Android + iOS · OWASP MASTG v1.7 aligned

See what your mobile app is leaking.

intjector is a one-click security scanner for Android APKs and iOS IPAs. Static analysis plus an embedded Frida runtime — deep-link fuzzing, shared-preferences & keychain dumps, SSL pinning bypass, WebView bridge taps — all driven from a browser UI.

Works with rooted and non-rooted Android devices, and with jailbroken iOS devices or re-signed iOS builds that carry the Frida Gadget.

intjector dashboard preview

What's inside

Two engines — static and dynamic — covering both platforms, mapped directly to MASTG categories.

Android · APK surface

  • DEX + native library scan, obfuscation & packer detection, embedded secrets.
  • Manifest review — exported activities / services / receivers, permission audit, android:debuggable, networkSecurityConfig.
  • Deep-link & intent filters — scheme collision, parseUri / intent-redirect, App Links (assetlinks.json) verification.
  • WebView hardening — setJavaScriptEnabled, @JavascriptInterface bridges, file-access flags, mixed content.
  • Content providers & FileProvider — exported paths, grantUriPermissions, path-traversal sinks.
  • Crypto & storage — weak cipher / IV reuse, hard-coded keys, SharedPreferences & SQLite without encryption.
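The manifest review above (exported components, android:debuggable, cleartext, deep-link filters) can be reproduced offline against a decoded manifest. The script below is an added example and not intjector's code; the manifest it parses is constructed for the example, and the "exported by default when an intent-filter is present" rule is the pre-targetSdk-31 behaviour.

```python
"""Offline audit of a decoded AndroidManifest.xml: exported components,
debuggable flag, cleartext traffic, and deep-link filters.
Added example, not intjector's code; the manifest below is constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def attr(name):
    """ElementTree key for an android: attribute."""
    return "{%s}%s" % (ANDROID_NS, name)


# Constructed sample: a debuggable app that allows cleartext, exports a
# deep-link activity, an implicitly exported receiver, and a permission-
# protected provider.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bank">
  <application android:debuggable="true" android:usesCleartextTraffic="true">
    <activity android:name=".LoginActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="bank" android:host="open"/>
      </intent-filter>
    </activity>
    <receiver android:name=".SyncReceiver">
      <intent-filter><action android:name="com.example.bank.SYNC"/></intent-filter>
    </receiver>
    <service android:name=".InternalService" android:exported="false"/>
    <provider android:name=".DataProvider" android:authorities="com.example.bank.data"
        android:exported="true" android:permission="com.example.bank.READ"/>
  </application>
</manifest>"""


def is_exported(component):
    """Effective exported state: an explicit android:exported wins; without it,
    a component that declares an <intent-filter> is exported by default
    (targetSdk 31+ rejects that combination at install time, so there only
    the explicit attribute matters)."""
    explicit = component.get(attr("exported"))
    if explicit is not None:
        return explicit == "true"
    return component.find("intent-filter") is not None


def audit_manifest(xml_text):
    """Return (severity, location, message) tuples in document order."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    findings = []
    if app.get(attr("debuggable")) == "true":
        findings.append(("HIGH", "application", "android:debuggable=true"))
    if app.get(attr("usesCleartextTraffic")) == "true":
        findings.append(("MEDIUM", "application", "android:usesCleartextTraffic=true"))
    for tag in ("activity", "activity-alias", "service", "receiver", "provider"):
        for comp in app.findall(tag):
            where = "%s %s" % (tag, comp.get(attr("name")))
            if not is_exported(comp):
                continue
            if comp.get(attr("permission")) is None:
                findings.append(("MEDIUM", where, "exported without a permission"))
            # Every <data android:scheme> on an exported component is a
            # deep-link entry point worth fuzzing.
            for data in comp.iter("data"):
                scheme = data.get(attr("scheme"))
                if scheme:
                    host = data.get(attr("host"), "")
                    findings.append(("INFO", where, "deep link %s://%s" % (scheme, host)))
    return findings


if __name__ == "__main__":
    for sev, where, msg in audit_manifest(SAMPLE_MANIFEST):
        print("%-6s %-28s %s" % (sev, where, msg))
```

Run it on the output of `apktool d` (or any tool that decodes the binary manifest to text); the provider is left out of the "exported without a permission" list because it names an android:permission, which is the distinction the finding is meant to draw.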

iOS · IPA surface

  • Mach-O inspection — PIE / ARC / stack canary, Swift reflection, embedded .mobileprovision & certs.
  • Info.plist & entitlements — ATS exceptions, keychain-access-group wildcards, associated-domains, URL schemes.
  • Universal Links — live AASA fetch, path wildcards, subdomain takeover checks.
  • WKWebView / deep link handlers — JS bridges, navigation delegate, continueUserActivity:, OAuth redirect hijack.
  • App Extensions (.appex) — privileged extension points, TRUEPREDICATE activation, full-access keyboards.
  • Keychain & storage — accessibility class audit, SQLCipher / Realm encryption, pasteboard exposure.
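The App Links check in the Android list (assetlinks.json) and the Universal Links check above (AASA path wildcards) both reduce to parsing a well-known document and evaluating it against the app's identity. The following is an added example, not intjector's code, that does that evaluation offline on documents you have already fetched; both documents and the certificate fingerprint are constructed for the example.

```python
"""Offline verification of the two link-association documents: Android
assetlinks.json (App Links) and the iOS apple-app-site-association
(Universal Links). Added example, not intjector's code; both documents and
the fingerprint below are constructed."""
import fnmatch
import json

HANDLE_ALL_URLS = "delegate_permission/common.handle_all_urls"

# Constructed https://bank.example/.well-known/assetlinks.json
ASSETLINKS = json.loads("""[
  {"relation": ["delegate_permission/common.handle_all_urls"],
   "target": {"namespace": "android_app",
              "package_name": "com.example.bank",
              "sha256_cert_fingerprints":
                ["14:6D:E9:83:C5:73:06:50:D8:EE:B9:95:2F:34:FC:64:16:A0:83:42:E6:1D:BE:A8:8A:04:96:B2:3F:CF:44:E5"]}}
]""")

# Constructed https://bank.example/.well-known/apple-app-site-association
AASA = json.loads("""{
  "applinks": {"details": [
    {"appIDs": ["ABCDE12345.com.example.bank"],
     "components": [
       {"/": "/admin/*", "exclude": true},
       {"/": "/open/*"},
       {"/": "*", "comment": "catch-all, too broad"}
     ]}
  ]}
}""")


def assetlinks_grants(doc, package_name, signing_sha256):
    """True if a statement delegates handle_all_urls to package_name signed
    with signing_sha256 (fingerprints compared without colons, ignoring case)."""
    want = signing_sha256.replace(":", "").lower()
    for stmt in doc:
        if HANDLE_ALL_URLS not in stmt.get("relation", []):
            continue
        target = stmt.get("target", {})
        if target.get("namespace") != "android_app" or target.get("package_name") != package_name:
            continue
        fingerprints = [f.replace(":", "").lower()
                        for f in target.get("sha256_cert_fingerprints", [])]
        if want in fingerprints:
            return True
    return False


def aasa_rules(doc, app_id):
    """[(path_pattern, excluded)] for app_id in document order, from both the
    'components' form and the legacy 'paths' form ('NOT ' prefix = exclusion)."""
    rules = []
    for detail in doc.get("applinks", {}).get("details", []):
        ids = list(detail.get("appIDs", []))
        if "appID" in detail:
            ids.append(detail["appID"])
        if app_id not in ids:
            continue
        for comp in detail.get("components", []):
            rules.append((comp.get("/", "*"), bool(comp.get("exclude", False))))
        for path in detail.get("paths", []):
            if path.startswith("NOT "):
                rules.append((path[4:], True))
            else:
                rules.append((path, False))
    return rules


def universal_link_handled(doc, app_id, path):
    """First matching rule decides, as iOS evaluates them. Apple's wildcards
    are '*' and '?', which fnmatch covers (fnmatch also accepts [...] classes,
    which real AASA files do not use)."""
    for pattern, excluded in aasa_rules(doc, app_id):
        if fnmatch.fnmatchcase(path, pattern):
            return not excluded
    return False


def overly_broad_rules(doc, app_id):
    """Non-excluded patterns that hand every path on the domain to the app."""
    return [p for p, excluded in aasa_rules(doc, app_id)
            if not excluded and p.strip("/") in ("", "*")]
```

Feed `assetlinks_grants` the SHA-256 of the signing certificate you get from `apksigner verify --print-certs`; a mismatch there is why App Links silently fall back to the disambiguation dialog. For the AASA side, the rule order matters: an `exclude` entry only protects a path if it appears before a broader pattern that would otherwise claim it.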

Runtime instrumentation

Live Frida session

A persistent Frida session (Python on the host, a JavaScript agent inside the target) stays attached for the entire engagement. Install hooks, drain events, re-query: state survives between UI actions instead of a fresh session being spawned per call. An active-jobs panel lists every live hook / override / monitor / bypass in one place, and one click kills any of them.

Secret stores

Android — walk SharedPreferences, EncryptedSharedPreferences, SQLite databases, and Keystore aliases.

iOS — dump every keychain item the process can see (GenericPassword, InternetPassword, Certificate, Key, Identity) with the full attribute dictionary.

Sandbox filesystem browser

Navigate the app sandbox from the browser. Inline preview for any file under 4 MB with UTF-8 auto-decode.

Android — /data/data/<pkg>/ with files, databases, cache, shared_prefs.

iOS — bundle, Documents, Library, Caches, Preferences, tmp.

Cookies & preferences

Android — dump every SharedPreferences XML under the data directory plus WebView cookie store.

iOS — enumerate NSHTTPCookieStorage (name, value, domain, path, flags) and NSUserDefaults.dictionaryRepresentation.

Class / method probe + set return value

List every ObjC or Java class, filter by name, click through to see its methods. Inline set return value editor on every method — force true / false / 0 / 1 / null / any literal without writing a Frida script. Type-aware coercion handles boolean, int, long, String. Neutralise isJailbroken / isRooted / isDebuggerConnected in one click.

Pattern watch

Wildcard hook against thousands of methods at once. Type *Login*!*auth* (Android) or *[*Login* *isLoggedIn] (iOS) and a tracing hook installs on every match. Args + return values stream into the live event timeline; one install becomes one job, kill restores all hooks atomically.
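To make the two pattern grammars concrete, here is an added example (not intjector's code) that expands a pattern-watch glob into the concrete methods it would hook, following the same class!method (Java) and [-+*][Class selector] (ObjC) conventions frida-trace uses. The method inventories are constructed stand-ins for what a live session enumerates; note that the glob is case-sensitive, so `*auth*` and `*Auth*` hit different methods.

```python
"""Expand a pattern-watch glob into the concrete methods it would hook, using
the class!method (Java) and -[Class selector] (ObjC) grammar of frida-trace.
Added example, not intjector's code; the inventories below are constructed."""
import fnmatch

# (class, method) pairs as a loaded-class walk would return them; constructed.
JAVA_METHODS = [
    ("com.example.auth.LoginManager", "authenticate"),
    ("com.example.auth.LoginManager", "logout"),
    ("com.example.ui.LoginActivity", "onAuthFailed"),
    ("com.example.ui.LoginActivity", "onCreate"),
    ("com.example.net.ApiClient", "authHeader"),
]

# (kind, class, selector) triples as ObjC.classes enumeration would return
# them; kind is "-" for instance methods and "+" for class methods. Constructed.
OBJC_METHODS = [
    ("-", "LoginViewController", "isLoggedIn"),
    ("+", "LoginManager", "isLoggedIn"),
    ("-", "SessionStore", "isLoggedIn"),
    ("-", "LoginManager", "logout"),
]


def parse_java_pattern(pattern):
    """'Class!method' glob; an omitted side means '*'."""
    cls, _, meth = pattern.partition("!")
    return cls or "*", meth or "*"


def parse_objc_pattern(pattern):
    """'-[Class sel]', '+[Class sel]' or '*[Class sel]' (either kind)."""
    if (len(pattern) < 4 or pattern[0] not in "-+*" or pattern[1] != "["
            or not pattern.endswith("]")):
        raise ValueError("expected [-+*][Class selector], got %r" % pattern)
    cls, _, sel = pattern[2:-1].partition(" ")
    return pattern[0], cls or "*", sel or "*"


def match_java(pattern, methods=JAVA_METHODS):
    """Every (class, method) the Java pattern would install a hook on."""
    cls_glob, meth_glob = parse_java_pattern(pattern)
    return [(c, m) for c, m in methods
            if fnmatch.fnmatchcase(c, cls_glob) and fnmatch.fnmatchcase(m, meth_glob)]


def match_objc(pattern, methods=OBJC_METHODS):
    """Every (kind, class, selector) the ObjC pattern would install a hook on."""
    kind, cls_glob, sel_glob = parse_objc_pattern(pattern)
    return [(k, c, s) for k, c, s in methods
            if (kind == "*" or k == kind)
            and fnmatch.fnmatchcase(c, cls_glob) and fnmatch.fnmatchcase(s, sel_glob)]


if __name__ == "__main__":
    for hit in match_java("*Login*!*auth*"):
        print("java  %s.%s" % hit)
    for hit in match_objc("*[*Login* *isLoggedIn]"):
        print("objc  %s[%s %s]" % hit)
```

Dry-running a pattern this way before installing it is worth the few seconds: a glob like `*!*` over a large app expands to thousands of hooks, and the cost of each one is paid on every call.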

Heap explorer

Grab live instances of any class with Java.choose / ObjC.chooseSync. Walk fields, call zero-arg methods on the exact object in memory. Find the live LoginManager and dump its userToken; spot every WKWebView with javaScriptEnabled = true; read decoded NSURLCredentials from the heap.

URL launcher & scheme fuzzer

Send any myapp:// URL or Android intent to the running app from the UI. The scheme fuzzer tries nine built-in payloads, among them an empty URL, an open redirect, a javascript: URL, path traversal and a null byte, to find deep-link handlers that do not validate their input.

Bypasses & hooks

Android TLS bypass

Disables OkHttp CertificatePinner, Conscrypt, X509TrustManager, WebViewClient.onReceivedSslError, and Network Security Config pin sets in one step. Works even when an app uses several TLS libraries at once.

iOS SSL pinning bypass

One click installs hooks on SSL_set_verify (BoringSSL), SecTrustEvaluate / SecTrustEvaluateWithError, AFSecurityPolicy (AFNetworking), and TSKPinningValidator (TrustKit). Lets you intercept HTTPS traffic without modifying the app binary.

Root / jailbreak / biometrics bypass

Hides root and jailbreak indicators, and forces biometric checks to succeed.

Android — hides Magisk, superuser apps, su binaries, and test-keys; strips FLAG_SECURE from windows so screenshots work for evidence; observes KeyStore.load / getKey / aliases usage.

iOS — hooks NSFileManager.fileExistsAtPath:, UIApplication.canOpenURL:, and libc stat / lstat / access / fopen; replaces the reply block on LAContext.evaluatePolicy:localizedReason:reply: so Touch ID / Face ID always reports success.

Custom bypass-script generator

Reads your static-scan findings + SBOM and generates a Frida script that hooks only what this app actually uses — custom TrustManager and HostnameVerifier classes the scanner caught, app-specific su / magisk paths from bytecode strings, RootBeer if bundled, AFNetworking / TrustKit / OkHttp blocks conditional on imports. Smaller, faster, fewer false hooks. Saves to the codeshare library so the next scan of the same target opens with the right bypass.

Intent / openURL monitor

Logs every URL or IPC the app fires or receives.

Android — hooks Activity.startActivity*, Context.startActivity / startService / sendBroadcast, and BroadcastReceiver.onReceive; decomposes each Intent into action / data / extras / flags / categories / component.

iOS — hooks UIApplication.openURL:, openURL:options:completionHandler:, canOpenURL:, every application:openURL:options:, legacy sourceApplication:annotation:, and continueUserActivity:.

Crypto monitor

Captures the symmetric cipher, hash / MAC, KDF and RNG calls the app makes, with keys, IVs, plaintext and PBKDF round counts shown as hex previews in the live event timeline.

Android — hooks Cipher.init / Cipher.doFinal, Mac.doFinal, MessageDigest.digest, KeyGenerator.generateKey.

iOS — hooks CCCrypt, CCCryptorCreate, CCKeyDerivationPBKDF, SecRandomCopyBytes with full argument decoding.

WebView bridge tap

Captures every message passed from JavaScript to native.

Android — hooks @JavascriptInterface methods and evaluateJavascript callbacks.

iOS — captures userContentController:didReceiveScriptMessage: with handler name, body, frameInfo.request.URL, and isMainFrame.

Deserialization tap

Catches object-graph deserialization as it fires, so you can see where attacker-controlled input reaches a decoder.

Android — hooks Parcel, Intent.getParcelableExtra, ObjectInputStream.

iOS — instruments NSKeyedUnarchiver legacy + secure decode, NSCoder, NSXMLParser, PropertyListSerialization.

Deployment & reporting

Device & app picker

Lists every USB / network Frida device (Android & iOS) and enumerates installed apps with package / bundle-id, name, and PID. Filter, click, attach — the UI handles process spawning, script loading, and teardown.

APK repackaging

Works against any debuggable build out of the box. For release APKs it either re-signs with a debug certificate or injects Frida Gadget into lib/<abi>/, then zipaligns and re-signs the output so it installs on a non-rooted device.

IPA patcher (no jailbreak)

Unzips the IPA, copies FridaGadget.dylib into Frameworks/, adds an LC_LOAD_DYLIB command with insert_dylib --strip-codesig, removes _CodeSignature/ and embedded.mobileprovision, and repacks. Re-sign with your certificate and a matching provisioning profile, install, and attach; no jailbreak required.

Risk Signals dashboard

Every finding tagged CRITICAL / HIGH / MEDIUM / LOW, filterable by severity + search, mapped to MASTG test IDs. A "detected vs documented" toggle shows which MASTG checks actually fired on this build versus which are just part of the catalog.

MASTG alignment

Each signal links to a specific MASTG test case (MSTG-STORAGE-*, MSTG-CRYPTO-*, MSTG-NETWORK-*, MSTG-PLATFORM-*, MSTG-CODE-*, MSTG-RESILIENCE-*). The output can be used directly in a pentest report.

Exportable reports

Export findings as JSON for automation, Markdown for GitHub / Notion, or Excel (.xlsx) for client delivery. The Excel export includes a dedicated MASTG and MASVS checklist sheet with pass / fail / not-applicable status per requirement.

Browser-first UX

Everything runs in a single web UI: upload, scan, attach, patch, report. No terminal, no Frida CLI setup, no Python environment to configure. Share the URL with your team — sessions persist across users.

Who uses it

Useful for anyone working with mobile app security.

Preview

A look at the tool in action — same workflow for Android and iOS.

Live demo — scan, attach, bypass, and report from one browser tab.
Overview — scan summary at a glance.
Risk Signals — severity filter, MASTG mapping.
MASTG — detected vs documented test coverage.
MASVS — requirements mapped to findings.

Designer-grade output

The report you ship to your client.

Every scan produces a single PDF — pentest-ready, 13 sections, MASVS-mapped. Same evidence, structured for both an executive read and a technical fix-list. No separate exec summary, no template wrangling, no manual screenshotting.

Report cover — composite risk score, target metadata, signing fingerprint.

Composite score, calibrated.

Letter grade plus a 0–100 score across seven weighted deductions, calibrated against industry baselines so the client knows exactly where the bar is.

Per-finding cards, drop-in for a report.

Each finding renders with F-id → severity chip → CVSS vector → MASTG / MASVS / CWE tags → affected file:line → code snippet → reproduction steps → remediation. Copy-paste into Jira, no editing needed.

MASVS coverage rollup.

Detected-vs-documented control matrix per category. Shows your client which checks fired on this build, not just which exist in the catalog.

Overview — donut chart, business-impact table, top issues to fix first.
Findings table — every signal (F-001..F-025), severity-ordered with CVSS chips.
Per-finding card — e.g. F-001 Hardcoded HTTP basic auth: CVSS, MASTG, code snippet, reproduction, remediation.

Same data exports as JSON, Markdown, or XLSX — pick the shape your client wants.


Coming soon.

intjector is in private beta. A public build is on the way.