apk-redteam-pipeline

## When to use this skill Trigger when: - Recon surfaces 1+ mobile apps under the target's developer name (Play Store dev page) - A web app hosts `*.apk` files directly (e.g. `Recruitz.apk` found on a subdomain during one engagement) - APK package IDs leaked via stealer logs (e.g. `com.<brand>.app`, `com.<brand>.<sub-brand>` patterns in stealer dump format) - Customer-facing app, dealer/partner portal, or employee mobile companion app is in scope - Bug bounty program lists Android in scope DO NOT use for: - iOS-only targets (different pipeline — IPA reverse, MobSF, frida-ios-dump) - React Native / Flutter web apps already covered by JS bundle analysis - Server-side only assessments --- ## Stage 0 — Inventory all org-owned apps ### Play Store developer-page scrape ```bash # Find developer page from the target's brand name curl -sk -A "Mozilla/5.0" "https://play.google.com/store/apps/developer?id=<Brand+Name>" -o /tmp/dev.html # Extract package IDs grep -oE 'id=[a-zA-Z0-9._]+' /tmp/dev.html | sort -u ``` Example output (anonymized — 7 packages typical for a multi-brand conglomerate): ``` com.events.<brand>build com.<corp>.<sub-brand-1> com.<corp>.<sub-brand-2> com.<corp>.<flagship> com.<corp>.<product-line-1> com.<corp>.<product-line-2> com.<corp>.<sub-brand-3> ``` ### Cross-reference with stealer logs Stealer-log format includes package names like `*@com.<corp>.<app>` — extract these from `creds_userpass.txt` if you have a leaked dump. ### Brand permutation guesses (m...