Mobile App Penetration Testing — Part 1 (Setup)

4 min readSep 9, 2023

Mobile apps are vulnerable to various security risks and threats due to their connectivity, complexity, and the sensitive data they often handle. Here’s why there is a need to conduct penetration testing (pen-testing) on mobile apps. Penetration testing for mobile apps involves systematically evaluating the app’s security posture through a series of controlled tests, which simulate real-world attacks. The goal is to identify vulnerabilities and weaknesses before malicious actors can exploit them.

In the realm of mobile application security, one name stands out: Angrogoat. This purposely vulnerable mobile application serves as an invaluable playground for security professionals, allowing them to test their skills and knowledge by identifying and exploiting a wide range of vulnerabilities. In this blog post, we embark on a thorough assessment of Angrogoat, delving into its various vulnerabilities and shedding light on the importance of identifying and addressing them.

The Playground of Vulnerabilities:

Root Detection and Emulator Detection:

These vulnerabilities target the identification of rooted devices and emulators, crucial for ensuring the security of your app against potential attackers.

Insecure Data Storage (Shared Preferences):

Angrogoat exposes vulnerabilities in how apps handle sensitive data, emphasizing the importance of secure storage practices.

Insecure Data Storage (SQLite):

Database security is paramount. Angrogoat’s SQLite vulnerability highlights the need for robust encryption and access controls.

Insecure Data Storage (Temp Files and SD Card):

Temporary files and external storage are often overlooked but can be exploited by malicious actors. Angrogoat shines a light on these weak points.

Keyboard Cache:

The keyboard cache vulnerability underscores the importance of user privacy and data leakage prevention.

Insecure Logging:

Proper logging practices are vital. Angrogoat demonstrates the risks of inadequate logging, which can inadvertently expose sensitive information.

Input Validations (XSS, SQLi, WebView):

Security begins with proper input validation. Angrogoat exposes the dangers of Cross-Site Scripting (XSS), SQL Injection (SQLi), and insecure WebView implementations.

Unprotected Android Components (Activity):

Android components, such as Activities, should be well-protected. Angrogoat reveals the risks associated with unprotected components.

Hardcoding Issues:

Hardcoded values are security vulnerabilities waiting to be exploited. Angrogoat’s examples serve as a cautionary tale.

Network Intercepting (HTTP, HTTPS, Certificate Pinning):

Angrogoat covers network security, including the interception of HTTP and HTTPS traffic, and the challenges presented by certificate pinning.

Tools that will be used in this activity:

Mobile Emulator — Platform for testing
Jadx — Usually used for Static Analysis
Bash or cmd — Helping hand for overall activity
Abd — Android debugger bridge for providing interaction to mobile shell
Frida or objection — for hooking
Burp Suite — For dynamic analysis

In the realm of mobile application security testing, I’ve opted for the Memu emulator as my preferred choice, although I respect your freedom to select any emulator that aligns with your preferences and requirements. The decision to leverage Memu emanates from its well-established reputation for versatility, reliability, and comprehensive feature set. Memu excels in its compatibility across a spectrum of Android versions, resource-efficient performance, extensive customization capabilities, and seamless integration with leading security testing tools.