Pentest Mobile App
Purpose
Mobile apps are completely absent from Shannon (web-only) and all existing skills. Mobile apps often share backend APIs but introduce unique attack surfaces: local storage, pinning, intent handling, binary protections.
Prerequisites
Authorization Requirements
- Written authorization with mobile app testing scope
- APK/IPA files or access to app store downloads
- Test devices or emulators (rooted Android, jailbroken iOS preferred)
- Backend API documentation if available
Environment Setup
- Frida for runtime instrumentation
- Objection for quick mobile security testing
- MobSF for automated static/dynamic analysis
- jadx for Android decompilation, Hopper for iOS
- Burp Suite configured as mobile proxy
Core Workflow
- Static Analysis: Decompile APK/IPA, analyze for hardcoded secrets, insecure storage patterns, weak crypto, exported components, debug flags.
- Insecure Data Storage: Check SharedPreferences/Keychain for sensitive data, SQLite DBs, log files, clipboard exposure, backup extraction.
- Certificate Pinning Bypass: Use Frida/Objection to disable pinning, intercept HTTPS traffic, test HTTP fallback.
- Auth & Session on Mobile: Token storage security, biometric bypass, session timeout, deep link auth bypass.
- IPC Testing: Exported Activities/Services/BroadcastReceivers (Android), URL scheme hijacking (iOS), intent injection, custom URI handler abuse.
- Binary Protections: Root/jailbreak detection bypass, anti-tampering bypass, code obfuscation assessment, runtime manipulation via Frida.
- Mobile-Context API Testing: APIs trusting mobile client-side validation, device-ID spoofing, push notification token abuse.
Tool Categories
| Category | Tools | Purpose |
|---|---|---|
| Runtime Instrumentation | Frida, Objection | Hook functions, bypass protections |
| Static Analysis | MobSF, jadx, Hopper | Decompile and analyze binaries |
| Traffic Interception | Burp Suite, mitmproxy | HTTPS interception with pinning bypass |
| Android Testing | adb, drozer | Component testing, IPC analysis |
| iOS Testing | Objection, cycript | Runtime manipulation, keychain dump |
References
- references/tools.md - Tool function signatures and parameters
- references/workflows.md - Attack pattern definitions and test vectors