RevylAI/mobile-pentest-agent

Mobile Pentest Agent

Part of Mobile DevTools — open-source tools for mobile engineering teams.

AI-powered mobile penetration testing. Claude Code autonomously performs static analysis, exploits vulnerabilities on live cloud devices, captures screenshot evidence, and generates a full security report — all from a single prompt.

"Run a full pentest on this app" — that's it.

Demo

Android — InsecureShop (16 findings)

Claude decompiled the APK, scanned for vulnerabilities, found hardcoded credentials in source code, then logged into the live app on a cloud device to prove the exploit works:

[Screenshots: (1) Static: Hardcoded creds in source, map.put("shopuser", "!ns3csh0p"); (2) Dynamic: Entered on device; (3) Dynamic: Login success]

Full report: examples/android-insecureshop/report.md
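
The static half of this finding, a literal credential pair in decompiled source, can be caught with a small pattern check. The following is an added example, not the project's `pentest scan` implementation; the patterns, function names and the sample source (built around the `map.put` line quoted above) are assumptions for illustration.

```python
import re
from pathlib import Path

CRED_WORD = re.compile(r"passw|cred|secret|token|api_?key|login", re.I)
MAP_PUT = re.compile(r'\.put\(\s*"([^"]+)"\s*,\s*"([^"]+)"\s*\)')
ASSIGN = re.compile(r'\b(\w*(?:passw|secret|token|api_?key)\w*)\s*=\s*"([^"]+)"', re.I)
CONTEXT = 5  # preceding lines searched for a credential keyword (assumed value)

# Constructed sample built around the map.put line from the demo above.
SAMPLE = '''class Util {
    static HashMap<String, String> getUserCreds() {
        HashMap<String, String> map = new HashMap<>();
        map.put("shopuser", "!ns3csh0p");
        return map;
    }
    // String password = "old-value";
    String password = "";
    String apiKey = "k-constructed-123";
}
'''

def mask(value):
    """Keep the first character only, so the report does not leak the secret."""
    return value[0] + "*" * (len(value) - 1)

def scan_text(text, path="<memory>"):
    """Return (path, line_no, reason, masked_value) for each suspected literal."""
    findings, lines = [], text.splitlines()
    for i, line in enumerate(lines):
        if line.lstrip().startswith(("//", "*", "/*")):
            continue  # skip comment lines
        window = "\n".join(lines[max(0, i - CONTEXT): i + 1])
        m = MAP_PUT.search(line)
        if m and CRED_WORD.search(window):
            findings.append((path, i + 1, "literal pair in credential map", mask(m.group(2))))
            continue
        m = ASSIGN.search(line)
        if m:
            findings.append((path, i + 1, f"literal assigned to {m.group(1)}", mask(m.group(2))))
    return findings

def scan_tree(root):
    """Scan every .java/.kt file under a decompiled source tree."""
    out = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.suffix in {".java", ".kt"}:
            out += scan_text(p.read_text(errors="replace"), str(p))
    return out
```

Point `scan_tree` at the jadx output directory, for example the `workspace/InsecureShop_decompiled/sources` path used later on this page.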

iOS — VaultPay (13 findings)

Claude reviewed the Swift source, identified a fake authentication system, then launched a cloud iOS simulator and confirmed any credentials are accepted:

[Screenshots: (1) Login screen; (2) Fake creds entered; (3) Bypass confirmed]

Full report: examples/ios-vaultpay/report.md

How It Works

Claude Code (Opus)
  ├── pentest CLI        → Static analysis (decompile, scan, binary analysis)
  └── revyl CLI          → Dynamic analysis (cloud device: tap, type, screenshot)

1. Static Analysis — Decompile the app, extract manifest/Info.plist, scan for vulnerabilities with semgrep + grep, analyze the binary with androguard
2. Dynamic Exploitation — Upload the app to Revyl cloud, start an emulator/simulator, navigate the UI with natural language targeting, exploit vulnerabilities found in Phase 1, capture screenshot evidence
3. Report — Generate a markdown pentest report with all findings, severity ratings, evidence, and reproduction steps

The magic is in the dynamic phase — Revyl's --target flag uses AI to resolve natural language descriptions (like "Sign In button" or "Password field") to screen coordinates, so Claude can interact with any app without knowing the UI hierarchy.

Prerequisites

1. Python 3.11+ and uv

curl -LsSf https://astral.sh/uv/install.sh | sh

2. Revyl CLI

curl -fsSL https://get.revyl.ai | sh
revyl auth login
revyl doctor

Or set REVYL_API_KEY in your .env file.

3. jadx (Android APK decompilation)

brew install jadx  # macOS
jadx --version     # verify

4. Xcode (iOS .app builds — optional)

Only needed if building iOS apps from source for simulator testing. Revyl cloud simulators require .app bundles (not .ipa).

Setup

cd agents/mobile-pentest-agent
uv sync

Usage

With Claude Code (recommended)

Open this directory in Claude Code. The CLAUDE.md file gives Claude the full pentest workflow. Just tell it what to test:

Android:

"Run a full pentest on workspace/InsecureShop.apk"

iOS (from source):

"Clone VaultPay-iOS-Lab, build the .app, and run a full pentest on it"

iOS (pre-built):

"Run a full pentest on workspace/MyApp.app — it's an iOS simulator build"

Claude handles everything: decompilation, scanning, device provisioning, exploitation, and report generation.

Manual CLI Usage

# === Static Analysis ===
pentest decompile <apk_path>                # Decompile APK with jadx
pentest manifest <apk_path>                 # Parse AndroidManifest.xml
pentest ios-info <ipa_or_app_path>          # Parse Info.plist from IPA or .app
pentest scan <source_dir>                   # Semgrep + grep vulnerability scan
pentest binary <apk_path>                   # Androguard binary analysis (Android)
pentest search <pattern> <source_dir>       # Regex search source code

# === Findings ===
pentest finding add -t "title" -s high -c "category" -d "description"
pentest finding list
pentest finding clear

# === Report ===
pentest report --app-name "MyApp" --platform android

# === Dynamic Analysis (via Revyl CLI) ===
# 1. Upload app
revyl app create --name "MyApp" --platform android --json
revyl build upload --skip-build --platform android --app <app-id> --yes

# 2. Start device
revyl device start --platform android --app-id <app-id> --json

# 3. Interact (natural language targeting)
revyl device screenshot --out screenshot.png --json
revyl device tap --target "Login button" --json
revyl device type --target "username field" --text "admin" --json
revyl device swipe --direction up --json
revyl device navigate --url "myapp://deeplink" --json

# 4. Cleanup
revyl device stop --json

Example: Full Android Pentest

# Static
pentest decompile workspace/InsecureShop.apk
pentest manifest workspace/InsecureShop.apk
pentest scan workspace/InsecureShop_decompiled/sources
pentest binary workspace/InsecureShop.apk

# Upload to Revyl
revyl app create --name "InsecureShop" --platform android --json
revyl build upload --skip-build --platform android --app <app-id> --yes

# Dynamic
revyl device start --platform android --app-id <app-id> --json
revyl device screenshot --out reports/screenshots/01_initial.png --json
revyl device type --target "Email field" --text "shopuser" --json
revyl device type --target "Password field" --text '!ns3csh0p' --json
revyl device tap --target "Log in button" --json
revyl device screenshot --out reports/screenshots/02_logged_in.png --json
revyl device stop --json

# Report
pentest report --app-name "InsecureShop" --platform android

Example: Full iOS Pentest

# Build .app from source (requires Xcode)
git clone <repo> workspace/VaultPay
cd workspace/VaultPay
xcodebuild -scheme app -sdk iphonesimulator -configuration Debug \
  -derivedDataPath build ONLY_ACTIVE_ARCH=NO
# .app is in build/Build/Products/Debug-iphonesimulator/
cd ../..  # back to mobile-pentest-agent (the paths below are relative to it)

# Static (review source directly — no decompilation needed for source builds)
pentest scan workspace/VaultPay/app
pentest ios-info workspace/VaultPay/app/Info.plist

# Upload to Revyl
zip -r workspace/VaultPay.zip workspace/VaultPay/build/Build/Products/Debug-iphonesimulator/app.app
revyl app create --name "VaultPay" --platform ios --json
revyl build upload --skip-build --platform ios --app <app-id> --yes

# Dynamic
revyl device start --platform ios --app-id <app-id> --json
revyl device screenshot --out reports/screenshots/01_initial.png --json
revyl device tap --target "Sign In button" --json
# ... exploit, capture evidence ...
revyl device stop --json

# Report
pentest report --app-name "VaultPay" --platform ios

Output

reports/
├── report.md           # Pentest report with findings and evidence
├── findings.json       # Machine-readable findings
└── screenshots/        # Screenshot evidence from dynamic testing
    ├── 01_initial.png
    ├── 02_creds_entered.png
    └── ...

Architecture

CLAUDE.md                   # Pentest workflow instructions for Claude Code
pentest/
├── cli.py                  # Typer CLI entry point
├── static.py               # Static analysis (decompile, scan, manifest, binary)
├── findings.py             # Findings tracker (JSON)
└── report.py               # Markdown report generator
rules/
└── semgrep/
    └── android_security.yaml   # Custom OWASP MASTG semgrep rules
examples/
├── android-insecureshop/   # Sample Android pentest report with screenshots
└── ios-vaultpay/           # Sample iOS pentest report with screenshots

Supported Platforms

| Capability | Android | iOS |
|---|---|---|
| Static: Decompile | jadx | Source review |
| Static: Manifest/Plist | AndroidManifest.xml | Info.plist |
| Static: Vuln scan | semgrep + grep (Java/Kotlin/Swift) | semgrep + grep (Swift/ObjC) |
| Static: Binary analysis | androguard | |
| Dynamic: Cloud device | Revyl emulator | Revyl simulator |
| Dynamic: AI targeting | Natural language | Natural language |
| Dynamic: Screenshots | Yes | Yes |

Built With

  • Revyl CLI — Cloud device provisioning and AI-grounded interaction
  • Claude Code — Autonomous agent orchestration
  • jadx — Android APK decompilation
  • semgrep — AST-aware vulnerability scanning
  • androguard — Android binary analysis

License

MIT
