
Blind spot #1: Vulnerability to man-at-the-end attacks
In web-first development, the server is the ultimate “fortress.” Because we control the hardware and software environment, security is focused on sanitizing inputs and hardening the perimeter. Traditional web-centric SAST (static application security testing) tools are designed for this model. They scan for logical flaws in the server binary, assuming the binary itself remains protected within the fortress. On the web, the “don’t trust your client” strategy is easily maintained because the client-side code typically has limited features and can be ephemeral.
By comparison, a mobile app is a “messenger in enemy territory.” Neither the device nor the end user can be trusted, because the app binary is physically in the attacker’s hands. Unlike web servers, mobile clients are often responsible for more complex local functions, which creates a much larger attack surface. An attacker can tamper with the binary by repackaging it, or use tools like Frida to perform dynamic instrumentation and bypass security controls in real time. Because web-centric SAST tools assume the binary is safe in a fortress, they often overlook these critical mobile-specific vulnerabilities and tampering scenarios.
Frida injects a JavaScript engine into the target process’s memory space, allowing an attacker to intercept function calls in real time. Under the hood it relies on inline hooking (patching the first instructions of a function) and PLT/GOT (procedure linkage table/global offset table) interception (rewriting the pointer table that resolved imports jump through). Either way, execution of the application’s own code is redirected to attacker-controlled code.
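Because the agent has to be mapped into the process to hook anything, one defender-side countermeasure is for the app to inspect its own memory map. The following is an added example, not code from the article: it parses Linux /proc/&lt;pid&gt;/maps lines and flags libraries whose names identify a Frida agent or gadget. The marker list and the sample map are assumptions constructed for the demo.

```c
/* Added example (not the article's code): a heuristic, defender-side check that scans a
 * process's memory map for libraries whose names identify a Frida-style agent. Assumes the
 * Linux /proc/<pid>/maps format and the marker list below; SAMPLE_MAPS is constructed. */
#include <stdio.h>
#include <string.h>
/* Name fragments an agent commonly leaves in the pathname column; attackers can rename them, so a hit is a signal, not proof. */
static const char *const MARKERS[] = { "frida-agent", "frida-gadget", "libfrida" };
#define NUM_MARKERS (sizeof MARKERS / sizeof MARKERS[0])
/* Maps line: "address perms offset dev inode [pathname]". Returns the pathname column (may be empty) or NULL. */
static const char *maps_line_pathname(const char *line) {
    const char *p = line;
    for (int col = 0; col < 5; col++) {
        p = strpbrk(p, " \t\n");           /* end of the current column */
        if (!p || *p == '\n') return NULL; /* fewer than five columns: malformed */
        p += strspn(p, " \t");
    }
    return p;
}
/* 1 if one maps line (with or without a trailing newline) names a marker library. */
int line_has_marker(const char *line) {
    char path[4096];
    const char *p = maps_line_pathname(line);
    if (!p) return 0;
    size_t n = strcspn(p, "\n");           /* the pathname runs to end of line */
    if (n >= sizeof path) n = sizeof path - 1;
    memcpy(path, p, n); path[n] = '\0';
    for (size_t i = 0; i < NUM_MARKERS; i++)
        if (strstr(path, MARKERS[i])) return 1;
    return 0;
}
/* Count marker hits in a whole maps dump held in memory. */
int count_instrumentation_markers(const char *maps_text) {
    int hits = 0;
    for (const char *l = maps_text; *l; ) {
        hits += line_has_marker(l);
        l += strcspn(l, "\n");
        if (*l == '\n') l++;
    }
    return hits;
}
/* Constructed sample dump: an anonymous mapping, libc, and two agent libraries. */
const char SAMPLE_MAPS[] =
    "7f3a1c000000-7f3a1c021000 rw-p 00000000 00:00 0 \n"
    "7f3a1c021000-7f3a1c5e2000 r-xp 00000000 08:01 1311 /system/lib64/libc.so\n"
    "7f3a1d000000-7f3a1d9f0000 r-xp 00000000 08:01 9402 /data/local/tmp/re.frida.server/frida-agent-64.so\n"
    "7f3a1e000000-7f3a1e2c0000 r-xp 00000000 08:01 9410 /data/app/com.example/lib/arm64/libfrida-gadget.so\n";
```

For a live check, feed each fgets() line from /proc/self/maps to line_has_marker(); treat the result as one signal among several, since an agent can be renamed or loaded after the scan.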

