Mobile Application Security Study Plan
This page is updated based on jassics/security-study-plan/mobile-application-security-study-plan. Check how much you can cover within the timeline: the more you cover, the better a candidate you are for roles requiring good Android/iOS application security knowledge.
Also, I assume you have already checked and are comfortable with the Common Security Skills study plan and Web Security Testing study plan.
It covers what you need to test and secure mobile apps, including client, API, and backend aspects.
How this connects: Use this plan together with Web Security Testing, Application Security, and API Security, since mobile apps almost always talk to web backends and APIs.
In Short
- Mobile security is not just "web on a smaller screen" - there are platform-specific risks.
- You must understand Android and iOS app models and storage.
- You should be comfortable proxying traffic, analyzing APK/IPA files, and using common tools.
- Align with OWASP MASVS/MSTG for methodology.
- Consider both the app and its backend APIs.
ToC
- Mobile Fundamentals - 2 weeks
- Android Security - 3-4 weeks
- iOS Security - 3-4 weeks
- Mobile Testing Methodology (OWASP MASVS/MSTG) - 3-4 weeks
- Tools & Labs - 3-4 weeks
- Books, Videos, Courses
- Certifications
- Interview Questions
Mobile Fundamentals
Duration: 2 weeks
Goal: understand how mobile apps are built and deployed.
Week 1-2: Architecture
- Mobile App Models - native, hybrid, cross-platform
- Typical Architecture - client app ↔ API ↔ backend services
- Data Storage & Permissions - local storage, keychain/keystore, runtime permissions
Android Security
Duration: 3-4 weeks
Goal: understand Android internals and common vulnerabilities.
Week 3-6: Android Basics & Risks
- Android Architecture - APK structure, components (activities, services, receivers)
- Permissions & Manifest - exported components, dangerous permissions
- Common Issues - insecure storage, hardcoded secrets, insecure logging
- Reverse Engineering Basics - decompiling APKs, basic static analysis
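To make the "Permissions & Manifest" item concrete, here is an added example (not code from the study plan or the jassics repository) of a small static check over an AndroidManifest.xml of the kind you get from a decompiled APK. It resolves whether each component is reachable by other apps (explicit `android:exported`, otherwise the pre-API-31 default of "exported if it has an intent-filter"), flags exported components that have no `android:permission`, and flags `debuggable`, cleartext traffic and backup settings plus any runtime ("dangerous") permissions from a small built-in list. The manifest, the package name and the function names are constructed for the demo.

```python
"""Static audit of an AndroidManifest.xml (added example; manifest below is constructed)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def attr(name):
    """ElementTree key for a namespaced android:<name> attribute."""
    return f"{{{ANDROID_NS}}}{name}"


# Subset of runtime ("dangerous") permissions for the demo; extend from the platform docs.
DANGEROUS_PERMISSIONS = {
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_SMS",
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
}

COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")


def is_launcher(component):
    """True for the main launcher activity, which is exported by design (reduces noise)."""
    for f in component.findall("intent-filter"):
        cats = {c.get(attr("name")) for c in f.findall("category")}
        if "android.intent.category.LAUNCHER" in cats:
            return True
    return False


def effective_exported(component):
    """Resolve reachability from other apps.

    An explicit android:exported wins. Without it the pre-API-31 default applies:
    a component with an <intent-filter> is exported, one without is not.
    Returns (exported, explicit).
    """
    value = component.get(attr("exported"))
    if value is not None:
        return value.lower() == "true", True
    return component.find("intent-filter") is not None, False


def audit_manifest(xml_text, target_sdk=None):
    """Return a list of (finding_code, subject) tuples for the manifest text.

    target_sdk can be passed in (apktool moves it to apktool.yml); otherwise
    it is read from <uses-sdk> when present.
    """
    root = ET.fromstring(xml_text)
    findings = []

    uses_sdk = root.find("uses-sdk")
    if target_sdk is None and uses_sdk is not None:
        target_sdk = int(uses_sdk.get(attr("targetSdkVersion"), 0))

    for p in root.findall("uses-permission"):
        name = p.get(attr("name"))
        if name in DANGEROUS_PERMISSIONS:
            findings.append(("DANGEROUS_PERMISSION", name))

    app = root.find("application")
    if app is None:
        return findings
    if app.get(attr("debuggable"), "false").lower() == "true":
        findings.append(("DEBUGGABLE", "application"))
    # Only an explicit opt-in is flagged; the platform default is false from API 28.
    if app.get(attr("usesCleartextTraffic"), "false").lower() == "true":
        findings.append(("CLEARTEXT_TRAFFIC_ALLOWED", "application"))
    # allowBackup defaults to true, so anything but an explicit "false" is reported.
    if app.get(attr("allowBackup"), "true").lower() != "false":
        findings.append(("BACKUP_NOT_DISABLED", "application"))

    for tag in COMPONENT_TAGS:
        for comp in app.findall(tag):
            name = comp.get(attr("name"))
            exported, explicit = effective_exported(comp)
            # From targetSdkVersion 31 a component with an intent-filter must declare exported.
            if not explicit and comp.find("intent-filter") is not None and (target_sdk or 0) >= 31:
                findings.append(("MISSING_EXPLICIT_EXPORTED", name))
            if exported and not comp.get(attr("permission")) and not is_launcher(comp):
                findings.append(("EXPORTED_WITHOUT_PERMISSION", f"{tag}:{name}"))
    return findings


# Constructed sample manifest (not from any real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="30"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:debuggable="true" android:usesCleartextTraffic="true"
      android:allowBackup="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".DeepLinkActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <data android:scheme="demo"/>
      </intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true"
        android:permission="com.example.demo.SYNC"/>
    <provider android:name=".DataProvider" android:authorities="com.example.demo.data"
        android:exported="true"/>
    <receiver android:name=".BootReceiver" android:exported="false"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for code, subject in audit_manifest(SAMPLE_MANIFEST):
        print(f"{code:28} {subject}")
```

Every `EXPORTED_WITHOUT_PERMISSION` hit still needs triage: a deep-link activity is often meant to be reachable, but then its intent handling is the attack surface to review; an exported content provider with no permission is almost always a finding.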
iOS Security
Duration: 3-4 weeks
Goal: understand the iOS app model and security controls.
Week 7-10: iOS Basics & Risks
- iOS Architecture - IPA packages, app sandboxing
- Keychain & Secure Storage - where secrets go and how they can leak
- Common Issues - insecure local storage, weak jailbreak detection, insecure URL schemes
- High-Level Static & Dynamic Analysis - understanding what's possible
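The iOS counterpart of reading the manifest is reading the app's Info.plist out of the IPA. The following is an added example (not code from the study plan or the jassics repository) that uses Python's standard `plistlib` to flag App Transport Security being weakened (globally, for web views, or per domain via HTTP or old-TLS exceptions), lists every custom URL scheme the app registers so its handler can be reviewed for input validation, and reports `UIFileSharingEnabled`, which exposes the Documents directory through file sharing. The plist, bundle identifier and domains are constructed for the demo; the function name is my own.

```python
"""Static audit of an iOS Info.plist (added example; plist below is constructed)."""
import plistlib

# TLS versions accepted by NSExceptionMinimumTLSVersion that should be reported.
WEAK_TLS = {"TLSv1.0", "TLSv1.1"}


def audit_info_plist(plist_bytes):
    """Return a list of (finding_code, subject) tuples for an Info.plist."""
    info = plistlib.loads(plist_bytes)
    findings = []

    ats = info.get("NSAppTransportSecurity", {})
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append(("ATS_DISABLED_GLOBALLY", "NSAllowsArbitraryLoads"))
    if ats.get("NSAllowsArbitraryLoadsInWebContent"):
        findings.append(("ATS_DISABLED_FOR_WEBVIEWS", "NSAllowsArbitraryLoadsInWebContent"))
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(("ATS_HTTP_EXCEPTION", domain))
        if rules.get("NSExceptionMinimumTLSVersion") in WEAK_TLS:
            findings.append(("ATS_WEAK_TLS_EXCEPTION", domain))

    # Each custom scheme is an entry point: the handler that parses the URL needs review.
    for url_type in info.get("CFBundleURLTypes", []):
        for scheme in url_type.get("CFBundleURLSchemes", []):
            findings.append(("CUSTOM_URL_SCHEME", scheme))

    if info.get("UIFileSharingEnabled"):
        findings.append(("DOCUMENTS_EXPOSED_VIA_FILE_SHARING", "UIFileSharingEnabled"))
    return findings


# Constructed sample plist (not from any real app).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.example.demo</string>
  <key>CFBundleURLTypes</key>
  <array>
    <dict>
      <key>CFBundleURLName</key>
      <string>com.example.demo</string>
      <key>CFBundleURLSchemes</key>
      <array>
        <string>demo</string>
        <string>demo-auth</string>
      </array>
    </dict>
  </array>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>legacy.example.com</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key>
        <true/>
      </dict>
      <key>api.partner.example</key>
      <dict>
        <key>NSExceptionMinimumTLSVersion</key>
        <string>TLSv1.0</string>
      </dict>
    </dict>
  </dict>
  <key>UIFileSharingEnabled</key>
  <true/>
</dict>
</plist>
"""

if __name__ == "__main__":
    for code, subject in audit_info_plist(SAMPLE_PLIST):
        print(f"{code:36} {subject}")
```

Binary plists from a real IPA parse the same way, since `plistlib.loads` detects the format. A URL scheme is not a vulnerability by itself; the finding is a pointer to the `application(_:open:options:)` code path that has to treat the incoming URL as untrusted input.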
Mobile Testing Methodology (OWASP MASVS/MSTG)
Duration: 3-4 weeks
Goal: follow a structured approach for mobile security testing.
Week 11-14: Methodology
- OWASP MASVS - security requirement categories (architecture, storage, crypto, etc.)
- OWASP MSTG - test cases and practical guidance
- Testing Focus Areas - local data storage, authentication/session management, network communication and certificate pinning, code tampering and reverse-engineering resistance
Tools & Labs
Duration: 3-4 weeks
Goal: get hands-on experience.
Week 15-18: Practice
- Proxying & Interception - Burp/ZAP, cert installation, bypassing certificate pinning (at a high level)
- Emulators & Devices - basic setup for Android and iOS testing
- Deliberately Vulnerable Apps - practice on intentionally vulnerable mobile apps from reputable sources
- Backend APIs - reuse techniques from the API Security Study Plan to test the APIs mobile apps use
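Once you have a decompiled app from a lab (jadx or apktool output), the first static pass most people practice is hunting for the "Common Issues" from the Android section: hardcoded secrets and sensitive logging. The following is an added example (not code from the study plan or the jassics repository) that scans decompiled source for known credential formats, for secret-looking assignments filtered by Shannon entropy so that placeholder values are skipped, and for `android.util.Log` calls whose arguments mention credential-like names. The Java snippet, the key values and the function names are constructed for the demo.

```python
"""Scan decompiled Android source for hardcoded secrets and sensitive logging (added example)."""
import math
import re
from collections import Counter

# Well-known credential formats plus a generic "secret-ish name = literal" pattern.
SECRET_PATTERNS = {
    "AWS_ACCESS_KEY_ID": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "GOOGLE_API_KEY": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
    "PRIVATE_KEY_BLOCK": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "SECRET_ASSIGNMENT": re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[=:]\s*[\"']([^\"']{8,})[\"']"
    ),
}
# Literals below this entropy ("changeme", "password1") are treated as placeholders.
MIN_ENTROPY_BITS = 3.0

# Android logging calls; flagged when the logged expression names something sensitive.
LOG_CALL = re.compile(r"\bLog\.(?:v|d|i|w|e|wtf)\s*\((.*)\)")
SENSITIVE_WORD = re.compile(r"(?i)password|token|secret|ssn|card|otp")


def shannon_entropy(s):
    """Bits of entropy per character of the string s."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_source(text, filename="<input>"):
    """Return (finding_code, filename, line_number) tuples for one source file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for code, pattern in SECRET_PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            if code == "SECRET_ASSIGNMENT" and shannon_entropy(m.group(2)) < MIN_ENTROPY_BITS:
                continue  # low-entropy literal, almost certainly a placeholder
            findings.append((code, filename, lineno))
            break  # one secret finding per line is enough
        m = LOG_CALL.search(line)
        if m and SENSITIVE_WORD.search(m.group(1)):
            findings.append(("SENSITIVE_LOGGING", filename, lineno))
    return findings


# Constructed decompiled Java (values are made up, not real credentials).
SAMPLE_JAVA = """\
package com.example.demo;
import android.util.Log;
public class ApiClient {
    private static final String API_KEY = "AIzaSyA1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q";
    private static final String DB_PASSWORD = "changeme";
    private static final String CLIENT_SECRET = "9f3c7Ab2Qx81LkPz";
    void login(String user, String password) {
        Log.d("ApiClient", "login user=" + user + " password=" + password);
        Log.d("ApiClient", "request sent");
    }
}
"""

if __name__ == "__main__":
    for code, fname, lineno in scan_source(SAMPLE_JAVA, "ApiClient.java"):
        print(f"{fname}:{lineno}: {code}")
```

Run it over the whole decompiled tree with `os.walk` and confirm each hit by hand: the entropy filter removes obvious placeholders, but a real key stored in string resources or native code will not show up here, which is exactly why the dynamic part of the methodology exists.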
Books, Videos, Courses
- Books focused on mobile application security or testing, plus web/API security books to complement backend testing knowledge
- Conference talks on Android and iOS application security, and mobile app security assessment walkthroughs
- Official platform security overviews from Google/Apple
- Mobile application security/pentesting courses with hands-on labs
- Android/iOS development basics (optional, but helps in reading app code)
Certifications
- Mobile security-focused certifications if they align with your goals
- General offensive security certs (OSCP/eWPTX/etc.) if you want broader pentest credentials
Interview Questions
Reuse questions from Web & API Security, plus mobile specifics:
- How would you test a mobile banking app for insecure storage?
- What is OWASP MASVS and how would you use it in an assessment?
- How would you approach bypassing certificate pinning (conceptually)?
- What are common pitfalls in mobile auth and session management?
Practice next: Application Security interview questions and Web Security interview questions for the overlapping backend/API fundamentals, and jassics/security-study-plan for the latest updates to this plan.