Do I need to own a jailbroken iPhone or rooted Android device?

No. We provide rooted Android emulators and shared access to jailbroken iOS test devices in the lab environment. Students with their own compatible test devices are welcome to use them, but it is not required.

Is the course online or in-person?

Both formats are available. In-person sessions run at our Indore center with physical access to test devices. Online students receive live instruction and remote access to the same emulators and shared test devices.

What tools will I learn?

MobSF, Frida, Objection, jadx, Apktool, Ghidra, Hopper, Cycript, Drozer, Burp Suite, Genymotion and Android Studio emulators, and Python scripting for custom Frida modules. Every tool is used across the engagement-style labs.

Does this course prepare me for OSCP+ or CEH?

This is a mobile specialization, but it strongly reinforces the offensive methodology and reporting discipline expected by OSCP+ and CEH. OSCP+ alignment is listed first in our certification preparation, followed by CEH and mobile-specific certifications such as MASE, GMOB, and eMAPT.

Do you offer a retest for the final assessment?

Yes. Students who do not clear the final practical assessment on the first attempt are eligible for one free retest within 60 days, subject to instructor sign-off on remediation work.

What is the refund policy?

A full refund is available before the second class. After that, partial refunds are considered on a case-by-case basis. Full details are shared during enrollment.

// Mobile Application Security

Mobile Application Penetration Testing

Master offensive security testing of iOS and Android applications aligned to OWASP MASVS and OWASP MASTG. Learn static and dynamic analysis, reverse engineering, runtime instrumentation with Frida and Objection, root and jailbreak detection bypass, certificate pinning bypass, IPC abuse, insecure storage discovery, and mobile backend API testing.

Duration

3 Months / 12 Weeks / 90 Hours

Level

Advanced

Modules

14 Modules

Format

Hands-on Labs

// Course Overview

What You'll Learn

The Mobile Application Penetration Testing course is designed for penetration testers, application security engineers, bug bounty hunters, and mobile developers who want to specialize in iOS and Android security assessment. The curriculum is anchored on OWASP MASVS verification requirements and the OWASP Mobile Application Security Testing Guide (MASTG). You will reverse engineer APKs and IPAs, perform static and dynamic analysis, hook runtime functions with Frida and Objection, bypass root and jailbreak detection, defeat certificate pinning, exploit IPC vulnerabilities, identify insecure data storage, and assess the mobile backend API attack surface using Burp Suite. Labs run on real jailbroken iOS test devices and Android emulators.

// Prerequisites

- Solid penetration testing or application security foundation
- Working knowledge of HTTP and web application testing with Burp Suite
- Comfort with Linux command line and Git
- Basic understanding of Java or Kotlin (Android) and Objective-C or Swift (iOS) helpful
- Familiarity with Python scripting
- Laptop with 16GB+ RAM and virtualization support

mapt--syllabus

$ armour --training mapt --info

[*] Course: Mobile Application Penetration Testing

[*] Duration: 3 Months / 12 Weeks / 90 Hours

[*] Level: Advanced

[!] 14 modules | 107 topics

[+] Lab environment: READY

[+] Certification prep: INCLUDED

$ _

// Syllabus

Complete Course Modules

Mobile Security Landscape & Threat Modeling

> iOS vs Android security architecture
> Mobile attack surface overview
> Threat modeling for mobile applications
> OWASP MASVS verification levels (L1, L2, R)
> OWASP MASTG methodology
> Engagement scoping and rules of engagement
> Reporting standards for mobile assessments

Android Platform Internals

> Android architecture and runtime (ART)
> APK structure and manifest
> Application sandboxing and permissions
> Activities, Services, Broadcast Receivers, Content Providers
> Intents and intent filters
> Android Keystore and KeyChain
> SELinux on Android
> Android security updates and patch levels

iOS Platform Internals

> iOS architecture and Mach-O binaries
> IPA structure and code signing
> App sandbox and entitlements
> Keychain Services
> Data Protection API and file protection classes
> URL schemes and Universal Links
> App Transport Security (ATS)
> iOS security updates and SEP

Lab Setup: Devices, Emulators & Tooling

> Setting up Android emulators with Genymotion and AVD
> Rooting Android emulators and physical test devices
> Configuring jailbroken iOS test devices
> Installing Frida, Objection, MobSF, jadx, Apktool, Drozer
> Configuring Burp Suite with mobile proxies and CA certs
> Ghidra and Hopper for binary analysis
> Cycript for legacy iOS hooking
> Lab hygiene and isolation

Android Static Analysis

> Decompiling APKs with jadx and Apktool
> Reading AndroidManifest.xml for exposed components
> Hunting hardcoded secrets, API keys, and endpoints
> Reviewing smali for sensitive logic
> Detecting insecure cryptography
> Automated scanning with MobSF
> Identifying debuggable and backup flags
> Mapping findings to OWASP MASVS

iOS Static Analysis

> Extracting and decrypting IPAs
> Analyzing Mach-O binaries with Hopper and Ghidra
> Inspecting Info.plist and entitlements
> Hunting secrets and endpoints in binaries
> Detecting insecure cryptography and weak randomness
> Class-dump and Objective-C runtime introspection
> Reviewing Swift symbols
> Static scanning with MobSF for iOS

Dynamic Analysis & Runtime Instrumentation

> Frida architecture and scripting fundamentals
> Objection for guided runtime exploration
> Method hooking and replacement
> Dumping memory, classes, and keychains at runtime
> Tracing native and Java/Kotlin function calls
> Hooking Swift and Objective-C methods
> Drozer for Android attack surface enumeration
> Building reusable Frida script libraries

Root & Jailbreak Detection Bypass

> Common root detection techniques on Android
> Common jailbreak detection techniques on iOS
> Hooking detection routines with Frida
> Patching binaries with Apktool and Objection
> Bypassing integrity checks (SafetyNet, Play Integrity, DeviceCheck)
> Defeating emulator and debugger detection
> Repackaging and resigning apps

Certificate Pinning Bypass

> How TLS pinning works on Android and iOS
> Detecting pinning implementations
> Bypassing OkHttp, TrustManager, and Network Security Config pinning
> Bypassing NSURLSession and AFNetworking pinning on iOS
> Frida and Objection pinning bypass scripts
> Defeating custom and native pinning libraries
> Handling Flutter and React Native pinning

Insecure Data Storage

> Shared Preferences and internal storage on Android
> SQLite databases and content providers
> External storage and scoped storage risks
> NSUserDefaults and plist files on iOS
> Keychain misuse and weak access groups
> Cached files, snapshots, and pasteboard leakage
> Logging sensitive data
> Auditing backups and cloud sync

IPC & Component Vulnerabilities

> Exported activities, services, and broadcast receivers
> Intent redirection and intent spoofing
> Insecure content providers and SQL injection
> Deep link and URL scheme hijacking
> Universal Link and App Link abuse
> PendingIntent and XPC vulnerabilities on iOS
> WebView misconfigurations and JavaScript bridge abuse
> Inter-app data leakage

Runtime Manipulation & Tampering

> Bypassing business logic via runtime hooks
> Forcing premium and feature flags
> Manipulating in-app purchase flows for testing
> Local authentication bypass (biometrics, PIN)
> Memory tampering and credential extraction
> Defeating obfuscation (ProGuard, R8, Swift Shield)
> Anti-tampering and integrity checks

Mobile Backend API Testing

> Proxying mobile traffic through Burp Suite
> Handling certificate pinning during proxying
> Authentication and session attacks against mobile APIs
> Authorization flaws and BOLA in mobile backends
> Mass assignment and parameter tampering
> GraphQL and gRPC mobile backends
> Rate limiting, abuse, and account takeover paths
> Mapping findings to OWASP API Security Top 10

Reporting & OWASP MASVS Verification

> Structuring mobile penetration test reports
> Severity scoring tailored to mobile context
> Mapping every finding to OWASP MASVS controls
> Producing MASTG-aligned evidence
> Communicating risk to mobile and product teams
> Retesting workflow and remediation validation
> Continuous mobile security programs

// Outcomes

Learning Outcomes

Scope and execute end-to-end mobile penetration tests on iOS and Android
Perform static analysis of APKs and IPAs to extract secrets and identify weaknesses
Conduct dynamic analysis and runtime instrumentation with Frida and Objection
Reverse engineer Android and iOS binaries with jadx, Apktool, Ghidra, and Hopper
Bypass root, jailbreak, and integrity detection mechanisms
Bypass TLS certificate pinning across native, Flutter, and React Native apps
Identify and exploit IPC vulnerabilities and insecure component exposure
Discover insecure data storage in Shared Preferences, plist, SQLite, and Keychain
Test mobile backend APIs through Burp Suite with proper proxying setup
Map findings to OWASP MASVS and document them following OWASP MASTG
Produce professional mobile penetration test reports with prioritized remediation

// Lab Environment

Hands-On Labs

Genymotion and Android Studio emulators with rooted images
Jailbroken iOS test devices for hands-on iOS labs
Vulnerable Android and iOS practice applications
MobSF preconfigured for automated static and dynamic scanning
Frida and Objection installed across all lab devices
jadx, Apktool, Ghidra, Hopper, and Cycript toolchain
Drozer attack framework for Android component testing
Burp Suite with mobile proxy and CA configuration
Custom Frida script library for pinning and root detection bypass
Mobile backend API targets for end-to-end engagement labs

Certification Preparation

+OSCP+ (Offensive Security Certified Professional+)Advanced Offensive Security Certification
+CEH (Certified Ethical Hacker)
+MASE (Mobile Application Security Expert)
+GMOB (GIAC Mobile Device Security Analyst)
+OWASP MASVS and MASTG aligned methodology
+eMAPT (eLearnSecurity Mobile Application Penetration Tester) foundations

// Training Mode

Training Mode

One unified programme delivered in two parallel modes — same curriculum, same trainers, same certification.

Online Live Classes (Instructor-led)
On-Premise Classroom Training (Indore Centre)
Both modes run concurrently
Students can choose either mode
Same curriculum for both formats
Same certification for both tracks

// Instructor

Meet Your Instructor

Armour Infosec Mobile Security Team

Lead Mobile Penetration Testing Instructor

Our mobile security instructors are active penetration testers who assess production iOS and Android applications for enterprise clients and bug bounty programs. They bring deep experience with Frida, Objection, MobSF, jadx, Apktool, Ghidra, Hopper, Cycript, Drozer, and Burp Suite, along with hands-on familiarity testing on jailbroken iOS devices and rooted Android emulators against real-world hardening like Play Integrity, DeviceCheck, and custom pinning libraries.

OSCP+CEHOSWEGMOBeMAPT

// Testimonials

What Students Say

“The Frida and Objection labs are the strongest part. Bypassing pinning and root detection on real apps felt routine by the end of the course.”

Rohan T.

Mobile Security Engineer

“I came from a web app background and this course made iOS approachable. The MASVS and MASTG mapping turned my reports from generic to genuinely useful.”

Anjali D.

Penetration Tester

“The IPC and deep link modules paid for the course on my first mobile bounty. Insecure content providers and exported activities are now my go-to first checks.”

Manish G.

Bug Bounty Hunter

// FAQ

Frequently Asked Questions

Common questions about the course, enrollment, and certification.

Ready to Enroll?

Secure your spot in the next batch. Limited seats available for hands-on lab access.

Enroll Now Download Syllabus