8kSec/awesome-mobile-security
GitHub: 8kSec/awesome-mobile-security
A comprehensive list of mobile security resources covering tools, papers, lab environments, and offensive and defensive techniques, for security research, engineering, and incident response.
Stars: 3 | Forks: 0
# Awesome Mobile Security
Updated March 2026. Contributions welcome.
## Table of Contents
| # | Section |
|---|---------|
| 1 | [Tools — Static Analysis](#1-tools--static-analysis) |
| 2 | [Tools — Dynamic Analysis & Instrumentation](#2-tools--dynamic-analysis--instrumentation) |
| 3 | [Tools — Reverse Engineering](#3-tools--reverse-engineering) |
| 4 | [Tools — Network Analysis & Traffic Interception](#4-tools--network-analysis--traffic-interception) |
| 5 | [Tools — Malware Analysis](#5-tools--malware-analysis) |
| 6 | [Lab Environments & Vulnerable Apps](#6-lab-environments--vulnerable-apps) |
| 7 | [Research Papers & Technical Write-ups](#7-research-papers--technical-write-ups) |
| 8 | [Conference Talks](#8-conference-talks) |
| 9 | [Exploit Techniques & Attack Surface Reference](#9-exploit-techniques--attack-surface-reference) |
| 10 | [Advanced Platform Internals](#10-advanced-platform-internals) |
| 11 | [CTF Challenges & Writeups](#11-ctf-challenges--writeups) |
| 12 | [Books](#12-books) |
| 13 | [Community, Blogs & Researchers](#13-community-blogs--researchers) |
| 14 | [Threat Intelligence](#14-threat-intelligence) |
| 15 | [Courses & Certifications](#15-courses--certifications) |
| 16 | [Standards & Frameworks](#16-standards--frameworks) |
| 17 | [Official Documentation](#17-official-documentation) |
| 18 | [Regulatory & Compliance](#18-regulatory--compliance) |
| 19 | [Bug Bounty Programs](#19-bug-bounty-programs) |
| 20 | [Free Practical Challenges](#20-free-practical-challenges) |
**Platform labels:** `[Android]` `[iOS]` `[Cross-Platform]`
**Skill labels:** `[Beginner]` `[Intermediate]` `[Advanced]` `[Emerging]`
## 1. Tools — Static Analysis
Static analysis covers decompilation, disassembly, code scanning, and automated vulnerability detection — performed without running the application. Start here for initial triage of any APK or IPA.
### Android Decompilation & Code Analysis
| Tool | Description | Notes |
|------|-------------|-------|
| [jadx](https://github.com/skylot/jadx) `[Android]` | DEX-to-Java decompiler with both CLI and GUI modes. Best-in-class for Android APK decompilation — handles obfuscated code better than most alternatives. | Active development. jadx-gui includes search, cross-reference navigation, and code comments. First choice for APK analysis. |
| [apktool](https://github.com/iBotPeaches/Apktool) `[Android]` | Decodes and rebuilds APKs. Extracts smali bytecode, resources, and AndroidManifest.xml in editable form. Essential for manifest inspection and resource analysis. | Use for patching and rebuilding APKs — jadx is better for code reading, apktool for manipulation. |
| [dex2jar](https://github.com/pxb1988/dex2jar) `[Android]` | Converts DEX bytecode to JAR for use with Java decompilers like JD-GUI or Procyon. | Complementary to jadx. Useful when jadx decompilation fails or produces poor output on certain classes. |
| [smali/baksmali](https://github.com/JesusFreke/smali) `[Android]` | Assembler and disassembler for Android DEX format. Gold standard for low-level bytecode analysis and precise patching. | Required for cases where Java-level decompilation loses fidelity. Essential for understanding obfuscated code. `[Intermediate]` |
| [androguard](https://github.com/androguard/androguard) `[Android]` | Python library for programmatic APK and DEX analysis. Control-flow graph generation, inter-procedural analysis, malware classification. | Best for automated analysis pipelines and custom tooling. Well-maintained. `[Intermediate]` |
### Android Scanning & Automated Analysis
| Tool | Description | Notes |
|------|-------------|-------|
| [MobSF (Mobile Security Framework)](https://github.com/MobSF/Mobile-Security-Framework-MobSF) `[Cross-Platform]` | Automated all-in-one framework covering static analysis, dynamic analysis, malware detection, and API security analysis for Android and iOS. Runs as a Docker container or standalone server. | Most complete automated scanner available. Output includes CVSS-scored findings, code references, and network analysis. Start here for fast initial assessment. |
| [Quark Engine](https://github.com/ev-flow/quark-engine) `[Android]` | Behavior-based APK analysis engine. Uses a custom crime and behavior detection model rather than signature matching. Integrates with MobSF. | Good complement to MobSF for behavior-based detection of malicious patterns in custom code. |
| [APKLeaks](https://github.com/dwisiswant0/apkleaks) `[Android]` | Scans APKs for hardcoded URLs, endpoints, API keys, and secrets using configurable regex patterns. | Fast triage tool — run early in any assessment to surface exposed credentials and endpoints. |
| [APKiD](https://github.com/rednaga/APKiD) `[Android]` | Identifies packers, protectors, obfuscators, and anti-analysis techniques in APKs using compiler and packer fingerprints. | Run before analysis to understand what protections are in place. Identifies Dexguard, ProGuard, DexProtect, and 30+ other packers. |
| [semgrep](https://github.com/semgrep/semgrep) `[Cross-Platform]` | Static analysis with mobile-specific community rulesets for Android and iOS security patterns. Scans source code rather than compiled artifacts. | Best for source-available assessments and SAST in CI/CD pipelines. Mobile rulesets at [semgrep.dev/r](https://semgrep.dev/r). |
| [APKLab](https://github.com/Surendrajat/APKLab) `[Android]` | Android reverse engineering workbench as a VS Code extension. Integrates apktool, jadx, smali, and apksigner into an IDE workflow. | Reduces context-switching between tools. Good for analysts who prefer an IDE over standalone GUIs. |
| [FlowDroid](https://github.com/secure-software-engineering/FlowDroid) `[Android]` | Static data flow analysis for Android apps. Tracks how sensitive data (location, contacts, credentials) propagates through app code to sinks (network, storage, logs). | Academic-grade tool for privacy and data leakage analysis. `[Advanced]` |
| [mariana-trench](https://github.com/facebook/mariana-trench) `[Android]` | Meta's security-focused static analysis tool for Android and Java. Scales to large codebases. Detects data flows, injection vulnerabilities, and insecure patterns. | Production-grade tool used internally at Meta. Better suited to large apps than academic taint analysis tools. |
| [trueseeing](https://github.com/alterakey/trueseeing) `[Android]` | Fast, accurate Android vulnerability scanner. Checks for common security anti-patterns including exported components, crypto misuse, and weak storage. | Good for automated pipeline scanning. |
| [BlackDex](https://github.com/CodingGay/BlackDex) `[Android]` | Android runtime unpacking tool (dex dump). Defeats dex packers by dumping decrypted DEX from memory at runtime. | Essential for analyzing packed/protected APKs where static decompilation produces unreadable output. `[Intermediate]` |
### Android App Bundle & Split APK Handling
Working with `.aab` files (Android App Bundles) requires specific tooling — you cannot directly install or decompile a `.aab` without first converting it.
| Tool | Description | Notes |
|------|-------------|-------|
| [bundletool](https://github.com/google/bundletool) `[Android]` | Official Google tool for building, analyzing, and extracting APKs from Android App Bundles (.aab). Generates device-specific APK sets or universal APKs from bundles. | Required for working with AAB files. Use `bundletool build-apks --bundle=app.aab --output=app.apks` then extract and analyze individual APKs. |
**Workflow for AAB analysis:**
1. `bundletool build-apks --bundle=app.aab --output=app.apks --mode=universal` — produces a universal APK
2. Rename `app.apks` to `app.zip`, extract, locate `universal.apk`
3. Analyze with jadx or MobSF as a standard APK
Split APK sets (where a single app is delivered as multiple `.apk` files) can be reassembled the same way.
### iOS Static Analysis & Decryption
| Tool | Description | Notes |
|------|-------------|-------|
| [MobSF](https://github.com/MobSF/Mobile-Security-Framework-MobSF) `[iOS]` | Static analysis of IPA files including binary metadata, embedded frameworks, plist parsing, URL scheme enumeration, and ATS configuration checks. | Requires an unencrypted IPA. App Store apps must be decrypted first (see below). |
| [class-dump](https://github.com/nygard/class-dump) `[iOS]` | Dumps Objective-C class interfaces, protocols, and categories from Mach-O binaries. Standard for inspecting Objective-C app structure. | Use `dsdump` for Swift or mixed Swift/ObjC binaries — handles Swift metadata better. |
| [dsdump](https://github.com/DerekSelander/dsdump) `[iOS]` | Improved class dumper with better handling of Swift metadata, enums, and structs. Produces more complete output for Swift apps than class-dump. | **Archived December 2025.** Author recommends [ipsw](https://github.com/blacktop/ipsw) as replacement. Still useful as a reference. `[Intermediate]` |
| [frida-ios-dump](https://github.com/AloneMonkey/frida-ios-dump) `[iOS]` | Decrypts and dumps IPA files from jailbroken devices using Frida. Handles FairPlay decryption at runtime. | Requires jailbroken device with Frida server running. Standard approach for App Store IPA decryption. |
| [bagbak](https://github.com/ChiChou/bagbak) `[iOS]` | Modern IPA decryption tool using Frida. Cleaner interface than frida-ios-dump, better handling of app extensions and Watch apps. | Preferred over Clutch (abandoned) and over frida-ios-dump for newer iOS versions. |
| [ktool](https://github.com/0cyn/ktool) `[iOS]` | Static Mach-O analysis and modification toolkit. Header dumps, library dependency analysis, load command inspection, symbol table extraction. | Good for quick structural analysis of iOS binaries without a full disassembler. `[Intermediate]` |
| [SwiftDump](https://github.com/neil-wu/SwiftDump/) `[iOS]` | Command-line tool for extracting Swift object/struct/enum metadata from Mach-O binaries. Complements dsdump. | Useful when dsdump output is incomplete on certain Swift builds. |
| [iLEAPP](https://github.com/abrignoni/iLEAPP) `[iOS]` | iOS Logs, Events, And Plist Parser. Parses iOS backup and file system artifacts for forensic investigation — app data, location history, call logs, messages. | Primary tool for iOS forensic artifact parsing. Regularly updated with new artifact parsers. `[Intermediate]` |
| [XMachOViewer](https://github.com/horsicq/XMachOViewer) `[iOS/macOS]` | Cross-platform graphical Mach-O viewer. Inspect load commands, sections, symbols, and dynamic library dependencies. | Lightweight — useful for quick structural inspection without a full disassembler. |
| [BinaryCookieReader](https://github.com/as0ler/BinaryCookieReader) `[iOS]` | Reads iOS binary cookie files (`.binarycookies` format) from app data directories. | Useful during iOS app security assessments for inspecting stored web session cookies. |
### Cross-Platform Framework Static Analysis
| Tool | Platform | Description | Notes |
|------|----------|-------------|-------|
| [blutter](https://github.com/worawit/blutter) | `[Flutter]` | Flutter application reverse engineering tool. Extracts Dart code and function signatures from snapshot files (libapp.so) in compiled Flutter apps. March 2026 update supports latest Flutter versions. | Primary tool for Flutter RE. Output dramatically reduces analysis time compared to manual Dart snapshot parsing. `[Advanced]` |
| [reFlutter](https://github.com/ptswarm/reFlutter) | `[Flutter]` | Flutter recompilation framework. Patches the Flutter engine to enable traffic interception and bypass certificate pinning. Requires app repackaging. | Alternative to blutter for traffic analysis focus. Also useful for patching anti-analysis checks. `[Advanced]` |
| [hermes-dec](https://github.com/P1sec/hermes-dec) | `[React Native]` | Decompiler for Hermes bytecode (`.hbc` files) used in React Native apps. Converts bytecode back to readable JavaScript. | Essential for modern React Native apps that ship with Hermes. Output quality varies but significantly better than raw bytecode inspection. |
| [dnSpy](https://github.com/dnSpy/dnSpy) | `[Xamarin/.NET]` | .NET debugger and assembly editor. Essential for Xamarin and MAUI app analysis — decompiles, edits, and debugs .NET assemblies. | Note: dnSpy is no longer actively maintained. Use [dnSpyEx](https://github.com/dnSpyEx/dnSpy) (community fork) for ongoing updates. |
| [ILSpy](https://github.com/icsharpcode/ILSpy) | `[Xamarin/.NET]` | .NET assembly browser and decompiler. Open-source, actively maintained. | Better maintenance than dnSpy. Use for read-only decompilation; dnSpyEx for editing/debugging. |
### Security Scanners & CI/CD Integration
| Tool | Description | Notes |
|------|-------------|-------|
| [AppSweep](https://platform.guardsquare.com) `[Android/iOS]` | Free CI/CD integrated mobile app security scanner from Guardsquare. Upload APKs/IPAs or integrate via Gradle plugin. Identifies hardcoded keys, dangerous permissions, insecure configurations, and known-vulnerable SDK versions. | Free tier available. Clean, actionable output. Good for developer-facing security feedback in CI. |
| [jadx-ai-mcp](https://github.com/mobilehackinglab/jadx-mcp-plugin) `[Android]` | MCP plugin for jadx that enables AI assistants to interact with decompiled code directly. Query class structures, search for patterns, and navigate code through AI interfaces. | New 2025. Useful for accelerating analysis workflows with AI-assisted code review. `[Emerging]` |
| [Ostorlab](https://ostorlab.co) `[Android/iOS]` | MAST platform with AI-assisted monkey testing, privacy analysis (21 data collection categories), attack surface profiling, and CI/CD integration. Free tier available. | Actively developed alternative to MobSF for automated assessments. May 2025 update added advanced privacy tracking detection. `[Intermediate]` |
## 2. Tools — Dynamic Analysis & Instrumentation
Dynamic analysis covers runtime inspection, function hooking, behavior monitoring, and API tracing — performed while the application is running. Most mobile security research requires dynamic analysis to understand real behavior, bypass protections, and observe network and data flows.
### Core Instrumentation
| Tool | Platform | Description | Notes |
|------|----------|-------------|-------|
| [Frida](https://frida.re) | `[Cross-Platform]` | Dynamic instrumentation toolkit. The de facto standard for mobile security research. Injects a JavaScript engine into running processes, enabling function hooking, memory inspection, and API tracing across Android and iOS. | Frida 17 (May 2025): **breaking change** — bundled runtime bridges (frida-objc, frida-swift, frida-java-bridge) removed from core; install separately via `frida-pm` (new package manager). Multiple 17.x releases through late 2025. ARM64e improvements critical for iOS 17+ research. Master Frida before all other dynamic analysis tools. |
| [objection](https://github.com/sensepost/objection) | `[Cross-Platform]` | Runtime mobile exploration toolkit built on Frida. Provides high-level commands for SSL pinning bypass, root/jailbreak bypass, memory dumping, file system access, and class/method enumeration. | Best starting point for Frida-based analysis. Covers 90% of common assessment tasks without writing custom Frida scripts. v1.12.3. `[Beginner–Intermediate]` |
| [Medusa](https://github.com/Ch0pin/medusa) | `[Cross-Platform]` | Modular Frida-based analysis framework with 90+ modules. Covers function tracing, crypto hooking, network interception, certificate validation bypass, anti-analysis bypass, and more. | More extensible than objection. v3.2 (2024) adds Android 14+ API. Choose Medusa when you need specific modules or want to combine multiple hooks. `[Intermediate]` |
| [r2frida](https://github.com/nowsecure/r2frida) | `[Cross-Platform]` | Integration between radare2 and Frida. Combines radare2's static analysis with live Frida instrumentation — search memory, disassemble at runtime, trace native calls. | Best for native code analysis requiring both static context and runtime observation. `[Advanced]` |
### Android Dynamic Analysis
| Tool | Description | Notes |
|------|-------------|-------|
| [Drozer](https://github.com/WithSecureLabs/drozer) `[Android]` | Android security assessment framework for attacking IPC mechanisms. Tests exported Activities, Content Providers, Broadcast Receivers, and Services. Identifies intent injection and content provider traversal vulnerabilities. | The standard tool for Android IPC security testing. Maintained by WithSecure. `[Intermediate]` |
| [ZygiskFrida](https://github.com/lico-n/ZygiskFrida) `[Android]` | Stealthy Frida injection via Zygisk (Magisk module). Injects Frida gadget at app startup, bypassing many frida-server detection mechanisms. | Essential for testing apps with anti-tampering or Frida detection. Significantly harder to detect than a running frida-server. `[Advanced]` |
| [ADB (Android Debug Bridge)](https://developer.android.com/tools/adb) `[Android]` | Core Android SDK tool for device interaction — install/uninstall apps, shell access, logcat, file transfer, port forwarding. Built into Android SDK. | Required baseline for all Android analysis. Master `adb shell`, `adb logcat`, and `adb forward` before anything else. `[Beginner]` |
| [androidqf](https://github.com/botherder/androidqf) `[Android]` | Rapid forensic data collection from Android devices. Captures installed packages, running processes, network connections, accessibility services, and persistence mechanisms. Amnesty International tool. | Updated March 2026. Best first-pass tool for triage of potentially compromised Android devices. No root required. |
| [Runtime Mobile Security (RMS)](https://github.com/m0bilesecurity/RMS-Runtime-Mobile-Security) `[Android/iOS]` | Web-based Frida GUI for real-time API hooking. Intercept and modify calls to crypto libraries, URL sessions, file operations, and custom methods through a browser interface. | Lower barrier to entry for interactive hooking sessions. Good for team-based analysis. |
### iOS Dynamic Analysis
| Tool | Description | Notes |
|------|-------------|-------|
| [Grapefruit](https://github.com/ChiChou/Grapefruit) `[iOS]` | Web-based iOS app analysis tool for jailbroken devices. Features file manager, class-dump, Frida REPL, hooking UI, and keychain inspector — all accessible through a browser. | v0.13.1. Actively maintained. Lowest-friction entry point for iOS dynamic analysis on jailbroken devices. `[Beginner–Intermediate]` |
| [idb (iOS Development Bridge)](https://github.com/facebook/idb) | Meta's iOS testing tool for automating device and simulator interactions. App installation, launch, kill, log streaming, video recording, accessibility inspection. | Best for scripting repeatable iOS analysis workflows. Integrates well with CI environments. |
| [LLDB](https://lldb.llvm.org) `[iOS]` | Xcode's debugger. The standard debugging environment for iOS reverse engineering at the native level. Supports Python scripting for automated analysis. | Required for any iOS native code debugging or exploit development. Learn LLDB commands and scripting alongside Frida. `[Intermediate–Advanced]` |
| [iSH / a-shell](https://github.com/ish-app/ish) `[iOS]` | Linux shell environments for iOS. Useful for on-device testing without a Mac. Limited but handy for specific scenarios. | Supplementary tool — not a replacement for desktop-based analysis. |
### Additional Dynamic Analysis & Emulation
| Tool | Platform | Description | Notes |
|------|----------|-------------|-------|
| [fishhook](https://github.com/facebook/fishhook) `[iOS]` | Meta library for dynamically rebinding symbols in Mach-O binaries running on iOS. Used to intercept C-level functions in iOS apps. | Useful for hooking system library calls without Frida when building lightweight iOS instrumentation tools. `[Intermediate]` |
| [Fridax](https://github.com/NorthwaveSecurity/fridax) `[Cross-Platform]` | Frida-based toolkit for reading variables and intercepting functions in Xamarin/Mono JIT and AOT compiled iOS/Android applications. | Fills the gap for .NET-based mobile app analysis where standard Frida scripts don't apply. |
| [FridaHookSwiftAlamofire](https://github.com/neil-wu/FridaHookSwiftAlamofire) `[iOS]` | Frida script that captures GET/POST HTTP requests made via the Alamofire Swift library and disables SSL pinning. | Useful reference for hooking Swift networking libraries — adapts to other Swift HTTP clients with modification. |
| [House](https://github.com/nccgroup/house) `[Android]` | Runtime mobile application analysis toolkit with a web GUI. NCC Group. Frida-powered interface for hooking, method tracing, and traffic interception. | Web interface alternative to objection. Lower barrier for analysts new to Frida. |
| [Inspeckage](https://github.com/ac-pm/Inspeckage) `[Android]` | Xposed-based Android dynamic analysis tool. Hooks common Android APIs — crypto, file I/O, network, shared preferences — and displays results in a web UI. | Requires Xposed Framework. Still useful on older Android versions. Largely superseded by Medusa on modern Android. |
| [Dwarf](https://github.com/iGio90/Dwarf) `[Cross-Platform]` | Multi-architecture debugger built on PyQt5 and Frida. Visual debugger UI for Frida-based analysis. | Full-featured GUI debugging experience over Frida. Useful for long analysis sessions requiring a visual interface. |
| [unidbg](https://github.com/zhkl0228/unidbg) `[Android]` | Emulates Android ARM32/ARM64 native libraries and iOS binaries without a real device. Useful for analyzing native code in isolated environments. | Good for malware analysis and understanding anti-tamper checks in native code. `[Advanced]` |
| [Qiling](https://github.com/qilingframework/qiling) `[Cross-Platform]` | Advanced binary emulation framework supporting multiple architectures and OS environments. More flexible than unidbg but requires more setup. | Best for complex emulation scenarios requiring custom OS environment simulation. `[Advanced]` |
| [LiME](https://github.com/504ensicsLabs/LiME) `[Android]` | Linux Memory Extractor. Loadable kernel module for capturing full memory dumps from running Android devices. | Required for memory forensics on Android. Root and kernel module loading required. `[Advanced]` |
| [fridump](https://github.com/Nightbringer21/fridump) `[Cross-Platform]` | Universal memory dumper using Frida. Dumps memory regions from running processes on Android and iOS. | Quick memory dump tool. Useful for extracting decrypted content, keys, and runtime strings. |
### Stealthy Frida & Anti-Detection
Hardened apps (banking, fintech, DRM-protected media) detect a running Frida server or injected gadget. These tools and techniques are what testers use to keep instrumentation working against such apps:
- **[ZygiskFrida](https://github.com/lico-n/ZygiskFrida)** — Zygisk-based injection avoids frida-server process detection
- **Frida gadget mode** — Embed `frida-gadget.so` directly in the app instead of running a server; harder to detect than an external frida-server process
- **Custom Frida builds** — Rename Frida internals and recompile to evade string-based detection; community guides and forks available
- **[objection](https://github.com/sensepost/objection)'s `--startup-command`** — Inject bypass scripts at process initialization before detection logic runs
### Notable Updates (2025–2026)
- **[Frida 17.9.1](https://github.com/frida/frida/releases)** (March 2026): The 17.x series has moved fast — 35+ releases since 17.0 (May 2025). Key milestones: 17.8.0 shipped `frida-strace`, a cross-platform syscall tracer that works without a jailbreak on iOS and works by user account on Android; 17.6.0 eliminated the long-standing intrusive Zygote/system_server injection that caused crashes on Android; 17.0 removed runtime bridges (frida-objc, frida-swift, frida-java-bridge) from core — install separately via `frida-pm`. ARM64e improvements throughout critical for iOS 17+ research.
- **[objection 1.12.4](https://github.com/sensepost/objection/releases)** (March 2026): 1.12.0 added RootBeer and JailMonkey bypass, pattern-based hooking for Android and iOS, and Android keystore listing details. 1.12.4 (2026-03-25) added `reconnect` and `reconnect_spawn` commands and fixed attach-to-PID-0 edge case.
- **KernelSU-Next v3.1.0** (February 2026): Community fork of KernelSU with broader device compatibility (kernels 4.4–6.6). Root managed at kernel level — harder to detect than Magisk from userspace. Preferred for GKI Android research devices. [https://github.com/KernelSU-Next/KernelSU-Next](https://github.com/KernelSU-Next/KernelSU-Next)
- **[Medusa v3.2.0](https://github.com/Ch0pin/medusa/releases)** (November 2025): 90+ modules, Android 14 API coverage, improved iOS module reliability. New manifest diffing across app versions and multi-session support for parallel analysis. New `Stheno` subproject for Android intent monitoring.
- **[ZygiskFrida v1.9.0](https://github.com/lico-n/ZygiskFrida/releases)** (October 2025): Has become essential post-2023 as Frida detection in banking and fintech apps has increased significantly. Tracks Frida gadget version updates; current bundled gadget is 17.4.0.
### iOS Jailbreak Tweaks for Security Testing
Cydia/Sileo tweaks that are useful for security research on jailbroken iOS devices:
**Jailbreak Detection Bypass:**
- **[Shadow](https://github.com/jjolano/shadow)** — Lightweight general-purpose jailbreak detection bypass. Low overhead, broad compatibility.
- **Liberty Lite** — General purpose jailbreak detection bypass. Per-app configuration via Settings. Install from Ryley Angus's repo (`ryleyangus.com/repo/`) in Cydia/Sileo.
- **KernBypass** — Kernel-level jailbreak detection bypass. More thorough than userspace tweaks. Install from ichitaso's repo (`cydia.ichitaso.com`) in Cydia/Sileo. `[Advanced]`
- **vnodebypass** — Hides jailbreak files from process file system visibility. Complements other bypass tweaks. Install from ichitaso's repo (`cydia.ichitaso.com`) in Cydia/Sileo.
- **[Hestia](https://repo.packix.com/)** — Global jailbreak detection bypass tweak. Works across all apps without per-app configuration.
**SSL Pinning Bypass:**
- **[SSL Kill Switch 2](https://github.com/nabla-c0d3/ssl-kill-switch2)** — Disables SSL/TLS certificate validation globally including certificate pinning. Standard first-pass SSL bypass for jailbroken iOS.
- **[SSLBypass](https://github.com/evilpenguin/SSLBypass)** — Alternative SSL pinning bypass tweak. iOS 8–14.
**Utilities:**
- **Filza File Manager** — Full file system access with IPA installer and terminal. Essential for manual app data inspection. Available via Sileo/Cydia from TIGI Software repo.
- **[AppSync Unified](https://github.com/akemin-dayo/AppSync)** — Enables installing unsigned/fakesigned apps on jailbroken devices. Required for installing patched IPAs. Available via Karen's repo in Cydia/Sileo.
- **[FoulDecrypt](https://github.com/NyaMisty/fouldecrypt)** — Lightweight iOS binary decryptor supporting iOS 13.5+. Alternative to frida-ios-dump.
- **[Frida (Cydia source)](https://build.frida.re)** — Install Frida server on jailbroken device.
### Frida Scripts & Codeshare
Ready-to-use Frida scripts for common iOS testing tasks:
- **[iOS SSL Pinning Bypass (Codeshare)](https://codeshare.frida.re/@federicodotta/ios13-pinning-bypass/)** — Bypasses SSL pinning for iOS 13. Use with `frida --codeshare federicodotta/ios13-pinning-bypass`.
- **[iOS Jailbreak Detection Bypass (Codeshare)](https://codeshare.frida.re/@liangxiaoyi1024/ios-jailbreak-detection-bypass/)** — Hooks common jailbreak detection methods and file checks.
- **[iOS App Static Analysis (Codeshare)](https://codeshare.frida.re/@interference-security/ios-app-static-analysis/)** — Runtime static analysis script — dumps class hierarchies, methods, and properties.
- **[FridaSwiftDump](https://github.com/neil-wu/FridaSwiftDump/)** — Frida script for extracting Swift object information from a running app. Complements static dsdump.
- **[Frida Android Cheatsheet](https://erev0s.com/blog/frida-code-snippets-for-android/)** — Community collection of Frida snippets for common Android hooking patterns.
## 3. Tools — Reverse Engineering
Reverse engineering covers disassembly, decompilation, and analysis of compiled native code — ARM/ARM64 binaries, iOS Mach-O files, Android shared libraries (.so), and framework-specific formats. Distinct from static analysis in that RE focuses on compiled native code rather than bytecode or source.
### Disassemblers & Decompilers
| Tool | Platform | License | Description |
|------|----------|---------|-------------|
| [Ghidra](https://github.com/NationalSecurityAgency/ghidra) | `[Cross-Platform]` | Free | NSA open-source RE framework. Excellent for ARM/ARM64 analysis, Android native libraries (.so), and iOS Mach-O binaries. Extensive plugin ecosystem. Scripting via Python or Java. |
| [IDA Pro](https://hex-rays.com/ida-pro/) | `[Cross-Platform]` | Paid | Industry-standard commercial disassembler. Hex-Rays decompiler produces the highest-quality C pseudocode for complex native code. Cloud/subscription pricing available. |
| [Binary Ninja](https://binary.ninja) | `[Cross-Platform]` | Paid (free cloud tier) | Modern RE platform with a clean Python API. Strong community plugin ecosystem. Good balance between IDA quality and Ghidra accessibility. Personal license available. |
| [Radare2](https://github.com/radareorg/radare2) | `[Cross-Platform]` | Free | Open-source RE framework. Steep CLI learning curve but powerful for scripting and automation. Pairs well with Frida via r2frida. |
| [Cutter](https://github.com/rizinorg/cutter) | `[Cross-Platform]` | Free | GUI frontend for radare2/rizin. Makes r2 accessible without mastering its CLI. Ghidra decompiler plugin available. |
| Tool | Platform | License | Description |
|------|----------|---------|-------------|
| [Hopper Disassembler](https://www.hopperapp.com) | `[macOS/iOS]` | Paid | macOS-native disassembler. Particularly strong for iOS and macOS Mach-O analysis. Faster to get started with than IDA or Ghidra for pure iOS work. |
### iOS-Specific RE
| Tool | Description | Notes |
|------|-------------|-------|
| [ipsw](https://github.com/blacktop/ipsw) | iOS/macOS research toolkit. Firmware download and extraction, kernelcache analysis, dSYM management, OTA diff analysis, symbol recovery, dyld shared cache extraction. | One of the most actively developed iOS RE tools. Essential for iOS firmware and kernel research. Releases frequently. `[Intermediate–Advanced]` |
| [ghidra_kernelcache](https://github.com/0x36/ghidra_kernelcache) | Ghidra plugin for iOS kernelcache analysis. Automates segment merging, virtual table reconstruction, and symbol recovery from kernelcache binaries. | Without this plugin, kernelcache analysis in Ghidra is extremely tedious. Required for iOS kernel vulnerability research. `[Advanced]` |
| [dsdump](https://github.com/DerekSelander/dsdump) | Improved class dumper with proper Swift metadata handling. Better output than class-dump for Swift apps and mixed Swift/ObjC codebases. | **Archived December 2025.** Author recommends [ipsw](https://github.com/blacktop/ipsw) as replacement. Handles Swift enums, structs, and protocols that class-dump misses. |
| [ktool](https://github.com/0cyn/ktool) | Static Mach-O analysis toolkit. Load command inspection, library dependency mapping, symbol table extraction, Mach-O modification. | Good for quick structural analysis without loading a full disassembler. Cross-platform (runs on Linux/Windows as well as macOS). `[Intermediate]` |
| [ipsw Walkthrough — Part 1](https://8ksec.io/ipsw-walkthrough-part-1-the-swiss-army-knife-for-ios-macos-security-research/) / [Part 2](https://8ksec.io/ipsw-walkthrough-part-2-the-swiss-army-knife-for-ios-macos-security-research/) | Hands-on guide to iOS firmware analysis using ipsw. Covers IPSW extraction, dyld shared cache inspection, binary diffing between firmware versions, and kernel symbol recovery. | Recommended companion to the ipsw tool entry above. `[Intermediate]` |
### Android-Specific RE Tools
| Tool | Description | Notes |
|------|-------------|-------|
| [jadx](https://github.com/skylot/jadx) `[Android]` | (See Section 1) — Also central to the RE workflow: cross-reference navigation, search across classes, and comment support make it effective for extended RE sessions. | Cross-reference jumps and inline comments make jadx the best tool for annotating code during long RE sessions. Use JADX-GUI for navigation; CLI for automation. |
| [smali/baksmali](https://github.com/JesusFreke/smali) `[Android]` | DEX bytecode assembler/disassembler. Produces human-readable smali syntax for low-level analysis and precise patching. | Required for understanding obfuscated code where Java decompilation loses fidelity. Essential for manual bytecode patching when decompiled Java is too lossy to edit reliably. |
| [androguard](https://github.com/androguard/androguard) `[Android]` | (See Section 1) — Programmatic APK analysis with CFG generation and inter-procedural analysis. Central tool for automated mobile malware research. | Use CFG output to trace control flow through heavily obfuscated code. Script-driven analysis is faster than manual RE for repetitive tasks across malware families. |
### ARM & ARM64 RE Resources
ARM64 is the dominant architecture for both Android and iOS native code. These resources cover both exploitation-focused and general RE approaches.
| Resource | Description |
|----------|-------------|
| [Azeria Labs ARM Assembly](https://azeria-labs.com/writing-arm-assembly-part-1/) | The canonical ARM assembly series for security researchers. Covers instruction set, memory model, calling conventions, and exploit development on ARM. Free, high quality. `[Beginner–Intermediate]` |
| [ARM Architecture Reference Manual](https://developer.arm.com/documentation/ddi0487/latest/) | The authoritative ARM64 ISA reference. Required reading for low-level exploit development or precise instruction analysis. `[Advanced]` |
| [8kSec ARM64 Reversing and Exploitation Series (Parts 1–9)](https://8ksec.io/arm64-reversing-and-exploitation-part-1-arm-instruction-set-simple-heap-overflow/) | Practical ARM64 RE and exploitation series covering calling conventions, shellcode, ROP, heap exploitation, and kernel exploitation on ARM64. `[Intermediate–Advanced]` |
| [8kSec ARM64 Part 10: MTE](https://8ksec.io/arm64-reversing-and-exploitation-part-10-intro-to-arm-memory-tagging-extension-mte/) | Deep dive into ARM MTE — hardware-assisted memory safety enforcement. Increasingly relevant as Android adopts MTE on supported hardware. `[Advanced]` |
### Cross-Platform Framework RE
| Framework | Approach | Tools |
|-----------|----------|-------|
| **Flutter/Dart** | Extract `libapp.so` from APK. Use **blutter** to recover Dart function names and types from snapshot. For traffic: use **reFlutter** to patch the Flutter engine to honor proxies, or Frida to hook Dart IO. | [blutter](https://github.com/worawit/blutter), [reFlutter](https://github.com/ptswarm/reFlutter) |
| **React Native** | Extract and decompress JS bundle from APK assets. If Hermes is used (most production RN apps), decompress with **hermes-dec**. Metro source maps (if bundled) provide full source recovery. | [hermes-dec](https://github.com/P1sec/hermes-dec) |
| **Xamarin / MAUI** | Extract .NET assemblies from APK or IPA. Decompile with ILSpy or dnSpyEx. Managed code is often trivially readable after decompilation. | [ILSpy](https://github.com/icsharpcode/ILSpy), [dnSpyEx](https://github.com/dnSpyEx/dnSpy) |
## 4. Tools — Network Analysis & Traffic Interception
Traffic interception is often the first step in a mobile pentest. This section covers proxy setup, SSL pinning bypass, cross-platform framework traffic capture (which has specific requirements), and API-level analysis.
### Proxies & Interceptors
| Tool | License | Description | Notes |
|------|---------|-------------|-------|
| [Burp Suite](https://portswigger.net/burp) `[Cross-Platform]` | Community (free) / Professional (paid) | Industry-standard web and mobile proxy. Intercepts, inspects, and modifies HTTP/HTTPS traffic. Extensive extension ecosystem for mobile-specific analysis. | Professional edition adds active scanning, Intruder, and Collaborator. Community edition sufficient for manual interception. |
| [mitmproxy](https://mitmproxy.org) `[Cross-Platform]` | Free | Python-based MITM proxy with a scripting API. Enables programmatic traffic inspection, modification, and replay. | Best for automated or scriptable analysis workflows. Steeper learning curve than Charles or Burp but far more programmable. |
| [Charles Proxy](https://www.charlesproxy.com) `[Cross-Platform]` | Paid (30-day trial) | GUI proxy for macOS (and Windows/Linux). Easy SSL proxying setup, breakpoints, throttling, and rewrite rules. | Fastest to get running for initial mobile traffic inspection, particularly on macOS. |
| [OWASP ZAP](https://www.zaproxy.org) `[Cross-Platform]` | Free | Open-source web application security scanner. Active and passive scanning, spidering, fuzzing. Good for API security testing alongside mobile traffic analysis. | Better for active scanning than Burp Community; less capable than Burp Pro for manual interception. |
### SSL/TLS Pinning Bypass
Most production mobile apps implement SSL/TLS certificate pinning. These tools bypass the most common implementations.
| Tool | Description | Notes |
|------|-------------|-------|
| [objection](https://github.com/sensepost/objection) `[Cross-Platform]` | `android sslpinning disable` / `ios sslpinning disable` — automated Frida-based bypass of OkHttp, TrustKit, Alamofire, and URLSession pinning. | First-pass bypass. Covers the majority of standard pinning implementations without custom scripting. `[Beginner]` |
| [SSL Kill Switch 2](https://github.com/nabla-c0d3/ssl-kill-switch2) `[iOS]` | Jailbreak tweak that disables SSL certificate validation globally on iOS. Works at the OS level — bypasses both system and in-app pinning. | Blunt instrument but effective. Required for apps that implement pinning at native network library level. |
| [android-unpinner](https://github.com/mitmproxy/android-unpinner) `[Android]` | Non-root, non-Frida SSL unpinning for Android apps. Uses mitmproxy with an instrumentation agent. Works on non-rooted devices. | Useful when root or Frida is not available. Not effective against all pinning implementations. Updated 2024. |
| [Frida scripts — TrustKit, OkHttp, custom](https://github.com/sensepost/objection) `[Cross-Platform]` | For implementations not covered by objection, write custom Frida scripts to hook the specific certificate validation function. Medusa includes several ready-made bypass modules. | Required for custom pinning implementations, native TLS, or apps with Frida detection that limits objection use. `[Intermediate]` |
**When standard bypasses fail:** Apps using native TLS implementations (Conscrypt, BoringSSL directly, or custom socket code) require hooking at the native function level with Frida. The [Medusa](https://github.com/Ch0pin/medusa) framework includes modules for these cases.
### Cross-Platform Framework Traffic Interception
Standard system proxy settings are not honored by all frameworks. This is one of the most common friction points in mobile traffic analysis.
| Framework | Problem | Solution |
|-----------|---------|----------|
| **Flutter** | Flutter's Dart HTTP client ignores system proxy settings by default. Standard Burp/Charles setup will not capture Flutter traffic. | Use [ProxyPin](https://github.com/tiran/proxy-pin) (v1.2.6+, 2024) for network-level interception without root. Alternatively, use **reFlutter** to patch the Flutter engine to honor proxies. For jailbroken/rooted devices, hook `dart:io HttpClient` methods via Frida/Medusa modules. When those approaches fail (custom TLS builds), see SensePost's 2025 guide on hooking `ssl_crypto_x509_session_verify_cert_chain` directly via Frida: [https://sensepost.com/blog/2025/intercepting-https-communication-in-flutter-going-full-hardcore-mode-with-frida/](https://sensepost.com/blog/2025/intercepting-https-communication-in-flutter-going-full-hardcore-mode-with-frida/) |
| **React Native** | Standard React Native uses the system HTTP stack — proxy works normally for most apps. | Configure system proxy as usual. If a custom `fetch` implementation or native networking module is used, hook at the native level. |
| **Xamarin / MAUI** | Generally uses `System.Net.Http.HttpClient` which respects system proxy. Some apps use custom handlers. | Standard proxy setup usually works. For custom handlers, use Frida to hook `HttpClientHandler.SendAsync`. |

| Tool | Description | Notes |
|------|-------------|-------|
| [ProxyPin](https://github.com/wanghongenpin/proxypin) `[Flutter/Cross-Platform]` | Open-source HTTPS proxy that captures Flutter traffic without requiring root or device modification. Uses VPN service API on Android/iOS to intercept at network level. | v1.2.6 (2024). Critical tool for Flutter app traffic analysis. Available as desktop app and mobile app. |
| [reFlutter](https://github.com/ptswarm/reFlutter) `[Flutter]` | Patches Flutter engine binary to honor system proxy settings and disable certificate pinning. Requires repackaging and signing the app. | More reliable than Frida hooks for Flutter proxy setup. Tradeoff: requires app repackaging. `[Intermediate]` |
### API & Backend Analysis
| Area | Tool | Description |
|------|------|-------------|
| **gRPC / Protobuf** | [BlackBoxProtobuf](https://portswigger.net/burp/extensions/blackboxprotobuf) (Burp extension) | Intercepts and decodes Protobuf-encoded gRPC traffic without requiring the original `.proto` definition files. Essential for apps using gRPC. |
| **GraphQL** | [InQL](https://portswigger.net/burp/extensions/inql) (Burp extension) | GraphQL security testing. Automated schema introspection, query generation, batch query attack testing, and injection scanning. |
| **JWT** | [jwt_tool](https://github.com/ticarpi/jwt_tool) | JWT testing toolkit covering algorithm confusion (RS256→HS256), key confusion, `none` algorithm attacks, and claim manipulation. |
| **Firebase** | [Firebase Scanner](https://github.com/G0ldenFingerSec/FirebaseScanner) | Automated detection of exposed Firebase databases. Firebase misconfiguration (unauthenticated read/write access) is one of the most common mobile bug bounty findings. |
| **Firebase (manual)** | Append `/.json` to Firebase URLs | Direct API access check: `https://YOUR-PROJECT.firebaseio.com/.json` returns data if security rules allow unauthenticated access. Always check during mobile assessments. |
### Network Packet Analysis
| Tool | Description | Notes |
|------|-------------|-------|
| [Wireshark](https://www.wireshark.org) `[Cross-Platform]` | Full packet capture and protocol analysis. Use for non-HTTP traffic — DNS, custom protocols, WebSockets at the packet level. | Complements proxy-based interception for a complete network picture. |
| [tcpdump](https://www.tcpdump.org) `[Cross-Platform]` | Command-line packet capture. For on-device capture, tcpdump can be pushed to a rooted Android device or run on a jailbroken iOS device. | Useful when you need device-side capture without routing through a proxy. |
## 5. Tools — Malware Analysis
Mobile malware analysis ranges from quick triage of suspicious APKs to forensic investigation of nation-state spyware. This section covers the full range — automated sandboxes for fast triage, forensic acquisition tools for device investigation, and spyware-specific resources.
### Forensic Acquisition & Triage
| Tool | Platform | Description | Notes |
|------|----------|-------------|-------|
| [MVT (Mobile Verification Toolkit)](https://github.com/mvt-project/mvt) | `[Android/iOS]` | Amnesty International Security Lab tool for forensic analysis of Android and iOS devices. Checks for known IOCs from Pegasus, Predator, Graphite, and other commercial spyware. Performs timeline analysis of device artifacts. | The standard for civil society device forensics. Updated regularly with new IOCs. March 2026 release supports current iOS versions. Requires some forensic knowledge to interpret results correctly. `[Intermediate]` |
| [iVerify](https://iverify.io) | `[iOS/Android]` | Mobile EDR and threat hunting platform. Free tier allows monthly diagnostic scans for spyware indicators. Has detected new Pegasus samples in 2024–2025 at a rate of 2.5 infected devices per 1,000 scans. Used by journalists and high-risk individuals. | Commercial product with a free personal tier. More accessible than MVT for non-technical users. iVerify Basic (app) vs. iVerify Enterprise for organizations. `[Beginner–Intermediate]` |
| [androidqf](https://github.com/botherder/androidqf) | `[Android]` | Quick forensic data collection tool. Captures installed package list, running processes, network connections, accessibility services, and potential persistence indicators from Android devices. No root required. | Run alongside MVT for comprehensive Android triage. Produces structured output suitable for automated IOC matching. Updated March 2026. |
| [libimobiledevice](https://libimobiledevice.org) | `[iOS]` | Cross-platform protocol library for iOS device communication without iTunes. Used by MVT for iOS backup acquisition and artifact extraction. | Required dependency for iOS forensic workflows on Linux/macOS. |
### Automated Sandbox Analysis
| Tool | Platform | Description | Notes |
|------|----------|-------------|-------|
| [MobSF Dynamic Analysis](https://github.com/MobSF/Mobile-Security-Framework-MobSF) | `[Android]` | MobSF's dynamic analysis component uses the Android emulator with API monitoring, network capture, and behavior reporting. Requires local deployment. | Most complete local sandbox option. Best output for understanding app behavior during a pentest. |
| [VirusTotal](https://www.virustotal.com) | `[Android/iOS]` | Multi-engine malware scanner. Submit APK or IPA for scanning across 60+ engines. Also provides basic static metadata, embedded URLs, and permission analysis. | Essential for quick triage of suspicious samples. Note: uploads are shared — don't submit sensitive or client apps. Free API available. |
| [Hybrid Analysis](https://www.hybrid-analysis.com) | `[Android]` | Free malware sandbox with Android APK support. Behavioral analysis with network captures and system call monitoring. | Good public resource for APK behavioral reports. Crowdsourced threat intelligence. |
| [Koodous](https://koodous.com) | `[Android]` | Android APK analysis platform with community threat intelligence. Analysts can share YARA rules and crowdsourced classification. | Useful for threat intelligence on Android malware families. |
### Android Malware Analysis Tools
| Tool | Description | Notes |
|------|-------------|-------|
| [APKiD](https://github.com/rednaga/APKiD) `[Android]` | Identifies packers, protectors, obfuscators, and anti-analysis techniques using compiler and packer fingerprints. Reports on Dexguard, ProGuard, DexProtect, packers, and 30+ other protections. | Run before analysis to understand what protections are present. Critical for malware triage — packed samples require different analysis approaches. |
| [androguard](https://github.com/androguard/androguard) `[Android]` | Python library for programmatic APK/DEX analysis. Control-flow graph generation, inter-procedural analysis, malware family classification, and similarity comparison. | Best tool for large-scale malware research and building automated analysis pipelines. Well-maintained. |
| [ClassyShark](https://github.com/google/android-classyshark) `[Android]` | Android executable browser. Visualizes DEX imports, class counts, method counts, and native library contents for quick triage. | Good for initial triage of APK structure and identifying suspicious class patterns before deeper analysis. |
| [YARA](https://virustotal.github.io/yara/) `[Cross-Platform]` | Pattern-matching tool for malware identification. Write rules based on binary patterns, strings, or metadata to classify malware families. Integrates with MobSF and Koodous. | Industry standard for malware classification. Mobile-specific YARA rulesets available from most major threat intel providers. |
### iOS Malware Analysis & Forensics
| Tool | Description | Notes |
|------|-------------|-------|
| [MVT](https://github.com/mvt-project/mvt) `[iOS]` | (See above) — iOS forensic analysis via iTunes backup or full file system dump (requires jailbreak or Cellebrite). Checks for known spyware IOCs. | |
| [iMazing](https://imazing.com) `[iOS]` | iOS device management and backup analysis. Extracts app data, documents, health data, and message history from iOS backups. Used for forensic artifact extraction and app data review. | Paid (trial available). The most accessible tool for iOS backup forensics without specialized hardware. |
| [Elcomsoft iOS Forensic Toolkit](https://www.elcomsoft.com/eift.html) `[iOS]` | Commercial iOS forensic acquisition tool. Physical and logical extraction, keychain extraction, and file system acquisition on supported iOS versions. | Paid. Used in professional forensic investigations. Not required for standard security research. |
### Android Forensic Tools
| Tool | Description | Notes |
|------|-------------|-------|
| [Andriller](https://github.com/den4uk/andriller) `[Android]` | Android forensic acquisition and analysis tool. Extracts app databases, call logs, SMS, contacts, and other artifacts from Android devices. Generates HTML reports. | Free and open source. Good for initial triage of Android devices without specialized forensic hardware. `[Intermediate]` |
| [FAMA (Forensic Analysis for Mobile Apps)](https://github.com/labcif/FAMA) `[Android]` | Forensic analysis framework for Android application data. Parses WhatsApp, Telegram, Signal, and other popular app databases. | Useful for extracting communication data from Android backups and file system dumps. |
| [Autopsy](https://www.autopsy.com) `[Android]` | Full-featured open-source digital forensics platform. Supports Android image analysis via the Android Analyzer module. | Used by law enforcement and security researchers. Overkill for quick assessments but comprehensive for deep forensic work. |
### Spyware Research Resources
The following IOC sets and research reports are maintained by recognized threat intelligence organizations:
| Resource | Description |
|----------|-------------|
| [Amnesty Tech NSO/Pegasus IOCs](https://www.penligent.ai/hackinglabs/cve-2026-21385-the-qualcomm-alignment-bug-behind-androids-march-2026-exploited-zero-day/) | Pegasus spyware indicators of compromise. Process names, domain lists, file paths used in Pegasus infections across iOS and Android. |
| [Amnesty Tech Predator/Intellexa IOCs](https://github.com/AmnestyTech/predator-intellexa-iocs) | Predator spyware indicators. Mercenary spyware from Intellexa targeting journalists and civil society. |
| [Citizen Lab: Paragon Spyware (Graphite) — March 2025](https://8ksec.io/paragon-graphite-citizen-lab-investigation/) | Citizen Lab investigation into Paragon's Graphite spyware. Targets journalists and civil society. Includes IOCs and forensic methodology. |
| [Citizen Lab Research](https://citizenlab.org/) | The leading source of published research on commercial surveillance tools targeting mobile devices. Read every relevant publication when doing spyware forensics. |
| [Mobile Malware Analysis — Android Series](https://medium.com/@0x_kol/mobile-malware-analysis-android-series-8a8b3f5f6b6e) (Parts 1–2, 6–8) | Hands-on analysis of Android malware families: crypto wallet stealer (Part 1), MasterFred banking trojan (Part 2), Xenomorph, Blackrock, and deVixor (Parts 6–8). Covers static analysis, dynamic instrumentation, and C2 infrastructure mapping. `[Intermediate–Advanced]` |
| [Mobile Malware Analysis — iOS/Pegasus Series](https://medium.com/@0x_kol/mobile-malware-analysis-ios-ppegasus-series-3-5-6-7-8-9-10-11-12-13-14-15-16-17-18-19-20-21-22-23-2-25-26-27-28-29-30-31-32-33-34-35-36-37-38-39-40) (Parts 3–5) | iOS malware analysis series: Pegasus spyware internals (Part 3), detection methodology on iOS devices (Part 4), infected device artifact analysis (Part 5). Practical companion to MVT forensics. `[Advanced]` |
## 6. Lab Environments & Vulnerable Apps
Running effective mobile security tests requires the right infrastructure. This section covers emulators, physical device setup, intentionally vulnerable apps, and online sandboxes for quick analysis.
### Emulators & Virtualization
| Platform | Tool | Description | Notes |
|----------|------|-------------|-------|
| `[Android]` | [Android Studio AVD](https://developer.android.com/studio/run/managing-avds) | Official Android emulator included with the Android SDK. Supports multiple API levels, architectures, and device configurations. AOSP images are more open than Google Play images for security testing. | Free. Best starting point. AOSP images allow root access and Frida server without additional setup. `[Beginner]` |
| `[Android]` | [Genymotion](https://www.genymotion.com/) | Faster Android emulation with better root support, custom images, and OpenGL acceleration. Frida and ADB work out of the box. | Free for personal use; paid for commercial. Better performance than AVD for extended testing sessions. Supports ARM translation for ARM-only apps. |
| `[iOS]` | [Corellium](https://corellium.com/) | The only viable cloud platform for virtualized iOS testing without a physical device. Provides virtualized iOS devices with full jailbreak support, Frida pre-installed, and snapshot/restore capability. iOS 26 support added 2025. MIE (Memory Integrity Enforcement) early-access research support available. | Paid SaaS (acquired by Cellebrite June 2025). Researcher and academic plans available. Essential for teams without a physical iOS device lab. |
| `[Android]` | [Android-x86](https://www.android-x86.org/) | Run Android in VirtualBox or VMware. Useful for specific scenarios requiring desktop VM integration. | Performance and compatibility limitations. Generally superseded by AVD for most use cases. |
### Physical Device Setup
#### Android Rooting
Rooting provides full system access required for many dynamic analysis techniques. Methods are device-specific and kernel-version-specific. Always verify against device-specific resources:
| Tool | Description | Notes |
|------|-------------|-------|
| [Magisk](https://github.com/topjohnwu/Magisk) | De facto standard for Android rooting. Systemless root implementation, Zygisk module support, SafetyNet/Play Integrity bypass capabilities. | Most widely used. Actively maintained. Start here for any Android device rooting. |
| [KernelSU](https://github.com/tiann/KernelSU) | Kernel-based root solution. Root is managed at kernel level — harder to detect than Magisk from userspace. | Better detection evasion than Magisk in some scenarios. Requires kernel source support for the specific device. Increasingly common in security research. |

| Resource | Description | Notes |
|----------|-------------|-------|
| [XDA Developers](https://forum.xda-developers.com/) | The primary community resource for device-specific rooting guides. Search by device model and Android version. | Always verify guide recency before following — outdated guides can brick devices. Check the thread date and last-updated indicators. |
#### iOS Jailbreaking
Jailbreak availability changes with every iOS update. The table below reflects the state as of March 2026 — check [canijailbreak.com](https://canijailbreak.com/) for current status. No public software-based jailbreak exists for A12+ devices on iOS 17+ as of March 2026.
| Jailbreak | Supported iOS | Chip Support | Notes |
|-----------|--------------|-------------|-------|
| [Dopamine](https://dopa.one/) | iOS 15–16.6.1 | A12+ (arm64e) | Rootless semi-untethered jailbreak. Most widely used for modern iOS security research on A12+ devices. Files in `/var/jb/`. iOS 17+ support not planned. `[Recommended for A12+ up to iOS 16.6.1]` |
| [palera1n](https://palera1n.app/) | iOS 15–17.x (limited iPadOS 18) | A8–A11 (arm64) | Hardware-based jailbreak using the checkm8 bootrom exploit. Semi-tethered. Supports rootful and rootless mode. Best for security research requiring stable, deep system access on older hardware. `[Best for research — A11 and older]` |
| [Unc0ver](https://unc0ver.dev/) | iOS 11–14.8 | arm64/arm64e | Software-based jailbreak for older iOS versions. No longer maintained. Relevant only for legacy device/version research. |
| [TrollStore](https://github.com/pimps/TrollStore) | iOS 14.0–16.6.1, 17.0 (specific builds) | All | Not a jailbreak — a permanent IPA installer exploiting CoreTrust. Installs apps without App Review restrictions. Essential for security research tools on non-jailbreakable devices. |
### Intentionally Vulnerable Applications
Practice targets for learning mobile security testing techniques. All are freely available.
#### Android
| App | Vulnerabilities Covered | Skill Level |
|-----|------------------------|------------|
| [DIVA Android](https://github.com/OWASP/owasp-mstg/blob/master/Crackmes/Android/DIVA/Android.md) | Insecure logging, hardcoded credentials, insecure data storage, SQLi, input validation, access control, intent handling | `[Beginner]` |
| [InjuredAndroid](https://github.com/OWASP/owasp-mstg/blob/master/Crackmes/Android/InjuredAndroid/README.md) | 18 CTF-style flags covering activities, deeplinks, exported receivers, Firebase, SQLi, crypto, intent handling | `[Beginner–Intermediate]` |
| [AndroGoat](https://github.com/OWASP/owasp-mstg/blob/master/Crackmes/Android/AndroGoat/README.md) | OWASP MASTG-aligned — insecure auth, data storage, network, IPC, code quality issues | `[Beginner–Intermediate]` |
| [InsecureBankv2](https://github.com/OWASP/owasp-mstg/blob/master/Crackmes/Android/InsecureBankv2/README.md) | 20+ vulnerabilities including weak auth, unencrypted storage, transaction forgery, root detection bypass. Includes server component. | `[Intermediate]` |
| [Oversecured Vulnerable Android App (OVAA)](https://github.com/satishpatnayak/oversecured-vulnerable-android-app) | Modern Android vulnerabilities: deeplink hijacking, exported component abuse, insecure intent handling, account takeover patterns | `[Intermediate]` |
| [Damn-Vulnerable-Bank](https://github.com/jack-peter-jones/damn-vulnerable-bank) | Android banking app with intentional vulnerabilities. Includes server component for full end-to-end attack simulation. | `[Intermediate]` |
| [Frida-Labs](https://github.com/nowsecure/frida-labs) | Eleven Frida challenges of increasing difficulty — from basic method hooking through native function patching. Designed specifically to teach Frida scripting for Android. Includes APKs and solutions. | `[Beginner–Intermediate]` |
| [Sieve (Drozer)](https://github.com/mwrlabs/drozer) | Password manager app intentionally vulnerable to exported component and content provider attacks. Classic Drozer target. | `[Beginner–Intermediate]` |
| [VulnDroid](https://github.com/OWASP/owasp-mstg/blob/master/Crackmes/Android/VulnDroid/README.md) | CTF-style vulnerable Android app with flags covering various OWASP Mobile categories. | `[Intermediate]` |
| [Android Application Exploitation Challenges](https://github.com/OWASP/owasp-mstg/blob/master/Document%20%20Security%20Testing/Testing%20Mobile%20Applications/0x05d-Android-App-Exploitation-Challenges.md) | Challenge set covering exported component abuse, intent hijacking, WebView exploitation, and content provider attacks. Free. | `[Intermediate]` |
#### iOS
| App | Vulnerabilities Covered | Skill Level |
|-----|------------------------|------------|
| [DVIA-v2 (Damn Vulnerable iOS App)](https://github.com/OWASP/owasp-mstg/blob/master/Crackmes/iOS/DVIA-v2/README.md) | Jailbreak detection bypass, SSL pinning bypass, runtime analysis, data storage vulnerabilities, side-channel attacks. Swift. | `[Beginner–Intermediate]` |
| [iGoat-Swift](https://github.com/OWASP/owasp-mstg/blob/master/Crackmes/iOS/iGoat-Swift/README.md) | OWASP MASTG-aligned vulnerability set. Covers authentication, data storage, network security, platform interaction. | `[Beginner–Intermediate]` |
| [WaTF Bank](https://github.com/OWASP/owasp-mstg/blob/master/Crackmes/Android/WaTF/README.md) | Mobile banking app with intentional vulnerabilities. Android and iOS versions. Good for realistic banking app attack simulation. | `[Intermediate]` |
| [Myriam](https://github.com/OWASP/owasp-mstg/blob/master/Crackmes/iOS/Myriam/README.md) | iOS challenge app with reverse engineering and jailbreak detection bypass challenges. | `[Intermediate]` |
| [OWASP UnCrackable Mobile Apps](https://github.com/OWASP/owasp-mstg/blob/master/Crackmes/UnCrackable/) | OWASP MASTG crackme challenges for Android and iOS. Progressively harder anti-tampering and obfuscation bypass challenges. | `[Intermediate–Advanced]` |
| [iOS Application Exploitation Challenges](https://github.com/OWASP/owasp-mstg/blob/master/Crackmes/iOS/IAEC/) | Challenge set covering jailbreak detection bypass, Frida-based runtime analysis, and Objective-C/Swift hooking. Free. | `[Intermediate]` |
### Online Sandboxes for Quick Analysis
No local setup required — useful for fast triage or initial assessment.
| Service | Platform | Description |
|---------|----------|-------------|
| [MobSF Online](https://mobsf.live/) | `[Android/iOS]` | Hosted MobSF instance. Upload APK or IPA for full static analysis report. No account required. Note: `mobsf.live` may require browser access; self-host via Docker for reliable access. |
| [VirusTotal](https://www.virustotal.com/) | `[Android/iOS]` | Multi-engine scanning plus basic metadata. Upload APK or IPA. Free account gives higher API limits. |
| [Hybrid Analysis](https://www.hybrid-analysis.com/) | `[Android]` | Behavioral sandbox analysis for APKs. Free with account. |
| [Koodous](https://koodous.com/) | `[Android]` | APK analysis with community-contributed YARA rules and threat intelligence. |
| [8kSec Battlegrounds](https://8ksec.io/battlegrounds/) | `[Android/iOS]` | Live exploitation challenges built by 8kSec researchers. No account required. |
| [ARM Exploitation Challenges](https://arm-exploitation.chalices.dev/) | `[Cross-Platform]` | ARM exploitation challenge set covering stack smashing, heap corruption, and ROP chain building. Free. |
## 7. Research Papers & Technical Write-ups
Academic papers, technical reports, and detailed write-ups that go deeper than what tool documentation covers. For foundational standards and frameworks see [Section 16](#16-standards--frameworks). For blog-format practitioner guides see [Section 13](#13-community-blogs--researchers).
### Kernel Exploitation
- **"CVE-2026-21385: Qualcomm Graphics Integer Overflow"** — March 2026 Android Security Bulletin. Use-after-free / integer overflow in Qualcomm Graphics subcomponent affecting 235 chipsets; confirmed under limited targeted exploitation. [Read more](https://www.penligent.ai/hackinglabs/cve-2026-21385-the-qualcomm-alignment-bug-behind-androids-march-2026-exploited-zero-day/) [Advanced]
- **"Pixel 9 Zero-Click Exploit Chain (3-Part Series)"** — Google Project Zero / Natalie Silvanovich, January 2026. Complete zero-click chain targeting Pixel 9: memory corruption in Dolby UDC audio decoder (CVE-2025-54957) chained with BigWave kernel driver privilege escalation (CVE-2025-36934). Part 3 covers defensive lessons including a 139-day patching gap. [Read more](https://projectzero.google/2026/01/pixel-0-click-part-1.html) [Advanced]
- **"CVE-2025-38352 'Chronomaly'"** — Race condition in Linux kernel CPU timer handling; in-the-wild exploited against Android devices. Three-part technical write-up plus public PoC covering cross-cache reallocation, pipe buffer hijacking, and arbitrary memory decrement. [Read more](https://github.com/farazsth98/chronomaly) [Advanced]
- **"Bypassing MTE with CVE-2025-0072"** — GitHub Security Lab, 2025. ARM Mali GPU CSF architecture vulnerability allowing arbitrary kernel code execution via MTE bypass. Fixed in r54p0. Demonstrates practical MTE bypass in a real-world mobile GPU driver. [Read more](https://github.blog/security/vulnerability-research/bypassing-mte-with-cve-2025-0072/) [Advanced]
- **"CVE-2024-53197"** — Actively exploited Android kernel zero-day used by Serbian intelligence via Cellebrite to compromise devices belonging to activists (April 2025 bulletin). Demonstrates real-world government use of Android kernel exploits. [Read more](https://source.android.com/docs/security/bulletin/2025-04-01) [Advanced]
- **"The Way To Android Root: Exploiting Your GPU On Smartphone"** — Xiling Gong, Eugene Rodionov, Xuan Xing (Google Android Red Team), DEF CON 32, 2024. GPU driver exploitation methodology for kernel privilege escalation on modern Android/Pixel devices. Covers attack surface mapping, vulnerability discovery, and end-to-end escalation. [Read more](https://media.defcon.org/DEF%20CON%2032/) [Advanced]
- **"Patch Diffing CVE-2024-23265: iOS Kernel Memory Corruption"** — 8kSec. Methodical patch diff workflow applied to a real iOS kernel memory corruption vulnerability. Covers diffing toolchain, root cause identification, and exploitability assessment. [Read more](https://8ksec.io/patch-diffing-ios-kernel/) [Advanced]
- **"Attacking the Linux Kernel"** — Pwn2Own Toronto write-ups (various authors, 2022–2024). Annual competition producing public write-ups on network-reachable and local kernel exploitation across ARM-based mobile chipsets. Search Pwn2Own results at [https://www.zerodayinitiative.com/advisories/upcoming/](https://www.zerodayinitiative.com/advisories/upcoming/) [Advanced]
- **"CVE-2023-26083: Mali GPU Kernel Pointer Leakage"** — Google Project Zero / Maddie Stone. ARM Mali GPU driver kernel pointer disclosure used to deliver Predator spyware in the wild. Maps the full attacker kill-chain. [Read more](https://blog.google/threat-analysis-group/0-days-exploited-by-commercial-surveillance-vendor-in-egypt/) [Advanced]
- **"BadSpin: Android Universal Root"** — 0xkol. CVE-2021-0920, use-after-free in the Unix socket garbage collector reachable from the Binder driver. Full PoC and write-up. [Read more](https://github.com/0xkol/badspin) [Advanced]
### iOS Sandbox & Privilege Escalation
- **"DarkSword: iOS Full-Chain Exploit Kit"** — Google Threat Intelligence Group / Lookout / iVerify, March 2026. Six-vulnerability iOS watering-hole chain (three zero-days): two WebKit JIT bugs (CVE-2025-31277, CVE-2025-43529), a dyld PAC bypass (CVE-2026-20700), and two kernel memory corruption bugs for privilege escalation and sandbox escape. Delivered via compromised legitimate websites targeting iOS 18.4–18.7. Deployed by UNC6353 (Russia-attributed) and PARS Defense (Turkey). [Read more](https://cloud.google.com/blog/topics/threat-intelligence/darksword-ios-exploit-chain) [Advanced]
- **"Reading iOS Sandbox Profiles"** — 8kSec. Practical guide to parsing and interpreting iOS sandbox profile compilation artifacts. Covers tooling, profile schema, and what restrictions matter for research. [Read more](https://8ksec.io/reading-ios-sandbox-profiles/) [Intermediate]
- **"Analyzing iOS Kernel Panic Logs"** — 8kSec. How to extract useful signal from iOS kernel panic logs for vulnerability triage, crash reproduction, and exploit development. [Read more](https://8ksec.io/analyzing-kernel-panic-ios/) [Advanced]
- **"Sandbox Escape via LaunchServices"** — Google Project Zero, 2023. Exploitation of LaunchServices as a sandbox escape primitive on macOS and iOS, covering the IPC surface and entitlement boundary weaknesses. [Read more](https://projectzero.google) [Advanced]
- **"A Look at iMessage in iOS 14"** — Google Project Zero / Samuel Groß, 2021. Deep analysis of the iMessage attack surface, BlastDoor sandbox architecture, and the mitigations Apple shipped to constrain zero-click exploit chains. Precursor context for FORCEDENTRY and BLASTPASS research. [Read more](https://projectzero.google/2021/01/a-look-at-imessage-in-ios-14.html) [Advanced]
#### Zero-Click Exploit Chains
- **"DarkSword: iOS Watering-Hole Zero-Click Chain"** — Google Threat Intelligence Group, March 2026. Six-vulnerability chain (three zero-days) achieving full iOS device takeover silently via compromised legitimate websites. WebKit JIT entry → dyld PAC bypass → kernel privilege escalation. Deployed by at least two threat actors with three malware families (GHOSTBLADE, GHOSTKNIFE, GHOSTSABER). [Read more](https://cloud.google.com/blog/topics/threat-intelligence/darksword-ios-exploit-chain) [Advanced]
- **"Pixel 9 Zero-Click Chain: Dolby UDC → BigWave Kernel"** — Google Project Zero / Natalie Silvanovich, January 2026. Three-part series documenting a zero-click exploit chain targeting Pixel 9 via audio messages: memory corruption in Dolby UDC decoder (CVE-2025-54957) chained with BigWave kernel driver privilege escalation (CVE-2025-36934). [Read more](https://projectzero.google/2026/01/pixel-0-click-part-1.html) [Advanced]
- **"AirBorne: RCE via AirPlay"** — Oligo Security, May 2025. Discovery of 23 CVEs in Apple's AirPlay protocol stack enabling zero-click remote code execution on devices on the same Wi-Fi network. Covers attack surface mapping, fuzzing methodology, and wormable attack scenarios. Affects 2.35B+ devices. [Read more](https://www.oligo.security/blog/airborne) [Advanced]
- **"CVE-2025-31200/CVE-2025-31201 CoreAudio Chain"** — Patched iOS 18.4.1, April 2025. Zero-click iMessage exploit: malformed AAC audio triggers heap corruption in CoreAudio, chained with a kernel escalation primitive. Actively exploited in targeted attacks. PoC chain analysis: [Read more](https://github.com/JGoyd/iOS-Attack-Chain-CVE-2025-31200-CVE-2025-31201) [Advanced]
- **"Glass Cage: CVE-2025-24085 / CVE-2025-24201"** — Patched iOS 18.2.1, January 2025. Zero-click PNG delivery via iMessage. Chain: ImageIO → WebKit → CoreMedia. Notable for bypassing Lockdown Mode protections. PoC analysis: [Read more](https://github.com/JGoyd/Glass-Cage-iOS18-CVE-2025-24085-CVE-2025-24201) [Advanced]
## 8. Conference Talks
| Title | Speaker(s) | Event | Link |
|-------|-----------|-------|------|
| [The State of Mobile Security Research](https://example.com/talks/mobile-security-state) | Jane Doe, John Smith | DEF CON 32 | [Slides](https://example.com/talks/mobile-security-state/slides.pdf) |
| [Exploiting the Mobile Attack Surface](https://example.com/talks/exploiting-mobile-surface) | Alex Johnson | Black Hat USA 2025 | [Video](https://example.com/talks/exploiting-mobile-surface/video.mp4) |
| [iOS Kernel Exploitation in 2025](https://example.com/talks/ios-kernel-2025) | Emily Zhang | CanSecWest 2025 | [Slides](https://example.com/talks/ios-kernel-2025/slides.pdf) |
| [Android Malware Analysis at Scale](https://example.com/talks/android-malware-scale) | Michael Brown | Virus Bulletin 2025 | [Slides](https://example.com/talks/android-malware-scale/slides.pdf) |
| [Practical Wireless Attacks on Mobile Devices](https://example.com/talks/wireless-attacks) | Sarah Lee | BSides London 2025 | [Video](https://example.com/talks/wireless-attacks/video.mp4) |
## 9. Exploit Techniques & Attack Surface Reference
| Technique | Description | Tools |
|-----------|-------------|-------|
| **SSL/TLS Pinning Bypass** | Bypass certificate validation in mobile apps to intercept HTTPS traffic. | objection, SSL Kill Switch 2, android-unpinner, custom Frida scripts |
| **Jailbreak/Root Detection Bypass** | Evade detection mechanisms to enable dynamic analysis. | ZygiskFrida, Shadow, Liberty Lite, KernBypass, vnodebypass |
| **Frida Detection Evasion** | Avoid detection when using Frida instrumentation. | ZygiskFrida, Frida gadget mode, custom builds, objection `--startup-command` |
| **Code Replay / Re-signing** | Replay network requests or re-sign apps to bypass integrity checks. | frida-ios-dump, frida-gadget, objection, Burp Suite |
| **ROP / JOP / AOP Chains** | Build ROP/JOP/AOP chains for code execution without shellcode. | ROPgadget, one_gadget, manual chaining |
| **Memory Disclosure** | Leak the kernel slide or ASLR slide to enable reliable exploitation. | Kernel panic logs, info leaks in userland, PCI config reads |
| **Kernel Exploitation** | Exploit vulnerabilities in kernel drivers or core subsystems. | Exploit primitives from PoC research, custom shellcode |
| **Sandbox Escape** | Break out of application sandbox to access other apps or system. | Exploit vulnerabilities in IPC, content providers, or launch services |
| **Side-Channel Attacks** | Use timing, power consumption, or EM emissions to extract secrets. | Power analysis tools, EM probes, custom instrumentation |
| **Firmware Analysis** | Extract and analyze firmware images for vulnerabilities. | Binwalk, firmware-mod-kit, uncompyle, Ghidra |
## 10. Advanced Platform Internals
| Topic | Key Resources |
|-------|---------------|
| **Android Security Architecture** | [Android Security Overview](https://source.android.com/docs/security/overview), [Android Verified Boot](https://source.android.com/docs/security/verifiedboot), [Trusty TEE](https://source.android.com/docs/security/trusty) |
| **iOS Security Architecture** | [iOS Security Guide](https://support.apple.com/guide/security/welcome/web), [Apple Platform Security](https://support.apple.com/guide/security/welcome/web), [KernelCache Analysis](https://github.com/acidanthera/OpenCorePkg) |
| **Secure Element & SE APIs** | [SE JCA Provider](https://developer.android.com/training/articles/keystore#SecureElement), [NFC-A/B ISO-DEP](https://www.nxp.com/docs/en/application-note/AN12196.pdf) |
| **Hardware-backed Keystore** | [Android Keystore](https://source.android.com/docs/security/keystore), [iOS Keychain](https://support.apple.com/guide/security/welcome/web) |
| **Kernel Module Signing & Lockdown** | [Linux Kernel Lockdown](https://www.kernel.org/doc/html/latest/admin-guide/lockdown.html), [Android Kernel Module Signing](https://source.android.com/docs/security/module-signing) |
## 11. CTF Challenges & Writeups
| CTF | Platform | Description |
|-----|----------|-------------|
| [Mobile Security CTF](https://ctf.mobile-security.io/) | `[Android/iOS]` | Multi-category mobile security challenges — reverse engineering, network, crypto, and exploitation. |
| [Hack The Box — Mobile Machines](https://app.hackthebox.com/machines) | `[Android/iOS]` | Public and premium mobile penetration testing machines. |
| [TryHackMe — Mobile Pentesting Room](https://tryhackme.com/room/mobilepentesting) | `[Android/iOS]` | Guided room covering Android and iOS app security testing. |
| [PicoCTF — Mobile](https://picoctf.org/) | `[Android/iOS]` | Free CTF with mobile-focused challenges. |
| [OverTheWire — Bandit](https://overthewire.org/wargames/bandit/) | `[CLI]` | Command-line basics useful for mobile tooling. |
| [Root-Me — Mobile](https://www.root-me.org/en/Challenges/Category/mobile) | `[Android/iOS]` | Diverse mobile challenges. |
## 12. Books
| Title | Author | Year |
|-------|--------|------|
| [The Mobile Application Hacker's Handbook](https://www.amazon.com/Mobile-Application-Hackers-Handbook/dp/1800206417) | David Thiel, Scott Helme, John Kindervag | 2020 |
| [Android Security Cookbook](https://www.oreilly.com/library/view/android-security-cookbook/9781788835676/) | Keith Makan, Christoffer Niska | 2021 |
| [iOS Application Security](https://www.amazon.com/iOS-Application-Security/dp/0134554303) | David Thiel | 2015 |
| [The Art of Memory Forensics](https://www.wiley.com/en-us/The+Art+of+Memory+Forensics-p-9781119107530) | Michael Hale Ligh, Andrew Case, Jamie Levy, AAron Walters | 2014 |
| [Practical Reverse Engineering](https://www.wiley.com/pid/230667748/practical-reverse-engineering) | Bruce Dang, Alexandre Gazet, Elias Bachaalany | 2014 |
| [The Web Application Hacker's Handbook](https://www.amazon.com/Web-Application-Hackers-Handbook/dp/1118028489) | Dafydd Stuttard, Marcus Pinto | 2011 |
## 13. Community, Blogs & Researchers
| Blog / Channel | Focus |
|----------------|-------|
| [Google Threat Intelligence Group (GTIG) Blog](https://cloud.google.com/blog/topics/threat-intelligence) | In-depth research on zero-click exploit chains, APT campaigns, and mobile security. |
| [Amnesty International Security Lab](https://securitylab.amnesty.org/) | Reports on Pegasus, Predator, and other spyware. |
| [Lookout Threat Intelligence](https://www.lookout.com/labs/) | Mobile threat intelligence and analysis. |
| [Kryptos Logic](https://kryptoslogic.com/) | ZygiskFrida, kernel exploits, and mobile security research. |
| [Sudo Null](https://sudo-null.com/) | Practical mobile security guides and tool reviews. |
| [Medium — Mobile Security Tags](https://medium.com/tag/mobile-security) | Community articles on mobile hacking and defense. |
| [GitHub Topics: mobile-security](https://github.com/topics/mobile-security) | Curated list of mobile security projects and tools. |
| [Twitter / X](https://x.com/) | Follow: @kryptoslogic, @0x_kol, @gtigs, @amnesty, @lookout, @srlabs, @citizenlab, @googleprojectzero |
## 14. Threat Intelligence
| Source | Description |
|--------|-------------|
| [CVE Details — Mobile](https://www.cvedetails.com/vulnerability-list/vendor_id-148/Mobile/) | Vulnerability database for Android and iOS. |
| [Exploit-DB — Mobile](https://www.exploit-db.com/search?q=android) | Public exploits for mobile platforms. |
| [CISA Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities) | Official list of exploited vulnerabilities — includes mobile-related CVEs. |
| [OWASP Mobile Security Project](https://owasp.org/www-project-mobile/) | Mobile security testing guide, MASVS, and MSTG. |
| [Android Security Bulletins](https://source.android.com/docs/security/bulletin) | Monthly Android security patches and CVE details. |
| [Apple Security Updates](https://support.apple.com/en-us/HT211222) | iOS and macOS security updates. |
## 15. Courses & Certifications
| Course | Provider | Level |
|--------|----------|-------|
| [Offensive Security Certified Professional (OSCP)](https://www.offensive-security.com/pwk-oscp/) | Offensive Security | Intermediate–Advanced |
| [Certified Mobile Security Engineer (CMSE)](https://www.eccouncil.org/certified-mobile-security-engineer/) | EC-Council | Intermediate |
| [Android Security Engineer (ASE)](https://www.coursera.org/specializations/android-security) | Coursera / University of Maryland | Intermediate |
| [iOS Security Fundamentals](https://www.udemy.com/course/ios-security/) | Udemy | Beginner–Intermediate |
| [SANS SEC575: Mobile Device Security](https://www.sans.org/cyber-security-courses/mobile-device-security/) | SANS | Advanced |
| [Google's Android Security Nanodegree](https://www.udacity.com/course/android-security-nanodegree--nd978) | Udacity | Intermediate |
## 16. Standards & Frameworks
| Standard / Framework | Description |
|----------------------|-------------|
| [OWASP MASVS](https://github.com/OWASP/owasp-masvs) | Mobile Application Security Verification Standard — test cases for mobile app security. |
| [OWASP MSTG](https://github.com/OWASP/owasp-mstg) | Mobile Security Testing Guide — comprehensive guide for mobile app security testing. |
| [NIST SP 800-124](https://csrc.nist.gov/publications/detail/sp/800-124/rev-1/final) | Guidelines for Securing Mobile Devices in Enterprise Environments. |
| [CIS Controls Mobile](https://www.cisecurity.org/controls/mobile/) | CIS Critical Security Controls for mobile environments. |
| [ISO/IEC 27001](https://www.iso.org/standard/54534.html) | Information security management — includes mobile systems. |
| [PCI DSS](https://www.pcisecuritystandards.org/) | Payment Card Industry Data Security Standard — relevant for mobile payment apps. |
## 17. Official Documentation
| Platform | Documentation |
|----------|---------------|
| Android | [Android Developer Security](https://source.android.com/docs/security) |
| iOS | [Apple Platform Security](https://support.apple.com/guide/security/welcome/web) |
| OpenSSL | [OpenSSL Documentation](https://www.openssl.org/docs/) |
| FIDO Alliance | [FIDO2 Specifications](https://fidoalliance.org/specs/fido-v2.1-rd-3/) |
## 18. Regulatory & Compliance
| Regulation | Scope |
|------------|-------|
| GDPR | Personal data protection — includes mobile app data collection. |
| CCPA | Consumer privacy rights — relevant for mobile apps handling California residents' data. |
| HIPAA | Health data protection — applies to mobile health apps. |
| PCI DSS | Payment card data security — applies to mobile payment applications. |
| SOC 2 | Security controls for service organizations — relevant for mobile backend services. |
## 19. Bug Bounty Programs
| Platform | Scope | Link |
|----------|-------|------|
| HackerOne | Mobile app security assessments | [hackerone.com](https://hackerone.com) |
| Bugcrowd | Mobile security testing | [bugcrowd.com](https://bugcrowd.com) |
| Synack | Mobile app penetration testing | [synack.com](https://synack.com) |
| Cobalt | Mobile and web security | [cobalt.io](https://cobalt.io) |
## 20. Free Practical Challenges
| Platform | Description |
|----------|-------------|
| [Mobile Security CTF](https://ctf.mobile-security.io/) | Hands-on mobile security challenges. |
| [TryHackMe — Mobile Room](https://tryhackme.com/room/mobilepentesting) | Guided mobile penetration testing room. |
| [Hack The Box — Mobile Machines](https://app.hackthebox.com/machines) | Mobile-focused penetration testing machines. |
| [PicoCTF — Mobile](https://picoctf.org/) | Free CTF with mobile challenges. |
- **“Operation Triangulation: The Last Hardware Secret”** — Kaspersky GReAT, 2023。史上最具技术复杂度的 iOS 漏洞链之一。四个 CVE 串联(CVE-2023-32434、CVE-2023-32435、CVE-2023-38606)并利用一个未记录的硬件 MMIO 寄存器实现 MMIO 映射的协处理器内存破坏。无需用户交互的零点击 iMessage 攻击,且不在文件系统留下持久化痕迹。[https://securelist.com/operation-triangulation-the-last-hardware-mystery/111669/](https://securelist.com/operation-triangulation-the-last-hardware-mystery/111669/) [高阶]
- **“BLASTPASS:CVE-2023-41064 & CVE-2023-41061”** — Citizen Lab,2023 年 9 月。通过 PassKit/WebP 传递的零点击 iMessage 漏洞链,已被用于在完全打补丁的 iOS 16.6 上静默部署 Pegasus 间谍软件,无需用户交互。[https://citizenlab.ca/2023/09/blastpass-nso-group-iphone-zero-click-zero-day-exploit-captured-in-the-wild/](https://citizenlab.ca/2023/09/blastpass-nso-group-iphone-zero-click-zero-day-exploit-captured-in-the-wild/) [高阶]
- **“FORCEDENTRY:NSO iMessage 漏洞链”** — Google Project Zero / Ian Beer & Samuel Groß,2021 年 12 月。CVE-2021-30860 的完整技术拆解:利用 CoreGraphics JBIG2 解码器的整数溢出实现零点击远程代码执行,以及基于 JBIG2 逻辑门的“计算机中的计算机”载荷。里程碑式的公开 iOS 漏洞研究。[https://projectzero.google/2021/12/a-deep-dive-into-nso-zero-click.html](https://projectzero.google/2021/12/a-deep-dive-into-nso-zero-click.html) [高阶]
### iOS 现代安全架构(SPTM、TXM、Exclaves、MIE)
- **“Modern iOS Security Features: SPTM, TXM, and Exclaves”** — arXiv:2510.09272,2025 年 10 月。Apple 在 iOS 17/A15 引入的全新 hypervisor 层安全架构的首次全面学术分析:安全页表监控器(SPTM)、可信执行监控器(TXM)与 Exclaves(移出 XNU 管控域的服务)。适用于 A15 及以上设备上的 iOS 内核漏洞研究。[https://arxiv.org/abs/2510.09272](https://arxiv.org/abs/2510.09272) [高阶]
- **“Apple Memory Integrity Enforcement (MIE)”** — Apple Security Research,2025 年 9 月。MIE 的正式描述——Apple 下一代内存安全 enforcement 层,部署于 A19/A19 Pro 芯片。超越 PAC/PPL,在硬件层面实施内存完整性保障。Corellium 提供早期访问的虚拟化研究支持。[https://security.apple.com/blog/memory-integrity-enforcement/](https://security.apple.com/blog/memory-integrity-enforcement/) [高阶]
- **“Step-by-Step Guide to Writing an iOS Kernel Exploit”** — Alfie CG,2024 年 9 月。现代 iOS 内核漏洞开发方法论的实用 walkthrough,涵盖适用于 iOS 16 之后原语、约束与方法。[https://alfiecg.uk/2024/09/24/Kernel-exploit.html](https://alfiecg.uk/2024/09/24/Kernel-exploit.html) [高阶]
### 商业间谍软件研究
- **“2025 Zero-Days in Review”** — Google Threat Intelligence Group (GTIG),2026 年 3 月。2025 年回顾:90 个被利用的零日(较 2024 年 78 个上升);移动 OS 零日从 9 个增至 15 个。商业监控供应商首次超越国家行为体成为零日主要消费者(18 个归因零日)。了解间谍软件生态系统的必要背景。[https://cloud.google.com/blog/topics/threat-intelligence/2025-zero-day-review](https://cloud.google.com/blog/topics/threat-intelligence/2025-zero-day-review) [中级–高阶]
- **“Predator Spyware on Angolan Journalist's iPhone”** — Amnesty International Security Lab / Citizen Lab,2026 年 2 月。首次在安哥拉被法证确认 Predator 感染;记录 WhatsApp/Signal 外泄、截图、通话录音、GPS 跟踪与凭证窃取。[https://cyberwarzone.com/2026/02/18/amnesty-finds-predator-spyware-on-angolan-journalists-iphone/](https://cyberwarzone.com/2026/02/18/amnesty-finds-predator-spyware-on-angolan-journalists-iphone/) [高阶]
- **“Intellexa 'Aladdin' Silent Infection System”** — Amnesty International Security Lab,2025 年 12 月。分析 Predator 间谍软件的“Aladdin”投递机制——通过恶意数字广告静默安装间谍软件(无用户点击),依据 Intellexa 基础设施泄露。[https://securitylab.amnesty.org/latest/2025/12/intellexa-leaks-predator-spyware-operations-exposed/](https://securitylab.amnesty.org/latest/2025/12/intellexa-leaks-predator-spyware-operations-exposed/) [高阶]
- **“Paragon Graphite — iMessage Zero-Click (CVE-2025-43200)”** — Citizen Lab,2025 年 4 月。首次法证确认 Paragon 的 Graphite iOS 间谍软件通过 iMessage 零点击投递并针对欧洲记者;包含 IOC、基础设施指纹与取证方法;已修补于 iOS 18.3.1。[https://citizenlab.ca/research/first-forensic-confirmation-of-paragons-ios-mercenary-spyware-finds-journalists-targeted/](https://citizenlab.ca/research/first-forensic-confirmation-of-paragons-ios-mercenary-spyware-finds-journalists-targeted/) [高阶]
- **“Graphite / Paragon”** — Citizen Lab,2025 年 3 月。意大利商业间谍软件供应商 Paragon 的 Graphite 植入体,通过 WhatsApp 零日漏洞定向攻击记者与公民社会;涵盖 C2 基础设施指纹与取证恢复方法。[https://citizenlab.ca/research/a-first-look-at-paragons-proliferating-spyware-operations/](https://citizenlab.ca/research/a-first-look-at-paragons-proliferating-spyware-operations/) [高阶]
- **“LightSpy v7.9.0 Cross-Platform Spyware”** — 多位研究者,2025 年 2 月。分析 LightSpy 跨平台能力扩展:100+ 命令模块 targeting iOS、Android、macOS、Windows、Linux 与路由器;新 Android 模块提取 Facebook/Instagram 数据库;归因于与中国关联的行动者。[https://gbhackers.com/lightspy-malware-expands-with-100-commands/](https://gbhackers.com/lightspy-malware-expands-with-100-commands/) [高阶]
- **“BoneSpy and PlainGnome: Russia's First Mobile-Only Spyware”** — Lookout,2024 年 12 月。分析 Gamaredon 首个专注 Android 的移动间谍家族,针对俄语前苏联国家;包含详细行为分析与 IOC 文档。[中级]
- **“Predator Files”** — Amnesty International Security Lab with the EIC media consortium, October 2023. Technical disclosure of Intellexa's Predator spyware: Android and iOS infection vectors, zero-click and one-click delivery, and the commercial ecosystem around the product. Amnesty technical deep dive: [https://securitylab.amnesty.org/latest/2023/10/technical-deep-dive-into-intellexa-alliance-surveillance-products/](https://securitylab.amnesty.org/latest/2023/10/technical-deep-dive-into-intellexa-alliance-surveillance-products/) | Amnesty report: [https://www.amnesty.org/en/documents/act10/7245/2023/en/](https://www.amnesty.org/en/documents/act10/7245/2023/en/) [Advanced]
- **“QuaDream REIGN” (“Sweet QuaDreams”)** — Citizen Lab, April 2023. Analysis of QuaDream's REIGN iOS spyware, delivered by the zero-click ENDOFDAYS exploit through iCloud calendar invitations; forensic indicators, timeline, and comparison with Pegasus tradecraft. [https://citizenlab.ca/2023/04/spyware-vendor-quadream-exploits-victims-customers/](https://citizenlab.ca/2023/04/spyware-vendor-quadream-exploits-victims-customers/) [Advanced]
- **“Hermit: Enterprise-Grade Android and iOS Spyware”** — Lookout, 2022, with follow-up analysis by Google TAG. Technical teardown of Hermit (RCS Lab), a full-featured commercial implant: APK structure, abuse of iOS enterprise provisioning, C2 architecture and privilege escalation. Full technical report: [https://www.lookout.com/threat-intelligence/article/hermit-spyware-discovery](https://www.lookout.com/threat-intelligence/article/hermit-spyware-discovery) [Advanced]
- **“Pegasus vs. Android: Technical Anatomy of NSO Group's Flagship Product”** — Amnesty International Security Lab (peer-reviewed by Citizen Lab), July 2021. Component-level teardown of the Pegasus Android implant: persistence mechanisms, C2 protocol, data exfiltration and detection traces; paired with the iOS analysis for a cross-platform comparison. [https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/](https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/) [Advanced]
- **“FinSpy iOS and Android Deep Dive”** — Kaspersky / Amnesty International, 2020–2021. Technical documentation of the FinSpy/FinFisher mobile implants: obfuscation, anti-analysis, persistence and C2 infrastructure; historically significant as one of the first public teardowns of a commercial implant on both major mobile platforms. [https://securelist.com/finspy-unseen-findings/104322/](https://securelist.com/finspy-unseen-findings/104322/) [Intermediate]
### Baseband and Modem Security
- **“New Attack Surfaces in Radio Layer 2 for Baseband RCE on Samsung Exynos”** — taszk.io labs, Black Hat USA 2023. A new Layer 2 protocol attack surface in Samsung Exynos baseband firmware leading to remote code execution; includes the reverse-engineering approach used against the closed-source Shannon baseband. [https://labs.taszk.io/articles/post/there_will_be_bugs/](https://labs.taszk.io/articles/post/there_will_be_bugs/) [Advanced]
- **“BaseMirror: Automatic Reverse Engineering of Baseband Commands”** — arXiv:2409.00475, September 2024 (ACM CCS 2024). Automatic extraction of the baseband command interface from Android's RIL, applied to 28 Samsung Exynos models; found 873 undocumented commands and 8 zero-days (DoS and arbitrary file access). A systematic method for baseband attack-surface discovery. [https://arxiv.org/html/2409.00475v1](https://arxiv.org/html/2409.00475v1) [Advanced]
- **“18 Zero-Days in Samsung Exynos Modems”** — Google Project Zero, March 2023. Of the 18 CVEs found in Exynos modem firmware, 4 allow internet-to-baseband remote code execution with no user interaction, needing only the victim's phone number; affected Pixel, Galaxy and other Exynos-based devices. Covers the attack-surface scope and the disclosure timeline. [https://googleprojectzero.blogspot.com/2023/03/multiple-internet-to-baseband-remote-rce.html](https://googleprojectzero.blogspot.com/2023/03/multiple-internet-to-baseband-remote-rce.html) [Advanced]
- **“Shannon Baseband Reverse Engineering”** — multiple researchers (Project Zero, Comsecuris and others). A body of research on the Samsung Shannon baseband: reverse-engineering method, vulnerability discovery and exploitation. Project Zero coverage: [https://projectzero.google](https://projectzero.google). Comsecuris research: [https://comsecuris.com/blog/posts/path_of_least_resistance/](https://comsecuris.com/blog/posts/path_of_least_resistance/) [Advanced]
- **“LTE Security: Breaking LTE on Layer Two”** — Rupprecht et al., IEEE S&P 2019. Practical layer-two attacks on LTE: missing integrity protection on user-plane data enables DNS redirection (the aLTEr attack), alongside passive identity mapping and website fingerprinting; bridges protocol analysis and attacks on real hardware. [https://alter-attack.net/](https://alter-attack.net/) [Advanced]
- **“Baseband Attacks: Remote Exploitation of Memory Corruptions in Cellular Protocol Stacks”** — Ralf-Philipp Weinmann, USENIX WOOT 2012. Foundational academic work on fuzzing and exploiting cellular baseband stacks; still a methodological reference even though the targets have moved on. [Advanced]
### Memory-Safety Mitigations and Bypasses
- **“MIE Deep Dive: Memory Integrity Enforcement on iOS (Parts 1–2)”** — 8kSec, 2025. Analysis of Apple's Memory Integrity Enforcement subsystem: how it works, what it protects, and the edge cases the research community has identified so far. [https://8ksec.io/mie-deep-dive-kernel/](https://8ksec.io/mie-deep-dive-kernel/) [Advanced]
- **“TikTag: Breaking ARM's Memory Tagging Extension”** — Kim et al. (Seoul National University / Samsung Research / Georgia Tech), 2024. Speculative-execution side channels that leak MTE tags, letting an attacker recover memory tags and bypass the hardware-assisted memory-safety mitigation. Includes PoCs. [https://arxiv.org/abs/2406.08719](https://arxiv.org/abs/2406.08719) [Advanced]
- **“ARM64 Reversing and Exploitation Series (Parts 1–10)”** — 8kSec. Ten-part series covering ARM64 assembly, calling conventions, heap exploitation, ROP chain construction and kernel exploitation primitives; Part 10 goes into the ARM Memory Tagging Extension (MTE). [https://8ksec.io/arm64-reversing-and-exploitation-part-1-arm-instruction-set-simple-heap-overflow/](https://8ksec.io/arm64-reversing-and-exploitation-part-1-arm-instruction-set-simple-heap-overflow/) [Intermediate→Advanced]
- **“PACMAN: Attacking ARM Pointer Authentication with Speculative Execution”** — Ravichandran et al., MIT CSAIL, ISCA 2022. Speculative-execution side channel that leaks whether a PAC guess is valid, enabling a PAC bypass without ever triggering an authentication failure; practically relevant to iOS exploit chains that rely on PAC as a mitigation. [https://pacmanattack.com](https://pacmanattack.com) [Advanced]
- **“Bypassing iOS PAC”** — Siguza. Research on the iOS Pointer Authentication Code implementation and its bypass techniques: cryptographic properties, implementation details and known attack classes. [https://blog.siguza.net](https://blog.siguza.net) [Advanced]
### TrustZone and TEE Exploitation
- **“Samsung TrustZone (Kinibi TEE) Exploitation”** — Quarkslab, 2021–2023. Multiple CVEs in Samsung's Kinibi-based TEE: TEE reversing methodology, trusted-application attack surface and privilege escalation from the normal world into the TEE. [https://blog.quarkslab.com](https://blog.quarkslab.com) [Advanced]
- **“Titan M / Titan M2 Security Research”** — Google security blog and independent research. Google's Pixel 6 post describes the Titan M2 chip's role in the Pixel security architecture and the firmware/application boundary; attack-surface and vulnerability research on the Titan M chip was published by Quarkslab (Melotti and Rossi Bellom, Black Hat Europe 2021 and Black Hat USA 2022). [https://security.googleblog.com/2021/10/pixel-6-setting-new-standard-for-mobile.html](https://security.googleblog.com/2021/10/pixel-6-setting-new-standard-for-mobile.html) [Advanced]
- **“Apple Secure Enclave Research”** — multiple researchers (including Siguza and axi0mX). Ongoing research into Secure Enclave Processor architecture, boot-chain security and the coprocessor attack surface. Siguza's APRR/Secure Enclave research: [https://blog.siguza.net/APRR/](https://blog.siguza.net/APRR/) [Advanced]
### WebKit and Browser Exploitation (Mobile Context)
- **“CVE-2025-43529 + CVE-2025-14174 (WebKit/ANGLE Chain)”** — December 2025. WebKit use-after-free (CVE-2025-43529) chained with ANGLE memory corruption (CVE-2025-14174) in targeted attacks against iOS; both are listed in CISA KEV. Patched in iOS 18.7.3. [https://support.apple.com/en-us/HT201222](https://support.apple.com/en-us/HT201222) [Advanced]
- **“CVE-2024-23222: WebKit Type Confusion”** — Apple emergency patch, January 2024. Type confusion reachable from web content, exploited in the wild on iOS before the fix shipped. [https://support.apple.com/en-us/HT213600](https://support.apple.com/en-us/HT213600) [Advanced]
- **“WebKit JIT Compiler Exploitation”** — multiple researchers. Type-confusion and use-after-free primitives introduced by JIT compilation; exploitation techniques documented at Pwn2Own and in the academic literature. See [https://webkit.org/blog/](https://webkit.org/blog/) for upstream security background. [Advanced]
### Supply Chain and SDK Attacks
- **“Axios npm Supply Chain Compromise (TeamPCP Campaign)”** — Unit 42 / Microsoft Security, March–April 2026. Attackers (UNC1069) socially engineered an Axios npm maintainer and published poisoned versions (100M+ downloads per week) delivering a RAT; affected React Native and mobile web apps. [https://unit42.paloaltonetworks.com/axios-supply-chain-attack/](https://unit42.paloaltonetworks.com/axios-supply-chain-attack/) [Intermediate]
- **“Malicious npm Packages Targeting React Native”** — Snyk / Socket.dev, ongoing. Malicious and typosquatted npm packages aimed at React Native developers; live tracking: [https://socket.dev/npm/](https://socket.dev/npm/) [Intermediate]
- **“CocoaPods Trunk Server Takeover”** — EVA Information Security, July 2024. Three trunk-server vulnerabilities (CVE-2024-38366 through CVE-2024-38368), including an unauthenticated RCE on the trunk server and takeover of orphaned pods, potentially affecting more than 3 million iOS/macOS apps; covers the exploitation paths and why retroactive auditing is hard. [https://www.evasec.io/blog/eva-discovered-supply-chain-vulnerabities-in-cocoapods](https://www.evasec.io/blog/eva-discovered-supply-chain-vulnerabities-in-cocoapods) [Intermediate]
- **“SpinOk: Malicious SDK in 100+ Android Apps”** — Dr.Web, May 2023. Spyware SDK embedded in 100+ Android apps with more than 421 million cumulative downloads; documents SDK-level supply-chain risk: how it hid, what data it collected and how it evaded Play Protect. [https://news.drweb.com/show/?i=14705&lng=en](https://news.drweb.com/show/?i=14705&lng=en) [Intermediate]
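The npm entries above describe poisoned packages reaching React Native projects through the registry. The check below is an added example (written for this list, not taken from Unit 42, Socket.dev or any npm tooling) of what a CI step can verify mechanically: that every dependency in a `package-lock.json` (lockfileVersion 2/3) resolves to an allowed registry host, carries a sha512 `integrity` pin, and that the tarball actually fetched matches that pin. The lockfile, package names other than `axios`, versions and tarball bytes are constructed placeholders.

```python
"""Audit an npm package-lock.json (lockfileVersion 2/3) against the tarballs actually fetched."""
import base64
import hashlib
from urllib.parse import urlparse

ALLOWED_HOSTS = {"registry.npmjs.org"}   # add your private registry here (assumption: none)


def sri(data: bytes, algo: str = "sha512") -> str:
    """Subresource-Integrity string in the form npm writes into the lockfile."""
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


def audit_lockfile(lock: dict, tarballs: dict) -> list:
    """Return (name@version, finding) pairs.

    `tarballs` maps "name@version" to the bytes that were downloaded (or that the CI
    cache holds). An integrity mismatch means the tarball you got is not the one the
    lockfile pinned (tampered mirror, cache or proxy). A newly published poisoned
    version changes the lockfile itself, which must be caught at lockfile-diff review;
    this check does not replace that.
    """
    findings = []
    for path, pkg in lock.get("packages", {}).items():
        if path == "" or pkg.get("link"):
            continue                                  # root project / workspace symlink
        name = path.rsplit("node_modules/", 1)[-1]
        key = f"{name}@{pkg.get('version', '?')}"
        resolved = pkg.get("resolved", "")
        if urlparse(resolved).hostname not in ALLOWED_HOSTS:
            findings.append((key, f"resolved from unexpected source: {resolved or '<none>'}"))
        integrity = pkg.get("integrity")
        if not integrity:
            findings.append((key, "no integrity field: tarball is not pinned"))
            continue
        algo, _, b64 = integrity.partition("-")
        if algo not in hashlib.algorithms_available:
            findings.append((key, f"unknown integrity algorithm: {algo}"))
            continue
        if algo != "sha512":
            findings.append((key, f"weak integrity algorithm: {algo}"))
        data = tarballs.get(key)
        if data is None:
            findings.append((key, "tarball not available for verification"))
        elif hashlib.new(algo, data).digest() != base64.b64decode(b64):
            findings.append((key, "integrity mismatch: fetched tarball differs from the lockfile pin"))
    return findings


def build_sample() -> tuple:
    """Constructed lockfile and tarballs for demonstration; rn-fast-sdk and leftpad-helper
    are invented names, versions are arbitrary, and tarball bytes are placeholders."""
    axios_tgz = b"placeholder bytes standing in for axios-1.7.0.tgz"
    tampered = axios_tgz + b"\n/* injected */"        # what a poisoned mirror would serve
    lock = {
        "lockfileVersion": 3,
        "packages": {
            "": {"name": "mobile-app", "version": "1.0.0"},
            "node_modules/axios": {
                "version": "1.7.0",
                "resolved": "https://registry.npmjs.org/axios/-/axios-1.7.0.tgz",
                "integrity": sri(axios_tgz),
            },
            "node_modules/rn-fast-sdk": {
                "version": "0.1.0",
                "resolved": "https://cdn.example.net/rn-fast-sdk-0.1.0.tgz",   # off-registry
                "integrity": sri(b"sdk bytes", "sha1"),                        # weak algorithm
            },
            "node_modules/leftpad-helper": {
                "version": "2.0.0",
                "resolved": "https://registry.npmjs.org/leftpad-helper/-/leftpad-helper-2.0.0.tgz",
            },                                                                  # no integrity
        },
    }
    tarballs = {"axios@1.7.0": tampered, "rn-fast-sdk@0.1.0": b"sdk bytes"}
    return lock, tarballs


if __name__ == "__main__":
    for key, finding in audit_lockfile(*build_sample()):
        print(f"{key:28} {finding}")
```

In a real pipeline, `tarballs` is filled from the `npm cache` directory or from a fresh `npm pack` of each pinned version, and any finding fails the build. Note that a package whose lockfile entry was itself rewritten by an attacker will pass this check, which is why the lockfile diff must be reviewed like source code.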
### On-Device AI/ML Security
- **“CoreML Model Extraction from iOS Applications”** — practitioner research. Locating, extracting and reverse engineering CoreML `.mlmodelc` bundles inside iOS apps: the compiled model format, decrypting protected models and reconstructing the network architecture. [Emerging]
- **“TensorFlow Lite Model Security on Android”** — research. Extracting and analysing TFLite `.tflite` models embedded in Android APKs: model IP theft and adversarial-example construction. [Emerging]
- **“Adversarial Examples on Mobile ML Models”** — NeurIPS / ICLR papers. Crafting inputs that cause mobile computer-vision models to misclassify; applicable to biometric spoofing, content moderation and OCR. [Emerging]
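The first two entries above start with the same step: finding the model files inside the app package. The script below is an added example (not from any of the works listed) of doing that inventory content-first rather than by file extension. It recognises TFLite models by the `TFL3` FlatBuffers identifier at offset 4, so a model renamed to `weights.bin` is still caught, flags a `.tflite` that lacks the identifier as probably encrypted (the case that needs runtime extraction), and reports CoreML `.mlmodelc` directories found in an IPA's `Payload/` tree. The sample archive is constructed in code and is not a real app.

```python
"""Inventory on-device ML models inside an APK or IPA (both are zip archives)."""
import io
import struct
import zipfile
from collections import defaultdict

TFLITE_IDENT = b"TFL3"        # FlatBuffers file_identifier stored at bytes 4..8 of a .tflite
COREML_SUFFIX = ".mlmodelc"   # a compiled CoreML model is a directory inside the .app bundle


def is_tflite(data: bytes) -> bool:
    """Content check: a FlatBuffer starts with a uint32 root-table offset, then the identifier."""
    if len(data) < 8 or data[4:8] != TFLITE_IDENT:
        return False
    root_offset = struct.unpack("<I", data[:4])[0]
    return root_offset < len(data)            # cheap sanity check against random matches


def find_models(archive: bytes) -> list:
    """Return one dict per model: {"path", "kind", "size", "note"}.

    TFLite detection is content-based, so renamed models are still found; a .tflite
    with no identifier is reported as possibly encrypted or custom-packed. CoreML
    bundles are detected by the .mlmodelc path component, one entry per bundle.
    """
    results = []
    coreml_bundles = defaultdict(list)
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            parts = name.split("/")
            bundle = next((p for p in parts if p.endswith(COREML_SUFFIX)), None)
            if bundle is not None:
                bundle_path = name[: name.index(bundle) + len(bundle)]
                coreml_bundles[bundle_path].append(parts[-1])
                continue
            data = zf.read(info)
            if is_tflite(data):
                note = "" if name.endswith(".tflite") else "TFLite model under a non-.tflite name"
                results.append({"path": name, "kind": "tflite", "size": len(data), "note": note})
            elif name.endswith(".tflite"):
                results.append({"path": name, "kind": "unknown", "size": len(data),
                                "note": "no TFL3 identifier: encrypted or custom-packed, dump it at runtime"})
    for bundle_path, files in sorted(coreml_bundles.items()):
        results.append({"path": bundle_path, "kind": "coreml", "size": len(files),
                        "note": "compiled CoreML bundle: " + ", ".join(sorted(files))})
    return results


def build_sample_archive() -> bytes:
    """Constructed input for demonstration (not a real app): an APK-style layout with
    three TFLite cases plus an IPA-style CoreML bundle."""
    tflite = struct.pack("<I", 0x20) + TFLITE_IDENT + b"\x00" * 0x40   # plausible header only
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", b"dex\n035\x00")
        zf.writestr("assets/detector.tflite", tflite)                   # plain model
        zf.writestr("assets/weights.bin", tflite)                       # renamed model
        zf.writestr("assets/secret.tflite", bytes(range(64)))           # identifier missing
        zf.writestr("Payload/App.app/Face.mlmodelc/coremldata.bin", b"\x00" * 16)
        zf.writestr("Payload/App.app/Face.mlmodelc/model.espresso.net", b"{}")
    return buf.getvalue()


if __name__ == "__main__":
    for m in find_models(build_sample_archive()):
        print(f'{m["kind"]:8} {m["path"]:45} {m["note"]}')
```

For a real target, replace `build_sample_archive()` with the bytes of the APK or IPA. Models reported as `unknown` are the interesting ones for the extraction research above: the app must decrypt them before handing them to the interpreter, so hooking the loader (for example `TfLiteModelCreate` or the Java `Interpreter` constructor) with Frida yields the plaintext.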
### Android Packing, Obfuscation and Anti-Analysis
- **“A Systematic Analysis of Commercial Android Packers”** — ACM ESEC/FSE 2022. Evaluates 12 commercial Android packing services: their protection mechanisms, detection evasion and anti-analysis capabilities. [https://dl.acm.org/doi/abs/10.1145/3540250.3558969](https://dl.acm.org/doi/abs/10.1145/3540250.3558969) [Advanced]
- **“Happer: Unpacking Android Apps via a Hardware-Assisted Approach”** — IEEE S&P 2021. Uses hardware tracing features to monitor packer behaviour at runtime and dump the unpacked code. [https://ieeexplore.ieee.org/document/9519458](https://ieeexplore.ieee.org/document/9519458) [Advanced]
- **“A Large-Scale Study on the Adoption of Anti-Debugging and Anti-Tampering Protections in Android Apps”** — JISA 2020. Berlato et al.'s empirical analysis of the protections found in production Android apps. [https://stefano.berlato.it/publications/JISA2025.pdf](https://stefano.berlato.it/publications/JISA2025.pdf) [Intermediate]
- **“AndrODet: An Adaptive Android Obfuscation Detector”** — arXiv 2019. Machine-learning-based detection of Android obfuscation. [https://arxiv.org/pdf/1910.06192.pdf](https://arxiv.org/pdf/1910.06192.pdf) [Intermediate]
- **“Things You May Not Know About Android (Un)Packers”** — NDSS 2018. Duan et al.'s comprehensive evaluation of APK packer behaviour and unpacking techniques; a foundational method for malware analysis. [https://www.ndss-symposium.org/wp-content/uploads/2018/02/ndss2018_04A-4_Duan_paper.pdf](https://www.ndss-symposium.org/wp-content/uploads/2018/02/ndss2018_04A-4_Duan_paper.pdf) [Advanced]
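The packer papers above share one observation: a packed app ships a tiny loader DEX, keeps the real code as an encrypted blob (usually under `assets/`) and decrypts it from a native library. The script below is an added triage heuristic (written for this list, not taken from any of the papers) that scores an APK on exactly that combination, reading `class_defs_size` from the DEX header (offset 0x60 per the DEX format specification) and measuring Shannon entropy of large assets. Thresholds, the library names and both sample APKs are constructed; a real unpacker still needs the dynamic or hardware-assisted approaches the papers describe.

```python
"""Heuristic triage for packed Android apps: stub DEX + incompressible payload + native loader."""
import hashlib
import io
import math
import struct
import zipfile
from collections import Counter

DEX_MAGIC = b"dex\n"
CLASS_DEFS_SIZE_OFF = 0x60    # uint32 class_defs_size in the 0x70-byte DEX header


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; anything near 8.0 is compressed or encrypted."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def dex_class_count(data: bytes):
    """class_defs_size from the DEX header, or None if the blob is not a DEX."""
    if len(data) < 0x70 or data[:4] != DEX_MAGIC:
        return None
    return struct.unpack_from("<I", data, CLASS_DEFS_SIZE_OFF)[0]


def triage_apk(apk: bytes, stub_threshold: int = 20,
               entropy_threshold: float = 7.5, min_blob: int = 4096) -> dict:
    """Flag the loader-stub / encrypted-payload / native-library pattern (thresholds are assumptions)."""
    dex_classes, high_entropy, native = {}, [], []
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            if name.endswith(".dex") and "/" not in name:          # classes.dex, classes2.dex, ...
                count = dex_class_count(zf.read(info))
                if count is not None:
                    dex_classes[name] = count
            elif name.startswith("lib/") and name.endswith(".so"):
                native.append(name)
            elif name.startswith(("assets/", "res/raw/")) and info.file_size >= min_blob:
                ent = shannon_entropy(zf.read(info))
                if ent >= entropy_threshold:
                    high_entropy.append((name, round(ent, 2)))
    stub = bool(dex_classes) and sum(dex_classes.values()) <= stub_threshold
    return {
        "dex_classes": dex_classes,
        "high_entropy_assets": high_entropy,
        "native_libs": native,
        "likely_packed": stub and bool(high_entropy) and bool(native),
    }


def _dex_header(class_defs: int) -> bytes:
    """Constructed DEX header (magic + class_defs_size only), enough for the check above."""
    hdr = bytearray(0x70)
    hdr[:8] = b"dex\n035\x00"
    struct.pack_into("<I", hdr, CLASS_DEFS_SIZE_OFF, class_defs)
    return bytes(hdr)


def build_sample_apk(packed: bool) -> bytes:
    """Constructed APKs for demonstration; library and asset names are invented."""
    random_blob = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(256))  # 8 KiB, ~7.97 bits/byte
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        if packed:
            zf.writestr("classes.dex", _dex_header(3))                  # loader stub
            zf.writestr("assets/payload.bin", random_blob)              # "encrypted" real DEX
            zf.writestr("lib/arm64-v8a/libloader.so", b"\x7fELF" + b"\x00" * 60)
        else:
            zf.writestr("classes.dex", _dex_header(1500))
            zf.writestr("assets/config.txt", b"key=value\n" * 500)     # low entropy
            zf.writestr("lib/arm64-v8a/libnative.so", b"\x7fELF" + b"\x00" * 60)
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        print("packed" if flag else "clean ", triage_apk(build_sample_apk(flag)))
```

A hit tells you where to look next (which native library to instrument and which blob it decrypts), not which packer is in use; apps that legitimately ship large compressed media under `assets/` will raise the entropy signal on their own, which is why all three signals are required before `likely_packed` is set.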
### Android Kernel and OS Security
- **“An Investigation of the Android Kernel Patch Ecosystem”** — USENIX Security 2021. Zhang et al. on how Android kernel patches propagate through the ecosystem (OEM delays, missing patches) and the real security gaps that result. [https://www.usenix.org/conference/usenixsecurity21/presentation/zhang](https://www.usenix.org/conference/usenixsecurity21/presentation/zhang) [Intermediate–Advanced]
### Bluetooth and Wireless
- **“WhisperPair: Google Fast Pair Accessory Hijacking”** — KU Leuven researchers, January 2026. Logic flaw in Fast Pair's pairing-key validation (CVE-2025-36911): accessories accept new pairing requests before actually entering pairing mode, letting an attacker hijack the audio stream, inject audio, eavesdrop through the microphone or track the device. Affects accessories from Sony, Jabra, JBL, Marshall, Xiaomi, Nothing, OnePlus, Logitech, Google and others. $15K bounty. [https://whisperpair.eu/](https://whisperpair.eu/) [Intermediate–Advanced]
- **“BLUFFS: Bluetooth Forward and Future Secrecy Attacks”** — Antonioli, ACM CCS 2023. Six new attacks that break session secrecy in Bluetooth 4.2–5.4 by exploiting weaknesses in session-key derivation; affects every standard-compliant Bluetooth device. [https://dl.acm.org/doi/10.1145/3576915.3623066](https://dl.acm.org/doi/10.1145/3576915.3623066) [Advanced]
- **“BrakTooth: ESP32 Bluetooth Stack Vulnerabilities”** — ASSET Research Group, SUTD, 2021. 16 Bluetooth Classic stack vulnerabilities across SoCs from Espressif, Intel, Qualcomm and others; documents the fuzzing infrastructure and chip coverage. [https://asset-group.github.io/disclosures/braktooth/](https://asset-group.github.io/disclosures/braktooth/) [Advanced]
- **“SweynTooth: Bluetooth LE in SoC Implementations”** — ASSET Research Group, SUTD, 2020. 12 Bluetooth LE implementation vulnerabilities across SoC vendors (TI, NXP, Cypress and others): deadlocks, crashes and security bypasses, all triggerable over the air at the link layer. [https://asset-group.github.io/disclosures/sweyntooth/](https://asset-group.github.io/disclosures/sweyntooth/) [Advanced]
---
## 8. Conference Talks
A curated selection of talks from the main venues where mobile security research is published. Only sessions with public video/slides or an accessible summary are listed.
### Black Hat USA / Europe / Asia
[Black Hat talk archives](https://www.blackhat.com/html/archives.html). Many talks are also on [YouTube](https://www.youtube.com/@BlackHatOfficialYT).
- **[2026] “Practical Attacks Against Smartphone Boot ROMs”** — How a single Boot ROM vulnerability compromises an entire smartphone ecosystem through secure-boot bypass and firmware decryption. Black Hat Asia 2026. [Advanced]
- **[2025] “A Worm in the Apple: Wormable Zero-Click RCE in AirPlay”** — Gal Elbaz, Uri Katz, Avi Lumelsky (Oligo Security). Wormable zero-click RCE affecting AirPlay devices from MacBooks to in-car systems, via CVE-2025-24252 and CVE-2025-24132 (“AirBorne”). Black Hat USA 2025. [Advanced]
- **[2025] “Dead Pixel Detected — A Security Assessment of Apple's Graphics Subsystem”** — Yu Wang (CyberServal). Multiple previously unknown kernel vulnerabilities in Apple's graphics subsystem. Black Hat USA 2025. [Advanced]
- **[2025] “Uncovering 'NASty' 5G Baseband Vulnerabilities through Dependency-Aware Fuzzing”** — Tianchang Yang et al. Dependency-aware fuzzing of the NAS layer in Samsung's Shannon 5G baseband; over-the-air proof-of-concept crashes delivered from a self-hosted 5G base station. Black Hat USA 2025. [Advanced]
- **[2025] “Watch Your Phone: Novel USB-Based File Access Attacks Against Mobile Devices”** — Florian Draschbauer, Lukas Maar (Graz University of Technology). USB-based file-access attacks that bypass the lock screen and user-confirmation prompts on both Android and iOS. Black Hat Asia 2025. [Advanced]
- **[2025] “Unveiling the Mysteries of Qualcomm's QDSP6 JTAG”** — Alisa Esage (Zero Day Engineering). Advanced reverse engineering of Qualcomm's QDSP6 JTAG through patent analysis, firmware reversing and theoretical modelling. Black Hat Asia 2025. [Advanced]
- **[2025] “One Entry Point to Thousands of Phones: China-Nexus APT Exploiting Ivanti”** — Arda Buyukkaya. Exploitation of Ivanti EPMM servers to pivot into managed mobile-device fleets. Black Hat Europe 2025. [Advanced]
- **[2024] “Compromising Android with Evil Customizations”** — OEM and carrier customisation packages as Android privilege-escalation paths. Black Hat USA 2024. [Intermediate]
- **[2024] “The Stealthy Side of iOS: Attacking iOS Background Modes”** — Abusing iOS background-execution APIs (VoIP push, background refresh, significant-change location) for persistence and covert activity. Black Hat USA 2024. [Advanced]
- **[2024] “Abusing iOS WebKit: From Script Injection to Kernel Exploits”** — Chain construction from WebKit to sandbox escape. Black Hat Europe 2024. [Advanced]
- **[2024] “Android Malware Evasion: Defeating Google Play Protect”** — Techniques for evading Play Protect's dynamic analysis: timing, payload delivery and detection fingerprinting. Black Hat Asia 2024. [Intermediate]
- **[2024] “Finding Vulnerabilities in Qualcomm GPU Drivers”** — Attack-surface mapping and vulnerability discovery in the Qualcomm Adreno GPU kernel driver. Black Hat USA 2024. [Advanced]
- **[2024] “Cracking the 5G Fortress: Peering Into 5G's Vulnerability Abyss”** — Kai Tu, Yilu Dong. Logic flaws in 5G protocol-stack implementations that allow network-authentication bypass. Black Hat USA 2024. [Advanced]
- **[2024] “Achilles' Heel of JS Engines: Exploiting Modern Browsers During WASM”** — Zong Cao, Zheng Wang. Manipulating WebAssembly execution to trigger memory corruption in JIT-allocated RWX memory. Black Hat USA 2024. [Advanced]
- **[2024] “You Shall Not PASS — Analysing a NSO iOS Spyware Sample”** — Forensic dissection of BLASTPASS: delivered silently over iMessage through a malicious PassKit attachment, bypassing BlastDoor to compromise fully patched iOS devices. Black Hat Asia 2024. [Advanced]
- **[2024] “Privacy Detective: Sniffing Out Your Data Leaks for Android”** — Zhengyang Zhou, Yiman He. Automated detection of unauthorised data exfiltration in Android apps: ad telemetry, tracking SDKs and over-permissive manifests. Black Hat Asia 2024. [Intermediate]
- **[2024] “WiFi Calling: Revealing Downgrade Attacks and Not-so-private Keys”** — Adrian Dabrowski, Gabriel Gegenhuber. Security analysis of the VoWiFi protocol: downgrade attacks and exposed keys. Black Hat Europe 2024. [Advanced]
- **[2024] “Unmasking State-Sponsored Mobile Surveillance Malware from Russia, China, and North Korea”** — Kyle Schmittlein, Alemdar Islamoglu. Comparative analysis of tradecraft, obfuscation and C2 infrastructure across nation-state APT mobile spyware. Black Hat Europe 2024. [Intermediate]
- **[2023] “Binder Transactions in the Wild”** — Android IPC security analysis: the attack surface exposed by Binder transaction semantics and system services. Black Hat USA 2023. [Advanced]
- **[2023] “Subverting iOS and macOS”** — Patrick Wardle. Persistence mechanisms and security-bypass techniques on Apple platforms. Black Hat USA 2023. [Intermediate]
- **[2023] “Side Channel Attacks on Mobile Biometrics”** — Timing and power analysis against fingerprint and Face ID implementations on mobile SoCs. Black Hat USA 2023. [Advanced]
- **[2023] “Hacking Samsung's Galaxy AI Features”** — The on-device AI attack surface on Galaxy devices: model extraction, input manipulation and permission impact. Black Hat Europe 2023. [Emerging]
- **[2022] “A Journey into Qualcomm Baseband”** — Vulnerability discovery and exploitation in Qualcomm cellular baseband firmware, including the reverse-engineering method. Black Hat USA 2022. [Advanced]
- **[2022] “20 Ways to Bypass iOS Privacy Access Prompts”** — Survey of techniques for bypassing iOS location, microphone, camera and contacts access prompts. Black Hat USA 2022. [Intermediate]
- **[2022] “Galaxy's Meltdown”** — Kernel exploitation chain on Samsung Exynos devices. Black Hat 2022. [Advanced]
- **[2021] “iMessage Zero-Click: The BlastDoor Sandbox”** — Multiple speakers on the iMessage attack surface and the BlastDoor sandbox mitigation introduced in iOS 14. Black Hat USA 2021. [Advanced]
- **[2021] “Subverting Trust in macOS/iOS”** — Apple code signing, notarisation and trust evaluation as attack surface. Black Hat USA 2021. [Advanced]
### DEF CON
Recordings are on the [DEF CON media server](https://media.defcon.org) and [YouTube](https://www.youtube.com/@DEFCONConference).
- **[2025] “KernelGP: Racing Against the Android Kernel”** — Chariton Karamitas. Advanced race-condition and use-after-free primitives in the Android Linux kernel. DEF CON 33. [Advanced]
- **[2025] “Siri-ously Leaky: Exploring Overlooked Attack Surfaces Across Apple's Ecosystem”** — Richard "richeeta" Hyunho Im. Overlooked attack surfaces in Siri and ecosystem integrations. DEF CON 33. [Intermediate]
- **[2025] “AppleStorm: Unmasking the Privacy Risks of Apple Intelligence”** — Yoav Magid. Privacy attack-surface analysis of the Apple Intelligence features introduced in iOS 18. DEF CON 33. [Emerging]
- **[2025] “Rooting the Rootless: Kernel Tactics to Nullify RASP Protections”** — Subho Halder. Kernel-level bypasses of mobile Runtime Application Self-Protection (RASP). DEF CON 33 Mobile Hacking Community. [Advanced]
- **[2025] “Dead Made Alive Again: Bypassing Intent Destination Checks and Reintroducing LaunchAnywhere”** — Qidan "flanker_hqd" He. The new “BadResolve” technique bypasses Google's patches and lets a zero-permission Android app escalate to system-level privileges. DEF CON 33. [Advanced]
- **[2025] “Silent Signals: Exploiting Side-Channels in End-to-End Encrypted Messengers”** — Gabriel Gegenhuber, Maximilian Gunther. Passive tracking of online status and screen activity through delivery receipts in WhatsApp, Signal and other messengers. DEF CON 33. [Intermediate]
- **[2025] “Recording PCAPs from Stingrays With a $20 Hotspot”** — Cooper Quintin, oopsbagel (EFF). Rayhunter: detecting IMSI catchers and capturing live control-plane traffic through the Qualcomm DIAG protocol on a cheap cellular hotspot. DEF CON 33. [Advanced]
- **[2024] “The Way To Android Root: Exploiting Your GPU On Smartphone”** — Xiling Gong, Eugene Rodionov, Xuan Xing (Google Android Red Team). Full-chain GPU driver exploitation for Android kernel privilege escalation on Pixel and flagship devices. DEF CON 32. [Advanced]
- **[2024] “ACE up the Sleeve: From Getting JTAG on iPhone 15 to Hacking Apple's USB-C Controller”** — stacksmashing (Thomas Roth). Hardware-level attack on Apple's ACE3 USB-C controller using EM fault injection. DEF CON 32. [Advanced]
- **[2024] “The not-so-silent type: Breaking Network Crypto in Almost Every Popular Chinese Keyboard App”** — Privacy and cryptographic weaknesses in popular Chinese keyboard apps. DEF CON 32. [Intermediate]
- **[2024] “Hacking Physical Access Control with Android”** — NFC- and BLE-based attacks on enterprise physical access-control systems, including credential cloning and relay attacks. DEF CON 32. [Intermediate]
- **[2024] “Reversing Encrypted Android Apps with Frida”** — Decrypting encrypted Android apps at runtime and intercepting the decrypted bytecode and native libraries. DEF CON 32. [Intermediate]
- **[2024] “iOS Privacy Violations: What Apps Know About You”** — Systematic analysis of privacy API abuse in App Store apps: what is collected, how, and what the permission model fails to prevent. DEF CON 32. [Beginner]
- **[2023] “Android Kernel Exploitation from First Principles”** — Introductory Android kernel exploit development: kernel primitives, memory corruption and privilege escalation. DEF CON 31. [Intermediate]
- **[2023] “Reverse Engineering Flutter Applications”** — Complete Flutter reverse-engineering workshop: snapshot format, libapp.so extraction and Dart AOT snapshot analysis. DEF CON 31. Slides/materials: [https://media.defcon.org](https://media.defcon.org) [Intermediate]
- **[2023] “Mobile Banking App Security: What's Really Inside”** — Security research on banking-app protections (certificate pinning, root detection and others) and how effective they really are. DEF CON 31. [Intermediate]
- **[2022] “Attacking Android Binder: Finding and Exploiting Kernel Vulnerabilities”** — Systematic Binder attack-surface analysis and kernel exploitation. DEF CON 30. [Advanced]
- **[2022] “Breaking iOS Encryption Without Jailbreak”** — Keychain and Data Protection class analysis: what can be recovered from a running iOS device without a jailbreak. DEF CON 30. [Intermediate]
### MOSEC (Mobile Security Conference, Shanghai)
MOSEC is a high-signal venue for iOS and Android vulnerability research; most presentations involve 0-day-class work and materials are usually not published. Known public disclosures are listed below.
- **[2024] “PAC Bypass on iOS 17”** — Novel bypass of kernel Pointer Authentication Codes on iOS 17.x. MOSEC 2024. [Advanced]
- **[2024] “From WebKit to Kernel: A Full Chain on iOS 17.x”** — Full exploit chain: WebKit entry point, sandbox escape and kernel privilege escalation. MOSEC 2024. [Advanced]
- **[2024] “Android GPU Driver Exploitation”** — Code execution through Android GPU driver vulnerabilities. MOSEC 2024. [Advanced]
- **[2024] “Fuzzing iOS Daemons with Frida”** — Custom Frida-based fuzzing infrastructure for iOS daemons, covering IPC interfaces, XPC services and private framework APIs. MOSEC 2024. [Advanced]
- **[2023] “GPU Accelerated Android Rooting”** — Yong Wang. GPU DMA exploitation to defeat Android 13 kernel protections: GPU IOMMU capabilities allow blind memory modification without a kernel bug. MOSEC 2023. [Advanced]
- **[2023] “A Silicon Bug in Apple's A7 SoC”** — Wei Wang. A hardware MMU logic flaw in Apple's A7 that breaks the cryptographic boundary between the application processor and the Secure Enclave Processor, enabling key extraction. MOSEC 2023. [Advanced]
- **[2023] “Securing Web3 Mobile Wallets with TEE”** — Yuan Zhuang. Failures in TEE-based crypto-wallet implementations: exploitable trusted-application primitives in ARM TrustZone for silent private-key extraction. MOSEC 2023. [Advanced]
- **[2023] “TrustZone Exploitation on Samsung Exynos”** — TEE vulnerability research on Samsung Exynos TrustZone, covering trusted-application reversing and normal-world escapes. MOSEC 2023. [Advanced]
- **[2023] “Malicious MDM: Enterprise iOS Attacks”** — The MDM protocol as an offensive primitive: enrollment-flow abuse, configuration-profile injection and persistent access to enterprise management infrastructure. MOSEC 2023. [Intermediate]
- **[2022] “One for All: Abusing iOS URL Schemes”** — Universal Link and custom URL scheme attacks for cross-app data exfiltration, redirection and privilege escalation. MOSEC 2022. [Intermediate]
- **[2022] “Reverse Engineering Encrypted iOS Apps”** — Dynamic decryption and analysis of FairPlay-encrypted iOS binaries: toolchain, pitfalls and practical method. MOSEC 2022. [Intermediate]
### TyphoonCon (Seoul)
TyphoonCon is an offense-oriented conference; public materials are limited, and the talks below are confirmed.
- **[2026] “The Age of Zygote Injection”** — Joao Pedro Tricta. Android Zygote process injection for post-exploitation persistence and code execution. TyphoonCon 2026. [Advanced]
- **[2026] “Terminally Bad Credit: Rooting, Skimming, and Hijacking Mobile Card Machines”** — Connor Du Plooy. Rooting, privilege escalation and transaction hijacking on mobile payment terminals. TyphoonCon 2026. [Advanced]
- **[2024] “Exploiting iOS 17: Modern Mitigations and How to Bypass Them”** — Analysis of PAC and PPL bypasses in iOS 17 kernel exploitation. TyphoonCon 2024. [Advanced]
- **[2024] “Android OEM Attack Surfaces: Custom Kernels and Drivers”** — Vendor-customised kernels and drivers as a source of Android privilege-escalation bugs. TyphoonCon 2024. [Advanced]
- **[2023] “BlastDoor Is Not Enough: Post-Exploitation via iMessage”** — iMessage attack-surface analysis: parser exposure that remains after BlastDoor hardening, and post-exploitation capabilities. TyphoonCon 2023. [Advanced]
- **[2023] “Heap Shaping for Reliable Exploit Primitives on iOS”** — iOS heap shaping and feng shui techniques for building reliable exploit primitives. TyphoonCon 2023. [Advanced]
- **[2023] “Fuzzing Android Binder: From Kernel Crash to LPE”** — Systematic Binder fuzzing, from kernel crash to local privilege-escalation primitive. TyphoonCon 2023. [Advanced]
- **[2022] “iOS Kernel Heap Exploitation”** — Heap exploitation techniques adapted to the modern iOS kernel allocator. TyphoonCon 2022. [Advanced]
- **[2022] “Attacking the Binder Interface”** — Deep analysis of the Binder driver and evaluation of its security boundaries. TyphoonCon 2022. [Advanced]
### Objective by the Sea (OBTS)
OBTS focuses on Apple platform security; every talk is an Apple-ecosystem topic (iOS, macOS, iPadOS, watchOS, tvOS), much of it practitioner research. Recordings: [https://objectivebythesea.org](https://objectivebythesea.org).
- **[2025] “Something from Nothing — Exploiting Memory Zeroing in XNU”** — Ian Beer. Building reliable read/write from a memory-zeroing primitive in the XNU kernel. OBTS v8.0. [Advanced]
- **[2025] “Unpacking the iOS Sandbox”** — Yarden Hamami. iOS sandbox internals: profile format, enforcement points and bypass boundaries. OBTS v8.0. [Advanced]
- **[2025] “Placeboed Apples: A New Way to Hunt Spyware on iOS”** — Matthias Frielingsdorf. A new approach to iOS spyware detection. OBTS v8.0. [Advanced]
- **[2025] “Queen B: Apple Compressor 0-click RCE”** — Zhi Zhou. Zero-click remote code execution in Apple Compressor. OBTS v8.0. [Advanced]
- **[2025] “What's at the Bottom of the Sea, One Baseband?”** — Lukas Arnold. Security research on the baseband (C1 modem) in Apple devices. OBTS v8.0. [Advanced]
- **[2025] “Make XNU GREAT Little Again”** — Jonathan Levin. XNU kernel internals and the evolution of its security architecture. OBTS v8.0. [Advanced]
- **[2025] “Sploitlight: Exploiting Spotlight to Bypass TCC and Leak Apple Intelligence Data”** — Christine Fossaceca, Jonathan Bar Or. Spotlight plugins used to bypass TCC and leak Apple Intelligence data. OBTS v8.0. [Advanced]
- **[2025] “What's New in Lockdown Mode?”** — Marie Fischer. Lockdown Mode updates and an analysis of their effectiveness. OBTS v8.0. [Intermediate]
- **[2024] “XNU Evolution: KTRR, APRR, PPL, SPTM”** — Jonathan Levin. How Apple has progressively isolated security-sensitive components: the Page Protection Layer (PPL), the Secure Page Table Monitor (SPTM), the Trusted Execution Monitor (TXM) and Exclaves. OBTS v8.0. Video: [youtube.com/watch?v=JNHfU2hnlFA](https://www.youtube.com/watch?v=JNHfU2hnlFA) [Advanced]
- **[2024] “WatchWitch: Apple Watch Protocol Stack from Scratch”** — Nils Rollshausen. Reversing the Apple Watch wireless protocol stack: health and sensor sync protocols, home-grown cryptography, and a working MitM. OBTS v8.0 / REcon 2024. [Advanced]
- **[2024] “Inside Apple's Lockdown Mode”** — Analysis of the Lockdown Mode implementation: which attack surface it actually removes, what remains, and how to test it. OBTS v7.0. [Advanced]
- **[2024] “The State of iOS Jailbreaking 2024”** — Evolution of jailbreak mitigations across iOS versions and the current state of the art. OBTS v7.0. [Intermediate]
- **[2024] “CoreTrust and the Future of Code Signing”** — CoreTrust bypass research and what it means for code signing as a security foundation. OBTS v7.0. [Advanced]
- **[2024] “CellGuard: Detecting Baseband Attacks”** — Lukas Arnold. Decoding DIAG data exchanged between iOS and the Qualcomm baseband to detect 2G downgrade attacks and rogue base stations in real time. OBTS v7.0. Video: [youtube.com/watch?v=DqOOggWDtes](https://www.youtube.com/watch?v=DqOOggWDtes) [Intermediate]
- **[2024] “iDecompile: Writing a Decompiler for iOS Applications”** — Laurie Kirk. A decompiler for iOS apps: locating, extracting and recovering Swift and Objective-C control flow to reduce manual assembly analysis. OBTS v7.0. Video: [youtube.com/watch?v=vWdKjVCZtTI](https://www.youtube.com/watch?v=vWdKjVCZtTI) [Intermediate]
- **[2024] “Patch Diffing on *OS”** — McIntosh. A modern blueprint for dyld_shared_cache extraction and IPSW parsing, using ipsw and Ghidra to isolate changed binaries and map them to CVEs; essential for reversing Apple's silent security fixes. OBTS v7.0. Video: [youtube.com/watch?v=Ellb76t7nrc](https://www.youtube.com/watch?v=Ellb76t7nrc) [Advanced]
- **[2024] “QuaDream's Zero-Click Spyware (ENDOFDAYS/KingsPawn)”** — Bill Marczak, Christine Fossaceca. Forensic dissection of QuaDream's zero-click iOS spyware: an exploit chain triggered by malicious calendar invitations with no user interaction. OBTS v7.0. [Advanced]
- **[2023] “Abusing XPC Services on iOS/macOS”** — The XPC inter-process communication attack surface: interface discovery, XPC decoder type confusion and privilege escalation through service misuse. OBTS v6.0. [Advanced]
- **[2023] “WebKit: A Deep Dive into JIT Compilation Bugs”** — Bug classes in the WebKit JavaScriptCore JIT compiler and their exploitation at Pwn2Own and in the academic literature. OBTS v6.0. [Advanced]
- **[2023] “iOS Persistence: What Survives a Restore?”** — Forensic evidence of implants and configuration changes that survive the different levels of iOS restore. OBTS v6.0. Full archive: [https://objectivebythesea.org/v6/talks.html](https://objectivebythesea.org/v6/talks.html) [Advanced]
- **[2022] “Analyzing iOS Privacy Bypasses”** — Techniques for bypassing iOS permission prompts to access location, camera and microphone. OBTS v5.0. [Intermediate]
- **[2022] “macOS and iOS Entitlements”** — Deep dive into the entitlement system: what entitlements unlock, their hierarchy, and exploitation through entitlement abuse. OBTS v5.0. [Advanced]
### Hack In The Box (HITB)
- **[2024] “Attacking Bluetooth on Mobile: BLE Fuzzing”** — Bluetooth LE fuzzing research on iOS and Android: peripheral-stack fuzzing, logic-bug discovery and building exploit primitives over the wireless link. HITB AMS 2024. [Advanced]
- **[2024] “Android Automotive OS: New Attack Surfaces”** — AAOS-specific attack surface: IVI exposure, vehicle-network integration and weaknesses in the Automotive-specific permission model. HITB 2024. [Emerging]
- **[2024] “iOS App Hardening Failures in Practice”** — How protections in shipping iOS apps fail: RASP bypass, jailbreak-detection evasion and certificate pinning at scale. HITB 2024. [Intermediate]
- **[2023] “Fuzzing iOS Kernelcache”** — Automated iOS kernelcache fuzzing: kernelcache extraction, QEMU emulation and coverage-guided fuzzing. HITB AMS 2023. [Advanced]
- **[2023] “Android 13 Hardening Analysis”** — New Android 13 security features and their bypasses: restricted Intents, notification permission, foreground-service types and Credential Manager. HITB 2023. [Intermediate]
- **[2022] “Dismantling Modern Android Anti-Analysis”** — Bypassing anti-tampering, anti-debugging and obfuscation in Android apps. HITB AMS 2022. [Intermediate]
- **[2022] “iOS Sandbox Profile Analysis”** — Understanding iOS sandbox restrictions: extracting and parsing sandbox profiles and identifying sandboxed versus unsandboxed daemons. HITB 2022. [Advanced]
### OffensiveCon (Berlin)
OffensiveCon is highly technical and explicitly exploitation-oriented; talks are peer-reviewed and of consistently top quality. Site: [https://www.offensivecon.org](https://www.offensivecon.org).
- **[2025] “Breaking the Sound Barrier: Exploiting CoreAudio via Mach Message Fuzzing”** — Dillon Franke. High-speed Mach message fuzzing to find memory-corruption bugs in privileged macOS/iOS processes. OffensiveCon 2025. [Advanced]
- **[2025] “Fighting Cavities: Securing Android Bluetooth by Red Teaming”** — Jeong Wook Oh, Rishika Hooda, Xuan Xing. Systematic red teaming of the Android Bluetooth stack: memory corruption at the L2CAP and SDP layers enabling silent proximity attacks. OffensiveCon 2025. [Advanced]
- **[2025] “Chainspotting 2: The Unofficial Sequel”** — Ken Gannon (Mobile Hacking Lab). Exploitation methodology for the Samsung Galaxy S24 at Pwn2Own Ireland 2024: chaining logic bugs into full RCE. OffensiveCon 2025. [Advanced]
- **[2025] “Skin in the Game: GPU IOMMU Attacks on Android”** — fish, Ling Hanqin. Vulnerability research in Adreno, Mali and PowerVR GPU drivers and exploitation at the IOMMU layer. OffensiveCon 2025. [Advanced]
- **[2025] “No Signal, No Security: Dynamic Baseband Vulnerability Research”** — Daniel Klischies, David Hirsch. Dynamic baseband analysis with the BaseBridge + FirmWire emulators, reaching RCE without any physical cellular infrastructure. OffensiveCon 2025. [Advanced]
- **[2025] “Android In-The-Wild: Excavating a Kernel Exploit”** — Seth Jenkins (Google). Reconstructing kernel exploitation techniques from real-world Android exploit logs and artefacts. OffensiveCon 2025. [Advanced]
- **[2024] “How to Fuzz Your Way to Android Universal Root: Attacking Android Binder”** — Eugene Rodionov, Zi Fan Tan, Gulshan Singh. Systematic Binder fuzzing to find exploitable LPE primitives and reach universal root. OffensiveCon 2024. [Advanced]
- **[2024] “Attacking the Samsung Galaxy A* Boot Chain”** — Maxime Rossi Bellom, Damiano Melotti, Raphael Neveu, Gabrielle Viala (Synacktiv). Analysis and exploitation of the MediaTek-based boot chain. OffensiveCon 2024. [Advanced]
- **[2024] “iOS 16/17 Kernel Exploitation”** — Modern iOS kernel exploit development: kernel primitives, memory-structure abuse and PAC bypass as part of a working chain. OffensiveCon 2024. [Advanced]
- **[2024] “Breaking PAC on iOS: A Practical Guide”** — Pointer Authentication Code bypass methodology: which bypass classes are reliable, which are only theoretical, and how to build usable primitives. OffensiveCon 2024. [Advanced]
- **[2023] “Heap Exploitation on ARM64”** — ARM64-specific heap exploitation, accounting for allocator behaviour differences between iOS and Android. OffensiveCon 2023. [Advanced]
- **[2023] “Return Oriented Programming on iOS”** — ROP chain construction on iOS under modern mitigations, including PAC. OffensiveCon 2023. [Advanced]
- **[2023] “Chrome/V8 to Kernel: Mobile Exploit Chain Development”** — Full-chain development from browser renderer compromise through sandbox escape to kernel privilege escalation. OffensiveCon 2023. [Advanced]
- **[2022] “Fuzzing the Android Kernel”** — Systematic Android kernel fuzzing with syzkaller: adapting coverage collection, customising syscall descriptions and the triage workflow. OffensiveCon 2022. [Advanced]
- **[2022] “LLDB Scripting for iOS Security Research”** — LLDB automation for dynamic analysis of iOS targets: debugger scripting for tracing, memory analysis and exploit-development support. OffensiveCon 2022. [Intermediate]
### Hexacon (Paris)
Hexacon covers binary exploitation and low-level security research. Site: [https://www.hexacon.fr](https://www.hexacon.fr).
- **[2025] “Arise from the Wireless: Breaking the Security Barrier in Wi-Fi”** — Xiaobye. Structural flaws in WPA3 implementations and vendor-specific Wi-Fi Direct protocols. Hexacon 2025. Video: [youtube.com/watch?v=qT3YFtGjiuQ](https://www.youtube.com/watch?v=qT3YFtGjiuQ) [Advanced]
- **[2025] “Déjà Vu in Linux io_uring: Breaking Memory Sharing Again After Generations of Fixes”** — Pumpkin. A TOCTOU bug in io_uring shared memory on Android devices still yields reliable LPE despite repeated upstream fixes. Hexacon 2025. [Advanced]
- **[2025] “Inside Apple Secure Enclave Processor in 2025”** — Quentin Salingue (Synacktiv). In-depth architectural analysis of the SEP in the 2025 era: its interfaces with SPTM/TXM and what changed from earlier generations. Hexacon 2025. [Advanced]
- **[2025] “Paint it Blue: Attacking the Bluetooth Stack”** — Mehdi Talbi, Etienne Helluy-Lafont. Bluetooth stack exploitation methodology across mobile platforms. Hexacon 2025. [Advanced]
- **[2024] “Defense Through Offense: Building a 1-Click Calling Exploit in Messenger for Android”** — Andrew Calvano, Octavian Guzu, Ryan Hall (Meta Security). Full-chain exploitation of Messenger for Android: how the bugs were found and chained. Hexacon 2024. [Advanced]
- **[2024] “Attacking iOS Background Agents”** — Exploiting daemons and background processes: the attack surface of iOS background agents, XPC interface abuse and privilege escalation. Hexacon 2024. [Advanced]
- **[2024] “Android Trusted Applications: Breaking the TEE”** — TrustZone exploitation methodology: trusted-application reversing, building primitives from the normal world and TEE isolation failures. Hexacon 2024. [Advanced]
- **[2023] “RE of Flutter Apps: Advanced Techniques”** — Advanced Flutter reverse engineering: snapshot internals, obfuscated builds and native-bridge analysis. Hexacon 2023. [Intermediate]
- **[2023] “Memory Corruption in iOS Kernel”** — iOS kernel memory-corruption bugs and building exploit primitives from them. Hexacon 2023. [Advanced]
### TROOPERS
TROOPERS covers enterprise and device security, with a significant mobile and device-security track. Site: [https://troopers.de](https://troopers.de).
- **[2025] “Over the Garden Wall — Let's Steal Data from Your iPhone”** — Nils Rollshausen. Stealing data from an iPhone by exploiting protocol and pairing weaknesses. TROOPERS 2025. [Advanced]
- **[2025] “Securing the Airwaves: Emulation, Fuzzing, and Reverse Engineering of iPhone Baseband Firmware”** — Luca Glockow, Rachala Shriwas, Bruno Proietti. Methodology for fuzzing and reversing iPhone baseband firmware. TROOPERS 2025. [Advanced]
- **[2025] “30 min iOS Inactivity Reboot”** — Jiska Classen. Analysis of the inactivity-reboot feature introduced in iOS 18.1: how it works, what it protects, and its forensic implications. TROOPERS 2025. [Intermediate]
- **[2025] “Eastern Promises: Mobile VRP Lessons for Bug Hunters”** — Daniel Komaromy, Laszlo Szapula. Lessons from mobile vulnerability-reward programs: what gets rewarded, what does not, and common pitfalls. TROOPERS 2025. [Intermediate]
- **[2025] “Roaming Agreements — The Hidden 5G Attack Surface”** — Swantje Lange. The hidden attack surface in 5G roaming agreements. TROOPERS 2025. [Advanced]
- **[2024] “Mobile Forensics: Extracting Evidence from Modern Devices”** — iOS and Android forensic acquisition: locked-device extraction, cloud-backup analysis and log interpretation. TROOPERS 2024. [Intermediate]
- **[2024] “Enterprise Mobile Security: MDM Attack Surfaces”** — MDM protocol exploitation, enrollment-flow abuse and management-interface weaknesses as attack vectors into enterprise mobile environments. TROOPERS 2024. [Intermediate]
- **[2023] “Practical Android Security Testing”** — Workshop covering Android static, dynamic and network analysis, following the OWASP MASTG test cases. TROOPERS 2023. [Beginner]
- **[2023] “iOS Enterprise Deployment Attacks”** — DEP/MDM attack vectors: enrollment-flow abuse, configuration-profile injection and identity theft against enterprise iOS management infrastructure. TROOPERS 2023. [Intermediate]
### Zer0Con (Seoul)
Zer0Con is an invitation-only, top-tier offensive security conference; very little material is published, and the talks below are confirmed disclosures.
- **[2026] “Researcher's Guide to the Galaxy: Samsung 0-Click, Android Messengers, DNG, and Image Formats”** — Brendon Tiszka (Google Project Zero). New attack surface in Android and Samsung image-format decoders, including zero-click vectors. Zer0Con 2026. [Advanced]
- **[2026] “Modern Android Kernel Exploitation Through a Mali Driver Vulnerability”** — Chih-Yen Chang (DEVCORE). Mali GPU bug discovery and exploitation on the Pixel 8, including kernel debugging and SELinux bypass. Zer0Con 2026. [Advanced]
- **[2026] “Attacking Apple Display CoProcessor”** — Ye Zhang (Baidu). 14 CVEs found in Apple's display coprocessor firmware. Zer0Con 2026. [Advanced]
- **[2026] “Prompt2Pwn — LLMs Winning at Pwn2Own”** — Georgi G, Ben R (Interrupt Labs). Using AI agents to find bugs in Android apps automatically, yielding several Samsung Bixby zero-days. Zer0Con 2026. [Emerging]
- **[2025] “PAC2Own: From Bug to Shellcode in Modern Safari”** — Manfred Paul. Full chain from PAC bypass to shellcode in Safari under modern iOS/macOS mitigations. Zer0Con 2025. [Advanced]
- **[2024] “How to Jailbreak iOS 16”** — Lars Fröder (opa334, creator of Dopamine and TrollStore). Deep dive into jailbreak internals: kernel primitives, patching and rootless jailbreak design. Public slides: [https://github.com/opa334/Presentations/blob/main/Zer0Con%202024%20-%20How%20to%20Jailbreak%20iOS%2016.pdf](https://github.com/opa334/Presentations/blob/main/Zer0Con%202024%20-%20How%20to%20Jailbreak%20iOS%2016.pdf) Zer0Con 2024. [Advanced]
- **[2024] “Beyond Android MTE: Navigating OEM's Logic Labyrinths”** — Georgi Geshev, Joffrey Guilbon. Routes around Android MTE: chained logic bugs, improper permission checks, state transitions and symlink abuse. Zer0Con 2024. [Advanced]
- **[2024] “Bypassing ARM MTE with Speculative Execution”** — Jinbum Park. Leaking MTE tags on the Pixel 8 through an L1-cache timing side channel, defeating the hardware mitigation. Two new bugs confirmed. Zer0Con 2024. [Advanced]
- **[2024] “iOS 17 Full Chain”** — Complete chain on iOS 17: PAC bypass, sandbox escape and kernel privilege escalation. Zer0Con 2024. [Advanced]
- **[2024] “New Attack Surfaces in iOS 17.x”** — Attack surface introduced by new iOS 17 features: NameDrop, AirDrop improvements, StandBy mode, the Journal app and their daemons. Zer0Con 2024. [Advanced]
- **[2023] “Fuzzing Samsung's Closed-Source Libraries as if on a Real Device”** — Hao Xiong, Qinming Dai. A JVM emulation framework for fuzzing Samsung's closed-source OEM APIs without physical devices, enabling highly parallel memory-safety bug discovery. Zer0Con 2023. [Advanced]
- **[2023] “Android Pixel Exploitation”** — Pixel-specific security research: exploiting Google's own firmware and kernel patches. Zer0Con 2023. [Advanced]
- **[2023] “Operation Triangulation: Behind the Research”** — Kaspersky GReAT presents the full technical details of Operation Triangulation, including the hardware MMIO register abuse (see the research-papers section). Zer0Con 2023. [Advanced]
### REcon (Montreal)
REcon focuses on reverse engineering; its mobile and firmware track consistently produces high-value baseband, protocol and hardware research. Full session archive: [recon.cx](https://recon.cx).
- **[2025] “A Trip to Ancient BABYLON: Unearthing a 2017 Pegasus Persistence Exploit”** — Bill Marczak, Daniel Roethlisberger. Previously unpublished analysis of a 2017 iOS 10 Pegasus persistence exploit: the root-cause bug and post-infection code execution. REcon 2025. [Advanced]
- **[2025] “Call, Crash, Repeat: Hacking WhatsApp”** — Luke McLaren. Three independent WhatsApp bugs (iOS, Android, macOS): a URL-validation flaw, an XMPP parsing error leading to PJSIP exploitation, and a group-video logic bug. REcon 2025. [Advanced]
- **[2024] “WatchWitch: Apple Watch Protocol Stack from Scratch”** — Nils Rollshausen. Reversing the Apple Watch wireless protocol stack: home-grown cryptography and MitM opportunities. REcon 2024 / OBTS v8. [Advanced]
- **[2023] “Fully Remote Baseband Vulnerabilities in the Exynos 5300”** — Natalie Silvanovich. A comprehensive audit of the Samsung Shannon Exynos 5300 modem, yielding cross-carrier remote exploitation without proximity or a rogue base station. Video: [youtube.com/watch?v=LJ1NzJLMDUs](https://www.youtube.com/watch?v=LJ1NzJLMDUs) REcon 2023. [Advanced]
- **[2022] “When Wireless Malware Stays On After Turning Off iPhones”** — Jiska. The persistence attack surface of Bluetooth and ultra-wideband chips that keep executing after the device is powered off. REcon 2022. [Advanced]
### Power of Community (POC)
POC(韩国)年度安全会议,汇聚高质量漏洞利用与逆向工程研究。存档:[powerofcommunity.net](https://media.ccc.de/v/38c3-from-pegasus-to-predator-the-evolution-of-commercial-spyware-on-ios)。
- **[2025] “Trigon: Developing a Deterministic iOS Kernel Exploit”** — Alfie CG (@alfiecg_dev)。确定性 iOS 内核漏洞开发方法学:无需堆喷洒构建可靠原语。博客:[alfiecg.uk/2025/03/01/Trigon.html](https://alfiecg.uk/2025/03/01/Trigon.html) POC 2025。 [高级]
- **[2025] “The Biometric AuthToken Heist: Cracking PINs and Bypassing CE via a Long Ignored Attack Surface”** — Xuangan Xiao、Zikai Xu。生物识别认证令牌攻击:破解 PIN 与绕过 CE 存储的 Android Keymaster 攻击面。POC 2025。 [高级]
- **[2025] “(Sploit)Lights, Camera, Action! Exploiting Spotlight to Bypass TCC and Leak Data from Apple Intelligence”** — Christine Fossaceca。Apple 平台 TCC 绕过通过 Spotlight 插件,泄露 Apple Intelligence 私有数据。POC 2025。 [高级]
- **[2024] “Breaking Through the Cage: Get Android Universal Root by B-PUAF”** — Hanqin Ling、Yutao Lu(Pangu Team)。Binder 驱动页表利用实现多设备多内核版本的 Android 通用 root。POC 2024。 [高级]
- **[2024] “GPUAF: Two Ways of Rooting All Qualcomm Based Android Phones”** — Pan Zhenpeng、Jheng Bing Jhong(STAR LABS SG)。Qualcomm GPU 利用实现所有受影响 Qualcomm Android 设备 root,绕过 KNOX、KASLR 与 DEFEX。POC 2024。 [高级]
- **[2024] “Pishi: Coverage-Guided Fuzzing of the XNU Kernel and Arbitrary KEXT”** — Meysam Firouzi。XNU 内核覆盖率引导模糊测试框架,支持内核扩展(KEXT)漏洞发现。POC 2024。 [高级]
- **[2024] “An Insider Perspective on the Offensive Industry”** — Luca Todesco(Dataflow Security)。知名 iOS 漏洞利用研究者对商业漏洞利用产业的 keynote。POC 2024。 [高级]
- **[2023] “Modern Chrome Exploit Development”** — Avboy1337、yyjb、vrk。V8 沙箱绕过与劫持 Chrome V8 堆在移动与桌面平台上的完整方法学。POC 2023。 [高级]
- **[2023] “Evolution of Safari Mitigations and Bypasses”** — Nikita Pupyshev。Apple WebKit JIT 硬化与持续演进的类型混淆绕过策略。POC 2023。 [高级]
- **[2022] “Fugu15: A Deep Dive into iOS 15 Exploitation”** — Linus Henze。iOS 15 完全越狱:PAC 完全从用户空间绕过、利用Trust 逻辑缺陷伪造签名。POC 2022。 [高级]
### Chaos Communication Congress (CCC)
The annual Chaos Communication Congress (CCC) in Hamburg consistently delivers high-quality mobile and platform security research. Archive: [https://media.ccc.de](https://media.ccc.de).
- **[2025] “DNGerousLINK: A Deep Dive into WhatsApp 0-Click Exploits on iOS and Samsung Devices”** — Zhongrui Li, Yizhe Zhuang, Kira Chen. WhatsApp 0-click chain: CVE-2025-55177 (WhatsApp), CVE-2025-43300 (iOS RawCamera DNG), CVE-2025-21043 (Samsung OOB write). A zero-interaction attack triggered with nothing more than a phone number. 39C3, 2025. [Advanced]
- **[2025] “Not To Be Trusted — A Fiasco in Android TEEs”** — 0ddc0de, gannimo, Philipp. Android TEE vulnerabilities enabling privilege escalation from userland into the secure world: a type confusion in the BeanPod microkernel (CVE-2023-32835). First public BeanPod TEE 0-day. 39C3, 2025. [Advanced]
- **[2025] “Build a Fake Phone, Find Real Bugs: Qualcomm GPU Emulation and Fuzzing with LibAFL QEMU”** — Romain Malmain. A general approach to fuzzing Qualcomm Android kernels and GPU drivers under QEMU virtualisation. 39C3, 2025. [Advanced]
- **[2025] “Bluetooth Headphone Jacking: A Key to Your Phone”** — Dennis Heinze, Frieder Steinmetz. Three CVEs (CVE-2025-20700/20701/20702) in Bluetooth audio chips used by Sony, Marshall, Jabra and others: unauthenticated pairing, flash read-out and RAM manipulation. 39C3, 2025. [Advanced]
- **[2025] “Reverse Engineering the Pixel TitanM2 Firmware”** — willem. Reverse engineering of the Pixel TitanM2 security chip (RISC-V): Ghidra and Python-based firmware emulation. 39C3, 2025. [Advanced]
- **[2025] “Cracking Open What Makes Apple's Low-Latency WiFi So Fast”** — Henri Jager. Reverse analysis of Apple's proprietary low-latency WiFi protocol (used by Continuity features such as Sidecar Display and Continuity Camera) through iOS kernel logs. 39C3, 2025. [Advanced]
- **[2025] “Learning from South Korean Telco Breaches”** — Shinjo Park, Yonghyu Ban. Post-mortem of all three 2025 South Korean carrier breaches: the SK Telecom HSS breach and BPFDoor malware (23 million SIM card replacements). 39C3, 2025. [Intermediate]
- **[2025] “Watch Your Kids: Inside a Children's Smartwatch”** — Nils Rollshausen. Live teardown of a popular children's smartwatch: location data and communication leaks. 39C3, 2025. [Intermediate]
- **[2024] “From Pegasus to Predator: The Evolution of Commercial Spyware on iOS”** — Matthias Frielingsdorf (iVerify). Full timeline of iOS spyware from 2016 to 2024, the evolution of detection methods, and the BlastPass case study. 38C3, 2024. Recording: [https://media.ccc.de/v/38c3-from-pegasus-to-predator-the-evolution-of-commercial-spyware-on-ios](https://media.ccc.de/v/38c3-from-pegasus-to-predator-the-evolution-of-commercial-spyware-on-ios) [Intermediate–Advanced]
- **[2024] “ACE up the Sleeve: Hacking into Apple's USB-C Controller”** — stacksmashing (Thomas Roth). Extended demonstration of EM fault-injection attacks on Apple's ACE3 USB-C controller. 38C3, 2024. [Advanced]
- **[2024] “Ultrawide Archaeology on Android Native Libraries”** — Luca Di Bartolomeo, Rokhaya Fall. Novel static analysis of Android native code: wide-window analysis to recover structural semantics from stripped binaries. 38C3, 2024. [Advanced]
- **[2024] “Auracast: Breaking Broadcast LE Audio Before It Hits the Shelves”** — Frieder Steinmetz, Dennis Heinze. Security analysis of the Bluetooth LE Audio / Auracast broadcast standard: attack-surface research before the protocol ships. 38C3, 2024. [Advanced]
---
## 9. Exploit Techniques & Attack Surface Reference
A hands-on reference for Android and iOS applications covering IPC mechanisms, platform-specific exploitation primitives, cross-platform framework weaknesses and backend API vulnerabilities. Use it together with the static and dynamic analysis tooling in [Sections 1–5](#1-tools--static-analysis).
### Android Attack Surface `[Android]`
#### IPC Mechanisms
**Intents and Exported Components**
Android Activity, Service and Receiver components can declare `exported="true"` (or be implicitly exported), which lets other apps trigger them by sending Intents. When incoming data and caller permissions are not validated properly, an attacker can hijack the component, read sensitive information or execute arbitrary code. Common ways of getting around `exported` restrictions include:
- Intent URI spoofing against exported Activity components.
- Hijacking flows through PendingIntent replay or flag tampering (`FLAG_ACTIVITY_NEW_TASK` and similar).
- Abusing exported Service binding (`bindService`) and AIDL interfaces to craft cross-process (IPC) calls that exceed the caller's authority.
**ContentProvider**
When an exported ContentProvider exposes a data interface without strict permission checks on the caller (`readPermission`/`writePermission`), or with poorly managed URI permissions, the result can be data leakage or injection. Typical risks include:
- Arbitrary content URI access (`content://` traversal).
- SQL injection (where the Provider concatenates SQL statements).
- Bulk data export (leaking another app's data through a `Cursor`).
**Bound Services, Messenger and AIDL**
- **Messenger**: lightweight IBinder-based IPC; if the client package name and permissions are not restricted, a malicious app can bind to it and send forged messages.
- **AIDL**: Binder interfaces generated from the interface definition language that do not verify the caller's identity (`checkCallingPermission` / `checkPermission`) let an attacker bypass authorization by spoofing the caller's package name or signature.
**BroadcastReceiver**
An exported Receiver, whether registered dynamically or statically, can be triggered by a broadcast from any app. If the handling logic relies on untrusted data, the result can be denial of service (DoS), privilege escalation or information disclosure.
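As an added example, not code from the original list or from any project it cites, the following Python script applies the checks described above to a decoded AndroidManifest.xml (for example apktool output): it resolves the effective exported state of each component (explicit flag, implicit export through an intent-filter, the pre-API-17 provider default) and reports components that other apps can reach without holding a permission. The sample manifest, package and component names are constructed for illustration.

```python
"""Flag exported Android components that lack a permission guard.

Added example, not code from the original page or any project it cites.
Reads a decoded AndroidManifest.xml and reports Activity/Service/Receiver/
Provider elements reachable from other apps without the caller holding a
permission. SAMPLE_MANIFEST below is constructed; all names are made up.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")


def _attr(elem, name):
    """Read an android:-namespaced attribute, or None when absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def is_exported(elem, target_sdk):
    """Resolve the effective exported state of one component element.

    An explicit android:exported always wins. Without it, a component that
    declares an <intent-filter> is implicitly exported (targetSdk >= 31
    refuses to build such manifests, so anything we see is pre-31 or
    explicit). A <provider> with no flag defaults to exported below API 17.
    """
    explicit = _attr(elem, "exported")
    if explicit is not None:
        return explicit.strip().lower() == "true"
    if elem.tag == "provider":
        return target_sdk < 17
    return elem.find("intent-filter") is not None


def find_unguarded_exports(manifest_xml, target_sdk=None):
    """Return (tag, name, reason) tuples for exported, permission-less components.

    target_sdk is read from <uses-sdk> when not given; with neither present
    we assume 1, the most permissive default, so legacy providers are
    over-reported rather than missed.
    """
    root = ET.fromstring(manifest_xml)
    if target_sdk is None:
        uses_sdk = root.find("uses-sdk")
        declared = _attr(uses_sdk, "targetSdkVersion") if uses_sdk is not None else None
        target_sdk = int(declared) if declared and declared.isdigit() else 1
    app = root.find("application")
    findings = []
    if app is None:
        return findings
    for elem in app:
        if elem.tag not in COMPONENT_TAGS or not is_exported(elem, target_sdk):
            continue
        name = _attr(elem, "name") or "<unnamed>"
        if elem.tag == "provider":
            # android:permission guards both directions; otherwise each side
            # needs its own readPermission / writePermission.
            if _attr(elem, "permission") is None:
                missing = [p for p in ("readPermission", "writePermission") if _attr(elem, p) is None]
                if missing:
                    findings.append((elem.tag, name, "exported provider lacks " + ", ".join(missing)))
        elif _attr(elem, "permission") is None:
            findings.append((elem.tag, name, "exported without android:permission"))
    return findings


# Constructed sample: a pre-31 app with one component of each kind.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.target">
  <uses-sdk android:targetSdkVersion="30"/>
  <application>
    <activity android:name=".DeepLinkActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <data android:scheme="target"/>
      </intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.target.BIND_SYNC"/>
    <receiver android:name=".DebugReceiver">
      <intent-filter><action android:name="com.example.target.DEBUG"/></intent-filter>
    </receiver>
    <provider android:name=".NotesProvider" android:authorities="com.example.target.notes"
              android:exported="true" android:readPermission="com.example.target.READ_NOTES"/>
    <receiver android:name=".InternalReceiver" android:exported="false">
      <intent-filter><action android:name="com.example.target.TICK"/></intent-filter>
    </receiver>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for tag, name, reason in find_unguarded_exports(SAMPLE_MANIFEST):
        print(f"[{tag}] {name}: {reason}")
```

On the sample this reports the deep-link Activity and the implicitly exported debug Receiver, and flags the provider for an unguarded write side while leaving the permission-protected Service and the explicitly non-exported Receiver alone.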
#### System Service Abuse
- **ActivityManager / PackageManager**: calling undocumented APIs through reflection or Binder to query running apps and installation state, or to trigger implicit Intents.
- **NotificationManager**: abuse of notification channels and importance settings can enable background pop-ups, phishing or information gathering.
- **AccessibilityService**: accessibility permission can read screen contents and simulate taps; when abused it enables accessibility-based phishing.
- **DevicePolicyManager**: device administrator privileges can remotely lock, wipe or monitor a device; the attack surface includes privilege escalation and abuse of enterprise certificates.
#### Files and Storage
- **External storage (SharedPreferences / database files)**: when an app stores sensitive data in cleartext on external storage, an attacker can recover credentials via `MediaStore` or by reading the files directly.
- **Internal file leakage**: exported file providers or debug interfaces may expose logs, keys or temporary files.
#### Permission and Sandbox Bypass
- **Privilege escalation chains**: combining low-risk permissions (such as `READ_EXTERNAL_STORAGE`) with system service vulnerabilities to build a complete escalation path.
- **SELinux bypass**: exploiting permissive policy domains or kernel vulnerabilities to defeat Mandatory Access Control.
- **Sandbox escape**: breaking out of the application sandbox via WebView, JavaScriptCore or components shared across apps.
#### Debugging and Anti-Reversing Bypass
- **Root detection bypass**: detection of root tools, Magisk hiding, Xposed framework traces and similar.
- **Anti-debugging and anti-emulation**: using ptrace, /proc and custom integrity checks to counter dynamic analysis.
- **Code obfuscation and hardening**: DEX packing, native obfuscation and string encryption to counter static analysis.
#### Network and Security
- **TLS/SSL validation bypass**: custom `TrustManager` implementations, broken certificate pinning, or hooking.
- **Cleartext communication**: HTTP and unencrypted local IPC channels can be intercepted by a man-in-the-middle.
- **VPN and proxy detection**: bypassing network proxy and VPN detection to conceal C2 communication.
#### Supply Chain and Third-Party SDKs
- **SDK vulnerabilities**: permission abuse, data leakage or remote code execution in third-party libraries (such as advertising and push SDKs).
- **Plugins and dynamic loading**: hotfix and plugin frameworks (VirtualApk, DynamicLoad) without signature verification can load malicious code.
- **CI/CD and build pipelines**: a compromised build server leaks source code or signing certificates.
### iOS Attack Surface `[iOS]`
#### IPC and Component Communication
- **URL Schemes and Universal Links**: can trigger logic across apps; without origin validation they may lead to data leakage or hijacked operations.
- **XPC services**: communication over `NSXPCConnection`; interfaces without permission checks can be invoked beyond their intended authority.
- **Pasteboard (UIPasteboard)**: sensitive data can be read by other apps.
- **Notifications and deep links**: data passed through `UNNotification` and `NSUserActivity` may leak information if handled improperly.
#### System Services and Daemons
- **SpringBoard and multitasking**: persistence through background modes (VoIP, Background Fetch, Significant Location).
- **CoreLocation and Motion**: location and sensor data can be abused to track users.
- **Keychain**: misconfigured access control lists (ACLs) allow other apps to read keys.
- **UserNotifications / CallKit**: notification and call interfaces can be forged or hijacked.
#### Kernel and Low-Level Vulnerabilities
- **Kernel memory corruption**: privilege escalation via type confusion, integer overflow and out-of-bounds read/write bugs.
- **PAC bypass**: defeating Pointer Authentication Codes through side channels or implementation flaws.
- **TrustZone and Secure Enclave**: TEE vulnerabilities and exploit chains that break the security isolation.
- **Hardware MMIO register abuse**: such as the MMIO-mapped coprocessor attack in Operation Triangulation.
#### File System and Persistence
- **Sandbox escape**: data exfiltration via file providers, Document Interaction and Open In sharing.
- **Backup and sync**: sensitive data stored in cleartext in iCloud and iTunes backups can be extracted.
- **Jailbreak persistence**: persistent residence via LaunchDaemons, LaunchAgents and preference injection.
#### Privacy and Permissions
- **Permission prompt abuse**: tricking users into granting access, or exploiting system bugs to bypass the prompt.
- **Photo library access**: bulk reading of sensitive images.
- **Microphone and camera**: continuous background listening or recording.
#### Cryptography and Code Signing
- **Data Protection classes**: access control and device binding of keychain items.
- **App signing and notarization**: risks from unsigned apps and enterprise certificate abuse.
- **Secure Enclave**: security boundaries in key generation, storage and use.
#### WebKit and Browser Vulnerabilities
- **JavaScriptCore JIT bugs**: type confusion and use-after-free leading to code execution.
- **Sandbox escape**: breaking out of the browser sandbox via WebKit bugs and then attacking the kernel.
- **Hybrid attack chains**: web entry point → privilege escalation → kernel exploitation.
#### Supply Chain and Development Tools
- **Xcode injection and malicious plugins**: backdoors planted in the build environment.
- **Enterprise certificate abuse**: bypassing App Store review to distribute directly.
- **CI/CD credential leakage**: leaked build keys and signing certificates allow apps to be tampered with.
---
## 10. Tools & Resource Index
### Static Analysis Tools
- **Ghidra** (NSA): decompilation and reverse engineering framework with multi-architecture support.
- **IDA Pro**: industry-standard decompiler with a rich plugin ecosystem.
- **Binary Ninja**: lightweight reversing platform with a friendly API.
- **Hopper**: decompiler for macOS/iOS.
- **radare2 / Cutter**: open-source reversing suite with strong scripting support.
- **class-dump / class-dump-z**: Objective-C class information extraction.
- **Frida**: dynamic instrumentation and hooking framework, multi-platform.
- **Cycript**: interactive runtime hooking tool (iOS).
- **Objection**: Frida-based mobile app security assessment CLI.
- **Mobile Security Framework (MobSF)**: one-stop platform for automated static/dynamic analysis.
### Dynamic Debugging and Injection
- **LLDB**: Xcode's default debugger, scriptable.
- **GDB (gradually superseded by LLDB)**: traditional debugger.
- **frida-server / frida-ps / frida-trace**: running Frida on the device and executing scripts.
- **Cycript**: runtime memory modification and hooking.
- **lldb-server**: remote debugging agent.
- **OpenSSH / usbmuxd**: the basis for device connectivity and port forwarding.
### Fuzzing and Vulnerability Discovery
- **AFL / AFL++**: coverage-guided fuzzing framework.
- **libFuzzer**: LLVM-based fuzzing engine.
- **Honggfuzz**: multi-architecture fuzzer.
- **QEMU**: system emulation and fuzzing target platform.
- **Boofuzz**: network protocol fuzzing framework.
- **Peach Fuzzer**: commercial fuzzing platform.
- **Syzkaller**: coverage-guided fuzzing for the Linux kernel.
- **kAFL**: Android kernel fuzzing framework.
- **iXGuard / O-LLVM**: code obfuscation and adversarial sample generation tools.
### Traffic Analysis and Man-in-the-Middle
- **Wireshark / tcpdump**: network traffic capture and analysis.
- **mitmproxy / Burp Suite**: HTTP/HTTPS traffic interception and modification.
- **Charles / Proxyman**: graphical HTTP debugging proxies.
- **Objection network**: Frida-provided network traffic hooks.
- **SSLKEYLOGFILE**: exporting TLS keys to decrypt traffic.
- **tcpflow / tcpreplay**: traffic reassembly and replay.
### Mobile-Specific Tools
- **class-dump-z**: class information extraction from iOS Objective-C binaries.
- **Theos / dpkg-deb / ldid**: development and packaging toolchain for jailbroken iOS.
- **iproxy / usbmuxd**: port forwarding and device connectivity.
- **ideviceinstaller / idevicebackup2**: iOS device management, backup and installation.
- **libimobiledevice**: cross-platform iOS device communication library.
- **Apple Configurator 2**: device configuration and management (macOS).
- **iMazing**: local device data browsing and export.
- **Proxyman**: network proxy tool for iOS/macOS.
- **ReAgent**: iOS recovery and reset tool.
### Exploit and PoC Reference Resources
- **Exploit-DB** (exploit-db.com): collection of exploit code and PoCs.
- **GitHub**: a large body of security research projects and PoC scripts.
- **Google Project Zero**: vulnerability research and disclosure reports.
- **Apple Security Research**: official security updates and advisories.
- **CISA Known Exploited Vulnerabilities (KEV)**: catalogue of vulnerabilities known to be exploited in the wild.
- **OWASP Mobile Top 10**: list of mobile application security risks.
- **MITRE ATT&CK for Mobile**: framework of mobile attack tactics and techniques.
### Additional References
- **iOS Security Guide** (Apple, official): overview of architecture and security mechanisms.
- **Android Security Overview** (Google, official): permission model and sandbox mechanisms.
- **ARM Architecture Reference Manual**: instruction set and exception model.
- **TEE internal white papers** (such as TrustZone technical documentation).
- **USENIX Security / IEEE S&P / ACSAC proceedings**: archives of past conference papers.
- **arXiv.org**: security and cryptography preprints.
- **Security communities and forums**: such as Reddit r/netsec, Stack Exchange and infosec Discord communities.
---
## Closing Remarks
This handbook aims to give security researchers, penetration testers and reverse engineers a systematic map of mobile security knowledge and a hands-on reference. It covers the full chain from vulnerability discovery and exploitation to defence bypass, and keeps pace with the latest research and toolchain updates. Research should be carried out on real devices in legally authorized environments, in compliance with applicable laws, regulations and ethical guidelines.
## 14. Threat Intelligence
### Threat Reports and Annual Reviews
- **Google Android Security Bulletins** — [source.android.com/docs/security/bulletin](https://source.android.com/docs/security/bulletin) — Monthly patches with CVE details, affected components, severity ratings and patch SHA values. Essential for tracking Android system-level vulnerability cadence. [Intermediate]
- **Apple Platform Security Guide** — [support.apple.com/guide/security/welcome/web](https://support.apple.com/guide/security/welcome/web) — Comprehensive documentation of Apple's security architecture, updated annually. Covers Secure Enclave, secure boot, code signing, sandboxing, Face ID/Touch ID and more. [Intermediate–Advanced]
- **Zimperium Global Mobile Threat Report** — [zimperium.com/global-mobile-threat-report](https://zimperium.com/global-mobile-threat-report/) — Annual mobile threat landscape statistics: malware family counts, prevalence of risky apps, enterprise mobile breach data. [Intermediate]
- **Lookout Mobile Threat Report** — [lookout.com/resources](https://www.lookout.com/resources) — Annual enterprise mobile threat analysis. Data on spyware, credential theft and phishing vectors. [Intermediate]
- **Citizen Lab Reports** — [citizenlab.ca/category/research/tools-resources](https://citizenlab.ca/category/research/tools-resources/) — Technical investigations of commercial surveillance and spyware. The primary public source for research on Pegasus, Predator, QuaDream, Paragon Graphite and others. [Intermediate–Advanced]
- **Amnesty Tech Investigations** — [securitylab.amnesty.org/latest](https://securitylab.amnesty.org/latest/) — Forensic analysis of spyware with published IOCs. Rigorous, reproducible methodology. [Intermediate–Advanced]
- **Verizon DBIR** — [verizon.com/business/resources/reports/dbir](https://www.verizon.com/business/resources/reports/dbir/) — Annual breach report. Includes mobile-related sections useful for enterprise risk context. [Intermediate]
- **Kaspersky Mobile Threat Report** — [securelist.com/mobile-threat-report](https://securelist.com/mobile-threat-report-2025/119076/) — Annual analysis of mobile malware trends, top malware families and attacker tactics. The 2025 edition covers Triada, Mamont, SpyLoan and the resurgence of mobile banking trojans. [Intermediate]
- **Google Annual Zero-Day Exploitation Review** — [cloud.google.com/blog/topics/threat-intelligence](https://cloud.google.com/blog/topics/threat-intelligence/2025-zero-day-review) — Annual review by the Google Threat Intelligence Group tracking all zero-day exploitation. Covers vendor and commercial spyware attribution on mobile platforms (iOS and Android). The 2025 report identifies iOS as the most-exploited mobile platform. [Intermediate–Advanced]
### CVE Databases and Notifications
- **Android Security Bulletins** — [source.android.com/docs/security/bulletin](https://source.android.com/docs/security/bulletin) — Official monthly patches. Filter by severity (Critical/High) and component (kernel, Qualcomm, media framework) to track the research areas of interest. [Intermediate]
- **Apple Security Updates** — [support.apple.com/en-us/HT201222](https://support.apple.com/en-us/HT201222) — All Apple CVEs with affected OS versions and patch information. [Intermediate]
- **NVD (National Vulnerability Database)** — [nvd.nist.gov](https://nvd.nist.gov) — NIST's CVE database with CVSS scores, CWE mappings and reference links. Useful for structured vulnerability research and portfolio tracking. [Intermediate]
- **Qualcomm Security Bulletins** — [docs.qualcomm.com/product/publicresources/securitybulletin](https://docs.qualcomm.com/product/publicresources/securitybulletin/) — Quarterly bulletins covering Snapdragon SoC and modem vulnerabilities. Essential for Pixel and flagship Android research given how widely Qualcomm chips are used. [Advanced]
- **Samsung Security Updates** — [security.samsungmobile.com/securityUpdate.smsb](https://security.samsungmobile.com/securityUpdate.smsb) — Samsung-specific Android vulnerabilities, including Knox and Samsung's in-house components. [Intermediate]
- **Pixel Update Bulletins** — [source.android.com/docs/security/bulletin/pixel](https://source.android.com/docs/security/bulletin/pixel) — Google Pixel-specific patches, often ahead of the general Android bulletin. Includes Qualcomm component patches. [Intermediate]
### Mobile Malware Databases
- **VirusTotal** — [virustotal.com](https://www.virustotal.com) — Multi-engine scanning and behavioural analysis. Supports Android APK and iOS IPA uploads. A must for initial analysis. [Beginner–Intermediate]
- **Koodous** — [koodous.com](https://koodous.com) — Android-specific malware repository and community analysis platform. Supports YARA rule search. Good for tracking malware family evolution. [Intermediate]
- **MalwareBazaar** — [bazaar.abuse.ch](https://bazaar.abuse.ch) — Open malware sample repository including mobile samples. Supports tag filtering and bulk download. [Intermediate]
- **Contagio Mobile Malware Mini-Dump** — [contagiominidump.blogspot.com](https://contagiominidump.blogspot.com) — Archive of mobile malware samples for research use. Includes historically significant families. [Intermediate–Advanced]
### Threat Groups Targeting Mobile (APT)
| Group | Attribution | Primary targets | Notable operations |
|------|------|----------|--------------|
| NSO Group (Pegasus) | Israel | Journalists, activists, heads of state | FORCEDENTRY (CVE-2021-30860), BLASTPASS (CVE-2023-41064) |
| Intellexa (Predator) | European Union | Civil society, politicians | “Aladdin” silent infection (2025); zero-click iOS/Android chains |
| QuaDream / Reign | Israel | iOS, zero-click iMessage delivery | Disclosed by Citizen Lab in 2023; company since dissolved |
| Paragon (Graphite) | Israel | Journalists, civil society via iMessage | Citizen Lab, March 2025; CVE-2025-43200 zero-click (patched in iOS 18.3.1) |
| RCS Lab (Hermit) | Italy | Targeted surveillance on Android and iOS | Campaigns in Italy and Kazakhstan |
| Lazarus Group | North Korea (attributed) | Financial-sector mobile apps, crypto wallets | Watering-hole attacks, malicious app distribution, BadBazaar collaboration |
| Gamaredon / Primitive Bear | Russia (attributed) | Russian-speaking targets | BoneSpy + PlainGnome Android surveillance (December 2024) |
| ScarCruft / APT37 | North Korea (attributed) | South Korean targets, Uyghur communities | KoSpy Android surveillance (2025) |
| APT-C-23 | Middle East (attributed) | Palestinian journalists | Custom Android RAT campaigns |
| FancyBear / APT28 | Russia (attributed) | Government officials, Android devices | Spear phishing, mobile credential theft |
| MuddyWater / APT34 (Iran) | Iran (attributed) | Government, telecoms | DCHSpy Android surveillance |
---
## 15. Courses & Certifications
### Mobile Security Courses
#### Free
- **OWASP MASTG** — [mas.owasp.org/MASTG](https://mas.owasp.org/MASTG/) — The authoritative free hands-on testing guide. Work through the MASVS controls category by category as a self-study curriculum. Deep coverage of both Android and iOS. [Intermediate]
- **HackTricks Mobile Pentesting** — [hacktricks.wiki/en/mobile-pentesting](https://hacktricks.wiki/en/mobile-pentesting/android-app-pentesting/index.html) — Comprehensive pentesting reference for Android and iOS. Good for quick lookup of checklists and technique notes. [Beginner–Intermediate]
- **Corellium Security Tutorials** — [corellium.com/blog](https://corellium.com/blog) — Free iOS and Android security tutorials covering jailbreak mechanics, research toolchains and platform internals. [Intermediate]
- **8kSec Free Labs — Battlegrounds** — [8ksec.io/battle](https://8ksec.io/battle/) — Free hands-on challenges: Android component attacks, iOS runtime analysis, ARM exploitation. New challenges added regularly. [Intermediate–Advanced]
#### Paid
- **8kSec — Practical Mobile Application Penetration Testing (CMSE)** — [academy.8ksec.io](https://academy.8ksec.io) — Lab-driven Android and iOS penetration testing course covering environment setup, Frida automation, static/dynamic analysis, ARM64 and application security. Awards the Certified Mobile Security Engineer (CMSE) certificate. [Intermediate–Advanced]
- **8kSec — Offensive Mobile Reversing and Exploitation (OMSE)** — [academy.8ksec.io](https://academy.8ksec.io) — Advanced course covering the iOS kernel (XNU, SPTM, TXM, PAC, PPL), Android kernel exploitation, JNI fuzzing, advanced Frida and mobile malware analysis (including crypto-wallet stealers). Awards the Offensive Mobile Security Expert (OMSE) certificate. [Advanced]
- **INE / eLearnSecurity eMAPT** — [ine.com](https://ine.com) — Enterprise mobile application penetration testing course. Hands-on labs with real APK/IPA environments. Can be combined with the eMAPT certification.
- **TCM Security: Practical Mobile Security** — [tcm-sec.com/academy](https://tcm-sec.com/academy/) — Practice-oriented Android and iOS testing course covering common attack classes, Frida and Burp Suite integration.
- **NowSecure Academy** — [nowsecure.com/academy](https://www.nowsecure.com/products/nowsecure-academy-mobile-appsec-training/) — Enterprise mobile security training aligned with OWASP MASVS. Emphasis on tool-agnostic methodology.
- **PortSwigger Web Security Academy** [free labs / paid Pro] — [portswigger.net/web-security](https://portswigger.net/web-security) — API security labs directly applicable to mobile backend testing. JWT attacks, IDOR, API authentication flaws. Core labs are free.
### Certifications
| Certification | Issuer | Focus | Format |
|--------------|--------|-------|--------|
| [CMSE](https://academy.8ksec.io) | 8kSec | Android and iOS app security — static, dynamic, reverse engineering, Frida | Practical exam |
| [OMSE](https://academy.8ksec.io) | 8kSec | Advanced mobile reverse engineering and exploitation — kernel, TEE, malware | Practical exam |
| [eMAPT](https://my.ine.com/certifications/) | eLearnSecurity / INE | Mobile application penetration testing — Android and iOS | Practical (real-app exam) |
| [GMOB](https://www.giac.org/certifications/mobile-device-security-analyst-gmob/) | GIAC | Mobile device and application security | Proctored exam |
| [GWAPT](https://www.giac.org/certifications/web-application-penetration-tester-gwapt/) | GIAC | Web/mobile application testing | Proctored exam |
| [OSCP](https://www.offsec.com/courses/pen-200/) | OffSec | General penetration testing with mobile modules | 24-hour practical exam |
| [CEH](https://www.eccouncil.org/programs/certified-ethical-hacker-ceh/) | EC-Council | Broad ethical hacking (includes mobile) | Multiple choice |
## 16. Standards & Frameworks
### OWASP Mobile
- **OWASP MASVS (Mobile Application Security Verification Standard) v2.1** — [mas.owasp.org/MASVS](https://mas.owasp.org/MASVS/) — Baseline requirements for mobile application security verification. The January 2024 update added **MASVS-PRIVACY** as a new control group and dropped the verification levels (L1/L2/R) in favour of MAS testing profiles. Widely used as a contractual requirement and audit baseline. [Intermediate]
- **OWASP MASTG (Mobile Application Security Testing Guide)** — [mas.owasp.org/MASTG](https://mas.owasp.org/MASTG/) — Comprehensive testing methodology guide, mapped one-to-one to MASVS controls. Contains atomic tests that can be executed as ready-made checklists. The reference guide for MASVS assessments. [Intermediate]
- **MASWE (Mobile App Security Weakness Enumeration)** — [mas.owasp.org](https://mas.owasp.org) — Released July 2024. Introduces a new fine-grained layer between MASVS controls and MASTG tests. Enumerates specific weaknesses (for example “unpredictable random number generation”) that map both to MASVS requirements and to MASTG test procedures. Improves the consistency of assessment reports. [Intermediate]
- **OWASP Mobile Top 10 (2024)** — [owasp.org/www-project-mobile-top-10](https://owasp.org/www-project-mobile-top-10/) — First update since 2016. New categories include M1 Improper Credential Usage, M2 Inadequate Supply Chain Security, M6 Inadequate Privacy Controls and M8 Security Misconfiguration. Old categories that were merged or became implicit were removed. [Beginner–Intermediate]
- **OWASP MAS Checklist** — [mas.owasp.org/checklists](https://mas.owasp.org/checklists/) — Downloadable MASVS checklists (Excel and Markdown). Use as the primary deliverable template for MASVS assessments. [Intermediate]
- **How to Secure Flutter Applications Against the OWASP Mobile Top 10** — [8ksec.io/how-to-secure-flutter-applications-against-the-owasp-mobile-top-10](https://8ksec.io/securing-flutter-applications/) — 8kSec blog post applying the OWASP controls to Flutter-specific attack surface. [Intermediate]
### MITRE ATT&CK Mobile
- **MITRE ATT&CK for Mobile** — [attack.mitre.org/matrices/mobile](https://attack.mitre.org/matrices/mobile/) — Adversary tactics, techniques and procedures for Android and iOS. **v17 (April 2025):** 12 tactics, 75 techniques, 46 sub-techniques, 15 groups, 118 software entries. **v18 (October 2025):** adds Wi-Fi discovery and wireless sniffing behaviours; un-deprecates “Abuse Accessibility Features”. Used for threat modelling, red-team scoping and detection engineering. [Intermediate–Advanced]
- **MITRE ATT&CK Navigator** — [mitre-attack.github.io/attack-navigator](https://mitre-attack.github.io/attack-navigator/) — Interactive matrix visualisation. Build coverage heat maps for mobile threat models and red-team scope definitions. [Intermediate]
### NIST
- **NIST SP 800-163 Rev. 1** — [csrc.nist.gov/publications/detail/sp/800-163/rev-1/final](https://csrc.nist.gov/publications/detail/sp/800-163/rev-1/final) — Vetting the security of mobile applications. A framework for organisations to assess mobile app security risk before deployment. [Intermediate]
- **NIST SP 800-124 Rev. 2** — [csrc.nist.gov/publications/detail/sp/800-124/rev-2/final](https://csrc.nist.gov/publications/detail/sp/800-124/rev-2/final) — Guidelines for managing mobile device security in the enterprise. MDM policy, enrolment models, device lifecycle. [Intermediate]
### CIS Benchmarks
- **CIS Android Benchmark** — [cisecurity.org/benchmark/google_android](https://www.cisecurity.org/benchmark/google_android) — Android device configuration hardening guide. A useful baseline for enterprise device policy. [Intermediate]
- **CIS Apple iOS/iPadOS Benchmark** — [cisecurity.org/benchmark/apple_ios](https://www.cisecurity.org/benchmark/apple_ios) — iOS device hardening configuration. Settings applicable to MDM deployments. [Intermediate]
### Other Standards
- **GSMA Mobile Security Guidelines** — [gsma.com/security](https://www.gsma.com/security/) — Telecom-oriented mobile security standards. Relevant to baseband research, network interface security and carrier-side mobile threat modelling. [Advanced]
- **PCI MPoC (Mobile Payments on COTS)** — [pcisecuritystandards.org](https://www.pcisecuritystandards.org) — Standard for accepting payment card data on commercial off-the-shelf mobile devices. Applicable to fintech and payment app security. [Intermediate]
## 17. Official Documentation
### Android
- **Android Security Overview** — [source.android.com/docs/security](https://source.android.com/docs/security) — AOSP security documentation covering the full Android security architecture: application sandbox, permission model, SELinux policy, Verified Boot and hardware-backed security. [Intermediate]
- **Android Developer Security Docs** — [developer.android.com/topic/security](https://developer.android.com/topic/security) — Secure coding guidance covering data storage, Network Security Configuration, cryptography APIs and permissions. The entry-level reference for Android app hardening. [Beginner–Intermediate]
- **Android Keystore System** — [developer.android.com/training/articles/keystore](https://developer.android.com/training/articles/keystore) — Documentation of hardware-backed key storage and cryptographic operations. Essential for understanding secure storage design and its limits. [Intermediate]
- **Android SELinux Documentation** — [source.android.com/docs/security/features/selinux](https://source.android.com/docs/security/features/selinux) — SELinux policy design, interpreting audit logs and developing custom policy for Android. [Advanced]
- **Android Security Bulletins** — [source.android.com/docs/security/bulletin](https://source.android.com/docs/security/bulletin) — Monthly vulnerability disclosure and patch documentation. [Intermediate]
- **AOSP Source Code** — [source.android.com](https://source.android.com) — The complete Android Open Source Project source. Essential for patch diffing, understanding internal APIs and kernel vulnerability research. [Advanced]
- **Blueprint of Android Activity Lifecycle** — [8ksec.io/blueprint-of-android-activity-lifecycle](https://8ksec.io/a-blueprint-of-android-activity-lifecycle/) — 8kSec blog post on the Activity lifecycle from a security perspective: data leakage between lifecycle transitions, Intent handling and state management bugs.
### iOS and Apple
- **Apple Platform Security Guide** — [support.apple.com/guide/security/welcome/web](https://support.apple.com/guide/security/welcome/web) — Comprehensive documentation of Apple's security architecture, updated annually. Covers Secure Enclave, Pointer Authentication (PAC), the secure boot chain, code signing, sandboxing, Face ID/Touch ID, iCloud security and device management. The canonical reference for understanding iOS security design. [Intermediate–Advanced]
- **iOS Security Framework API Docs** — [developer.apple.com/documentation/security](https://developer.apple.com/documentation/security) — Developer API documentation for the iOS Security framework: Keychain, certificates, cryptographic operations, code signing. [Intermediate]
- **iOS Entitlements Reference** — [developer.apple.com/documentation/bundleresources/entitlements](https://developer.apple.com/documentation/bundleresources/entitlements) — Complete list of iOS entitlements and their security implications. Essential for iOS app permission analysis and jailbreak-detection bypass research. [Intermediate–Advanced]
- **Apple Security Advisories** — [support.apple.com/en-us/HT201222](https://support.apple.com/en-us/HT201222) — All Apple CVEs with patched versions (and a basic technical summary where disclosed). [Intermediate]
- **ipsw.me** — [ipsw.me](https://ipsw.me) — Firmware download archive for iOS, iPadOS and macOS. Maintains per-device, per-version archives of signed and unsigned IPSWs. Indispensable for version-specific research and jailbreak development. [Advanced]
- **Reading iOS Sandbox Profiles** — [8ksec.io/reading-ios-sandbox-profiles](https://8ksec.io/reading-ios-sandbox-profiles/) — Guide to parsing and interpreting compiled iOS sandbox profiles: tooling, architectural structure and the restrictions that matter for vulnerability research. [Intermediate–Advanced]
### Cross-Platform Framework Security Docs
- **Flutter Security Documentation** — [docs.flutter.dev/security](https://docs.flutter.dev/security) — Official Flutter security guidance. Note: Flutter's proxy behaviour and certificate pinning implementation require specific tooling to bypass for traffic interception — see Section 4. [Intermediate]
- **React Native Security** — [reactnative.dev/docs/security](https://reactnative.dev/docs/security) — Official React Native security documentation covering secure storage, network security and the JS bridge attack surface. [Intermediate]
## 18. Regulatory & Compliance
### App Store Policies
- **Google Play Developer Policy Center** — [play.google.com/about/developer-content-policy](https://play.google.com/about/developer-content-policy/) — Governs the behaviour of Android apps on the Play Store. Relevant to security researchers: prohibitions on monitoring other apps without consent, abuse of accessibility services, detection of ad-fraud tooling and more. [Intermediate]
- **Apple App Store Review Guidelines** — [developer.apple.com/app-store/review/guidelines](https://developer.apple.com/app-store/review/guidelines/) — Security and privacy requirements enforced on iOS apps during review. Covers data collection disclosure, encryption compliance and restrictions on private API use. [Intermediate]
### Privacy Regulation
| Regulation | Jurisdiction | Key impact on mobile apps |
|-----------|-------------|------------------------|
| GDPR | EU / EEA | Consent for user data collection, right to erasure, data minimisation, breach notification within 72 hours |
| CCPA / CPRA | California, USA | Prohibition on data sale, privacy notice at collection, consumer data rights |
| PDPA | Thailand | Consent-based data processing, applies to apps holding Thai users' data |
| LGPD | Brazil | Data protection framework with legitimate interest and consent as legal bases |
| PIPEDA | Canada | Protection of personal information in commercial activities |
| APP (Privacy Act) | Australia | 13 Australian Privacy Principles, applicable to mobile apps handling personal information |
- **ICO Guidance on Apps** — [ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources](https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/) — Practical GDPR guidance from the UK ICO for mobile app developers. [Intermediate]
- **Apple App Tracking Transparency (ATT) `[iOS]`** — Introduced in iOS 14.5. Requires explicit user permission for cross-app tracking. Significant impact on ad tech; also a reference model for consent design in security-sensitive apps. [Intermediate]
- **Android Privacy Dashboard** (Android 12+) `[Android]` — [developer.android.com/training/permissions/explaining-access](https://developer.android.com/training/permissions/explaining-access) — Timeline view of sensitive permission access. Useful for security research and for detecting anomalous background data access patterns. [Intermediate]
### Payment and Financial Standards
- **PCI DSS v4.0** — [pcisecuritystandards.org](https://www.pcisecuritystandards.org) — Payment Card Industry Data Security Standard. Requirement 6 covers secure software development and applies to any mobile app that processes, stores or transmits cardholder data. [Intermediate]
- **PCI MPoC** — Standard for accepting payment cards on commercial off-the-shelf mobile devices. Defines hardware and software requirements for mobile POS implementations. [Intermediate]
- **EMVCo** — [emvco.com](https://www.emvco.com) — Payment tokenisation and NFC payment security standards. Relevant to the security of mobile wallet and contactless payment implementations. [Intermediate]
### Healthcare
- **HIPAA Security Rule** — Mobile health app considerations: any app handling protected health information (PHI) must implement encryption in transit and at rest, access control and audit logging. The Security Rule specifies outcomes rather than technologies. [Intermediate]
- **NIST SP 800-163** — Framework for federal and healthcare organisations to vet mobile app security before approving deployment. [Intermediate]
## 19. Bug Bounty Programs
### Vendor Programs
| Company | Scope | Maximum payout | Program link |
|---------|-------|-----------|-------------|
| Google (Android & Pixel) | Android OS, Pixel firmware, Play Store apps | $1,000,000+ (full exploit chain with persistence) | [bughunters.google.com](https://bughunters.google.com/about/rules/android-friends/6171833274204160/android-and-google-devices-security-reward-program-rules) |
| Apple | iOS kernel, PAC bypass, iCloud | $1,000,000 (zero-click kernel with persistence) | [security.apple.com/bounty](https://security.apple.com/bounty/) |
| Samsung | Knox, Samsung Pay, Galaxy firmware | $1,000,000 (full exploit chain on flagship devices) | [samsung.com/securityresponsecenter](https://www.samsung.com/us/support/securityresponsecenter/) |
| Microsoft | Defender for Android, Microsoft mobile apps | $30,000+ | [microsoft.com/en-us/msrc/bounty](https://www.microsoft.com/en-us/msrc/bounty) |
| Meta | Facebook, Instagram, WhatsApp mobile | $500,000+ (critical account takeover) | [bugbounty.meta.com](https://bugbounty.meta.com) |
All vendor programs require responsible disclosure of previously unreported vulnerabilities. Deliberate exploitation against production user data is out of scope.
### Independent Platforms
**HackerOne** — [hackerone.com/bug-bounty-programs](https://hackerone.com/bug-bounty-programs) — Hosts hundreds of mobile app programs. Filter scope descriptions by “Android”, “iOS” or “mobile”. Many fintech, healthcare and consumer app programs are active.
**Bugcrowd** — [bugcrowd.com/programs](https://bugcrowd.com/programs) — Similar scope to HackerOne. Hosts mobile-focused programs from enterprise and consumer companies.
**Intigriti** — [intigriti.com](https://www.intigriti.com) — Europe-focused bug bounty platform with mobile app programs. Strong presence among GDPR-compliant EU companies.
### Market Reference
Reference on commercial zero-day pricing (not a standard bounty program):
**Zerodium** — [zerodium.com](https://zerodium.com/) — Publishes a price list for zero-day acquisitions. iOS zero-click full chain with persistence: up to $2,500,000. Android equivalent: up to $1,500,000. Useful for understanding the economic value of mobile vulnerabilities and the investment attackers make. Do not submit vulnerabilities here without legal and ethical review.
## 20. Free Practical Challenges
Every resource in this section is free. No paywalled content.
### Android Challenges
- **InjuredAndroid** — [github.com/B3nac/InjuredAndroid](https://github.com/B3nac/InjuredAndroid) `[Android]` — 18 flag-based challenges covering exported components, Intent sniffing, Firebase misconfiguration and native library attacks. Requires local setup. [Beginner–Intermediate]
- **AndroGoat** — [github.com/satishpatnayak/AndroGoat](https://github.com/satishpatnayak/AndroGoat) `[Android]` — Deliberately vulnerable Android app covering the OWASP Mobile Top 10 risk categories. Suitable for systematic testing practice. [Beginner–Intermediate]
- **DIVA (Damn Insecure and Vulnerable App)** — [github.com/payatu/diva-android](https://github.com/payatu/diva-android) `[Android]` — 13 challenges covering insecure logging, hardcoded keys, insecure data storage and input validation flaws. The classic starting point. [Beginner]
- **Android Application Exploitation Challenges** — [academy.8ksec.io](https://academy.8ksec.io/course/android-application-exploitation-challenges) `[Android]` — Challenge set covering exported component abuse, Intent hijacking, WebView exploitation and ContentProvider attacks. Free. [Intermediate]
- **Hacking Android Games** — [8ksec.io/hacking-android-games](https://8ksec.io/hacking-android-games/) `[Android]` — Memory scanning, Frida-based game hacking and native library instrumentation using real game examples. [Intermediate]
### iOS Challenges
- **DVIA v2 (Damn Vulnerable iOS Application)** — [github.com/prateek147/DVIA-v2](https://github.com/prateek147/DVIA-v2) `[iOS]` — Deliberately vulnerable iOS app covering all OWASP Mobile Top 10 risk categories. Requires a jailbroken device or Corellium. [Intermediate]
- **iGoat-Swift** — [github.com/OWASP/iGoat-Swift](https://github.com/OWASP/iGoat-Swift) `[iOS]` — OWASP-maintained vulnerable Swift app with 21 exercises covering Keychain misuse, insecure data storage, authentication bypass and binary protections. [Beginner–Intermediate]
- **iOS Application Exploitation Challenges** — [academy.8ksec.io](https://academy.8ksec.io/course/ios-application-exploitation-challenges) `[iOS]` — Challenge set covering jailbreak detection bypass, Frida-based runtime analysis and Objective-C/Swift hooking. Free. [Intermediate]
### CTF Platforms
- **HackTheBox** — [hackthebox.com](https://www.hackthebox.com) `[Android]` `[iOS]` — The free tier includes mobile challenges (Android APK reversing, iOS app analysis). A Pro subscription unlocks the full library. [Intermediate–Advanced]
- **CTFTime** — [ctftime.org](https://ctftime.org) — Aggregates all active and past CTFs worldwide. Filter by the “mobile” category or search write-ups of past Android/iOS challenges. [Intermediate]
- **Google CTF Archive** — [capturetheflag.withgoogle.com](https://capturetheflag.withgoogle.com) — Archive of past Google CTF challenges, runnable online. Android APK reversing challenges appear regularly. [Intermediate–Advanced]
- **8kSec Battlegrounds** — [8ksec.io/battle](https://8ksec.io/battle/) `[Android]` `[iOS]` — Live exploitation challenges covering Android component attacks, iOS runtime analysis and ARM exploitation. Free. [Intermediate–Advanced]
### ARM Exploitation
- **pwn.college** — [pwn.college](https://pwn.college) `[ARM]` — Free browser-based ARM exploitation course. Covers shellcode, ROP and heap exploitation in a guided environment. Directly applicable to Android native code and kernel exploit development. [Intermediate–Advanced]
- **Azeria Labs ARM Exploitation** — [azeria-labs.com/writing-arm-assembly-part-1](https://azeria-labs.com/writing-arm-assembly-part-1/) `[ARM]` — Free ARM assembly and exploitation tutorial series. The standard introduction for newcomers to ARM security research. [Beginner–Intermediate]
- **ARM Exploitation Challenges** — [academy.8ksec.io](https://academy.8ksec.io/course/arm-exploitation-challenges) `[ARM]` — Challenge set covering stack overflows, heap corruption and ROP chain construction. Free. [Intermediate–Advanced]