npx skills add mukul975/Anthropic-Cybersecurity-SkillsMITRE ATT&CK
NIST CSF 2.0
MITRE ATLAS
When to Use
- Testing mobile applications before release to identify security vulnerabilities and data protection issues
- Conducting compliance assessments against OWASP MASVS (Mobile Application Security Verification Standard) levels L1 and L2
- Evaluating the security of mobile banking, healthcare, or government applications handling sensitive data
- Testing mobile apps that interact with backend APIs to assess the end-to-end security of the mobile ecosystem
- Assessing mobile application resistance to reverse engineering, tampering, and runtime manipulation
Do not use against mobile applications without written authorization from the application owner, for distributing modified or repackaged applications, or for testing apps on the public app stores without a separate test build.
Prerequisites
- Target application IPA (iOS) and APK (Android) files or access to download from a private distribution channel
- Rooted Android device or emulator (Genymotion, Android Studio AVD) with Frida, Objection, and Magisk installed
- Jailbroken iOS device or Corellium virtual device with Frida, Objection, and SSL Kill Switch installed
- Static analysis tools: jadx (Android decompilation), Hopper/Ghidra (iOS binary analysis), MobSF (automated scanning)
- Burp Suite Professional configured as proxy for intercepting mobile app traffic with CA certificate installed on the test device
Legal Notice: This skill is for authorized security testing and educational purposes only. Unauthorized use against systems you do not own or have written permission to test is illegal and may violate computer fraud laws.
Workflow
Step 1: Static Analysis
Analyze the application binary without executing it:
Android Static Analysis:
- Decompile the APK:
jadx -d output/ target.apkto obtain Java/Kotlin source code - Review
AndroidManifest.xmlfor exported components (activities, services, receivers, content providers), permissions, and debuggable flag - Search for hardcoded secrets:
grep -rn "api_key\|password\|secret\|token\|aws_" output/ - Identify insecure data storage patterns: SharedPreferences with sensitive data, SQLite databases without encryption, files in external storage
- Check for WebView vulnerabilities:
setJavaScriptEnabled(true),addJavascriptInterface(), and loading untrusted content - Run MobSF automated scan:
python manage.py runserverand upload the APK for automated static analysis
iOS Static Analysis:
- Extract the IPA and locate the Mach-O binary
- Use
otool -L <binary>to list linked frameworks and identify third-party libraries - Analyze with Ghidra or Hopper for hardcoded URLs, API endpoints, and embedded credentials
- Check Info.plist for App Transport Security (ATS) exceptions that allow insecure HTTP connections
- Review embedded entitlements for excessive capabilities
Step 2: Network Security Testing
Intercept and analyze all network communications:
- Configure Burp Suite as proxy on the test device and install the Burp CA certificate
- Exercise all application functionality while Burp captures API traffic
- SSL/TLS validation: Verify the app validates server certificates properly. If the app fails to connect through the proxy, it may implement certificate pinning.
- Certificate pinning bypass:
- Android: Use Frida script:
frida -U -f com.target.app -l ssl-pinning-bypass.js --no-pause - iOS: Use SSL Kill Switch or Objection:
objection -g "Target App" explore --startup-command "ios sslpinning disable"
- Android: Use Frida script:
- API traffic analysis: Review all API calls for:
- Sensitive data transmitted without encryption
- Authentication tokens in URL parameters (visible in logs)
- Excessive data in API responses beyond what the UI displays
- Missing or weak authentication on API endpoints
- WebSocket and custom protocols: Check for non-HTTP communication channels that may bypass standard proxy interception
Step 3: Data Storage Analysis
Test for insecure local data storage:
Android Data Storage:
- Access app data directory:
/data/data/com.target.app/ - Check SharedPreferences XML files for stored credentials, tokens, and PII
- Examine SQLite databases:
sqlite3 /data/data/com.target.app/databases/*.db ".dump" - Check for sensitive data in application logs:
logcat -d | grep -i "password\|token\|key" - Verify that application data is excluded from backups:
android:allowBackup="false"in AndroidManifest.xml - Check clipboard for sensitive data leakage
iOS Data Storage:
- Examine the Keychain for stored credentials:
objection -g "Target App" explorethenios keychain dump - Check NSUserDefaults/plist files:
find /var/mobile/Containers/Data/Application/ -name "*.plist" -exec plutil -p {} \; - Inspect SQLite databases and Core Data stores for unencrypted sensitive data
- Check for data leaking through screenshots (iOS captures screenshots during app backgrounding)
- Verify data protection class: sensitive files should use NSFileProtectionComplete
Step 4: Authentication and Session Management
Test mobile-specific authentication controls:
- Biometric bypass: Test if biometric authentication can be bypassed by hooking the authentication callback with Frida to always return success
- Token storage: Verify that authentication tokens are stored in the Keychain (iOS) or Android Keystore, not in SharedPreferences or files
- Session timeout: Verify that sessions expire after a reasonable idle timeout and that tokens are invalidated server-side on logout
- Root/jailbreak detection bypass: Test if the app detects rooted/jailbroken devices and if the detection can be bypassed with Frida or Magisk Hide
- Deep link abuse: Test if custom URL schemes or universal links can be used to bypass authentication or access restricted functionality
Step 5: Runtime Manipulation
Test the application's resistance to runtime attacks:
- Frida hooking: Use Frida to hook and modify application functions at runtime:
- Bypass root detection: hook the detection function to return false
- Modify return values of authentication checks
- Intercept encryption functions to capture plaintext data before encryption
- Bypass certificate pinning by hooking SSL verification
- Method swizzling (iOS): Use Frida to replace Objective-C method implementations
- Intent manipulation (Android): Send crafted intents to exported components:
adb shell am start -n com.target.app/.InternalActivity -e "user_id" "admin" - Tampering detection: Modify the APK/IPA (add code, change resources), re-sign, and install. Verify whether the app detects tampering.
Key Concepts
| Term | Definition |
|---|---|
| OWASP MASTG | Mobile Application Security Testing Guide; comprehensive manual for mobile app security testing covering both iOS and Android platforms |
| Certificate Pinning | A mobile security control that restricts which TLS certificates the app trusts, preventing man-in-the-middle attacks through proxy interception |
| Frida | Dynamic instrumentation toolkit that allows injection of JavaScript into running processes to hook functions, modify behavior, and bypass security controls |
| Root/Jailbreak Detection | Application-level checks to detect if the device has been modified to grant root access, typically blocking app usage on compromised devices |
| Android Keystore | Hardware-backed credential storage on Android that protects cryptographic keys and secrets from extraction even on rooted devices |
| App Transport Security (ATS) | iOS security feature that enforces HTTPS connections by default; ATS exceptions may indicate insecure network communication |
| Deep Links | URL schemes that open specific screens within a mobile application, which may bypass normal navigation and authentication flows if not properly validated |
Tools & Systems
- Frida / Objection: Dynamic instrumentation tools for hooking functions, bypassing security controls, and manipulating application behavior at runtime
- MobSF (Mobile Security Framework): Automated static and dynamic analysis platform for Android and iOS applications
- jadx: Android decompiler that converts APK bytecode to readable Java source code for manual code review
- Burp Suite Professional: HTTP proxy for intercepting and modifying mobile app API traffic after bypassing certificate pinning
Common Scenarios
Scenario: Mobile Banking Application Security Assessment
Context: A bank is launching a new mobile banking app for iOS and Android. The app handles account viewing, fund transfers, bill payment, and check deposit. OWASP MASVS L2 compliance is required due to the financial data handled.
Approach:
- Static analysis of the Android APK reveals API endpoints, a hardcoded staging server URL, and an AWS API key in a configuration file
- Certificate pinning is implemented but bypassed with Frida SSL pinning bypass script
- API traffic analysis reveals that the balance check endpoint returns all account numbers associated with the user, not just the requested account
- Local data storage analysis finds that the app caches the last 10 transactions in an unencrypted SQLite database
- Biometric authentication bypass: Frida hook on the biometric callback always returns success, granting access without fingerprint
- Root detection is present but bypassed with Magisk Hide module, allowing the app to run on a rooted device with full data access
Pitfalls:
- Testing only on an emulator and missing hardware-specific security features (Android Keystore hardware backing, iOS Secure Enclave)
- Not testing both iOS and Android versions, as they may have different implementations and different vulnerabilities
- Ignoring the backend API security because it was "tested separately" when the mobile app may call API endpoints differently than the web app
- Failing to test certificate pinning bypass, resulting in an incomplete network analysis
Output Format
## Finding: Biometric Authentication Bypass via Frida Instrumentation
**ID**: MOB-003
**Severity**: High (CVSS 7.7)
**Platform**: Android and iOS
**OWASP MASVS**: MASVS-AUTH-2 (Biometric Authentication)
**Description**:
The mobile banking app's biometric authentication can be bypassed using Frida
dynamic instrumentation. The authentication callback function accepts a boolean
result from the biometric API, which can be hooked and forced to return true
without presenting a valid fingerprint or face scan.
**Proof of Concept (Android)**:
frida -U -f com.bank.mobileapp -l bypass-biometric.js --no-pause
// bypass-biometric.js
Java.perform(function() {
var BiometricCallback = Java.use("com.bank.mobileapp.auth.BiometricCallback");
BiometricCallback.onAuthenticationSucceeded.implementation = function(result) {
console.log("[*] Biometric bypassed");
this.onAuthenticationSucceeded(result);
};
});
**Impact**:
An attacker with physical access to an unlocked device can bypass biometric
authentication and access the victim's bank accounts, initiate transfers,
and view financial data without biometric verification.
**Remediation**:
1. Implement server-side biometric verification using Android BiometricPrompt
CryptoObject tied to a Keystore key
2. Require the biometric operation to decrypt a server-side challenge, making
client-side bypass ineffective
3. Add runtime integrity checks to detect Frida and other instrumentation frameworks
4. Implement step-up authentication for high-risk operations (transfers > threshold)References and resources
Everything below is rendered for inspection. Script files are read-only and never run.
References 1
api-reference.md2.1 KB
API Reference: Mobile App Penetration Testing Agent
Overview
Tests Android mobile applications for OWASP MASTG vulnerabilities: insecure storage, hardcoded secrets, manifest misconfigurations, certificate pinning bypass, and API authorization flaws. For authorized testing only.
Dependencies
| Package | Version | Purpose |
|---|---|---|
| requests | >=2.28 | API and cert pinning testing |
| apktool | >=2.7 | APK decompilation (subprocess) |
| adb | - | Android device interaction (subprocess) |
CLI Usage
python agent.py --apk target.apk --manifest AndroidManifest.xml \
--api-url https://api.target.com --auth-token <jwt> --output report.jsonKey Functions
decompile_apk(apk_path, output_dir)
Decompiles APK using apktool for static analysis of smali code and resources.
extract_strings_from_apk(apk_path)
Extracts hardcoded sensitive strings (API keys, passwords, tokens, URLs) from APK binary.
check_android_manifest(manifest_path)
Analyzes AndroidManifest.xml for debuggable, allowBackup, exported components, and cleartext traffic settings.
test_certificate_pinning(target_url)
Tests if API connections succeed through a proxy (indicating missing cert pinning).
check_insecure_storage_adb()
Checks shared_prefs, databases, and external storage for sensitive data via adb shell.
test_api_endpoints(base_url, endpoints, auth_token)
Tests API endpoints for authorization bypass by comparing authenticated vs unauthenticated responses.
check_root_detection(package_name)
Inspects the app package for root detection library indicators (RootBeer, SafetyNet).
OWASP MASTG Coverage
| Category | Test | Function |
|---|---|---|
| MASVS-STORAGE | Insecure Data Storage | check_insecure_storage_adb |
| MASVS-STORAGE | Hardcoded Credentials | extract_strings_from_apk |
| MASVS-NETWORK | Certificate Pinning | test_certificate_pinning |
| MASVS-NETWORK | Cleartext Traffic | check_android_manifest |
| MASVS-AUTH | API Authorization | test_api_endpoints |
| MASVS-RESILIENCE | Root Detection | check_root_detection |
Scripts 1
agent.py7.7 KB
#!/usr/bin/env python3
# For authorized penetration testing and lab environments only
"""Mobile App Penetration Testing Agent - Tests Android/iOS apps for OWASP MASTG vulnerabilities."""
import json
import logging
import argparse
import subprocess
from datetime import datetime
import requests
logging.basicConfig(level=logging.INFO, format="%(asctime)s [%(levelname)s] %(message)s")
logger = logging.getLogger(__name__)
def decompile_apk(apk_path, output_dir):
"""Decompile Android APK using apktool for static analysis."""
cmd = ["apktool", "d", apk_path, "-o", output_dir, "-f"]
result = subprocess.run(cmd, capture_output=True, text=True, timeout=120)
if result.returncode == 0:
logger.info("APK decompiled to %s", output_dir)
return True
logger.error("Decompilation failed: %s", result.stderr[:200])
return False
def extract_strings_from_apk(apk_path):
"""Extract hardcoded strings from APK for sensitive data detection."""
cmd = ["strings", apk_path]
result = subprocess.run(cmd, capture_output=True, text=True, timeout=60)
sensitive_patterns = {
"api_key": [], "password": [], "secret": [], "token": [],
"http://": [], "aws_access": [], "private_key": [],
}
for line in result.stdout.split("\n"):
line_lower = line.strip().lower()
for pattern in sensitive_patterns:
if pattern in line_lower and len(line.strip()) < 200:
sensitive_patterns[pattern].append(line.strip())
total = sum(len(v) for v in sensitive_patterns.values())
logger.info("Extracted %d sensitive strings from APK", total)
return sensitive_patterns
def check_android_manifest(manifest_path):
"""Analyze AndroidManifest.xml for security misconfigurations."""
findings = []
with open(manifest_path, "r", errors="ignore") as f:
content = f.read()
checks = [
("android:debuggable=\"true\"", "App is debuggable - allows runtime manipulation"),
("android:allowBackup=\"true\"", "Backup allowed - data extractable via adb backup"),
("android:exported=\"true\"", "Components exported without permission protection"),
("android:usesCleartextTraffic=\"true\"", "Cleartext HTTP traffic allowed"),
("android:networkSecurityConfig", None),
]
for pattern, description in checks:
if description and pattern in content:
findings.append({"check": pattern, "finding": description, "severity": "Medium"})
if "android:networkSecurityConfig" not in content:
findings.append({
"check": "Missing networkSecurityConfig",
"finding": "No custom network security configuration - may trust user-installed CAs",
"severity": "Medium",
})
logger.info("Manifest analysis: %d findings", len(findings))
return findings
def test_certificate_pinning(target_url):
"""Test if the app enforces certificate pinning via mitmproxy check."""
try:
resp = requests.get(target_url, timeout=10, verify=False)
return {
"url": target_url,
"status": resp.status_code,
"pinning_bypassed": resp.status_code == 200,
"note": "If 200 with proxy active, cert pinning is not enforced",
}
except requests.RequestException as e:
return {"url": target_url, "pinning_bypassed": False, "error": str(e)}
def check_insecure_storage_adb():
"""Check for insecure data storage on connected Android device via adb."""
checks = [
("shared_prefs", "run-as com.target.app ls /data/data/com.target.app/shared_prefs/"),
("databases", "run-as com.target.app ls /data/data/com.target.app/databases/"),
("external_storage", "ls /sdcard/Android/data/com.target.app/"),
]
findings = []
for check_name, adb_cmd in checks:
cmd = ["adb", "shell"] + adb_cmd.split()
result = subprocess.run(cmd, capture_output=True, text=True, timeout=10)
if result.returncode == 0 and result.stdout.strip():
findings.append({
"check": check_name,
"files_found": result.stdout.strip().split("\n"),
"severity": "High" if check_name == "external_storage" else "Medium",
})
logger.info("Storage checks: %d findings", len(findings))
return findings
def test_api_endpoints(base_url, endpoints, auth_token=None):
"""Test mobile app API endpoints for common vulnerabilities."""
headers = {}
if auth_token:
headers["Authorization"] = f"Bearer {auth_token}"
results = []
for endpoint in endpoints:
url = f"{base_url}{endpoint}"
try:
resp = requests.get(url, headers=headers, timeout=10, verify=False)
result = {
"endpoint": endpoint,
"status": resp.status_code,
"response_size": len(resp.content),
}
no_auth_resp = requests.get(url, timeout=10, verify=False)
if no_auth_resp.status_code == 200 and resp.status_code == 200:
result["auth_bypass"] = True
result["severity"] = "Critical"
else:
result["auth_bypass"] = False
results.append(result)
except requests.RequestException:
continue
return results
def check_root_detection(package_name):
"""Check if the app implements root/jailbreak detection."""
cmd = ["adb", "shell", "pm", "dump", package_name]
result = subprocess.run(cmd, capture_output=True, text=True, timeout=30)
root_indicators = ["rootbeer", "rootdetect", "safetynet", "integrity", "tamper"]
found = [ind for ind in root_indicators if ind in result.stdout.lower()]
return {
"package": package_name,
"root_detection_indicators": found,
"likely_protected": len(found) > 0,
}
def generate_report(apk_analysis, manifest_findings, storage_findings, api_results, cert_pinning):
"""Generate mobile app penetration test report."""
report = {
"timestamp": datetime.utcnow().isoformat(),
"sensitive_strings": {k: len(v) for k, v in apk_analysis.items()},
"manifest_findings": manifest_findings,
"storage_findings": storage_findings,
"api_security": api_results,
"certificate_pinning": cert_pinning,
}
total = len(manifest_findings) + len(storage_findings) + len([r for r in api_results if r.get("auth_bypass")])
print(f"MOBILE PENTEST REPORT - {total} findings")
return report
def main():
parser = argparse.ArgumentParser(description="Mobile App Penetration Testing Agent")
parser.add_argument("--apk", help="Path to Android APK file")
parser.add_argument("--manifest", help="Path to AndroidManifest.xml")
parser.add_argument("--api-url", help="Backend API base URL")
parser.add_argument("--auth-token", help="Auth token for API testing")
parser.add_argument("--output", default="mobile_pentest_report.json")
args = parser.parse_args()
apk_strings = extract_strings_from_apk(args.apk) if args.apk else {}
manifest_findings = check_android_manifest(args.manifest) if args.manifest else []
storage = check_insecure_storage_adb()
api_results = []
if args.api_url:
endpoints = ["/api/v1/user/profile", "/api/v1/users", "/api/v1/settings", "/api/v1/admin"]
api_results = test_api_endpoints(args.api_url, endpoints, args.auth_token)
cert_pinning = test_certificate_pinning(args.api_url) if args.api_url else {}
report = generate_report(apk_strings, manifest_findings, storage, api_results, cert_pinning)
with open(args.output, "w") as f:
json.dump(report, f, indent=2)
logger.info("Report saved to %s", args.output)
if __name__ == "__main__":
main()