Mobile backends security

Mobile backends expose HTTP interfaces to clients that run in untrusted environments. The primary threat model centers on identity spoofing, data leakage, and privilege escalation across unauthenticated and authenticated paths. Public endpoints often enumerate identifiers through sequential patterns, while authenticated routes risk broken access control when tokens or keys are mishandled. Because mobile apps frequently share API surface with web and third party consumers, misconfigured security headers, exposed debug endpoints, and unsafe data exposure compound these risks.

Authentication issues are common when tokens or credentials are accepted but not validated with strict checks. The scanner inspects JWT configurations such as alg=none, weak HS256 keys, expired timestamps, missing claims, and sensitive data placed inside payloads. It also validates security headers and WWW-Authenticate compliance to ensure consistent challenge handling. Broken object level authorization (BOLA/idor) is detected through sequential ID enumeration and active adjacent ID probing, while broken function level authorization (BFLA) is surfaced via admin endpoint probing and role or permission field leakage.

Over-exposed endpoints often leak internal fields or mass assignment surfaces, enabling attackers to infer schema and tamper with payloads. Sensitive data patterns such as emails, Luhn-validated card numbers, context aware SSNs, and common API key formats (AWS, Stripe, GitHub, Slack) are flagged when observed in responses or error messages. Input validation checks include CORS wildcard usage with and without credentials, dangerous HTTP methods, and debug endpoints. The scanner also analyzes OpenAPI 3.0, 3.1, and Swagger 2.0 definitions, cross referencing spec security schemes against runtime behavior to highlight undefined security schemes, deprecated operations, and missing pagination controls.

Encryption misconfigurations such as missing HTTPS redirects, absent HSTS, and improper cookie flags are identified, alongside SSRF indicators like URL accepting parameters and body fields that reach internal IPs. Private IPs, localhost, and cloud metadata endpoints are blocked at multiple layers to avoid unintended probing. The scanner limits itself to read only methods (GET and HEAD) plus text only POST for LLM probes, and it does not execute destructive payloads. Business logic flaws and blind SSRF requiring out of band infrastructure fall outside black box scope, and remediation is advisory rather than automatic.

The scanner includes an LLM security profile with adversarial probes across quick, standard, and deep tiers. These probes target system prompt extraction, instruction override, DAN and roleplay jailbreaks, data exfiltration attempts, cost exploitation, base64 and ROT13 encoding bypasses, translation embedded injection, few shot poisoning, markdown injection, multi turn manipulation, indirect prompt injection, token smuggling, tool abuse, nested instruction injection, and PII extraction. Each probe is designed to surface model handling weaknesses without executing harmful actions.

Results map directly to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023) to help you align security controls and support audit evidence collection. The tool does not claim certification or compliance, and it does not guarantee meeting any regulatory requirements. It provides findings and remediation guidance so your team can make informed decisions and integrate scans into CI/CD gates via the CLI, GitHub Action, MCP Server, or API client.