This is a blog entirely dedicated to security analysis of mobile apps. No idea who writes it but it is good.
https://theappanalyst.com/
Neat writeup on going from SQL Injection to Remote Code Execution.
https://medium.com/bugbountywriteup/sql-injection-to-lfi-to-rce-536bed29a862
I've been on a PHP project recently, and I learned about this cool tool to bypass disable_functions.
https://github.com/mm0r1/exploits/tree/master/php7-gc-bypass
Speaking of PHP, the static code analysis tool I learned to use was Exakat. Steep learning curve but unbelievable reports. And open source!
https://github.com/exakat/exakat
That's the news, folks.