# Workers App Tester

Pentest Android apps through a rooted device. Drives the device UI, intercepts network traffic, and uses Frida for runtime analysis.

For detailed guides, load these on demand:
- references/testing-methodology.md — IDOR, auth, exposure, local storage, deeplinks, exported components, logging
- references/frida.md — SSL bypass, root bypass, codeshare scripts, hooking patterns, custom certs
- agents/reverse-agent.md — APK decompilation sub-agent, reads codebase for endpoints, secrets, components
## Session Setup

### 1. Pick the target

`pm list packages -3` lists only third-party packages; the `dumpsys` line prints whichever activity is currently in the foreground, so you can read the package name off whatever the device is showing.

```bash
adb shell pm list packages -3
adb shell dumpsys activity activities | grep -m 1 -E 'topResumedActivity=|ResumedActivity:|mFocusedApp='
```

### 2. Create session directory
```bash
SESSION_DIR=/tmp/workers-app-tester-$(date +%Y%m%d-%H%M%S)
mkdir -p "$SESSION_DIR"
```

### 3. Start traffic interception
Set `ANDROID_APP_TESTER_PRESERVE_AUTH=1` so auth headers are logged in full, not redacted.

```bash
adb shell settings put global http_proxy 10.0.2.2:8080
ANDROID_APP_TESTER_OUT_DIR="$SESSION_DIR" \
ANDROID_APP_TESTER_PACKAGE="<package>" \
ANDROID_APP_TESTER_PRESERVE_AUTH=1 \
nohup mitmdump --set block_global=false --listen-host 0.0.0.0 --listen-port 8080 \
  -s scripts/capture.py >"$SESSION_DIR/mitmdump.log" 2>&1 &
echo $! >"$SESSION_DIR/mitmdump.pid"
```

10.0.2.2 is the emulator's alias for the host's loopback interface. For physical devices, replace 10.0.2.2 with the host IP on a network the device can reach. `--listen-host 0.0.0.0` together with `block_global=false` is what lets a non-local device connect, so it also exposes the proxy to anything else on that network; keep the host on a lab network while the session runs.

### 4. Launch the app
```bash
adb shell am force-stop <package> || true
adb shell monkey -p <package> -c android.intent.category.LAUNCHER 1
```

### 5. If no HTTPS traffic appears
The app is most likely using SSL pinning. Check `$SESSION_DIR/mitmdump.log` first: TLS handshake errors mean the app reached the proxy and rejected its certificate (pinning), while no connections at all mean the app is ignoring the system proxy setting, which a pinning bypass will not fix. For pinning, see references/frida.md: start frida-server, then spawn the app with bypass.js.

## Static Analysis
Dispatch to the reverse-agent with the package name and session directory. It will:
- Pull the APK from the device
- Decompile with apktool (manifest, smali, resources)
- Grep for hardcoded secrets, API endpoints, security anti-patterns
- Read through interesting files for deeper context

Returns: exported components, deeplink schemes, API endpoints, hardcoded secrets, security issues.

Use these findings to drive targeted testing in The Loop.
## The Loop

### 1. Observe
```bash
python3 scripts/ui.py
```

Returns a compact numbered list of interactive elements:

```
[1] "Sign In" btn @ (540,1200) bounds=[380,1150][700,1250] clickable
[2] "Email" input @ (540,400) bounds=[100,350][980,450] focusable
```

### 2. Act
One action per cycle. Tap element [1]:

```bash
adb shell input tap 540 1200
```

For text fields, tap then type:

```bash
adb shell input tap 540 400
adb shell input text "test@example.com"
```

`input text` takes a single argument with no spaces; write a space as `%s`, and quote anything the device shell would otherwise interpret.

### 3. Intercept
```bash
python3 scripts/traffic.py --input "$SESSION_DIR/traffic.jsonl" --since-seconds 15 --limit 10
```

With headers and bodies:

```bash
python3 scripts/traffic.py --input "$SESSION_DIR/traffic.jsonl" --since-seconds 15 --show-headers --show-body
```

### 4. Decide next step and repeat
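The Observe and Act steps hand coordinates from `ui.py` output to `adb shell input`. The following is an added example, not one of the page's bundled scripts: it parses element lines in the exact shape `ui.py` prints above, turns an element index into the tap or tap-and-type command, applies the `%s` space encoding that `input text` requires, and reports when a fresh observation no longer matches the previous one (the reason the rules say to re-run `ui.py` before every action). The three sample lines are constructed, and the regex assumes the line format shown above.

```python
"""Parse ui.py-style element lines and turn an element index into adb input commands."""
import re
import shlex
from dataclasses import dataclass

# Constructed sample in the same shape as the two lines shown above.
SAMPLE_UI = """\
[1] "Sign In" btn @ (540,1200) bounds=[380,1150][700,1250] clickable
[2] "Email" input @ (540,400) bounds=[100,350][980,450] focusable
[3] "Remember me" checkbox @ (120,900) bounds=[80,860][160,940] clickable checkable
"""

LINE_RE = re.compile(
    r'^\[(?P<idx>\d+)\]\s+"(?P<label>[^"]*)"\s+(?P<kind>\S+)\s+@\s+'
    r"\((?P<x>-?\d+),(?P<y>-?\d+)\)\s+"
    r"bounds=\[(?P<l>-?\d+),(?P<t>-?\d+)\]\[(?P<r>-?\d+),(?P<b>-?\d+)\]"
    r"(?P<flags>(?:\s+\w+)*)\s*$"
)


@dataclass(frozen=True)
class Element:
    idx: int
    label: str
    kind: str
    x: int
    y: int
    bounds: tuple      # (left, top, right, bottom)
    flags: frozenset   # e.g. {"clickable", "checkable"}


def parse_ui(text):
    """Return {index: Element}; lines that are not element lines are skipped."""
    elements = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        g = m.groupdict()
        e = Element(int(g["idx"]), g["label"], g["kind"], int(g["x"]), int(g["y"]),
                    (int(g["l"]), int(g["t"]), int(g["r"]), int(g["b"])),
                    frozenset(g["flags"].split()))
        left, top, right, bottom = e.bounds
        # A centre outside its own bounds means the dump is garbled: refuse rather than tap blindly.
        if not (left <= e.x <= right and top <= e.y <= bottom):
            raise ValueError(f"element {e.idx}: centre outside bounds: {line}")
        elements[e.idx] = e
    return elements


def adb_text_arg(text):
    """Quote text for `adb shell input text`.

    `input text` takes one argument and decodes %s as a space, so spaces are
    rewritten first; shlex.quote then protects the rest from the device shell,
    which parses everything after `adb shell`. A literal "%s" cannot be typed.
    """
    return shlex.quote(text.replace(" ", "%s"))


def tap_command(elements, idx):
    e = elements[idx]
    return f"adb shell input tap {e.x} {e.y}"


def type_command(elements, idx, text):
    """Tap the field, then type into it; && is the one form of chaining the rules allow."""
    e = elements[idx]
    if e.kind != "input":
        raise ValueError(f"element {idx} is a {e.kind}, not an input")
    return f"{tap_command(elements, idx)} && adb shell input text {adb_text_arg(text)}"


def screen_changed(before, after):
    """True when labels, kinds or centres differ: re-run ui.py before acting on old coordinates."""
    def key(els):
        return {(e.label, e.kind, e.x, e.y) for e in els.values()}
    return key(before) != key(after)
```

`parse_ui` fails loudly on a centre that falls outside its own bounds instead of tapping a guessed spot; that is the failure mode you want surfaced when the screen has redrawn between observe and act.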
## Security Analysis

After exercising the app's main flows, run the analyzer:

```bash
python3 scripts/analyze.py --input "$SESSION_DIR/traffic.jsonl" --mode full
```

Individual modes: `endpoints`, `idor`, `auth`, `exposure`, `headers`.

See references/testing-methodology.md for what to do with each finding.
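As an added illustration of the kind of check each of the five modes performs (this is not the project's `analyze.py`, whose heuristics may differ), here is a small analyzer run over constructed `traffic.jsonl` records. The record shape, the field names, the sample hosts, the token and the `AKIA...` value are all assumptions.

```python
"""Five analysis modes over traffic.jsonl, shown here on constructed records."""
import json
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit


def rec(method, url, status, req_h=None, resp_h=None, req_b="", resp_b=""):
    """One record in the assumed traffic.jsonl shape."""
    return {"ts": 0.0, "method": method, "url": url, "status": status,
            "request_headers": req_h or {}, "response_headers": resp_h or {},
            "request_body": req_b, "response_body": resp_b}


AUTH = {"authorization": "Bearer tok-42"}
HSTS = {"strict-transport-security": "max-age=31536000", "content-type": "application/json"}
SAFE = dict(HSTS, **{"cache-control": "no-store"})
# Constructed traffic: hosts, token and the AKIA... value are made up.
SAMPLE_JSONL = "\n".join(json.dumps(r) for r in [
    rec("POST", "https://api.example.test/v1/login", 200, {"content-type": "application/json"},
        {"server": "nginx/1.18.0"}, '{"email":"test@example.com","password":"hunter2"}',
        '{"token":"eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiI0MiJ9.sig-value","user_id":42}'),
    rec("GET", "https://api.example.test/v1/users/42/profile", 200, AUTH, SAFE, "", '{"id":42}'),
    rec("GET", "https://api.example.test/v1/users/43/profile", 200, AUTH, SAFE, "", '{"id":43}'),
    rec("GET", "https://api.example.test/v1/orders/1001", 200, {}, HSTS, "", '{"id":1001}'),
    rec("GET", "https://api.example.test/v1/orders/1001", 200, AUTH, HSTS, "", '{"id":1001}'),
    rec("GET", "https://cdn.example.test/config.json?api_key=AKIAABCDEFGHIJKLMNOP", 200, {},
        {"content-type": "application/json"}, "", '{"beta":true}'),
])
ID_SEG = re.compile(r"^(\d+|[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12})$", re.I)
SECRETS = {  # what "exposure" scans URLs and bodies for
    "jwt": re.compile(r"eyJ[\w-]{8,}\.eyJ[\w-]{8,}\.[\w-]+"),
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "secret_field": re.compile(r'"(?:password|secret|api_key|aws_secret)"\s*:', re.I),
}


def load(jsonl):
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def lower(headers):
    return {k.lower(): v for k, v in headers.items()}


def ok(r):
    return 200 <= (r["status"] or 0) < 300


def endpoint(r):
    """METHOD host/path with object-ID segments templated as {id}."""
    u = urlsplit(r["url"])
    path = "/".join("{id}" if ID_SEG.match(s) else s for s in u.path.split("/"))
    return f"{r['method']} {u.netloc}{path}"


def mode_endpoints(recs):
    return sorted({endpoint(r) for r in recs})


def mode_idor(recs):
    """One token reaching several object IDs on one endpoint: confirm each ID belongs to that identity."""
    reach = defaultdict(set)
    for r in recs:
        tok = lower(r["request_headers"]).get("authorization")
        ids = [s for s in urlsplit(r["url"]).path.split("/") if ID_SEG.match(s)]
        if tok and ids and ok(r):
            reach[(endpoint(r), tok)].add("/".join(ids))
    out = defaultdict(set)
    for (ep, _tok), ids in reach.items():
        if len(ids) > 1:
            out[ep] |= ids
    return {ep: sorted(ids) for ep, ids in out.items()}


def mode_auth(recs):
    """Credentials in query strings, and endpoints that answer 2xx with and without Authorization."""
    seen, findings = defaultdict(set), []
    for r in recs:
        q = parse_qs(urlsplit(r["url"]).query)
        if any(k.lower() in ("token", "api_key", "apikey", "access_token") for k in q):
            findings.append(f"credential in query string: {r['method']} {r['url']}")
        if ok(r):
            seen[endpoint(r)].add("authorization" in lower(r["request_headers"]))
    findings += [f"2xx both with and without Authorization: {ep}"
                 for ep, s in seen.items() if s == {True, False}]
    return sorted(findings)


def mode_exposure(recs):
    hits = set()
    for r in recs:
        for where in ("url", "request_body", "response_body"):
            for name, pat in SECRETS.items():
                if pat.search(r[where] or ""):
                    hits.add((name, where, endpoint(r)))
    return sorted(hits)


def mode_headers(recs):
    out = set()
    for r in recs:
        h, ep = lower(r["response_headers"]), endpoint(r)
        if r["url"].startswith("https://") and "strict-transport-security" not in h:
            out.add(f"missing HSTS: {ep}")
        if re.search(r"/\d", h.get("server", "")):
            out.add(f"server version disclosed ({h['server']}): {ep}")
        authed = "authorization" in lower(r["request_headers"])
        if authed and "no-store" not in h.get("cache-control", "").lower():
            out.add(f"authenticated response cacheable (no Cache-Control: no-store): {ep}")
    return sorted(out)


MODES = {"endpoints": mode_endpoints, "idor": mode_idor, "auth": mode_auth,
         "exposure": mode_exposure, "headers": mode_headers}


def analyze(jsonl, mode="full"):
    recs = load(jsonl)
    if mode == "full":
        return {name: fn(recs) for name, fn in MODES.items()}
    return MODES[mode](recs)
```

Two things worth noting in the sample run: `/v1/orders/{id}` is not an IDOR candidate because the token only ever reached one order, but it is an auth finding because the same URL returned 200 with no token at all; and the login request's password field is reported by `exposure` even though it is expected there, which is why the methodology file, not the analyzer, decides what is a finding.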
## ADB Reference

| Action | Command |
|---|---|
| Tap | `adb shell input tap X Y` |
| Type | `adb shell input text "text"` (no spaces; write a space as `%s`) |
| Scroll down | `adb shell input swipe 540 1500 540 500 300` |
| Scroll up | `adb shell input swipe 540 500 540 1500 300` |
| Back | `adb shell input keyevent KEYCODE_BACK` |
| Home | `adb shell input keyevent KEYCODE_HOME` |
| Enter | `adb shell input keyevent KEYCODE_ENTER` |
| Long press | `adb shell input swipe X Y X Y 1000` |
| Launch app | `adb shell monkey -p <package> -c android.intent.category.LAUNCHER 1` |
| Force stop | `adb shell am force-stop <package>` |

Swipe coordinates and durations (milliseconds) are placeholder values: take X/Y from `ui.py` output and scale swipes to the device's resolution. A swipe whose start and end points coincide is how `input` produces a long press.
## Session Teardown

```bash
kill "$(cat "$SESSION_DIR/mitmdump.pid")" 2>/dev/null || true
adb shell settings delete global http_proxy
adb shell "su -c 'pkill frida-server'" 2>/dev/null || true
```

## Rules
- One UI action per cycle. Observe, act, intercept, then decide.
- Always run `ui.py` before acting so coordinates match the current screen.
- Always tear down the session when done. The proxy setting persists across reboots (`settings put global` is stored in the device's global settings), and a device left pointing at a proxy that is no longer running has no network at all.
- Document findings: endpoint, vulnerability type, reproduction steps, evidence.
- NEVER use `sleep` in any command. No `sleep 1`, no `sleep 2`, no `sleep && command`. Run commands directly. `ui.py` handles its own timing. Chain with `&&` if needed.
- Be fast. No unnecessary delays between actions.
## Bundled Scripts

| Script | Purpose |
|---|---|
| `scripts/ui.py` | Smart UI parser. Filters to interactive elements with spatial dedup. |
| `scripts/capture.py` | mitmproxy addon. Logs to JSONL. Set `ANDROID_APP_TESTER_PRESERVE_AUTH=1` to keep auth headers unredacted. |
| `scripts/traffic.py` | Traffic viewer. `--input`, `--since-seconds`, `--limit`, `--show-headers`, `--show-body`. |
| `scripts/analyze.py` | Security analyzer. Modes: `full`, `endpoints`, `idor`, `auth`, `exposure`, `headers`. |
| `bypass.js` | SSL pinning bypass. TrustManagerImpl, OkHttp3, SSLContext, Conscrypt. |
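The `capture.py` row describes a mitmproxy addon that writes one JSON line per flow and honours `ANDROID_APP_TESTER_PRESERVE_AUTH`. The addon below is an added example of that shape, not the project's `capture.py`: it reads the same three environment variables the Session Setup invocation exports, masks credential-bearing headers unless the flag is `1`, caps stored bodies, and also logs flows that never got a response, since a burst of those right after launch is what pinning looks like in the log. `BODY_LIMIT`, the masked-header list and `sample_flow` are assumptions; `record()` touches only public mitmproxy `Request`/`Response` attributes, and the constructed flow lets the file run without mitmproxy installed.

```python
"""Minimal mitmproxy addon of the shape the capture.py row describes: one JSON line per flow."""
import json
import os

REDACTED = ("authorization", "cookie", "set-cookie", "x-api-key")
BODY_LIMIT = 64 * 1024  # assumption: cap stored bodies so traffic.jsonl stays greppable


class Capture:
    def __init__(self, out_dir=None, package=None, preserve_auth=None):
        env = os.environ.get
        # Same variables the mitmdump invocation in Session Setup exports.
        self.out_dir = out_dir or env("ANDROID_APP_TESTER_OUT_DIR", ".")
        self.package = package or env("ANDROID_APP_TESTER_PACKAGE", "")
        flag = env("ANDROID_APP_TESTER_PRESERVE_AUTH", "0") if preserve_auth is None else preserve_auth
        self.preserve_auth = str(flag) == "1"
        self.path = os.path.join(self.out_dir, "traffic.jsonl")

    def _headers(self, headers):
        """Lower-case keys; credential values are masked unless PRESERVE_AUTH=1."""
        out = {}
        for k, v in headers.items():
            out[k.lower()] = v if self.preserve_auth or k.lower() not in REDACTED else "<redacted>"
        return out

    def _body(self, raw):
        if not raw:
            return ""
        text = raw[:BODY_LIMIT].decode("utf-8", "replace")
        return text + ("...[truncated]" if len(raw) > BODY_LIMIT else "")

    def record(self, flow):
        """JSON record for one HTTP flow; uses only public mitmproxy Request/Response attributes."""
        req, resp = flow.request, flow.response
        return {
            "ts": req.timestamp_start,
            "package": self.package,
            "method": req.method,
            "url": req.pretty_url,
            "status": resp.status_code if resp else None,  # None: no response (refused, TLS rejected)
            "request_headers": self._headers(req.headers),
            "response_headers": self._headers(resp.headers) if resp else {},
            "request_body": self._body(req.content),
            "response_body": self._body(resp.content) if resp else "",
        }

    def _write(self, flow):
        with open(self.path, "a", encoding="utf-8") as fh:
            fh.write(json.dumps(self.record(flow)) + "\n")

    # mitmproxy hooks: a completed exchange, and a failed one.
    def response(self, flow):
        self._write(flow)

    def error(self, flow):
        self._write(flow)


addons = [Capture()]  # what `mitmdump -s` loads


class _Obj:
    """Bare attribute holder standing in for mitmproxy objects in the constructed flow below."""


def sample_flow(auth="Bearer tok-42", with_response=True):
    """Constructed flow exposing exactly the attributes record() reads."""
    f = _Obj()
    f.request = _Obj()
    f.request.timestamp_start = 1700000000.0
    f.request.method = "GET"
    f.request.pretty_url = "https://api.example.test/v1/users/42"
    f.request.headers = {"Authorization": auth, "Accept": "application/json"}
    f.request.content = b""
    f.response = None
    if with_response:
        f.response = _Obj()
        f.response.status_code = 200
        f.response.headers = {"Content-Type": "application/json", "Set-Cookie": "sid=abc"}
        f.response.content = b'{"id":42}'
    return f
```

Masking defaults to on: a session directory under `/tmp` full of bearer tokens is itself a finding on a shared host, so the unredacted mode is something you opt into per session, as the setup step does.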