intjector.

Android + iOS · OWASP MASTG v1.7 aligned

See what your mobile app is leaking.

intjector is a one-click security scanner for Android APKs and iOS IPAs. Static analysis plus an embedded Frida runtime — deep-link fuzzing, shared-preferences & keychain dumps, SSL pinning bypass, WebView bridge taps — all driven from a browser UI.

See what it does Preview the UI

Works with rooted and non-rooted Android devices, and with jailbroken or signed iOS builds.

intjector dashboard preview

What's inside

Two engines — static and dynamic — covering both platforms, mapped directly to MASTG categories.

AndroidAPK surface

  • DEX + native library scan, obfuscation & packer detection, embedded secrets.
  • Manifest review — exported activities / services / receivers, permission audit, android:debuggable, networkSecurityConfig.
  • Deep-link & intent filters — scheme collision, parseUri / intent-redirect, App Links (assetlinks.json) verification.
  • WebView hardening — setJavaScriptEnabled, @JavascriptInterface bridges, file-access flags, mixed content.
  • Content providers & FileProvider — exported paths, grantUriPermissions, path-traversal sinks.
  • Crypto & storage — weak cipher / IV reuse, hard-coded keys, SharedPreferences & SQLite without encryption.

iOSIPA surface

  • Mach-O inspection — PIE / ARC / stack canary, Swift reflection, embedded .mobileprovision & certs.
  • Info.plist & entitlements — ATS exceptions, keychain-access-group wildcards, associated-domains, URL schemes.
  • Universal Links — live AASA fetch, path wildcards, subdomain takeover checks.
  • WKWebView / deep link handlers — JS bridges, navigation delegate, continueUserActivity:, OAuth redirect hijack.
  • App Extensions (.appex) — privileged extension points, TRUEPREDICATE activation, full-access keyboards.
  • Keychain & storage — accessibility class audit, SQLCipher / Realm encryption, pasteboard exposure.

Runtime instrumentation

Live Frida session

A persistent Python agent stays attached to the target process over the entire engagement. Install hooks, drain events, re-query — state survives between UI actions instead of re-spawning a fresh session per call.

Secret stores

Android — walk SharedPreferences, EncryptedSharedPreferences, SQLite databases, and Keystore aliases.

iOS — dump every keychain item the process can see (GenericPassword, InternetPassword, Certificate, Key, Identity) with the full attribute dictionary.

Sandbox filesystem browser

Navigate the app sandbox from the browser. Inline preview for any file under 4 MB with UTF-8 auto-decode.

Android/data/data/<pkg>/, files, databases, caches, shared_prefs.

iOS — bundle, Documents, Library, Caches, Preferences, tmp.

Cookies & preferences

Android — dump every SharedPreferences XML under the data directory plus WebView cookie store.

iOS — enumerate NSHTTPCookieStorage (name, value, domain, path, flags) and NSUserDefaults.dictionaryRepresentation.

Class / method probe

List every ObjC or Java class, filter by name, and click through to see its methods. Useful for finding auth wrappers, crypto helpers, and jailbreak checks in obfuscated code — without opening a terminal.

URL launcher & scheme fuzzer

Send any myapp:// URL or Android intent to the running app from the UI. The scheme fuzzer tries nine built-in payloads — empty URL, open redirect, javascript:, path traversal, null-byte — to find deep-link handlers that don't validate input.

Bypasses & hooks

Android TLS bypass

Disables OkHttp CertificatePinner, Conscrypt, X509TrustManager, WebViewClient.onReceivedSslError, and Network Security Config pin sets in one step. Works even when an app uses several TLS libraries at once.

iOS SSL pinning bypass

One click installs hooks on SSL_set_verify (BoringSSL), SecTrustEvaluate / SecTrustEvaluateWithError, AFSecurityPolicy (AFNetworking), and TSKPinningValidator (TrustKit). Lets you intercept HTTPS traffic without modifying the app binary.

Root / jailbreak detection bypass

Hides root and jailbreak indicators from the app.

Android — hides Magisk, superuser apps, su binaries, and test-keys.

iOS — hooks NSFileManager.fileExistsAtPath:, UIApplication.canOpenURL:, and libc stat / lstat / access / fopen.

Deep-link logger

Logs every URL the app opens or receives.

Android — taps Intent.getData() on every exported activity and Activity.onNewIntent.

iOS — hooks UIApplication.openURL:options:, every application:openURL:options:, legacy sourceApplication:annotation:, and continueUserActivity:.

WebView bridge tap

Captures every message passed from JavaScript to native.

Android — hooks @JavascriptInterface methods and evaluateJavascript callbacks.

iOS — captures userContentController:didReceiveScriptMessage: with handler name, body, frameInfo.request.URL, and isMainFrame.

Deserialization tap

Catches unsafe class-graph reads as they fire.

Android — hooks Parcel, Intent.getParcelableExtra, ObjectInputStream.

iOS — instruments NSKeyedUnarchiver legacy + secure decode, NSCoder, NSXMLParser, PropertyListSerialization.

WebView heap walker

Finds every live WebView in memory and reports its current URL plus hardening flags.

Android — walks WebView instances, shows setJavaScriptEnabled, allowFileAccess, mixed-content mode.

iOS — uses ObjC.choose on WKWebView for javaScriptEnabled, hasOnlySecureContent, script-handler count.

Deployment & reporting

Device & app picker

Lists every USB / network Frida device (Android & iOS) and enumerates installed apps with package / bundle-id, name, and PID. Filter, click, attach — the UI handles process spawning, script loading, and teardown.

APK repackaging

Works against any debuggable build out of the box; for release APKs, re-signs with a debug cert or injects Frida Gadget into lib/<abi>/ and aligns / signs the output so it installs on a non-rooted device.

IPA patcher (no jailbreak)

Unzips an IPA, copies FridaGadget.dylib into Frameworks/, injects an LC_LOAD_DYLIB command via insert_dylib --strip-codesig, removes _CodeSignature/ and embedded.mobileprovision, and repacks. Re-sign with your cert and install — no jailbreak required.

Risk Signals dashboard

Every finding tagged CRITICAL / HIGH / MEDIUM / LOW, filterable by severity + search, mapped to MASTG test IDs. A "detected vs documented" toggle shows which MASTG checks actually fired on this build versus which are just part of the catalog.

MASTG alignment

Each signal links to a specific MASTG test case (MSTG-STORAGE-*, MSTG-CRYPTO-*, MSTG-NETWORK-*, MSTG-PLATFORM-*, MSTG-CODE-*, MSTG-RESILIENCE-*). The output can be used directly in a pentest report.

Exportable reports

Export findings as JSON for automation, Markdown for GitHub / Notion, or Excel (.xlsx) for client delivery. The Excel export includes a dedicated MASTG and MASVS checklist sheet with pass / fail / not-applicable status per requirement.

Browser-first UX

Everything runs in a single web UI: upload, scan, attach, patch, report. No terminal, no Frida CLI setup, no Python environment to configure. Share the URL with your team — sessions persist across users.

Who uses it

Useful for anyone working with mobile app security.

Preview

A look at the tool in action — same workflow for Android and iOS.

intjector live demo
Live demo — scan, attach, bypass, and report from one browser tab.
Overview dashboard
Overview — scan summary at a glance.
Risk signals
Risk Signals — severity filter, MASTG mapping.
MASTG test coverage
MASTG — detected vs documented test coverage.
MASVS mapping
MASVS — requirements mapped to findings.

Coming soon.

intjector is in private beta. A public build is on the way.