تشغيل أي مهارة في Manus
بنقرة واحدة

تشغيل أي مهارة في Manus بنقرة واحدة

ابدأ الآن

testing-mobile-applications

Pentest Android and iOS mobile applications including APK analysis, dynamic analysis, SSL pinning bypass, root/jailbreak detection bypass, and mobile-specific vulnerabilities. Use when testing mobile app security or performing mobile pentesting.

تشغيل في Manus

نظرة عامة

Pentest Android and iOS mobile applications including APK analysis, dynamic analysis, SSL pinning bypass, root/jailbreak detection bypass, and mobile-specific vulnerabilities. Use when testing mobile app security or performing mobile pentesting.

أمر التثبيت

npx skills add https://github.com/trilwu/secskills --skill testing-mobile-applications

انسخ والصق هذا الأمر في Claude Code لتثبيت المهارة

المصدر

trilwu/secskills

النجوم٥٨

التفرعات٦

آخر تحديث١٤ نوفمبر ٢٠٢٥ في ٠٩:٤٥

SKILL.md

readonly

تشغيل أي مهارة بنقرة واحدة

name	testing-mobile-applications
description	Pentest Android and iOS mobile applications including APK analysis, dynamic analysis, SSL pinning bypass, root/jailbreak detection bypass, and mobile-specific vulnerabilities. Use when testing mobile app security or performing mobile pentesting.

Testing Mobile Applications

When to Use

Android APK analysis and exploitation
iOS application pentesting
Mobile app security assessment
Bypassing security controls (SSL pinning, root detection)
Testing mobile-specific vulnerabilities

Android Pentesting

APK Analysis Tools

# Decompile APK
apktool d app.apk -o app_decompiled

# Convert DEX to JAR
d2j-dex2jar app.apk

# View JAR with JD-GUI
jd-gui app-dex2jar.jar

# Automated analysis
mobsf  # Mobile Security Framework
jadx app.apk  # APK to Java decompiler

ADB (Android Debug Bridge)

# List devices
adb devices

# Connect over network
adb connect 192.168.1.100:5555

# Install APK
adb install app.apk

# Uninstall
adb uninstall com.package.name

# List packages
adb shell pm list packages
adb shell pm list packages | grep -i "keyword"

# Get APK path
adb shell pm path com.package.name

# Pull APK from device
adb pull /data/app/com.package.name-xxx/base.apk

# Start activity
adb shell am start -n com.package.name/.MainActivity

# View logs
adb logcat

# Shell access
adb shell

Static Analysis

Search for Sensitive Data:

# Extract strings
strings app.apk | grep -i password
strings app.apk | grep -i api
strings app.apk | grep -i token
strings app.apk | grep -i key

# Search in decompiled code
grep -r "password" app_decompiled/
grep -r "http://" app_decompiled/
grep -r "api_key" app_decompiled/

Check AndroidManifest.xml:

# Decompile and view
apktool d app.apk
cat app_decompiled/AndroidManifest.xml

# Look for:
# - android:debuggable="true"
# - android:allowBackup="true"
# - Exported activities/services
# - Custom permissions
# - URL schemes

Dynamic Analysis

Frida (Runtime Instrumentation):

# List running apps
frida-ps -U

# Attach to app
frida -U -n "App Name"
frida -U -f com.package.name

# Load script
frida -U -f com.package.name -l script.js

# Common scripts
# - Bypass SSL pinning
# - Bypass root detection
# - Hook functions
# - Dump memory

SSL Pinning Bypass:

// Frida script - Universal SSL pinning bypass
Java.perform(function() {
    var TrustManager = Java.use('javax.net.ssl.X509TrustManager');
    TrustManager.checkServerTrusted.implementation = function() {};

    var SSLContext = Java.use('javax.net.ssl.SSLContext');
    SSLContext.init.overload('[Ljavax.net.ssl.KeyManager;', '[Ljavax.net.ssl.TrustManager;', 'java.security.SecureRandom').implementation = function(a,b,c) {
        this.init.overload('[Ljavax.net.ssl.KeyManager;', '[Ljavax.net.ssl.TrustManager;', 'java.security.SecureRandom').call(this, a, null, c);
    };
});

Root Detection Bypass:

// Frida - Bypass root detection
Java.perform(function() {
    var RootClass = Java.use('com.package.name.RootDetection');
    RootClass.isRooted.implementation = function() {
        return false;
    };
});

Intercepting Traffic

Burp Suite Setup:

# 1. Install Burp CA certificate
# Download from http://burp:8080 on device
# Install in Settings -> Security -> Install from storage

# 2. Configure proxy
adb shell settings put global http_proxy 192.168.1.100:8080

# 3. For apps with SSL pinning, use Frida bypass

# 4. Clear proxy when done
adb shell settings put global http_proxy :0

mitmproxy:

# Start mitmproxy
mitmproxy --listen-port 8080

# Install certificate on device
# http://mitm.it

# Set device proxy to attacker IP:8080

Modifying and Repackaging APK

# 1. Decompile
apktool d app.apk -o app_mod

# 2. Modify smali code
# Edit files in app_mod/smali/

# 3. Recompile
apktool b app_mod -o app_modified.apk

# 4. Sign APK
# Generate keystore (first time only)
keytool -genkey -v -keystore my-key.keystore -alias alias_name -keyalg RSA -keysize 2048 -validity 10000

# Sign
jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-key.keystore app_modified.apk alias_name

# Or use uber-apk-signer
java -jar uber-apk-signer.jar -a app_modified.apk

# 5. Install
adb install app_modified.apk

Common Vulnerabilities

Insecure Data Storage:

# Check shared preferences
adb shell
cd /data/data/com.package.name/shared_prefs/
cat *.xml

# Check databases
cd /data/data/com.package.name/databases/
sqlite3 database.db
.tables
SELECT * FROM users;

# Check files
cd /data/data/com.package.name/files/
ls -la
cat *

Exported Components:

# List exported activities
adb shell dumpsys package com.package.name | grep -A 20 "Activity"

# Start exported activity
adb shell am start -n com.package.name/.ExportedActivity

# Call exported service
adb shell am startservice -n com.package.name/.ExportedService

# Broadcast to receiver
adb shell am broadcast -a com.package.name.ACTION

Insecure WebView:

# Check for JavaScript enabled
# Look in code for:
webView.getSettings().setJavaScriptEnabled(true);

# Check for addJavascriptInterface
# Can lead to RCE if exposed

iOS Pentesting

Setup

Jailbreak Tools:

checkra1n (iOS 12-14)
unc0ver (iOS 11-14.8)
Taurine (iOS 14-14.3)

SSH Access:

# Default credentials
ssh root@<device-ip>
# password: alpine

# Change default password!
passwd

IPA Analysis

# Extract IPA
unzip app.ipa

# View binary
otool -L Payload/App.app/App
strings Payload/App.app/App

# Class dump
class-dump Payload/App.app/App > classes.txt

# Decrypt binary (on jailbroken device)
frida-ios-dump -u App

# Static analysis with Hopper/Ghidra

Runtime Analysis

Frida on iOS:

# List apps
frida-ps -Ua

# Attach
frida -U -n "App Name"
frida -U -f com.company.app

# SSL pinning bypass (iOS)
objection -g "App Name" explore
ios sslpinning disable

Objection:

# Launch objection
objection -g com.company.app explore

# Common commands
ios info binary
ios hooking list classes
ios hooking search methods MainActivity
ios sslpinning disable
ios jailbreak disable
ios keychain dump
ios nsuserdefaults get

File System Access

# Connect via SSH
ssh root@device-ip

# App data location
cd /var/mobile/Containers/Data/Application/<UUID>/

# Find app UUID
ipainstaller -l  # List apps
ls /var/mobile/Containers/Data/Application/

# Common paths
Documents/
Library/
Library/Preferences/  # plist files
Library/Caches/
tmp/

Keychain Access

# Using objection
ios keychain dump

# Manual (requires keychain-dumper on device)
./keychain_dumper

# Specific item
security find-generic-password -s "ServiceName"

Common iOS Vulnerabilities

Insecure Data Storage:

# Check plist files
plutil -p Info.plist

# Check UserDefaults
ios nsuserdefaults get

# Check SQLite databases
sqlite3 database.db
.tables
SELECT * FROM sensitive_table;

Binary Protections:

# Check for PIE
otool -hv App | grep PIE

# Check for stack canaries
otool -I App | grep stack_chk

# Check for ARC
otool -I App | grep objc_release

Mobile-Specific Attacks

Deep Link Exploitation:

# Android
adb shell am start -a android.intent.action.VIEW -d "app://open?param=value"

# iOS
xcrun simctl openurl booted "app://open?param=value"

Intent Injection:

# Send malicious intent
adb shell am start -n com.package/.Activity --es "extra_key" "malicious_value"

Backup Extraction:

# Android backup
adb backup -f backup.ab com.package.name
# Extract
java -jar abe.jar unpack backup.ab backup.tar

# iOS backup
idevicebackup2 backup --full backup_directory

Tools

Android:

APKTool - Decompile/recompile APKs
dex2jar - Convert DEX to JAR
JADX - APK to Java decompiler
Frida - Dynamic instrumentation
Objection - Frida-based toolkit
MobSF - Automated analysis
Drozer - Android security framework

iOS:

Frida - Dynamic instrumentation
Objection - Frida toolkit
class-dump - Extract class info
Hopper/Ghidra - Disassemblers
frida-ios-dump - Decrypt binaries
iproxy - Forward ports

Quick Testing Workflow

Static Analysis - Decompile, search strings, analyze manifest/Info.plist
Install - Install on emulator/device
Intercept Traffic - Set up Burp/mitmproxy, bypass SSL pinning
Dynamic Analysis - Use Frida to hook functions, bypass protections
Test Components - Test exported components, deep links, intents
Data Storage - Check for insecure data storage in files/DB/keychain
Repackage - Modify and recompile to test additional scenarios

References