APK Reverse Engineering

§ Where this technique fits

§ Dossiers chaining this technique

• BLE eavesdrop + replay → smart lock open

  Smart lock uses BLE Just-Works pairing + plaintext 'unlock' opcode. Sniff once with a nRF52 in monitor mode, replay later from a $10 device.

  step 1 / 5

• WebView XSS → JS bridge → native code exec

  WebView loads partially-attacker-controlled content (e.g. injected referral param) and exposes addJavascriptInterface — XSS in the page calls the bridge to run app-level code.

  step 1 / 5

• Exported ContentProvider → private data leak

  App exports a ContentProvider for legitimate inter-app integration but forgets to enforce grantUri / signature permissions — a rogue installed app reads private auth tokens.

  step 1 / 6

• Root detection + SSL pinning bypass → MITM the API

  Rooted test device with Frida. Hook the app's root-detection and OkHttp CertificatePinner; route traffic through Burp to expose the entire authenticated API surface.

  step 1 / 6

• iOS URL scheme hijack → OAuth code theft

  Multiple apps register the same custom URL scheme — a rogue app installed alongside the target receives the OAuth callback containing the authorisation code, then exchanges it for tokens.

  step 1 / 6

• Deeplink abuse → in-app account takeover

  Exported activity registers a custom URL scheme that triggers an OAuth-style 'confirm reset' action without validating the source — phishing URL clicks reset another user's password.

  step 1 / 6

§ What commonly comes next

1. 01
   Android Deeplink / Intent Abuse

   MOB-DEEPLINK-ABUSE · Initial Access
   seen 1×
2. 02
   Android Root Detection Bypass

   MOB-ROOT-DETECT-BYPASS · Defense Evasion
   seen 1×
3. 03
   Android WebView XSS / JS Bridge

   MOB-WEBVIEW-XSS · Impact
   seen 1×
4. 04
   BLE Eavesdropping

   IOT-BLE-EAVESDROP · Credential Access
   seen 1×
5. 05
   Content Provider Data Leak

   MOB-CONTENT-PROVIDER · Collection
   seen 1×
6. 06
   iOS URL Scheme Hijack

   MOB-IOS-URL-SCHEME · Initial Access
   seen 1×