Mobile & API Pentesting

🔥 Vibe Prompt

"Pentest a mobile app: intercept traffic, bypass SSL, root detection, API testing."

Mobile Setup

# Android: Burp Suite proxy
# 1. Set Wi-Fi proxy to Burp (192.168.1.X:8080)
# 2. Install Burp CA cert
adb push burp-ca.der /sdcard/
adb shell "su -c 'cp /sdcard/burp-ca.der /system/etc/security/cacerts/9a5ba575.0'"

# iOS: Proxy with QProxy
# 1. Install QProxy from Cydia
# 2. Set proxy to Burp
# 3. Install Burp CA (Settings → Profile)

# Bypass SSL pinning (Android)
# Use Frida: frida -U -f com.target.app -l ssl_bypass.js

Frida SSL Bypass

// ssl_bypass.js
// Replaces the app's trust manager with one that accepts any chain, so the
// Burp CA is trusted. This only covers pinning that goes through
// SSLContext.init(); pinning done elsewhere needs its own hook.
Java.perform(function() {
    // checkServerTrusted/getAcceptedIssuers are declared on X509TrustManager,
    // not on the marker interface javax.net.ssl.TrustManager
    var X509TrustManager = Java.use('javax.net.ssl.X509TrustManager');

    var TrustAll = Java.registerClass({
        name: 'com.example.TrustAll',
        implements: [X509TrustManager],
        methods: {
            checkClientTrusted: function(chain, authType) {},
            checkServerTrusted: function(chain, authType) {},
            getAcceptedIssuers: function() { return []; }
        }
    });

    var SSLContext = Java.use('javax.net.ssl.SSLContext');
    var init = SSLContext.init.overload('[Ljavax.net.ssl.KeyManager;', '[Ljavax.net.ssl.TrustManager;', 'java.security.SecureRandom');
    init.implementation = function(keyManagers, trustManagers, secureRandom) {
        // call the original overload with our trust manager in place of the app's
        init.call(this, keyManagers, [TrustAll.$new()], secureRandom);
    };

    console.log("SSL pinning bypassed!");
});

# Run: frida -U -f com.target.app -l ssl_bypass.js

Root Detection Bypass

// root_bypass.js
Java.perform(function() {
    // Method 1: hook the library's root check. Guarded, because Java.use
    // throws when the app does not bundle RootBeer at all.
    try {
        var RootBeer = Java.use('com.scottyab.rootbeer.RootBeer');
        RootBeer.isRooted.implementation = function() { return false; };
    } catch (e) {
        console.log("RootBeer not present: " + e.message);
    }

    // Method 2: hide su/magisk artefacts from file-existence checks.
    // Match on the file name; matching any path containing "su" would also
    // hide unrelated files (e.g. ".../cache/resume") and break the app.
    var File = Java.use('java.io.File');
    File.exists.implementation = function() {
        var path = this.getPath();
        var name = path.substring(path.lastIndexOf('/') + 1);
        if (name === "su" || name.toLowerCase().includes("magisk")) {
            return false;
        }
        return this.exists();
    };

    console.log("Root detection bypassed!");
});

API Security Testing

import requests

BASE = "https://api.target.com/v1"
TOKEN = "<valid-low-privilege-session-token>"   # placeholder: a session for an account you own in the test
AUTH = {"Authorization": f"Bearer {TOKEN}"}
TIMEOUT = 10


def safe_json(r):
    """Return the decoded JSON body, or None when the response is not JSON."""
    try:
        return r.json()
    except ValueError:
        return None


def test_api():
    findings = []

    # 1. Rate limiting: more than ten failed logins without a 429 is a finding
    for i in range(100):
        r = requests.post(f"{BASE}/login", json={"user": "admin", "pass": "wrong"}, timeout=TIMEOUT)
        if r.status_code == 429:
            break
        if i > 10:
            findings.append("No rate limiting on login!")
            break

    # 2. Auth bypass: an invalid token must not reach an admin endpoint
    r = requests.get(f"{BASE}/admin/users", headers={"Authorization": "Bearer invalid"}, timeout=TIMEOUT)
    if r.status_code == 200:
        findings.append("Auth bypass!")

    # 3. Mass assignment: a low-privilege session sends an extra "role" field
    #    (a 200 means the field was not rejected; confirm the change manually)
    r = requests.put(f"{BASE}/user/profile", json={"name": "test", "role": "admin"}, headers=AUTH, timeout=TIMEOUT)
    if r.status_code == 200:
        findings.append("Mass assignment: role updated!")

    # 4. IDOR: order 2 belongs to another user but is still readable with our token
    r1 = requests.get(f"{BASE}/orders/1", headers=AUTH, timeout=TIMEOUT)
    r2 = requests.get(f"{BASE}/orders/2", headers=AUTH, timeout=TIMEOUT)
    j1, j2 = safe_json(r1) or {}, safe_json(r2) or {}
    if r2.status_code == 200 and j1.get("user_id") != j2.get("user_id"):
        findings.append("IDOR: can access other orders!")

    # 5. Injection: a tautology in the search parameter (URL-encoded by requests)
    r = requests.get(f"{BASE}/search", params={"q": "' OR 1=1--"}, timeout=TIMEOUT)
    body = safe_json(r)
    if r.status_code == 200 and body:
        findings.append("SQL injection in search!")

    return findings


for f in test_api():
    print(f"⚠️  {f}")
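
Seen from the server side, each of the five probes above leaves a recognisable pattern in gateway logs. The following Python is an added example (not code from the original page) that runs the matching detections over constructed JSON-lines events: a burst of failed logins with no 429, one session walking sequential object ids, a privileged field in an accepted profile write, and a tautology in a query parameter. The field names, thresholds and the `/v1/orders/<id>` route pattern are assumptions for this example; a real deployment would parse its own gateway's access-log format in `parse_lines()` instead.

```python
import json
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed sample gateway events (not real traffic). The JSON-lines layout
# and field names are this example's assumption.
_EVENTS = (
    # twelve failed logins from one client with no 429 ever returned
    [{"ip": "10.0.0.5", "token": None, "method": "POST", "path": "/v1/login",
      "status": 401, "body": {"user": "admin", "pass": "wrong"}} for _ in range(12)]
    # one session reading orders 1..8 in sequence
    + [{"ip": "10.0.0.5", "token": "tok-A", "method": "GET", "path": f"/v1/orders/{i}",
        "status": 200, "body": None} for i in range(1, 9)]
    # a profile update that carries a privileged field and is accepted
    + [{"ip": "10.0.0.5", "token": "tok-A", "method": "PUT", "path": "/v1/user/profile",
        "status": 200, "body": {"name": "test", "role": "admin"}}]
    # a tautology probe in the search parameter (URL-encoded)
    + [{"ip": "10.0.0.5", "token": None, "method": "GET",
        "path": "/v1/search?q=%27%20OR%201%3D1--", "status": 200, "body": None}]
    # an ordinary user viewing a single order: must not be flagged
    + [{"ip": "10.0.0.9", "token": "tok-B", "method": "GET", "path": "/v1/orders/42",
        "status": 200, "body": None}]
)
SAMPLE_LOG = "\n".join(json.dumps(e) for e in _EVENTS)

LOGIN_FAILURE_THRESHOLD = 10   # failed logins per IP before a 429 is expected
ENUMERATION_THRESHOLD = 5      # distinct object ids read by a single session
PRIVILEGED_FIELDS = {"role", "is_admin", "admin", "permissions"}
OBJECT_ROUTE = re.compile(r"^/v1/orders/(\d+)$")        # assumed route shape
SQLI_MARKERS = re.compile(r"'\s*or\s+\d+\s*=\s*\d+|--|;\s*drop\b", re.IGNORECASE)


def parse_lines(text):
    """Decode JSON lines into event dicts, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def analyze(text):
    """Return sorted (finding, subject) pairs for the traffic in `text`."""
    findings = set()
    login_failures = Counter()
    throttled_ips = set()
    ids_per_token = defaultdict(set)

    for ev in parse_lines(text):
        url = urlparse(ev["path"])

        # Rate limiting: count failed logins per IP and remember who got a 429
        if ev["method"] == "POST" and url.path == "/v1/login":
            if ev["status"] == 429:
                throttled_ips.add(ev["ip"])
            elif ev["status"] in (401, 403):
                login_failures[ev["ip"]] += 1

        # IDOR-style enumeration: one session successfully reading many object ids
        m = OBJECT_ROUTE.match(url.path)
        if m and ev["status"] == 200 and ev["token"]:
            ids_per_token[ev["token"]].add(m.group(1))

        # Mass assignment: a privileged field inside an accepted write
        body = ev.get("body")
        if ev["method"] in ("PUT", "PATCH", "POST") and isinstance(body, dict):
            hit = PRIVILEGED_FIELDS & set(body)
            if hit and ev["status"] == 200:
                findings.add(("privileged field accepted in write",
                              f"{url.path}:{','.join(sorted(hit))}"))

        # Injection probes in any query parameter (parse_qs URL-decodes values)
        for values in parse_qs(url.query).values():
            if any(SQLI_MARKERS.search(v) for v in values):
                findings.add(("sql injection probe", f"{ev['ip']} {url.path}"))

    for ip, n in login_failures.items():
        if n >= LOGIN_FAILURE_THRESHOLD and ip not in throttled_ips:
            findings.add(("login not rate limited", ip))
    for token, ids in ids_per_token.items():
        if len(ids) >= ENUMERATION_THRESHOLD:
            findings.add(("object id enumeration", token))
    return sorted(findings)


if __name__ == "__main__":
    for kind, subject in analyze(SAMPLE_LOG):
        print(f"[!] {kind}: {subject}")
```

Run it directly to list the four planted findings. The user who reads a single order is deliberately left unflagged: that is the false-positive case `ENUMERATION_THRESHOLD` exists for, and the same threshold logic is why the detector looks for an absent 429 rather than for failed logins alone.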

Mobile Pentesting Checklist

| Check | Android | iOS |
|-------|---------|-----|
| Traffic interception | Burp proxy + CA cert | QProxy + CA cert |
| SSL pinning bypass | Frida | Frida / SSL Kill Switch 2 |
| Root/jailbreak detect | RootBeer hook | AntiSubstrateCrack |
| Insecure storage | SharedPrefs, SQLite | Keychain, Plist |
| Hardcoded secrets | APK decompile | IPA decompile |
| App clipping | Intent sniffing | URL scheme hijack |
| Emulator detection | Build fingerprint | Model check |

Tools

| Tool | Purpose |
|------|---------|
| Frida | Runtime manipulation |
| Objection | Mobile exploration |
| APKTool | APK decompile |
| MobSF | Static/dynamic analysis |
| Drozer | Android security audit |
| Radare2 | Binary analysis |
| Hopper | iOS disassembler |

Best Practices

  • Always test on real device (emulator detection common)
  • Use Frida for runtime bypasses
  • Decompile APK/IPA for hardcoded secrets
  • Test both API and mobile app together
  • Check for insecure data storage
  • Verify rate limiting on all endpoints
  • Test app clipping / intent hijacking
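
For the "decompile APK/IPA for hardcoded secrets" item, here is an added Python example (not from the page or from any of the tools listed above) of the static check those tools automate: it walks a decompiled app tree, matches a handful of secret signatures line by line, and reports each hit with file and line number while redacting the value. The directory layout, the planted values and the pattern set are constructed for this example; `AKIAIOSFODNN7EXAMPLE` is the sample access key id from AWS's own documentation, and the other values are obviously fake.

```python
import re
import tempfile
from pathlib import Path

# Signature patterns for a few common secret formats. This is a small subset
# of what scanners like MobSF or gitleaks carry; the names are this example's own.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # key-like name followed by a long token: api_key = "...", <string name="api_key">...
    "generic_api_key": re.compile(
        r"""(?i)\b(?:api[_-]?key|secret|token)\b["']?\s*[:=>]\s*["']?([A-Za-z0-9_\-]{20,})"""),
}
# file types worth reading in apktool/jadx output or an unpacked IPA payload
SCAN_SUFFIXES = {".xml", ".java", ".kt", ".smali", ".plist", ".json",
                 ".properties", ".strings", ".pem", ".txt"}


def redact(value):
    """Keep a short prefix so a finding can be located without echoing the secret."""
    return value[:4] + "*" * max(len(value) - 4, 0)


def scan_file(path, root):
    """Yield (relative path, line number, pattern name, redacted match) for one file."""
    try:
        text = path.read_text(errors="ignore")
    except OSError:
        return
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                yield (str(path.relative_to(root)), lineno, name, redact(value))


def scan_tree(root):
    """Walk a decompiled app tree and return a sorted list of findings."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in SCAN_SUFFIXES:
            findings.extend(scan_file(path, root))
    return sorted(findings)


def build_sample_tree():
    """Create a constructed decompiled-app layout with planted, obviously fake secrets."""
    root = Path(tempfile.mkdtemp(prefix="decompiled-"))
    files = {
        "res/values/strings.xml": (
            '<resources>\n'
            '    <string name="app_name">Demo</string>\n'
            '    <string name="api_key">sk_live_EXAMPLE0123456789abc</string>\n'
            '</resources>\n'),
        "smali/com/example/Config.smali": (
            '.class public Lcom/example/Config;\n'
            '    const-string v0, "AKIAIOSFODNN7EXAMPLE"\n'),   # AWS's documented sample key id
        "Payload/Demo.app/Info.plist": (
            '<key>GoogleAPIKey</key>\n'
            '<string>AIzaEXAMPLE_EXAMPLE_EXAMPLE_EXAMPLE_000</string>\n'),
        "assets/deploy.pem": (
            '-----BEGIN RSA PRIVATE KEY-----\n'
            'MIIEpAIBAAKCAQEAEXAMPLEONLY\n'
            '-----END RSA PRIVATE KEY-----\n'),
        # a clean resource file that must produce no finding
        "res/values/colors.xml": '<resources><color name="bg">#FFFFFF</color></resources>\n',
    }
    for rel, content in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)
    return root


if __name__ == "__main__":
    for rel, lineno, name, value in scan_tree(build_sample_tree()):
        print(f"{rel}:{lineno}: {name} -> {value}")
```

The redaction is not cosmetic: a scanner that prints the full value into a CI log or a ticket has just created another copy of the secret. Matching by line also keeps findings actionable, since the reviewer is sent to the exact resource entry or smali constant to replace with a server-side or per-install credential.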
