Install: claude install-skill 26zl/cybersec-toolkit
# Mobile bug bounty methodology
## 1. Get the artifact
Android APK:
```bash
# From a device: find the package name, then pull what `pm path` lists.
# Split APKs ship base.apk plus split_config.*.apk; you need all of them to rebuild or reinstall.
adb shell pm list packages | grep -i target
adb shell pm path com.target.app
adb pull /data/app/.../base.apk
# Pull every listed APK in one go (strip the "package:" prefix and CRs from adb output)
for p in $(adb shell pm path com.target.app | tr -d '\r' | sed 's/^package://'); do adb pull "$p"; done
# From APKMirror / APKPure (be sure the version matches what the program scopes)
```
iOS IPA: App Store binaries are FairPlay-encrypted, so a usable IPA needs a jailbroken device to dump the decrypted binary (`frida-ios-dump`, `flexdecrypt`) or an unencrypted development build supplied by the program.
## 2. Static analysis (Android)
```bash
# Decompile to Java-like source (writes ./jadx-out/sources and ./jadx-out/resources,
# the latter including a decoded AndroidManifest.xml)
jadx-gui base.apk                      # GUI
jadx -d ./jadx-out base.apk            # CLI
# Disassemble to smali and decode resources. Use a separate directory:
# apktool refuses to write into an existing one without -f.
apktool d base.apk -o ./apktool-out
# Manifest (aapt2 needs --file; the old aapt syntax was `aapt dump xmltree base.apk AndroidManifest.xml`)
aapt2 dump badging base.apk            # package, versions, permissions, launchable activity
aapt2 dump xmltree --file AndroidManifest.xml base.apk | head -100
# Quick wins
grep -rhoE "https?://[^\"' <>]+" ./jadx-out/sources/ | sort -u     # endpoints
grep -rniE "(api[_-]?key|secret|token|password)" ./jadx-out/sources/ # hardcoded creds (case-insensitive; expect noise)
trufflehog filesystem ./jadx-out/      # repeat for ./apktool-out/ to cover assets/ and res/raw/
```
Specifically check `AndroidManifest.xml` (the decoded copy apktool writes is the readable one) for:
- `android:exported="true"` activities/services/receivers/providers (callable by any app). Before API 31 a component with an `<intent-filter>` and no `android:exported` attribute is exported by default, so flag those too.
- `android:debuggable="true"` (massive vuln if shipped: `run-as` gives a shell as the app's UID and a debugger can attach to the process)
- Custom URL schemes (`<data android:scheme="...">`) and `http(s)` App Links: deep link attack surface
- Permissions declared (over-privilege?) and any custom `<permission>` with a weak `protectionLevel`
- `android:allowBackup="true"` (app data extractable with `adb backup`; much less useful from Android 12, where `adb backup` no longer includes data for apps targeting API 31+)
- `android:networkSecurityConfig` and `android:usesCleartextTraffic` (cleartext allowed? user-added CAs trusted? both matter for interception)
Look at `assets/` and `res/raw/` in the apktool output for embedded files (they often contain SDK keys, dev/staging URLs, and bundled config).
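A manifest triage script for the checklist above, as an added example (not from the original page or the toolkit): it runs over the decoded `AndroidManifest.xml` that apktool writes, reports the items in the list plus components that are exported implicitly because they declare an `<intent-filter>` without an `android:exported` attribute (the pre-API-31 default), and is exercised on a constructed sample manifest embedded in the script. The output directory `./apktool-out/` in the usage comment is an assumption.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): one-shot triage of the decoded
# AndroidManifest.xml that apktool writes, covering the checklist above.
# Usage: manifest_check ./apktool-out/AndroidManifest.xml   (path is an assumption)
# The sample manifest at the bottom is constructed for demonstration only.
set -eu

# manifest_check FILE
# Splits the XML on "<" so every start tag becomes one awk record (apktool
# wraps attributes across lines), then prints one finding per line:
# DEBUGGABLE, ALLOWBACKUP, CLEARTEXT, NSC, EXPORTED <type> <name>,
# IMPLICIT-EXPORTED <type> <name> (no android:exported but has an
# <intent-filter>: exported by default before API 31), SCHEME, PERM.
manifest_check() {
  awk '
    BEGIN { RS = "<" }
    # attr(NAME, LINE): value of NAME="..." in LINE, or "" if absent
    function attr(name, line,    m) {
      if (match(line, name "=\"[^\"]*\"")) {
        m = substr(line, RSTART + length(name) + 2, RLENGTH - length(name) - 3)
        return m
      }
      return ""
    }
    { gsub(/[ \t\r\n]+/, " ") }              # one tag per record, single-spaced
    /^application[ >]/ {
      if (attr("android:debuggable", $0) == "true") print "DEBUGGABLE"
      ab = attr("android:allowBackup", $0)
      if (ab == "") ab = "unset(default true)"
      if (ab != "false") print "ALLOWBACKUP " ab
      if (attr("android:usesCleartextTraffic", $0) == "true") print "CLEARTEXT usesCleartextTraffic"
      nsc = attr("android:networkSecurityConfig", $0)
      if (nsc != "") print "NSC " nsc "  (read res/xml/: cleartext? user CAs trusted?)"
    }
    /^(activity|activity-alias|service|receiver|provider)[ >]/ {
      comp = attr("android:name", $0); ex = attr("android:exported", $0); ptype = $1
      if (ex == "true") print "EXPORTED " ptype " " comp
      pending = (ex == "") ? comp : ""       # no explicit attribute: watch for an intent-filter
    }
    /^intent-filter[ >]/ {
      if (pending != "") { print "IMPLICIT-EXPORTED " ptype " " pending; pending = "" }
    }
    /^data[ >]/ {
      s = attr("android:scheme", $0)
      if (s != "" && s != "http" && s != "https") print "SCHEME " s " (" comp ")"
    }
    /^uses-permission[ >]/ { print "PERM " attr("android:name", $0) }
  ' "$1"
}

# Constructed sample manifest (not a real app) so the script runs offline.
SAMPLE_MANIFEST="$(mktemp)"
cat > "$SAMPLE_MANIFEST" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.target">
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <application android:allowBackup="true" android:debuggable="true"
        android:networkSecurityConfig="@xml/network_security_config">
        <activity android:name=".MainActivity" android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <activity android:name=".DeepLinkActivity">
            <intent-filter>
                <action android:name="android.intent.action.VIEW"/>
                <data android:scheme="targetapp" android:host="pay"/>
            </intent-filter>
        </activity>
        <activity android:name=".InternalActivity" android:exported="false"/>
        <service android:name=".SyncService" android:exported="true"/>
        <receiver android:name=".BootReceiver">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
EOF

manifest_check "$SAMPLE_MANIFEST"
```

On the sample this prints nine findings: the permission, `DEBUGGABLE`, `ALLOWBACKUP true`, the network security config reference, `.MainActivity` and `.SyncService` as explicitly exported, `.DeepLinkActivity` and `.BootReceiver` as implicitly exported through their intent filters, and the `targetapp` scheme; `.InternalActivity` is correctly silent. The awk-only approach is deliberate so it works on any box with a POSIX awk and no XML tooling; it does not understand `tools:` overrides, but the manifest apktool decodes from the APK is already the merged, built one.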
## 3. Static analysis (iOS)
```bash
# IPA is just a ZIP
unzip app.ipa -d app
# Payload/<App>.app/ holds the Mach-O binary, Info.plist and resources
ls app/Payload/*.app/
# Is the binary still FairPlay-encrypted? cryptid 1 = encrypted, 0 = decrypted
otool -l app/Payload/MyApp.app/MyApp | grep -A4 LC_ENCRYPTION_INFO
# Dump Objective-C class/method names from the binary (only works if not encrypted)
class-dump-z app/Payload/MyApp.app/MyApp
# If encrypted (FairPlay) — need decrypted dump fr