |
| 2026-04-11 | Android Security Bulletin - December 2025 | Android Security Bulletin - December 2025 |
| 2026-04-11 | Intent redirection vulnerability in third-party SDK exposed millions of Android wallets | Intent redirection vulnerability in third-party SDK exposed millions of Android wallets |
| 2026-04-10 | Mobile App Security Testing Guide 2026 | Mobile App Security Testing Guide 2026 |
| 2026-04-10 | Frida - OWASP Mobile Application Security Tool | Frida - OWASP Mobile Application Security Tool |
| 2026-04-10 | OWASP MASTG Testing Guide | OWASP MASTG Testing Guide |
| 2026-04-10 | OWASP MASVS & MASTG: Mobile Security Guide (2026) | OWASP MASVS & MASTG: Mobile Security Guide (2026) |
| 2026-04-10 | Mobile App Tampering and Reverse Engineering - OWASP MASTG | Mobile App Tampering and Reverse Engineering - OWASP MASTG |
| 2026-04-10 | A Comprehensive Guide to iOS Penetration Testing | A Comprehensive Guide to iOS Penetration Testing |
| 2026-04-10 | iOS Penetration Testing: Definition, Process and Tools | iOS Penetration Testing: Definition, Process and Tools |
| 2026-04-10 | iOS App Reverse Engineering: Tools & Tactics | iOS App Reverse Engineering: Tools & Tactics |
| 2026-04-10 | iOS Pentesting Checklist: Complete Guide for 2026 | iOS Pentesting Checklist: Complete Guide for 2026 |
| 2026-04-10 | Understanding Mobile App Reverse Engineering: How Attackers Break Apps | Understanding Mobile App Reverse Engineering: How Attackers Break Apps |
| 2026-04-10 | 2025 Phone Security Guide: Android vs iOS | 2025 Phone Security Guide: Android vs iOS |
| 2026-04-10 | Android vs iOS Security Comparison | Android vs iOS Security Comparison |
| 2026-04-10 | iOS vs Android Security: Which Is More Secure? | iOS vs Android Security: Which Is More Secure? |
| 2026-04-10 | iOS Devices Face Twice the Phishing Attacks of Android | iOS Devices Face Twice the Phishing Attacks of Android |
| 2026-04-10 | iOS vs Android Security Comparison 2025 | iOS vs Android Security Comparison 2025 |
| 2026-04-10 | Common Mobile Application Security Vulnerabilities 2025 | Common Mobile Application Security Vulnerabilities 2025 |
| 2026-04-10 | 2025 Global Mobile Threat Report | 2025 Global Mobile Threat Report |
| 2026-04-10 | Mobile Security Testing Challenges: 2025-2026 Outlook | Mobile Security Testing Challenges: 2025-2026 Outlook |
| 2026-04-10 | App Threat Report 2025 Q1: Android and iOS | App Threat Report 2025 Q1: Android and iOS |
| 2026-04-10 | Mobile App Security Testing in 2026: Statistics and OWASP Threats | Mobile App Security Testing in 2026: Statistics and OWASP Threats |
| 2026-04-06 | Hacking Android and IOT Apps by Example - DEF CON Training LV 2026 | Hacking Android and IOT Apps by Example - DEF CON Training LV 2026 |
| 2026-04-06 | Mobile Application Penetration Testing: iOS and Android | Mobile Application Penetration Testing: iOS and Android |
| 2026-04-06 | 10 Mobile App Security Best Practices for 2026 | 10 Mobile App Security Best Practices for 2026 |
| 2026-04-06 | Grapefruit: Open-source mobile security testing suite | Grapefruit: Open-source mobile security testing suite |
| 2026-04-06 | Objection 2026: Runtime Mobile Exploration via Frida | Objection 2026: Runtime Mobile Exploration via Frida |
| 2026-04-03 | OWASP Mobile Top 10 2024: A Security Guide | OWASP Mobile Top 10 2024: A Security Guide |
| 2026-04-03 | OWASP Mobile Top 10 and MobSF | OWASP Mobile Top 10 and MobSF |
| 2026-04-03 | Bypassing Certificate Pinning Using Frida: A Step-by-Step Guide | Bypassing Certificate Pinning Using Frida: A Step-by-Step Guide |
| 2026-04-03 | Hail Frida!! The Universal SSL Pinning Bypass for Android | Hail Frida!! The Universal SSL Pinning Bypass for Android |
| 2026-04-03 | OWASP Mobile Top 10 (2024) — Bug Bounty Hunter's Guide | OWASP Mobile Top 10 (2024) — Bug Bounty Hunter's Guide |
| 2026-04-03 | Four Ways to Bypass Android SSL Verification and Certificate Pinning \| NetSPI | Four Ways to Bypass Android SSL Verification and Certificate Pinning \| NetSPI |
| 2026-04-03 | Bypassing Certificate Pinning \| OWASP MASTG | Bypassing Certificate Pinning \| OWASP MASTG |
| 2026-04-03 | Defeating Android Certificate Pinning with Frida | Defeating Android Certificate Pinning with Frida |
| 2026-04-03 | OWASP Mobile Top 10 | OWASP Mobile Top 10 |
| 2026-04-03 | OWASP Mobile Application Security (MAS) | OWASP Mobile Application Security (MAS) |
| 2026-04-03 | What is Mobile Security? \| IBM | Mobile device security refers to being free from danger or risk of an asset loss or data loss by using mobile computers and communication hardware. |
Frequently Asked Questions
- What is the OWASP Mobile Top 10?
- The OWASP Mobile Top 10 covers the most critical mobile application security risks: Improper Credential Usage, Inadequate Supply Chain Security, Insecure Authentication/Authorization, Insufficient Input/Output Validation, Insecure Communication, Inadequate Privacy Controls, Insufficient Binary Protections, Security Misconfiguration, Insecure Data Storage, and Insufficient Cryptography.
- What tools are used for mobile app security testing?
- Essential tools include Frida and objection for dynamic instrumentation, MobSF for automated static and dynamic analysis, Jadx and apktool for Android reverse engineering, Hopper and Ghidra for iOS binary analysis, and proxy tools like Burp Suite or mitmproxy for intercepting API traffic with certificate pinning bypass.
- How is mobile security testing different from web testing?
- Mobile testing adds client-side concerns: local data storage, binary protections, certificate pinning, inter-app communication, and platform-specific features. You must analyze the compiled binary, not just network traffic. Reverse engineering reveals hardcoded secrets, hidden endpoints, and client-side logic that attackers can manipulate.