
Android vs. iOS Mobile App Penetration Testing

April 12, 2018 by


The adoption rate of smartphones has exploded in recent years. The two dominant smartphone operating systems (OS) of today are the Android OS developed by Google and the iOS from Apple. Ease of use, smooth operation and data security, as well as an extended team for app development, allowed Android and Apple to lead the market in mobile devices.


Before moving forward to the actual topic of system penetration, it is essential to know some basics of these operating systems.

The Android OS is based on Linux, while iOS is coded in the Objective-C language. Both operating systems have their own set of advantages and disadvantages. The Android OS has the clear-cut advantage of an already established platform. As a result, it provides a separate virtual environment for the mobile apps that run on it.

The primary disadvantage of the Android OS is that the added complexity leads to excessive use of processing power and memory. This leads to performance issues and low benchmarks.

iOS, for its part, has the advantage of leveraging the raw processing power and memory it possesses. The disadvantage is that iOS is a closed operating system, making it highly vulnerable to a security breach.

App Penetration Testing for iOS: System Requirements & Overview

All iOS mobile apps are reviewed by a special team at Apple. After this process occurs, the mobile app can be distributed and downloaded via the official App Store.

Apps in iOS are developed in the Objective-C language and use the C libraries in the OS. Hence, it is essential to test the app on a device to fix any bugs in the code.

iOS application development requires a computer running Mac OS. Applications in their development phase cannot be run directly on normal devices. Since these applications are not yet certified by Apple as official App Store apps, they require a special work environment. This environment is achieved by jailbreaking an iOS device.

The process of jailbreaking involves a lot of patching on the kernel level, which then allows the installation of apps and extensions which are otherwise prohibited due to reasons of security. The process of jailbreaking does not necessarily hamper the hardware of your Apple device, but the legal status is still unclear in many countries. The process of jailbreaking unlocks the bootloader in the operating system, thereby allowing smooth sideloading of apps.

Though the process might sound harmless and normal, it does violate the software end-user agreement of Apple. This means the company is entitled to make unchallenged decisions regarding the warranty claim issues. Amongst the companies who provide jailbreaking tools and services, Cydia is the most successful and preferred group.

Jailbreaking is classified into three major types:

  • Tethered: This type of jailbreak requires the use of a specialized computer every time the device is booted up. The device is not capable of patching the necessary kernels by itself.
  • Semi-tethered: In this type of jailbreak, the user can boot the device in a normal state. However, in order to run the modified code and patched kernels, the device needs to be booted up via a computer using the jailbreak tool (such as Cydia).
  • Untethered: This is the most complicated type of jailbreak, in which the device is capable of patching the kernels by itself.

In the case of iOS, all users get security updates immediately after release. However, since the OS security is not open to third-party developers, these developers do not have the liberty to develop added security features if required.

App Penetration Testing for Android OS: System Requirements & Overview

App penetration testing for Android devices requires a less sophisticated setup than iOS app testing. The only requirements are a Windows or Linux computer system and a rooted Android device. Android apps are coded in the Java programming language and work in a different ecosystem from iOS. These apps run on dedicated virtual machines within the operating system.

Though this eliminates the problem of buffer overflow, Android apps have their own set of problems. Unlike iOS, the Android OS is not limited to a single device. Because it is an open source operating system, apps need to be compatible with a majority of devices. In the Android Play Store, apps are not tested as meticulously as iOS apps. Even so, developers need to take care that the permissions requested by their app are justified, so that users do not consider the app to be malware.
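The permission check described above can be turned into a repeatable audit step. The following is an added example, not code from the original article: it reads a decoded `AndroidManifest.xml` (as text XML), picks out the requested permissions that Android classes as dangerous, and separates those the tester has a recorded justification for from those without one. The sample manifest, the `com.example.flashlight` package and the `justification` mapping are constructed for illustration, and the `DANGEROUS` set is a subset of the platform's list.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Short names of android.permission.* entries with the "dangerous"
# protection level (subset, for illustration).
DANGEROUS = {
    "READ_CALENDAR", "WRITE_CALENDAR", "CAMERA", "READ_CONTACTS",
    "WRITE_CONTACTS", "GET_ACCOUNTS", "ACCESS_FINE_LOCATION",
    "ACCESS_COARSE_LOCATION", "RECORD_AUDIO", "READ_PHONE_STATE",
    "CALL_PHONE", "READ_CALL_LOG", "WRITE_CALL_LOG", "SEND_SMS",
    "RECEIVE_SMS", "READ_SMS", "BODY_SENSORS",
    "READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE",
}

# Constructed sample: decoded manifest of a hypothetical flashlight app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <application android:label="Flashlight"/>
</manifest>
""".strip()

def requested_permissions(manifest_xml):
    """Return every permission name the manifest requests."""
    root = ET.fromstring(manifest_xml)
    names = []
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name")
            if name:
                names.append(name)
    return names

def audit(manifest_xml, justification):
    """Split dangerous permissions by whether a feature justifies them.

    justification maps a permission name to the app feature that needs it.
    """
    report = {"justified": {}, "unjustified": []}
    for perm in sorted(set(requested_permissions(manifest_xml))):
        prefix, _, short = perm.rpartition(".")
        if prefix != "android.permission" or short not in DANGEROUS:
            continue  # normal-level or custom permission: not flagged here
        if perm in justification:
            report["justified"][perm] = justification[perm]
        else:
            report["unjustified"].append(perm)
    return report
```

For the sample, a flashlight feature justifies `CAMERA`, which leaves the contacts and location requests as findings to raise with the developer.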

Being a user-centric ecosystem, the Android Play Store authorities wipe an app from all devices (without any notification) if it is reported as malware by multiple users. As opposed to iOS, Android applications need to be backward compatible as well. Being an open source OS, Android does not provide its Original Equipment Manufacturers (OEMs) with its latest version. Thus, all apps must be supported on all devices.

Rooting an Android Device

As with iOS, Android apps need to be tested on devices with kernel patches. On Android devices this process is called rooting. As opposed to iOS, Android devices are rooted just to remove hardware restrictions and gain the elevated administrator-level privileges necessary for app testing. Rooting an Android device is not as tedious as jailbreaking an iOS device, but it does risk the device warranty. Both jailbreaking and rooting take away any hardware restrictions imposed by the manufacturer or service provider, and thus help app developers test their programs against a varied list of service providers and different hardware constraints.

The security issue with the Android OS is that it is an open source OS. Android phones, other than the Nexus and Pixel devices, get their security updates late. This makes them vulnerable to security threats until updates roll out for other devices. Yet another security issue with OEM Android devices is that, after a certain time period, the devices do not receive software updates and security patches lag.
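The patch lag described above can be measured on a test device from the `ro.build.version.security_patch` system property, which `adb shell getprop` reports. The following is an added example, not code from the original article: it parses `getprop` output and computes how many months the device is behind a reference date. The sample output is constructed, and the three-month threshold and the status labels are assumptions chosen for illustration.

```python
import re
from datetime import date

# getprop prints one property per line as: [name]: [value]
PROP_RE = re.compile(r"^\[([^\]]+)\]: \[([^\]]*)\]$")

# Constructed sample of `adb shell getprop` output (not from a real device).
SAMPLE_GETPROP = """\
[ro.build.version.release]: [7.0]
[ro.build.version.security_patch]: [2017-08-01]
[ro.product.model]: [Example Phone]
"""

def parse_getprop(text):
    """Turn getprop output into a {name: value} dictionary."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props

def patch_lag_months(props, today):
    """Whole calendar months between the patch level and today, or None."""
    raw = props.get("ro.build.version.security_patch", "")
    try:
        patch = date.fromisoformat(raw)
    except ValueError:
        return None  # property missing (older builds) or malformed
    return (today.year - patch.year) * 12 + (today.month - patch.month)

def assess(text, today, max_months=3):
    """Classify a device by patch age; max_months is an assumed policy."""
    props = parse_getprop(text)
    lag = patch_lag_months(props, today)
    if lag is None:
        status = "unknown"
    elif lag > max_months:
        status = "stale"
    else:
        status = "current"
    return {
        "model": props.get("ro.product.model", "?"),
        "release": props.get("ro.build.version.release", "?"),
        "lag_months": lag,
        "status": status,
    }
```

Recording this value for each device in the test pool shows which findings may depend on platform bugs that a current patch level would already have fixed.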



In this article, we have learned about the differences between the Android OS and iOS from the mobile app point of view. A clear insight into the development of applications for both iOS and the Android OS was provided, as well as the various challenges faced by software developers. The article also shed some light on the security structure of both operating systems and their various limitations in terms of security.


Sayaala is a graduate from India. Sayaala has an interest in the field of information security and also in environmental studies. Sayaala would like to explore more about different aspects of the information security domain, such as AWS, common threats in infosec, malware and vulnerability assessment.