In the interest of working smarter and not harder, there's a neat tool called NowSecure that can automate the process of mobile app security analysis. This cloud or on-premises platform can be used on currently deployed mobile apps or on apps that are still in the middle of their development lifecycle. Just load the APK (Android) or IPA (iOS) file for the mobile app to be tested; the checks are run, including real-world dynamic simulation, and the report is generated.
You're provided with the specific vulnerability, CVSS references, and recommendations for each finding. NowSecure also reports informational findings as well as the security checks that "passed". A summary view of sample findings is shown as follows:
Additional information regarding the mobile app's functionality is provided including:
- Network connections outlining who/what the mobile app talks to (I always find this amusing and sometimes scary!)
- Behavioral events of specific app methods that are run along with timestamps
- URLs listed in the source code and files contained in the archive package
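To make the last bullet concrete, here is a small added example (my own code, not NowSecure's) of the static side of that check: an APK is just a ZIP archive, so the script lists every member, pulls http(s) URL strings out of each member's bytes (which also catches strings embedded in `classes.dex`), and reports which of those endpoints are reached over cleartext `http://`. The archive it inspects is a constructed stand-in built in memory; the function and member names (`build_sample_apk`, `extract_urls_from_apk`, `cleartext_hosts`, the `res/raw/config.json` path) are assumptions for the demo, and you would point `extract_urls_from_apk` at the bytes of a real `.apk` instead.

```python
"""Added example: list an APK's members and extract URL strings from them.
This is not NowSecure's implementation; it only illustrates the kind of
static finding the tool reports ("URLs in source code / archive files")."""
import io
import re
import zipfile
from collections import defaultdict
from urllib.parse import urlparse

# Matches http:// and https:// URLs made of RFC 3986 characters; works on bytes so
# it can be applied to binary members such as classes.dex as well as text files.
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")


def build_sample_apk() -> bytes:
    """Constructed stand-in for an APK: a ZIP with a few members holding URLs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", "<manifest package='com.example.demo'/>")
        zf.writestr(
            "res/raw/config.json",
            '{"api": "https://api.example.com/v1", "cdn": "http://cdn.example.net/assets"}',
        )
        # A fake dex payload: magic header plus NUL-separated string constants.
        zf.writestr(
            "classes.dex",
            b"dex\n035\x00" + b"http://legacy.example.net/login\x00"
            + b"https://api.example.com/v1/auth",
        )
        zf.writestr("assets/readme.txt", "no links here")
    return buf.getvalue()


def extract_urls_from_apk(apk_bytes: bytes):
    """Return (member_names, {url: [members containing it]}) for the archive."""
    members = []
    urls = defaultdict(list)
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            members.append(info.filename)
            data = zf.read(info.filename)
            for match in URL_RE.finditer(data):
                url = match.group(0).decode("ascii", "replace")
                if info.filename not in urls[url]:
                    urls[url].append(info.filename)
    return members, dict(urls)


def cleartext_hosts(url_map):
    """Hosts contacted over plain http://, sorted; these are the first thing to triage."""
    return sorted({urlparse(u).hostname for u in url_map if u.startswith("http://")})


if __name__ == "__main__":
    members, found = extract_urls_from_apk(build_sample_apk())
    print("Files in package:")
    for name in members:
        print("  ", name)
    print("URLs found:")
    for url, where in found.items():
        print(f"   {url}  <- {', '.join(where)}")
    print("Cleartext hosts:", cleartext_hosts(found))
```

Running it prints the four members, the four URLs with the member each came from, and `['cdn.example.net', 'legacy.example.net']` as the cleartext hosts. The byte-level regex is deliberately crude: it will miss URLs assembled at runtime from fragments, which is exactly why the dynamic "who does the app talk to" view from the first bullet is the complement to this static pass.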
There's too much to do with security and not nearly enough time to do it. Work smart. Don't re-invent the wheel. Automate your security testing with tools like NowSecure where you can. Of course, perform your manual analysis where you need to. I never advocate relying solely on automated tools when performing a full security assessment. There's too much to overlook and lose. However, mobile apps are largely an unexplored frontier so you're going to have to rely on good tools to point you in the right direction and (especially) find those niche flaws that would be impossible or unreasonable to uncover otherwise.