Mobile Application Reverse Engineering: Under the Hood

It is no secret that times are changing and a plethora of companies have a mobile application in the Google Play Store, the Apple App Store, or both. While mobile applications are convenient, they pose a huge security risk if developed in a manner that is not secure. In this talk, methodologies, tools, and potential challenges will be discussed in detail, with the goal of providing penetration testers with the under-the-hood knowledge required to perform security assessments of Android and iOS applications. The iOS portion of this talk will cover topics ranging from getting set up with jailbreaking, Cydia, and OpenSSL; to information gathering with otool, nm, strings, and class-dump; to decryption with Clutch; to debugging with gdb, lldb, and cycript. Simpler concepts, such as copying files using iExplorer, will also be explored. The Android portion of this talk will cover similar topics, including package decompilation with dex2jar and jd-gui, enabling debugging using apktool, and debugging during runtime with adb and jdb. Similar to the iOS portion of the talk, simpler concepts will also be covered, including moving files with adb push and pull. Attendees should leave this talk with a firm understanding of how some popular, higher-level tools work in the background. Applications such as iRET, idb, and Androguard can be very helpful, but in the event they fail, it is critical that an analyst know how to proceed. This presentation will help provide analysts with the background knowledge they need to do just that.

Presented by