security-mcp 1.1.4 → 1.3.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +116 -264
- package/defaults/checklists/ai.json +20 -1
- package/defaults/checklists/api.json +35 -1
- package/defaults/checklists/infra.json +34 -1
- package/defaults/checklists/mobile.json +23 -1
- package/defaults/checklists/payments.json +15 -1
- package/defaults/checklists/web.json +11 -1
- package/defaults/security-policy.json +2 -2
- package/dist/cli/index.js +0 -0
- package/dist/gate/baseline.js +82 -7
- package/dist/gate/catalog.js +10 -2
- package/dist/gate/checks/ai.js +757 -39
- package/dist/gate/checks/auth-deep.js +920 -216
- package/dist/gate/checks/business-logic.js +751 -0
- package/dist/gate/checks/ci-pipeline.js +399 -4
- package/dist/gate/checks/crypto.js +423 -2
- package/dist/gate/checks/dependencies.js +571 -15
- package/dist/gate/checks/graphql.js +201 -19
- package/dist/gate/checks/infra.js +246 -1
- package/dist/gate/checks/injection-deep.js +827 -184
- package/dist/gate/checks/k8s.js +114 -1
- package/dist/gate/checks/mobile-android.js +917 -3
- package/dist/gate/checks/mobile-ios.js +797 -5
- package/dist/gate/checks/required-artifacts.js +194 -0
- package/dist/gate/checks/runtime.js +178 -0
- package/dist/gate/checks/secrets.js +244 -13
- package/dist/gate/checks/supply-chain-deep.js +787 -0
- package/dist/gate/checks/web-nextjs.js +572 -48
- package/dist/gate/diff.js +17 -5
- package/dist/gate/evidence.js +8 -1
- package/dist/gate/exceptions.js +131 -9
- package/dist/gate/policy.js +280 -131
- package/dist/mcp/audit-chain.js +122 -28
- package/dist/mcp/auth.js +169 -0
- package/dist/mcp/learning.js +129 -4
- package/dist/mcp/model-router.js +158 -21
- package/dist/mcp/orchestration.js +186 -51
- package/dist/mcp/server.js +337 -53
- package/dist/repo/fs.js +24 -1
- package/dist/repo/search.js +31 -6
- package/dist/review/store.js +52 -1
- package/package.json +7 -7
- package/skills/_TEMPLATE/SKILL.md +99 -0
- package/skills/advanced-dos-tester/SKILL.md +109 -0
- package/skills/agentic-loop-exploiter/SKILL.md +368 -0
- package/skills/ai-llm-redteam/SKILL.md +104 -0
- package/skills/ai-model-supply-chain-agent/SKILL.md +103 -0
- package/skills/algorithm-implementation-reviewer/SKILL.md +98 -0
- package/skills/android-penetration-tester/SKILL.md +455 -46
- package/skills/anti-replay-tester/SKILL.md +106 -0
- package/skills/appsec-code-auditor/SKILL.md +85 -0
- package/skills/artifact-integrity-analyst/SKILL.md +441 -0
- package/skills/attack-navigator/SKILL.md +467 -8
- package/skills/auth-session-hacker/SKILL.md +102 -0
- package/skills/aws-penetration-tester/SKILL.md +456 -0
- package/skills/azure-penetration-tester/SKILL.md +490 -3
- package/skills/binary-auth-validator/SKILL.md +111 -0
- package/skills/bot-detection-specialist/SKILL.md +109 -0
- package/skills/business-logic-attacker/SKILL.md +231 -0
- package/skills/capec-code-mapper/SKILL.md +84 -0
- package/skills/cert-pin-rotation-specialist/SKILL.md +112 -0
- package/skills/cicd-pipeline-hijacker/SKILL.md +405 -0
- package/skills/ciso-orchestrator/SKILL.md +454 -43
- package/skills/cloud-infra-specialist/SKILL.md +118 -0
- package/skills/compliance-gap-analyst/SKILL.md +422 -0
- package/skills/compliance-grc/SKILL.md +85 -0
- package/skills/compliance-lifecycle-tracker/SKILL.md +84 -0
- package/skills/credential-stuffing-specialist/SKILL.md +102 -0
- package/skills/crypto-pki-specialist/SKILL.md +87 -0
- package/skills/csa-ccm-mapper/SKILL.md +84 -0
- package/skills/csf2-governance-mapper/SKILL.md +84 -0
- package/skills/deep-link-fuzzer/SKILL.md +109 -0
- package/skills/dependency-confusion-attacker/SKILL.md +415 -0
- package/skills/device-integrity-aggregator/SKILL.md +108 -0
- package/skills/dos-resilience-tester/SKILL.md +97 -0
- package/skills/dread-scorer/SKILL.md +84 -0
- package/skills/egress-policy-enforcer/SKILL.md +99 -0
- package/skills/evidence-collector/SKILL.md +98 -0
- package/skills/file-upload-attacker/SKILL.md +109 -0
- package/skills/gcp-penetration-tester/SKILL.md +459 -2
- package/skills/git-history-secret-scanner/SKILL.md +106 -0
- package/skills/iam-privesc-graph-builder/SKILL.md +152 -0
- package/skills/incident-responder/SKILL.md +111 -0
- package/skills/injection-specialist/SKILL.md +102 -0
- package/skills/ios-security-auditor/SKILL.md +282 -0
- package/skills/json-ambiguity-tester/SKILL.md +0 -0
- package/skills/k8s-container-escaper/SKILL.md +384 -0
- package/skills/key-management-lifecycle-analyst/SKILL.md +98 -0
- package/skills/kill-switch-engineer/SKILL.md +102 -0
- package/skills/linddun-privacy-analyst/SKILL.md +102 -0
- package/skills/logic-race-fuzzer/SKILL.md +443 -0
- package/skills/mobile-api-network-attacker/SKILL.md +421 -0
- package/skills/mobile-binary-hardener/SKILL.md +102 -0
- package/skills/mobile-security-specialist/SKILL.md +85 -0
- package/skills/mobile-webview-auditor/SKILL.md +96 -0
- package/skills/model-extraction-attacker/SKILL.md +219 -0
- package/skills/multipart-abuse-tester/SKILL.md +84 -0
- package/skills/oauth-pkce-specialist/SKILL.md +104 -0
- package/skills/parser-exhaustion-tester/SKILL.md +142 -0
- package/skills/pentest-infra/SKILL.md +98 -0
- package/skills/pentest-social/SKILL.md +201 -0
- package/skills/pentest-team/SKILL.md +87 -0
- package/skills/pentest-web-api/SKILL.md +98 -0
- package/skills/privacy-flow-analyst/SKILL.md +234 -0
- package/skills/prompt-injection-specialist/SKILL.md +394 -0
- package/skills/quantum-migration-planner/SKILL.md +96 -0
- package/skills/rag-poisoning-specialist/SKILL.md +358 -0
- package/skills/registry-mirror-enforcer/SKILL.md +84 -0
- package/skills/rotation-validation-agent/SKILL.md +112 -0
- package/skills/samm-assessor/SKILL.md +85 -0
- package/skills/secrets-mask-bypass-tester/SKILL.md +100 -0
- package/skills/senior-security-engineer/SKILL.md +167 -0
- package/skills/serialization-memory-attacker/SKILL.md +332 -0
- package/skills/session-timeout-tester/SKILL.md +161 -0
- package/skills/slsa-level3-enforcer/SKILL.md +112 -0
- package/skills/slsa-provenance-enforcer/SKILL.md +102 -0
- package/skills/ssrf-detection-validator/SKILL.md +108 -0
- package/skills/step-up-auth-enforcer/SKILL.md +84 -0
- package/skills/stride-pasta-analyst/SKILL.md +420 -0
- package/skills/supply-chain-devsecops/SKILL.md +98 -0
- package/skills/threat-infrastructure-analyst/SKILL.md +84 -0
- package/skills/threat-modeler/SKILL.md +85 -0
- package/skills/tls-certificate-auditor/SKILL.md +573 -18
- package/skills/token-reuse-detector/SKILL.md +95 -0
- package/skills/trike-risk-modeler/SKILL.md +84 -0
- package/skills/unicode-homograph-tester/SKILL.md +84 -0
- package/skills/waf-rule-lifecycle-agent/SKILL.md +97 -0
- package/skills/webhook-security-tester/SKILL.md +102 -0
- package/skills/zero-trust-architect/SKILL.md +109 -0
|
@@ -79,3 +79,424 @@ certificate pinning bypass vectors, and GraphQL/REST endpoint exposure gaps.
|
|
|
79
79
|
- Hardcoded secret location or API vulnerability
|
|
80
80
|
- Mobile-specific exploit scenario
|
|
81
81
|
- Fix applied to code or API configuration
|
|
82
|
+
|
|
83
|
+
Every findings JSON MUST include `intelligenceForOtherAgents`:
|
|
84
|
+
```json
|
|
85
|
+
{
|
|
86
|
+
"intelligenceForOtherAgents": {
|
|
87
|
+
"forPentestTeam": [{ "type": "HIGH_VALUE_TARGET", "description": "...", "exploitHint": "..." }],
|
|
88
|
+
"forCryptoSpecialist": [{ "type": "CRYPTO_WEAKNESS_REFERENCE", "algorithm": "...", "location": "..." }],
|
|
89
|
+
"forCloudSpecialist": [{ "type": "SSRF_TO_CLOUD_CHAIN", "ssrfLocation": "...", "escalationPath": "..." }],
|
|
90
|
+
"forComplianceGrc": [{ "type": "COMPLIANCE_BLOCKER", "frameworks": ["..."], "releaseBlock": true }]
|
|
91
|
+
}
|
|
92
|
+
}
|
|
93
|
+
```
|
|
94
|
+
|
|
95
|
+
---
|
|
96
|
+
|
|
97
|
+
## BEYOND SKILL.MD — MANDATORY EXPANSIONS
|
|
98
|
+
|
|
99
|
+
### Expansion 1 — Frida-Based Certificate Pinning Bypass (CVE-Class: Platform Trust Abuse)
|
|
100
|
+
|
|
101
|
+
**Technique:** Use Frida dynamic instrumentation to hook `SecTrustEvaluate` (iOS) or
|
|
102
|
+
`X509TrustManager.checkServerTrusted` (Android) at runtime and force a trust decision of
|
|
103
|
+
`errSecSuccess` / no-throw regardless of the certificate presented. This defeats both native
|
|
104
|
+
cert pinning and most SDK-level pinning (TrustKit, OkHttp `CertificatePinner`).
|
|
105
|
+
|
|
106
|
+
**Concrete test:**
|
|
107
|
+
```bash
|
|
108
|
+
# Attach Frida to running app process
|
|
109
|
+
frida -U -l ssl_bypass.js -f com.target.app --no-pause
|
|
110
|
+
# ssl_bypass.js — universal bypass script (objection ships one)
|
|
111
|
+
objection -g com.target.app explore
|
|
112
|
+
# then: ios sslpinning disable OR android sslpinning disable
|
|
113
|
+
```
|
|
114
|
+
**Finding if:** MitM proxy (Burp/Charles) captures decrypted API traffic after Frida hook
|
|
115
|
+
is active. Indicates pinning is bypassable at runtime — even if statically verified.
|
|
116
|
+
|
|
117
|
+
**Mitigation check:** Verify the app uses jailbreak/root detection AND integrity attestation
|
|
118
|
+
(Google Play Integrity API / Apple DeviceCheck) so that a Frida-attached process is refused
|
|
119
|
+
by the backend, not just by the client-side pin.
|
|
120
|
+
|
|
121
|
+
---
|
|
122
|
+
|
|
123
|
+
### Expansion 2 — Binary Secret Extraction via strings + Radare2 / jadx
|
|
124
|
+
|
|
125
|
+
**Technique:** Strip the IPA or APK, run `strings` over the binary, and pipe through entropy
|
|
126
|
+
analysis to surface high-entropy blobs (API keys, JWT secrets, AES keys). Then use `jadx` or
|
|
127
|
+
`r2` to find the call site and understand how the secret is used.
|
|
128
|
+
|
|
129
|
+
**Concrete test:**
|
|
130
|
+
```bash
|
|
131
|
+
# Android: decompile APK
|
|
132
|
+
jadx -d out/ target.apk
|
|
133
|
+
grep -rE '[A-Za-z0-9_\-]{32,}' out/ | grep -viE 'import|package|class|layout'
|
|
134
|
+
|
|
135
|
+
# iOS: extract binary from IPA, scan with rabin2
|
|
136
|
+
unzip -o target.ipa && rabin2 -z Payload/App.app/App | awk 'length($NF) > 30'
|
|
137
|
+
|
|
138
|
+
# Entropy sweep (detect base64 keys)
|
|
139
|
+
python3 -c "
|
|
140
|
+
import math, re, sys
|
|
141
|
+
data = open(sys.argv[1]).read()
|
|
142
|
+
for m in re.findall(r'[A-Za-z0-9+/=]{32,}', data):
|
|
143
|
+
h = -sum(p*math.log2(p) for c in set(m) if (p := m.count(c)/len(m)) > 0)
|
|
144
|
+
if h > 4.5: print(h, m)
|
|
145
|
+
" out/sources/com/target/app/BuildConfig.java
|
|
146
|
+
```
|
|
147
|
+
**Finding if:** Secret with entropy > 4.5 found in decompiled source that matches a live
|
|
148
|
+
credential (confirm with a real API call).
|
|
149
|
+
|
|
150
|
+
---
|
|
151
|
+
|
|
152
|
+
### Expansion 3 — OAuth PKCE Downgrade via Custom URI Scheme Hijacking (CVE-2019-9700 class)
|
|
153
|
+
|
|
154
|
+
**Technique:** Android apps that register a custom URI scheme (`myapp://callback`) for OAuth
|
|
155
|
+
redirect are vulnerable to scheme hijacking: a malicious app registers the same scheme and
|
|
156
|
+
intercepts the authorization code. Without PKCE, the hijacker can exchange the code for tokens.
|
|
157
|
+
|
|
158
|
+
**Concrete test:**
|
|
159
|
+
1. Inspect `AndroidManifest.xml` for `<intent-filter>` with `<data android:scheme="myapp"/>`.
|
|
160
|
+
2. Register a second test APK with the identical scheme.
|
|
161
|
+
3. Initiate OAuth login on the victim app — observe which app receives the callback.
|
|
162
|
+
4. Without PKCE (`code_challenge` absent in `/authorize` request), exchange the code:
|
|
163
|
+
```bash
|
|
164
|
+
curl -X POST https://auth.target.com/oauth/token \
|
|
165
|
+
-d 'grant_type=authorization_code&code=INTERCEPTED_CODE&redirect_uri=myapp://callback&client_id=...'
|
|
166
|
+
```
|
|
167
|
+
**Finding if:** Token exchange succeeds without `code_verifier`.
|
|
168
|
+
|
|
169
|
+
---
|
|
170
|
+
|
|
171
|
+
### Expansion 4 — GraphQL Batch Query Amplification DoS
|
|
172
|
+
|
|
173
|
+
**Technique:** GraphQL allows multiple operations in a single HTTP request (batching). Without
|
|
174
|
+
a per-request complexity budget, an attacker sends a batch of 100 identical expensive queries,
|
|
175
|
+
each resolving N+1 DB calls, multiplying backend load by 100× with a single HTTP request.
|
|
176
|
+
|
|
177
|
+
**Concrete test:**
|
|
178
|
+
```bash
|
|
179
|
+
curl -X POST https://api.target.com/graphql \
|
|
180
|
+
-H 'Content-Type: application/json' \
|
|
181
|
+
-d '[
|
|
182
|
+
{"query": "{ users { id orders { id items { id product { id reviews { id } } } } } }"},
|
|
183
|
+
{"query": "{ users { id orders { id items { id product { id reviews { id } } } } } }"}
|
|
184
|
+
]'
|
|
185
|
+
# Repeat 100x in the array; measure response time vs single query
|
|
186
|
+
```
|
|
187
|
+
**Finding if:** Batch of 50 queries completes in < 2× the time of a single query (server is
|
|
188
|
+
parallelising without complexity limits), or the server returns HTTP 200 with all results
|
|
189
|
+
(no batch size limit).
|
|
190
|
+
|
|
191
|
+
---
|
|
192
|
+
|
|
193
|
+
### Expansion 5 — Firebase Security Rules Privilege Escalation (CVE-class: Misconfigured NoSQL)
|
|
194
|
+
|
|
195
|
+
**Technique:** Firebase Realtime Database and Firestore rules are frequently misconfigured to
|
|
196
|
+
allow reads or writes when `auth != null`, without validating the authenticated user's
|
|
197
|
+
relationship to the data being accessed (i.e., horizontal privilege escalation).
|
|
198
|
+
|
|
199
|
+
**Concrete test:**
|
|
200
|
+
```javascript
|
|
201
|
+
// Using Firebase JS SDK with a legitimately authenticated user
|
|
202
|
+
const db = firebase.firestore();
|
|
203
|
+
// Try reading another user's private document
|
|
204
|
+
const snap = await db.collection('users').doc('victim-uid').get();
|
|
205
|
+
console.log(snap.exists, snap.data());
|
|
206
|
+
// Try writing to another user's document
|
|
207
|
+
await db.collection('users').doc('victim-uid').update({ email: 'attacker@evil.com' });
|
|
208
|
+
```
|
|
209
|
+
Also check rules source directly:
|
|
210
|
+
```bash
|
|
211
|
+
# Download rules via Firebase CLI
|
|
212
|
+
firebase firestore:rules:list
|
|
213
|
+
# Look for: allow read, write: if request.auth != null;
|
|
214
|
+
# (no uid check = IDOR for all authenticated users)
|
|
215
|
+
```
|
|
216
|
+
|
|
217
|
+
---
|
|
218
|
+
|
|
219
|
+
### Expansion 6 — AI-Assisted API Fuzzing via LLM-Generated Payloads (Post-2024 Threat)
|
|
220
|
+
|
|
221
|
+
**Technique:** Adversaries now use LLMs (GPT-4o, local Llama 3 fine-tuned on API specs) to
|
|
222
|
+
auto-generate semantically valid but malicious request bodies that pass schema validation
|
|
223
|
+
while exploiting business logic. Unlike dumb fuzzing, LLM fuzzing understands field semantics
|
|
224
|
+
(e.g., sets `quantity: -1` or `role: "admin"` in a user-supplied patch body).
|
|
225
|
+
|
|
226
|
+
**Concrete test:**
|
|
227
|
+
```python
|
|
228
|
+
# Feed OpenAPI spec to LLM, ask for adversarial payloads
|
|
229
|
+
import anthropic
|
|
230
|
+
client = anthropic.Anthropic()
|
|
231
|
+
spec = open("openapi.yaml").read()
|
|
232
|
+
response = client.messages.create(
|
|
233
|
+
model="claude-sonnet-4-6",
|
|
234
|
+
max_tokens=2048,
|
|
235
|
+
messages=[{
|
|
236
|
+
"role": "user",
|
|
237
|
+
"content": f"Given this API spec, generate 10 adversarial payloads targeting IDOR, privilege escalation, and negative quantity exploits:\n{spec}"
|
|
238
|
+
}]
|
|
239
|
+
)
|
|
240
|
+
# Send each generated payload to the API; measure server behaviour
|
|
241
|
+
```
|
|
242
|
+
**Finding if:** Server returns HTTP 200 or 201 for payloads that should be rejected by
|
|
243
|
+
business logic (negative values, escalated roles, cross-user resource IDs).
|
|
244
|
+
|
|
245
|
+
---
|
|
246
|
+
|
|
247
|
+
### Expansion 7 — LLM-Assisted Mobile Binary Analysis for Obfuscated Secrets (Post-2024 Threat)
|
|
248
|
+
|
|
249
|
+
**Technique:** Attackers (and defenders) now feed decompiled smali/LLVM IR to LLMs to
|
|
250
|
+
identify obfuscated secret assembly — strings split across multiple functions, XOR-decoded at
|
|
251
|
+
runtime, or base64-encoded fragments concatenated at call time. Classic `strings` misses these.
|
|
252
|
+
|
|
253
|
+
**Concrete test:**
|
|
254
|
+
1. Decompile APK to smali with `apktool d target.apk`.
|
|
255
|
+
2. Feed suspicious smali classes to an LLM with prompt: "Identify any string construction
|
|
256
|
+
patterns that assemble a secret key or API credential at runtime."
|
|
257
|
+
3. Trace identified assembly patterns through dynamic analysis (Frida `Interceptor.attach`
|
|
258
|
+
on the final concatenation point) to capture the runtime value.
|
|
259
|
+
|
|
260
|
+
**Finding if:** Runtime-captured string matches a live API credential or secret format
|
|
261
|
+
(UUID, JWT, AWS key prefix `AKIA`, Stripe key prefix `sk_live_`).
|
|
262
|
+
|
|
263
|
+
---
|
|
264
|
+
|
|
265
|
+
### Expansion 8 — API Gateway Bypass via Host Header Injection to Internal Services
|
|
266
|
+
|
|
267
|
+
**Technique:** Mobile apps sometimes contact an API gateway that proxies to internal
|
|
268
|
+
microservices. If the gateway routes based on the `Host` header and does not validate it
|
|
269
|
+
against an allowlist, an attacker can inject a host header pointing to an internal service
|
|
270
|
+
address, potentially bypassing gateway-level auth enforcement.
|
|
271
|
+
|
|
272
|
+
**Concrete test:**
|
|
273
|
+
```bash
|
|
274
|
+
# Standard request through gateway
|
|
275
|
+
curl -H 'Host: api.target.com' https://api.target.com/v1/users
|
|
276
|
+
|
|
277
|
+
# Inject internal host to attempt bypass
|
|
278
|
+
curl -H 'Host: internal-users-service.default.svc.cluster.local' \
|
|
279
|
+
-H 'X-Forwarded-Host: internal-users-service.default.svc.cluster.local' \
|
|
280
|
+
https://api.target.com/v1/users
|
|
281
|
+
|
|
282
|
+
# Check if response differs (bypasses auth, returns different data, or errors reveal internals)
|
|
283
|
+
```
|
|
284
|
+
**Finding if:** Response status, body, or headers differ when internal host is injected,
|
|
285
|
+
or if `Server` / `X-Powered-By` headers reveal an internal service name.
|
|
286
|
+
|
|
287
|
+
---
|
|
288
|
+
|
|
289
|
+
## §MOBILE_API_NETWORK_ATTACKER-CHECKLIST
|
|
290
|
+
|
|
291
|
+
1. **Hardcoded credential sweep** — Run entropy analysis + regex scan across all
|
|
292
|
+
decompiled/source files. Search for patterns: `api_key`, `client_secret`, `AKIA`,
|
|
293
|
+
`sk_live_`, `Bearer `. Finding: any credential with entropy > 4.5 present in binary.
|
|
294
|
+
|
|
295
|
+
2. **Certificate pinning bypass via Frida** — Attach Frida/objection to the running app,
|
|
296
|
+
execute `ssl_pinning disable`, and attempt MitM with Burp. Finding: decrypted API traffic
|
|
297
|
+
captured in proxy after bypass.
|
|
298
|
+
|
|
299
|
+
3. **Network Security Config review (Android)** — Read `res/xml/network_security_config.xml`.
|
|
300
|
+
Check `cleartextTrafficPermitted`, `<trust-anchors>` scope, and `<pin-set>` backup pins.
|
|
301
|
+
Finding: `cleartextTrafficPermitted="true"` in production config, or missing backup pins.
|
|
302
|
+
|
|
303
|
+
4. **iOS App Transport Security exceptions** — Parse `Info.plist` for
|
|
304
|
+
`NSAppTransportSecurity` keys. Finding: `NSAllowsArbitraryLoads: true` or domain-specific
|
|
305
|
+
exceptions for production hosts.
|
|
306
|
+
|
|
307
|
+
5. **Token storage security** — Check iOS Keychain usage class (`kSecAttrAccessible*`);
|
|
308
|
+
check Android `EncryptedSharedPreferences` vs plain `SharedPreferences`. Finding: tokens
|
|
309
|
+
stored in `UserDefaults` / plain `SharedPreferences` / accessible after device unlock.
|
|
310
|
+
|
|
311
|
+
6. **OAuth PKCE enforcement** — Intercept `/authorize` request; confirm `code_challenge`
|
|
312
|
+
and `code_challenge_method=S256` present. Finding: absent `code_challenge`, or
|
|
313
|
+
`code_challenge_method=plain` used.
|
|
314
|
+
|
|
315
|
+
7. **Custom URI scheme hijacking risk** — Inspect `AndroidManifest.xml` for custom schemes.
|
|
316
|
+
Register a competing APK with the same scheme. Finding: competing app receives OAuth callback.
|
|
317
|
+
|
|
318
|
+
8. **GraphQL introspection in production** — Send `{ __schema { types { name } } }` to
|
|
319
|
+
the GraphQL endpoint without auth. Finding: full type list returned (200 OK with schema).
|
|
320
|
+
|
|
321
|
+
9. **GraphQL depth and complexity limits** — Send a deeply nested query (10+ levels) and a
|
|
322
|
+
batch of 50 queries. Finding: server returns all results without HTTP 400 or complexity error.
|
|
323
|
+
|
|
324
|
+
10. **API versioning gap** — Enumerate `/api/v1/`, `/api/v2/`, `/api/` (versionless), and
|
|
325
|
+
`/api/internal/` paths. Finding: older version or internal path accessible with no auth or
|
|
326
|
+
different, weaker auth than the current version.
|
|
327
|
+
|
|
328
|
+
11. **Push notification payload PII** — Review server-side push notification construction
|
|
329
|
+
code. Search for PII fields passed in APNs/FCM `data` payload. Finding: `email`, `phone`,
|
|
330
|
+
`name`, or financial data present in notification payload body.
|
|
331
|
+
|
|
332
|
+
12. **Firebase / Firestore rules IDOR** — Authenticate as User A; attempt read/write on
|
|
333
|
+
User B's documents using the Firebase SDK. Finding: operation succeeds, or rules contain
|
|
334
|
+
`allow read, write: if request.auth != null` without UID-scoped path matching.
|
|
335
|
+
|
|
336
|
+
---
|
|
337
|
+
|
|
338
|
+
## §POC-REQUIREMENT
|
|
339
|
+
|
|
340
|
+
Every finding reported by this agent MUST follow this exact lifecycle before being recorded
|
|
341
|
+
at the assigned severity:
|
|
342
|
+
|
|
343
|
+
1. **Write working PoC FIRST** — Document the exact payload, request, tool command, or
|
|
344
|
+
code snippet used. Include observed server response (status code, body excerpt, screenshot
|
|
345
|
+
reference). This must be reproducible by a person who was not present during the test.
|
|
346
|
+
|
|
347
|
+
2. **Confirm reproduction** — Execute the PoC a second time (different session, different
|
|
348
|
+
token if applicable) and confirm the same result. Note any environmental preconditions
|
|
349
|
+
(Frida attached, specific app version, authenticated vs unauthenticated).
|
|
350
|
+
|
|
351
|
+
3. **Write fix** — Implement the remediation in code or configuration. Document what changed
|
|
352
|
+
and why it closes the attack path.
|
|
353
|
+
|
|
354
|
+
4. **Verify PoC fails against fix** — Re-execute the identical PoC against the patched
|
|
355
|
+
code or configuration. Confirm the attack no longer succeeds (expected: HTTP 400/401/403,
|
|
356
|
+
pinning error, or no traffic captured).
|
|
357
|
+
|
|
358
|
+
5. **Record in findings JSON** — Add the `exploitPoC` field to the finding object:
|
|
359
|
+
```json
|
|
360
|
+
{
|
|
361
|
+
"exploitPoC": {
|
|
362
|
+
"command": "objection -g com.target.app explore -- ios sslpinning disable",
|
|
363
|
+
"observedImpact": "All HTTPS traffic decrypted in Burp proxy",
|
|
364
|
+
"reproduced": true,
|
|
365
|
+
"fixVerified": true
|
|
366
|
+
}
|
|
367
|
+
}
|
|
368
|
+
```
|
|
369
|
+
|
|
370
|
+
**PoC skipping = severity automatically downgraded to MEDIUM**, regardless of the theoretical
|
|
371
|
+
severity assigned. This rule is enforced by the orchestrator during Phase 2 synthesis.
|
|
372
|
+
|
|
373
|
+
---
|
|
374
|
+
|
|
375
|
+
## §PROJECT-ESCALATION
|
|
376
|
+
|
|
377
|
+
Immediately halt current work, emit an `ESCALATION` event to the orchestrator, and mark the
|
|
378
|
+
run as `REPRIORITIZE` if any of the following conditions are observed:
|
|
379
|
+
|
|
380
|
+
1. **Live production credentials found in binary** — Any API key, JWT secret, OAuth client
|
|
381
|
+
secret, or cloud provider key (`AKIA*`, `sk_live_*`, private key PEM block) found in a
|
|
382
|
+
decompiled production binary. Impact: immediate account takeover or data exfiltration.
|
|
383
|
+
Escalate before attempting any further exploitation.
|
|
384
|
+
|
|
385
|
+
2. **Authentication bypass on a production mobile endpoint** — A mobile-only API endpoint
|
|
386
|
+
accepts requests without any authentication token and returns non-public data (user
|
|
387
|
+
records, financial data, PII). This is a P0 data breach condition.
|
|
388
|
+
|
|
389
|
+
3. **GraphQL introspection + zero field-level authorization** — Introspection is enabled
|
|
390
|
+
AND at least one sensitive type (user, payment, admin) has resolvers with no `@auth`
|
|
391
|
+
directive or middleware guard. Combination creates a full schema + data extraction path.
|
|
392
|
+
|
|
393
|
+
4. **Firebase rules `allow read, write: if true`** — Open database rules in production.
|
|
394
|
+
This is a complete data breach; all data is publicly readable and writable. No further
|
|
395
|
+
testing needed — escalate immediately.
|
|
396
|
+
|
|
397
|
+
5. **Certificate pinning absent AND token not bound to device** — If MitM succeeds (no
|
|
398
|
+
pinning) AND the access token can be replayed from a different device/IP without error,
|
|
399
|
+
the session is fully portable. An attacker who intercepts once can replay indefinitely.
|
|
400
|
+
|
|
401
|
+
6. **Supply chain secret in a third-party SDK bundled into the app** — A bundled SDK
|
|
402
|
+
(analytics, payments, ads) contains hardcoded credentials that are shared across all
|
|
403
|
+
apps using that SDK version. This is a multi-tenant credential exposure affecting all
|
|
404
|
+
users of the SDK, not just this app.
|
|
405
|
+
|
|
406
|
+
7. **OAuth authorization code interceptable + PKCE absent** — Custom URI scheme registered
|
|
407
|
+
without PKCE enforcement, confirmed by successful token exchange with an intercepted code.
|
|
408
|
+
This is a complete account takeover vector requiring no user interaction beyond initiating
|
|
409
|
+
a login flow.
|
|
410
|
+
|
|
411
|
+
8. **LLM-generated payload causes server-side data mutation** — During AI-assisted fuzzing,
|
|
412
|
+
a generated payload causes an unintended write (role escalation, balance manipulation,
|
|
413
|
+
data deletion) in a staging or production environment. Indicates business logic is
|
|
414
|
+
exploitable at scale by automated adversaries.
|
|
415
|
+
|
|
416
|
+
---
|
|
417
|
+
|
|
418
|
+
## §EDGE-CASE-MATRIX
|
|
419
|
+
|
|
420
|
+
The 5 attack cases in this domain that automated scanners and naive manual review universally miss. MANDATORY checks — do not skip.
|
|
421
|
+
|
|
422
|
+
| # | Edge Case | Why Scanners Miss It | Concrete Test |
|
|
423
|
+
|---|-----------|----------------------|---------------|
|
|
424
|
+
| 1 | Second-order / stored payload executed in different context | Scanner checks input context, not execution context | Store payload safely; trigger in separate request/session |
|
|
425
|
+
| 2 | Unicode normalisation bypass | Regex filters run before normalisation; attacker uses homoglyphs or composed forms | Submit Ⅰ (U+2160) or < (U+FF1C) variants of known-bad strings |
|
|
426
|
+
| 3 | Polyglot payload active in multiple sinks simultaneously | Scanners test one injection class per payload | `'"><script>{{7*7}}</script><!--` — SQL + XSS + SSTI in one request |
|
|
427
|
+
| 4 | Out-of-band exfiltration (DNS/HTTP callback) | Scanner looks for inline response difference; OOB leaves no visible trace | Use Burp Collaborator / interactsh; inject DNS lookup payload |
|
|
428
|
+
| 5 | Race condition between check and use (TOCTOU) | Sequential scanners don't model concurrency | Send two simultaneous requests to the same state-changing endpoint |
|
|
429
|
+
|
|
430
|
+
---
|
|
431
|
+
|
|
432
|
+
## §TEMPORAL-THREATS
|
|
433
|
+
|
|
434
|
+
Threats materialising in the 2025–2030 window that defences designed today must account for.
|
|
435
|
+
|
|
436
|
+
| Threat | Est. Timeline | Relevance to This Domain | Prepare Now By |
|
|
437
|
+
|--------|--------------|--------------------------|----------------|
|
|
438
|
+
| Cryptographically Relevant Quantum Computer (CRQC) | 2028–2032 | Harvest-now-decrypt-later attacks active today; RSA/ECDSA keys signed today will be broken | Inventory all RSA/ECDSA usage; migrate long-lived data to ML-KEM (FIPS 203) |
|
|
439
|
+
| AI-assisted adversaries at scale | 2025–2027 (active) | LLM-powered fuzzing finds 10× more edge cases; automated PoC generation | Assume attackers have LLM help; expand test surface to match |
|
|
440
|
+
| EU AI Act full enforcement | 2026 | High-risk AI systems require mandatory conformity assessments | Classify all AI features against AI Act tiers now |
|
|
441
|
+
| Post-quantum TLS migration deadline | 2028–2030 | Browser vendors will drop classical-only TLS connections | Begin TLS agility assessment; test hybrid key exchange |
|
|
442
|
+
| Mandatory SBOM + build provenance (US EO 14028 / EU CRA) | 2025–2026 (active) | SBOM and SLSA attestation are becoming legally required | Achieve SLSA L2 minimum; generate CycloneDX SBOM per release |
|
|
443
|
+
|
|
444
|
+
---
|
|
445
|
+
|
|
446
|
+
## §DETECTION-GAP
|
|
447
|
+
|
|
448
|
+
What current security monitoring CANNOT detect in this domain, and what to build to close each gap.
|
|
449
|
+
|
|
450
|
+
**Standard gaps that MUST be checked:**
|
|
451
|
+
|
|
452
|
+
- **Second-order attack execution**: The storage request looks safe; only the retrieval+execution step is dangerous. Need: correlate write events with downstream read+execute events in the same SIEM query window.
|
|
453
|
+
- **Timing-side-channel leakage**: No log event emitted; only observable as microsecond response-time variance. Need: per-endpoint p99 latency tracking with statistical anomaly detection.
|
|
454
|
+
- **Low-and-slow credential stuffing**: Individually, each request is under rate limits. Need: behavioural baseline — flag accounts with geographically impossible velocity or device-fingerprint mismatch across authentication attempts.
|
|
455
|
+
- **Insider exfiltration via legitimate process**: Authorised exports, reports, and data downloads that individually are permitted but collectively constitute data exfiltration. Need: data-volume anomaly detection — alert when a single user's data access volume exceeds 3× their 30-day baseline within 24 hours.
|
|
456
|
+
- **Cross-agent attack chains**: Phase 1 finding A + Phase 1 finding B = CRITICAL chain invisible to either agent alone. Need: CISO orchestrator Phase 1 synthesis step — correlate all agent findings before Phase 2.
|
|
457
|
+
|
|
458
|
+
**Mobile-API-specific detection gaps:**
|
|
459
|
+
|
|
460
|
+
- **Runtime pinning bypass via Frida**: No network log entry differs from a legitimate request. Need: backend DeviceCheck / Play Integrity attestation verification on every sensitive API call — reject requests from processes that fail integrity attestation.
|
|
461
|
+
- **Binary secret extraction**: Occurs entirely offline before any network request is made. Need: rotate credentials on a schedule short enough that extracted credentials expire before they can be exploited; enforce per-device, short-lived token issuance.
|
|
462
|
+
- **GraphQL complexity abuse**: Standard WAF rules match on string patterns, not on query depth or resolver fan-out. Need: server-side query complexity analysis library (e.g., `graphql-cost-analysis`) with hard reject above threshold.
|
|
463
|
+
- **OAuth code interception via URI scheme**: Legitimate and malicious app both appear as valid redirects in OS logs. Need: enforce PKCE S256 server-side and reject any `/token` request lacking `code_verifier`.
|
|
464
|
+
|
|
465
|
+
---
|
|
466
|
+
|
|
467
|
+
## §ZERO-MISS-MANDATE
|
|
468
|
+
|
|
469
|
+
This agent CANNOT declare any attack class clean without explicit evidence of checking. For each item, output one of:
|
|
470
|
+
- `CHECKED: [N files] | [patterns used] | CLEAN`
|
|
471
|
+
- `CHECKED: [N files] | [patterns used] | [N findings, all fixed]`
|
|
472
|
+
- `SKIPPED: [reason — must be "not applicable: [evidence]"]`
|
|
473
|
+
|
|
474
|
+
**Silent skip = FAILED COVERAGE.** The orchestrator flags this as a quality gap.
|
|
475
|
+
|
|
476
|
+
The output findings JSON MUST include a `coverageManifest` key:
|
|
477
|
+
```json
|
|
478
|
+
{
|
|
479
|
+
"coverageManifest": {
|
|
480
|
+
"attackClassesCovered": [{ "class": "Hardcoded Secrets", "filesReviewed": 312, "patterns": ["api_key", "client_secret", "AKIA", "sk_live_", "Bearer "], "result": "CLEAN" }],
|
|
481
|
+
"filesReviewed": 312,
|
|
482
|
+
"negativeAssertions": ["Hardcoded Secrets: entropy + regex sweep across 312 decompiled files — 0 matches above threshold"],
|
|
483
|
+
"uncoveredReason": {}
|
|
484
|
+
}
|
|
485
|
+
}
|
|
486
|
+
```
|
|
487
|
+
|
|
488
|
+
---
|
|
489
|
+
|
|
490
|
+
## LEARNING SIGNAL
|
|
491
|
+
|
|
492
|
+
On every finding resolved, emit:
|
|
493
|
+
```json
|
|
494
|
+
{
|
|
495
|
+
"findingId": "FINDING_ID",
|
|
496
|
+
"agentName": "mobile-api-network-attacker",
|
|
497
|
+
"resolved": true,
|
|
498
|
+
"remediationTemplate": "one-line description of what was done",
|
|
499
|
+
"falsePositive": false
|
|
500
|
+
}
|
|
501
|
+
```
|
|
502
|
+
Call `security.record_outcome` with this payload so the routing engine learns which agent resolves each finding class most successfully. If a finding is a false positive, set `falsePositive: true` — this prevents the false-positive pattern from being routed here again.
|
|
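Review bot: the `coverageManifest` schema at the end of this hunk gives `"uncoveredReason": {}` with no documented shape, while the output format above requires `SKIPPED: [reason — must be "not applicable: [evidence]"]`; state that each skipped attack class appears as a key in `uncoveredReason` with its evidence string as the value, otherwise the "Silent skip = FAILED COVERAGE" rule leaves the orchestrator no machine-readable field to check. Related: `"result"` is free text in the example (`"CLEAN"` here, `"2 findings, both fixed"` in the sibling agent file on this page); an enum such as CLEAN / FIXED / OPEN plus a numeric `findingCount` would let `security.record_outcome` consumers aggregate without parsing strings. Minor: the OAuth item says to reject any `/token` request lacking `code_verifier`, which only closes the gap if the matching `code_challenge` was also required on the authorization request; worth stating so an implementer does not accept a verifier for a code that was issued without a challenge.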
@@ -197,3 +197,105 @@ module.exports = {
|
|
|
197
197
|
- `requiredActions`: ordered action list
|
|
198
198
|
- `complianceImpact`: framework mappings
|
|
199
199
|
- `beyondSkillMd`: true if finding goes beyond the SKILL.md mandate
|
|
200
|
+
|
|
201
|
+
Every findings JSON MUST also include `intelligenceForOtherAgents`:
|
|
202
|
+
```json
|
|
203
|
+
{
|
|
204
|
+
"intelligenceForOtherAgents": {
|
|
205
|
+
"forPentestTeam": [{ "type": "HIGH_VALUE_TARGET", "description": "e.g. Frida-injectable process — debuggable release flag set", "exploitHint": "Attach Frida to PID; hook target class methods to bypass auth checks" }],
|
|
206
|
+
"forCryptoSpecialist": [{ "type": "CRYPTO_WEAKNESS_REFERENCE", "algorithm": "e.g. hardcoded AES key in NDK native library", "location": "lib/arm64-v8a/libnative.so offset 0x2a10" }],
|
|
207
|
+
"forCloudSpecialist": [{ "type": "SSRF_TO_CLOUD_CHAIN", "ssrfLocation": "e.g. hardcoded cloud endpoint in BuildConfig", "escalationPath": "Endpoint accepts unauthenticated requests if binary is repackaged with modified flag" }],
|
|
208
|
+
"forComplianceGrc": [{ "type": "COMPLIANCE_BLOCKER", "frameworks": ["PCI DSS Req 6.3.3", "OWASP M7:2024"], "releaseBlock": true }]
|
|
209
|
+
}
|
|
210
|
+
}
|
|
211
|
+
```
|
|
212
|
+
|
|
213
|
+
---
|
|
214
|
+
|
|
215
|
+
## BEYOND SKILL.MD — MANDATORY EXPANSIONS
|
|
216
|
+
|
|
217
|
+
- **AI-Assisted Semantic Deobfuscation via LLM-Enhanced Jadx (ATT&CK T1027.002):** Modern toolchains (e.g., jadx-ai forks, GPT-4-augmented decompilers) recover semantic class/method names from ProGuard-obfuscated bytecode by pattern-matching against training data of known Android SDK call graphs. ProGuard dictionary obfuscation alone is defeated. Test by: decompile a release APK with jadx 1.4+; feed output to GPT-4 with the prompt "identify what this class does"; if the model names the class function correctly (e.g., "payment processor", "biometric auth"), obfuscation is insufficient. Finding threshold: any class handling PII, auth, or payment that is semantically recoverable in <3 LLM prompts.
|
|
218
|
+
|
|
219
|
+
- **Supply Chain: Malicious AAR/Gradle Plugin Injecting Backdoored Native Library (CVE-2023-26048 pattern, ATT&CK T1195.001):** Compromised Gradle plugins or transitive AAR dependencies have injected `libmalicious.so` into `jniLibs/` during the build phase — invisible to source code review. The Jetpack / Google Maven supply chain was targeted in the ShadowSDK campaign (2024). Test by: run `./gradlew dependencies --configuration releaseRuntimeClasspath > deps.txt`; cross-reference every native `.so` in the final APK against the dependency tree using `apktool d` + `sha256sum`; any `.so` not traceable to a pinned dependency version is a finding. Finding threshold: one unattributed native library.
|
|
220
|
+
|
|
221
|
+
- **Post-Quantum Threat: Harvest-Now-Decrypt APK Code-Signing (NIST FIPS 204 / ML-DSA migration):** Adversaries are archiving signed APKs and IPA bundles today. When a Cryptographically Relevant Quantum Computer (CRQC) becomes available (~2029–2032), RSA-2048 and ECDSA P-256 code-signing certificates used today will be forgeable retroactively, enabling undetectable APK repackaging of archived builds. Test by: run `apksigner verify --print-certs app-release.apk | grep -E "algorithm|key size"`; flag any signing cert using RSA < 4096 or ECDSA P-256/P-384. Finding threshold: any release signing key not on the ML-DSA (FIPS 204) migration roadmap documented in the project.
|
|
222
|
+
|
|
223
|
+
- **EU Cyber Resilience Act (CRA) SBOM Mandate — Missing Build Provenance Attestation (Regulatory, effective 2027):** The EU CRA requires manufacturers of apps with "digital elements" to provide a machine-readable SBOM (CycloneDX or SPDX) and SLSA build provenance attestation per release. Non-compliance blocks EU market access. Test by: verify a `cyclonedx-gradle-plugin` or `spdx-gradle-plugin` task is wired into the release build; run `./gradlew cyclonedxBom` and confirm output exists; check that the CI pipeline uploads a signed SLSA provenance attestation (`slsa-github-generator` or equivalent). Finding threshold: any release build lacking a valid signed SBOM artifact.
|
|
224
|
+
|
|
225
|
+
- **Dynamic Code Loading Integrity Bypass via OTA JS Bundle Replacement (CVE-2022-22972 pattern, ATT&CK T1055.001):** React Native and Expo apps using CodePush or custom OTA update mechanisms fetch JS bundles over HTTPS but often skip signature verification of the bundle payload itself. A MitM or compromised CDN delivers a malicious bundle that executes arbitrary JS in the app's native context, bypassing App Store review entirely. Test by: grep for `DexClassLoader`, `PathClassLoader`, `codePush.sync`, `Updates.fetchUpdateAsync` in source; intercept OTA traffic with mitmproxy and replace the bundle with a modified version; if the app executes the replaced bundle without rejecting it, the control is absent. Finding threshold: any OTA update path lacking ECDSA/RSA bundle signature verification checked at load time.
|
|
226
|
+
|
|
227
|
+
- **Frida Gadget Embedded in Third-Party SDK — Detection Evasion via Renamed Library (ATT&CK T1036.005):** Security researchers (NCC Group, 2024) documented Frida gadget (`libfrida-gadget.so`) shipped inside commercial analytics and ad-network SDKs under renamed filenames (e.g., `libmetrics_core.so`, `libanalytics_rt.so`) to evade name-based detection. The gadget enables remote JS injection into a production app at runtime on non-rooted devices via the Frida server protocol. Test by: extract APK with `apktool d`; for every `.so` in `lib/`, run `strings <lib>.so | grep -i "frida\|gadget\|gum-js\|GumScript"`; additionally check ELF section names with `readelf -S <lib>.so | grep frida`. Finding threshold: any `.so` whose strings or ELF sections reference Frida internals, regardless of filename.
|
|
228
|
+
|
|
229
|
+
---
|
|
230
|
+
|
|
231
|
+
## §EDGE-CASE-MATRIX
|
|
232
|
+
|
|
233
|
+
The 5 attack cases in mobile binary hardening that automated scanners and naive manual review universally miss. MANDATORY checks — do not skip.
|
|
234
|
+
|
|
235
|
+
| # | Edge Case | Why Scanners Miss It | Concrete Test |
|
|
236
|
+
|---|-----------|----------------------|---------------|
|
|
237
|
+
| 1 | ProGuard rule `keep` wildcard preserving entire sensitive packages | Static analysis sees `minifyEnabled = true` and marks it safe; wildcard `-keep class com.example.**` negates all obfuscation for that subtree | Parse all `proguard-rules.pro` / consumer-rules files; flag any `-keep class <pkg>.**` covering auth, crypto, or networking packages |
|
|
238
|
+
| 2 | Frida-gadget embedded in third-party SDK inside the APK | Scanner audits first-party code; vendored or repackaged SDKs may ship `libfrida-gadget.so` in `lib/` | Run `find . -name "libfrida-gadget.so" -o -name "frida-gadget*"` inside extracted APK; check `jniLibs/` and AAR exploded directories |
|
|
239
|
+
| 3 | Debug signing certificate used in an APK labelled `release` | Build pipeline misconfiguration; scanner checks `debuggable` flag but not signing certificate DN | Run `apksigner verify --print-certs app.apk` and confirm `CN` is not `Android Debug` or self-signed with `O=Android` |
|
|
240
|
+
| 4 | React Native / Flutter JS bundle bypassing native ProGuard entirely | ProGuard only operates on JVM bytecode; the JS/Dart bundle at `assets/index.android.bundle` ships in plaintext | Extract APK; check that `assets/index.android.bundle` is minified and does not contain raw source identifiers, internal URLs, or `console.log` |
|
|
241
|
+
| 5 | iOS App Store binary containing dyld-injectable `@rpath` entries pointing to non-existent frameworks (dylib hijacking surface) | Xcode project compiles cleanly; hijack surface only visible in linked binary's load commands | Run `otool -L YourApp.app/YourApp` and verify every `@rpath` entry resolves to a framework shipped in the `.app` bundle; flag dangling entries |
|
|
242
|
+
|
|
243
|
+
---
|
|
244
|
+
|
|
245
|
+
## §TEMPORAL-THREATS
|
|
246
|
+
|
|
247
|
+
Threats materialising in the 2025–2030 window that mobile binary hardening defences designed today must account for.
|
|
248
|
+
|
|
249
|
+
| Threat | Est. Timeline | Relevance to Mobile Binary Hardening | Prepare Now By |
|
|
250
|
+
|--------|--------------|---------------------------------------|----------------|
|
|
251
|
+
| AI-assisted APK deobfuscation at scale | 2025–2027 (active) | LLM + symbolic execution tools (e.g. LLM-enhanced jadx) recover semantic class names from obfuscated bytecode; ProGuard-only obfuscation is no longer a meaningful barrier | Layer RASP runtime checks and jailbreak/root detection on top of obfuscation; treat obfuscation as delay, not defence |
|
|
252
|
+
| Cryptographically Relevant Quantum Computer (CRQC) breaking RSA/ECDSA code-signing | 2028–2032 | Harvest-now-execute-later: adversaries archive signed APKs today and will forge equivalent signatures when CRQC arrives, enabling undetected repackaging | Inventory all RSA/ECDSA signing key sizes; plan migration to ML-DSA (FIPS 204) as Google Play and Apple App Store add support |
|
|
253
|
+
| Mandatory SBOM + build provenance for mobile apps (EU CRA / US EO 14028) | 2025–2026 (active) | Regulators will require CycloneDX/SPDX SBOM and SLSA build attestation for app store submissions in regulated sectors | Generate SBOM per release build; achieve SLSA L2 minimum (hosted build, signed provenance) |
|
|
254
|
+
| Dynamic Code Loading (DCL) abuse via legitimate update frameworks | 2026–2027 | Attackers target apps that use `DexClassLoader` or OTA JS bundle updates to push malicious payloads post-install, bypassing store review | Audit all `DexClassLoader`, `PathClassLoader`, and JS engine bundle-load paths; enforce code-signing verification before any dynamic load |
|
|
255
|
+
| Side-channel attacks on ARM TrustZone via shared cache timing | 2027–2029 | Sensitive key material in Keystore/Secure Enclave increasingly targeted by cache-timing attacks on shared CPU resources | Use hardware-backed Keystore with `StrongBoxKeymaster`; avoid in-process key derivation for high-value secrets |
|
|
256
|
+
|
|
257
|
+
---
|
|
258
|
+
|
|
259
|
+
## §DETECTION-GAP
|
|
260
|
+
|
|
261
|
+
What current mobile binary security monitoring CANNOT detect, and what to build to close each gap.
|
|
262
|
+
|
|
263
|
+
**Standard gaps that MUST be checked:**
|
|
264
|
+
|
|
265
|
+
- **Frida/debugger attach post-ship**: Store review tooling and static SAST see no debuggable flag; a rooted device attaches Frida to the running process invisibly. Need: in-app RASP that calls `ptrace(PTRACE_TRACEME)` and checks `/proc/self/status TracerPid` at runtime; alert or terminate if non-zero.
|
|
266
|
+
- **ProGuard rule drift over releases**: CI compares the current build but does not diff `proguard-rules.pro` changes across releases; a newly added `-keep` rule silently re-exposes a class. Need: git diff check on all ProGuard consumer rule files as part of release gate; fail build if any new `-keep class` rule covers a sensitive package.
|
|
267
|
+
- **Repackaged APK distribution outside Play Store**: Legitimate store binary is clean; attacker strips, modifies, and redistributes via third-party APK sites. Standard monitoring sees only the canonical store listing. Need: enrol in Play Integrity API / Apple DeviceCheck; verify attestation token server-side on sensitive API calls to reject non-certified installs.
|
|
268
|
+
- **Native library symbol exposure in stripped binaries**: `STRIP_INSTALLED_PRODUCT = YES` is set but the `dSYM` or unstripped `.so` is accidentally bundled in the app package rather than uploaded separately to Crashlytics/Sentry. Need: automated post-build check — `nm -U` on every `.so` / `otool -l` on every framework — assert symbol table is absent from the artifact submitted to the store.
|
|
269
|
+
- **Cross-agent chain: static secret in binary + cloud endpoint without attestation**: Binary hardening agent finds a hardcoded endpoint URL (LOW finding); cloud specialist finds the same endpoint lacks Play Integrity verification (MEDIUM finding). Together: CRITICAL — attacker extracts URL from unobfuscated binary and calls endpoint from a tampered app. Need: CISO orchestrator Phase 1 synthesis step to correlate binary findings with cloud/API findings before Phase 2.
|
|
270
|
+
|
|
271
|
+
---
|
|
272
|
+
|
|
273
|
+
## §ZERO-MISS-MANDATE
|
|
274
|
+
|
|
275
|
+
This agent CANNOT declare any attack class clean without explicit evidence of checking. For each item, output one of:
|
|
276
|
+
- `CHECKED: [N files] | [patterns used] | CLEAN`
|
|
277
|
+
- `CHECKED: [N files] | [patterns used] | [N findings, all fixed]`
|
|
278
|
+
- `SKIPPED: [reason — must be "not applicable: [evidence]"]`
|
|
279
|
+
|
|
280
|
+
**Silent skip = FAILED COVERAGE.** The orchestrator flags this as a quality gap.
|
|
281
|
+
|
|
282
|
+
The output findings JSON MUST include a `coverageManifest` key:
|
|
283
|
+
```json
|
|
284
|
+
{
|
|
285
|
+
"coverageManifest": {
|
|
286
|
+
"attackClassesCovered": [
|
|
287
|
+
{ "class": "Debuggable Release Build", "filesReviewed": 3, "patterns": ["debuggable true", "isDebuggable = true"], "result": "CLEAN" },
|
|
288
|
+
{ "class": "ProGuard Disabled", "filesReviewed": 5, "patterns": ["minifyEnabled false", "isMinifyEnabled = false"], "result": "CLEAN" },
|
|
289
|
+
{ "class": "Hardcoded Secrets in Source", "filesReviewed": 142, "patterns": ["API_KEY", "SECRET", "password", "Bearer "], "result": "2 findings, both fixed" },
|
|
290
|
+
{ "class": "Debug Symbols in Release Binary", "filesReviewed": 4, "patterns": ["STRIP_INSTALLED_PRODUCT", "debugSymbolLevel", "apktool output class names"], "result": "CLEAN" },
|
|
291
|
+
{ "class": "allowBackup Enabled", "filesReviewed": 1, "patterns": ["allowBackup=\"true\""], "result": "CLEAN" }
|
|
292
|
+
],
|
|
293
|
+
"filesReviewed": 155,
|
|
294
|
+
"negativeAssertions": [
|
|
295
|
+
"Debuggable release: searched build.gradle, AndroidManifest.xml — 0 matches",
|
|
296
|
+
"ProGuard disabled: searched all buildType configs — minifyEnabled is true in release"
|
|
297
|
+
],
|
|
298
|
+
"uncoveredReason": {}
|
|
299
|
+
}
|
|
300
|
+
}
|
|
301
|
+
```
|
|
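Review bot: the edge-case table's Concrete Test for row 2 (`find . -name "libfrida-gadget.so" -o -name "frida-gadget*"`) contradicts the BEYOND SKILL.MD item in the same hunk, which says the gadget ships under renamed filenames such as `libmetrics_core.so` precisely to defeat name-based detection; make the row's test the content-based check already given above (`strings` / `readelf -S` for Frida internals on every `.so` in `lib/`) so the two sections agree. Reference accuracy: CVE-2023-26048 is a Jetty multipart-handling advisory and CVE-2022-22972 a VMware Workspace ONE Access authentication bypass, neither a Gradle/AAR injection nor an OTA bundle case, and ATT&CK T1055.001 is DLL injection; the "ShadowSDK campaign (2024)" and the "NCC Group, 2024" Frida-gadget report carry no citation. Replace the "pattern" labels with identifiers that match or drop them, and add links for the two reports, since downstream agents are told to cite these in findings. Also, the post-quantum test flags `RSA < 4096 or ECDSA P-256/P-384`, but the threat as stated (a CRQC) breaks RSA-4096 as well; the threshold sentence (key on the ML-DSA roadmap) is the real criterion, so present the key-size filter as inventory rather than as a pass/fail line.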
@@ -122,3 +122,88 @@ If internet permitted:
|
|
|
122
122
|
Write `.mcp/agent-runs/{agentRunId}/mobile-findings.json`
|
|
123
123
|
Every finding maps to: MASVS control ID, MSTG test case ID, CWE, CVSSv4.
|
|
124
124
|
Code fixes written directly in the affected mobile source files.
|
|
125
|
+
|
|
126
|
+
Every findings JSON MUST include `intelligenceForOtherAgents`:
|
|
127
|
+
```json
|
|
128
|
+
{
|
|
129
|
+
"intelligenceForOtherAgents": {
|
|
130
|
+
"forPentestTeam": [{ "type": "HIGH_VALUE_TARGET", "description": "...", "exploitHint": "..." }],
|
|
131
|
+
"forCryptoSpecialist": [{ "type": "CRYPTO_WEAKNESS_REFERENCE", "algorithm": "...", "location": "..." }],
|
|
132
|
+
"forCloudSpecialist": [{ "type": "SSRF_TO_CLOUD_CHAIN", "ssrfLocation": "...", "escalationPath": "..." }],
|
|
133
|
+
"forComplianceGrc": [{ "type": "COMPLIANCE_BLOCKER", "frameworks": ["..."], "releaseBlock": true }]
|
|
134
|
+
}
|
|
135
|
+
}
|
|
136
|
+
```
|
|
137
|
+
|
|
138
|
+
## LEARNING SIGNAL
|
|
139
|
+
|
|
140
|
+
On every finding resolved, emit:
|
|
141
|
+
```json
|
|
142
|
+
{
|
|
143
|
+
"findingId": "FINDING_ID",
|
|
144
|
+
"agentName": "AGENT_NAME",
|
|
145
|
+
"resolved": true,
|
|
146
|
+
"remediationTemplate": "one-line description of what was done",
|
|
147
|
+
"falsePositive": false
|
|
148
|
+
}
|
|
149
|
+
```
|
|
150
|
+
Call `security.record_outcome` with this payload so the routing engine learns which agent resolves each finding class most successfully. If a finding is a false positive, set `falsePositive: true` — this prevents the false-positive pattern from being routed here again.
|
|
151
|
+
|
|
152
|
+
---
|
|
153
|
+
|
|
154
|
+
## §EDGE-CASE-MATRIX
|
|
155
|
+
|
|
156
|
+
The 5 attack cases in this domain that automated scanners and naive manual review universally miss. MANDATORY checks — do not skip.
|
|
157
|
+
|
|
158
|
+
| # | Edge Case | Why Scanners Miss It | Concrete Test |
|
|
159
|
+
|---|-----------|----------------------|---------------|
|
|
160
|
+
| 1 | Deep link / URL scheme parameter injection into WebView | Static scanners match URL handler registration, not downstream parameter consumption in WebView | Register a custom URL scheme; pass `javascript:` or `file://` as a parameter and confirm whether the embedded WebView evaluates it |
|
|
161
|
+
| 2 | Keychain / Keystore item accessible after device unlock (kSecAttrAccessibleAlways) | Scanners flag string literals but miss the accessibility constant in programmatic API calls | Dump Keychain entries using `objection` or `frida-ios-dump`; confirm kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly or stricter is set for every sensitive item |
|
|
162
|
+
| 3 | Certificate pinning bypass via dynamic pin update over HTTP | Scanner sees pinning code present and marks it clean; misses the pin being fetched from an unauthenticated endpoint | Intercept the pin-update call with a MITM proxy; substitute an attacker-controlled certificate fingerprint |
|
|
163
|
+
| 4 | Second-order deserialization in push notification / silent push payload | Scanner checks incoming payload parsing but not deferred execution after background wake | Send a crafted APNs / FCM silent push payload with a nested serialized object; verify the deserialization code path handles malformed data without code execution |
|
|
164
|
+
| 5 | Race condition in biometric + crypto object creation (TOCTOU on Android BiometricPrompt) | Sequential scanners model one authentication flow; concurrent requests to the same CryptoObject are not tested | Spawn two simultaneous authentication attempts sharing the same `CryptoObject` instance; confirm only one succeeds and no crash / bypass occurs |
|
|
165
|
+
|
|
166
|
+
## §TEMPORAL-THREATS
|
|
167
|
+
|
|
168
|
+
Threats materialising in the 2025–2030 window that defences designed today must account for.
|
|
169
|
+
|
|
170
|
+
| Threat | Est. Timeline | Relevance to This Domain | Prepare Now By |
|
|
171
|
+
|--------|--------------|--------------------------|----------------|
|
|
172
|
+
| Cryptographically Relevant Quantum Computer (CRQC) | 2028–2032 | Harvest-now-decrypt-later: RSA/ECDSA keys protecting long-lived mobile session tokens or stored health data signed today will be decryptable | Inventory all RSA/ECDSA key usage in mobile crypto stack; migrate long-lived secrets to ML-KEM (FIPS 203) and hybrid TLS; begin with Secure Enclave / StrongBox key rotation plan |
|
|
173
|
+
| AI-powered binary analysis (LLM-assisted reversing) | 2025–2027 (active) | Automated reverse engineering using GPT-4/Claude-level models identifies obfuscated logic, hardcoded secrets, and anti-tamper bypass paths in minutes, not days | Assume every binary will be fully deobfuscated; remove all secret material from binaries entirely; enforce hardware-backed key storage with no software fallback |
|
|
174
|
+
| SIM-swap / eSIM hijack escalation | 2025–2026 (active) | GSMA eSIM transfer APIs (CVE-2023-38185 class) allow carrier-assisted SIM swap without physical store; any SMS OTP auth is now trivially bypassed for targeted users | Migrate all security-sensitive authentication from SMS OTP to TOTP or FIDO2 passkeys; treat phone number as identifier only, never as authenticator |
|
|
175
|
+
| Malicious SDK update via compromised package registry | 2025–2026 (active) | Supply-chain attack on CocoaPods (CVE-2024-38368), npm packages used by React Native, or Maven Central compromises millions of apps silently | Pin SDK versions with hash verification; adopt SLSA L2 for mobile build pipeline; subscribe to vendor security advisories for every third-party SDK |
|
|
176
|
+
| EU CRA / US EO 14028 mandatory SBOM enforcement | 2025–2026 (active) | Mobile apps shipping to EU markets must provide SBOM and demonstrate software supply chain provenance; non-compliant apps face market withdrawal | Generate CycloneDX SBOM per mobile release build; achieve SLSA L2 minimum; document all SDK provenance |
|
|
177
|
+
|
|
178
|
+
## §DETECTION-GAP
|
|
179
|
+
|
|
180
|
+
What current security monitoring CANNOT detect in this domain, and what to build to close each gap.
|
|
181
|
+
|
|
182
|
+
**Standard gaps that MUST be checked:**
|
|
183
|
+
|
|
184
|
+
- **Silent data exfiltration via third-party SDK analytics:** The SDK call looks like telemetry; no anomaly in network logs because the SDK domain is allowlisted. Need: per-SDK network traffic volume baseline; alert when any single SDK domain receives more than 3× its 30-day data volume baseline within a session.
|
|
185
|
+
- **Jailbreak / root detection bypass at runtime:** Frida/Objection hooks are injected post-launch; device integrity checks pass at startup and never re-run. Need: periodic re-attestation using Apple DeviceCheck / Android Play Integrity API throughout the session, not only at login.
|
|
186
|
+
- **Keychain item exfiltration on jailbroken device:** No log event emitted; attacker reads Keychain directly from SQLite on device. Need: server-side anomaly detection — flag authentication tokens used from a new device fingerprint without re-authentication.
|
|
187
|
+
- **OTA code injection via compromised Expo / CodePush update:** Update download looks legitimate; only difference is the bundle hash. Need: enforce code signing verification (EAS Code Signing / CodePush code signing) and log bundle hash on every update; alert on hash mismatch or unexpected update outside release window.
|
|
188
|
+
- **Cross-agent attack chains:** A weak certificate pin (mobile finding) + an SSRF endpoint (cloud finding) = a full MITM-to-IMDS chain invisible to either agent alone. Need: CISO orchestrator Phase 1 synthesis step — correlate all agent findings before Phase 2.
|
|
189
|
+
|
|
190
|
+
## §ZERO-MISS-MANDATE
|
|
191
|
+
|
|
192
|
+
This agent CANNOT declare any attack class clean without explicit evidence of checking. For each item, output one of:
|
|
193
|
+
- `CHECKED: [N files] | [patterns used] | CLEAN`
|
|
194
|
+
- `CHECKED: [N files] | [patterns used] | [N findings, all fixed]`
|
|
195
|
+
- `SKIPPED: [reason — must be "not applicable: [evidence]"]`
|
|
196
|
+
|
|
197
|
+
**Silent skip = FAILED COVERAGE.** The orchestrator flags this as a quality gap.
|
|
198
|
+
|
|
199
|
+
The output findings JSON MUST include a `coverageManifest` key:
|
|
200
|
+
```json
|
|
201
|
+
{
|
|
202
|
+
"coverageManifest": {
|
|
203
|
+
"attackClassesCovered": [{ "class": "Insecure Keychain/Keystore Storage", "filesReviewed": 23, "patterns": ["kSecAttrAccessible", "KeyStore.getInstance"], "result": "CLEAN" }],
|
|
204
|
+
"filesReviewed": 23,
|
|
205
|
+
"negativeAssertions": ["Insecure storage: kSecAttrAccessibleAlways pattern searched across 23 files — 0 matches"],
|
|
206
|
+
"uncoveredReason": {}
|
|
207
|
+
}
|
|
208
|
+
}
|
|
209
|
+
```
|
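Review bot: the first §DETECTION-GAP item compares a single SDK domain's traffic "within a session" against "3× its 30-day data volume baseline", which mixes units: a 30-day total will essentially never be exceeded by one session, so the alert never fires; define the baseline per session (or per hour) over the trailing 30 days and compare like with like, as the insider-exfiltration item in the other agent file does with a 24-hour window. In the temporal table, the CRQC row says session tokens "signed today will be decryptable" and prescribes ML-KEM; decryption and signature forgery are different failures, so either split the row (harvest-now-decrypt-later on encrypted data: ML-KEM / hybrid TLS; signature forgery: ML-DSA, as the binary-hardening table on this page already does) or fix the wording. Edge-case row 2 describes the item as "accessible after device unlock (kSecAttrAccessibleAlways)"; `kSecAttrAccessibleAlways` means accessible regardless of lock state, which is the whole finding, so the parenthetical should not read as a synonym for after-unlock. Finally, the `coverageManifest` example lists one attack class while the table above mandates five checks; an example manifest carrying all five rows would make the "Silent skip" rule concrete for this agent.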