The Mobile App Pentest cheat sheet was created to provide a concise collection of high-value information on specific mobile application penetration testing topics.
The Mobile App Pentest cheat sheet was created to provide a concise collection of high-value information on specific mobile application penetration testing topics and a checklist, which is mapped to the OWASP Mobile Risk Top 10 for conducting pentests.
python manage.py runserver 127.0.0.1:1337
apktool d <apk file>
apktool b <modified folder>
keytool -genkey -v -keystore keys/test.keystore -alias Test -keyalg RSA -keysize 1024 -sigalg SHA1withRSA -validity 10000
jarsigner -keystore keys/test.keystore dist/test.apk -sigalg SHA1withRSA -digestalg SHA1 Test
java -jar oat2dex.jar boot <boot.oat file>
java -jar oat2dex.jar <app.odex> <boot-class-folder output from above>
java -jar oat2dex.jar odex <oat file>
java -jar oat2dex.jar smali <oat/odex file>
simplify.jar -i "input smali files or folder" -o <output dex file>
adb backup <package name>
dd if=backup.ab bs=1 skip=24 | python -c "import zlib,sys;sys.stdout.write(zlib.decompress(sys.stdin.read()))" > backup.tar
adb shell ps | grep -i "App keyword"
andbug shell -p <process number>
ct <package name>
adb forward tcp:<port> jdwp:<port>
jdb -attach localhost:<port>
adb forward tcp:31415 tcp:31415
drozer console connect
run app.package.list -f <app name>
run app.package.info -a <package name>
run app.package.attacksurface <package name>
run app.activity.info -a <package name> -u
run app.activity.start --component <package name> <component name>
run app.provider.info -a <package name>
run scanner.provider.finduris -a <package name>
run app.provider.query <uri>
run app.provider.update <uri> --selection <conditions> <selection arg> <column> <data>
run scanner.provider.sqltables -a <package name>
run scanner.provider.injection -a <package name>
run scanner.provider.traversal -a <package name>
run app.broadcast.info -a <package name>
run app.broadcast.send --component <package name> <component name> --extra <type> <key> <value>
run app.broadcast.sniff --action <action>
run app.service.info -a <package name>
run app.service.start --action <action> --component <package name> <component name>
run app.service.send <package name> <component name> --msg <what> <arg1> <arg2> --extra <type> <key> <value> --bundle-as-obj
adb shell "tcpdump -s 0 -w - | nc -l -p 4444"
adb forward tcp:4444 tcp:4444
nc localhost 4444 | sudo wireshark -k -S -i -
openssl x509 -inform PEM -subject_hash -in BurpCA.pem | head -1
cat BurpCA.pem > 9a5ba580.0
openssl x509 -inform PEM -text -in BurpCA.pem -out /dev/null >> 9a5ba580.0
adb root
adb remount
adb push 9a5ba580.0 /system/etc/security/cacerts/
adb shell "chmod 644 /system/etc/security/cacerts/9a5ba580.0"
adb shell "reboot"
frida --codeshare dzonerzy/fridantiroot -f YOUR_BINARY
frida --codeshare pcipolloni/universal-android-ssl-pinning-bypass-with-frida -f YOUR_BINARY
iPod:~ root# DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/mobile/Applications/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/Scan.app/Scan
iPod:~ root# cycript -p Skype weak_classdump.cy; cycript -p Skype
cy# weak_classdump_bundle([NSBundle mainBundle],"/tmp/Skype")
bash bfinject -P Reddit -L test
bash bfinject -P Reddit -L decrypt
bash bfinject -P Reddit -L cycript
cy# UIApp.keyWindow.rootViewController.visibleViewController
cy# UIApp.keyWindow.rootViewController.topViewController
cy# choose(UIViewController)
cy# [[UIApp keyWindow] _autolayoutTrace].toString()
cy# [[[UIApp keyWindow] rootViewController] _printHierarchy].toString()
cy# classname.messages
or
cy# function printMethods(className, isa) { var count = new new Type("I"); var classObj = (isa != undefined) ? objc_getClass(className)->isa : objc_getClass(className); var methods = class_copyMethodList(classObj, count); var methodsArray = []; for(var i = 0; i < *count; i++) { var method = methods[i]; methodsArray.push({selector:method_getName(method), implementation:method_getImplementation(method)}); } free(methods); return methodsArray; }
cy# printMethods("<classname>")
cy# a=#0x15d0db80
cy# *a
or
cy# function tryPrintIvars(a){ var x={}; for(i in *a){ try{ x[i] = (*a)[i]; } catch(e){} } return x; }
cy# a=#0x15d0db80
cy# tryPrintIvars(a)
cy# [a pinCode]
cy# [a setPinCode: @"1234"]
or
cy# a.setPinCode = @"1234"
cy# [a isValidPin]
cy# <classname>.prototype.isValidPin = function(){return 1;}
cy# [Pin isValidPin]
cy# Pin.constructor.prototype['isValidPin'] = function(){return 1;}
frida --codeshare lichao890427/ios-ssl-bypass -f YOUR_BINARY
frida --codeshare dki/ios10-ssl-bypass -f YOUR_BINARY
Your contributions and suggestions are welcome.
This work is licensed under a Creative Commons Attribution 4.0 International License