---
name: pentest-mobile
description: Mobile application pentest: Android/iOS, MASTG/MASVS, Frida/Objection dynamic analysis, certificate pinning bypass, IPC test advisory. Triggers on Android pentest, iOS pentest, Frida, Objection, MobSF, MASTG, MASVS, certificate pinning, root detection, jailbreak detection, IPC, deep link.
license: MIT
compatibility: Works with Claude Code
allowed-tools: Read Write Edit Bash Grep
metadata:
  author: badi
  badi-version: ">=1.24.0"
  category: pentest
  scope: advisory
  inspired-by: 0xSteph/pentest-ai-agents mobile-pentester
---

# pentest-mobile

Mobile app pentest advisory. **Note**: the `mobile` skill covers the `react-native`/`flutter` development side; `pentest-mobile` is for engagement-level mobile security testing.

## Triggers

- "Android APK pentest"
- "iOS app security test"
- "Frida hook"
- "cert pinning bypass"
- "MobSF report analysis"
- "MASTG/MASVS check"

## OWASP MASVS (Mobile Application Security Verification Standard)

| Category | Scope |
|----------|-------|
| MASVS-STORAGE | Sensitive data in local storage |
| MASVS-CRYPTO | Cryptographic primitives and key management |
| MASVS-AUTH | Authentication + session management |
| MASVS-NETWORK | TLS, cert pinning |
| MASVS-PLATFORM | IPC, deep links, WebView |
| MASVS-CODE | Code quality, input handling, secure update |
| MASVS-RESILIENCE | Root/jailbreak detection, anti-tampering, RASP |
| MASVS-PRIVACY | PII handling, permissions |

## Android Methodology

```
1. APK extraction: apktool d <app>.apk
2. Static: jadx-gui <app>.apk, MobSF upload
3. Manifest: permission list, exported components
4. Dynamic: emulator + Frida + Burp proxy
5. Storage: /data/data/<pkg>/ dump (rooted device)
6. Network: cert pinning bypass + intercept
7. IPC: exported activity, service, broadcast receiver test
8. WebView: file:// scheme, JavaScriptInterface
```

### Recommended Commands

```bash
# QUIET: static analysis
apktool d -o ./app-decompiled <app>.apk
jadx -d ./jadx-out <app>.apk

# MobSF (lokal, offline)
docker run -it --rm -p 8000:8000 opensecurity/mobile-security-framework-mobsf

# Dynamic: Frida (rooted/jailbroken device, frida-server running on it)
frida-ps -U                                  # process list on the USB device
frida -U -l hooks.js -f com.example.app     # spawn + hook

# Cert pinning bypass (widely used codeshare script; confirm the exact project slug
# on codeshare.frida.re first, the two names below are not identical)
# frida-codeshare: 'fdciabdul/Universal-Android-SSL-Pinning-Bypass'
frida --codeshare fdciabdul/universal-android-ssl-pinning-bypass-2 -U -f com.example.app

# Objection (Frida wrapper)
objection -g com.example.app explore
# > android sslpinning disable
# > android root disable
```

## iOS Methodology

```
1. IPA extract: unzip -d ./ipa-out <app>.ipa
2. Static: class-dump + Hopper / Ghidra
3. Plist: Info.plist permissions, URL schemes
4. Dynamic: jailbroken iPhone + Frida + Burp
5. Storage: /var/mobile/Containers/Data/Application/<uuid>/
6. Network: cert pinning bypass (Frida script)
7. URL scheme: deep link injection test
8. Keychain: keychain dumper
```

### Recommended Commands

```bash
# QUIET: static
unzip <app>.ipa -d ./ipa-out
otool -L ./ipa-out/Payload/<app>.app/<binary>

# Frida (jailbroken device, frida-server running on it)
frida-ps -U
# confirm the codeshare slug exists before relying on it
frida --codeshare federicodotta/ios-ssl-cert-bypass -U -f com.example.app

# Objection
objection -g com.example.app explore
# > ios sslpinning disable
# > ios jailbreak disable
# > ios keychain dump
```

## Certificate Pinning Bypass Approaches

1. **Frida script** (universal): runtime hook of the common pinning APIs
2. **Objection**: `android sslpinning disable` / `ios sslpinning disable`
3. **APK patching**: edit `res/xml/network_security_config.xml` to trust user CAs and drop `<pin-set>`, rebuild with `apktool b`, re-sign; this only defeats NSC-level pinning, pins enforced in code (OkHttp `CertificatePinner`, custom `TrustManager`) survive repackaging and still need a hook
4. **iOS**: locate the pin check with class-dump, then hook it with Frida (typical targets: `SecTrustEvaluate`, the `URLSession:didReceiveChallenge:completionHandler:` delegate, TrustKit)
5. **Custom TrustManager / WebView**: hook `X509TrustManager.checkServerTrusted` and `WebViewClient.onReceivedSslError` (call `handler.proceed()`)
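Approach 3 in working form, as an added example that is not code from the original page: it parses the `network_security_config.xml` that apktool extracts, reports what would block a Burp CA (no user-CA trust anchor, `<pin-set>` entries), and emits the patched config to put back before `apktool b`. The sample config is constructed; the function names are this example's own.

```python
# Added example (not from the original page): analyze and patch the
# network_security_config.xml that apktool extracts to res/xml/. Sample config is constructed.
import xml.etree.ElementTree as ET


def _trusts_user_ca(cfg):
    ta = cfg.find("trust-anchors")
    return ta is not None and any(c.get("src") == "user" for c in ta.findall("certificates"))


def analyze_nsc(xml_text):
    """Summarize what blocks an interception CA: missing user-CA trust anchors and <pin-set>s.
    Only base-config and domain-config count; <debug-overrides> apply to debuggable builds only."""
    root = ET.fromstring(xml_text)
    base = root.find("base-config")
    report = {
        # Android 7+ default without base-config/trust-anchors: system CAs only.
        "base_trusts_user_ca": base is not None and _trusts_user_ca(base),
        "base_cleartext": base is not None and base.get("cleartextTrafficPermitted") == "true",
        "pinned_domains": [],
        "domains_trusting_user_ca": [],
    }
    for dc in root.iter("domain-config"):  # iter() also reaches nested domain-configs
        domains = [d.text.strip() for d in dc.findall("domain")]
        if dc.find("pin-set") is not None:
            report["pinned_domains"] += domains
        if _trusts_user_ca(dc):
            report["domains_trusting_user_ca"] += domains
    return report


def patch_nsc(xml_text):
    """Return a config that trusts user-installed CAs everywhere and carries no pin-set.
    Pins implemented in code (OkHttp CertificatePinner, custom TrustManager) are untouched."""
    root = ET.fromstring(xml_text)
    for parent in list(root.iter()):
        for ps in parent.findall("pin-set"):
            parent.remove(ps)
    base = root.find("base-config")
    if base is None:
        base = ET.SubElement(root, "base-config")
    for cfg in [base] + list(root.iter("domain-config")):
        ta = cfg.find("trust-anchors")
        if ta is None:
            if cfg is not base:
                continue  # a domain-config without anchors inherits base-config
            ta = ET.SubElement(cfg, "trust-anchors")
            ET.SubElement(ta, "certificates", src="system")
        if not any(c.get("src") == "user" for c in ta.findall("certificates")):
            ET.SubElement(ta, "certificates", src="user")
    return ET.tostring(root, encoding="unicode")


# Constructed sample: system CAs only, SPKI pin on the API host (placeholder digest).
SAMPLE_NSC = """<network-security-config>
  <base-config cleartextTrafficPermitted="false">
    <trust-anchors>
      <certificates src="system"/>
    </trust-anchors>
  </base-config>
  <domain-config>
    <domain includeSubdomains="true">api.example.com</domain>
    <pin-set expiration="2026-01-01">
      <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
    </pin-set>
  </domain-config>
</network-security-config>"""

if __name__ == "__main__":
    print("before:", analyze_nsc(SAMPLE_NSC))
    patched = patch_nsc(SAMPLE_NSC)
    print("after: ", analyze_nsc(patched))
    print(patched)
```

Write the patched XML back to `res/xml/network_security_config.xml`, make sure `<application>` in the manifest references it with `android:networkSecurityConfig="@xml/network_security_config"` (add the attribute if the app had no config at all), then `apktool b`, `zipalign` and `apksigner sign` with your own keystore. If the app still rejects the proxy certificate after this, the pin lives in code and approaches 1, 2 or 5 apply.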

## IPC / Deep Link Test

```xml
<!-- Exported activity in the manifest -->
<activity android:name=".LoginActivity" android:exported="true">
  <intent-filter>
    <action android:name="android.intent.action.VIEW" />
    <data android:scheme="myapp" android:host="auth" />
  </intent-filter>
</activity>
```

```bash
# Deep link probe (ADB shell): implicit VIEW intent, as a browser or another app would send it
adb shell am start -W -a android.intent.action.VIEW -d "myapp://auth?token=test"
# Explicit intent straight at the component (only reachable when it is exported)
adb shell am start -n com.example.app/.LoginActivity --es token "bypass"
```
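The manifest review in Android methodology step 3 and the IPC probing above, done in one pass, as an added example that is not code from the original page: it reads the `AndroidManifest.xml` that `apktool d` writes, applies the platform's export rules (explicit `android:exported` wins; otherwise an `<intent-filter>` implies exported only on targetSdk < 31, and a `<provider>` only on targetSdk < 17), collects deep-link URIs, and prints the `adb` one-liner for every exported component. The sample manifest and the function names are constructed for this example.

```python
# Added example (not from the original page): enumerate the IPC attack surface
# from the AndroidManifest.xml that apktool decodes. Sample manifest is constructed.
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _attr(el, name, default=None):
    """Read an android:* attribute by its namespaced key."""
    return el.get("{%s}%s" % (ANDROID_NS, name), default)


@dataclass
class Component:
    kind: str                 # activity / activity-alias / service / receiver / provider
    name: str                 # fully qualified class name
    exported: bool
    reason: str               # which rule decided `exported`
    permission: str = ""      # android:permission guarding the component, if any
    deep_links: list = field(default_factory=list)
    authority: str = ""       # providers only


def is_exported(el, target_sdk):
    explicit = _attr(el, "exported")
    if explicit is not None:
        return explicit == "true", "android:exported"
    if el.tag == "provider":
        return target_sdk < 17, "provider default"
    if el.find("intent-filter") is not None:  # Android 12+ refuses to install this case
        return target_sdk < 31, "intent-filter without android:exported"
    return False, "no intent-filter"


def deep_links(el):
    """scheme://host/path URIs from VIEW intent-filters (custom schemes and app links)."""
    uris = []
    for f in el.findall("intent-filter"):
        if not any(_attr(a, "name") == "android.intent.action.VIEW" for a in f.findall("action")):
            continue
        for d in f.findall("data"):
            scheme = _attr(d, "scheme")
            if scheme:
                path = _attr(d, "path") or _attr(d, "pathPrefix") or ""
                uris.append("%s://%s%s" % (scheme, _attr(d, "host", ""), path))
    return uris


def analyze_manifest(xml_text):
    root = ET.fromstring(xml_text)
    pkg = root.get("package")
    sdk = root.find("uses-sdk")
    target_sdk = int(_attr(sdk, "targetSdkVersion", "1")) if sdk is not None else 1
    app = root.find("application")
    # Attribute values only; usesCleartextTraffic defaults to true below targetSdk 28.
    flags = {k: _attr(app, k) == "true" for k in ("debuggable", "allowBackup", "usesCleartextTraffic")}
    comps = []
    for kind in ("activity", "activity-alias", "service", "receiver", "provider"):
        for el in app.findall(kind):
            name = _attr(el, "name")
            if name.startswith("."):
                name = pkg + name
            elif "." not in name:
                name = pkg + "." + name
            exp, why = is_exported(el, target_sdk)
            comps.append(Component(kind, name, exp, why, _attr(el, "permission", ""),
                                   deep_links(el), _attr(el, "authorities", "").split(";")[0]))
    return {"package": pkg, "target_sdk": target_sdk, "flags": flags, "components": comps}


def probe_commands(report):
    """adb one-liners for every exported component: what any other app on the device can send."""
    pkg, cmds = report["package"], []
    for c in report["components"]:
        if not c.exported:
            continue
        for uri in c.deep_links:
            cmds.append('adb shell am start -W -a android.intent.action.VIEW -d "%s"' % uri)
        if c.kind in ("activity", "activity-alias"):
            cmds.append("adb shell am start -n %s/%s" % (pkg, c.name))
        elif c.kind == "service":
            cmds.append("adb shell am startservice -n %s/%s" % (pkg, c.name))
        elif c.kind == "receiver":
            cmds.append("adb shell am broadcast -n %s/%s" % (pkg, c.name))
        elif c.kind == "provider" and c.authority:
            cmds.append("adb shell content query --uri content://%s" % c.authority)
    return cmds


# Constructed sample: targetSdk 30, so the DebugActivity filter implies exported.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <uses-sdk android:minSdkVersion="24" android:targetSdkVersion="30"/>
  <application android:debuggable="true" android:allowBackup="true">
    <activity android:name=".LoginActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="myapp" android:host="auth"/>
      </intent-filter>
    </activity>
    <activity android:name=".DebugActivity">
      <intent-filter><action android:name="com.example.app.DEBUG"/></intent-filter>
    </activity>
    <activity android:name=".InternalActivity"/>
    <receiver android:name=".SyncReceiver" android:exported="false"/>
    <provider android:name=".DataProvider" android:authorities="com.example.app.data"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    rep = analyze_manifest(SAMPLE_MANIFEST)
    print(rep["package"], "targetSdk", rep["target_sdk"], rep["flags"])
    for c in rep["components"]:
        print("%-9s %-35s exported=%-5s %s %s" % (c.kind, c.name, c.exported, c.reason, c.deep_links))
    print("\n".join(probe_commands(rep)))
```

Run it against `./app-decompiled/AndroidManifest.xml` after `apktool d`, then cross-check the result on the device with `adb shell dumpsys package com.example.app`, which shows the resolved component state. A component that is exported but carries an `android:permission` with `signature` protection is listed but not reachable from a test app; treat the `permission` field as the filter for that.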

## Common Finding Categories

| Finding | Class | Severity (typical) |
|---------|-------|--------------------|
| No certificate pinning | MASVS-NETWORK | MEDIUM |
| Sensitive data in SharedPreferences in cleartext | MASVS-STORAGE | HIGH |
| Hard-coded API key inside the APK | MASVS-CRYPTO | HIGH |
| WebView + addJavascriptInterface | MASVS-PLATFORM | HIGH (RCE when targetSdkVersion < 17; otherwise exposure of the `@JavascriptInterface` methods) |
| Root detection trivially bypassed | MASVS-RESILIENCE | MEDIUM |
| Deep link auth bypass | MASVS-AUTH | HIGH |
| Sensitive data logged to logcat | MASVS-PRIVACY | MEDIUM |
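A detector for the storage and logging rows above (methodology step 5, the SharedPreferences dump, and the logcat check), as an added example that is not code from the original page: one classifier flags a key/value pair by key name or by value shape (JWT, long hex, base64 blob) and is applied to a `shared_prefs/*.xml` file and to `adb logcat` lines. The regexes are heuristics chosen for this example and the sample inputs are constructed; expect to tune the patterns per engagement.

```python
# Added example (not from the original page): flag cleartext secrets in a
# shared_prefs/*.xml dump and in logcat output. Patterns and samples are constructed.
import re
import xml.etree.ElementTree as ET

# Key names that usually hold secrets (assumed heuristics, case-insensitive).
KEY_HINTS = re.compile(r"passw|pwd|secret|token|api[_-]?key|auth|session|credential|private", re.I)
# Value shapes that look like credentials regardless of the key name.
VALUE_SHAPES = (
    ("jwt", re.compile(r"^eyJ[\w-]+\.[\w-]+\.[\w-]+$")),
    ("hex-secret", re.compile(r"^[0-9a-fA-F]{32,}$")),
    ("base64-blob", re.compile(r"^[A-Za-z0-9+/]{24,}={0,2}$")),
)


def classify(key, value):
    """Reasons a (key, value) pair looks like a secret; an empty list means clean."""
    value = (value or "").strip()
    reasons = ["key-name"] if KEY_HINTS.search(key or "") else []
    shapes = [label for label, rx in VALUE_SHAPES if rx.match(value)]
    if "hex-secret" in shapes:  # a long hex string also satisfies the base64 alphabet
        shapes = [s for s in shapes if s != "base64-blob"]
    return reasons + shapes


def scan_shared_prefs(xml_text):
    """Android writes <map><string name="k">v</string><boolean name="k" value="true"/>...</map>.
    Returns (key, value, reasons) for each entry that classifies as a secret."""
    root = ET.fromstring(xml_text)
    hits = []
    for el in root:
        key = el.get("name", "")
        value = el.text if el.tag == "string" else el.get("value", "")
        reasons = classify(key, value)
        if reasons:
            hits.append((key, value, reasons))
    return hits


KV = re.compile(r"([A-Za-z_][\w-]*)\s*[=:]\s*(\S+)")


def scan_logcat(lines):
    """Scan `adb logcat` lines for key=value / key: value pairs that classify as secrets."""
    hits = []
    for line in lines:
        for key, value in KV.findall(line):
            reasons = classify(key, value)
            if reasons:
                hits.append((key, value, reasons))
    return hits


# Constructed sample inputs (placeholder token and session id, not real credentials).
SAMPLE_PREFS = """<map>
    <string name="username">alice</string>
    <string name="auth_token">eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2lnbmF0dXJl</string>
    <boolean name="onboarded" value="true" />
    <string name="theme">dark</string>
</map>"""
SAMPLE_LOGCAT = [
    "D/LoginActivity( 1234): login ok user=alice session=7f3a9c1e2b4d5f6a7b8c9d0e1f2a3b4c",
    "I/Net( 1234): GET /v1/me status=200",
]

if __name__ == "__main__":
    for key, value, reasons in scan_shared_prefs(SAMPLE_PREFS):
        print("shared_prefs:", key, reasons, value)
    for key, value, reasons in scan_logcat(SAMPLE_LOGCAT):
        print("logcat:      ", key, reasons, value)
```

On a rooted device the input for `scan_shared_prefs` comes from `adb pull /data/data/com.example.app/shared_prefs`; for the logging check feed `adb logcat -d` output to `scan_logcat` while exercising login and token refresh. A `key-name` hit with a short or boolean value is usually noise; a value-shape hit on an unsuspicious key (a JWT under `cache_blob`) is the kind of finding the key-name heuristic alone would miss.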

## Out-of-Scope

- Techniques that would violate App Store / Play Store policy (e.g. rooting devices as a service)
- Physical device teardown (chip-off, JTAG)
- Traffic analysis of third-party SDKs (ToS violation)
