In the Mobile Application Penetration Testing, the end user is in the control of the device.There are usually four phases
Understanding the platform
Client Side and Server Side Scenarios - Native, Hybrid or Web
Static Analysis - Analysis is performed without executing the application or just looking at the source code of the application.
Dynamic Analysis - Dynamic analysis is performed while the application is running on the device. This includes forensic analysis of the local filesystem, network traffic between the application and server, and assessment of the app's local inter-process communication (IPC) surface.
Achieve Analysis - Review of the files that have not been compiled into a binary
Local File Analysis - Files Accessed by the application and files used during the application execution
Network & Web Traffic - The device will be configured to route their connection to the server through a test proxy controlled by the security tester. This will enable web traffic to be intercepted, viewed, and modified. It will also reveal the communication endpoints between the application and the server so that they can be tested. Network traffic that is not traversing the Web and is happening at a lower layer in the TCP/IP protocol stack, such as TCP and UDP packets, will also be intercepted and analyzed.
Reverse Engineering - Complied Code into Human readable format
Attempt to Exploit the Vulnerability - Discovered vulnerabilities to gain sensitive information or perform malicious activities.
Risk Assessment - Analyze business criticality of the application and the security risk posture and categorize the overall risk rating of the assessed application