Why this topic matters
Pinning, local storage and link handling are three places where a mobile app exposes its assumptions about its environment: that the network path is trusted, that the device is neither shared nor compromised, and that only expected callers reach its entry points. Weaknesses in any of them turn transport, device or app-entry behaviour into direct offensive value: intercepted traffic, recovered tokens or keys, or entry into authenticated flows from outside the app.
Operator checks
- Test whether pinned trust can be bypassed consistently, and whether the app fails open or fails closed when the presented certificate does not match the pin.
- Inspect keychain/keystore use and the shared preferences, databases, logs and cache locations for sensitive material such as session tokens, keys and personal data.
- Map custom schemes, universal links, intents and exported components as entry surfaces, and note which of them validate the caller or the data they receive.
- Check how link handlers and storage artefacts interact with authentication state: whether a link or a stored artefact can reach an authenticated screen or action without the normal login path.
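The mapping step above, worked through for Android as an added example (this is not code from the original page or from any project it cites). The script parses an AndroidManifest.xml, enumerates components under application, applies the implicit-export rule for components that declare an intent-filter without android:exported, and summarises VIEW+BROWSABLE filters as deep links, flagging custom schemes and web links that lack android:autoVerify. The manifest, package name, component names and host are constructed for illustration.

```python
"""Map Android entry surfaces (exported components and deep links) from a manifest.

Added example. The manifest below is constructed for illustration and is not
taken from any real application.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")
WEB_SCHEMES = {"http", "https"}

# Constructed sample manifest (hypothetical package and components).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bank">
  <application>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".LinkActivity">
      <intent-filter android:autoVerify="true">
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="https"/>
        <data android:host="bank.example.com" android:pathPrefix="/open"/>
      </intent-filter>
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="examplebank"/>
      </intent-filter>
    </activity>
    <receiver android:name=".SyncReceiver" android:exported="true">
      <intent-filter>
        <action android:name="com.example.bank.SYNC"/>
      </intent-filter>
    </receiver>
    <provider android:name=".DataProvider"
        android:authorities="com.example.bank.data"
        android:exported="false"/>
  </application>
</manifest>
"""


def _a(elem, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def _link_filters(component):
    """Summarise VIEW+BROWSABLE intent-filters (deep links / app links).

    Android merges every <data> element inside one filter, so schemes, hosts
    and paths are collected per filter, not per <data> element.
    """
    links = []
    for f in component.findall("intent-filter"):
        actions = {_a(a, "name") for a in f.findall("action")}
        categories = {_a(c, "name") for c in f.findall("category")}
        if ("android.intent.action.VIEW" not in actions
                or "android.intent.category.BROWSABLE" not in categories):
            continue
        schemes, hosts, paths = set(), set(), set()
        for d in f.findall("data"):
            if _a(d, "scheme"):
                schemes.add(_a(d, "scheme"))
            if _a(d, "host"):
                hosts.add(_a(d, "host"))
            for attr in ("path", "pathPrefix", "pathPattern"):
                if _a(d, attr):
                    paths.add(_a(d, attr))
        links.append({
            "schemes": sorted(schemes),
            "hosts": sorted(hosts),
            "paths": sorted(paths),
            "auto_verify": _a(f, "autoVerify") == "true",
        })
    return links


def enumerate_entry_surfaces(manifest_xml):
    """Return {component_name: summary} for every component in <application>."""
    root = ET.fromstring(manifest_xml)
    surfaces = {}
    for comp in root.find("application"):
        if comp.tag not in COMPONENT_TAGS:
            continue
        has_filters = comp.find("intent-filter") is not None
        exported_attr = _a(comp, "exported")
        if exported_attr is None:
            # Implicit rule: a component with an intent-filter is exported.
            # Android 12+ requires android:exported to be explicit when
            # intent-filters are present, so this also hints at an older target.
            exported, explicit = has_filters, False
        else:
            exported, explicit = exported_attr == "true", True
        links = _link_filters(comp)
        findings = []
        if exported and not explicit:
            findings.append("implicitly exported: android:exported absent, intent-filter present")
        if exported and comp.tag not in ("activity", "activity-alias") and not _a(comp, "permission"):
            findings.append(f"exported {comp.tag} without android:permission")
        for link in links:
            for scheme in link["schemes"]:
                if scheme not in WEB_SCHEMES:
                    findings.append(f"custom scheme '{scheme}': any installed app can register it")
            if set(link["schemes"]) & WEB_SCHEMES and not link["auto_verify"]:
                findings.append("web link without android:autoVerify: not a verified App Link")
        surfaces[_a(comp, "name")] = {
            "type": comp.tag,
            "exported": exported,
            "explicit_export": explicit,
            "permission": _a(comp, "permission"),
            "links": links,
            "findings": findings,
        }
    return surfaces


if __name__ == "__main__":
    for name, info in enumerate_entry_surfaces(SAMPLE_MANIFEST).items():
        flag = "EXPORTED" if info["exported"] else "internal"
        print(f"{info['type']:<9} {name:<18} {flag}")
        for link in info["links"]:
            print(f"    link {link['schemes']} {link['hosts']} {link['paths']} autoVerify={link['auto_verify']}")
        for finding in info["findings"]:
            print(f"    ! {finding}")
```

Point it at the AndroidManifest.xml from a decoded APK instead of the sample; the output is the entry-surface list the checklist asks for, and each flagged item is a candidate for the caller-validation and authentication-state checks that follow.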
Reporting lens
Write each finding in terms of the trust boundary crossed, the scope gained and the business or operational effect reached. That keeps the note useful whether you are validating a lab, an internal research target or a live customer environment.
Curated public references
- OWASP MASVS Storage: storage control expectations.
- OWASP MASVS Network: transport and server trust expectations.
- Android Intents and Intent Filters: component and deep-link behaviour on Android.
