In this section, we covered the static analysis of Android and iOS applications. We did not cover runtime analysis testing, which entails hooking application classes and functions during app execution. Depending on how much time and effort you are willing to spend on testing a mobile app, this may not always be within your scope. Runtime analysis is great for validating client-side security controls such as bypassing pin code lock screens or brute forcing logins. The OWASP Testing Guide provides details on runtime analysis techniques for both Android and iOS. Visit the links below for more information:

• Android: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05c-Reverse-Engineering-and-Tampering.md
• iOS: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x06c-Reverse-Engineering-and-Tampering.md