Files
T
mukul975 c47eed6a64 Production hardening: security fixes, code quality, 724 skills complete
- Fix 25 shell=True subprocess calls with list-based commands
- Fix 49 verify=False in defensive skills (env-var override)
- Add timeout to 231 HTTP/subprocess/socket calls
- Fix 6 SQL injection patterns with whitelist validation
- Replace 8 __import__() with standard imports
- Remove 701 unused imports across 442 files
- Add authorized-testing disclaimers to all offensive skills
- Complete 11 incomplete skill directories
- Expand 10 stub SKILL.md files with full content
- Fix 2 YAML parse errors in frontmatter
- Fix 5 pre-existing syntax errors
- Convert 22 hardcoded paths/ports to environment variables
- Back up 21 redundant skill pairs to .bak
- Fix 2 global declaration errors
- 724/724 skills with full folder anatomy (SKILL.md + agent.py + api-reference.md + LICENSE)
- 0 compile errors across all 724 agent.py files
2026-03-19 13:26:49 +01:00

48 lines
1.8 KiB
Markdown

# Mobile Application Penetration Test — API Reference
## Libraries & Tools
| Tool | Install | Purpose |
|------|---------|---------|
| apktool | `apt install apktool` | Android APK decompilation and recompilation |
| objection | `pip install objection` | Runtime mobile exploration via Frida |
| frida-tools | `pip install frida-tools` | Dynamic instrumentation framework |
| jadx | Binary download | Java decompiler for APK source code |
| MobSF | `docker pull opensecurity/mobile-security-framework-mobsf` | Automated mobile security scanner |
## Key objection Commands
| Command | Description |
|---------|-------------|
| `objection -g <pkg> explore` | Attach to running app |
| `android sslpinning disable` | Bypass SSL certificate pinning |
| `android root disable` | Bypass root detection |
| `android hooking list activities` | List app activities |
| `android keystore list` | Dump Android Keystore entries |
| `android clipboard monitor` | Monitor clipboard content |
## Frida Script Patterns
| Pattern | Purpose |
|---------|---------|
| `Java.use("class").method.implementation` | Hook Java method |
| `Interceptor.attach(addr, {onEnter, onLeave})` | Hook native function |
| `Java.choose("class", {onMatch, onComplete})` | Find live instances |
## OWASP Mobile Top 10 Checks
| ID | Vulnerability |
|----|--------------|
| M1 | Improper Platform Usage |
| M2 | Insecure Data Storage |
| M3 | Insecure Communication |
| M4 | Insecure Authentication |
| M5 | Insufficient Cryptography |
## External References
- [OWASP Mobile Testing Guide](https://owasp.org/www-project-mobile-security-testing-guide/)
- [Frida Documentation](https://frida.re/docs/home/)
- [objection Wiki](https://github.com/sensepost/objection/wiki)
- [apktool Documentation](https://apktool.org/docs/install)