
Mobile Platform Security — Android, iOS, macOS.

Per-platform attack surface and skills reference: Android permission model and APK static/dynamic attacks, iOS entitlement reasoning, macOS TCC and codesign.

Android — attack surface review

  • APK unpacking. apktool d app.apk for resources + smali; jadx-gui app.apk for decompiled Java. Read AndroidManifest.xml first — exported activities, services, providers, receivers are entry points.
  • Permission model. Dangerous permissions (CAMERA, LOCATION, READ_SMS) need runtime grant on API 23+. Look for checkSelfPermission + early-return logic; missing checks = bypass.
  • Exported components. android:exported="true" without intent-filter permission = callable from any installed app. drozer console connect, run app.activity.start --component pkg cls.
  • Insecure deep links. Custom scheme + WebView loadUrl on intent extras = local file read or arbitrary URL load. Check for file:// handling.
  • Network security config. res/xml/network_security_config.xml: cleartextTrafficPermitted, custom trust anchors, certificate pinning. Defender's first hardening.
  • SSL pinning bypass. Frida script frida -U -l ssl-pinning-bypass.js -f pkg, or objection -g pkg explore followed by android sslpinning disable.
  • Root detection bypass. Same Frida toolchain — hook RootBeer, SafetyNet, or per-app heuristics.
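The manifest read and the network-security-config check above are the first two static steps of an Android review. The script below is an added example, not part of this reference: it parses an apktool-decoded AndroidManifest.xml, reports requested dangerous permissions and components that are exported without an android:permission guard (including the pre-targetSdk-31 implicit export that an intent-filter triggers), and flags cleartext allowances and user-CA trust in network_security_config.xml. Both sample files are constructed for the example, and the pin digest is a dummy value.

```python
"""Static triage of apktool output: the manifest read and the network_security_config
check described above. Added example, not part of this reference; both sample files
are constructed and the pin digest is a dummy value."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# Runtime-granted ("dangerous") permissions named above; extend as needed.
DANGEROUS = {"android.permission.CAMERA", "android.permission.READ_SMS",
             "android.permission.ACCESS_FINE_LOCATION"}
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")

def a(attr):
    """Qualified name of an android:* attribute as ElementTree reports it."""
    return "{%s}%s" % (ANDROID_NS, attr)

def is_launcher(elem):
    """The MAIN activity is exported by design; skip it to cut noise."""
    return any(act.get(a("name")) == "android.intent.action.MAIN"
               for act in elem.iter("action"))

def is_exported(elem, target_sdk):
    exported = elem.get(a("exported"))
    if exported is not None:
        return exported == "true"
    # No explicit attribute. Before targetSdk 31 an activity, service or receiver
    # with an intent-filter is exported by default; API 31+ rejects the omission
    # at install time. Providers are treated as not exported here.
    if elem.tag == "provider":
        return False
    return target_sdk < 31 and elem.find("intent-filter") is not None

def audit_manifest(xml_text, target_sdk=None):
    """Return (kind, detail) findings. Pass target_sdk when apktool has moved
    <uses-sdk> into apktool.yml and the manifest no longer carries it."""
    root = ET.fromstring(xml_text)
    pkg = root.get("package", "?")
    if target_sdk is None:
        sdk = root.find("uses-sdk")
        target_sdk = int(sdk.get(a("targetSdkVersion"), "1")) if sdk is not None else 1
    findings = []
    for perm in root.findall("uses-permission"):
        if perm.get(a("name")) in DANGEROUS:
            findings.append(("dangerous-permission", perm.get(a("name"))))
    app = root.find("application")
    for tag in COMPONENT_TAGS:
        for comp in ([] if app is None else app.findall(tag)):
            if is_launcher(comp):
                continue
            if is_exported(comp, target_sdk) and comp.get(a("permission")) is None:
                findings.append(("exported-unguarded",
                                 "%s %s/%s" % (tag, pkg, comp.get(a("name"), "?"))))
    return findings

def audit_network_config(xml_text):
    """Flag cleartext allowances and trust in the user-installed CA store."""
    root = ET.fromstring(xml_text)
    findings = []
    for node in root.iter():
        if node.tag in ("base-config", "domain-config") and \
                node.get("cleartextTrafficPermitted") == "true":
            findings.append(("cleartext-permitted", node.tag))
        if node.tag == "certificates" and node.get("src") == "user":
            findings.append(("user-ca-trusted", "trust-anchors"))
    return findings

# Constructed sample: targetSdk 30, so DeepLinkActivity is exported by default.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo">
  <uses-sdk android:minSdkVersion="23" android:targetSdkVersion="30"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:networkSecurityConfig="@xml/network_security_config">
    <activity android:name=".MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <activity android:name=".DeepLinkActivity">
      <intent-filter><action android:name="android.intent.action.VIEW"/>
                     <data android:scheme="demo"/></intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.demo.permission.SYNC"/>
    <receiver android:name=".BootReceiver" android:exported="false"/>
  </application>
</manifest>"""

SAMPLE_NET_CONFIG = """<network-security-config>
  <base-config cleartextTrafficPermitted="true">
    <trust-anchors><certificates src="system"/><certificates src="user"/></trust-anchors>
  </base-config>
  <domain-config>
    <domain includeSubdomains="true">api.example.com</domain>
    <pin-set><pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin></pin-set>
  </domain-config>
</network-security-config>"""

if __name__ == "__main__":
    for kind, detail in audit_manifest(SAMPLE_MANIFEST) + audit_network_config(SAMPLE_NET_CONFIG):
        print("%-20s %s" % (kind, detail))
```

Run it against the apktool output directory of the app under review; the guarded SyncService in the sample is deliberately not reported, because an android:permission attribute is exactly the check the exported-component bullet asks for. Re-running with target_sdk=31 drops the DeepLinkActivity finding, which shows why the targetSdk matters when the exported attribute is absent.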

Android — defense in apps

  • R8/ProGuard with custom rules. Default rules don't shrink — symbolic info still leaks. Custom -keep + -renamesourcefileattribute.
  • Integrity checks. Multi-source verification: signature check + native-code anchor + remote attestation (Play Integrity API).
  • Secrets in code. Don't. EncryptedSharedPreferences + KeyStore-backed key for anything that must persist on device.
  • WebView hardening. setJavaScriptEnabled(false) unless required; setAllowFileAccess(false); setAllowUniversalAccessFromFileURLs(false).

Android — forensic acquisition modes

  • Logical pull (ADB backup). adb backup -all -shared -system. Limited to what backups expose; many apps opt out with android:allowBackup="false".
  • File-system pull (rooted). adb shell su -c 'tar -czf /sdcard/full.tgz /data/data /data/system'. Comprehensive but invasive — root may not survive next boot.
  • Physical (EDL/JTAG). Chipset-specific. Qualcomm Emergency Download Mode → firehose loader → full eMMC dump.
  • Chip-off. Desolder the eMMC and read it in a standalone reader. Destructive; the device cannot easily be returned to the evidence chain intact.

iOS

  • Entitlement model. codesign -d --entitlements - /path/to/app dumps entitlements. Anything beyond the standard set is a question to ask.
  • Sandbox. Apps confined to container; access to other-app data requires entitlement, App Groups, or shared keychain group.
  • Runtime instrumentation. frida -U -n AppName on a jailbroken device. Without a jailbreak: re-sign the IPA with the Frida gadget embedded and install via TrollStore/AltStore.
  • Static analysis. otool -L for linked frameworks; class-dump for Obj-C runtime classes; Hopper for Swift/Obj-C disassembly.
  • App Clip / URL scheme abuse. Universal Links backed by a weak apple-app-site-association (AASA) file can be hijacked.
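The entitlement bullet says anything beyond the standard set is a question to ask. The script below is an added example, not part of this reference, that turns that into a check: it loads the plist that codesign -d --entitlements - writes, lists every key outside a small baseline, attaches the question to ask for a watchlist of keys that widen data sharing or weaken the runtime, and verifies that keychain access groups stay under the app's own team prefix. The baseline and watchlist are this example's own assumptions, not an Apple-defined set, and the sample plist is constructed.

```python
"""Entitlement review for a plist saved from `codesign -d --entitlements - App.app`.
Added example, not part of this reference: the baseline and watchlist are this
example's own assumptions, not an Apple-defined set, and the plist is constructed."""
import plistlib

# Present on every signed app; not a question on their own.
BASELINE = {"application-identifier", "com.apple.developer.team-identifier", "aps-environment"}
# Keys that widen data sharing or weaken the runtime, with the question to ask.
WATCHLIST = {
    "get-task-allow": "debug build: a debugger can attach; must be absent in release",
    "keychain-access-groups": "keychain items shared with every listed group",
    "com.apple.security.application-groups": "container shared with every listed app group",
    "com.apple.developer.associated-domains": "universal links: verify each domain's AASA file",
    "com.apple.security.cs.disable-library-validation": "may load dylibs signed by other teams (macOS)",
    "com.apple.security.cs.allow-unsigned-executable-memory": "W+X memory allowed (macOS)",
}

def review_entitlements(plist_bytes):
    """Return (key, value, note) for every entitlement that needs a reviewer's eye."""
    ents = plistlib.loads(plist_bytes)
    team = ents.get("com.apple.developer.team-identifier", "")
    report = [(k, ents[k], WATCHLIST.get(k, "outside baseline: ask why it is needed"))
              for k in sorted(ents) if k not in BASELINE]
    # Keychain groups are "<TeamID>.<name>". One under another team's prefix, or a
    # wildcard, means items are reachable across that boundary.
    for group in ents.get("keychain-access-groups", []):
        if group.endswith("*") or (team and not group.startswith(team + ".")):
            report.append(("keychain-access-groups", group, "not scoped to this team's prefix"))
    return report

def release_ready(plist_bytes):
    """Quick gate for a build about to ship: no debugger-attach entitlement."""
    return not plistlib.loads(plist_bytes).get("get-task-allow", False)

# Constructed sample: a debug build sharing a keychain group with another team.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>application-identifier</key><string>ABCDE12345.com.example.demo</string>
  <key>com.apple.developer.team-identifier</key><string>ABCDE12345</string>
  <key>get-task-allow</key><true/>
  <key>keychain-access-groups</key><array>
    <string>ABCDE12345.com.example.demo</string>
    <string>ZZZZZ99999.com.partner.shared</string>
  </array>
  <key>com.apple.developer.associated-domains</key><array>
    <string>applinks:example.com</string>
  </array>
</dict></plist>"""

if __name__ == "__main__":
    for key, value, note in review_entitlements(SAMPLE_ENTITLEMENTS):
        print("%-45s %-45s %s" % (key, value, note))
    print("release ready:", release_ready(SAMPLE_ENTITLEMENTS))
```

Save the codesign output to a file and pass its bytes in; on recent macOS the same plist is available as codesign -d --entitlements :- or via the --xml flag, but the XML shape is the same.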

macOS

  • TCC. Transparency, Consent, Control. Access to Camera, Microphone, Documents, Desktop requires user-prompted grant. TCC.db at ~/Library/Application Support/com.apple.TCC/TCC.db. Bypass via tccd hijack on un-SIP'd systems.
  • Codesign mechanics. codesign --verify --verbose /path; spctl -a -v /path for Gatekeeper assessment. Notarization required for distribution outside MAS since 10.15.
  • Persistence locations. LaunchAgents (~/Library/LaunchAgents, /Library/LaunchAgents), LaunchDaemons (/Library/LaunchDaemons), Login Items, cron, periodic.
  • EndpointSecurity framework. Modern macOS EDR hooks here for process exec, file open, fork events. Successor to deprecated kauth/kext.
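
The persistence bullet lists where launchd jobs live; triaging what is there is the defender's follow-up. The script below is an added example, not part of this reference: given launchd plists collected from those directories, it summarises each job's label and program and lists the reasons it deserves a closer look (auto-start keys, root context for LaunchDaemons without UserName, an interpreter as the program, arguments pointing into user-writable paths, a com.apple.* label outside /System). The heuristics are this example's own assumptions rather than a complete rule set, and both plists are constructed.

```python
"""Launchd persistence triage for the locations listed above. Added example, not
part of this reference: the heuristics are this example's own assumptions, not a
complete rule set, and both plists are constructed."""
import plistlib
import posixpath

USER_WRITABLE = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/", "/Users/")
INTERPRETERS = {"sh", "bash", "zsh", "python", "python3", "perl", "ruby", "osascript"}

def triage_launchd_plist(path, data):
    """Summarise one job and list the reasons it deserves a closer look."""
    job = plistlib.loads(data)
    argv = job.get("ProgramArguments") or []
    program = job.get("Program") or (argv[0] if argv else "")
    reasons = []
    if job.get("RunAtLoad"):
        reasons.append("run-at-load")
    if job.get("KeepAlive"):
        reasons.append("keep-alive")
    # LaunchDaemons run as root unless UserName narrows them.
    if "/LaunchDaemons/" in path and "UserName" not in job:
        reasons.append("runs-as-root")
    if posixpath.basename(program) in INTERPRETERS:
        reasons.append("interpreter-launch")
    for arg in [program] + argv[1:]:
        if arg.startswith(USER_WRITABLE):
            reasons.append("user-writable-path:" + arg)
    label = job.get("Label", "?")
    # Apple's own jobs live under /System; a com.apple.* label elsewhere is masquerading.
    if label.startswith("com.apple.") and not path.startswith("/System/"):
        reasons.append("apple-label-outside-system")
    return {"path": path, "label": label, "program": program, "reasons": reasons}

def triage_all(plists):
    """plists: {path: bytes}. Noisiest jobs first."""
    results = [triage_launchd_plist(p, d) for p, d in plists.items()]
    return sorted(results, key=lambda r: -len(r["reasons"]))

# Constructed samples: a plain vendor daemon and a user agent worth a look.
SAMPLES = {
    "/Library/LaunchDaemons/com.example.updater.plist": b"""<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>Program</key><string>/Library/Application Support/Example/updater</string>
  <key>RunAtLoad</key><true/>
  <key>StartInterval</key><integer>3600</integer>
</dict></plist>""",
    "/Users/alice/Library/LaunchAgents/com.apple.update.helper.plist": b"""<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.update.helper</string>
  <key>ProgramArguments</key><array>
    <string>/bin/sh</string><string>-c</string><string>/Users/alice/Library/.cache/run.sh</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>""",
}

if __name__ == "__main__":
    for r in triage_all(SAMPLES):
        print(r["path"])
        print("  label=%s program=%s" % (r["label"], r["program"]))
        print("  " + (", ".join(r["reasons"]) or "nothing notable"))
```

Feed it the plists from every directory in the bullet above (a glob over ~/Library/LaunchAgents, /Library/LaunchAgents and /Library/LaunchDaemons is enough for a first pass). A vendor updater will usually score run-at-load plus runs-as-root and nothing else; the combination of interpreter launch, user-writable script path and an Apple-looking label is what should pull an analyst's attention.
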

Rule of thumb. On mobile, the attacker's biggest lever is usually a single missing check on an exported component or a single hardcoded secret. The 80/20 of mobile review is reading the manifest carefully and grepping the decompiled source for keys, tokens, and URLs.
