
Android Mobile App Pentest: Frida, MobSF, and a Genymotion Lab

By Basilisk Team ·

End-to-end setup for dynamic analysis of your own APKs using Frida, MobSF, and Genymotion, with hands-on hooks and a technical checklist.

An APK is a zip file in a trench coat, and that is exactly what makes Android mobile pentesting both fun and surgical. At Basilisk OffSec we build labs that only ever test binaries we own or have written authorization to audit: reverse engineering and tampering with a third-party app without consent can violate computer-misuse law and the app's licence terms in most jurisdictions, so consent is a precondition, not paperwork. Before any Frida hook lands, we define scope, contract, and a real threat model, in the same spirit as STRIDE Threat Modeling in Sprints: A Full Microservice Walkthrough. Skip that step and you are not doing research, you are collecting court dates.

The baseline stack we recommend for 2026 is simple: Genymotion Desktop (Personal Use edition) for x86_64 emulation with optional Google Apps, MobSF in Docker for static and automated dynamic analysis, a current Frida release with frida-tools on the host (frida-server on the device must be the exact same version as the client), objection for fast workflows, and jadx-gui to read the decompiled Java (reach for apktool or baksmali when you need the smali itself). In our experience Genymotion images are faster than a stock AVD on disk IO, and they expose ADB over TCP on port 5555 out of the box. Spin up an Android 13 image, which comes with root access enabled, add Magisk if the target expects Magisk-style root or you want to hide it, and push the frida-server build that matches the image architecture (the android-x86_64 build, not arm64) to /data/local/tmp with 755 permissions, then start it as root. Apps that ship only arm64 native libraries will not load on an x86_64 image without ARM translation, so keep a physical test device for those. In under fifteen minutes you have a reproducible lab, isolated from your production network, which matches the philosophy of Malware Analysis in an Isolated Lab: Safe Setup with FlareVM and REMnux.

MobSF is your first pivot. Launch it with docker run -it -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest, drag the APK into the UI, and it extracts the AndroidManifest, dangerous permissions, hardcoded secrets, the Janus check (APKs signed only with the v1 scheme), WebView usage with setJavaScriptEnabled, and the domains and trust anchors declared in network_security_config. Static scans routinely surface forgotten AWS tokens, Firebase projects with public database rules, and staging endpoints no one was supposed to see. Use that attack surface map to drive dynamic hypotheses, and do not treat the MobSF numeric score as ground truth: every finding needs confirming at runtime or in the decompiled code. Like any SAST, it produces noise, as we covered in AppSec Shift-Left: SAST, SCA and Secrets Scanning Without Slowing the Team.

With the surface mapped, fire up Frida. A classic example is SSL pinning bypass so you can inspect TLS traffic through Burp or mitmproxy. Load the script with frida -U -f com.company.app -l ssl-bypass.js (recent frida-tools resume the spawned app by default, so --no-pause is no longer needed; use --pause if you want to attach before main starts); the hook short-circuits certificate verification in Conscrypt's TrustManagerImpl (checkServerTrusted delegates to verifyChain) and neutralizes okhttp3 CertificatePinner.check. The double hook matters because apps targeting API 24 and above ignore user-installed CAs unless their network_security_config says otherwise, so pushing the Burp CA to the user store is not enough on its own. With pinning and trust checks gone, you route the emulator's traffic through the proxy on your host, capture authenticated JSON payloads, and probe the backend API like a normal web pentest, with Burp configured as in Web Pentesting From Scratch: Building a Safe Lab with DVWA, Juice Shop and Burp Suite. Remember: pinning bypass is only legitimate against the app you are licensed to audit.
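As an added example, not code from the original article: a minimal ssl-bypass.js that does what the paragraph describes. The class and method names are Conscrypt's and OkHttp's public ones; com.company.app in the usage line is a placeholder. The hook logic lives in installPinningBypass(api) so it can be exercised against a stub of Frida's Java API off the device; under plain Node the install step is skipped.

```javascript
// ssl-bypass.js (added example, not from the original article).
// Usage on the host: frida -U -f com.company.app -l ssl-bypass.js
//
// Each target is a Java class/method whose every overload gets replaced.
// 'firstArg' hands back the untrusted chain unchanged, which is the success
// value of TrustManagerImpl.verifyChain; 'void' swallows the check outright.
const TARGETS = [
  { cls: 'com.android.org.conscrypt.TrustManagerImpl', method: 'verifyChain', ret: 'firstArg' },
  { cls: 'okhttp3.CertificatePinner', method: 'check', ret: 'void' },
  { cls: 'okhttp3.CertificatePinner', method: 'check$okhttp', ret: 'void' }, // OkHttp 4 (Kotlin) entry point
];

// api is Frida's `Java` object (or a stub with the same shape in tests).
// Returns the list of "cls.method" names that were actually hooked.
function installPinningBypass(api, log) {
  log = log || console.log;
  const installed = [];
  for (const t of TARGETS) {
    let klass;
    try {
      klass = api.use(t.cls); // throws if the class is not loaded in this app
    } catch (e) {
      log(`[pin] ${t.cls} not loaded, skipping`);
      continue;
    }
    const method = klass[t.method];
    if (!method) {
      log(`[pin] ${t.cls}.${t.method} not found, skipping`);
      continue;
    }
    for (const ov of method.overloads) {
      const sig = ov.argumentTypes.map((a) => a.className).join(', ');
      // Regular function, not an arrow: Frida binds `this` to the Java instance
      // and we need `arguments` to return the chain for verifyChain.
      ov.implementation = function () {
        log(`[pin] bypassed ${t.cls}.${t.method}(${sig})`);
        return t.ret === 'firstArg' ? arguments[0] : undefined;
      };
    }
    installed.push(`${t.cls}.${t.method}`);
  }
  return installed;
}

// Under Frida the Java bridge is present; in plain Node it is not.
if (typeof Java !== 'undefined') {
  Java.perform(() => installPinningBypass(Java));
}
```

Returning the untrusted chain from verifyChain also defeats the CA check, so the proxy certificate only has to be trusted by Burp, not by the device. Conscrypt's verifyChain signature changes between Android releases, which is why the script hooks every overload instead of naming one.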

Once traffic is clean, start hammering the API. The classic vectors come right back: mass assignment, IDOR on /v2/users/{id}, JWTs the server still accepts with alg set to none, GraphQL with introspection wide open. Apply the methodology from REST and GraphQL API Pentest: Technical Checklist for Legal Bug Bounty and, for backend injection, validate candidates with controlled payloads as shown in SQL Injection in Practice: Exploiting, Detecting and Mitigating in a Controlled Lab. Another underrated target is the internal WebView: if the app loads remote HTML without an allowlist and exposes a Java object through addJavascriptInterface, you can chain XSS into a privileged context and call every method annotated @JavascriptInterface from injected JavaScript (list those methods in jadx first), an attack we dissect in Modern XSS: DOM, Stored and Reflected With Real Examples in a Test Lab.

Custom hooks are where the pentester actually shines. Three Frida scripts worth their weight in gold: dump AES keys by hooking the SecretKeySpec constructor, whose first argument is the raw key bytes, upstream of Cipher.init; instrument SharedPreferences.Editor.putString (the concrete class is android.app.SharedPreferencesImpl$EditorImpl) to flag tokens stored in clear text; and hook the FileOutputStream constructor to log everything written under /data/data/com.company.app during login. Pair that with adb shell run-as com.company.app to pull the SQLite databases (run-as only works for debuggable builds; on a rooted Genymotion image use adb root and pull directly) and open them in DB Browser for SQLite. In a recent audit we found refresh_token persisted in clear text with no Keystore-backed protection, a flaw that turned into a full account takeover within one afternoon.
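The three hooks from the paragraph as one Frida agent, added here as an example rather than taken from the article. com.company.app is a placeholder package; the heuristics (toHex, looksLikeToken, isAppPrivatePath) are ours and kept free of Frida calls so they run in Node, and installSecretHooks(api) takes the Java bridge as a parameter for the same reason.

```javascript
// secrets-hooks.js (added example, not from the original article).
// Usage: frida -U -f com.company.app -l secrets-hooks.js
const PKG = 'com.company.app'; // placeholder target package

// Frida hands Java byte[] to JS as an array of signed numbers (-128..127).
function toHex(bytes) {
  return Array.from(bytes, (b) => ((b + 256) % 256).toString(16).padStart(2, '0')).join('');
}

// Heuristic for SharedPreferences values worth a second look: JWTs, keys whose
// name hints at a credential, or long opaque strings without whitespace.
const SECRET_KEY_HINT = /(token|secret|password|passwd|api[_-]?key|session|auth|refresh)/i;
const JWT_RE = /^[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]*$/;

function looksLikeToken(key, value) {
  if (value == null) return false;
  if (JWT_RE.test(value)) return true;
  if (SECRET_KEY_HINT.test(key)) return true;
  return value.length >= 32 && !/\s/.test(value) && new Set(value).size >= 16;
}

// App-private storage in both the legacy and the per-user path layout.
function isAppPrivatePath(path, pkg) {
  pkg = pkg || PKG;
  return path.startsWith(`/data/data/${pkg}/`) || path.startsWith(`/data/user/0/${pkg}/`);
}

function installSecretHooks(api, log) {
  log = log || console.log;

  // 1. Raw key bytes: every SecretKeySpec passes through this constructor before
  //    it ever reaches Cipher.init, whatever the key's origin.
  const SecretKeySpec = api.use('javax.crypto.spec.SecretKeySpec');
  SecretKeySpec.$init.overload('[B', 'java.lang.String').implementation = function (key, alg) {
    log(`[key] ${alg} ${key.length * 8}-bit key = ${toHex(key)}`);
    return this.$init(key, alg);
  };

  // 2. Cleartext persistence: SharedPreferences.Editor is an interface; the
  //    AOSP implementation is SharedPreferencesImpl$EditorImpl.
  const Editor = api.use('android.app.SharedPreferencesImpl$EditorImpl');
  Editor.putString.implementation = function (k, v) {
    if (looksLikeToken(k, v)) log(`[prefs] suspicious putString(${k}) = ${v}`);
    return this.putString(k, v);
  };

  // 3. Files written into the private directory. The other FileOutputStream
  //    constructors delegate to (File, boolean), so one overload covers them.
  const FOS = api.use('java.io.FileOutputStream');
  FOS.$init.overload('java.io.File', 'boolean').implementation = function (file, append) {
    const path = file ? file.getAbsolutePath() : null;
    if (path && isAppPrivatePath(path)) log(`[file] write${append ? ' (append)' : ''} ${path}`);
    return this.$init(file, append);
  };
}

if (typeof Java !== 'undefined') {
  Java.perform(() => installSecretHooks(Java));
}
```

Run it while walking through login, then diff what the hooks report against what run-as or adb pull finds on disk: a key logged by hook 1 that never touches the Keystore, or a value flagged by hook 2, is the finding.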

Do not wrap up before reviewing runtime defenses. Check root detection via RootBeer, Frida detection that scans local ports (frida-server listens on 27042 by default; start it with -l to bind another port and attach with -H instead of -U), emulator detection via Build.FINGERPRINT and its siblings (Build.MODEL, HARDWARE, PRODUCT), and integrity via the Play Integrity API (a Genymotion image will fail the device verdict, so treat it as a control to document rather than one to bypass here). Document exactly how each control was bypassed and propose defense in depth instead of silver bullets. On the server side, harden SSH on the API bastion per SSH Hardening 2026: Algorithms, Certificates and Bastion Hosts and scrub artifacts before shipping the report, as in Metadata Hygiene: Stripping EXIF, PDF and Office Before You Publish. Practical takeaway: run Genymotion, MobSF, and Frida inside a dedicated VM with a clean snapshot per engagement, and never tied to your personal identity.
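An added example, not code from the article, covering the three checks above that Frida can address: RootBeer's class and method names are the library's public ones; emulatorIndicators() mirrors the Build-field matching that common emulator-detection snippets use so you can predict what the app sees; the spoofed Build values are constructed to look like a retail device and are a placeholder, not a recommendation; and the frida-server probe is only logged, since the real fix is moving the port as described above.

```javascript
// anti-detection.js (added example, not from the original article).
// Usage: frida -U -f com.company.app -l anti-detection.js
const DEFAULT_FRIDA_PORT = 27042;

// Build fields and the values common emulator-detection snippets match on.
const EMULATOR_HINTS = {
  FINGERPRINT: [/^generic/i, /vbox/i, /genymotion/i, /emulator/i, /sdk_gphone/i],
  MODEL: [/google_sdk/i, /emulator/i, /android sdk built for/i],
  HARDWARE: [/goldfish/i, /ranchu/i, /vbox86/i],
  PRODUCT: [/^sdk/i, /vbox86p/i, /emulator/i, /simulator/i],
};

// Returns the Build fields that give the emulator away; empty means it passes.
function emulatorIndicators(build) {
  const hits = [];
  for (const [field, patterns] of Object.entries(EMULATOR_HINTS)) {
    const value = build[field] || '';
    if (patterns.some((re) => re.test(value))) hits.push(field);
  }
  return hits;
}

// Constructed values shaped like a retail Pixel build. Keep them consistent
// with the image's API level or the app's own sanity checks will disagree.
const REAL_DEVICE_BUILD = {
  FINGERPRINT: 'google/oriole/oriole:13/TQ3A.230901.001/10750268:user/release-keys',
  MODEL: 'Pixel 6',
  HARDWARE: 'oriole',
  PRODUCT: 'oriole',
  TAGS: 'release-keys',
};

function installAntiDetection(api, log) {
  log = log || console.log;

  // Root detection: RootBeer's boolean entry points all get a hard false.
  try {
    const RootBeer = api.use('com.scottyab.rootbeer.RootBeer');
    for (const name of ['isRooted', 'isRootedWithBusyBoxCheck', 'isRootedWithoutBusyBoxCheck']) {
      if (!RootBeer[name]) continue;
      RootBeer[name].implementation = function () {
        log(`[root] RootBeer.${name}() -> false`);
        return false;
      };
    }
  } catch (e) {
    log('[root] RootBeer not present in this app');
  }

  // Emulator detection: static final String fields are writable through Frida.
  const Build = api.use('android.os.Build');
  for (const [field, value] of Object.entries(REAL_DEVICE_BUILD)) {
    if (!Build[field]) continue;
    Build[field].value = value;
    log(`[emu] Build.${field} = ${value}`);
  }

  // Frida detection: log any socket address built for the default port so the
  // report can name the check. Avoid it by running frida-server on another
  // port (frida-server -l 0.0.0.0:PORT, then frida -H IP:PORT on the host).
  const InetSocketAddress = api.use('java.net.InetSocketAddress');
  for (const hostType of ['java.lang.String', 'java.net.InetAddress']) {
    InetSocketAddress.$init.overload(hostType, 'int').implementation = function (host, port) {
      if (port === DEFAULT_FRIDA_PORT) log(`[frida] app probed ${host}:${port} (frida-server default port)`);
      return this.$init(host, port);
    };
  }
}

if (typeof Java !== 'undefined') {
  Java.perform(() => installAntiDetection(Java));
}
```

Every log line here is report material: the exact method that returned false, the field the app read, the port it probed. That is the evidence the "document exactly how each control was bypassed" step needs.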
