The Mobile Application Hacker's Handbook
Chell, Erasmus, Colley, and Whitehouse's reference on iOS and Android application security from the early-mid 2010s — runtime hooking, transport security, IPC abuse, and the platform-specific surface of mobile pentesting.
- Published: 2015
- Publisher: Wiley
- Pages: 816
- Language: English
Read this if
Mobile pentesters who want the structural foundations of the discipline — what surface exists, where bugs typically live, how the platforms differ in their defaults. The taxonomy and methodology chapters age more slowly than the specific tooling.
Skip this if
Readers needing current technique on App Attest, DeviceCheck, biometric-bound keys, modern pinning bypass, recent runtime instrumentation (Frida-class), or the cross-platform reality (React Native, Flutter, Capacitor). The 2015 publication shows on every chapter.
Key takeaways
- The platform-defaults-and-pitfalls structure is durable: each platform's security model is still best understood through the same lens the book uses.
- IPC, deep-link, and inter-app surface remain the highest-yield mobile attack surfaces, even though the specific APIs have changed.
- Pair every chapter with current OWASP MASTG / MASVS material; the conceptual map is the book's value, the specific tooling is not.
Notes
Pair with OWASP MASTG, the Frida documentation, and platform-specific resources (Apple Platform Security Guide, Android Security Internals by Elenkov) for current depth. iOS Application Security (Thiel) is a thinner adjacent reference. The book is increasingly historical but still the most coherent printed introduction to mobile-pentest methodology — once you have the methodology, the tools are a search away.
What to read before
What to read before The Mobile Application Hacker's Handbook
Intermediate · 2016
iOS Application Security
David Thiel on attacking and defending iOS apps: the platform sandbox, IPC surfaces, keychain semantics, transport security, and the patterns that introduce real bugs.
Beginner · 2020
Alice and Bob Learn Application Security
Tanya Janca's hands-on AppSec primer covering threat modeling, secure design, secure coding, testing, deployment, and the social side of running an AppSec program — through a friendly, narrative-driven structure.
Beginner · 2025
Linux Basics for Hackers
OccupyTheWeb's introduction to Linux from the angle that hackers and pentesters actually need it: shells, networking, scripting, and Kali tooling.
What to read next
What to read after The Mobile Application Hacker's Handbook
Intermediate · 2016
iOS Application Security
David Thiel on attacking and defending iOS apps: the platform sandbox, IPC surfaces, keychain semantics, transport security, and the patterns that introduce real bugs.
Advanced · 2006
The Art of Software Security Assessment
The 1200-page reference on auditing C/C++ codebases for security: parsing complex memory and integer interactions, language pitfalls, and how vulnerabilities arise from interactions between layers.
Advanced · 2011
The Tangled Web
The deepest book ever written on the strange, accreted security model of the web browser.
Explore similar books
Alternatives to The Mobile Application Hacker's Handbook
Intermediate · 2016
iOS Application Security
David Thiel on attacking and defending iOS apps: the platform sandbox, IPC surfaces, keychain semantics, transport security, and the patterns that introduce real bugs.
Intermediate · 2021
Real-World Cryptography
David Wong's hands-on tour of the cryptographic primitives, protocols and pitfalls that show up in actual production systems, with deliberate attention to TLS, Noise, modern AEAD, and post-quantum.
Intermediate · 2021
Designing Secure Software
Loren Kohnfelder, the original PKI author, on how to weave security thinking through requirements, design, implementation and operations rather than bolt it on at the end.