security-mcp 1.1.4 → 1.3.3

Files changed (158)
  1. package/README.md +341 -1018
  2. package/defaults/checklists/ai.json +20 -1
  3. package/defaults/checklists/api.json +35 -1
  4. package/defaults/checklists/infra.json +34 -1
  5. package/defaults/checklists/mobile.json +23 -1
  6. package/defaults/checklists/payments.json +15 -1
  7. package/defaults/checklists/web.json +11 -1
  8. package/defaults/cloud-controls/aws.json +10712 -0
  9. package/defaults/cloud-controls/azure.json +7201 -0
  10. package/defaults/cloud-controls/gcp.json +4061 -0
  11. package/defaults/control-catalog.json +24 -0
  12. package/defaults/security-policy.json +2 -2
  13. package/dist/ci/pr-gate.js +22 -5
  14. package/dist/cli/index.js +73 -2
  15. package/dist/cli/install.js +4 -55
  16. package/dist/cli/onboarding.js +18 -10
  17. package/dist/gate/baseline.js +82 -7
  18. package/dist/gate/catalog.js +10 -2
  19. package/dist/gate/checks/agentic-instructions.js +515 -0
  20. package/dist/gate/checks/ai-governance.js +132 -0
  21. package/dist/gate/checks/ai.js +757 -39
  22. package/dist/gate/checks/auth-deep.js +920 -216
  23. package/dist/gate/checks/business-logic.js +751 -0
  24. package/dist/gate/checks/ci-pipeline.js +399 -4
  25. package/dist/gate/checks/cloud-controls.js +69 -0
  26. package/dist/gate/checks/crypto.js +423 -2
  27. package/dist/gate/checks/data-platform.js +954 -0
  28. package/dist/gate/checks/dependencies.js +582 -15
  29. package/dist/gate/checks/docker-deep.js +1236 -0
  30. package/dist/gate/checks/gitops.js +724 -0
  31. package/dist/gate/checks/graphql.js +201 -19
  32. package/dist/gate/checks/iac.js +1230 -0
  33. package/dist/gate/checks/infra.js +246 -1
  34. package/dist/gate/checks/injection-deep.js +827 -184
  35. package/dist/gate/checks/k8s.js +955 -2
  36. package/dist/gate/checks/mobile-android.js +917 -3
  37. package/dist/gate/checks/mobile-ios.js +797 -5
  38. package/dist/gate/checks/required-artifacts.js +194 -0
  39. package/dist/gate/checks/runtime.js +178 -0
  40. package/dist/gate/checks/secrets.js +256 -13
  41. package/dist/gate/checks/supply-chain-deep.js +787 -0
  42. package/dist/gate/checks/web-nextjs.js +572 -48
  43. package/dist/gate/cloud-controls/apply.js +115 -0
  44. package/dist/gate/cloud-controls/bicep.js +36 -0
  45. package/dist/gate/cloud-controls/cfn.js +125 -0
  46. package/dist/gate/cloud-controls/detect.js +104 -0
  47. package/dist/gate/cloud-controls/hcl.js +140 -0
  48. package/dist/gate/cloud-controls/types.js +87 -0
  49. package/dist/gate/diff.js +17 -5
  50. package/dist/gate/evidence.js +8 -1
  51. package/dist/gate/exceptions.js +202 -9
  52. package/dist/gate/findings.js +15 -2
  53. package/dist/gate/policy.js +316 -130
  54. package/dist/gate/threat-intel.js +6 -0
  55. package/dist/mcp/audit-chain.js +131 -28
  56. package/dist/mcp/auth.js +169 -0
  57. package/dist/mcp/learning.js +129 -4
  58. package/dist/mcp/model-router.js +161 -24
  59. package/dist/mcp/orchestration.js +377 -89
  60. package/dist/mcp/server.js +460 -69
  61. package/dist/mcp/tool-audit.js +193 -0
  62. package/dist/repo/fs.js +37 -1
  63. package/dist/repo/search.js +31 -6
  64. package/dist/review/store.js +56 -3
  65. package/dist/tests/run.js +124 -1
  66. package/package.json +9 -9
  67. package/skills/_TEMPLATE/SKILL.md +99 -0
  68. package/skills/advanced-dos-tester/SKILL.md +118 -0
  69. package/skills/agentic-instruction-auditor/SKILL.md +111 -0
  70. package/skills/agentic-loop-exploiter/SKILL.md +377 -0
  71. package/skills/ai-llm-redteam/SKILL.md +113 -0
  72. package/skills/ai-model-supply-chain-agent/SKILL.md +112 -0
  73. package/skills/algorithm-implementation-reviewer/SKILL.md +107 -0
  74. package/skills/android-penetration-tester/SKILL.md +464 -46
  75. package/skills/anti-replay-tester/SKILL.md +115 -0
  76. package/skills/appsec-code-auditor/SKILL.md +94 -0
  77. package/skills/artifact-integrity-analyst/SKILL.md +450 -0
  78. package/skills/attack-navigator/SKILL.md +476 -8
  79. package/skills/auth-session-hacker/SKILL.md +111 -0
  80. package/skills/aws-penetration-tester/SKILL.md +510 -0
  81. package/skills/azure-penetration-tester/SKILL.md +542 -3
  82. package/skills/binary-auth-validator/SKILL.md +120 -0
  83. package/skills/bot-detection-specialist/SKILL.md +118 -0
  84. package/skills/business-logic-attacker/SKILL.md +240 -0
  85. package/skills/capec-code-mapper/SKILL.md +93 -0
  86. package/skills/cert-pin-rotation-specialist/SKILL.md +121 -0
  87. package/skills/cicd-pipeline-hijacker/SKILL.md +414 -0
  88. package/skills/ciso-orchestrator/SKILL.md +465 -43
  89. package/skills/cloud-infra-specialist/SKILL.md +127 -0
  90. package/skills/compliance-gap-analyst/SKILL.md +431 -0
  91. package/skills/compliance-grc/SKILL.md +94 -0
  92. package/skills/compliance-lifecycle-tracker/SKILL.md +93 -0
  93. package/skills/container-hardening-auditor/SKILL.md +125 -0
  94. package/skills/credential-stuffing-specialist/SKILL.md +111 -0
  95. package/skills/crypto-pki-specialist/SKILL.md +96 -0
  96. package/skills/csa-ccm-mapper/SKILL.md +93 -0
  97. package/skills/csf2-governance-mapper/SKILL.md +93 -0
  98. package/skills/data-platform-auditor/SKILL.md +125 -0
  99. package/skills/deep-link-fuzzer/SKILL.md +118 -0
  100. package/skills/dependency-confusion-attacker/SKILL.md +424 -0
  101. package/skills/device-integrity-aggregator/SKILL.md +117 -0
  102. package/skills/dos-resilience-tester/SKILL.md +106 -0
  103. package/skills/dread-scorer/SKILL.md +93 -0
  104. package/skills/egress-policy-enforcer/SKILL.md +108 -0
  105. package/skills/evidence-collector/SKILL.md +107 -0
  106. package/skills/file-upload-attacker/SKILL.md +118 -0
  107. package/skills/gcp-penetration-tester/SKILL.md +510 -2
  108. package/skills/git-history-secret-scanner/SKILL.md +115 -0
  109. package/skills/gitops-delivery-auditor/SKILL.md +120 -0
  110. package/skills/iac-security-auditor/SKILL.md +125 -0
  111. package/skills/iam-privesc-graph-builder/SKILL.md +161 -0
  112. package/skills/incident-responder/SKILL.md +120 -0
  113. package/skills/injection-specialist/SKILL.md +111 -0
  114. package/skills/ios-security-auditor/SKILL.md +291 -0
  115. package/skills/json-ambiguity-tester/SKILL.md +145 -0
  116. package/skills/k8s-container-escaper/SKILL.md +406 -0
  117. package/skills/key-management-lifecycle-analyst/SKILL.md +107 -0
  118. package/skills/kill-switch-engineer/SKILL.md +111 -0
  119. package/skills/linddun-privacy-analyst/SKILL.md +111 -0
  120. package/skills/logic-race-fuzzer/SKILL.md +452 -0
  121. package/skills/mobile-api-network-attacker/SKILL.md +430 -0
  122. package/skills/mobile-binary-hardener/SKILL.md +111 -0
  123. package/skills/mobile-security-specialist/SKILL.md +94 -0
  124. package/skills/mobile-webview-auditor/SKILL.md +105 -0
  125. package/skills/model-extraction-attacker/SKILL.md +228 -0
  126. package/skills/multipart-abuse-tester/SKILL.md +93 -0
  127. package/skills/oauth-pkce-specialist/SKILL.md +113 -0
  128. package/skills/parser-exhaustion-tester/SKILL.md +151 -0
  129. package/skills/pentest-infra/SKILL.md +107 -0
  130. package/skills/pentest-social/SKILL.md +210 -0
  131. package/skills/pentest-team/SKILL.md +96 -0
  132. package/skills/pentest-web-api/SKILL.md +107 -0
  133. package/skills/privacy-flow-analyst/SKILL.md +243 -0
  134. package/skills/prompt-injection-specialist/SKILL.md +403 -0
  135. package/skills/quantum-migration-planner/SKILL.md +105 -0
  136. package/skills/rag-poisoning-specialist/SKILL.md +367 -0
  137. package/skills/registry-mirror-enforcer/SKILL.md +93 -0
  138. package/skills/rotation-validation-agent/SKILL.md +121 -0
  139. package/skills/samm-assessor/SKILL.md +94 -0
  140. package/skills/secrets-mask-bypass-tester/SKILL.md +109 -0
  141. package/skills/senior-security-engineer/SKILL.md +178 -0
  142. package/skills/serialization-memory-attacker/SKILL.md +341 -0
  143. package/skills/session-timeout-tester/SKILL.md +170 -0
  144. package/skills/slsa-level3-enforcer/SKILL.md +121 -0
  145. package/skills/slsa-provenance-enforcer/SKILL.md +111 -0
  146. package/skills/ssrf-detection-validator/SKILL.md +117 -0
  147. package/skills/step-up-auth-enforcer/SKILL.md +93 -0
  148. package/skills/stride-pasta-analyst/SKILL.md +429 -0
  149. package/skills/supply-chain-devsecops/SKILL.md +107 -0
  150. package/skills/threat-infrastructure-analyst/SKILL.md +93 -0
  151. package/skills/threat-modeler/SKILL.md +94 -0
  152. package/skills/tls-certificate-auditor/SKILL.md +582 -18
  153. package/skills/token-reuse-detector/SKILL.md +104 -0
  154. package/skills/trike-risk-modeler/SKILL.md +93 -0
  155. package/skills/unicode-homograph-tester/SKILL.md +93 -0
  156. package/skills/waf-rule-lifecycle-agent/SKILL.md +106 -0
  157. package/skills/webhook-security-tester/SKILL.md +111 -0
  158. package/skills/zero-trust-architect/SKILL.md +118 -0
@@ -22,6 +22,15 @@ from the web API — often with different, weaker controls.
22
22
  Find mobile-specific API security issues: hardcoded credentials, missing versioning,
23
23
  certificate pinning bypass vectors, and GraphQL/REST endpoint exposure gaps.
24
24
 
25
+ ## BEYOND THE CHECKS — AUTONOMOUS DETECT & FIX
26
+
27
+ The `mobile-android.ts`, `mobile-ios.ts`, and `api.ts` detection modules (`src/gate/checks/mobile-android.ts`, `src/gate/checks/mobile-ios.ts`, `src/gate/checks/api.ts`) are your deterministic floor, not your ceiling. Treat their finding IDs as the minimum, then reason past single-line/single-file pattern matching — and APPLY the fix (Edit), not just advise:
28
+
29
+ - **Cross-file / data-flow reasoning the regex can't do:** a hardcoded key flagged in `BuildConfig.java` becomes a full account-takeover only when you join it to the `api.ts` endpoint it authenticates and confirm that endpoint lacks device attestation — and a mobile-only route may enforce weaker auth than its web twin, visible only by comparing the two route definitions across files. Trace token storage (Keychain/EncryptedSharedPreferences) through to its transmission header and the server's validation.
30
+ - **Semantic / effective-state analysis:** certificate pinning that compares the full cert (not the SPKI hash) breaks on renewal and is often disabled in practice; OAuth on a custom URI scheme without PKCE S256 is *effectively* interceptable. Judge the real trust decision and whether the `/token` endpoint actually requires `code_verifier`, not the presence of a pinning block.
31
+ - **External corroboration:** WebSearch/WebFetch current advisories for the mobile stack (OAuth URI-scheme hijack CVE-2019-9700 class, Firebase rules misconfig, GraphQL introspection exposure) and the targeted SDK versions.
32
+ - **Apply & prove:** apply the config/code fix inline, then re-run `src/gate/checks/mobile-android.ts`/`mobile-ios.ts`/`api.ts` plus a `mobsf` scan, a `frida`/`objection` pinning-bypass attempt against a `mitmproxy`/Burp MitM, and an introspection probe (`{ __schema { types { name } } }`) as a regression floor, then re-audit. Emit the LEARNING SIGNAL per fix; surface trade-offs (e.g. strict pinning complicating cert rotation) against the secure default.
33
+
25
34
  ## EXECUTION
26
35
 
27
36
  1. **Hardcoded secrets in mobile code:**
@@ -79,3 +88,424 @@ certificate pinning bypass vectors, and GraphQL/REST endpoint exposure gaps.
79
88
  - Hardcoded secret location or API vulnerability
80
89
  - Mobile-specific exploit scenario
81
90
  - Fix applied to code or API configuration
91
+
92
+ Every findings JSON MUST include `intelligenceForOtherAgents`:
93
+ ```json
94
+ {
95
+ "intelligenceForOtherAgents": {
96
+ "forPentestTeam": [{ "type": "HIGH_VALUE_TARGET", "description": "...", "exploitHint": "..." }],
97
+ "forCryptoSpecialist": [{ "type": "CRYPTO_WEAKNESS_REFERENCE", "algorithm": "...", "location": "..." }],
98
+ "forCloudSpecialist": [{ "type": "SSRF_TO_CLOUD_CHAIN", "ssrfLocation": "...", "escalationPath": "..." }],
99
+ "forComplianceGrc": [{ "type": "COMPLIANCE_BLOCKER", "frameworks": ["..."], "releaseBlock": true }]
100
+ }
101
+ }
102
+ ```
103
+
104
+ ---
105
+
106
+ ## BEYOND SKILL.MD — MANDATORY EXPANSIONS
107
+
108
+ ### Expansion 1 — Frida-Based Certificate Pinning Bypass (CVE-Class: Platform Trust Abuse)
109
+
110
+ **Technique:** Use Frida dynamic instrumentation to hook `SecTrustEvaluate` (iOS) or
111
+ `X509TrustManager.checkServerTrusted` (Android) at runtime and force a trust decision of
112
+ `errSecSuccess` / no-throw regardless of the certificate presented. This defeats both native
113
+ cert pinning and most SDK-level pinning (TrustKit, OkHttp `CertificatePinner`).
114
+
115
+ **Concrete test:**
116
+ ```bash
117
+ # Attach Frida to running app process
118
+ frida -U -l ssl_bypass.js -f com.target.app --no-pause
119
+ # ssl_bypass.js — universal bypass script (objection ships one)
120
+ objection -g com.target.app explore
121
+ # then: ios sslpinning disable OR android sslpinning disable
122
+ ```
123
+ **Finding if:** MitM proxy (Burp/Charles) captures decrypted API traffic after Frida hook
124
+ is active. Indicates pinning is bypassable at runtime — even if statically verified.
125
+
126
+ **Mitigation check:** Verify the app uses jailbreak/root detection AND integrity attestation
127
+ (Google Play Integrity API / Apple DeviceCheck) so that a Frida-attached process is refused
128
+ by the backend, not just by the client-side pin.
129
+
130
+ ---
131
+
132
+ ### Expansion 2 — Binary Secret Extraction via strings + Radare2 / jadx
133
+
134
+ **Technique:** Strip the IPA or APK, run `strings` over the binary, and pipe through entropy
135
+ analysis to surface high-entropy blobs (API keys, JWT secrets, AES keys). Then use `jadx` or
136
+ `r2` to find the call site and understand how the secret is used.
137
+
138
+ **Concrete test:**
139
+ ```bash
140
+ # Android: decompile APK
141
+ jadx -d out/ target.apk
142
+ grep -rE '[A-Za-z0-9_\-]{32,}' out/ | grep -viE 'import|package|class|layout'
143
+
144
+ # iOS: extract binary from IPA, scan with rabin2
145
+ unzip -o target.ipa && rabin2 -z Payload/App.app/App | awk 'length($NF) > 30'
146
+
147
+ # Entropy sweep (detect base64 keys)
148
+ python3 -c "
149
+ import math, re, sys
150
+ data = open(sys.argv[1]).read()
151
+ for m in re.findall(r'[A-Za-z0-9+/=]{32,}', data):
152
+ h = -sum(p*math.log2(p) for c in set(m) if (p := m.count(c)/len(m)) > 0)
153
+ if h > 4.5: print(h, m)
154
+ " out/sources/com/target/app/BuildConfig.java
155
+ ```
156
+ **Finding if:** Secret with entropy > 4.5 found in decompiled source that matches a live
157
+ credential (confirm with a real API call).
158
+
159
+ ---
160
+
161
+ ### Expansion 3 — OAuth PKCE Downgrade via Custom URI Scheme Hijacking (CVE-2019-9700 class)
162
+
163
+ **Technique:** Android apps that register a custom URI scheme (`myapp://callback`) for OAuth
164
+ redirect are vulnerable to scheme hijacking: a malicious app registers the same scheme and
165
+ intercepts the authorization code. Without PKCE, the hijacker can exchange the code for tokens.
166
+
167
+ **Concrete test:**
168
+ 1. Inspect `AndroidManifest.xml` for `<intent-filter>` with `<data android:scheme="myapp"/>`.
169
+ 2. Register a second test APK with the identical scheme.
170
+ 3. Initiate OAuth login on the victim app — observe which app receives the callback.
171
+ 4. Without PKCE (`code_challenge` absent in `/authorize` request), exchange the code:
172
+ ```bash
173
+ curl -X POST https://auth.target.com/oauth/token \
174
+ -d 'grant_type=authorization_code&code=INTERCEPTED_CODE&redirect_uri=myapp://callback&client_id=...'
175
+ ```
176
+ **Finding if:** Token exchange succeeds without `code_verifier`.
177
+
178
+ ---
179
+
180
+ ### Expansion 4 — GraphQL Batch Query Amplification DoS
181
+
182
+ **Technique:** GraphQL allows multiple operations in a single HTTP request (batching). Without
183
+ a per-request complexity budget, an attacker sends a batch of 100 identical expensive queries,
184
+ each resolving N+1 DB calls, multiplying backend load by 100× with a single HTTP request.
185
+
186
+ **Concrete test:**
187
+ ```bash
188
+ curl -X POST https://api.target.com/graphql \
189
+ -H 'Content-Type: application/json' \
190
+ -d '[
191
+ {"query": "{ users { id orders { id items { id product { id reviews { id } } } } } }"},
192
+ {"query": "{ users { id orders { id items { id product { id reviews { id } } } } } }"}
193
+ ]'
194
+ # Repeat 100x in the array; measure response time vs single query
195
+ ```
196
+ **Finding if:** Batch of 50 queries completes in < 2× the time of a single query (server is
197
+ parallelising without complexity limits), or the server returns HTTP 200 with all results
198
+ (no batch size limit).
199
+
200
+ ---
201
+
202
+ ### Expansion 5 — Firebase Security Rules Privilege Escalation (CVE-class: Misconfigured NoSQL)
203
+
204
+ **Technique:** Firebase Realtime Database and Firestore rules are frequently misconfigured to
205
+ allow reads or writes when `auth != null`, without validating the authenticated user's
206
+ relationship to the data being accessed (i.e., horizontal privilege escalation).
207
+
208
+ **Concrete test:**
209
+ ```javascript
210
+ // Using Firebase JS SDK with a legitimately authenticated user
211
+ const db = firebase.firestore();
212
+ // Try reading another user's private document
213
+ const snap = await db.collection('users').doc('victim-uid').get();
214
+ console.log(snap.exists, snap.data());
215
+ // Try writing to another user's document
216
+ await db.collection('users').doc('victim-uid').update({ email: 'attacker@evil.com' });
217
+ ```
218
+ Also check rules source directly:
219
+ ```bash
220
+ # Download rules via Firebase CLI
221
+ firebase firestore:rules:list
222
+ # Look for: allow read, write: if request.auth != null;
223
+ # (no uid check = IDOR for all authenticated users)
224
+ ```
225
+
226
+ ---
227
+
228
+ ### Expansion 6 — AI-Assisted API Fuzzing via LLM-Generated Payloads (Post-2024 Threat)
229
+
230
+ **Technique:** Adversaries now use LLMs (GPT-4o, local Llama 3 fine-tuned on API specs) to
231
+ auto-generate semantically valid but malicious request bodies that pass schema validation
232
+ while exploiting business logic. Unlike dumb fuzzing, LLM fuzzing understands field semantics
233
+ (e.g., sets `quantity: -1` or `role: "admin"` in a user-supplied patch body).
234
+
235
+ **Concrete test:**
236
+ ```python
237
+ # Feed OpenAPI spec to LLM, ask for adversarial payloads
238
+ import anthropic
239
+ client = anthropic.Anthropic()
240
+ spec = open("openapi.yaml").read()
241
+ response = client.messages.create(
242
+ model="claude-sonnet-4-6",
243
+ max_tokens=2048,
244
+ messages=[{
245
+ "role": "user",
246
+ "content": f"Given this API spec, generate 10 adversarial payloads targeting IDOR, privilege escalation, and negative quantity exploits:\n{spec}"
247
+ }]
248
+ )
249
+ # Send each generated payload to the API; measure server behaviour
250
+ ```
251
+ **Finding if:** Server returns HTTP 200 or 201 for payloads that should be rejected by
252
+ business logic (negative values, escalated roles, cross-user resource IDs).
253
+
254
+ ---
255
+
256
+ ### Expansion 7 — LLM-Assisted Mobile Binary Analysis for Obfuscated Secrets (Post-2024 Threat)
257
+
258
+ **Technique:** Attackers (and defenders) now feed decompiled smali/LLVM IR to LLMs to
259
+ identify obfuscated secret assembly — strings split across multiple functions, XOR-decoded at
260
+ runtime, or base64-encoded fragments concatenated at call time. Classic `strings` misses these.
261
+
262
+ **Concrete test:**
263
+ 1. Decompile APK to smali with `apktool d target.apk`.
264
+ 2. Feed suspicious smali classes to an LLM with prompt: "Identify any string construction
265
+ patterns that assemble a secret key or API credential at runtime."
266
+ 3. Trace identified assembly patterns through dynamic analysis (Frida `Interceptor.attach`
267
+ on the final concatenation point) to capture the runtime value.
268
+
269
+ **Finding if:** Runtime-captured string matches a live API credential or secret format
270
+ (UUID, JWT, AWS key prefix `AKIA`, Stripe key prefix `sk_live_`).
271
+
272
+ ---
273
+
274
+ ### Expansion 8 — API Gateway Bypass via Host Header Injection to Internal Services
275
+
276
+ **Technique:** Mobile apps sometimes contact an API gateway that proxies to internal
277
+ microservices. If the gateway routes based on the `Host` header and does not validate it
278
+ against an allowlist, an attacker can inject a host header pointing to an internal service
279
+ address, potentially bypassing gateway-level auth enforcement.
280
+
281
+ **Concrete test:**
282
+ ```bash
283
+ # Standard request through gateway
284
+ curl -H 'Host: api.target.com' https://api.target.com/v1/users
285
+
286
+ # Inject internal host to attempt bypass
287
+ curl -H 'Host: internal-users-service.default.svc.cluster.local' \
288
+ -H 'X-Forwarded-Host: internal-users-service.default.svc.cluster.local' \
289
+ https://api.target.com/v1/users
290
+
291
+ # Check if response differs (bypasses auth, returns different data, or errors reveal internals)
292
+ ```
293
+ **Finding if:** Response status, body, or headers differ when internal host is injected,
294
+ or if `Server` / `X-Powered-By` headers reveal an internal service name.
295
+
296
+ ---
297
+
298
+ ## §MOBILE_API_NETWORK_ATTACKER-CHECKLIST
299
+
300
+ 1. **Hardcoded credential sweep** — Run entropy analysis + regex scan across all
301
+ decompiled/source files. Search for patterns: `api_key`, `client_secret`, `AKIA`,
302
+ `sk_live_`, `Bearer `. Finding: any credential with entropy > 4.5 present in binary.
303
+
304
+ 2. **Certificate pinning bypass via Frida** — Attach Frida/objection to the running app,
305
+ execute `ssl_pinning disable`, and attempt MitM with Burp. Finding: decrypted API traffic
306
+ captured in proxy after bypass.
307
+
308
+ 3. **Network Security Config review (Android)** — Read `res/xml/network_security_config.xml`.
309
+ Check `cleartextTrafficPermitted`, `<trust-anchors>` scope, and `<pin-set>` backup pins.
310
+ Finding: `cleartextTrafficPermitted="true"` in production config, or missing backup pins.
311
+
312
+ 4. **iOS App Transport Security exceptions** — Parse `Info.plist` for
313
+ `NSAppTransportSecurity` keys. Finding: `NSAllowsArbitraryLoads: true` or domain-specific
314
+ exceptions for production hosts.
315
+
316
+ 5. **Token storage security** — Check iOS Keychain usage class (`kSecAttrAccessible*`);
317
+ check Android `EncryptedSharedPreferences` vs plain `SharedPreferences`. Finding: tokens
318
+ stored in `UserDefaults` / plain `SharedPreferences` / accessible after device unlock.
319
+
320
+ 6. **OAuth PKCE enforcement** — Intercept `/authorize` request; confirm `code_challenge`
321
+ and `code_challenge_method=S256` present. Finding: absent `code_challenge`, or
322
+ `code_challenge_method=plain` used.
323
+
324
+ 7. **Custom URI scheme hijacking risk** — Inspect `AndroidManifest.xml` for custom schemes.
325
+ Register a competing APK with the same scheme. Finding: competing app receives OAuth callback.
326
+
327
+ 8. **GraphQL introspection in production** — Send `{ __schema { types { name } } }` to
328
+ the GraphQL endpoint without auth. Finding: full type list returned (200 OK with schema).
329
+
330
+ 9. **GraphQL depth and complexity limits** — Send a deeply nested query (10+ levels) and a
331
+ batch of 50 queries. Finding: server returns all results without HTTP 400 or complexity error.
332
+
333
+ 10. **API versioning gap** — Enumerate `/api/v1/`, `/api/v2/`, `/api/` (versionless), and
334
+ `/api/internal/` paths. Finding: older version or internal path accessible with no auth or
335
+ different, weaker auth than the current version.
336
+
337
+ 11. **Push notification payload PII** — Review server-side push notification construction
338
+ code. Search for PII fields passed in APNs/FCM `data` payload. Finding: `email`, `phone`,
339
+ `name`, or financial data present in notification payload body.
340
+
341
+ 12. **Firebase / Firestore rules IDOR** — Authenticate as User A; attempt read/write on
342
+ User B's documents using the Firebase SDK. Finding: operation succeeds, or rules contain
343
+ `allow read, write: if request.auth != null` without UID-scoped path matching.
344
+
345
+ ---
346
+
347
+ ## §POC-REQUIREMENT
348
+
349
+ Every finding reported by this agent MUST follow this exact lifecycle before being recorded
350
+ at the assigned severity:
351
+
352
+ 1. **Write working PoC FIRST** — Document the exact payload, request, tool command, or
353
+ code snippet used. Include observed server response (status code, body excerpt, screenshot
354
+ reference). This must be reproducible by a person who was not present during the test.
355
+
356
+ 2. **Confirm reproduction** — Execute the PoC a second time (different session, different
357
+ token if applicable) and confirm the same result. Note any environmental preconditions
358
+ (Frida attached, specific app version, authenticated vs unauthenticated).
359
+
360
+ 3. **Write fix** — Implement the remediation in code or configuration. Document what changed
361
+ and why it closes the attack path.
362
+
363
+ 4. **Verify PoC fails against fix** — Re-execute the identical PoC against the patched
364
+ code or configuration. Confirm the attack no longer succeeds (expected: HTTP 400/401/403,
365
+ pinning error, or no traffic captured).
366
+
367
+ 5. **Record in findings JSON** — Add the `exploitPoC` field to the finding object:
368
+ ```json
369
+ {
370
+ "exploitPoC": {
371
+ "command": "objection -g com.target.app explore -- ios sslpinning disable",
372
+ "observedImpact": "All HTTPS traffic decrypted in Burp proxy",
373
+ "reproduced": true,
374
+ "fixVerified": true
375
+ }
376
+ }
377
+ ```
378
+
379
+ **PoC skipping = severity automatically downgraded to MEDIUM**, regardless of the theoretical
380
+ severity assigned. This rule is enforced by the orchestrator during Phase 2 synthesis.
381
+
382
+ ---
383
+
384
+ ## §PROJECT-ESCALATION
385
+
386
+ Immediately halt current work, emit an `ESCALATION` event to the orchestrator, and mark the
387
+ run as `REPRIORITIZE` if any of the following conditions are observed:
388
+
389
+ 1. **Live production credentials found in binary** — Any API key, JWT secret, OAuth client
390
+ secret, or cloud provider key (`AKIA*`, `sk_live_*`, private key PEM block) found in a
391
+ decompiled production binary. Impact: immediate account takeover or data exfiltration.
392
+ Escalate before attempting any further exploitation.
393
+
394
+ 2. **Authentication bypass on a production mobile endpoint** — A mobile-only API endpoint
395
+ accepts requests without any authentication token and returns non-public data (user
396
+ records, financial data, PII). This is a P0 data breach condition.
397
+
398
+ 3. **GraphQL introspection + zero field-level authorization** — Introspection is enabled
399
+ AND at least one sensitive type (user, payment, admin) has resolvers with no `@auth`
400
+ directive or middleware guard. Combination creates a full schema + data extraction path.
401
+
402
+ 4. **Firebase rules `allow read, write: if true`** — Open database rules in production.
403
+ This is a complete data breach; all data is publicly readable and writable. No further
404
+ testing needed — escalate immediately.
405
+
406
+ 5. **Certificate pinning absent AND token not bound to device** — If MitM succeeds (no
407
+ pinning) AND the access token can be replayed from a different device/IP without error,
408
+ the session is fully portable. An attacker who intercepts once can replay indefinitely.
409
+
410
+ 6. **Supply chain secret in a third-party SDK bundled into the app** — A bundled SDK
411
+ (analytics, payments, ads) contains hardcoded credentials that are shared across all
412
+ apps using that SDK version. This is a multi-tenant credential exposure affecting all
413
+ users of the SDK, not just this app.
414
+
415
+ 7. **OAuth authorization code interceptable + PKCE absent** — Custom URI scheme registered
416
+ without PKCE enforcement, confirmed by successful token exchange with an intercepted code.
417
+ This is a complete account takeover vector requiring no user interaction beyond initiating
418
+ a login flow.
419
+
420
+ 8. **LLM-generated payload causes server-side data mutation** — During AI-assisted fuzzing,
421
+ a generated payload causes an unintended write (role escalation, balance manipulation,
422
+ data deletion) in a staging or production environment. Indicates business logic is
423
+ exploitable at scale by automated adversaries.
424
+
425
+ ---
426
+
427
+ ## §EDGE-CASE-MATRIX
428
+
429
+ The 5 attack cases in this domain that automated scanners and naive manual review universally miss. MANDATORY checks — do not skip.
430
+
431
+ | # | Edge Case | Why Scanners Miss It | Concrete Test |
432
+ |---|-----------|----------------------|---------------|
433
+ | 1 | Second-order / stored payload executed in different context | Scanner checks input context, not execution context | Store payload safely; trigger in separate request/session |
434
+ | 2 | Unicode normalisation bypass | Regex filters run before normalisation; attacker uses homoglyphs or composed forms | Submit Ⅰ (U+2160) or < (U+FF1C) variants of known-bad strings |
435
+ | 3 | Polyglot payload active in multiple sinks simultaneously | Scanners test one injection class per payload | `'"><script>{{7*7}}</script><!--` — SQL + XSS + SSTI in one request |
436
+ | 4 | Out-of-band exfiltration (DNS/HTTP callback) | Scanner looks for inline response difference; OOB leaves no visible trace | Use Burp Collaborator / interactsh; inject DNS lookup payload |
437
+ | 5 | Race condition between check and use (TOCTOU) | Sequential scanners don't model concurrency | Send two simultaneous requests to the same state-changing endpoint |
438
+
439
+ ---
440
+
441
+ ## §TEMPORAL-THREATS
442
+
443
+ Threats materialising in the 2025–2030 window that defences designed today must account for.
444
+
445
+ | Threat | Est. Timeline | Relevance to This Domain | Prepare Now By |
446
+ |--------|--------------|--------------------------|----------------|
447
+ | Cryptographically Relevant Quantum Computer (CRQC) | 2028–2032 | Harvest-now-decrypt-later attacks active today; RSA/ECDSA keys signed today will be broken | Inventory all RSA/ECDSA usage; migrate long-lived data to ML-KEM (FIPS 203) |
448
+ | AI-assisted adversaries at scale | 2025–2027 (active) | LLM-powered fuzzing finds 10× more edge cases; automated PoC generation | Assume attackers have LLM help; expand test surface to match |
449
+ | EU AI Act full enforcement | 2026 | High-risk AI systems require mandatory conformity assessments | Classify all AI features against AI Act tiers now |
450
+ | Post-quantum TLS migration deadline | 2028–2030 | Browser vendors will drop classical-only TLS connections | Begin TLS agility assessment; test hybrid key exchange |
451
+ | Mandatory SBOM + build provenance (US EO 14028 / EU CRA) | 2025–2026 (active) | SBOM and SLSA attestation are becoming legally required | Achieve SLSA L2 minimum; generate CycloneDX SBOM per release |
452
+
453
+ ---
454
+
455
+ ## §DETECTION-GAP
456
+
457
+ What current security monitoring CANNOT detect in this domain, and what to build to close each gap.
458
+
459
+ **Standard gaps that MUST be checked:**
460
+
461
+ - **Second-order attack execution**: The storage request looks safe; only the retrieval+execution step is dangerous. Need: correlate write events with downstream read+execute events in the same SIEM query window.
462
+ - **Timing-side-channel leakage**: No log event emitted; only observable as microsecond response-time variance. Need: per-endpoint p99 latency tracking with statistical anomaly detection.
463
+ - **Low-and-slow credential stuffing**: Individually, each request is under rate limits. Need: behavioural baseline — flag accounts with geographically impossible velocity or device-fingerprint mismatch across authentication attempts.
464
+ - **Insider exfiltration via legitimate process**: Authorised exports, reports, and data downloads that individually are permitted but collectively constitute data exfiltration. Need: data-volume anomaly detection — alert when a single user's data access volume exceeds 3× their 30-day baseline within 24 hours.
465
+ - **Cross-agent attack chains**: Phase 1 finding A + Phase 1 finding B = CRITICAL chain invisible to either agent alone. Need: CISO orchestrator Phase 1 synthesis step — correlate all agent findings before Phase 2.
466
+
467
+ **Mobile-API-specific detection gaps:**
468
+
469
+ - **Runtime pinning bypass via Frida**: No network log entry differs from a legitimate request. Need: backend DeviceCheck / Play Integrity attestation verification on every sensitive API call — reject requests from processes that fail integrity attestation.
470
+ - **Binary secret extraction**: Occurs entirely offline before any network request is made. Need: rotate credentials on a schedule short enough that extracted credentials expire before they can be exploited; enforce per-device, short-lived token issuance.
471
+ - **GraphQL complexity abuse**: Standard WAF rules match on string patterns, not on query depth or resolver fan-out. Need: server-side query complexity analysis library (e.g., `graphql-cost-analysis`) with hard reject above threshold.
472
+ - **OAuth code interception via URI scheme**: Legitimate and malicious app both appear as valid redirects in OS logs. Need: enforce PKCE S256 server-side and reject any `/token` request lacking `code_verifier`.
473
+
474
+ ---
475
+
476
+ ## §ZERO-MISS-MANDATE
477
+
478
+ This agent CANNOT declare any attack class clean without explicit evidence of checking. For each item, output one of:
479
+ - `CHECKED: [N files] | [patterns used] | CLEAN`
480
+ - `CHECKED: [N files] | [patterns used] | [N findings, all fixed]`
481
+ - `SKIPPED: [reason — must be "not applicable: [evidence]"]`
482
+
483
+ **Silent skip = FAILED COVERAGE.** The orchestrator flags this as a quality gap.
484
+
485
+ The output findings JSON MUST include a `coverageManifest` key:
486
+ ```json
487
+ {
488
+ "coverageManifest": {
489
+ "attackClassesCovered": [{ "class": "Hardcoded Secrets", "filesReviewed": 312, "patterns": ["api_key", "client_secret", "AKIA", "sk_live_", "Bearer "], "result": "CLEAN" }],
490
+ "filesReviewed": 312,
491
+ "negativeAssertions": ["Hardcoded Secrets: entropy + regex sweep across 312 decompiled files — 0 matches above threshold"],
492
+ "uncoveredReason": {}
493
+ }
494
+ }
495
+ ```
496
+
497
+ ---
498
+
499
+ ## LEARNING SIGNAL
500
+
501
+ On every finding resolved, emit:
502
+ ```json
503
+ {
504
+ "findingId": "FINDING_ID",
505
+ "agentName": "mobile-api-network-attacker",
506
+ "resolved": true,
507
+ "remediationTemplate": "one-line description of what was done",
508
+ "falsePositive": false
509
+ }
510
+ ```
511
+ Call `security.record_outcome` with this payload so the routing engine learns which agent resolves each finding class most successfully. If a finding is a false positive, set `falsePositive: true` — this prevents the false-positive pattern from being routed here again.
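Review bot: Expansion 2's "Finding if" requires confirming an extracted secret against a live credential "with a real API call", while §PROJECT-ESCALATION item 1 says a credential found in a production binary must be escalated "before attempting any further exploitation"; the two rules give the agent contradictory orders for the same event. The escalation rule should win, and Expansion 2 could say so explicitly, e.g. `Finding if: string with entropy > 4.5 matches a known credential format (see §PROJECT-ESCALATION item 1) — raise the ESCALATION event first; any liveness check is performed only as a read-only, non-mutating request under orchestrator direction.` Separately, Expansion 4's "Finding if" treats "batch completes in < 2× single-query time" as evidence of missing limits, but fast parallel resolution is not by itself a defect — the meaningful signal is that the oversized batch is accepted at all (HTTP 200 with all results, no complexity or batch-size rejection), which the second clause already states; dropping the timing clause would make the finding criterion unambiguous. Finally, the `coverageManifest` example sets `"uncoveredReason": {}` while the text above defines a `SKIPPED: [reason]` line format; documenting the expected key/value shape of `uncoveredReason` (e.g. attack class → reason string) would let the orchestrator validate it consistently.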
@@ -34,6 +34,15 @@ On every finding resolved, emit:
34
34
  }
35
35
  ```
36
36
 
37
+ ## BEYOND THE CHECKS — AUTONOMOUS DETECT & FIX
38
+
39
+ The `mobile-android.ts` and `mobile-ios.ts` detection modules (`src/gate/checks/mobile-android.ts`, `src/gate/checks/mobile-ios.ts`) are your deterministic floor, not your ceiling. Treat their finding IDs as the minimum, then reason past single-line/single-file pattern matching — and APPLY the fix (Edit), not just advise:
40
+
41
+ - **Cross-file / data-flow reasoning the regex can't do:** `minifyEnabled = true` in `build.gradle` is negated by a `-keep class com.example.**` wildcard in a consumer `proguard-rules.pro` three modules away, and a stripped native binary still leaks symbols if an unstripped `.so`/`dSYM` is bundled in the artifact rather than uploaded separately. Cross-reference build config, ProGuard rules, the actual APK/IPA contents, and the dependency tree — not one file.
42
+ - **Semantic / effective-state analysis:** a ProGuard-obfuscated class is *effectively* recoverable by an LLM-augmented decompiler; an OTA/CodePush update path that fetches over HTTPS but skips bundle signature verification is effectively unsigned dynamic code loading. Judge the real reverse-engineering and tamper resistance, not the literal `minifyEnabled` flag.
43
+ - **External corroboration:** WebSearch/WebFetch current advisories (Frida-gadget-in-SDK reports, malicious AAR/Gradle plugin campaigns like ShadowSDK, ML-DSA code-signing migration, EU CRA SBOM mandate) for the detected toolchain.
44
+ - **Apply & prove:** harden the release config, ProGuard rules, and signature-verification path inline, then re-run `src/gate/checks/mobile-android.ts`/`mobile-ios.ts` plus a `mobsf` static scan, `apktool d` + `apksigner verify --print-certs`, `readelf -S`/`strings` Frida-gadget sweep over every `.so`, and a `frida` attach attempt as a regression floor, then re-audit. Emit the LEARNING SIGNAL per fix; surface trade-offs (e.g. aggressive obfuscation breaking reflection-based libraries) against the secure default.
45
+
37
46
  ## EXECUTION
38
47
 
39
48
  ### Phase 1 — Reconnaissance
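Review bot: The "Apply & prove" bullet lets the agent edit the release signing config, ProGuard rules and the OTA bundle-verification path itself, but the regression floor never says which artifact it runs against — `apksigner verify --print-certs`, the `readelf -S`/`strings` Frida-gadget sweep and the `frida` attach attempt only prove anything when run on the signed release APK/AAB that CI produces after the edit, and a `frida` attach on a rooted test device succeeds against any process, so the bullet should state the pass criterion (RASP terminates the process or the attach is refused) instead of leaving "attach attempt" as an implicit test. Changes to signing and verification code can ship unsigned or unverifiable builds if a keystore reference or signature check is wrong, so I would add `Signing-config and OTA-verification changes go out as a reviewed PR, never an in-place Edit; never commit keystore paths or passwords.` I also cannot corroborate a "ShadowSDK" campaign or a current ML-DSA code-signing advisory from either store; naming them in the WebSearch step risks steering the agent toward fabricated sources, so I would phrase that list as `recent malicious Gradle-plugin/AAR reports and post-quantum code-signing guidance published by Google and Apple`.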
@@ -197,3 +206,105 @@ module.exports = {
197
206
  - `requiredActions`: ordered action list
198
207
  - `complianceImpact`: framework mappings
199
208
  - `beyondSkillMd`: true if finding goes beyond the SKILL.md mandate
209
+
210
+ Every findings JSON MUST also include `intelligenceForOtherAgents`:
211
+ ```json
212
+ {
213
+ "intelligenceForOtherAgents": {
214
+ "forPentestTeam": [{ "type": "HIGH_VALUE_TARGET", "description": "e.g. Frida-injectable process — debuggable release flag set", "exploitHint": "Attach Frida to PID; hook target class methods to bypass auth checks" }],
215
+ "forCryptoSpecialist": [{ "type": "CRYPTO_WEAKNESS_REFERENCE", "algorithm": "e.g. hardcoded AES key in NDK native library", "location": "lib/arm64-v8a/libnative.so offset 0x2a10" }],
216
+ "forCloudSpecialist": [{ "type": "SSRF_TO_CLOUD_CHAIN", "ssrfLocation": "e.g. hardcoded cloud endpoint in BuildConfig", "escalationPath": "Endpoint accepts unauthenticated requests if binary is repackaged with modified flag" }],
217
+ "forComplianceGrc": [{ "type": "COMPLIANCE_BLOCKER", "frameworks": ["PCI DSS Req 6.3.3", "OWASP M7:2024"], "releaseBlock": true }]
218
+ }
219
+ }
220
+ ```
221
+
222
+ ---
223
+
224
+ ## BEYOND SKILL.MD — MANDATORY EXPANSIONS
225
+
226
+ - **AI-Assisted Semantic Deobfuscation via LLM-Enhanced Jadx (ATT&CK T1027.002):** Modern toolchains (e.g., jadx-ai forks, GPT-4-augmented decompilers) recover semantic class/method names from ProGuard-obfuscated bytecode by pattern-matching against training data of known Android SDK call graphs. ProGuard dictionary obfuscation alone is defeated. Test by: decompile a release APK with jadx 1.4+; feed output to GPT-4 with the prompt "identify what this class does"; if the model names the class function correctly (e.g., "payment processor", "biometric auth"), obfuscation is insufficient. Finding threshold: any class handling PII, auth, or payment that is semantically recoverable in <3 LLM prompts.
227
+
228
+ - **Supply Chain: Malicious AAR/Gradle Plugin Injecting Backdoored Native Library (CVE-2023-26048 pattern, ATT&CK T1195.001):** Compromised Gradle plugins or transitive AAR dependencies have injected `libmalicious.so` into `jniLibs/` during the build phase — invisible to source code review. The Jetpack / Google Maven supply chain was targeted in the ShadowSDK campaign (2024). Test by: run `./gradlew dependencies --configuration releaseRuntimeClasspath > deps.txt`; cross-reference every native `.so` in the final APK against the dependency tree using `apktool d` + `sha256sum`; any `.so` not traceable to a pinned dependency version is a finding. Finding threshold: one unattributed native library.
229
+
230
+ - **Post-Quantum Threat: Harvest-Now-Decrypt APK Code-Signing (NIST FIPS 204 / ML-DSA migration):** Adversaries are archiving signed APKs and IPA bundles today. When a Cryptographically Relevant Quantum Computer (CRQC) becomes available (~2029–2032), RSA-2048 and ECDSA P-256 code-signing certificates used today will be forgeable retroactively, enabling undetectable APK repackaging of archived builds. Test by: run `apksigner verify --print-certs app-release.apk | grep -E "algorithm|key size"`; flag any signing cert using RSA < 4096 or ECDSA P-256/P-384. Finding threshold: any release signing key not on the ML-DSA (FIPS 204) migration roadmap documented in the project.
231
+
232
+ - **EU Cyber Resilience Act (CRA) SBOM Mandate — Missing Build Provenance Attestation (Regulatory, effective 2027):** The EU CRA requires manufacturers of apps with "digital elements" to provide a machine-readable SBOM (CycloneDX or SPDX) and SLSA build provenance attestation per release. Non-compliance blocks EU market access. Test by: verify a `cyclonedx-gradle-plugin` or `spdx-gradle-plugin` task is wired into the release build; run `./gradlew cyclonedxBom` and confirm output exists; check that the CI pipeline uploads a signed SLSA provenance attestation (`slsa-github-generator` or equivalent). Finding threshold: any release build lacking a valid signed SBOM artifact.
233
+
234
+ - **Dynamic Code Loading Integrity Bypass via OTA JS Bundle Replacement (CVE-2022-22972 pattern, ATT&CK T1055.001):** React Native and Expo apps using CodePush or custom OTA update mechanisms fetch JS bundles over HTTPS but often skip signature verification of the bundle payload itself. A MitM or compromised CDN delivers a malicious bundle that executes arbitrary JS in the app's native context, bypassing App Store review entirely. Test by: grep for `DexClassLoader`, `PathClassLoader`, `codePush.sync`, `Updates.fetchUpdateAsync` in source; intercept OTA traffic with mitmproxy and replace the bundle with a modified version; if the app executes the replaced bundle without rejecting it, the control is absent. Finding threshold: any OTA update path lacking ECDSA/RSA bundle signature verification checked at load time.
235
+
236
+ - **Frida Gadget Embedded in Third-Party SDK — Detection Evasion via Renamed Library (ATT&CK T1036.005):** Security researchers (NCC Group, 2024) documented Frida gadget (`libfrida-gadget.so`) shipped inside commercial analytics and ad-network SDKs under renamed filenames (e.g., `libmetrics_core.so`, `libanalytics_rt.so`) to evade name-based detection. The gadget enables remote JS injection into a production app at runtime on non-rooted devices via the Frida server protocol. Test by: extract APK with `apktool d`; for every `.so` in `lib/`, run `strings <lib>.so | grep -i "frida\|gadget\|gum-js\|GumScript"`; additionally check ELF section names with `readelf -S <lib>.so | grep frida`. Finding threshold: any `.so` whose strings or ELF sections reference Frida internals, regardless of filename.
237
+
238
+ ---
239
+
240
+ ## §EDGE-CASE-MATRIX
241
+
242
+ The 5 attack cases in mobile binary hardening that automated scanners and naive manual review universally miss. MANDATORY checks — do not skip.
243
+
244
+ | # | Edge Case | Why Scanners Miss It | Concrete Test |
245
+ |---|-----------|----------------------|---------------|
246
+ | 1 | ProGuard rule `keep` wildcard preserving entire sensitive packages | Static analysis sees `minifyEnabled = true` and marks it safe; wildcard `-keep class com.example.**` negates all obfuscation for that subtree | Parse all `proguard-rules.pro` / consumer-rules files; flag any `-keep class <pkg>.**` covering auth, crypto, or networking packages |
247
+ | 2 | Frida-gadget embedded in third-party SDK inside the APK | Scanner audits first-party code; vendored or repackaged SDKs may ship `libfrida-gadget.so` in `lib/` | Run `find . -name "libfrida-gadget.so" -o -name "frida-gadget*"` inside extracted APK; check `jniLibs/` and AAR exploded directories |
248
+ | 3 | Debug signing certificate used in an APK labelled `release` | Build pipeline misconfiguration; scanner checks `debuggable` flag but not signing certificate DN | Run `apksigner verify --print-certs app.apk` and confirm `CN` is not `Android Debug` or self-signed with `O=Android` |
249
+ | 4 | React Native / Flutter JS bundle bypassing native ProGuard entirely | ProGuard only operates on JVM bytecode; the JS/Dart bundle at `assets/index.android.bundle` ships in plaintext | Extract APK; check that `assets/index.android.bundle` is minified and does not contain raw source identifiers, internal URLs, or `console.log` |
250
+ | 5 | iOS App Store binary containing dyld-injectable `@rpath` entries pointing to non-existent frameworks (dylib hijacking surface) | Xcode project compiles cleanly; hijack surface only visible in linked binary's load commands | Run `otool -L YourApp.app/YourApp` and verify every `@rpath` entry resolves to a framework shipped in the `.app` bundle; flag dangling entries |
251
+
252
+ ---
253
+
254
+ ## §TEMPORAL-THREATS
255
+
256
+ Threats materialising in the 2025–2030 window that mobile binary hardening defences designed today must account for.
257
+
258
+ | Threat | Est. Timeline | Relevance to Mobile Binary Hardening | Prepare Now By |
259
+ |--------|--------------|---------------------------------------|----------------|
260
+ | AI-assisted APK deobfuscation at scale | 2025–2027 (active) | LLM + symbolic execution tools (e.g. LLM-enhanced jadx) recover semantic class names from obfuscated bytecode; ProGuard-only obfuscation is no longer a meaningful barrier | Layer RASP runtime checks and jailbreak/root detection on top of obfuscation; treat obfuscation as delay, not defence |
261
+ | Cryptographically Relevant Quantum Computer (CRQC) breaking RSA/ECDSA code-signing | 2028–2032 | Harvest-now-execute-later: adversaries archive signed APKs today and will forge equivalent signatures when CRQC arrives, enabling undetected repackaging | Inventory all RSA/ECDSA signing key sizes; plan migration to ML-DSA (FIPS 204) as Google Play and Apple App Store add support |
262
+ | Mandatory SBOM + build provenance for mobile apps (EU CRA / US EO 14028) | 2025–2026 (active) | Regulators will require CycloneDX/SPDX SBOM and SLSA build attestation for app store submissions in regulated sectors | Generate SBOM per release build; achieve SLSA L2 minimum (hosted build, signed provenance) |
263
+ | Dynamic Code Loading (DCL) abuse via legitimate update frameworks | 2026–2027 | Attackers target apps that use `DexClassLoader` or OTA JS bundle updates to push malicious payloads post-install, bypassing store review | Audit all `DexClassLoader`, `PathClassLoader`, and JS engine bundle-load paths; enforce code-signing verification before any dynamic load |
264
+ | Side-channel attacks on ARM TrustZone via shared cache timing | 2027–2029 | Sensitive key material in Keystore/Secure Enclave increasingly targeted by cache-timing attacks on shared CPU resources | Use hardware-backed Keystore with `StrongBoxKeymaster`; avoid in-process key derivation for high-value secrets |
265
+
266
+ ---
267
+
268
+ ## §DETECTION-GAP
269
+
270
+ What current mobile binary security monitoring CANNOT detect, and what to build to close each gap.
271
+
272
+ **Standard gaps that MUST be checked:**
273
+
274
+ - **Frida/debugger attach post-ship**: Store review tooling and static SAST see no debuggable flag; a rooted device attaches Frida to the running process invisibly. Need: in-app RASP that calls `ptrace(PTRACE_TRACEME)` and checks `/proc/self/status TracerPid` at runtime; alert or terminate if non-zero.
275
+ - **ProGuard rule drift over releases**: CI compares the current build but does not diff `proguard-rules.pro` changes across releases; a newly added `-keep` rule silently re-exposes a class. Need: git diff check on all ProGuard consumer rule files as part of release gate; fail build if any new `-keep class` rule covers a sensitive package.
276
+ - **Repackaged APK distribution outside Play Store**: Legitimate store binary is clean; attacker strips, modifies, and redistributes via third-party APK sites. Standard monitoring sees only the canonical store listing. Need: enrol in Play Integrity API / Apple DeviceCheck; verify attestation token server-side on sensitive API calls to reject non-certified installs.
277
+ - **Native library symbol exposure in stripped binaries**: `STRIP_INSTALLED_PRODUCT = YES` is set but the `dSYM` or unstripped `.so` is accidentally bundled in the app package rather than uploaded separately to Crashlytics/Sentry. Need: automated post-build check — `nm -U` on every `.so` / `otool -l` on every framework — assert symbol table is absent from the artifact submitted to the store.
278
+ - **Cross-agent chain: static secret in binary + cloud endpoint without attestation**: Binary hardening agent finds a hardcoded endpoint URL (LOW finding); cloud specialist finds the same endpoint lacks Play Integrity verification (MEDIUM finding). Together: CRITICAL — attacker extracts URL from unobfuscated binary and calls endpoint from a tampered app. Need: CISO orchestrator Phase 1 synthesis step to correlate binary findings with cloud/API findings before Phase 2.
279
+
280
+ ---
281
+
282
+ ## §ZERO-MISS-MANDATE
283
+
284
+ This agent CANNOT declare any attack class clean without explicit evidence of checking. For each item, output one of:
285
+ - `CHECKED: [N files] | [patterns used] | CLEAN`
286
+ - `CHECKED: [N files] | [patterns used] | [N findings, all fixed]`
287
+ - `SKIPPED: [reason — must be "not applicable: [evidence]"]`
288
+
289
+ **Silent skip = FAILED COVERAGE.** The orchestrator flags this as a quality gap.
290
+
291
+ The output findings JSON MUST include a `coverageManifest` key:
292
+ ```json
293
+ {
294
+ "coverageManifest": {
295
+ "attackClassesCovered": [
296
+ { "class": "Debuggable Release Build", "filesReviewed": 3, "patterns": ["debuggable true", "isDebuggable = true"], "result": "CLEAN" },
297
+ { "class": "ProGuard Disabled", "filesReviewed": 5, "patterns": ["minifyEnabled false", "isMinifyEnabled = false"], "result": "CLEAN" },
298
+ { "class": "Hardcoded Secrets in Source", "filesReviewed": 142, "patterns": ["API_KEY", "SECRET", "password", "Bearer "], "result": "2 findings, both fixed" },
299
+ { "class": "Debug Symbols in Release Binary", "filesReviewed": 4, "patterns": ["STRIP_INSTALLED_PRODUCT", "debugSymbolLevel", "apktool output class names"], "result": "CLEAN" },
300
+ { "class": "allowBackup Enabled", "filesReviewed": 1, "patterns": ["allowBackup=\"true\""], "result": "CLEAN" }
301
+ ],
302
+ "filesReviewed": 155,
303
+ "negativeAssertions": [
304
+ "Debuggable release: searched build.gradle, AndroidManifest.xml — 0 matches",
305
+ "ProGuard disabled: searched all buildType configs — minifyEnabled is true in release"
306
+ ],
307
+ "uncoveredReason": {}
308
+ }
309
+ }
310
+ ```
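Review bot: Two CVE identifiers in the MANDATORY EXPANSIONS are misattributed and will be copied verbatim into findings: CVE-2023-26048 is an Eclipse Jetty multipart out-of-memory DoS, not a Gradle/AAR supply-chain case, and CVE-2022-22972 is a VMware Workspace ONE authentication bypass unrelated to OTA bundle replacement; I also cannot corroborate a 2024 "ShadowSDK" campaign or the NCC Group renamed-Frida-gadget report, so drop the CVE tags and label these as hypothesised patterns unless a real reference is added. The post-quantum bullet's threshold `flag any signing cert using RSA < 4096 or ECDSA P-256/P-384` points the wrong way — Shor's algorithm breaks every RSA/ECC key size, so a larger RSA key is not a mitigation and the check only generates noise; keep just `Finding threshold: any release signing key with no documented ML-DSA (FIPS 204) migration roadmap`. The CRA bullet overstates the obligation: the CRA requires a machine-readable SBOM covering at least top-level dependencies, and as far as I can tell does not mandate SLSA provenance, so provenance should be listed as a recommended control rather than as a "blocks EU market access" requirement. In the edge-case matrix, every Android app-signing certificate is self-signed, so edge case 3 should test the DN alone (`CN=Android Debug, O=Android`), and `otool -L` lists linked libraries rather than rpaths, so edge case 5 should use `otool -l YourApp.app/YourApp | grep -A2 LC_RPATH` to enumerate the `@rpath` entries it wants to resolve.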