Cybersecurity, learned like a practitioner.

24 learning paths · 398 modules live · every lesson written by someone who has shipped the control or run the engagement. Free to start.


Mobile App Penetration Testing · modules

Android + iOS pentesting. Frida, Objection, keychain, API surface, and defeating app hardening.

14 results · Page 1/2
Mobile App Penetration Testing Intermediate Free

Module 13 · Android Permission Model

Android 6.0+ introduced runtime permissions. Android 11+ added more restrictions. Mobile pentesters check permission patterns; defenders limit what the app asks for.

The categories

- Normal — auto-granted (network, vibrate)
- Dangerous — runtime permission required (location, camera, contacts)
- Signature — only granted to apps signed with same cert as system
- Special — Settings opt-in (overlay, accessibility, device admin)

What pentesters […]

Apr 27, 2026 · 20 min
Mobile App Penetration Testing Advanced Free

Module 14 · Mobile Malware Analysis Workflow

Indian users are targeted by mobile banking trojans regularly. Defenders need to understand the patterns.

Common Android malware patterns

- Accessibility service abuse — read screen, autofill credentials, dismiss prompts
- SMS interception — intercept OTPs from banks
- Overlay attacks — display fake login screen on top of legitimate banking app
- Notification listening — read notifications including […]

Apr 27, 2026 · 20 min
Mobile App Penetration Testing Intermediate Free

Module 15 · Mobile Pentest Reporting

OWASP MASVS (Mobile Application Security Verification Standard) is the reporting baseline. MASTG (Testing Guide) is the methodology.

MASVS verification levels

- L1 (Standard) — basic security; suitable for most apps
- L2 (Defense in Depth) — for apps handling sensitive data
- R (Resiliency) — additional resistance to client-side attacks; for high-value targets

The categories tested

Architecture, design, […]

Apr 27, 2026 · 20 min
Mobile App Penetration Testing Intermediate Free

Module 6 · Mobile Static Analysis — APK & IPA

Mobile pentesting starts with the binary. APK and IPA files contain code, resources, configuration, often secrets.

Android — APK analysis

    # Extract APK
    apktool d app.apk -o app-extracted

    # Decompile to Java
    jadx -d output app.apk

    # Run automated MobSF scan
    docker run -p 8000:8000 opensecurity/mobile-security-framework-mobsf
    # Upload APK; get full report

iOS — IPA […]

Apr 27, 2026 · 25 min
Mobile App Penetration Testing Advanced Free

Module 7 · Frida & Objection — Runtime Mobile Analysis

Frida injects JavaScript into running mobile apps. Objection wraps Frida with ready-made tools. Together: bypass any client-side check.

Common bypasses

    # SSL pinning bypass (so Burp can intercept)
    objection -g com.example.app explore
    android sslpinning disable

    # Jailbreak/root detection bypass
    ios jailbreak disable
    android root disable

    # Hook a specific method
    android hooking watch class_method com.example.MyClass.checkLicense […]

Apr 27, 2026 · 25 min
Mobile App Penetration Testing Intermediate Free

Module 9 · Android Keystore & Secure Storage

Android Keystore generates and stores cryptographic keys in hardware (TEE / StrongBox on supported devices). Apps that store secrets correctly use it; many don’t.

The hierarchy

- SharedPreferences — plaintext file in app sandbox. NOT secure.
- EncryptedSharedPreferences — wraps with key from Keystore. Standard.
- Keystore-bound key — never leaves hardware. Highest security.
- Biometric-bound key — only […]

Apr 27, 2026 · 20 min
Mobile App Penetration Testing Intermediate Free

Module 10 · iOS Keychain & Data Protection

iOS Keychain is hardware-backed. Data Protection classes determine when items are accessible.

Data Protection classes

- kSecAttrAccessibleWhenUnlocked — accessible only when device unlocked. Default for new items.
- kSecAttrAccessibleAfterFirstUnlock — after first unlock until reboot. For background tasks.
- kSecAttrAccessibleAlways — anytime. AVOID; deprecated.
- WhenPasscodeSet variants — only if user has passcode set; deletes if passcode removed.
- WhenUnlockedThisDeviceOnly […]

Apr 27, 2026 · 20 min
Mobile App Penetration Testing Intermediate Free

Module 11 · Deep Links & URL Schemes

Deep links let other apps invoke yours. Misimplemented, they become attack vectors: open phishing pages, leak tokens, hijack flows.

Two patterns

- Custom URL schemes (myapp://login) — any app can register; squatter wins. Insecure.
- Universal Links (iOS) / App Links (Android) — domain-verified via well-known file. Only your app handles the URL.

App Links setup

Android: […]

Apr 27, 2026 · 20 min
Mobile App Penetration Testing Advanced Free

Module 12 · Runtime Tampering Detection

Many apps add “tamper detection”: Frida hook detection, jailbreak/root detection, debugger detection. Attackers bypass them all (Module 7). Why bother?

Why detection still has value

- Raises attacker effort
- Generates telemetry — when an account triggers tamper detection, treat as suspicious server-side
- Combined with server-side enforcement, raises bar significantly

What to detect

Frida-server processes / TCP […]

Apr 27, 2026 · 20 min
Mobile App Penetration Testing Beginner Members

Module 1 · Mobile App Security Threat Model

How mobile apps differ from web, Android/iOS security models, OWASP Mobile Top 10, lab setup, and scoping questions.

Apr 22, 2026 · 60 min
02 / Why learn here

Practitioners who've shipped the controls.

Every module is written by someone who has built the defence or run the engagement. No repackaged tutorials, no generic theory.

01

Practitioner-written.

Each lesson is authored by someone who has shipped the control or run the engagement in production.

02

Quiz after every module.

20+ questions with explanations. 70%+ to mark complete. Unlimited retries.

03

Progress tracked.

Completions, scores and streaks saved automatically. Resume exactly where you left off.

04

India-priced.

Start free. ₹499/mo for intermediate. ₹4,999/yr for advanced. No hidden fees, ever.