‹ 首页

mobile-application-security

@masriyan · 收录于 1 周前

Android and iOS application security testing — static and dynamic analysis, APK/IPA inspection, OWASP MASVS/MASTG verification, secure-storage and transport review, and mobile malware triage for authorized assessments

适合你,如果你需要评估移动应用的安全性并发现潜在风险。

/ 下载安装
mobile-application-security.skill双击,或拖进 Claude 桌面版 / Cowork,即完成安装↓ .skill↓ .zip
用别的 agent?下载 .zip 解压,把文件夹放进它的技能目录
Claude Code~/.claude/skills/(项目级 .claude/skills/)
Codex CLI~/.codex/skills/
Cursor自动读取上面两处目录
其他工具见其文档的「skills」目录;两个下载是同一份文件,只是名字不同
/ 通过 npx 安装 校验哈希
npx oh-my-skill add masriyan/claude-code-cybersecurity-skill/mobile-application-security
/ 通过 bash 安装
curl -fsSL https://oh-my-skill.com/install.sh | bash -s -- masriyan/claude-code-cybersecurity-skill/mobile-application-security
/ 已经装过?验证本机副本,不用重装
npx oh-my-skill verify masriyan/claude-code-cybersecurity-skill/mobile-application-security
安装目标可用 --agent / --scope 或 --to 明确指定;省略时只会在唯一已存在的 agent 目录上自动选择,零命中或多命中会停止并提示。content_hash 缺失或不一致均拒装。
160GitHub stars
~1.6K最小装载
~3.1K含声明引用
~3.5K文本包总量
镜像托管

怎么用

技能原文 SKILL.md作者撰写 · MIT · 2c864e3

Mobile Application Security

Purpose

Enable Claude to assess Android and iOS application security against the OWASP MASVS (Mobile Application Security Verification Standard) and execute tests from the OWASP MASTG (Mobile Application Security Testing Guide). Claude performs static analysis on APK/IPA artifacts, guides dynamic instrumentation (Frida/objection), reviews secure storage, transport, and platform-interaction controls, and triages potentially malicious mobile apps.

Authorization Required: Only test applications you own or are explicitly authorized to assess. Decompiling and modifying third-party apps may violate licenses and law. Confirm written scope before proceeding.

Activation Triggers

This skill activates when the user asks about:

  • Android (APK/AAB) or iOS (IPA) application security testing
  • OWASP MASVS / MASTG verification or a mobile pentest checklist
  • Decompiling, reversing, or static analysis of a mobile app
  • Insecure data storage, hardcoded secrets, or keystore/keychain review
  • Certificate pinning, SSL bypass, or mobile TLS/transport security
  • Frida / objection dynamic instrumentation or runtime hooking
  • AndroidManifest.xml, exported components, deep links, or Info.plist review
  • Mobile malware analysis or suspicious APK triage
  • Root/jailbreak detection, tampering, or anti-RE controls

Prerequisites
pip install requests pyaxmlparser

Optional enhanced capabilities:

  • apktool — APK decode/rebuild
  • jadx — Dalvik → Java decompiler
  • apkid — packer/obfuscator/compiler fingerprinting
  • frida / objection — dynamic instrumentation
  • mobsf (MobSF) — automated static+dynamic analysis platform
  • Android SDK platform-tools (adb), unzip, openssl

Core Capabilities
1. APK Static Analysis

When asked to analyze an APK:

  1. Unpack & decodeapktool d app.apk; extract AndroidManifest.xml, classes*.dex, resources.arsc, native libs (lib/), and assets.
  2. Manifest review — flag:
  3. android:debuggable="true", android:allowBackup="true"
  4. Exported components (activity/service/receiver/provider with exported="true" or implicit via intent-filter) lacking permissions
  5. usesCleartextTraffic="true" / permissive network_security_config
  6. Dangerous/excessive permissions; custom permissions with weak protectionLevel
  7. Deep links / android:autoVerify (app-link hijack), exported ContentProvider paths
  8. Secret hunting — scan decompiled sources/resources/assets for API keys, tokens, private keys, cloud creds, hardcoded crypto keys/IVs, and backend URLs.
  9. Decompilejadx to Java; review auth, crypto, WebView (addJavascriptInterface, setJavaScriptEnabled, loadUrl with untrusted input), and SQL.
  10. Native & packingapkid for packers/obfuscators; inspect lib/*/*.so for JNI entry points and hardcoded data.
  11. Signature — verify signing scheme (v1/v2/v3), debug-cert use, and integrity.

Use scripts/apk_analyzer.py for an automated first pass.

2. iOS (IPA) Static Analysis

When asked to analyze an IPA:

  1. Unzip the IPA; locate Payload/<App>.app/.
  2. Info.plistNSAppTransportSecurity exceptions (NSAllowsArbitraryLoads), URL schemes, UIFileSharingEnabled, permission usage strings.
  3. Binary checks — encryption (cryptid), PIE, stack canaries, ARC; detect missing hardening via otool/class-dump.
  4. Secret huntingstrings and resource scan for keys, endpoints, tokens.
  5. Data storageNSUserDefaults, Core Data, Keychain accessibility classes (avoid kSecAttrAccessibleAlways), plist data at rest.
  6. Embedded provisioning profile — entitlements, ad-hoc vs. enterprise distribution.
3. Insecure Data Storage (MASVS-STORAGE)

Review where sensitive data lands at rest:

  • Android: SharedPreferences, SQLite, internal/external files, logs, WebView cache, clipboard. Verify Keystore-backed keys for sensitive material.
  • iOS: Keychain (correct accessibility), no secrets in NSUserDefaults/plists, no sensitive data in app snapshots/backups.
  • Flag any PII, tokens, or credentials stored plaintext or with app-derived keys.
4. Network & Transport (MASVS-NETWORK)
  • Confirm TLS everywhere; no cleartext fallback.
  • Certificate/public-key pinning present and validated; document bypass via objection/Frida for testing.
  • Inspect API traffic with an intercepting proxy (Burp/mitmproxy); test for the same API flaws as web (→ Skill 09): IDOR, broken auth, mass assignment.
5. Dynamic Analysis & Instrumentation

Guide runtime testing on a rooted/jailbroken test device or emulator:

  • objection quick wins: android sslpinning disable, android root disable, keystore/keychain dump, list activities, start exported components.
  • Frida hooks for crypto APIs, auth checks, root/jailbreak detection bypass, and tracing sensitive method calls.
  • Observe filesystem and logcat for data leakage during use.
6. Platform Interaction & Anti-Tampering (MASVS-PLATFORM / RESILIENCE)
  • IPC: validate exported components, intent handling, ContentProvider permissions, custom URL schemes / deep-link validation.
  • WebView: disable JS where not needed; never expose privileged JS interfaces to untrusted content.
  • Resilience (defense-in-depth, not a vuln by itself): root/jailbreak detection, anti-debug, anti-hook, code obfuscation, integrity checks.
7. Mobile Malware Triage

For suspicious APKs: apkid packing, requested permissions vs. stated function, accessibility-service abuse, SMS/dialer/overlay permissions (banking-trojan markers), C2 URLs in strings, dynamic code loading (DexClassLoader). Hand confirmed IOCs to → Skill 06, deeper RE to → Skill 04/05.


Output Standards
# Mobile App Security Assessment — [App / Package]
Date: [Date] | Platform: [Android/iOS] | Version: [x.y.z] | Analyst: [Name]

## Executive Summary
[Posture, count by severity, top risks]

## MASVS Coverage
| Category | Result | Notes |
|----------|--------|-------|
| STORAGE | Fail | Token in SharedPreferences plaintext |
| CRYPTO  | Pass  | ... |
| NETWORK | Partial | No pinning |
| PLATFORM | ... |
| CODE / RESILIENCE | ... |

## Findings
### [M-01] Hardcoded API Key in resources  (High)
- MASTG-TEST ref / MASVS-STORAGE
- Evidence: res/values/strings.xml:api_key=...
- Impact / Remediation: [rotate, move to backend, ...]

## Recommendations (Prioritized)

Script Reference
apk_analyzer.py
# Static triage of an APK: manifest flags, permissions, exported components, secrets
python scripts/apk_analyzer.py --apk app.apk --output apk_report.json

# Secret-scan the decoded sources too (point at an apktool/jadx output dir)
python scripts/apk_analyzer.py --apk app.apk --sources ./jadx_out --output apk_report.json

Skill Integration

| Next Step | Condition | Target Skill | |-----------|-----------|--------------| | Backend API testing | App talks to REST/GraphQL API | → Skill 09 | | Deeper native/binary RE | .so / obfuscated logic | → Skill 04 | | Malware classification | Suspicious/packed APK | → Skill 05 | | IOC correlation | C2 / malicious infra found | → Skill 06 | | Crypto implementation review | Custom crypto in app | → Skill 13 |


References
按 MIT 许可原样转载,未经改动 · 在 GitHub 查看 →

评论

登录即可评论;带「已验证安装」的,是发布者名下有本店的安装或持有记录。