If session tokens are not sufficiently random, they open the door to session hijacking attacks, and this should be noted in the findings. I will break these steps down into sub-tasks and describe the tools I recommend using at each level. When a mobile application has been designed with a clear client-server tier architecture, network attacks are one of the major concerns. Self-healing applications don't need AI or machine learning. How to hack an app: Portswigger - Server Side Template Injection.
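The randomness check described above is usually done with Burp Sequencer, but the core of it fits in a few lines. The following is an added example, not code from the original page: it measures the Shannon entropy of each character position across a sample of tokens and flags positions that are static or nearly so (constants, counters, timestamps). The token samples are constructed here; in practice you would pass in several hundred tokens collected from the target.

```python
"""Added example (not from the original page): per-position entropy check
over a sample of session tokens, the kind of analysis Burp Sequencer automates.
Token samples are constructed; pass real ones collected from the target."""
import math
import secrets
from collections import Counter


def position_entropy(tokens):
    """Shannon entropy in bits of the symbol seen at each character position."""
    length = len(tokens[0])
    if any(len(t) != length for t in tokens):
        raise ValueError("all tokens must have the same length")
    n = len(tokens)
    entropies = []
    for i in range(length):
        counts = Counter(t[i] for t in tokens)
        entropies.append(-sum(c / n * math.log2(c / n) for c in counts.values()))
    return entropies


def weak_positions(tokens, threshold=1.0):
    """Positions carrying under `threshold` bits: constants, counters, dates."""
    return [i for i, h in enumerate(position_entropy(tokens)) if h < threshold]


def estimated_bits(tokens):
    """Sum of per-position entropies. Positions may be correlated, so this is
    an optimistic ceiling on the token's real entropy: a low figure is damning,
    a high one is not yet reassuring on its own."""
    return sum(position_entropy(tokens))


# Constructed samples: static prefix, zero-padded counter, static suffix.
WEAK_TOKENS = [f"sess{i:04d}ab" for i in range(100)]
# Constructed samples drawn from the OS CSPRNG, 64 bits each.
STRONG_TOKENS = [secrets.token_hex(8) for _ in range(200)]

if __name__ == "__main__":
    for name, toks in (("weak", WEAK_TOKENS), ("strong", STRONG_TOKENS)):
        print(name, "low-entropy positions:", weak_positions(toks),
              "estimated bits: %.1f" % estimated_bits(toks))
```

Entropy estimates from small samples are biased low, so collect at least a few hundred tokens before drawing conclusions, and treat any position that never changes across the sample as a finding in its own right: it is either filler or a fixed field that an attacker does not need to guess.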
Application Penetration Testing
Forced browsing is a discovery technique for identifying resources that are not referenced by the target application but are reachable nonetheless. This is a risk if the application can ever be used in a shared computing environment. Such resources are a particular concern when they exist on the same web server as the target, usually because a developer left them behind and forgot about them; they can then often expose it to attack. Instead of using a proxy to understand the inner workings of the app, debugging software is used. As a tester you should make note of any areas of the application that accept arbitrary user input and try to inject into them.
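The practical difficulty in forced browsing is telling a real hit from a "soft 404", a page that returns 200 with a friendly not-found message for every unknown path. The following is an added example, not code from the original page: it first requests a path that cannot exist to learn what "not found" looks like on this server, then reports only wordlist entries whose status or body fingerprint differs from that baseline. The site it runs against is a constructed in-memory fake so the example works offline; the `http_fetch` helper shows how to point the same logic at a real target you are authorised to test.

```python
"""Added example (not the page's code): forced browsing with a soft-404
baseline. The target below is a constructed fake so this runs offline; use
http_fetch(base_url) as the fetch callable against a real, authorised target."""
import hashlib
import secrets
import urllib.error
import urllib.request


def http_fetch(base_url, timeout=10):
    """Return a fetch(path) -> (status, body) callable backed by urllib."""
    def fetch(path):
        req = urllib.request.Request(base_url.rstrip("/") + path,
                                     headers={"User-Agent": "forced-browse/0.1"})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return resp.status, resp.read()
        except urllib.error.HTTPError as err:
            return err.code, err.read()
    return fetch


def fingerprint(path, body):
    """Hash the body with the requested path masked out, so soft-404 pages that
    echo the URL still compare equal across different paths."""
    masked = body.replace(path.encode(), b"<PATH>")
    return hashlib.sha256(masked).hexdigest()


def baseline(fetch):
    """Request a random path that cannot exist to learn how 'not found' looks."""
    path = "/" + secrets.token_hex(8)
    status, body = fetch(path)
    return status, fingerprint(path, body)


def forced_browse(fetch, wordlist):
    """Return (path, status) for every wordlist entry that does not look like
    the server's not-found response."""
    base_status, base_fp = baseline(fetch)
    found = []
    for path in wordlist:
        status, body = fetch(path)
        if (status, fingerprint(path, body)) != (base_status, base_fp):
            found.append((path, status))
    return found


# Constructed fake site: unknown paths get a 200 "soft 404" that echoes the path.
FAKE_SITE = {
    "/": (200, b"<html>Welcome</html>"),
    "/admin/": (403, b"Forbidden"),
    "/backup.zip": (200, b"PK\x03\x04..."),
    "/.git/config": (200, b"[core]\n\trepositoryformatversion = 0\n"),
}


def fake_fetch(path):
    default = (200, b"<html>Not found: " + path.encode() + b"</html>")
    return FAKE_SITE.get(path, default)


# Constructed wordlist; real runs use a proper list such as SecLists.
WORDLIST = ["/admin/", "/backup.zip", "/.git/config", "/old/", "/test.php",
            "/robots.txt"]

if __name__ == "__main__":
    for path, status in forced_browse(fake_fetch, WORDLIST):
        print(status, path)
```

A 403 is reported as a hit on purpose: the resource exists and is worth noting even though this user cannot read it. For real targets, re-run the baseline once per directory depth and per extension, since some frameworks answer `/missing` and `/missing.php` differently.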