Mobile Application Penetration Testing Framework using Data Fusion

Abstract

The rise of mobile applications has brought about significant security challenges, making thorough security testing an essential element of the development process. While manual penetration tests offer in-depth assessments, they require considerable resources and are difficult to scale. Existing automated tools generally operate in isolation, focusing either on static or dynamic analysis, which leads to an incomplete insight into an application\'s security condition. This paper presents the Mobile Application Penetration Testing Framework (MAPTF), an innovative, integrated solution aimed at automating and enhancing the security evaluation of Android applications. MAPTF utilizes a hybrid approach, merging static analysis (SAST), dynamic analysis (DAST), and network traffic analysis within a single, web-based infrastructure. It coordinates a collection of specialized tools, such as APKiD, Frida, and OWASP ZAP, to execute a thorough analysis. Significant features of this framework include a data fusion engine that aggregates findings from various sources, a heuristic-based risk scoring system that quantifies the security posture, and the automated creation of detailed, actionable reports. By incorporating multiple analytical methods, MAPTF offers a comprehensive and user-friendly platform for developers and security professionals to effectively identify and address vulnerabilities.

Introduction

I. Overview

The Android OS, dominating the global mobile market, supports apps handling sensitive data. This makes Android a prime target for cyberattacks, necessitating robust security testing. Traditional manual penetration testing, though effective, is time-consuming and expensive. Automated tools have emerged but face two main issues:

• Fragmented Analysis: Static and dynamic tools often miss context or runtime behavior.

• Lack of Integration: Outputs from various tools require manual consolidation.

To address this, MAPTF (Mobile Application Penetration Testing Framework) was developed as an automated, unified framework combining static, dynamic, and network analysis for Android (APK) and iOS (IPA) applications.

II. Related Work

• MobSF: Offers comprehensive analysis but can be complex to manage.

• MAPTF Improvements: Modular, lightweight (Flask-based), with fallback analysis and an intuitive UI.

• Uses key tools:

  • Androguard, APKTool, APKiD for static analysis

  • Frida for dynamic analysis

  • ZAP and Burp Suite for network traffic inspection

III. MAPTF Architecture

MAPTF has four key layers:

1. User Interface Layer: Web dashboard for uploads, progress tracking, and report downloads.

2. Core Engine: Main Flask app (main.py) that orchestrates all tasks and analysis modules.

3. Analysis Layer:

   • Static: Decompilation, permissions check, malware signature detection

   • Dynamic: API tracing, file system monitoring with Frida

   • Network: API endpoint scanning using OWASP ZAP

4. Data & Reporting Layer: Aggregates results and generates reports (web + PDF)

IV. Workflow

1. User Authentication and Upload

2. Analysis Pipeline: Executes static, dynamic, and network assessments

3. Data Fusion Engine: Correlates findings and assigns severity scores

4. Report Generation: Provides actionable summaries with a quantified risk score

V. Results & Analysis

Test Application: “freenet” (Android & iOS versions)

A. Static Analysis

• Android:

  • Detected exported login activity (risk of hijacking)

  • Found hardcoded API key

  • Dangerous permission: READ_SMS

• iOS:

  • NSAllowsArbitraryLoads = true → insecure HTTP allowed

  • Unjustified camera access

  • Hardcoded API key

B. Dynamic Analysis (with Frida)

• Password stored in world-readable file: /sdcard/tmp/

• Confirmed exported activity could be abused at runtime

C. Network Analysis (with ZAP & Burp Suite)

• Profile data fetched via unencrypted HTTP

• Discovered vulnerabilities:

  • Missing Content-Security-Policy (CSP) header

  • Session cookie lacked HttpOnly flag

VI. Tool Comparison Table

Conclusion

The Mobile Application Penetration Testing Framework (MAPTF) represents an important advancement in developing a more effective, user-friendly, and all-encompassing solution for testing security on Android devices [9]. By integrating static, dynamic, and network analysis into a single, automated pipeline, it empowers developers and security analysts to identify and remediate vulnerabilities more effectively than with standalone tools. Future work will focus on adding iOS support, integrating machine learning models to improve vulnerability detection, and enabling seamless integration into CI/CD pipelines for a true DevSecOps workflow.

References

[1] B. ÖZGÜR, ?. A. DO?RU, G. UÇTU and M. Alkan, \"A Suggested Model for Mobile Application Penetration Test Framework,\" 2021 International Conference on Information Security and Cryptology (ISCTURKEY), Ankara, Turkey, 2021, pp. 18-21, doi: 10.1109/ISCTURKEY53027.2021.9654417. [2] Daraojimba, E.C., Nwasike, C.N., Adegbite, A.O., Ezeigweneme, C.A. and Gidiagba, J.O., 2024. Comprehensive review of agile methodologies in project management. Computer Science & IT Research Journal, 5(1), pp.190-218. [3] Malek, S., Esfahani, N., Kacem, T., Mahmood, R., Mirzaei, N. and Stavrou, A., 2012, June. A framework for automated security testing of android applications on the cloud. In 2012 IEEE Sixth International Conference on Software Security and Reliability Companion (pp. 35-36). IEEE. [4] Androguard. (2021). Reverse-engineering, Malware and goodware analysis of Android applications. GitHub. [5] https://owasp.org/www-project-mobile-app-security/ [6] https://www.opsmx.com/blog/ensuring-api-security-with-owasp-zap-a-step-by-step-guide/ [7] https://www.isaca.org/resources/isaca-journal/issues/2021/volume-2/risk-assessment-and-analysis-methods [8] Frida. (2022). Dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers. Frida.re. [9] https://mas.owasp.org/MASTG/0x04b-Mobile-App-Security-Testing/ [10] WASP. (2023). OWASP Zed Attack Proxy (ZAP). zaproxy.org. interface,” IEEE Transl. J. Magn. Japan, vol. 2, pp. 740–741, August 1987 [Digests 9th Annual Conf. Magnetics Japan, p. 301, 1982]. [11] Xiong, P. and Peyton, L., 2010, August. A model-driven penetration test framework for Web applications. In 2010 Eighth International Conference on Privacy, Security and Trust (pp. 173-180). IEEE. [12] Kraunelis, J., Fu, X., Yu, W. and Zhao, W., 2018, May. A framework for detecting and countering android UI attacks via inspection of IPC traffic. In 2018 IEEE International Conference on Communications (ICC) (pp. 1-6). IEEE. [13] Bennouk, K., Ait Aali, N., El Bouzekri El Idrissi, Y., Sebai, B., Faroukhi, A.Z. and Mahouachi, D., 2024. A comprehensive review and assessment of cybersecurity vulnerability detection methodologies. Journal of Cybersecurity and Privacy, 4(4), pp.853-908. [14] https://library.mosse-institute.com/articles/2022/03/introduction-to-the-penetration-testing-workflow/introduction-to-the-penetration-testing-workflow.html [15] Adamski, J., Janiszewski, M. and Rytel, M., 2025. IoT Mobile Applications Pentesting–Methodology and Results of Research. IEEE Internet of Things Journal. [16] Velu, V.K., 2016. Mobile Application Penetration Testing. Packt Publishing Ltd.

Copyright

Copyright © 2025 Gunde Shravan Kumar, Dr. K. Suresh Babu . This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.