一键在 Manus 中运行任何 Skill

pentest-mobile-app

星标284

分支55

更新时间2026年2月11日 09:17

OWASP Mobile Top 10 security testing for Android and iOS — local storage, certificate pinning bypass, IPC abuse, and binary protections.

安装

用 Codex 或 Claude 帮你安装复制这段 Prompt，粘贴到 Codex、Claude 或其他助手里，让它检查 Skill 页面并帮你完成安装。

在 Manus 中运行

来源

jd-opensource

jd-opensource/JoySafeter

打开 GitHub 仓库查看创作者相关仓库

下载

在 Manus 中运行

Pentest Mobile App

Purpose

Mobile apps are completely absent from Shannon (web-only) and all existing skills. Mobile apps often share backend APIs but introduce unique attack surfaces: local storage, pinning, intent handling, binary protections.

Prerequisites

Authorization Requirements

Written authorization with mobile app testing scope
APK/IPA files or access to app store downloads
Test devices or emulators (rooted Android, jailbroken iOS preferred)
Backend API documentation if available

Environment Setup

Frida for runtime instrumentation
Objection for quick mobile security testing
MobSF for automated static/dynamic analysis
jadx for Android decompilation, Hopper for iOS
Burp Suite configured as mobile proxy

Core Workflow

Static Analysis: Decompile APK/IPA, analyze for hardcoded secrets, insecure storage patterns, weak crypto, exported components, debug flags.
Insecure Data Storage: Check SharedPreferences/Keychain for sensitive data, SQLite DBs, log files, clipboard exposure, backup extraction.
Certificate Pinning Bypass: Use Frida/Objection to disable pinning, intercept HTTPS traffic, test HTTP fallback.
Auth & Session on Mobile: Token storage security, biometric bypass, session timeout, deep link auth bypass.
IPC Testing: Exported Activities/Services/BroadcastReceivers (Android), URL scheme hijacking (iOS), intent injection, custom URI handler abuse.
Binary Protections: Root/jailbreak detection bypass, anti-tampering bypass, code obfuscation assessment, runtime manipulation via Frida.
Mobile-Context API Testing: APIs trusting mobile client-side validation, device-ID spoofing, push notification token abuse.

Tool Categories

Category	Tools	Purpose
Runtime Instrumentation	Frida, Objection	Hook functions, bypass protections
Static Analysis	MobSF, jadx, Hopper	Decompile and analyze binaries
Traffic Interception	Burp Suite, mitmproxy	HTTPS interception with pinning bypass
Android Testing	adb, drozer	Component testing, IPC analysis
iOS Testing	Objection, cycript	Runtime manipulation, keychain dump

References

references/tools.md - Tool function signatures and parameters
references/workflows.md - Attack pattern definitions and test vectors

同仓库更多 Skills

同仓库

skill-creator

jd-opensource/JoySafeter

Guide for creating effective skills. This skill should be used when users want to create a new skill (or update an existing skill) that extends an agent's capabilities with specialized knowledge, workflows, or tool integrations.

2026-03-26284

openclaw-security-checker

jd-opensource/JoySafeter

OpenClaw 安全检测工具，基于安全实践指南验证配置安全、权限隔离、网络策略、日志审计和运行时完整性

2026-03-13284

openclaw-threat-detect

jd-opensource/JoySafeter

OpenClaw 攻击模式检测工具，识别数据外传、反弹Shell、文件泄露、Prompt注入、供应链投毒等高危行为，支持 MITRE ATT&CK 映射

2026-03-13284

skill-security-auditor

jd-opensource/JoySafeter

OpenClaw Skills 全方位安全审计工具，检测供应链投毒、Prompt注入、恶意代码模式、权限越权和依赖风险

2026-03-13284

planning-with-files

jd-opensource/JoySafeter

Implements Manus-style file-based planning for complex tasks. Creates task_plan.md, findings.md, and progress.md. Use when starting complex multi-step tasks, research projects, or any task requiring >5 tool calls. Now with automatic session recovery after /clear.

2026-02-13284

pentest-ai-llm-security

jd-opensource/JoySafeter

AI/LLM application security testing — prompt injection, jailbreaking, data exfiltration, and insecure output handling per OWASP LLM Top 10.

2026-02-11284

name	pentest-mobile-app
description	OWASP Mobile Top 10 security testing for Android and iOS — local storage, certificate pinning bypass, IPC abuse, and binary protections.

Pentest Mobile App

Purpose

Prerequisites

Authorization Requirements

Written authorization with mobile app testing scope
APK/IPA files or access to app store downloads
Test devices or emulators (rooted Android, jailbroken iOS preferred)
Backend API documentation if available

Environment Setup

Frida for runtime instrumentation
Objection for quick mobile security testing
MobSF for automated static/dynamic analysis
jadx for Android decompilation, Hopper for iOS
Burp Suite configured as mobile proxy

Core Workflow

Static Analysis: Decompile APK/IPA, analyze for hardcoded secrets, insecure storage patterns, weak crypto, exported components, debug flags.
Insecure Data Storage: Check SharedPreferences/Keychain for sensitive data, SQLite DBs, log files, clipboard exposure, backup extraction.
Certificate Pinning Bypass: Use Frida/Objection to disable pinning, intercept HTTPS traffic, test HTTP fallback.
Auth & Session on Mobile: Token storage security, biometric bypass, session timeout, deep link auth bypass.
IPC Testing: Exported Activities/Services/BroadcastReceivers (Android), URL scheme hijacking (iOS), intent injection, custom URI handler abuse.
Binary Protections: Root/jailbreak detection bypass, anti-tampering bypass, code obfuscation assessment, runtime manipulation via Frida.
Mobile-Context API Testing: APIs trusting mobile client-side validation, device-ID spoofing, push notification token abuse.

Tool Categories

Category	Tools	Purpose
Runtime Instrumentation	Frida, Objection	Hook functions, bypass protections
Static Analysis	MobSF, jadx, Hopper	Decompile and analyze binaries
Traffic Interception	Burp Suite, mitmproxy	HTTPS interception with pinning bypass
Android Testing	adb, drozer	Component testing, IPC analysis
iOS Testing	Objection, cycript	Runtime manipulation, keychain dump

References

references/tools.md - Tool function signatures and parameters
references/workflows.md - Attack pattern definitions and test vectors