security-mcp 1.1.4 → 1.3.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (129)
  1. package/README.md +116 -264
  2. package/defaults/checklists/ai.json +20 -1
  3. package/defaults/checklists/api.json +35 -1
  4. package/defaults/checklists/infra.json +34 -1
  5. package/defaults/checklists/mobile.json +23 -1
  6. package/defaults/checklists/payments.json +15 -1
  7. package/defaults/checklists/web.json +11 -1
  8. package/defaults/security-policy.json +2 -2
  9. package/dist/cli/index.js +0 -0
  10. package/dist/gate/baseline.js +82 -7
  11. package/dist/gate/catalog.js +10 -2
  12. package/dist/gate/checks/ai.js +757 -39
  13. package/dist/gate/checks/auth-deep.js +920 -216
  14. package/dist/gate/checks/business-logic.js +751 -0
  15. package/dist/gate/checks/ci-pipeline.js +399 -4
  16. package/dist/gate/checks/crypto.js +423 -2
  17. package/dist/gate/checks/dependencies.js +571 -15
  18. package/dist/gate/checks/graphql.js +201 -19
  19. package/dist/gate/checks/infra.js +246 -1
  20. package/dist/gate/checks/injection-deep.js +827 -184
  21. package/dist/gate/checks/k8s.js +114 -1
  22. package/dist/gate/checks/mobile-android.js +917 -3
  23. package/dist/gate/checks/mobile-ios.js +797 -5
  24. package/dist/gate/checks/required-artifacts.js +194 -0
  25. package/dist/gate/checks/runtime.js +178 -0
  26. package/dist/gate/checks/secrets.js +244 -13
  27. package/dist/gate/checks/supply-chain-deep.js +787 -0
  28. package/dist/gate/checks/web-nextjs.js +572 -48
  29. package/dist/gate/diff.js +17 -5
  30. package/dist/gate/evidence.js +8 -1
  31. package/dist/gate/exceptions.js +131 -9
  32. package/dist/gate/policy.js +280 -131
  33. package/dist/mcp/audit-chain.js +122 -28
  34. package/dist/mcp/auth.js +169 -0
  35. package/dist/mcp/learning.js +129 -4
  36. package/dist/mcp/model-router.js +158 -21
  37. package/dist/mcp/orchestration.js +186 -51
  38. package/dist/mcp/server.js +337 -53
  39. package/dist/repo/fs.js +24 -1
  40. package/dist/repo/search.js +31 -6
  41. package/dist/review/store.js +52 -1
  42. package/package.json +7 -7
  43. package/skills/_TEMPLATE/SKILL.md +99 -0
  44. package/skills/advanced-dos-tester/SKILL.md +109 -0
  45. package/skills/agentic-loop-exploiter/SKILL.md +368 -0
  46. package/skills/ai-llm-redteam/SKILL.md +104 -0
  47. package/skills/ai-model-supply-chain-agent/SKILL.md +103 -0
  48. package/skills/algorithm-implementation-reviewer/SKILL.md +98 -0
  49. package/skills/android-penetration-tester/SKILL.md +455 -46
  50. package/skills/anti-replay-tester/SKILL.md +106 -0
  51. package/skills/appsec-code-auditor/SKILL.md +85 -0
  52. package/skills/artifact-integrity-analyst/SKILL.md +441 -0
  53. package/skills/attack-navigator/SKILL.md +467 -8
  54. package/skills/auth-session-hacker/SKILL.md +102 -0
  55. package/skills/aws-penetration-tester/SKILL.md +456 -0
  56. package/skills/azure-penetration-tester/SKILL.md +490 -3
  57. package/skills/binary-auth-validator/SKILL.md +111 -0
  58. package/skills/bot-detection-specialist/SKILL.md +109 -0
  59. package/skills/business-logic-attacker/SKILL.md +231 -0
  60. package/skills/capec-code-mapper/SKILL.md +84 -0
  61. package/skills/cert-pin-rotation-specialist/SKILL.md +112 -0
  62. package/skills/cicd-pipeline-hijacker/SKILL.md +405 -0
  63. package/skills/ciso-orchestrator/SKILL.md +454 -43
  64. package/skills/cloud-infra-specialist/SKILL.md +118 -0
  65. package/skills/compliance-gap-analyst/SKILL.md +422 -0
  66. package/skills/compliance-grc/SKILL.md +85 -0
  67. package/skills/compliance-lifecycle-tracker/SKILL.md +84 -0
  68. package/skills/credential-stuffing-specialist/SKILL.md +102 -0
  69. package/skills/crypto-pki-specialist/SKILL.md +87 -0
  70. package/skills/csa-ccm-mapper/SKILL.md +84 -0
  71. package/skills/csf2-governance-mapper/SKILL.md +84 -0
  72. package/skills/deep-link-fuzzer/SKILL.md +109 -0
  73. package/skills/dependency-confusion-attacker/SKILL.md +415 -0
  74. package/skills/device-integrity-aggregator/SKILL.md +108 -0
  75. package/skills/dos-resilience-tester/SKILL.md +97 -0
  76. package/skills/dread-scorer/SKILL.md +84 -0
  77. package/skills/egress-policy-enforcer/SKILL.md +99 -0
  78. package/skills/evidence-collector/SKILL.md +98 -0
  79. package/skills/file-upload-attacker/SKILL.md +109 -0
  80. package/skills/gcp-penetration-tester/SKILL.md +459 -2
  81. package/skills/git-history-secret-scanner/SKILL.md +106 -0
  82. package/skills/iam-privesc-graph-builder/SKILL.md +152 -0
  83. package/skills/incident-responder/SKILL.md +111 -0
  84. package/skills/injection-specialist/SKILL.md +102 -0
  85. package/skills/ios-security-auditor/SKILL.md +282 -0
  86. package/skills/json-ambiguity-tester/SKILL.md +0 -0
  87. package/skills/k8s-container-escaper/SKILL.md +384 -0
  88. package/skills/key-management-lifecycle-analyst/SKILL.md +98 -0
  89. package/skills/kill-switch-engineer/SKILL.md +102 -0
  90. package/skills/linddun-privacy-analyst/SKILL.md +102 -0
  91. package/skills/logic-race-fuzzer/SKILL.md +443 -0
  92. package/skills/mobile-api-network-attacker/SKILL.md +421 -0
  93. package/skills/mobile-binary-hardener/SKILL.md +102 -0
  94. package/skills/mobile-security-specialist/SKILL.md +85 -0
  95. package/skills/mobile-webview-auditor/SKILL.md +96 -0
  96. package/skills/model-extraction-attacker/SKILL.md +219 -0
  97. package/skills/multipart-abuse-tester/SKILL.md +84 -0
  98. package/skills/oauth-pkce-specialist/SKILL.md +104 -0
  99. package/skills/parser-exhaustion-tester/SKILL.md +142 -0
  100. package/skills/pentest-infra/SKILL.md +98 -0
  101. package/skills/pentest-social/SKILL.md +201 -0
  102. package/skills/pentest-team/SKILL.md +87 -0
  103. package/skills/pentest-web-api/SKILL.md +98 -0
  104. package/skills/privacy-flow-analyst/SKILL.md +234 -0
  105. package/skills/prompt-injection-specialist/SKILL.md +394 -0
  106. package/skills/quantum-migration-planner/SKILL.md +96 -0
  107. package/skills/rag-poisoning-specialist/SKILL.md +358 -0
  108. package/skills/registry-mirror-enforcer/SKILL.md +84 -0
  109. package/skills/rotation-validation-agent/SKILL.md +112 -0
  110. package/skills/samm-assessor/SKILL.md +85 -0
  111. package/skills/secrets-mask-bypass-tester/SKILL.md +100 -0
  112. package/skills/senior-security-engineer/SKILL.md +167 -0
  113. package/skills/serialization-memory-attacker/SKILL.md +332 -0
  114. package/skills/session-timeout-tester/SKILL.md +161 -0
  115. package/skills/slsa-level3-enforcer/SKILL.md +112 -0
  116. package/skills/slsa-provenance-enforcer/SKILL.md +102 -0
  117. package/skills/ssrf-detection-validator/SKILL.md +108 -0
  118. package/skills/step-up-auth-enforcer/SKILL.md +84 -0
  119. package/skills/stride-pasta-analyst/SKILL.md +420 -0
  120. package/skills/supply-chain-devsecops/SKILL.md +98 -0
  121. package/skills/threat-infrastructure-analyst/SKILL.md +84 -0
  122. package/skills/threat-modeler/SKILL.md +85 -0
  123. package/skills/tls-certificate-auditor/SKILL.md +573 -18
  124. package/skills/token-reuse-detector/SKILL.md +95 -0
  125. package/skills/trike-risk-modeler/SKILL.md +84 -0
  126. package/skills/unicode-homograph-tester/SKILL.md +84 -0
  127. package/skills/waf-rule-lifecycle-agent/SKILL.md +97 -0
  128. package/skills/webhook-security-tester/SKILL.md +102 -0
  129. package/skills/zero-trust-architect/SKILL.md +109 -0
@@ -79,3 +79,424 @@ certificate pinning bypass vectors, and GraphQL/REST endpoint exposure gaps.
79
79
  - Hardcoded secret location or API vulnerability
80
80
  - Mobile-specific exploit scenario
81
81
  - Fix applied to code or API configuration
82
+
83
+ Every findings JSON MUST include `intelligenceForOtherAgents`:
84
+ ```json
85
+ {
86
+ "intelligenceForOtherAgents": {
87
+ "forPentestTeam": [{ "type": "HIGH_VALUE_TARGET", "description": "...", "exploitHint": "..." }],
88
+ "forCryptoSpecialist": [{ "type": "CRYPTO_WEAKNESS_REFERENCE", "algorithm": "...", "location": "..." }],
89
+ "forCloudSpecialist": [{ "type": "SSRF_TO_CLOUD_CHAIN", "ssrfLocation": "...", "escalationPath": "..." }],
90
+ "forComplianceGrc": [{ "type": "COMPLIANCE_BLOCKER", "frameworks": ["..."], "releaseBlock": true }]
91
+ }
92
+ }
93
+ ```
94
+
95
+ ---
96
+
97
+ ## BEYOND SKILL.MD — MANDATORY EXPANSIONS
98
+
99
+ ### Expansion 1 — Frida-Based Certificate Pinning Bypass (CVE-Class: Platform Trust Abuse)
100
+
101
+ **Technique:** Use Frida dynamic instrumentation to hook `SecTrustEvaluate` (iOS) or
102
+ `X509TrustManager.checkServerTrusted` (Android) at runtime and force a trust decision of
103
+ `errSecSuccess` / no-throw regardless of the certificate presented. This defeats both native
104
+ cert pinning and most SDK-level pinning (TrustKit, OkHttp `CertificatePinner`).
105
+
106
+ **Concrete test:**
107
+ ```bash
108
+ # Attach Frida to running app process
109
+ frida -U -l ssl_bypass.js -f com.target.app --no-pause
110
+ # ssl_bypass.js — universal bypass script (objection ships one)
111
+ objection -g com.target.app explore
112
+ # then: ios sslpinning disable OR android sslpinning disable
113
+ ```
114
+ **Finding if:** MitM proxy (Burp/Charles) captures decrypted API traffic after Frida hook
115
+ is active. Indicates pinning is bypassable at runtime — even if statically verified.
116
+
117
+ **Mitigation check:** Verify the app uses jailbreak/root detection AND integrity attestation
118
+ (Google Play Integrity API / Apple DeviceCheck) so that a Frida-attached process is refused
119
+ by the backend, not just by the client-side pin.
120
+
121
+ ---
122
+
123
+ ### Expansion 2 — Binary Secret Extraction via strings + Radare2 / jadx
124
+
125
+ **Technique:** Strip the IPA or APK, run `strings` over the binary, and pipe through entropy
126
+ analysis to surface high-entropy blobs (API keys, JWT secrets, AES keys). Then use `jadx` or
127
+ `r2` to find the call site and understand how the secret is used.
128
+
129
+ **Concrete test:**
130
+ ```bash
131
+ # Android: decompile APK
132
+ jadx -d out/ target.apk
133
+ grep -rE '[A-Za-z0-9_\-]{32,}' out/ | grep -viE 'import|package|class|layout'
134
+
135
+ # iOS: extract binary from IPA, scan with rabin2
136
+ unzip -o target.ipa && rabin2 -z Payload/App.app/App | awk 'length($NF) > 30'
137
+
138
+ # Entropy sweep (detect base64 keys)
139
+ python3 -c "
140
+ import math, re, sys
141
+ data = open(sys.argv[1]).read()
142
+ for m in re.findall(r'[A-Za-z0-9+/=]{32,}', data):
143
+ h = -sum(p*math.log2(p) for c in set(m) if (p := m.count(c)/len(m)) > 0)
144
+ if h > 4.5: print(h, m)
145
+ " out/sources/com/target/app/BuildConfig.java
146
+ ```
147
+ **Finding if:** Secret with entropy > 4.5 found in decompiled source that matches a live
148
+ credential (confirm with a real API call).
149
+
150
+ ---
151
+
152
+ ### Expansion 3 — OAuth PKCE Downgrade via Custom URI Scheme Hijacking (CVE-2019-9700 class)
153
+
154
+ **Technique:** Android apps that register a custom URI scheme (`myapp://callback`) for OAuth
155
+ redirect are vulnerable to scheme hijacking: a malicious app registers the same scheme and
156
+ intercepts the authorization code. Without PKCE, the hijacker can exchange the code for tokens.
157
+
158
+ **Concrete test:**
159
+ 1. Inspect `AndroidManifest.xml` for `<intent-filter>` with `<data android:scheme="myapp"/>`.
160
+ 2. Register a second test APK with the identical scheme.
161
+ 3. Initiate OAuth login on the victim app — observe which app receives the callback.
162
+ 4. Without PKCE (`code_challenge` absent in `/authorize` request), exchange the code:
163
+ ```bash
164
+ curl -X POST https://auth.target.com/oauth/token \
165
+ -d 'grant_type=authorization_code&code=INTERCEPTED_CODE&redirect_uri=myapp://callback&client_id=...'
166
+ ```
167
+ **Finding if:** Token exchange succeeds without `code_verifier`.
168
+
169
+ ---
170
+
171
+ ### Expansion 4 — GraphQL Batch Query Amplification DoS
172
+
173
+ **Technique:** GraphQL allows multiple operations in a single HTTP request (batching). Without
174
+ a per-request complexity budget, an attacker sends a batch of 100 identical expensive queries,
175
+ each resolving N+1 DB calls, multiplying backend load by 100× with a single HTTP request.
176
+
177
+ **Concrete test:**
178
+ ```bash
179
+ curl -X POST https://api.target.com/graphql \
180
+ -H 'Content-Type: application/json' \
181
+ -d '[
182
+ {"query": "{ users { id orders { id items { id product { id reviews { id } } } } } }"},
183
+ {"query": "{ users { id orders { id items { id product { id reviews { id } } } } } }"}
184
+ ]'
185
+ # Repeat 100x in the array; measure response time vs single query
186
+ ```
187
+ **Finding if:** Batch of 50 queries completes in < 2× the time of a single query (server is
188
+ parallelising without complexity limits), or the server returns HTTP 200 with all results
189
+ (no batch size limit).
190
+
191
+ ---
192
+
193
+ ### Expansion 5 — Firebase Security Rules Privilege Escalation (CVE-class: Misconfigured NoSQL)
194
+
195
+ **Technique:** Firebase Realtime Database and Firestore rules are frequently misconfigured to
196
+ allow reads or writes when `auth != null`, without validating the authenticated user's
197
+ relationship to the data being accessed (i.e., horizontal privilege escalation).
198
+
199
+ **Concrete test:**
200
+ ```javascript
201
+ // Using Firebase JS SDK with a legitimately authenticated user
202
+ const db = firebase.firestore();
203
+ // Try reading another user's private document
204
+ const snap = await db.collection('users').doc('victim-uid').get();
205
+ console.log(snap.exists, snap.data());
206
+ // Try writing to another user's document
207
+ await db.collection('users').doc('victim-uid').update({ email: 'attacker@evil.com' });
208
+ ```
209
+ Also check rules source directly:
210
+ ```bash
211
+ # Download rules via Firebase CLI
212
+ firebase firestore:rules:list
213
+ # Look for: allow read, write: if request.auth != null;
214
+ # (no uid check = IDOR for all authenticated users)
215
+ ```
216
+
217
+ ---
218
+
219
+ ### Expansion 6 — AI-Assisted API Fuzzing via LLM-Generated Payloads (Post-2024 Threat)
220
+
221
+ **Technique:** Adversaries now use LLMs (GPT-4o, local Llama 3 fine-tuned on API specs) to
222
+ auto-generate semantically valid but malicious request bodies that pass schema validation
223
+ while exploiting business logic. Unlike dumb fuzzing, LLM fuzzing understands field semantics
224
+ (e.g., sets `quantity: -1` or `role: "admin"` in a user-supplied patch body).
225
+
226
+ **Concrete test:**
227
+ ```python
228
+ # Feed OpenAPI spec to LLM, ask for adversarial payloads
229
+ import anthropic
230
+ client = anthropic.Anthropic()
231
+ spec = open("openapi.yaml").read()
232
+ response = client.messages.create(
233
+ model="claude-sonnet-4-6",
234
+ max_tokens=2048,
235
+ messages=[{
236
+ "role": "user",
237
+ "content": f"Given this API spec, generate 10 adversarial payloads targeting IDOR, privilege escalation, and negative quantity exploits:\n{spec}"
238
+ }]
239
+ )
240
+ # Send each generated payload to the API; measure server behaviour
241
+ ```
242
+ **Finding if:** Server returns HTTP 200 or 201 for payloads that should be rejected by
243
+ business logic (negative values, escalated roles, cross-user resource IDs).
244
+
245
+ ---
246
+
247
+ ### Expansion 7 — LLM-Assisted Mobile Binary Analysis for Obfuscated Secrets (Post-2024 Threat)
248
+
249
+ **Technique:** Attackers (and defenders) now feed decompiled smali/LLVM IR to LLMs to
250
+ identify obfuscated secret assembly — strings split across multiple functions, XOR-decoded at
251
+ runtime, or base64-encoded fragments concatenated at call time. Classic `strings` misses these.
252
+
253
+ **Concrete test:**
254
+ 1. Decompile APK to smali with `apktool d target.apk`.
255
+ 2. Feed suspicious smali classes to an LLM with prompt: "Identify any string construction
256
+ patterns that assemble a secret key or API credential at runtime."
257
+ 3. Trace identified assembly patterns through dynamic analysis (Frida `Interceptor.attach`
258
+ on the final concatenation point) to capture the runtime value.
259
+
260
+ **Finding if:** Runtime-captured string matches a live API credential or secret format
261
+ (UUID, JWT, AWS key prefix `AKIA`, Stripe key prefix `sk_live_`).
262
+
263
+ ---
264
+
265
+ ### Expansion 8 — API Gateway Bypass via Host Header Injection to Internal Services
266
+
267
+ **Technique:** Mobile apps sometimes contact an API gateway that proxies to internal
268
+ microservices. If the gateway routes based on the `Host` header and does not validate it
269
+ against an allowlist, an attacker can inject a host header pointing to an internal service
270
+ address, potentially bypassing gateway-level auth enforcement.
271
+
272
+ **Concrete test:**
273
+ ```bash
274
+ # Standard request through gateway
275
+ curl -H 'Host: api.target.com' https://api.target.com/v1/users
276
+
277
+ # Inject internal host to attempt bypass
278
+ curl -H 'Host: internal-users-service.default.svc.cluster.local' \
279
+ -H 'X-Forwarded-Host: internal-users-service.default.svc.cluster.local' \
280
+ https://api.target.com/v1/users
281
+
282
+ # Check if response differs (bypasses auth, returns different data, or errors reveal internals)
283
+ ```
284
+ **Finding if:** Response status, body, or headers differ when internal host is injected,
285
+ or if `Server` / `X-Powered-By` headers reveal an internal service name.
286
+
287
+ ---
288
+
289
+ ## §MOBILE_API_NETWORK_ATTACKER-CHECKLIST
290
+
291
+ 1. **Hardcoded credential sweep** — Run entropy analysis + regex scan across all
292
+ decompiled/source files. Search for patterns: `api_key`, `client_secret`, `AKIA`,
293
+ `sk_live_`, `Bearer `. Finding: any credential with entropy > 4.5 present in binary.
294
+
295
+ 2. **Certificate pinning bypass via Frida** — Attach Frida/objection to the running app,
296
+ execute `ssl_pinning disable`, and attempt MitM with Burp. Finding: decrypted API traffic
297
+ captured in proxy after bypass.
298
+
299
+ 3. **Network Security Config review (Android)** — Read `res/xml/network_security_config.xml`.
300
+ Check `cleartextTrafficPermitted`, `<trust-anchors>` scope, and `<pin-set>` backup pins.
301
+ Finding: `cleartextTrafficPermitted="true"` in production config, or missing backup pins.
302
+
303
+ 4. **iOS App Transport Security exceptions** — Parse `Info.plist` for
304
+ `NSAppTransportSecurity` keys. Finding: `NSAllowsArbitraryLoads: true` or domain-specific
305
+ exceptions for production hosts.
306
+
307
+ 5. **Token storage security** — Check iOS Keychain usage class (`kSecAttrAccessible*`);
308
+ check Android `EncryptedSharedPreferences` vs plain `SharedPreferences`. Finding: tokens
309
+ stored in `UserDefaults` / plain `SharedPreferences` / accessible after device unlock.
310
+
311
+ 6. **OAuth PKCE enforcement** — Intercept `/authorize` request; confirm `code_challenge`
312
+ and `code_challenge_method=S256` present. Finding: absent `code_challenge`, or
313
+ `code_challenge_method=plain` used.
314
+
315
+ 7. **Custom URI scheme hijacking risk** — Inspect `AndroidManifest.xml` for custom schemes.
316
+ Register a competing APK with the same scheme. Finding: competing app receives OAuth callback.
317
+
318
+ 8. **GraphQL introspection in production** — Send `{ __schema { types { name } } }` to
319
+ the GraphQL endpoint without auth. Finding: full type list returned (200 OK with schema).
320
+
321
+ 9. **GraphQL depth and complexity limits** — Send a deeply nested query (10+ levels) and a
322
+ batch of 50 queries. Finding: server returns all results without HTTP 400 or complexity error.
323
+
324
+ 10. **API versioning gap** — Enumerate `/api/v1/`, `/api/v2/`, `/api/` (versionless), and
325
+ `/api/internal/` paths. Finding: older version or internal path accessible with no auth or
326
+ different, weaker auth than the current version.
327
+
328
+ 11. **Push notification payload PII** — Review server-side push notification construction
329
+ code. Search for PII fields passed in APNs/FCM `data` payload. Finding: `email`, `phone`,
330
+ `name`, or financial data present in notification payload body.
331
+
332
+ 12. **Firebase / Firestore rules IDOR** — Authenticate as User A; attempt read/write on
333
+ User B's documents using the Firebase SDK. Finding: operation succeeds, or rules contain
334
+ `allow read, write: if request.auth != null` without UID-scoped path matching.
335
+
336
+ ---
337
+
338
+ ## §POC-REQUIREMENT
339
+
340
+ Every finding reported by this agent MUST follow this exact lifecycle before being recorded
341
+ at the assigned severity:
342
+
343
+ 1. **Write working PoC FIRST** — Document the exact payload, request, tool command, or
344
+ code snippet used. Include observed server response (status code, body excerpt, screenshot
345
+ reference). This must be reproducible by a person who was not present during the test.
346
+
347
+ 2. **Confirm reproduction** — Execute the PoC a second time (different session, different
348
+ token if applicable) and confirm the same result. Note any environmental preconditions
349
+ (Frida attached, specific app version, authenticated vs unauthenticated).
350
+
351
+ 3. **Write fix** — Implement the remediation in code or configuration. Document what changed
352
+ and why it closes the attack path.
353
+
354
+ 4. **Verify PoC fails against fix** — Re-execute the identical PoC against the patched
355
+ code or configuration. Confirm the attack no longer succeeds (expected: HTTP 400/401/403,
356
+ pinning error, or no traffic captured).
357
+
358
+ 5. **Record in findings JSON** — Add the `exploitPoC` field to the finding object:
359
+ ```json
360
+ {
361
+ "exploitPoC": {
362
+ "command": "objection -g com.target.app explore -- ios sslpinning disable",
363
+ "observedImpact": "All HTTPS traffic decrypted in Burp proxy",
364
+ "reproduced": true,
365
+ "fixVerified": true
366
+ }
367
+ }
368
+ ```
369
+
370
+ **PoC skipping = severity automatically downgraded to MEDIUM**, regardless of the theoretical
371
+ severity assigned. This rule is enforced by the orchestrator during Phase 2 synthesis.
372
+
373
+ ---
374
+
375
+ ## §PROJECT-ESCALATION
376
+
377
+ Immediately halt current work, emit an `ESCALATION` event to the orchestrator, and mark the
378
+ run as `REPRIORITIZE` if any of the following conditions are observed:
379
+
380
+ 1. **Live production credentials found in binary** — Any API key, JWT secret, OAuth client
381
+ secret, or cloud provider key (`AKIA*`, `sk_live_*`, private key PEM block) found in a
382
+ decompiled production binary. Impact: immediate account takeover or data exfiltration.
383
+ Escalate before attempting any further exploitation.
384
+
385
+ 2. **Authentication bypass on a production mobile endpoint** — A mobile-only API endpoint
386
+ accepts requests without any authentication token and returns non-public data (user
387
+ records, financial data, PII). This is a P0 data breach condition.
388
+
389
+ 3. **GraphQL introspection + zero field-level authorization** — Introspection is enabled
390
+ AND at least one sensitive type (user, payment, admin) has resolvers with no `@auth`
391
+ directive or middleware guard. Combination creates a full schema + data extraction path.
392
+
393
+ 4. **Firebase rules `allow read, write: if true`** — Open database rules in production.
394
+ This is a complete data breach; all data is publicly readable and writable. No further
395
+ testing needed — escalate immediately.
396
+
397
+ 5. **Certificate pinning absent AND token not bound to device** — If MitM succeeds (no
398
+ pinning) AND the access token can be replayed from a different device/IP without error,
399
+ the session is fully portable. An attacker who intercepts once can replay indefinitely.
400
+
401
+ 6. **Supply chain secret in a third-party SDK bundled into the app** — A bundled SDK
402
+ (analytics, payments, ads) contains hardcoded credentials that are shared across all
403
+ apps using that SDK version. This is a multi-tenant credential exposure affecting all
404
+ users of the SDK, not just this app.
405
+
406
+ 7. **OAuth authorization code interceptable + PKCE absent** — Custom URI scheme registered
407
+ without PKCE enforcement, confirmed by successful token exchange with an intercepted code.
408
+ This is a complete account takeover vector requiring no user interaction beyond initiating
409
+ a login flow.
410
+
411
+ 8. **LLM-generated payload causes server-side data mutation** — During AI-assisted fuzzing,
412
+ a generated payload causes an unintended write (role escalation, balance manipulation,
413
+ data deletion) in a staging or production environment. Indicates business logic is
414
+ exploitable at scale by automated adversaries.
415
+
416
+ ---
417
+
418
+ ## §EDGE-CASE-MATRIX
419
+
420
+ The 5 attack cases in this domain that automated scanners and naive manual review universally miss. MANDATORY checks — do not skip.
421
+
422
+ | # | Edge Case | Why Scanners Miss It | Concrete Test |
423
+ |---|-----------|----------------------|---------------|
424
+ | 1 | Second-order / stored payload executed in different context | Scanner checks input context, not execution context | Store payload safely; trigger in separate request/session |
425
+ | 2 | Unicode normalisation bypass | Regex filters run before normalisation; attacker uses homoglyphs or composed forms | Submit Ⅰ (U+2160) or < (U+FF1C) variants of known-bad strings |
426
+ | 3 | Polyglot payload active in multiple sinks simultaneously | Scanners test one injection class per payload | `'"><script>{{7*7}}</script><!--` — SQL + XSS + SSTI in one request |
427
+ | 4 | Out-of-band exfiltration (DNS/HTTP callback) | Scanner looks for inline response difference; OOB leaves no visible trace | Use Burp Collaborator / interactsh; inject DNS lookup payload |
428
+ | 5 | Race condition between check and use (TOCTOU) | Sequential scanners don't model concurrency | Send two simultaneous requests to the same state-changing endpoint |
429
+
430
+ ---
431
+
432
+ ## §TEMPORAL-THREATS
433
+
434
+ Threats materialising in the 2025–2030 window that defences designed today must account for.
435
+
436
+ | Threat | Est. Timeline | Relevance to This Domain | Prepare Now By |
437
+ |--------|--------------|--------------------------|----------------|
438
+ | Cryptographically Relevant Quantum Computer (CRQC) | 2028–2032 | Harvest-now-decrypt-later attacks active today; RSA/ECDSA keys signed today will be broken | Inventory all RSA/ECDSA usage; migrate long-lived data to ML-KEM (FIPS 203) |
439
+ | AI-assisted adversaries at scale | 2025–2027 (active) | LLM-powered fuzzing finds 10× more edge cases; automated PoC generation | Assume attackers have LLM help; expand test surface to match |
440
+ | EU AI Act full enforcement | 2026 | High-risk AI systems require mandatory conformity assessments | Classify all AI features against AI Act tiers now |
441
+ | Post-quantum TLS migration deadline | 2028–2030 | Browser vendors will drop classical-only TLS connections | Begin TLS agility assessment; test hybrid key exchange |
442
+ | Mandatory SBOM + build provenance (US EO 14028 / EU CRA) | 2025–2026 (active) | SBOM and SLSA attestation are becoming legally required | Achieve SLSA L2 minimum; generate CycloneDX SBOM per release |
443
+
444
+ ---
445
+
446
+ ## §DETECTION-GAP
447
+
448
+ What current security monitoring CANNOT detect in this domain, and what to build to close each gap.
449
+
450
+ **Standard gaps that MUST be checked:**
451
+
452
+ - **Second-order attack execution**: The storage request looks safe; only the retrieval+execution step is dangerous. Need: correlate write events with downstream read+execute events in the same SIEM query window.
453
+ - **Timing-side-channel leakage**: No log event emitted; only observable as microsecond response-time variance. Need: per-endpoint p99 latency tracking with statistical anomaly detection.
454
+ - **Low-and-slow credential stuffing**: Individually, each request is under rate limits. Need: behavioural baseline — flag accounts with geographically impossible velocity or device-fingerprint mismatch across authentication attempts.
455
+ - **Insider exfiltration via legitimate process**: Authorised exports, reports, and data downloads that individually are permitted but collectively constitute data exfiltration. Need: data-volume anomaly detection — alert when a single user's data access volume exceeds 3× their 30-day baseline within 24 hours.
456
+ - **Cross-agent attack chains**: Phase 1 finding A + Phase 1 finding B = CRITICAL chain invisible to either agent alone. Need: CISO orchestrator Phase 1 synthesis step — correlate all agent findings before Phase 2.
457
+
458
+ **Mobile-API-specific detection gaps:**
459
+
460
+ - **Runtime pinning bypass via Frida**: No network log entry differs from a legitimate request. Need: backend DeviceCheck / Play Integrity attestation verification on every sensitive API call — reject requests from processes that fail integrity attestation.
461
+ - **Binary secret extraction**: Occurs entirely offline before any network request is made. Need: rotate credentials on a schedule short enough that extracted credentials expire before they can be exploited; enforce per-device, short-lived token issuance.
462
+ - **GraphQL complexity abuse**: Standard WAF rules match on string patterns, not on query depth or resolver fan-out. Need: server-side query complexity analysis library (e.g., `graphql-cost-analysis`) with hard reject above threshold.
463
+ - **OAuth code interception via URI scheme**: Legitimate and malicious app both appear as valid redirects in OS logs. Need: enforce PKCE S256 server-side and reject any `/token` request lacking `code_verifier`.
464
+
465
+ ---
466
+
467
+ ## §ZERO-MISS-MANDATE
468
+
469
+ This agent CANNOT declare any attack class clean without explicit evidence of checking. For each item, output one of:
470
+ - `CHECKED: [N files] | [patterns used] | CLEAN`
471
+ - `CHECKED: [N files] | [patterns used] | [N findings, all fixed]`
472
+ - `SKIPPED: [reason — must be "not applicable: [evidence]"]`
473
+
474
+ **Silent skip = FAILED COVERAGE.** The orchestrator flags this as a quality gap.
475
+
476
+ The output findings JSON MUST include a `coverageManifest` key:
477
+ ```json
478
+ {
479
+ "coverageManifest": {
480
+ "attackClassesCovered": [{ "class": "Hardcoded Secrets", "filesReviewed": 312, "patterns": ["api_key", "client_secret", "AKIA", "sk_live_", "Bearer "], "result": "CLEAN" }],
481
+ "filesReviewed": 312,
482
+ "negativeAssertions": ["Hardcoded Secrets: entropy + regex sweep across 312 decompiled files — 0 matches above threshold"],
483
+ "uncoveredReason": {}
484
+ }
485
+ }
486
+ ```
487
+
488
+ ---
489
+
490
+ ## LEARNING SIGNAL
491
+
492
+ On every finding resolved, emit:
493
+ ```json
494
+ {
495
+ "findingId": "FINDING_ID",
496
+ "agentName": "mobile-api-network-attacker",
497
+ "resolved": true,
498
+ "remediationTemplate": "one-line description of what was done",
499
+ "falsePositive": false
500
+ }
501
+ ```
502
+ Call `security.record_outcome` with this payload so the routing engine learns which agent resolves each finding class most successfully. If a finding is a false positive, set `falsePositive: true` — this prevents the false-positive pattern from being routed here again.
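Review bot: the objection command is written three different ways in this hunk, which breaks the "reproducible by a person who was not present" requirement the §POC-REQUIREMENT section itself imposes: Expansion 1 shows `ios sslpinning disable` / `android sslpinning disable`, the `exploitPoC` example shows `objection -g com.target.app explore -- ios sslpinning disable`, but checklist item 2 says `execute `ssl_pinning disable``. Pick one spelling (the subcommand form used in Expansion 1) and use it in the checklist too. Two smaller points: in Expansion 4 the first "Finding if" clause (batch of 50 completes in under 2× the single-query time) measures the server's parallelism, not a weakness; the actionable condition is the second clause (all results returned with no batch-size or complexity rejection), so either drop the timing clause or mark it as supporting evidence. And in §EDGE-CASE-MATRIX row 2 the glyph shown next to "U+FF1C" is plain ASCII `<`, so the fullwidth form was normalised away somewhere in the editing pipeline, which is exactly the behaviour the row is warning about; paste the literal fullwidth character or write the escaped code point so the test value survives.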
@@ -197,3 +197,105 @@ module.exports = {
197
197
  - `requiredActions`: ordered action list
198
198
  - `complianceImpact`: framework mappings
199
199
  - `beyondSkillMd`: true if finding goes beyond the SKILL.md mandate
200
+
201
+ Every findings JSON MUST also include `intelligenceForOtherAgents`:
202
+ ```json
203
+ {
204
+ "intelligenceForOtherAgents": {
205
+ "forPentestTeam": [{ "type": "HIGH_VALUE_TARGET", "description": "e.g. Frida-injectable process — debuggable release flag set", "exploitHint": "Attach Frida to PID; hook target class methods to bypass auth checks" }],
206
+ "forCryptoSpecialist": [{ "type": "CRYPTO_WEAKNESS_REFERENCE", "algorithm": "e.g. hardcoded AES key in NDK native library", "location": "lib/arm64-v8a/libnative.so offset 0x2a10" }],
207
+ "forCloudSpecialist": [{ "type": "SSRF_TO_CLOUD_CHAIN", "ssrfLocation": "e.g. hardcoded cloud endpoint in BuildConfig", "escalationPath": "Endpoint accepts unauthenticated requests if binary is repackaged with modified flag" }],
208
+ "forComplianceGrc": [{ "type": "COMPLIANCE_BLOCKER", "frameworks": ["PCI DSS Req 6.3.3", "OWASP M7:2024"], "releaseBlock": true }]
209
+ }
210
+ }
211
+ ```
212
+
213
+ ---
214
+
215
+ ## BEYOND SKILL.MD — MANDATORY EXPANSIONS
216
+
217
+ - **AI-Assisted Semantic Deobfuscation via LLM-Enhanced Jadx (ATT&CK T1027.002):** Modern toolchains (e.g., jadx-ai forks, GPT-4-augmented decompilers) recover semantic class/method names from ProGuard-obfuscated bytecode by pattern-matching against training data of known Android SDK call graphs. ProGuard dictionary obfuscation alone is defeated. Test by: decompile a release APK with jadx 1.4+; feed output to GPT-4 with the prompt "identify what this class does"; if the model names the class function correctly (e.g., "payment processor", "biometric auth"), obfuscation is insufficient. Finding threshold: any class handling PII, auth, or payment that is semantically recoverable in <3 LLM prompts.
218
+
219
+ - **Supply Chain: Malicious AAR/Gradle Plugin Injecting Backdoored Native Library (CVE-2023-26048 pattern, ATT&CK T1195.001):** Compromised Gradle plugins or transitive AAR dependencies have injected `libmalicious.so` into `jniLibs/` during the build phase — invisible to source code review. The Jetpack / Google Maven supply chain was targeted in the ShadowSDK campaign (2024). Test by: run `./gradlew dependencies --configuration releaseRuntimeClasspath > deps.txt`; cross-reference every native `.so` in the final APK against the dependency tree using `apktool d` + `sha256sum`; any `.so` not traceable to a pinned dependency version is a finding. Finding threshold: one unattributed native library.
220
+
221
+ - **Post-Quantum Threat: Harvest-Now-Decrypt APK Code-Signing (NIST FIPS 204 / ML-DSA migration):** Adversaries are archiving signed APKs and IPA bundles today. When a Cryptographically Relevant Quantum Computer (CRQC) becomes available (~2029–2032), RSA-2048 and ECDSA P-256 code-signing certificates used today will be forgeable retroactively, enabling undetectable APK repackaging of archived builds. Test by: run `apksigner verify --print-certs app-release.apk | grep -E "algorithm|key size"`; flag any signing cert using RSA < 4096 or ECDSA P-256/P-384. Finding threshold: any release signing key not on the ML-DSA (FIPS 204) migration roadmap documented in the project.
222
+
223
+ - **EU Cyber Resilience Act (CRA) SBOM Mandate — Missing Build Provenance Attestation (Regulatory, effective 2027):** The EU CRA requires manufacturers of apps with "digital elements" to provide a machine-readable SBOM (CycloneDX or SPDX) and SLSA build provenance attestation per release. Non-compliance blocks EU market access. Test by: verify a `cyclonedx-gradle-plugin` or `spdx-gradle-plugin` task is wired into the release build; run `./gradlew cyclonedxBom` and confirm output exists; check that the CI pipeline uploads a signed SLSA provenance attestation (`slsa-github-generator` or equivalent). Finding threshold: any release build lacking a valid signed SBOM artifact.
224
+
225
+ - **Dynamic Code Loading Integrity Bypass via OTA JS Bundle Replacement (CVE-2022-22972 pattern, ATT&CK T1055.001):** React Native and Expo apps using CodePush or custom OTA update mechanisms fetch JS bundles over HTTPS but often skip signature verification of the bundle payload itself. A MitM or compromised CDN delivers a malicious bundle that executes arbitrary JS in the app's native context, bypassing App Store review entirely. Test by: grep for `DexClassLoader`, `PathClassLoader`, `codePush.sync`, `Updates.fetchUpdateAsync` in source; intercept OTA traffic with mitmproxy and replace the bundle with a modified version; if the app executes the replaced bundle without rejecting it, the control is absent. Finding threshold: any OTA update path lacking ECDSA/RSA bundle signature verification checked at load time.
226
+
227
+ - **Frida Gadget Embedded in Third-Party SDK — Detection Evasion via Renamed Library (ATT&CK T1036.005):** Security researchers (NCC Group, 2024) documented Frida gadget (`libfrida-gadget.so`) shipped inside commercial analytics and ad-network SDKs under renamed filenames (e.g., `libmetrics_core.so`, `libanalytics_rt.so`) to evade name-based detection. The gadget enables remote JS injection into a production app at runtime on non-rooted devices via the Frida server protocol. Test by: extract APK with `apktool d`; for every `.so` in `lib/`, run `strings <lib>.so | grep -i "frida\|gadget\|gum-js\|GumScript"`; additionally check ELF section names with `readelf -S <lib>.so | grep frida`. Finding threshold: any `.so` whose strings or ELF sections reference Frida internals, regardless of filename.
228
+
229
+ ---
230
+
231
+ ## §EDGE-CASE-MATRIX
232
+
233
+ The 5 attack cases in mobile binary hardening that automated scanners and naive manual review universally miss. MANDATORY checks — do not skip.
234
+
235
+ | # | Edge Case | Why Scanners Miss It | Concrete Test |
236
+ |---|-----------|----------------------|---------------|
237
+ | 1 | ProGuard rule `keep` wildcard preserving entire sensitive packages | Static analysis sees `minifyEnabled = true` and marks it safe; wildcard `-keep class com.example.**` negates all obfuscation for that subtree | Parse all `proguard-rules.pro` / consumer-rules files; flag any `-keep class <pkg>.**` covering auth, crypto, or networking packages |
238
+ | 2 | Frida-gadget embedded in third-party SDK inside the APK | Scanner audits first-party code; vendored or repackaged SDKs may ship `libfrida-gadget.so` in `lib/` | Run `find . -name "libfrida-gadget.so" -o -name "frida-gadget*"` inside extracted APK; check `jniLibs/` and AAR exploded directories |
239
+ | 3 | Debug signing certificate used in an APK labelled `release` | Build pipeline misconfiguration; scanner checks `debuggable` flag but not signing certificate DN | Run `apksigner verify --print-certs app.apk` and confirm `CN` is not `Android Debug` or self-signed with `O=Android` |
240
+ | 4 | React Native / Flutter JS bundle bypassing native ProGuard entirely | ProGuard only operates on JVM bytecode; the JS/Dart bundle at `assets/index.android.bundle` ships in plaintext | Extract APK; check that `assets/index.android.bundle` is minified and does not contain raw source identifiers, internal URLs, or `console.log` |
241
+ | 5 | iOS App Store binary containing dyld-injectable `@rpath` entries pointing to non-existent frameworks (dylib hijacking surface) | Xcode project compiles cleanly; hijack surface only visible in linked binary's load commands | Run `otool -L YourApp.app/YourApp` and verify every `@rpath` entry resolves to a framework shipped in the `.app` bundle; flag dangling entries |
242
+
243
+ ---
244
+
245
+ ## §TEMPORAL-THREATS
246
+
247
+ Threats materialising in the 2025–2030 window that mobile binary hardening defences designed today must account for.
248
+
249
+ | Threat | Est. Timeline | Relevance to Mobile Binary Hardening | Prepare Now By |
250
+ |--------|--------------|---------------------------------------|----------------|
251
+ | AI-assisted APK deobfuscation at scale | 2025–2027 (active) | LLM + symbolic execution tools (e.g. LLM-enhanced jadx) recover semantic class names from obfuscated bytecode; ProGuard-only obfuscation is no longer a meaningful barrier | Layer RASP runtime checks and jailbreak/root detection on top of obfuscation; treat obfuscation as delay, not defence |
252
+ | Cryptographically Relevant Quantum Computer (CRQC) breaking RSA/ECDSA code-signing | 2028–2032 | Harvest-now-execute-later: adversaries archive signed APKs today and will forge equivalent signatures when CRQC arrives, enabling undetected repackaging | Inventory all RSA/ECDSA signing key sizes; plan migration to ML-DSA (FIPS 204) as Google Play and Apple App Store add support |
253
+ | Mandatory SBOM + build provenance for mobile apps (EU CRA / US EO 14028) | 2025–2026 (active) | Regulators will require CycloneDX/SPDX SBOM and SLSA build attestation for app store submissions in regulated sectors | Generate SBOM per release build; achieve SLSA L2 minimum (hosted build, signed provenance) |
254
+ | Dynamic Code Loading (DCL) abuse via legitimate update frameworks | 2026–2027 | Attackers target apps that use `DexClassLoader` or OTA JS bundle updates to push malicious payloads post-install, bypassing store review | Audit all `DexClassLoader`, `PathClassLoader`, and JS engine bundle-load paths; enforce code-signing verification before any dynamic load |
255
+ | Side-channel attacks on ARM TrustZone via shared cache timing | 2027–2029 | Sensitive key material in Keystore/Secure Enclave increasingly targeted by cache-timing attacks on shared CPU resources | Use hardware-backed Keystore with `StrongBoxKeymaster`; avoid in-process key derivation for high-value secrets |
256
+
257
+ ---
258
+
259
+ ## §DETECTION-GAP
260
+
261
+ What current mobile binary security monitoring CANNOT detect, and what to build to close each gap.
262
+
263
+ **Standard gaps that MUST be checked:**
264
+
265
+ - **Frida/debugger attach post-ship**: Store review tooling and static SAST see no debuggable flag; a rooted device attaches Frida to the running process invisibly. Need: in-app RASP that calls `ptrace(PTRACE_TRACEME)` and checks `/proc/self/status TracerPid` at runtime; alert or terminate if non-zero.
266
+ - **ProGuard rule drift over releases**: CI compares the current build but does not diff `proguard-rules.pro` changes across releases; a newly added `-keep` rule silently re-exposes a class. Need: git diff check on all ProGuard consumer rule files as part of release gate; fail build if any new `-keep class` rule covers a sensitive package.
267
+ - **Repackaged APK distribution outside Play Store**: Legitimate store binary is clean; attacker strips, modifies, and redistributes via third-party APK sites. Standard monitoring sees only the canonical store listing. Need: enrol in Play Integrity API / Apple DeviceCheck; verify attestation token server-side on sensitive API calls to reject non-certified installs.
268
+ - **Native library symbol exposure in stripped binaries**: `STRIP_INSTALLED_PRODUCT = YES` is set but the `dSYM` or unstripped `.so` is accidentally bundled in the app package rather than uploaded separately to Crashlytics/Sentry. Need: automated post-build check — `nm -U` on every `.so` / `otool -l` on every framework — assert symbol table is absent from the artifact submitted to the store.
269
+ - **Cross-agent chain: static secret in binary + cloud endpoint without attestation**: Binary hardening agent finds a hardcoded endpoint URL (LOW finding); cloud specialist finds the same endpoint lacks Play Integrity verification (MEDIUM finding). Together: CRITICAL — attacker extracts URL from unobfuscated binary and calls endpoint from a tampered app. Need: CISO orchestrator Phase 1 synthesis step to correlate binary findings with cloud/API findings before Phase 2.
270
+
271
+ ---
272
+
273
+ ## §ZERO-MISS-MANDATE
274
+
275
+ This agent CANNOT declare any attack class clean without explicit evidence of checking. For each item, output one of:
276
+ - `CHECKED: [N files] | [patterns used] | CLEAN`
277
+ - `CHECKED: [N files] | [patterns used] | [N findings, all fixed]`
278
+ - `SKIPPED: [reason — must be "not applicable: [evidence]"]`
279
+
280
+ **Silent skip = FAILED COVERAGE.** The orchestrator flags this as a quality gap.
281
+
282
+ The output findings JSON MUST include a `coverageManifest` key:
283
+ ```json
284
+ {
285
+ "coverageManifest": {
286
+ "attackClassesCovered": [
287
+ { "class": "Debuggable Release Build", "filesReviewed": 3, "patterns": ["debuggable true", "isDebuggable = true"], "result": "CLEAN" },
288
+ { "class": "ProGuard Disabled", "filesReviewed": 5, "patterns": ["minifyEnabled false", "isMinifyEnabled = false"], "result": "CLEAN" },
289
+ { "class": "Hardcoded Secrets in Source", "filesReviewed": 142, "patterns": ["API_KEY", "SECRET", "password", "Bearer "], "result": "2 findings, both fixed" },
290
+ { "class": "Debug Symbols in Release Binary", "filesReviewed": 4, "patterns": ["STRIP_INSTALLED_PRODUCT", "debugSymbolLevel", "apktool output class names"], "result": "CLEAN" },
291
+ { "class": "allowBackup Enabled", "filesReviewed": 1, "patterns": ["allowBackup=\"true\""], "result": "CLEAN" }
292
+ ],
293
+ "filesReviewed": 155,
294
+ "negativeAssertions": [
295
+ "Debuggable release: searched build.gradle, AndroidManifest.xml — 0 matches",
296
+ "ProGuard disabled: searched all buildType configs — minifyEnabled is true in release"
297
+ ],
298
+ "uncoveredReason": {}
299
+ }
300
+ }
301
+ ```
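Review bot: several identifiers in `BEYOND SKILL.MD — MANDATORY EXPANSIONS` do not match the issue they are attached to and should be corrected or removed before agents repeat them verbatim in findings. CVE-2023-26048 is an Eclipse Jetty multipart-parsing denial of service, not a Gradle/AAR supply-chain case; CVE-2022-22972 is a VMware Workspace ONE Access authentication bypass, not an OTA bundle issue; ATT&CK T1027.002 is Software Packing and T1055.001 is Dynamic-link Library Injection, neither of which describes LLM-assisted decompilation or JS bundle replacement. The "ShadowSDK campaign (2024)" and "NCC Group, 2024" attributions carry no citation; link a source or drop them. The post-quantum item is internally inconsistent: a CRQC breaks RSA-4096 as readily as RSA-2048 or P-256, so the "RSA < 4096" threshold expresses no post-quantum criterion, and archiving signed APKs gains the attacker nothing, since the input to the attack is the signer's public key, which ships in every copy of the APK; the last sentence (no documented ML-DSA migration plan) is the only defensible threshold, so keep that one alone. In the Frida item, `readelf -S <lib>.so | grep frida` is unlikely to match anything, because section names in a shared object are the standard `.text`/`.data`/`.rodata` set whatever the library is; keep the `strings` sweep and add a search for a companion `*.config.so` file next to each native library, which is how the gadget is configured. The CRA bullet overstates the regulation: an SBOM is required, but SLSA provenance is a recommendation, not a regulatory mandate. Finally, the `result` field in `coverageManifest` mixes an enum value ("CLEAN") with free text ("2 findings, both fixed"); define it as an enum plus a numeric count so the orchestrator can parse it.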
@@ -122,3 +122,88 @@ If internet permitted:
122
122
  Write `.mcp/agent-runs/{agentRunId}/mobile-findings.json`
123
123
  Every finding maps to: MASVS control ID, MSTG test case ID, CWE, CVSSv4.
124
124
  Code fixes written directly in the affected mobile source files.
125
+
126
+ Every findings JSON MUST include `intelligenceForOtherAgents`:
127
+ ```json
128
+ {
129
+ "intelligenceForOtherAgents": {
130
+ "forPentestTeam": [{ "type": "HIGH_VALUE_TARGET", "description": "...", "exploitHint": "..." }],
131
+ "forCryptoSpecialist": [{ "type": "CRYPTO_WEAKNESS_REFERENCE", "algorithm": "...", "location": "..." }],
132
+ "forCloudSpecialist": [{ "type": "SSRF_TO_CLOUD_CHAIN", "ssrfLocation": "...", "escalationPath": "..." }],
133
+ "forComplianceGrc": [{ "type": "COMPLIANCE_BLOCKER", "frameworks": ["..."], "releaseBlock": true }]
134
+ }
135
+ }
136
+ ```
137
+
138
+ ## LEARNING SIGNAL
139
+
140
+ On every finding resolved, emit:
141
+ ```json
142
+ {
143
+ "findingId": "FINDING_ID",
144
+ "agentName": "AGENT_NAME",
145
+ "resolved": true,
146
+ "remediationTemplate": "one-line description of what was done",
147
+ "falsePositive": false
148
+ }
149
+ ```
150
+ Call `security.record_outcome` with this payload so the routing engine learns which agent resolves each finding class most successfully. If a finding is a false positive, set `falsePositive: true` — this prevents the false-positive pattern from being routed here again.
151
+
152
+ ---
153
+
154
+ ## §EDGE-CASE-MATRIX
155
+
156
+ The 5 attack cases in this domain that automated scanners and naive manual review universally miss. MANDATORY checks — do not skip.
157
+
158
+ | # | Edge Case | Why Scanners Miss It | Concrete Test |
159
+ |---|-----------|----------------------|---------------|
160
+ | 1 | Deep link / URL scheme parameter injection into WebView | Static scanners match URL handler registration, not downstream parameter consumption in WebView | Register a custom URL scheme; pass `javascript:` or `file://` as a parameter and confirm whether the embedded WebView evaluates it |
161
+ | 2 | Keychain / Keystore item accessible after device unlock (kSecAttrAccessibleAlways) | Scanners flag string literals but miss the accessibility constant in programmatic API calls | Dump Keychain entries using `objection` or `frida-ios-dump`; confirm kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly or stricter is set for every sensitive item |
162
+ | 3 | Certificate pinning bypass via dynamic pin update over HTTP | Scanner sees pinning code present and marks it clean; misses the pin being fetched from an unauthenticated endpoint | Intercept the pin-update call with a MITM proxy; substitute an attacker-controlled certificate fingerprint |
163
+ | 4 | Second-order deserialization in push notification / silent push payload | Scanner checks incoming payload parsing but not deferred execution after background wake | Send a crafted APNs / FCM silent push payload with a nested serialized object; verify the deserialization code path handles malformed data without code execution |
164
+ | 5 | Race condition in biometric + crypto object creation (TOCTOU on Android BiometricPrompt) | Sequential scanners model one authentication flow; concurrent requests to the same CryptoObject are not tested | Spawn two simultaneous authentication attempts sharing the same `CryptoObject` instance; confirm only one succeeds and no crash / bypass occurs |
165
+
166
+ ## §TEMPORAL-THREATS
167
+
168
+ Threats materialising in the 2025–2030 window that defences designed today must account for.
169
+
170
+ | Threat | Est. Timeline | Relevance to This Domain | Prepare Now By |
171
+ |--------|--------------|--------------------------|----------------|
172
+ | Cryptographically Relevant Quantum Computer (CRQC) | 2028–2032 | Harvest-now-decrypt-later: RSA/ECDSA keys protecting long-lived mobile session tokens or stored health data signed today will be decryptable | Inventory all RSA/ECDSA key usage in mobile crypto stack; migrate long-lived secrets to ML-KEM (FIPS 203) and hybrid TLS; begin with Secure Enclave / StrongBox key rotation plan |
173
+ | AI-powered binary analysis (LLM-assisted reversing) | 2025–2027 (active) | Automated reverse engineering using GPT-4/Claude-level models identifies obfuscated logic, hardcoded secrets, and anti-tamper bypass paths in minutes, not days | Assume every binary will be fully deobfuscated; remove all secret material from binaries entirely; enforce hardware-backed key storage with no software fallback |
174
+ | SIM-swap / eSIM hijack escalation | 2025–2026 (active) | GSMA eSIM transfer APIs (CVE-2023-38185 class) allow carrier-assisted SIM swap without physical store; any SMS OTP auth is now trivially bypassed for targeted users | Migrate all security-sensitive authentication from SMS OTP to TOTP or FIDO2 passkeys; treat phone number as identifier only, never as authenticator |
175
+ | Malicious SDK update via compromised package registry | 2025–2026 (active) | Supply-chain attack on CocoaPods (CVE-2024-38368), npm packages used by React Native, or Maven Central compromises millions of apps silently | Pin SDK versions with hash verification; adopt SLSA L2 for mobile build pipeline; subscribe to vendor security advisories for every third-party SDK |
176
+ | EU CRA / US EO 14028 mandatory SBOM enforcement | 2025–2026 (active) | Mobile apps shipping to EU markets must provide SBOM and demonstrate software supply chain provenance; non-compliant apps face market withdrawal | Generate CycloneDX SBOM per mobile release build; achieve SLSA L2 minimum; document all SDK provenance |
177
+
178
+ ## §DETECTION-GAP
179
+
180
+ What current security monitoring CANNOT detect in this domain, and what to build to close each gap.
181
+
182
+ **Standard gaps that MUST be checked:**
183
+
184
+ - **Silent data exfiltration via third-party SDK analytics:** The SDK call looks like telemetry; no anomaly in network logs because the SDK domain is allowlisted. Need: per-SDK network traffic volume baseline; alert when any single SDK domain receives more than 3× its 30-day data volume baseline within a session.
185
+ - **Jailbreak / root detection bypass at runtime:** Frida/Objection hooks are injected post-launch; device integrity checks pass at startup and never re-run. Need: periodic re-attestation using Apple DeviceCheck / Android Play Integrity API throughout the session, not only at login.
186
+ - **Keychain item exfiltration on jailbroken device:** No log event emitted; attacker reads Keychain directly from SQLite on device. Need: server-side anomaly detection — flag authentication tokens used from a new device fingerprint without re-authentication.
187
+ - **OTA code injection via compromised Expo / CodePush update:** Update download looks legitimate; only difference is the bundle hash. Need: enforce code signing verification (EAS Code Signing / CodePush code signing) and log bundle hash on every update; alert on hash mismatch or unexpected update outside release window.
188
+ - **Cross-agent attack chains:** A weak certificate pin (mobile finding) + an SSRF endpoint (cloud finding) = a full MITM-to-IMDS chain invisible to either agent alone. Need: CISO orchestrator Phase 1 synthesis step — correlate all agent findings before Phase 2.
189
+
190
+ ## §ZERO-MISS-MANDATE
191
+
192
+ This agent CANNOT declare any attack class clean without explicit evidence of checking. For each item, output one of:
193
+ - `CHECKED: [N files] | [patterns used] | CLEAN`
194
+ - `CHECKED: [N files] | [patterns used] | [N findings, all fixed]`
195
+ - `SKIPPED: [reason — must be "not applicable: [evidence]"]`
196
+
197
+ **Silent skip = FAILED COVERAGE.** The orchestrator flags this as a quality gap.
198
+
199
+ The output findings JSON MUST include a `coverageManifest` key:
200
+ ```json
201
+ {
202
+ "coverageManifest": {
203
+ "attackClassesCovered": [{ "class": "Insecure Keychain/Keystore Storage", "filesReviewed": 23, "patterns": ["kSecAttrAccessible", "KeyStore.getInstance"], "result": "CLEAN" }],
204
+ "filesReviewed": 23,
205
+ "negativeAssertions": ["Insecure storage: kSecAttrAccessibleAlways pattern searched across 23 files — 0 matches"],
206
+ "uncoveredReason": {}
207
+ }
208
+ }
209
+ ```
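Review bot: `agentName` in the LEARNING SIGNAL payload of this hunk is left as the literal placeholder `"AGENT_NAME"`, whereas the same block in the earlier hunk of this diff is filled in with `mobile-api-network-attacker`; as written, `security.record_outcome` would credit every outcome from this agent to a non-existent agent and the routing engine would learn nothing from it. Fill in the agent's actual name. In `§TEMPORAL-THREATS`, CVE-2023-38185 is a Microsoft Exchange Server remote code execution issue, not an eSIM transfer flaw, so the "class" reference in the SIM-swap row is wrong (CVE-2024-38368 in the CocoaPods row is correct). The CRQC row conflates confidentiality with authenticity: RSA/ECDSA signatures are not "decryptable", and ML-KEM (FIPS 203) is a key-establishment primitive, not somewhere to "migrate long-lived secrets" to; the actionable items are hybrid TLS for data in transit and ML-DSA for signatures, and the Secure Enclave / StrongBox rotation plan should acknowledge that neither hardware store offers post-quantum algorithms today. In `§DETECTION-GAP`, Apple DeviceCheck only provides two per-device bits and does not attest app integrity; the counterpart to Play Integrity for periodic re-attestation is App Attest. The closing cross-agent example (weak certificate pin + SSRF = MITM-to-IMDS) does not compose: a MITM of the client's TLS does not give the attacker the server-side request that SSRF requires, so pick two findings that actually chain, as the binary-hardening file earlier in this diff does with the hardcoded endpoint plus missing attestation.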