Skip to content

Latest commit

 

History

History
14 lines (10 loc) · 1.18 KB

File metadata and controls

14 lines (10 loc) · 1.18 KB

21. Mobile API Security

4 modules.

Module Description
mobile-cert-pinning Tests for certificate pinning bypass indicators by sending requests with mobile User-Agent strings (okhttp/3.12.0, NSURLSession/1.0) and checking if the API responds differently. Provides guidance for further testing with Frida/Objection. Severity: Low (informational guidance).
mobile-jwt-leak Tests for JWT exposure in mobile API responses by checking response headers (Authorization, X-Auth-Token, X-Token, X-Access-Token) and response body for the eyJ JWT prefix pattern. Reports Medium when JWT tokens are found in responses.
mobile-version-enforcement Tests if the mobile API enforces a minimum app version by sending requests with X-App-Version and X-Client-Version headers set to very old (1.0.0) and very new (999.0.0) values. Reports Medium when the API accepts old client versions.
mobile-endpoint-discovery Discovers mobile-specific endpoints by probing common mobile API paths (/api/v1/, /api/v2/, /mobile/, /app/, /ios/, /android/, /m/api/, /m/, /mobile/api/). Reports Info for each accessible endpoint found.

Part of the NOX Module Reference guide.