What starting position does this attack require?

The first step is Map the authenticated API (W-RECON-API-DISCO) — a reconnaissance primitive. Assumed environment: tester has the APK + a rooted Android device (or emulator) with frida-server running.

What is the final impact of this kill-chain?

The final step lands on Bypass SSL pinning (MOB-SSL-PINNING-BYPASS), which falls under Defense Evasion. From here, an operator typically pivots into post-exploitation or maintains persistence.

How can defenders detect or prevent this attack?

Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

← RegistryDossier · 6 steps · 5 edges

Approved

Root detection + SSL pinning bypass → MITM the API

Rooted test device with Frida. Hook the app's root-detection and OkHttp CertificatePinner; route traffic through Burp to expose the entire authenticated API surface.

Filed by AD Knowledge BasePublished 2026-05-26

§ Kill-chainDrag · zoom · scroll

Reconnaissance

Map the authenticated API

W-RECON-API-DISCO · API Endpoint Discovery

Privilege Escalation

Exploit web-class vulns on the mobile API

W-BOLA · Broken Object Level Authorization (API BOLA)

Reconnaissance

Pull APK + reverse with jadx

MOB-APK-REVERSE · APK Reverse Engineering

Credential Access

Route traffic via Burp

T1557 · Adversary-in-the-Middle

Defense Evasion

Bypass root detection

MOB-ROOT-DETECT-BYPASS · Android Root Detection Bypass

frida -U -f <pkg> -l fridantiroot.js

Defense Evasion

Bypass SSL pinning

MOB-SSL-PINNING-BYPASS · SSL / Certificate Pinning Bypass

objection --gadget <pkg> explore → android sslpinning disable

§ Context

Assumed environment: tester has the APK + a rooted Android device (or emulator) with frida-server running. The app implements root detection and certificate pinning that block out-of-the-box MITM.

§ Steps

01
Map the authenticated APIReconnaissance
W-RECON-API-DISCO— API Endpoint Discovery
02
Exploit web-class vulns on the mobile APIPrivilege Escalation
W-BOLA— Broken Object Level Authorization (API BOLA)
03
Pull APK + reverse with jadxReconnaissance
MOB-APK-REVERSE— APK Reverse Engineering
04
Route traffic via BurpCredential Access
T1557— Adversary-in-the-Middle
05
Bypass root detectionDefense Evasion
MOB-ROOT-DETECT-BYPASS— Android Root Detection Bypass
frida -U -f <pkg> -l fridantiroot.js
06
Bypass SSL pinningDefense Evasion
MOB-SSL-PINNING-BYPASS— SSL / Certificate Pinning Bypass
objection --gadget <pkg> explore → android sslpinning disable

§ References

T1557Adversary-in-the-Middle

§ Frequently asked

What is the "Root detection + SSL pinning bypass → MITM the API" attack path?: Rooted test device with Frida. Hook the app's root-detection and OkHttp CertificatePinner; route traffic through Burp to expose the entire authenticated API surface. It chains 6 steps drawn from real-world offensive-security techniques.
What starting position does this attack require?: The first step is Map the authenticated API (W-RECON-API-DISCO) — a reconnaissance primitive. Assumed environment: tester has the APK + a rooted Android device (or emulator) with frida-server running.
What is the final impact of this kill-chain?: The final step lands on Bypass SSL pinning (MOB-SSL-PINNING-BYPASS), which falls under Defense Evasion. From here, an operator typically pivots into post-exploitation or maintains persistence.
How can defenders detect or prevent this attack?: Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

§ Related dossiers

Shared techniques2
GraphQL introspection → BOLA → mass enum
GraphQL endpoint exposes its full schema. Discover an unauth'd or under-authorized resolver, enumerate every user's data by iterating IDs.

§ Context

§ Steps

§ References

§ Frequently asked

§ Related dossiers

GraphQL introspection → BOLA → mass enum