Wireless & Mobile Security · intermediate · ~11 min

Mobile testing: storage, traffic, and the OWASP MASTG

Explain static/dynamic mobile testing, certificate pinning, and the MASTG/Mobile Top 10.

Overview

Mobile testing is static (decompile APK/DEX, review manifest & secrets) plus dynamic (inspect local storage, proxy API traffic, check transport). Certificate pinning blocks proxying and is bypassed on authorized test devices. OWASP MASTG / Mobile Top 10 structure the work (the mobile analogue of the WSTG).

Why it matters

The highest-impact mobile findings — secrets/PII in plaintext local storage and an insecure backend API exposed to the full web/API attack surface — come from combining static and dynamic analysis. Knowing how pinning works and how the MASTG is organized makes mobile assessments systematic rather than ad hoc.

Core concepts

  • Static. Decompile (APK→DEX), review manifest/secrets/crypto.
  • Dynamic. Local storage in plaintext, proxied API traffic (web/API bugs apply), transport.
  • Cert pinning. Blocks the proxy; bypassed on an authorized test device; a defense, not a substitute for server-side checks.
  • MASTG / Mobile Top 10. The framework that structures the work.
  • Legal. Authorized apps/devices only.

Lesson

Mobile assessment combines inspecting the app package and watching it run — structured by OWASP's mobile guidance.

Static analysis

Unpack the app (an APK is a zip; tools decompile DEX to readable code) and review: hardcoded secrets/API keys, the manifest (exported components, debuggable flag, cleartext-traffic allowed), and weak crypto. iOS IPAs are similarly inspected (harder without a jailbreak).

Dynamic analysis

Run the app and observe:

  • Local storage: are credentials/tokens/PII stored in plaintext in the app's files, databases, shared preferences, or logs? (Top finding.)
  • API traffic: proxy the device through Burp/ZAP to see the app's backend calls — then the entire web/API attack surface (BOLA, injection, auth) applies.
  • Insecure transport: cleartext HTTP, or TLS without validation.

Certificate pinning

Apps may pin their server's certificate so a proxy's cert is rejected (you can't see traffic). Testers bypass pinning (on an authorized test device) to inspect traffic; importantly, pinning is a defense that raises the bar — its absence (or trivial bypass) is worth noting, but pinning is not a substitute for server-side checks.

OWASP MASTG / Mobile Top 10

OWASP's Mobile Application Security Testing Guide (MASTG) and the Mobile Top 10 structure mobile testing (improper credential usage, insecure storage/communication, weak crypto/auth, etc.) — the mobile analogue of the WSTG/Top 10 you use for web.

Legality

Test only apps and accounts you're authorized to; use your own test devices.

Summary

Mobile testing pairs static package analysis with dynamic storage/traffic inspection, bypassing certificate pinning on authorized devices to reach the API — all structured by OWASP's MASTG and Mobile Top 10. Insecure storage and the backend API are the richest targets.