Cybersecurity, learned like a practitioner.
24 learning paths · 398 modules live · every lesson written by someone who has shipped the control or run the engagement. Free to start.
Mobile App Penetration Testing · modules
Android + iOS pentesting. Frida, Objection, keychain, API surface, and defeating app hardening.
Module 13 · Android Permission Model
Android 6.0+ introduced runtime permissions. Android 11+ added more restrictions. Mobile pentesters check permission patterns; defenders limit ask. The categories Normal — auto-granted (network, vibrate) Dangerous — runtime permission required (location, camera, contacts) Signature — only granted to apps signed with same cert as system Special — Settings opt-in (overlay, accessibility, device admin) What pentesters […]
Module 15 · Mobile Pentest Reporting
OWASP MASVS (Mobile Application Security Verification Standard) is the reporting baseline. MASTG (Testing Guide) is the methodology. MASVS verification levels L1 (Standard) — basic security; suitable for most apps L2 (Defense in Depth) — for apps handling sensitive data R (Resiliency) — additional resistance to client-side attacks; for high-value targets The categories tested Architecture, design, […]
Module 9 · Android Keystore & Secure Storage
Android Keystore generates and stores cryptographic keys in hardware (TEE / StrongBox on supported devices). Apps that store secrets correctly use it; many don’t. The hierarchy SharedPreferences — plaintext file in app sandbox. NOT secure. EncryptedSharedPreferences — wraps with key from Keystore. Standard. Keystore-bound key — never leaves hardware. Highest security. Biometric-bound key — only […]
Module 10 · iOS Keychain & Data Protection
iOS Keychain is hardware-backed. Data Protection classes determine when items are accessible. Data Protection classes kSecAttrAccessibleWhenUnlocked — accessible only when device unlocked. Default for new items. kSecAttrAccessibleAfterFirstUnlock — after first unlock until reboot. For background tasks. kSecAttrAccessibleAlways — anytime. AVOID; deprecated. WhenPasscodeSet variants — only if user has passcode set; deletes if passcode removed. WhenUnlockedThisDeviceOnly […]
Module 11 · Deep Links & URL Schemes
Deep links let other apps invoke yours. Misimplemented, they become attack vectors: open phishing pages, leak tokens, hijack flows. Two patterns Custom URL schemes (myapp://login) — any app can register; squatter wins. Insecure. Universal Links (iOS) / App Links (Android) — domain-verified via well-known file. Only your app handles the URL. App Links setup Android: […]
Module 6 · Mobile Static Analysis — APK & IPA
Mobile pentesting starts with the binary. APK and IPA files contain code, resources, configuration, often secrets. Android — APK analysis # Extract APK apktool d app.apk -o app-extracted # Decompile to Java jadx -d output app.apk # Run automated MobSF scan docker run -p 8000:8000 opensecurity/mobile-security-framework-mobsf # Upload APK; get full report iOS — IPA […]
Module 2 · Android Pentesting with Objection & Frida
Hands-on Android pentest workflow: Frida server, Objection REPL, SSL pinning bypass, local storage, runtime hooking.
Module 3 · iOS Pentesting Fundamentals
iOS device options (jailbreak, Corellium), pulling decrypted IPAs, class-dump, keychain inspection, URL schemes, pinning bypass.
Practitioners who've
shipped the controls.
Every module is written by someone who has built the defence or run the engagement. No repackaged tutorials, no generic theory.
Why learn here
Practitioner-written.
Each lesson is authored by someone who has shipped the control or run the engagement in production.
Quiz after every module.
20+ questions with explanations. 70%+ to mark complete. Unlimited retries.
Progress tracked.
Completions, scores and streaks saved automatically. Resume exactly where you left off.
India-priced.
Start free. ₹499/mo for intermediate. ₹4,999/yr for advanced. No hidden fees, ever.