// Comparison

Black Hat GraphQL vs The Mobile Application Hacker's Handbook: Which Should You Read?

Two cybersecurity books on AppSec, compared honestly: who each is for, what each does best, and which to read first.

Intermediate

4/52023

Attacking Next Generation APIs

Nick Aleks, Dolev Farhi

Aleks and Farhi on attacking GraphQL specifically: introspection abuse, batching, depth and complexity attacks, auth flaws, and the differences from REST that make GraphQL pentests their own discipline.

Intermediate

3/52015

The Mobile Application Hacker's Handbook

Dominic Chell, Tyrone Erasmus, Shaun Colley, Ollie Whitehouse

Chell, Erasmus, Colley, and Whitehouse's reference on iOS and Android application security from the early-mid 2010s — runtime hooking, transport security, IPC abuse, and the platform-specific surface of mobile pentesting.

Read this if

Anyone whose bug bounty or pentest scope includes GraphQL — and who keeps finding nothing because they're using web-app methodology. Aleks and Farhi cover introspection abuse, batching attacks, depth/complexity DoS, auth flaws, and the way GraphQL flattens the typical web threat model.

Mobile pentesters who want the structural foundations of the discipline — what surface exists, where bugs typically live, how the platforms differ in their defaults. The taxonomy and methodology chapters age more slowly than the specific tooling.

Skip this if

Readers without GraphQL exposure in their work; the book is a specialization, not a general intro.

Readers needing current technique on App Attest, DeviceCheck, biometric-bound keys, modern pinning bypass, recent runtime instrumentation (Frida-class), or the cross-platform reality (React Native, Flutter, Capacitor). The 2015 publication shows on every chapter.

Key takeaways

Disabled introspection is not a security control; the book explains how to enumerate schemas without it and why that matters.
Batching and aliasing attacks let one HTTP request do many things; classic rate-limit defenses fail unless GraphQL-aware.
Depth and complexity attacks are the GraphQL equivalent of regex DoS, usually possible, often forgotten, sometimes catastrophic.

The platform-defaults-and-pitfalls structure is durable: each platform's security model is still best understood through the same lens the book uses.
IPC, deep-link, and inter-app surface remain the highest-yield mobile attack surfaces, even though the specific APIs have changed.
Pair every chapter with current OWASP MASTG / MASVS material; the conceptual map is the book's value, the specific tooling is not.

How they compare

We rate Black Hat GraphQL higher (4/5 against 3/5 for The Mobile Application Hacker's Handbook). For most readers, that means Black Hat GraphQL is the primary pick and The Mobile Application Hacker's Handbook is a useful follow-up.

Both books target intermediate-level readers, so the choice is about topic, not difficulty.

Black Hat GraphQL and The Mobile Application Hacker's Handbook both cover AppSec, so reading them in sequence reinforces the same material from different angles.

Keep reading

Black Hat GraphQL

→ Alternatives to Black Hat GraphQL → What to read after Black Hat GraphQL