Skip to content
All posts

Your mobile app is only as secure as its backend

2 min readmobile · security-research · invasive-testing

Upload an Android APK or iOS IPA and a good scanner will tell you a lot: cleartext-traffic flags in the manifest, hardcoded secrets in the decompiled code, dangerous permissions, outdated SDKs with known CVEs. NANOTESTING runs that full static battery (apktool / mobsfscan / MASVS, plus a CVE pass) on every mobile binary.

But here is the uncomfortable truth: a mobile binary is a client, and the client is rarely where the serious bugs live. The serious bugs live in the backend API the app talks to — broken object-level authorization, mass assignment, injection. And static analysis of the binary cannot test any of that, because the binary never runs against the server during a static scan.

The backend is hiding in plain sight

Mobile apps almost always hardcode their backend base URLs — https://api.yourapp.com, https://auth.yourapp.com — right in the decompiled resources and code. So the path to testing the backend is not a device emulator or runtime instrumentation. It is much simpler: extract the backend hosts from the binary, then test them like any other web/API target.

That is exactly what the Invasive Testing add-on does for mobile targets. When you authorize a mobile app for invasive testing, the worker:

  1. extracts the first-party backend hosts hardcoded in the decompiled binary, filtering out the long tail of SDK / analytics / CDN noise every app embeds;
  2. runs the active web checks (OWASP ZAP active scan, OpenAPI fuzzing, mass-assignment, host-header injection) against them; and
  3. reports exactly which hosts it discovered and which it actually tested.

The ownership rule that keeps it honest

There is one rule that matters more than any other here. A mobile binary routinely embeds third-party backend hosts too — your payment provider, your auth provider, a partner's API. You do not own those, and attacking them would be wrong.

So NANOTESTING only sends active payloads at a backend host you have verified ownership of — a verified web/API target in your workspace with the same host or a parent/child subdomain. Everything else is reported so you can add and verify it yourself, but never attacked. It fails closed: if there is no matching verified target, nothing is scanned. No exceptions, no fuzzy cross-domain guessing.

The result is mobile security testing that actually reaches the backend — without ever pointing the attack engine at someone else's server. See the mobile app scan guide and the invasive testing guide for the full flow.