Penetration tester. Web, mobile, API, thick-client, and network engagements.
I open-source the tools I end up writing during audits, mostly to cut down the setup time on the next one. Long-form writeups on Medium.
Static and live security analysis that runs entirely in the browser. No upload, no server, no installer.
| Tool | Purpose |
|---|---|
| IPA Auditor · ipaauditor.com | iOS .ipa static analysis. Mach-O internals, entitlements, ATS, provisioning, entropy-gated secret detection. |
| APK Auditor · apkauditor.com | Android .apk static analysis. DEX bytecode parse, binary AXML decode, signing certificate, tracker SDK detection, 80+ rules tagged with CWE / OWASP MASVS. |
| ADB Auditor · adbauditor.com | Live Android audit over WebUSB and the ADB protocol. App inventory, file browser with root, shell, screen capture, MASTG-aligned security tests. |
The dynamic-analysis siblings of the static suite. These install on the device and serve an HTTPS dashboard from the phone itself; you drive it from any browser on the same network. Browse any installed app's private storage, query its databases, tail logs, drop to a root shell.
| Tool | Purpose |
|---|---|
| IOSspect · jailbroken iOS | On-device runtime audit. App bundle + data-container browser, SQLite SELECT, framework Mach-O probe, process / network tables, launchd log tail, root shell, .ipa repackage. |
| AndroidSpect · rooted Android | On-device runtime audit. /data/data browser, SQLite + SharedPreferences reader, manifest / component decode, native-lib scan, live logcat, process / socket tables, root shell. |
| Project | Description |
|---|---|
| GraphQL Grip | Burp Suite extension for auditing GraphQL endpoints (introspection, batching, depth/complexity, mutation safety). |
| BXEditor | VS Code extension that scaffolds, builds, and reloads Burp Suite extensions in-place. |
| frida-script-gen | Generator for Frida scripts covering common Android bypasses (root, SSL pinning, debugger). |
| Frida-Launcher | Android companion app that starts, stops, and monitors the on-device Frida server. |
| apk-components-inspector | Python CLI that enumerates exported components from an APK and emits ready-to-run am commands for each. |
| MobApp-Storage Inspector | Cross-platform GUI for inspecting iOS / Android app storage during a live engagement. |
| MobApp-DataExtractor | Extracts application data from iOS and Android devices for offline analysis. |
| Vuln-Down-Checker | PHP-based out-of-band interaction target for OOB / blind injection testing. |
| Cosmic Snapshot | C# thick-client walkthrough demonstrating SSL pinning bypass against a real API. |
More tooling, vulnerability demos, and research notes across the repositories above.
If any of this saves you time in an engagement, a star is appreciated.