Expand Up @@ -114,6 +114,28 @@ Notes
- Auto-Frida can auto-install `frida`/`frida-tools` if missing and supports multi-device selection.
- Generated scripts can be executed immediately or merged with your custom hooks after analysis.

## Static-first targeted Frida generation (apktool + JADX + pattern maps)

A useful workflow before attaching Frida is to **decompile first** (`apktool` for smali/resources and `jadx` for Java), then **scan both outputs for concrete protection artifacts** and generate hooks only for what is actually present. This reduces trial-and-error and avoids loading oversized universal bypass bundles.

Typical detections worth mapping to hook groups:
- **Root / anti-instrumentation**: `su` and BusyBox path checks, Magisk/SuperSU packages, `Build.TAGS`, `ro.secure`, `ro.debuggable`, RootBeer/RootTools, Frida/Xposed self-detection, emulator heuristics, APK signature/tamper checks, SafetyNet / Play Integrity calls.
- **TLS pinning**: OkHttp `CertificatePinner`, custom `X509TrustManager`, custom `HostnameVerifier`, `network_security_config`, TrustKit, WebView SSL handlers, `HttpsURLConnection`, gRPC/Cronet/Conscrypt, Firebase/GMS TLS, public-key pinning, certificate-transparency checks.

Practical use:
```bash
apktool d app.apk -o apktool_out
jadx app.apk -d jadx_out
frida -U -f com.target.app -l frida/master_bypass.js --no-pause
```

Why this is useful:
- **Targeted hooks** are usually more stable than universal scripts because each overload can be chosen from the matched implementation.
- The report from the static scan tells you **which bypass family failed** (file/package/build-prop/root-library/TrustManager/CertificatePinner/etc.) so you can extend only that part.
- If the scan flags **native JNI root checks** or **native TLS pinning**, expect Java hooks to be incomplete and pivot early to native tracing/patching (`JNI_OnLoad`, exported JNI methods, BoringSSL callbacks).

Example tooling following this model: **APKShield-PT** generates `master_bypass.js`, `root_bypass.js`, `ssl_bypass.js`, `safetynet_bypass.js`, and `frida_detection_bypass.js` from the protections found in the APK instead of guessing blindly.

## Step 3 — Bypass init-time detectors by attaching late

Many detections only run during process spawn/onCreate(). Spawn‑time injection (-f) or gadgets get caught; attaching after UI loads can slip past.
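Review bot: The "Practical use" block skips the step this section is actually about. The heading promises decompile, then scan both outputs for protection artifacts, then generate hooks, but the three commands go straight from `jadx app.apk -d jadx_out` to `frida ... -l frida/master_bypass.js`, and nothing says where `frida/master_bypass.js` comes from until the APKShield-PT paragraph three sub-sections later. Please either insert the tool's scan/generate invocation between the decompile and the Frida lines, or at minimum label the path as "generated by APKShield-PT from `apktool_out`/`jadx_out`" so a reader does not assume the file ships with this repo. Two smaller points on the same block: it uses spawn-mode `-f com.target.app` while the very next step ("Step 3 — Bypass init-time detectors by attaching late") says spawn-time injection with `-f` gets caught and recommends attaching after the UI loads, so the example contradicts the guidance that follows it; a one-line note that `-f` is the first attempt and late attach is the fallback would resolve that. And `--no-pause` was removed in the frida-tools 12 / Frida 16 line (spawned processes now resume by default and `--pause` is the opt-in), so the command should state which Frida version it was written against.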
Expand Down Expand Up @@ -477,6 +499,7 @@ Notes
- [Magisk](https://github.com/topjohnwu/Magisk)
- [Medusa (Android Frida framework)](https://github.com/Ch0pin/medusa)
- [Auto-Frida (Android Frida automation toolkit)](https://github.com/ommirkute/Auto-Frida)
- [APKShield-PT](https://github.com/Whitehat987/apkshield-pt)
- [Build a Repeatable Android Bug Bounty Lab: Emulator vs Magisk, Burp, Frida, and Medusa](https://www.yeswehack.com/learn-bug-bounty/android-lab-mobile-hacking-tools)
- [phantom-frida (stealth Frida server builder)](https://github.com/TheQmaks/phantom-frida)
- [Frida OkHttp4 SSL pinning bypass script](https://github.com/Zero3141/Frida-OkHttp-Bypass)
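Review bot: The new reference entry is missing the parenthetical description every neighbouring entry carries ("Medusa (Android Frida framework)", "Auto-Frida (Android Frida automation toolkit)", "phantom-frida (stealth Frida server builder)"). Suggest `- [APKShield-PT (static-scan-driven Frida bypass script generator)](https://github.com/Whitehat987/apkshield-pt)` so the list stays self-describing and the link back to the "Static-first targeted Frida generation" section added in this same PR is obvious from the references alone.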