ClaudeWave
Skill: 2.3k repo stars, updated 1mo ago

offensive-mobile

Mobile (Android + iOS) application penetration testing methodology covering static analysis through decompilation tools, dynamic instrumentation with Frida, security bypass techniques for SSL pinning and biometric authentication, attack surface mapping including exported components and deep links, and insecure data storage vulnerabilities. Use this skill for mobile app penetration testing, bug bounty mobile assessments, or security-focused app reconnaissance.

Install in Claude Code

git clone --depth 1 https://github.com/SnailSploit/Claude-Red /tmp/offensive-mobile && cp -r /tmp/offensive-mobile/Skills/mobile/offensive-mobile ~/.claude/skills/offensive-mobile
Then open a new Claude Code session; the skill loads automatically.

SKILL.md

# Mobile (Android + iOS) — Offensive Testing Methodology

## Quick Workflow

1. Static: pull the IPA/APK, decompile, dump resources/strings, identify endpoints
2. Dynamic: install on rooted/jailbroken device, hook with Frida, intercept TLS
3. Map exported attack surface: deep links, URL schemes, exported components
4. Storage / Keystore audit: where do secrets live, what protects them
5. API: every backend the app talks to is your scope — test like a web app

---

## Lab Setup

### Android
- Rooted device or **Genymotion** / Android Studio AVD with `userdebug` build
- **Magisk** for systemless root; **LSPosed** for hooks; **Frida server** matching device arch
- **Burp / Mitmproxy** with system-trusted CA via Magisk module (`MagiskTrustUserCerts`)

### iOS
- Jailbroken device (palera1n / checkra1n / Dopamine depending on iOS version)
- **Frida** + **Objection** + **Filza** + **SSH via USB (iproxy 2222 22)**
- Burp CA installed via Settings → General → Device Management → Certificate Trust Settings

---

## Static Analysis

### Android

```bash
# Decode resources + smali
apktool d app.apk -o app

# Decompile to Java
jadx -d app_src app.apk

# Manifest review
xmllint --format app/AndroidManifest.xml | less
# Look for: android:exported="true", intent-filters, custom permissions, debuggable, allowBackup, networkSecurityConfig
```

```bash
# Secrets and endpoints
grep -rE '(https?://[a-z0-9.-]+|api[_-]?key|secret|token|firebase|amazonaws|appspot)' app_src/
grep -r "Log\.[dwief]" app_src/   # leftover debug logs

# Native libs
file app/lib/*/*.so
# RE in Ghidra/IDA; look for JNI_OnLoad and exported Java_* functions
```

### iOS

```bash
# Pull IPA from device
frida-ios-dump -o app.ipa "com.vendor.app"

# Or obtain the IPA from the App Store with third-party tooling (Apple Configurator with a paid account, etc.)
unzip app.ipa
# Decrypt if needed (jailbroken device): bagbak / clutch
bagbak com.vendor.app

# Class dump
class-dump-dyld -H Payload/App.app/App -o headers/
# Or for Swift symbols, use Hopper / IDA

# Strings / endpoints
strings -a Payload/App.app/App | grep -E '(https?://|key|secret|api)'
```

```bash
# Info.plist analysis
plutil -p Payload/App.app/Info.plist
# Look for: NSAppTransportSecurity exceptions, CFBundleURLTypes (URL schemes),
# associated-domains entitlements, UIFileSharingEnabled, ATS exemptions
```
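The Info.plist checklist above (ATS exemptions, URL schemes, file sharing) is easy to automate once the plist is decoded. The script below is an added example, not part of the skill or of any app it describes: it parses a constructed sample Info.plist with Python's standard `plistlib` and reports the settings the checklist names. The bundle id, domain and scheme names are placeholders.

```python
"""Audit a decoded Info.plist for ATS exemptions, URL schemes and file-sharing flags."""
import plistlib
from typing import Dict, List

# Constructed sample plist (not from any real app); every value is a placeholder.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.vendor.app</string>
  <key>UIFileSharingEnabled</key><true/>
  <key>CFBundleURLTypes</key>
  <array>
    <dict>
      <key>CFBundleURLName</key><string>com.vendor.app.scheme</string>
      <key>CFBundleURLSchemes</key>
      <array><string>vendorapp</string><string>vendorpay</string></array>
    </dict>
  </array>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>legacy.vendor.example</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""


def audit_info_plist(data: bytes) -> Dict[str, List[str]]:
    """Return {'findings': [...], 'url_schemes': [...]} for a decoded Info.plist."""
    plist = plistlib.loads(data)
    findings: List[str] = []

    # App Transport Security: global and per-domain exemptions
    ats = plist.get("NSAppTransportSecurity", {})
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("ATS disabled globally (NSAllowsArbitraryLoads=true): "
                        "cleartext and non-ATS TLS permitted for every host")
    if ats.get("NSAllowsArbitraryLoadsInWebContent"):
        findings.append("ATS disabled for web view content (NSAllowsArbitraryLoadsInWebContent=true)")
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(f"HTTP permitted for exception domain {domain}")
        min_tls = rules.get("NSExceptionMinimumTLSVersion", "TLSv1.2")
        if min_tls in ("TLSv1.0", "TLSv1.1"):
            findings.append(f"Weak minimum TLS version for {domain}: {min_tls}")

    # Documents directory exposed over USB file sharing
    if plist.get("UIFileSharingEnabled"):
        findings.append("UIFileSharingEnabled=true: Documents/ readable over iTunes/Finder file sharing")

    # Custom URL schemes: any app on the device can open them, so parameters need validation
    schemes = [s for t in plist.get("CFBundleURLTypes", [])
               for s in t.get("CFBundleURLSchemes", [])]
    for scheme in schemes:
        findings.append(f"Custom URL scheme registered: {scheme}:// (validate every parameter)")

    return {"findings": findings, "url_schemes": schemes}


if __name__ == "__main__":
    report = audit_info_plist(SAMPLE_PLIST)
    print("URL schemes:", report["url_schemes"])
    for line in report["findings"]:
        print("-", line)
```

Point it at `Payload/App.app/Info.plist` (read the file as bytes) after `unzip`; `plistlib` handles both the XML and binary plist forms, so no `plutil` conversion is needed first.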

---

## Dynamic Analysis & Frida

### Common Hooks

```javascript
// Bypass SSL pinning (Android — generic OkHttp/CertificatePinner/TrustManager)
Java.perform(() => {
  const X509TrustManager = Java.use('javax.net.ssl.X509TrustManager');
  const TrustManagerFactory = Java.use('javax.net.ssl.TrustManagerFactory');
  // ... full bypass scripts: codeshare.frida.re/@pcipolloni/universal-android-ssl-pinning-bypass-with-frida
});

// Bypass root detection
Java.perform(() => {
  const File = Java.use('java.io.File');
  File.exists.implementation = function () {
    const path = this.getAbsolutePath();
    if (path.includes('su') || path.includes('Magisk')) return false;
    return this.exists();
  };
});

// iOS — bypass jailbreak detection
const stat = Module.findExportByName(null, 'stat');
Interceptor.attach(stat, {
  onEnter(args) {
    const path = args[0].readUtf8String();
    if (/Cydia|jailbreak|substrate|frida/i.test(path)) {
      args[0] = Memory.allocUtf8String('/nonexistent');
    }
  }
});
```

### Objection (Frida-based shortcuts)

```bash
objection -g com.vendor.app explore
# Then inside:
android sslpinning disable
android root disable
android hooking list activities
android intent launch_activity com.vendor.app/.SecretActivity
ios sslpinning disable
ios jailbreak disable
ios keychain dump
```

---

## SSL / TLS Interception

### Android Network Security Config

If the app ships a `<network-security-config>` that trusts only its own pinned CA, edit `res/xml/network_security_config.xml` and repack:

```bash
apktool b app -o app-patched.apk
apksigner sign --ks debug.keystore app-patched.apk
```

Or live-bypass with Frida (preferred — no recompile).
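What makes a Network Security Config weak (or strong) is worth seeing side by side. The following is an added example, not code from the skill or from any app: it embeds a constructed weak `network_security_config.xml` next to a hardened one and audits both for the settings that decide whether interception works without patching (cleartext allowed, user-added CAs trusted, no pin-set, expired pins). Domain names and pin digests are placeholders.

```python
"""Audit a decoded res/xml/network_security_config.xml: weak vs hardened configuration."""
import xml.etree.ElementTree as ET
from datetime import date
from typing import List, Optional

# Constructed weak config (not from any real app): cleartext on, user CAs trusted, no pins.
WEAK_NSC = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
  <base-config cleartextTrafficPermitted="true">
    <trust-anchors>
      <certificates src="system"/>
      <certificates src="user"/>
    </trust-anchors>
  </base-config>
  <domain-config>
    <domain includeSubdomains="true">api.vendor.example</domain>
  </domain-config>
</network-security-config>
"""

# Constructed hardened config: system CAs only, cleartext off, pinned with a backup pin.
# The pin values are placeholders, not real SPKI digests.
HARDENED_NSC = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
  <base-config cleartextTrafficPermitted="false">
    <trust-anchors>
      <certificates src="system"/>
    </trust-anchors>
  </base-config>
  <domain-config>
    <domain includeSubdomains="true">api.vendor.example</domain>
    <pin-set expiration="2030-01-01">
      <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
      <pin digest="SHA-256">BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=</pin>
    </pin-set>
  </domain-config>
</network-security-config>
"""


def audit_nsc(xml_text: str, today: Optional[date] = None) -> List[str]:
    """Return a list of weaknesses found in a network security config."""
    today = today or date.today()
    root = ET.fromstring(xml_text)
    findings: List[str] = []

    # Cleartext HTTP on the base config or any domain config
    for cfg in root.iter():
        if cfg.tag in ("base-config", "domain-config") and cfg.get("cleartextTrafficPermitted") == "true":
            findings.append(f"{cfg.tag}: cleartextTrafficPermitted=true, HTTP allowed")

    # User-added CAs: a proxy CA installed via Settings is then accepted without any root/Magisk work
    base = root.find("base-config")
    if base is not None:
        sources = [c.get("src") for c in base.findall("./trust-anchors/certificates")]
        if "user" in sources:
            findings.append("base-config trusts user-added CAs: a CA installed via Settings intercepts TLS")

    # Pinning per domain: missing, single (no backup) or expired pin sets
    for dc in root.findall("domain-config"):
        domains = ", ".join(d.text.strip() for d in dc.findall("domain"))
        pin_set = dc.find("pin-set")
        if pin_set is None:
            findings.append(f"domain-config [{domains}]: no pin-set, any trusted CA can issue an accepted cert")
            continue
        if len(pin_set.findall("pin")) < 2:
            findings.append(f"pin-set for [{domains}]: single pin, no backup pin for key rotation")
        expiration = pin_set.get("expiration")
        if expiration and date.fromisoformat(expiration) < today:
            findings.append(f"pin-set for [{domains}] expired {expiration}: pinning no longer enforced")

    # debug-overrides only apply to debuggable builds, but confirm the release manifest
    if root.find("debug-overrides") is not None:
        findings.append("debug-overrides present: honoured only when android:debuggable=true")
    return findings


if __name__ == "__main__":
    print("weak:", audit_nsc(WEAK_NSC))
    print("hardened:", audit_nsc(HARDENED_NSC))
```

The weak config yields three findings and the hardened one none; on a real target read the file from the apktool output directory and pass its text in. The `today` parameter exists so the pin-expiry check is deterministic in tests.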

### iOS ATS / Pinning

For pinning, use Frida hooks against `SecTrustEvaluate*` / `NSURLSession` delegate methods. ATS exceptions in Info.plist (`NSAllowsArbitraryLoads`) make MITM trivial without pinning.

---

## Exported / IPC Attack Surface

### Android — Exported Components

```bash
drozer console connect
> run app.package.attacksurface com.vendor.app
> run app.activity.start --component com.vendor.app .ExportedActivity \
    --extra string url 'javascript:alert(1)'
> run app.provider.query content://com.vendor.app.provider/secrets
```

Targets:
- `exported="true"` activities → call from another app, bypass auth
- ContentProviders without `grantUriPermissions` → arbitrary read
- Receivers handling `BOOT_COMPLETED` etc. with privileged actions
- Services bound by intent extras → command injection
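The manifest review in the Static Analysis section and the exported-component targets listed above come down to the same question: which components can another app reach, and what guards them. The script below is an added example, not part of the skill: it parses a constructed apktool-style AndroidManifest.xml with the standard `xml.etree` module, applies the platform's export rules (explicit `android:exported`, otherwise an intent-filter implies exported for activities/services/receivers on pre-API-31 defaults, providers default to not exported), collects BROWSABLE deep links, and flags the application-level attributes the checklist names. Package, component and permission names are placeholders.

```python
"""Audit an apktool-decoded AndroidManifest.xml for exported components and risky app flags."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

ANDROID = "{http://schemas.android.com/apk/res/android}"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed sample manifest (not from any real app); com.vendor.app is a placeholder package.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.vendor.app">
  <application android:debuggable="true" android:allowBackup="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".DeepLinkActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="vendorapp" android:host="payment"/>
      </intent-filter>
    </activity>
    <activity android:name=".AdminActivity" android:exported="true"
              android:permission="com.vendor.app.permission.ADMIN"/>
    <service android:name=".SyncService">
      <intent-filter><action android:name="com.vendor.app.action.SYNC"/></intent-filter>
    </service>
    <provider android:name=".SecretsProvider" android:authorities="com.vendor.app.provider"
              android:exported="true"/>
    <receiver android:name=".BootReceiver" android:exported="false"/>
  </application>
</manifest>
"""


def is_exported(comp: ET.Element) -> Tuple[bool, str]:
    """Explicit android:exported wins; otherwise an intent-filter implies exported
    (pre-API 31 default) except for providers, which default to not exported."""
    explicit = comp.get(ANDROID + "exported")
    if explicit is not None:
        return explicit == "true", "explicit"
    if comp.tag == "provider":
        return False, "default"
    return comp.find("intent-filter") is not None, "implicit via intent-filter"


def deep_links(comp: ET.Element) -> List[str]:
    """Collect scheme://host pairs from BROWSABLE intent-filters (deep links)."""
    links = []
    for f in comp.findall("intent-filter"):
        cats = {c.get(ANDROID + "name") for c in f.findall("category")}
        if "android.intent.category.BROWSABLE" not in cats:
            continue
        for d in f.findall("data"):
            scheme = d.get(ANDROID + "scheme")
            if scheme:
                links.append(f"{scheme}://{d.get(ANDROID + 'host', '')}")
    return links


def audit_manifest(xml_text: str) -> Dict[str, list]:
    """Return application-level findings and the list of exported components."""
    app = ET.fromstring(xml_text).find("application")
    app_findings: List[str] = []
    if app.get(ANDROID + "debuggable") == "true":
        app_findings.append("android:debuggable=true: run-as and debugger attach possible on any device")
    if app.get(ANDROID + "allowBackup", "true") == "true":
        app_findings.append("android:allowBackup not false: app data included in backups")
    if app.get(ANDROID + "usesCleartextTraffic") == "true":
        app_findings.append("android:usesCleartextTraffic=true: HTTP allowed")
    if app.get(ANDROID + "networkSecurityConfig") is None:
        app_findings.append("no networkSecurityConfig: platform defaults apply, no pinning declared")

    exported = []
    for tag in COMPONENT_TAGS:
        for comp in app.findall(tag):
            is_exp, how = is_exported(comp)
            if not is_exp:
                continue
            entry = {
                "type": tag,
                "name": comp.get(ANDROID + "name"),
                "how": how,
                "permission": comp.get(ANDROID + "permission"),
                "deep_links": deep_links(comp),
            }
            if tag == "provider":
                entry["grantUriPermissions"] = comp.get(ANDROID + "grantUriPermissions") == "true"
            exported.append(entry)
    return {"app": app_findings, "exported": exported}


def unprotected(exported: List[dict]) -> List[dict]:
    """Exported components with no android:permission: reachable by any installed app."""
    return [c for c in exported if c["permission"] is None]


if __name__ == "__main__":
    report = audit_manifest(SAMPLE_MANIFEST)
    for line in report["app"]:
        print("[app]", line)
    for c in unprotected(report["exported"]):
        print(f"[exported/{c['how']}] {c['type']} {c['name']} deep_links={c['deep_links']}")
```

Run it against `app/AndroidManifest.xml` from the apktool output; components that appear in `unprotected()` are the ones to feed into the drozer commands above, and components guarded by a custom permission should be checked for that permission's `protectionLevel`.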

### Intent Redirection / PendingIntent Hijack

```java
// Vulnerable: a mutable PendingIntent wrapping an empty (implicit) Intent, handed to an untrusted app
PendingIntent pi = PendingIntent.getActivity(this, 0, new Intent(), PendingIntent.FLAG_MUTABLE);
// The recipient fills in the empty Intent (component, action, extras) and the system delivers it
// with the victim app's identity and permissions. The fix is an explicit base Intent and, unless
// mutability is genuinely needed, PendingIntent.FLAG_IMMUTABLE.
```

### iOS — URL Schemes / Universal Links

```bash
# Open custom scheme (test from another app)
plutil -p Payload/App.app/Info.plist | grep -A 5 CFBundleURLTypes
# Then from a booted simulator (simctl drives the simulator, not a physical device):
xcrun simctl openurl booted "vendorapp://payment?to=ATTACKER&amount=9999"
```

Universal Links: check `apple-app-site-association` on the linked domain — open redirect on that domain → universal-link claim → in-app webview navigation.

### iOS XPC / Mach Services

`launchctl list | grep com.vendor` enumerates the app's launch services. XPC handlers without proper audit-token validation accept messages from any process.

---

## Insecure Data Storage

### Android

```bash
# On device (root), pull app data
# exec-out returns raw binary stdout; tar -f - writes the archive to stdout
adb exec-out "su -c 'tar -czf - /data/data/com.vendor.app'" > app_data.tgz
```

Inspect:
- `shared_prefs/*.xml` — preferences in plaintext
- `databases/*.db` — SQLite (use `sqlite3` to dump)
- `files/` — arbitrary writes
- `cache/` and extern