Anthropic-Cybersecurity-Skills/skills/conducting-mobile-app-penetration-test/references/api-reference.md
mukul975 27c6414ca5 Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills
Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
2026-03-10 21:02:12 +01:00

API Reference: Mobile App Penetration Testing Agent

Overview

Tests Android mobile applications for OWASP MASTG vulnerabilities: insecure storage, hardcoded secrets, manifest misconfigurations, certificate pinning bypass, and API authorization flaws. For authorized testing only.

Dependencies

| Package  | Version | Purpose                                  |
|----------|---------|------------------------------------------|
| requests | >=2.28  | API and certificate pinning testing      |
| apktool  | >=2.7   | APK decompilation (called via subprocess)|
| adb      | -       | Android device interaction (via subprocess) |

CLI Usage

python agent.py --apk target.apk --manifest AndroidManifest.xml \
  --api-url https://api.target.com --auth-token <jwt> --output report.json

Key Functions

decompile_apk(apk_path, output_dir)

Decompiles APK using apktool for static analysis of smali code and resources.

extract_strings_from_apk(apk_path)

Extracts hardcoded sensitive strings (API keys, passwords, tokens, URLs) from APK binary.

check_android_manifest(manifest_path)

Analyzes a decoded AndroidManifest.xml for android:debuggable, android:allowBackup, exported components (explicit android:exported="true" or implicit export through an intent-filter), and cleartext traffic settings (android:usesCleartextTraffic).

test_certificate_pinning(target_url)

Tests whether API connections to the target still succeed when routed through an intercepting proxy; a successful connection indicates missing or ineffective certificate pinning.

check_insecure_storage_adb()

Checks shared_prefs, databases, and external storage for sensitive data via adb shell.

test_api_endpoints(base_url, endpoints, auth_token)

Tests API endpoints for authorization bypass by comparing responses to authenticated requests (using the supplied token) against unauthenticated requests to the same endpoints.

check_root_detection(package_name)

Inspects the app package for root detection library indicators (RootBeer, SafetyNet).

OWASP MASTG Coverage

| Category         | Test                  | Function                   |
|------------------|-----------------------|----------------------------|
| MASVS-STORAGE    | Insecure Data Storage | check_insecure_storage_adb |
| MASVS-STORAGE    | Hardcoded Credentials | extract_strings_from_apk   |
| MASVS-NETWORK    | Certificate Pinning   | test_certificate_pinning   |
| MASVS-NETWORK    | Cleartext Traffic     | check_android_manifest     |
| MASVS-AUTH       | API Authorization     | test_api_endpoints         |
| MASVS-RESILIENCE | Root Detection        | check_root_detection       |