
DragonJAR Android Pentesting Skill


Skill by ara.so — Security Skills collection.
This skill provides comprehensive Android APK security analysis capabilities for AI agents, combining static analysis, dynamic instrumentation with Frida, RASP detection, authorized bypass validation, source-to-sink tracing, MASVS scoring, and professional reporting in a unified workflow.

What This Skill Does


Transforms an AI agent into an expert Android security auditor capable of:
  • APK Analysis: Decode APKs with APKTool, decompile with JADX, detect frameworks with APKiD
  • Static Security Analysis: 50+ manifest checks, 70+ Semgrep MASTG rules, secret detection, obfuscation analysis
  • Dynamic Instrumentation: 37 Frida scripts for SSL pinning bypass, root detection bypass, crypto interception
  • Runtime Defense Analysis (RDA): Detect 18 protection categories (RootBeer, SafetyNet, Frida detection, RASP, etc.)
  • RASP Bypass: Authorized bypass runner with reusable profiles, DRY workflow
  • Data Flow Tracing: Source-to-sink methodology with confidence levels
  • MASVS Compliance: Automated scoring against OWASP MASVS controls with CVSS 4.0
  • APK Modification: Smali patching, repackaging, signing, validation

Installation


Prerequisites


Install required tools (Linux/macOS):

```bash
# APKTool (3.0.1+)
brew install apktool

# JADX (1.5.5+)
brew install jadx

# Android SDK Platform Tools
brew install --cask android-platform-tools

# Frida (17.9+)
pip3 install frida-tools

# Objection (1.12.4+)
pip3 install objection

# APKiD (3.0.0+)
pip3 install apkid

# Semgrep (optional, for SAST)
brew install semgrep
```

Skill Installation


```bash
# Clone into your agent's skills directory
cd ~/.agents/skills/
git clone https://github.com/DragonJAR/Android-Pentesting-Skill dragonjar-android-pentesting

# Or clone to any location and add it to the agent's skill path
```

Verification


```bash
# Verify all dependencies are installed
cd dragonjar-android-pentesting
python3 scripts/06-setup/preflight-check.py
```

Expected output:

```
✅ APKTool 3.0.1 found
✅ JADX 1.5.5 found
✅ Frida 17.9.4 found
✅ All dependencies satisfied
```

Core Workflows


1. Basic APK Security Audit


```bash
# Full static analysis with Semgrep enrichment
bash scripts/auto-audit-static.sh /path/to/app.apk --semgrep
```

Output includes:

- Manifest security issues (exported components, permissions)
- Hardcoded secrets (API keys, passwords, tokens)
- Insecure crypto usage
- WebView vulnerabilities
- Intent injection risks
- Findings report in findings-merged.json

**Example findings output:**

```json
{
  "findings": [
    {
      "id": "HARD-001",
      "severity": "CRITICAL",
      "title": "Hardcoded API Key in Source Code",
      "owasp_mobile": "M1",
      "masvs_control": "MASVS-STORAGE-1",
      "cvss": "9.1 (CRITICAL)",
      "location": "com/example/app/Config.java:42",
      "evidence": "private static final String API_KEY = \"sk_live_...\";",
      "remediation": "Store API keys in BuildConfig or secure server-side configuration"
    }
  ]
}
```
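To see what the manifest part of such a report looks like end to end, here is an added example (not part of the DragonJAR skill or its scripts): a small manifest checker that flags exported components lacking a protecting permission, plus the `android:debuggable` and `android:allowBackup` application flags, and emits findings in the findings-merged.json layout shown above. The sample manifest is constructed, the finding IDs, severities and MASVS control mappings are my own choices, and the `owasp_mobile` and `cvss` keys of the real report are omitted.

```python
import json
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed sample manifest (not taken from any real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <application android:allowBackup="true" android:debuggable="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".DeepLinkActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <data android:scheme="exampleapp"/>
      </intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true"
        android:permission="com.example.app.permission.SYNC"/>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <provider android:name=".DataProvider"
        android:authorities="com.example.app.provider" android:exported="true"/>
  </application>
</manifest>
"""


def _attr(elem, name):
    """Read an android:-namespaced attribute, or None if it is absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def _finding(n, severity, title, control, location, remediation):
    """Build one finding in the findings-merged.json shape (subset of keys; IDs are my own)."""
    return {"id": "MANIFEST-%03d" % n, "severity": severity, "title": title,
            "masvs_control": control, "location": location, "remediation": remediation}


def is_exported(comp):
    """Platform rule: an explicit android:exported wins; otherwise a component that
    declares an intent-filter was exported by default before API level 31."""
    explicit = _attr(comp, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return comp.find("intent-filter") is not None


def is_launcher(comp):
    """The launcher activity is expected to be exported, so it is not reported."""
    return any(_attr(c, "name") == "android.intent.category.LAUNCHER"
               for c in comp.iter("category"))


def check_manifest(manifest_xml):
    """Return a list of findings for application flags and unprotected exported components."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    app = root.find("application")
    findings = []
    if app is not None:
        if (_attr(app, "debuggable") or "false").lower() == "true":
            findings.append(_finding(len(findings) + 1, "HIGH", "Application is debuggable",
                "MASVS-RESILIENCE-4",  # assumed mapping
                'AndroidManifest.xml: <application android:debuggable="true">',
                "Remove android:debuggable from release builds"))
        # allowBackup defaults to true, so an absent attribute is flagged as well
        if (_attr(app, "allowBackup") or "true").lower() == "true":
            findings.append(_finding(len(findings) + 1, "MEDIUM",
                "Application data can be extracted with adb backup",
                "MASVS-STORAGE-2",  # assumed mapping
                "AndroidManifest.xml: <application android:allowBackup>",
                'Set android:allowBackup="false" or exclude sensitive files via backup rules'))
    for tag in COMPONENT_TAGS:
        for comp in root.iter(tag):
            if not is_exported(comp) or _attr(comp, "permission") or is_launcher(comp):
                continue
            name = _attr(comp, "name") or "?"
            if name.startswith("."):
                name = package + name
            severity = "HIGH" if tag in ("service", "provider") else "MEDIUM"
            findings.append(_finding(len(findings) + 1, severity,
                "Exported %s without a protecting permission" % tag,
                "MASVS-PLATFORM-1",  # assumed mapping (secure IPC)
                'AndroidManifest.xml: <%s android:name="%s">' % (tag, name),
                'Set android:exported="false" or guard the component with a signature-level permission'))
    return findings


def findings_report(manifest_xml):
    """Serialise the findings in the findings-merged.json layout."""
    return json.dumps({"findings": check_manifest(manifest_xml)}, indent=2)


if __name__ == "__main__":
    print(findings_report(SAMPLE_MANIFEST))
```

On the sample manifest this reports five findings: the debuggable flag, the backup flag, the deep-link activity, the boot receiver (exported implicitly through its intent-filter) and the content provider; the launcher activity and the permission-protected service are skipped.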

2. Runtime Defense Analysis (RASP Detection)


```bash
# Detect runtime protections with passive + active modes
bash scripts/02-rasp/runtime-defense-analyzer.sh \
  /path/to/app.apk \
  com.example.app \
  --active-mode \
  --authorized-lab \
  --output findings-rda.json
```

Catalog includes 18 protection categories:

- Root detection (RootBeer, custom native)
- Emulator detection
- Debug detection
- Frida/instrumentation detection
- Screenshot/screenrecord blocking
- SafetyNet / Play Integrity
- Commercial RASP (Talsec, AppSealing, DexGuard, etc.)

**RDA output structure:**

```json
{
  "detectors": {
    "rootbeer": {
      "status": "DETECTED",
      "confidence": "high",
      "evidence": "RootBeer.isRooted() returns true",
      "bypass_profile": "rootbeer_standard"
    },
    "ssl_pinning": {
      "status": "DETECTED",
      "implementation": "OkHttp3 CertificatePinner",
      "bypass_profile": "ssl_okhttp3"
    }
  }
}
```

3. RASP Bypass Workflow (DRY Pattern)


```bash
# 1) List available bypass profiles
bash scripts/02-rasp/rasp-bypass-runner.sh --list-profiles
```

Output:

```
Available profiles:
- rootbeer_standard (RootBeer library bypass)
- ssl_okhttp3 (OkHttp3 SSL pinning)
- ssl_trustmanager (TrustManager bypass)
- frida_detection (Anti-Frida bypass)
- emulator_detection (Emulator checks bypass)
```

```bash
# 2) Generate bypass command from RDA findings (print only)
bash scripts/02-rasp/rasp-bypass-runner.sh \
  --package com.example.app \
  --from-rda findings-rda.json \
  --print-command
```

Output:

```
frida -U -f com.example.app \
  -l assets/frida-scripts/android-root-bypass-advanced.js \
  -l assets/frida-scripts/ssl-pinning-bypass.js \
  --no-pause
```

```bash
# 3) Execute bypass in authorized lab environment
bash scripts/02-rasp/rasp-bypass-runner.sh \
  --package com.example.app \
  --from-rda findings-rda.json \
  --run \
  --authorized-lab
# Launches Frida with combined bypass scripts
```

**Important**: Client-side bypasses do NOT forge server-side attestation. For Play Integrity, SafetyNet, Approov, or similar backend-enforced controls, use an authorized test tenant, backend allowlist, or approved lab configuration.

4. SSL Pinning Bypass


```bash
# Universal SSL pinning bypass (30+ implementations)
python3 scripts/07-tools/frida-exploit-helper.py \
  -p com.example.app \
  --script ssl-pinning-bypass
```

Supports:

- OkHttp3 CertificatePinner
- TrustManager custom implementations
- WebView SSL error handlers
- React Native ssl-pinning libraries
- Flutter BoringSSL (native hooks)
- Cordova SSL plugins

5. Framework-Specific Analysis


React Native


```bash
# Detect React Native and extract JavaScript bundle
bash scripts/auto-audit-static.sh /path/to/app.apk
```

Automatically:

- Detects libreactnativejni.so
- Extracts assets/index.android.bundle
- Scans bundle for hardcoded secrets
- Analyzes Metro bundler output

**Hook React Native bridge:**

```javascript
// assets/frida-scripts/react-native-bridge-hook.js
Java.perform(function() {
    var CatalystInstanceImpl = Java.use('com.facebook.react.bridge.CatalystInstanceImpl');

    CatalystInstanceImpl.jniCallJSFunction.implementation = function(module, method, args) {
        console.log('[RN Bridge] ' + module + '.' + method);
        console.log('[RN Bridge] Args: ' + JSON.stringify(args));
        return this.jniCallJSFunction(module, method, args);
    };
});
```

Flutter


```bash
# Flutter uses Dart AOT compilation and native BoringSSL
# Standard Java SSL hooks won't work

# Use Blutter for Dart code extraction
python3 tools/blutter/blutter.py lib/arm64-v8a/libapp.so output/

# Hook native SSL functions
python3 scripts/07-tools/frida-exploit-helper.py \
  -p com.example.flutter \
  --script flutter-ssl-bypass
```

Hooks:

- SSL_CTX_set_custom_verify (certificate validation)
- SSL_read / SSL_write (traffic interception)

6. Data Flow Tracing


Phase 3 (source-to-sink analysis) runs automatically during the static audit.

Example traced flows:

- User input → SQL query (SQL injection risk)
- Intent extras → WebView.loadUrl (open redirect)
- SharedPreferences → network (data leakage)
- File paths → external storage (path traversal)

**Flow confidence levels:**

- `CONFIRMED`: Direct observable flow without conditions
- `LIKELY`: Flow with minimal conditional branches
- `POSSIBLE`: Flow through complex logic, needs dynamic validation

7. MASVS Compliance Scoring


```bash
# Calculate OWASP MASVS compliance score
python3 scripts/05-reporting/masvs-scorer.py findings-merged.json
```

Output:

```
MASVS Score: 72.6/100 (Grade: C)
Controls Passed: 16/23
Controls Failed: 7

Critical Failures:
- MASVS-STORAGE-1: Hardcoded secrets in code
- MASVS-CRYPTO-1: Weak cryptographic algorithms

Recommendations:
- Implement secure credential storage (Android Keystore)
- Upgrade to AES-256-GCM for encryption
```
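To show how individual findings roll up into a control-level score of this shape, here is an added example (not the skill's masvs-scorer.py, whose weighting is not documented on this page): every MASVS control starts at full credit, the worst finding against it sets the credit it keeps (CRITICAL and HIGH fail the control outright, MEDIUM and LOW cost partial credit), and the score is the average over all controls. The control list (MASVS v2.1 IDs as I know them; the skill's own list may differ, since its output above counts 23), the credit values, the grade bands and the sample findings are all assumptions made for the example.

```python
import json

# Assumed: MASVS v2.1 control IDs. The skill's own control list may differ.
MASVS_CONTROLS = [
    "MASVS-STORAGE-1", "MASVS-STORAGE-2",
    "MASVS-CRYPTO-1", "MASVS-CRYPTO-2",
    "MASVS-AUTH-1", "MASVS-AUTH-2", "MASVS-AUTH-3",
    "MASVS-NETWORK-1", "MASVS-NETWORK-2",
    "MASVS-PLATFORM-1", "MASVS-PLATFORM-2", "MASVS-PLATFORM-3",
    "MASVS-CODE-1", "MASVS-CODE-2", "MASVS-CODE-3", "MASVS-CODE-4",
    "MASVS-RESILIENCE-1", "MASVS-RESILIENCE-2", "MASVS-RESILIENCE-3", "MASVS-RESILIENCE-4",
    "MASVS-PRIVACY-1", "MASVS-PRIVACY-2", "MASVS-PRIVACY-3", "MASVS-PRIVACY-4",
]
# Assumed: credit (out of 100) a control keeps when its worst finding has this severity.
SEVERITY_CREDIT = {"CRITICAL": 0, "HIGH": 0, "MEDIUM": 50, "LOW": 80, "INFO": 100}
# Assumed: grade bands as (minimum score, grade).
GRADE_BANDS = [(90, "A"), (80, "B"), (70, "C"), (60, "D"), (0, "F")]

# Constructed sample in the findings-merged.json layout (keys not needed here are omitted).
SAMPLE_REPORT = {"findings": [
    {"id": "HARD-001", "severity": "CRITICAL", "title": "Hardcoded API Key in Source Code",
     "masvs_control": "MASVS-STORAGE-1"},
    {"id": "CRYPTO-003", "severity": "HIGH", "title": "DES used for local encryption",
     "masvs_control": "MASVS-CRYPTO-1"},
    {"id": "MANIFEST-002", "severity": "MEDIUM", "title": "Exported activity without permission",
     "masvs_control": "MASVS-PLATFORM-1"},
    {"id": "CODE-010", "severity": "LOW", "title": "Verbose logging enabled",
     "masvs_control": "MASVS-CODE-2"},
    {"id": "CODE-011", "severity": "LOW", "title": "Debug symbols kept in native libraries",
     "masvs_control": "MASVS-CODE-3"},
    {"id": "INFO-001", "severity": "INFO", "title": "Third-party SDK inventory",
     "masvs_control": None},
]}


def score_findings(report):
    """Aggregate findings per MASVS control and compute score, grade and failed controls."""
    worst = {}       # control -> lowest credit seen so far
    critical = {}    # control -> title of its first CRITICAL finding
    unmapped = []    # finding ids with no (or an unknown) masvs_control
    for f in report.get("findings", []):
        control = f.get("masvs_control")
        severity = str(f.get("severity", "INFO")).upper()
        credit = SEVERITY_CREDIT.get(severity, 100)
        if control not in MASVS_CONTROLS:
            unmapped.append(f.get("id", "?"))
            continue
        worst[control] = min(worst.get(control, 100), credit)
        if severity == "CRITICAL":
            critical.setdefault(control, f.get("title", ""))
    total = sum(worst.get(c, 100) for c in MASVS_CONTROLS)
    score = round(total / len(MASVS_CONTROLS), 1)
    failed = [c for c in MASVS_CONTROLS if worst.get(c, 100) == 0]
    grade = next(g for floor, g in GRADE_BANDS if score >= floor)
    return {"score": score, "grade": grade, "total_controls": len(MASVS_CONTROLS),
            "passed": len(MASVS_CONTROLS) - len(failed), "failed": failed,
            "critical": critical, "unmapped": unmapped}


def render(result):
    """Render the result in the same layout as the scorer output shown above."""
    lines = ["MASVS Score: %.1f/100 (Grade: %s)" % (result["score"], result["grade"]),
             "Controls Passed: %d/%d" % (result["passed"], result["total_controls"]),
             "Controls Failed: %d" % len(result["failed"])]
    if result["critical"]:
        lines += ["", "Critical Failures:"]
        lines += ["- %s: %s" % (c, t) for c, t in result["critical"].items()]
    if result["unmapped"]:
        lines += ["", "Not scored (no MASVS control): " + ", ".join(result["unmapped"])]
    return "\n".join(lines)


def load_and_score(path):
    """Score a findings-merged.json file on disk."""
    with open(path) as fh:
        return score_findings(json.load(fh))


if __name__ == "__main__":
    print(render(score_findings(SAMPLE_REPORT)))
```

Findings without a `masvs_control` are listed separately instead of being silently dropped, so a report that was produced by a rule without MASVS metadata is visible in the output rather than inflating the score.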

8. APK Modification Workflow


```bash
# Decode APK
apktool d -f -o decoded/ /path/to/app.apk

# Modify smali code (example: disable root check)
# Edit decoded/smali/com/app/RootDetector.smali
#   Change: const/4 v0, 0x1   (return true)
#   To:     const/4 v0, 0x0   (return false)

# Rebuild APK
apktool b decoded/ -o app-modified.apk

# Align and sign
zipalign -v -p 4 app-modified.apk app-aligned.apk
apksigner sign --ks ~/.android/debug.keystore \
  --ks-pass pass:android \
  --out app-signed.apk \
  app-aligned.apk

# Verify signature
apksigner verify --verbose app-signed.apk
```

Frida Script Library


Common Frida Operations


```bash
# List all available Frida scripts
ls assets/frida-scripts/
```

Key scripts:

- ssl-pinning-bypass.js (universal SSL bypass)
- android-root-bypass-advanced.js (30+ root detection bypasses)
- crypto-intercept.js (monitor Cipher, MessageDigest, etc.)
- biometric-bypass.js (BiometricPrompt, FingerprintManager)
- keystore-inspector.js (dump Keystore entries)
- webview-inspector.js (WebView debugging, JS injection)
- intent-fuzzer.js (Intent injection testing)

Frida Exploit Helper


```bash
# List bundled scripts
python3 scripts/07-tools/frida-exploit-helper.py --list-scripts

# Hook memory functions
python3 scripts/07-tools/frida-exploit-helper.py \
  -p com.example.app \
  --hook malloc,free,memcpy

# SSL pinning bypass
python3 scripts/07-tools/frida-exploit-helper.py \
  -p com.example.app \
  --script ssl-pinning-bypass

# Memory layout analysis
python3 scripts/07-tools/frida-exploit-helper.py \
  -p com.example.app \
  --layout

# Runtime defense detection
python3 scripts/07-tools/frida-exploit-helper.py \
  -p com.example.app \
  --runtime-defense
```

Custom Frida Script Example


```javascript
// Hook a custom Java-level security check (Java.use targets a Java class, not native code)
Java.perform(function() {
    var targetClass = Java.use('com.example.app.SecurityCheck');

    targetClass.isDeviceSecure.implementation = function() {
        console.log('[+] isDeviceSecure() called');
        var result = this.isDeviceSecure();
        console.log('[+] Original result: ' + result);
        console.log('[+] Forcing return: true');
        return true;
    };

    console.log('[+] Hooked isDeviceSecure()');
});
```

Configuration


Environment Variables


```bash
# Android SDK path
export ANDROID_HOME="$HOME/Library/Android/sdk"
export PATH="$PATH:$ANDROID_HOME/platform-tools:$ANDROID_HOME/build-tools/36.0.0"

# Frida server configuration
export FRIDA_SERVER_PORT=27042

# Optional: Semgrep API token for managed scanning
export SEMGREP_APP_TOKEN="your_token_here"

# Optional: Custom APKTool config
export APKTOOL_CONFIG="$HOME/.apktool/config.yml"
```

Bypass Profiles Configuration


`scripts/02-rasp/bypass-profiles.json`:

```json
{
  "profiles": {
    "rootbeer_standard": {
      "description": "RootBeer library bypass",
      "scripts": [
        "assets/frida-scripts/android-root-bypass-advanced.js"
      ],
      "hooks": ["RootBeer.isRooted", "RootBeer.isRootedWithoutBusyBoxCheck"]
    },
    "ssl_okhttp3": {
      "description": "OkHttp3 CertificatePinner bypass",
      "scripts": [
        "assets/frida-scripts/ssl-pinning-bypass.js"
      ],
      "hooks": ["CertificatePinner.check"]
    }
  }
}
```

Common Patterns


Pattern 1: Full Security Assessment


```bash
# 1) Static analysis with Semgrep
bash scripts/auto-audit-static.sh app.apk --semgrep

# 2) Runtime defense detection
bash scripts/02-rasp/runtime-defense-analyzer.sh \
  app.apk com.example.app \
  --active-mode --authorized-lab \
  --output findings-rda.json

# 3) MASVS scoring
python3 scripts/05-reporting/masvs-scorer.py findings-merged.json

# 4) Generate professional report
python3 scripts/05-reporting/report-generator.py \
  findings-merged.json \
  findings-rda.json \
  --output report.pdf
```

Pattern 2: Traffic Interception


```bash
# 1) Set up proxy (Burp/ZAP)
export HTTP_PROXY=127.0.0.1:8080
export HTTPS_PROXY=127.0.0.1:8080

# 2) Install CA certificate on device
adb push burp-ca.crt /sdcard/
# Install via Settings → Security → Install from SD card

# 3) Bypass SSL pinning
frida -U -f com.example.app \
  -l assets/frida-scripts/ssl-pinning-bypass.js \
  --no-pause

# 4) Monitor traffic in proxy
```

Pattern 3: Root Detection Bypass Stack


```bash
# Layer 1: Java-level root checks
frida -U -f com.example.app \
  -l assets/frida-scripts/android-root-bypass-advanced.js \
  --no-pause

# Layer 2: Native-level root checks (if detected)
# Edit native-root-bypass.js to target specific native libraries
frida -U -f com.example.app \
  -l assets/frida-scripts/android-root-bypass-advanced.js \
  -l assets/frida-scripts/native-hook.js \
  --no-pause
```

Pattern 4: Automated Secret Extraction


```bash
# Extract and scan all strings
bash scripts/01-decompile/extract-strings.sh app.apk > strings.txt

# Scan with patterns ("-" goes last in the bracket expression so it is literal, not a range)
grep -E '(sk_live_|ghp_|AIza[0-9A-Za-z_-]{35})' strings.txt

# Deep search in decompiled code (the ";" that ends -exec must be escaped from the shell)
find decoded/smali -name "*.smali" -exec grep -H "const-string.*sk_live" {} \;

# Search in JavaScript bundles (React Native/Cordova)
find decoded/assets \( -name "*.bundle" -o -name "*.js" \) |
  xargs grep -E "(API_KEY|SECRET|PASSWORD).*=.*[\"'][^\"']{20,}"
```
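The grep one-liners above are a quick first pass. The following is an added example (not the skill's extract-strings.sh or its secret detector) that applies the same patterns in Python, masks every hit before it is reported so the report itself does not re-leak the value, and attaches a confidence to the generic `API_KEY|SECRET|PASSWORD` assignment rule based on the Shannon entropy of the matched value, so a low-entropy placeholder such as a test password is still reported but marked lower confidence. The sample strings are constructed fake values; the rule names, the entropy cut-off and the masking rule are my own choices.

```python
import math
import re

# The patterns from the grep commands above, plus a generic assignment rule. Rule names are my own.
SPECIFIC_PATTERNS = {
    "stripe_live_key": re.compile(r"sk_live_[0-9A-Za-z]{8,}"),
    "github_pat": re.compile(r"ghp_[0-9A-Za-z]{20,}"),
    "google_api_key": re.compile(r"AIza[0-9A-Za-z_-]{35}"),
}
GENERIC_ASSIGNMENT = re.compile(
    r"(?:API_KEY|SECRET|PASSWORD)\s*[:=]\s*[\"']([^\"']{20,})[\"']", re.IGNORECASE)
ENTROPY_THRESHOLD = 3.5  # assumed bits/char cut-off between "low" and "high" confidence

# Constructed sample strings; every value is fake.
SAMPLE_STRINGS = """const API_KEY = "AIzaSyD-EXAMPLE-FAKE-KEY-0123456789abcdefg";
var stripe = "sk_live_51FAKEfakeFAKEfakefake";
String PASSWORD = "changeme_please_change_me";
token = "ghp_FAKEfakeFAKEfakeFAKEfakeFAKEfake1234";
SECRET = "aB3$kL9!qW2@zX7#mN4&vC8*";
https://schemas.android.com/apk/res/android
"""


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def mask(value, keep=6):
    """Keep a short prefix so the hit can be located; hide the rest."""
    return value[:keep] + "*" * (len(value) - keep)


def scan_strings(text):
    """Scan text line by line; return one dict per hit with line, rule, masked value, confidence."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        matched = False
        for rule, pattern in SPECIFIC_PATTERNS.items():
            for m in pattern.finditer(line):
                hits.append({"line": lineno, "rule": rule,
                             "value": mask(m.group(0)), "confidence": "high"})
                matched = True
        if matched:
            continue  # a specific rule already explains this line
        m = GENERIC_ASSIGNMENT.search(line)
        if m:
            entropy = shannon_entropy(m.group(1))
            hits.append({"line": lineno, "rule": "generic_assignment",
                         "value": mask(m.group(1)),
                         "confidence": "high" if entropy >= ENTROPY_THRESHOLD else "low",
                         "entropy": round(entropy, 2)})
    return hits


if __name__ == "__main__":
    for h in scan_strings(SAMPLE_STRINGS):
        print("line %(line)d  %(rule)-18s %(confidence)-4s  %(value)s" % h)
```

Run on the sample it reports five hits; the `changeme_please_change_me` password is the only one rated low confidence, and the Google API key on line 1 is reported once under its specific rule rather than twice.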

Troubleshooting


Issue: APKTool Decode Fails


```bash
# Error: "brut.androlib.AndrolibException: Could not decode arsc file"

# Solution 1: Update APKTool to 3.0.1+
brew upgrade apktool

# Solution 2: Use --only-main-classes flag
apktool d --only-main-classes -f -o decoded/ app.apk

# Solution 3: Use legacy AAPT mode (not recommended)
apktool d --use-aapt1 -f -o decoded/ app.apk
```

Issue: Frida Server Connection Failed


```bash
# Error: "Failed to spawn: unable to find process with name 'com.example.app'"

# Solution 1: Verify Frida server is running
adb shell "su -c '/data/local/tmp/frida-server &'"

# Solution 2: Check Frida server version matches client
frida --version                                      # Client version
adb shell "/data/local/tmp/frida-server --version"   # Server version

# Solution 3: Use spawn mode instead of attach
frida -U -f com.example.app   # Spawn mode
# Instead of:
frida -U com.example.app      # Attach mode
```

Issue: SSL Pinning Bypass Not Working


```bash
# Flutter apps use native BoringSSL - Java hooks won't work
# Solution: Use Flutter-specific native hooks
frida -U -f com.example.flutter \
  -l assets/frida-scripts/flutter-ssl-bypass.js

# React Native apps may use custom native modules
# Solution: Hook both Java and native SSL functions
frida -U -f com.example.rn \
  -l assets/frida-scripts/ssl-pinning-bypass.js \
  -l assets/frida-scripts/native-hook.js
```

Issue: Runtime Defense Analysis Returns Empty Results


```bash
# Passive mode only checks static indicators
# Solution: Use --active-mode with authorized lab
bash scripts/02-rasp/runtime-defense-analyzer.sh \
  app.apk com.example.app \
  --active-mode \
  --authorized-lab \
  --output findings-rda.json

# Ensure device/emulator is accessible
adb devices   # Should show device

# Ensure app is debuggable or use root
adb shell "su -c 'pm list packages | grep example'"
```

Issue: MASVS Scorer Shows Low Score


```bash
# Low scores indicate security gaps - this is expected behavior
# Review failed controls:
python3 scripts/05-reporting/masvs-scorer.py findings-merged.json --verbose
```

Common failure patterns:

- MASVS-STORAGE-1: Hardcoded secrets → Use Android Keystore
- MASVS-CRYPTO-1: Weak crypto → Upgrade to AES-256-GCM
- MASVS-NETWORK-1: No SSL pinning → Implement certificate pinning
- MASVS-RESILIENCE-1: No obfuscation → Apply ProGuard/R8

Agent Usage Examples


Example 1: Quick APK Audit


**User**: "Audit this APK: ~/Downloads/banking-app.apk"

**Agent Actions**:

```bash
cd dragonjar-android-pentesting
bash scripts/auto-audit-static.sh ~/Downloads/banking-app.apk --semgrep
python3 scripts/05-reporting/masvs-scorer.py findings-merged.json
```

**Agent Response**: "Found 8 security issues: 2 CRITICAL (hardcoded API keys), 3 HIGH (exported activities without permissions), 2 MEDIUM (weak crypto), 1 LOW (debug logs). MASVS score: 68.2/100 (Grade: D). Report saved to findings-merged.json."

Example 2: Bypass SSL Pinning


**User**: "This banking app has SSL pinning. I need to intercept the login request."

**Agent Actions**:

```bash
# Start Frida with SSL bypass
python3 scripts/07-tools/frida-exploit-helper.py \
  -p com.banking.app \
  --script ssl-pinning-bypass
```

**Agent Response**: "SSL pinning bypassed (OkHttp3 CertificatePinner detected). Configure your proxy (Burp/ZAP) to 127.0.0.1:8080. Restart the app and attempt login."

Example 3: Detect RASP Protections


**User**: "Check what runtime protections this app has."

**Agent Actions**:

```bash
bash scripts/02-rasp/runtime-defense-analyzer.sh \
  ~/Downloads/app.apk com.protected.app \
  --active-mode --authorized-lab \
  --output findings-rda.json
cat findings-rda.json
```

**Agent Response**: "Detected 4 protections: RootBeer (root detection), custom emulator checks, Frida detection (anti-instrumentation), DexGuard obfuscation. Bypass profiles available: rootbeer_standard, frida_detection, emulator_detection. Run rasp-bypass-runner.sh to generate bypass command."

Example 4: Find Hardcoded Secrets in React Native


**User**: "This is a React Native app. Find any hardcoded API keys in the JavaScript bundle."

**Agent Actions**:

```bash
bash scripts/auto-audit-static.sh ~/Downloads/rn-app.apk
grep -r "API_KEY\|api_key\|apiKey" decoded/assets/*.bundle
```

**Agent Response**: "Found 3 hardcoded secrets in assets/index.android.bundle: Firebase API key (line 4521), Stripe publishable key (line 8912), AWS access key ID (line 12045). Evidence saved to findings-merged.json with MASVS-STORAGE-1 control failure."

Advanced Topics


Native Code Analysis


```bash
# Extract native libraries
unzip app.apk "lib/*" -d native/

# Analyze with Ghidra/IDA (manual)

# Or use Frida for runtime analysis:
python3 scripts/07-tools/frida-exploit-helper.py \
  -p com.example.app \
  --hook JNI_OnLoad,RegisterNatives

# Hook specific native function by offset
frida -U -f com.example.app -l - << 'EOF'
var base = Module.findBaseAddress('libnative.so');
Interceptor.attach(base.add(0x1234), {
    onEnter: function(args) {
        console.log('[+] Native function called');
        console.log('Arg0: ' + args[0]);
    }
});
EOF
```

Attestation Bypass Limitations


**Important**: Client-side hooks cannot forge server-verified attestation:

- ❌ Play Integrity verdicts (Google server-signed)
- ❌ SafetyNet attestation responses
- ❌ Approov tokens (server-side verification)
- ❌ App Attest (Apple server validation)

**Authorized Testing Approaches**:

- ✅ Use test tenant with backend allowlist
- ✅ Configure mock verifier in staging environment
- ✅ Request official pentest exception from vendor
- ✅ Use approved lab environment with vendor cooperation

Custom Semgrep Rules


Add custom rule to scripts/03-static-analysis/semgrep-rules/:

```yaml
rules:
  - id: custom-api-key-pattern
    pattern: |
      const-string $VAR, "cust_$KEY"
    message: Custom API key pattern detected
    severity: ERROR
    languages: [smali]
    metadata:
      owasp_mobile: M1
      masvs_control: MASVS-STORAGE-1
```

References


License


Apache 2.0 - See LICENSE file for details.