Mobile Pentest — PhantomYerra Help

Prerequisites

APK file (Android) or IPA file (iOS) from client
Physical device or emulator with USB debugging enabled (for dynamic analysis)
Android: ADB installed, device in developer mode
iOS: Jailbroken device or Corellium subscription for iOS dynamic testing
Written authorization covering the mobile app and its backend APIs

1

Select Mobile Pentest from Home Screen

Click 📱 Mobile Pentest. Select platform: Android, iOS, or Both.
2

Upload APK / IPA

Drag and drop the APK or IPA file onto the upload zone. PhantomYerra validates the file, calculates SHA-256, and prepares it for analysis.

💡 For Android: obtain the APK with adb shell pm path com.target.app then adb pull [path]. For iOS: export from Xcode Archive or request from client.
3

Complete Mobile Wizard

Platform : Android / iOS / Both App Version : [auto-detected from manifest] Backend API : Include API testing? Yes/No → enter API URL Device : Connected device or emulator (for dynamic) Auth : App login credentials for authenticated dynamic testing Scope : App binary + backend API + local storage
4

Claude Runs the Mobile Test Pipeline

Phase 1: Static analysis — MobSF decompile, apktool, jadx Phase 2: Secrets scan — API keys, hardcoded passwords, tokens in APK Phase 3: Permission audit — dangerous permissions, over-privileged access Phase 4: SSL pinning check — detect pinning implementation Phase 5: Dynamic analysis — Frida hooking, Objection bypass Phase 6: Traffic intercept — HTTP/S traffic via proxy with cert installed Phase 7: Backend API test — all endpoints discovered from traffic Phase 8: Storage analysis — SQLite DBs, SharedPrefs, files on device
5

Review Findings and Generate Mobile Security Report

Report includes: app info, permission analysis, static findings, dynamic findings, API security findings, OWASP Mobile Top 10 coverage, and remediation guidance.

⏱️ Static analysis: 15–30 minutes. Full dynamic analysis: 2–4 hours.

Prerequisites

apktool, jadx, MobSF installed
Frida, Objection installed (frida-tools via pip)
Android: ADB, rooted device or emulator
iOS: Frida on jailbroken device, SSL Kill Switch
Burp Suite or mitmproxy for traffic interception

1

Android Static Analysis

# Decompile APK apktool d app.apk -o app_decompiled/ jadx -d app_jadx/ app.apk # Find secrets grep -r "api_key\|password\|secret\|token\|Bearer" app_decompiled/ grep -r "http://\|https://" app_decompiled/res/ | grep -v "schemas.android" # Check AndroidManifest.xml cat app_decompiled/AndroidManifest.xml | grep -E "permission|exported|debuggable"
2

ADB Device Setup

adb devices # confirm device connected adb shell getprop ro.build.version.release # Android version adb install app.apk # install test app adb shell pm list packages | grep target # confirm installed
3

SSL Pinning Bypass with Frida / Objection

# Start frida-server on device first (push to /data/local/tmp/) adb push frida-server /data/local/tmp/ adb shell chmod +x /data/local/tmp/frida-server adb shell /data/local/tmp/frida-server & # Objection SSL pinning bypass objection -g com.target.app explore # In objection shell: android sslpinning disable # Direct Frida script frida -U -f com.target.app \ -l ssl_pinning_bypass.js \ --no-pause
4

Traffic Interception

# Configure device proxy → Burp Suite (192.168.1.x:8080) # Install Burp CA cert on device: # Settings → Security → Install certificate → burp_ca.der # For Android 7+: add network_security_config.xml # Or use Magisk + MagiskTrustUserCerts module
5

Local Storage Analysis

adb shell run-as com.target.app ls /data/data/com.target.app/ adb shell run-as com.target.app cat databases/app.db adb shell run-as com.target.app cat shared_prefs/prefs.xml # Pull all app data adb backup -f backup.ab com.target.app dd if=backup.ab bs=24 skip=1 | zlib-flate -uncompress | tar xf -
6

iOS Testing (Jailbroken)

# Install Frida on device via Cydia/Sileo # SSH into device ssh root@[device_ip] # List apps frida-ps -U | grep -i target # Dump IPA frida-ios-dump -u root -p alpine \ -H [device_ip] com.target.app # Objection on iOS objection -g com.target.app explore ios sslpinning disable

⏱️ Duration: Static analysis 2–4 hours. Full dynamic assessment 1–3 days.

Common Issues

Ensure the frida-server binary matches the device architecture (arm64 for modern devices, x86 for emulator). Download from github.com/frida/frida/releases — match the version exactly to your installed frida-tools. Run with adb shell su -c "/data/local/tmp/frida-server &" for root.

The app may use certificate transparency or custom pinning not covered by the standard bypass. Try: android sslpinning disable --quiet. If that fails, use the TrustMeAlready Xposed module or write a custom Frida script targeting the specific pinning class found via jadx analysis. Check the decompiled code for custom TrustManager implementations.

The APK may be split (Android App Bundle). Request a universal APK from the client or use bundletool build-apks --bundle=app.aab --output=app.apks --mode=universal to generate a universal APK. MobSF requires a standard APK, not an AAB.

Mobile Application Pentest

Prerequisites

Select Mobile Pentest from Home Screen

Upload APK / IPA

Complete Mobile Wizard

Claude Runs the Mobile Test Pipeline

Review Findings and Generate Mobile Security Report

Prerequisites

Upload APK and Complete Wizard

Approve Static Analysis

Approve Dynamic Testing Steps

Prerequisites

Android Static Analysis

ADB Device Setup

SSL Pinning Bypass with Frida / Objection

Traffic Interception

Local Storage Analysis

iOS Testing (Jailbroken)

Common Issues

Mobile Application Pentest

Prerequisites

Select Mobile Pentest from Home Screen

Upload APK / IPA

Complete Mobile Wizard

Claude Runs the Mobile Test Pipeline

Review Findings and Generate Mobile Security Report

Prerequisites

Upload APK and Complete Wizard

Approve Static Analysis

Approve Dynamic Testing Steps

Prerequisites

Android Static Analysis

ADB Device Setup

SSL Pinning Bypass with Frida / Objection

Traffic Interception

Local Storage Analysis

iOS Testing (Jailbroken)

Common Issues

Related Topics