From cybersec-toolkit
Guides static and dynamic analysis of Android APKs and iOS IPAs for bug bounty hunting, including Frida hooking, cert pinning bypass, deep link/intent abuse, and secrets extraction.
Slash command: `/cybersec-toolkit:bounty-mobile`
Android APK:

```bash
# From device
adb shell pm path com.target.app
adb pull /data/app/.../base.apk
# From APKMirror / APKPure (be sure of version match)
```
iOS IPA: requires jailbroken device or developer build (frida-ios-dump, flexdecrypt).
```bash
# Decompile to source
jadx-gui base.apk      # GUI
jadx -d ./out base.apk # CLI
# Disassemble to smali
apktool d base.apk -o ./out
# Manifest
aapt2 dump badging base.apk
aapt2 dump xmltree base.apk AndroidManifest.xml | head -100
# Quick wins
grep -rE "https?://" ./out/sources/ | sort -u                       # endpoints
grep -rE "(api[_-]?key|secret|token|password)" ./out/sources/       # hardcoded creds
trufflehog filesystem ./out/
```
Specifically check AndroidManifest.xml for:

- `android:exported="true"` activities/services/receivers (callable from other apps)
- `android:debuggable="true"` (massive vuln if shipped)
- `<data android:scheme="...">` intent filters (deep link attack surface)
- `android:allowBackup="true"` (backup leakage)
- `networkSecurityConfig` (cleartext allowed?)

Look at assets/ and res/raw/ for embedded files (often contain SDK keys, dev URLs).
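As an added example (not part of the skill), the following Python audits a manifest decoded by `apktool d` for the checklist items above; the sample manifest is constructed, and the implicit-export rule reflects the pre-API-31 default where a component with an intent-filter is exported unless `android:exported` says otherwise.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENTS = ("activity", "service", "receiver", "provider")

# Constructed sample of a decoded manifest (apktool output), not a real app.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
  <application android:debuggable="true" android:allowBackup="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter><data android:scheme="myapp" android:host="open"/></intent-filter>
    </activity>
    <receiver android:name=".SyncReceiver">
      <intent-filter><action android:name="com.example.SYNC"/></intent-filter>
    </receiver>
    <provider android:name=".DataProvider" android:authorities="com.example.data"
              android:exported="false"/>
  </application>
</manifest>"""

def attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")

def audit_manifest(xml_text):
    """Return (severity, finding) tuples for the manifest checks in the checklist above."""
    app = ET.fromstring(xml_text).find("application")
    findings = []
    if attr(app, "debuggable") == "true":
        findings.append(("high", "android:debuggable=\"true\" shipped"))
    if attr(app, "allowBackup") != "false":
        findings.append(("medium", "android:allowBackup not set to \"false\""))
    if attr(app, "networkSecurityConfig") is None:
        findings.append(("info", "no networkSecurityConfig: check cleartext policy"))
    for comp in app:
        if comp.tag not in COMPONENTS:
            continue
        name = attr(comp, "name")
        exported = attr(comp, "exported")
        # Before API 31 a component with an intent-filter is exported by default.
        implicit = exported is None and comp.find("intent-filter") is not None
        if (exported == "true" or implicit) and attr(comp, "permission") is None:
            how = "implicitly" if implicit else "explicitly"
            findings.append(("medium", f"{comp.tag} {name} {how} exported, no permission"))
        for data in comp.iter("data"):
            scheme = attr(data, "scheme")
            if scheme and scheme not in ("http", "https"):
                findings.append(("info", f"{comp.tag} {name} handles {scheme}:// deep links"))
    return findings
```

Point it at `./out/AndroidManifest.xml` after `apktool d` to get the same list for a real target.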
```bash
# IPA is just a ZIP
unzip app.ipa -d app
# Class-dump from binary (if not encrypted)
class-dump-z Payload/MyApp.app/MyApp
# If encrypted (FairPlay) — need decrypted dump from jailbroken device:
# frida-ios-dump or bagbak
# Strings & secrets
strings Payload/MyApp.app/MyApp | grep -E "https?://|api[_-]?key"
trufflehog filesystem Payload/
```
Inspect Info.plist for:

- `LSApplicationQueriesSchemes` (URL schemes the app calls)
- `CFBundleURLTypes` (URL schemes the app accepts; deep link surface)
- `NSAppTransportSecurity` exceptions (cleartext allowed?)

```bash
# List apps on device
frida-ps -Uai
# Spawn with hook
frida -U -f com.target.app -l hook.js --no-pause
# Objection — high-level wrapper
objection -g com.target.app explore
# Inside objection:
android sslpinning disable
android hooking watch class_method com.target.app.AuthManager.login
android root disable
ios sslpinning disable
ios jailbreak disable
```
objection covers ~80% of routine instrumentation. Use Frida directly only when you need custom hooks.
| Approach | When |
|---|---|
| `objection ... sslpinning disable` | First try, works on most apps |
| Custom Frida script (apk-mitm, frida-ssl-bypass) | When objection fails |
| Patching the APK with apk-mitm | Non-rooted devices, or for a permanent test build |
| Magisk + LSPosed + JustTrustMe | Rooted device, app-side bypass |
After bypass, route traffic through Burp / mitmproxy and replay/edit.
For each exported=true activity / service / receiver:

```bash
# Trigger directly from adb
adb shell am start -n com.target.app/.SomeActivity --es param "value"
adb shell am broadcast -a com.target.app.ACTION_FOO --es key val
```

Look for:

- `addJavascriptInterface` exposing native methods to JS (XSS → RCE chain)
- Deep links that carry state-changing parameters, e.g. `myapp://?action=delete&id=123`
- ContentProviders: `adb shell content query --uri content://com.target.app/...` (many leak data)
Check what the app writes to disk (rooted device or post-frida pull):

- `/data/data/com.target.app/shared_prefs/` (often plaintext SharedPreferences with tokens)
- `/data/data/com.target.app/databases/` (SQLite DBs, sometimes with secrets)
- External storage (`/sdcard/Android/data/com.target.app/`), accessible without root
- iOS: `~/Containers/Data/Application/<UUID>/Library/Preferences/` (plist)

```bash
# Setup mitmproxy / burp on host, route phone via WiFi proxy
# Install Burp/mitmproxy CA cert as system cert (rooted) or via apk-mitm patch
mitmproxy -p 8080 --mode regular
# or Burp Suite (Pro)
# Capture, intercept, replay, fuzz API calls just like web
```
After bypass + proxy, the target reduces to a normal API target → use bounty-api skill.
jadx, apktool, aapt2, frida, frida-tools, objection, mobsf, androguard, mitmproxy, apkleaks, apk-mitm.
iOS-specific (less common): class-dump, bagbak, frida-ios-dump, iproxy.
Show the chain end-to-end: app → exposed component → impact. Include the exact adb command or Frida hook used. Note device + Android version + app version.