After this lesson, you will be able to explain how mobile security differs from web security, describe the platforms and threat model involved, and state the authorization rule for the labs.
Billions of people run their digital lives on mobile apps, and those apps handle sensitive data on devices users control. This subtrack covers the Android and iOS security models, the OWASP Mobile Top 10, static and dynamic analysis, and common mobile vulnerabilities, with hands-on work against a deliberately vulnerable app.
This is a free introductory lesson. No purchase required.
Unlike a web app on a server you control, a mobile app runs on a device the attacker may fully control: they can decompile the binary, inspect storage, hook functions at runtime, and intercept traffic. Anything shipped in the app (including 'hidden' keys and logic) is reachable. The threat model assumes the client is hostile, which changes how you design and test.
Compare the Android and iOS security models. Walk the OWASP Mobile Top 10. Decompile an APK with jadx and find hardcoded secrets and insecure storage. Instrument an app at runtime with Frida and intercept its traffic with Burp. By the end you can find common mobile vulnerabilities in a lab and explain the fixes.
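As an added illustration of the point above that anything shipped in the app is reachable (example code, not part of the course material): a small scanner over a constructed, jadx-style decompiled Java fragment that flags string constants either by a credential-like name or by high Shannon entropy, which is the same heuristic a secret scanner applies to a decompiled APK. The class name, constant names and values below are constructed for this example; the thresholds are tunable assumptions.

```python
import math
import re

# Constructed sample: a fragment of decompiled Java as jadx would emit it.
# Every value here is made up for the example.
DECOMPILED_SAMPLE = '''
public final class ApiConfig {
    private static final String BASE_URL = "https://api.example.test/v1";
    private static final String API_KEY = "AKIAEXAMPLE0000000001";
    private static final String SECRET = "x9Qv3tLm8ZrW2pKs7HdN4bYc6FjE1gTa";
    private static final String CFG = "zP4kQ9wL2mR7vX1nB8dJ5sT3yF6hA0cG";
    private static final String LABEL = "Settings";
}
'''

# Names that commonly carry credentials; a match here is a high-confidence finding.
SENSITIVE_NAME = re.compile(r'(key|secret|token|password|passwd)', re.I)
# String constant assignment as emitted by jadx: String NAME = "value";
STRING_CONST = re.compile(r'String\s+(\w+)\s*=\s*"([^"]*)"')

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character: random keys score high, words score low."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def find_hardcoded_secrets(source: str, min_len: int = 16, min_entropy: float = 4.0):
    """Return (name, value, reason) for string constants that look like shipped secrets.
    A constant is flagged if its name is sensitive, or its value is long and high-entropy.
    URLs are skipped for the entropy branch because they are a common false positive."""
    findings = []
    for name, value in STRING_CONST.findall(source):
        if SENSITIVE_NAME.search(name):
            findings.append((name, value, "sensitive name"))
        elif value.startswith(("http://", "https://")):
            continue
        elif len(value) >= min_len and shannon_entropy(value) >= min_entropy:
            findings.append((name, value, "high-entropy value"))
    return findings

if __name__ == "__main__":
    for name, value, reason in find_hardcoded_secrets(DECOMPILED_SAMPLE):
        print(f"{name}: {value!r} ({reason})")
```

The same scan run over a real jadx output tree is a cheap pre-release check: if the scanner can read the key, so can anyone with the APK.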