# Testing Mobile API Authentication

## When to Use

Use this skill when:

- Assessing mobile app backend API authentication during penetration tests
- Testing JWT token implementation for common vulnerabilities (none algorithm, weak signing)
- Evaluating OAuth 2.0 / OIDC flows in mobile applications for redirect, PKCE, and scope issues
- Testing for broken object-level authorization (BOLA/IDOR) in API endpoints

Do not use this skill against production APIs without explicit authorization and rate-limiting awareness.

## Prerequisites

- Burp Suite or mitmproxy configured as mobile device proxy
- SSL pinni…