The rise of mobile applications has brought about significant security challenges, making thorough security testing an essential element of the development process. While manual penetration tests offer in-depth assessments, they require considerable resources and are difficult to scale. Existing automated tools generally operate in isolation, focusing either on static or dynamic analysis, which leads to an incomplete insight into an application's security condition. This paper presents the Mobile Application Penetration Testing Framework (MAPTF), an innovative, integrated solution aimed at automating and enhancing the security evaluation of Android applications. MAPTF utilizes a hybrid approach, merging static analysis (SAST), dynamic analysis (DAST), and network traffic analysis within a single, web-based infrastructure. It coordinates a collection of specialized tools, such as APKiD, Frida, and OWASP ZAP, to execute a thorough analysis. Significant features of this framework include a data fusion engine that aggregates findings from various sources, a heuristic-based risk scoring system that quantifies the security posture, and the automated creation of detailed, actionable reports. By incorporating multiple analytical methods, MAPTF offers a comprehensive and user-friendly platform for developers and security professionals to effectively identify and address vulnerabilities.
Introduction
I. Overview
The Android OS, dominating the global mobile market, supports apps handling sensitive data. This makes Android a prime target for cyberattacks, necessitating robust security testing. Traditional manual penetration testing, though effective, is time-consuming and expensive. Automated tools have emerged but face two main issues:
Fragmented Analysis: Static and dynamic tools often miss context or runtime behavior.
Lack of Integration: Outputs from various tools require manual consolidation.
To address this, MAPTF (Mobile Application Penetration Testing Framework) was developed as an automated, unified framework combining static, dynamic, and network analysis for Android (APK) and iOS (IPA) applications.
II. Related Work
MobSF: Offers comprehensive analysis but can be complex to manage.
MAPTF Improvements: Modular, lightweight (Flask-based), with fallback analysis and an intuitive UI.
Uses key tools:
Androguard, APKTool, APKiD for static analysis
Frida for dynamic analysis
ZAP and Burp Suite for network traffic inspection
III. MAPTF Architecture
MAPTF has four key layers:
User Interface Layer: Web dashboard for uploads, progress tracking, and report downloads.
Core Engine: Main Flask app (main.py) that orchestrates all tasks and analysis modules.
Password stored in world-readable file: /sdcard/tmp/
Confirmed exported activity could be abused at runtime
C. Network Analysis (with ZAP & Burp Suite)
Profile data fetched via unencrypted HTTP
Discovered vulnerabilities:
Missing Content-Security-Policy (CSP) header
Session cookie lacked HttpOnly flag
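The following is an added example, not MAPTF's own code (which the page does not show), of how a data fusion step and a heuristic risk score could combine findings like those listed above. The severity weights, corroboration bonus, aggregate formula and sample findings (including the activity name and the source assigned to each finding) are assumptions constructed for illustration.

```python
from collections import defaultdict

# Hypothetical base severities (0-10); the page does not publish MAPTF's weights.
BASE_SEVERITY = {
    "world_readable_credential_file": 8.0,
    "exported_activity": 5.0,
    "cleartext_http": 6.0,
    "missing_csp_header": 3.0,
    "cookie_missing_httponly": 4.0,
}
CORROBORATION_BONUS = 1.5  # assumed bump for each extra analysis source that agrees

# Constructed sample findings modelled on the results listed above.
RAW_FINDINGS = [
    {"source": "static", "issue": "exported_activity", "target": "com.example.app/.AdminActivity"},
    {"source": "dynamic", "issue": "exported_activity", "target": "com.example.app/.AdminActivity"},
    {"source": "dynamic", "issue": "world_readable_credential_file", "target": "/sdcard/tmp/"},
    {"source": "network", "issue": "cleartext_http", "target": "profile endpoint"},
    {"source": "network", "issue": "missing_csp_header", "target": "api host"},
    {"source": "network", "issue": "cookie_missing_httponly", "target": "api host"},
    {"source": "network", "issue": "missing_csp_header", "target": "api host"},  # duplicate report
]

def fuse(findings):
    """Merge findings sharing (issue, target) and record which sources reported them."""
    merged = defaultdict(set)
    for f in findings:
        merged[(f["issue"], f["target"])].add(f["source"])
    fused = []
    for (issue, target), sources in merged.items():
        # Independent corroboration raises the score; same-source duplicates do not.
        score = min(10.0, BASE_SEVERITY[issue] + CORROBORATION_BONUS * (len(sources) - 1))
        fused.append({"issue": issue, "target": target,
                      "sources": sorted(sources), "score": score})
    return sorted(fused, key=lambda f: (-f["score"], f["issue"]))

def app_risk(fused):
    """Overall 0-100 score: the worst finding dominates, the rest add halving weight."""
    total, weight = 0.0, 1.0
    for f in fused:  # expects worst-first order, as returned by fuse()
        total += f["score"] * weight
        weight *= 0.5
    return round(min(100.0, total * 5), 1)

if __name__ == "__main__":
    fused = fuse(RAW_FINDINGS)
    for f in fused:
        print(f"{f['score']:>4}  {f['issue']}  {f['sources']}")
    print("app risk:", app_risk(fused))
```

Keying on (issue, target) is what lets a static finding confirmed at runtime count as one stronger finding instead of two separate ones.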
VI. Tool Comparison Table
| Tool | Core Function | Key Advantage |
|---|---|---|
| MAPTF | Integrated Testing | Data fusion + unified risk-scored report |
| MobSF | Static/Dynamic Analysis | All-in-one platform |
| Frida | Runtime Instrumentation | Real-time API tracing & app manipulation |
| OWASP ZAP | Network/API Vulnerability | Server-side scanning with automation and scripting APIs |
Conclusion
The Mobile Application Penetration Testing Framework (MAPTF) represents an important advancement in developing a more effective, user-friendly, and all-encompassing solution for testing security on Android devices [9]. By integrating static, dynamic, and network analysis into a single, automated pipeline, it empowers developers and security analysts to identify and remediate vulnerabilities more effectively than with standalone tools. Future work will focus on adding iOS support, integrating machine learning models to improve vulnerability detection, and enabling seamless integration into CI/CD pipelines for a true DevSecOps workflow.
References
[1] B. ÖZGÜR, İ. A. DOĞRU, G. UÇTU and M. Alkan, "A Suggested Model for Mobile Application Penetration Test Framework," 2021 International Conference on Information Security and Cryptology (ISCTURKEY), Ankara, Turkey, 2021, pp. 18-21, doi: 10.1109/ISCTURKEY53027.2021.9654417.
[2] Daraojimba, E.C., Nwasike, C.N., Adegbite, A.O., Ezeigweneme, C.A. and Gidiagba, J.O., 2024. Comprehensive review of agile methodologies in project management. Computer Science & IT Research Journal, 5(1), pp.190-218.
[3] Malek, S., Esfahani, N., Kacem, T., Mahmood, R., Mirzaei, N. and Stavrou, A., 2012, June. A framework for automated security testing of android applications on the cloud. In 2012 IEEE Sixth International Conference on Software Security and Reliability Companion (pp. 35-36). IEEE.
[4] Androguard. (2021). Reverse-engineering, Malware and goodware analysis of Android applications. GitHub.
[5] https://owasp.org/www-project-mobile-app-security/
[6] https://www.opsmx.com/blog/ensuring-api-security-with-owasp-zap-a-step-by-step-guide/
[7] https://www.isaca.org/resources/isaca-journal/issues/2021/volume-2/risk-assessment-and-analysis-methods
[8] Frida. (2022). Dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers. Frida.re.
[9] https://mas.owasp.org/MASTG/0x04b-Mobile-App-Security-Testing/
[10] OWASP. (2023). OWASP Zed Attack Proxy (ZAP). zaproxy.org.
[11] Xiong, P. and Peyton, L., 2010, August. A model-driven penetration test framework for Web applications. In 2010 Eighth International Conference on Privacy, Security and Trust (pp. 173-180). IEEE.
[12] Kraunelis, J., Fu, X., Yu, W. and Zhao, W., 2018, May. A framework for detecting and countering android UI attacks via inspection of IPC traffic. In 2018 IEEE International Conference on Communications (ICC) (pp. 1-6). IEEE.
[13] Bennouk, K., Ait Aali, N., El Bouzekri El Idrissi, Y., Sebai, B., Faroukhi, A.Z. and Mahouachi, D., 2024. A comprehensive review and assessment of cybersecurity vulnerability detection methodologies. Journal of Cybersecurity and Privacy, 4(4), pp.853-908.
[14] https://library.mosse-institute.com/articles/2022/03/introduction-to-the-penetration-testing-workflow/introduction-to-the-penetration-testing-workflow.html
[15] Adamski, J., Janiszewski, M. and Rytel, M., 2025. IoT Mobile Applications Pentesting–Methodology and Results of Research. IEEE Internet of Things Journal.
[16] Velu, V.K., 2016. Mobile Application Penetration Testing. Packt Publishing Ltd.