
RedOps Mobile

Mobile Penetration Testing Platform

A complete security toolkit that runs on your phone. Reconnaissance, interception, instrumentation, exploitation.

Built by Wyatt Becker
OSCP · 7 years offensive security

The phone is the pentest platform.

Mobile pentesters context-switch between a phone and a laptop full of disconnected tools — Burp, Frida CLI, jadx, a dozen terminal tabs. The intelligence lives everywhere except the device under test.

RedOps Mobile inverts that. A native Kotlin/Compose UI on the device welds to a Kali NetHunter chroot underneath — Frida, pq, JADX, radare2, and a Claude-powered agent all running locally, all driven from the same app. Decompile, scan, capture traffic, instrument with hooks, and write up findings without tethering anywhere.

91.5k lines of Kotlin
17 integrated tools
0 laptops required
// architecture — two worlds, one app
         ANDROID HOST (phone)                    NETHUNTER CHROOT (Kali ARM64)
                                                 /data/local/nhsystem/kali-arm64
  RedOps APK (Kotlin/Compose)
  ├─ PqCommandExecutor ──── su/chroot/entry ──> /root/pentest/scripts/pq
  ├─ ClaudeBridge ─────── su/chroot/entry ──> claude CLI (stream-json)
  ├─ ClaudeMdManager ──── deploys assets ──> /root/pentest/*
  │
  │  /data/local/tmp/
  │  └─ pq_wrapper.sh ──── setsid+chroot ──> android-entry → pq
  │
  │  /data/local/.cache/
  │  └─ media_session_d ← Frida server        /usr/local/bin/
     (stealth-named)                           └─ android-entry

What it does in the wild.

Three case studies driven end-to-end with RedOps Mobile — two critical engagement findings and an offensive capability demonstration on a public mobile game.

01 / 03
Critical · Full RCE · 301K users + $45K in funds compromised
Production enterprise backend · 301K users · $45K in available funds

One unauthenticated GET → 301K-user database → webshell → full host compromise.

  1. Credentials pulled from the app's SharedPreferences on the device via RedOps' data-extraction module
  2. Reused on an unauthenticated Spring Boot Admin console
  3. GET /actuator/heapdump → 260 MB of cleartext heap
  4. MySQL, Redis, and Nacos passwords inside the heap — 301K user records and $45K in available funds fully exposed
  5. Redis CONFIG SET dir /www/wwwroot + dbfilename shell.php + SAVE
  6. PHP webshell written into the BT Panel webroot → full host RCE

Credential extraction, chain reproduction, and writeup all driven from the phone. No laptop on engagement.

Discovered during an authorized pentest engagement · anonymized per NDA
Agent writeup of the full RCE chain
02 / 03
CVSS 9.8 · Zero-click · 34M+ MAU Flutter game takeover
Mass-market Flutter game · 34M+ MAU

Zero-click, persistent account takeover across a 34M-MAU Flutter game.

  1. Traffic hooked with the RedOps CDP bridge (pq attach --mitm)
  2. VPS reverse-proxied legitimate game assets while injecting malicious JS inline
  3. Plugin-bridge Frida hooks intercepted every auth flow in real time
  4. Exfiltrated Facebook OAuth tokens, Google auth codes, session JWTs, and device IDs on every launch
  5. Stolen Facebook token queried the Graph API directly from the in-app V8 context
  6. Chained as the delivery vector for a second, persistent code-injection path

Flutter nav discovery, V8 hooking, and live traffic interception orchestrated from the phone. App behavior stayed normal to the victim.

Discovered during an authorized pentest engagement · anonymized per NDA
Agent writeup of the zero-click Flutter exploit chain
03 / 03
Research · Client bypass · Full bypass on a live Unity mobile game
Idle Planet Miner · Unity / IL2CPP · public release

Every monetization mechanic on a live Unity mobile game bypassed with one runtime Frida hook.

  1. APK pulled via ADB and decompiled through the RedOps IL2CPP Dumper integration
  2. Game-economy methods identified across planet unlocks, rover rewards, credit factory, and manager quality
  3. Single Frida hook authored to patch each target method at runtime
  4. In-game overlay UI injected to expose the full cheat menu (Free Planets, Instant Probes, 100% Rover Win, 5☆ Managers, Free Station, Prestige surge DB)
  5. Loaded via pq attach — no APK repackaging, no Play Protect triggers
  6. Every bypass toggled live during gameplay with zero client-side detection

End-to-end offensive workflow — static analysis, method identification, hook authoring, live overlay injection — driven entirely from the phone.

Independent research on a publicly-released Unity mobile game · offensive capability demonstration
In-game cheat menu overlay on Idle Planet Miner

Pick Your Target

Every installed app on the device, listed with real icons and package names. Search, filter system apps, then tap to begin analysis. Everything starts here.

Target Intelligence

Automated application reconnaissance. Framework detection, multi-engine decompilation, RCE vector scanning across the full decompiled source, component enumeration, and data extraction — in one tap.

Security Analysis

Manifest inspection, exported component enumeration, and vulnerability classification. Findings are filterable by severity and actionable — send directly to the AI agent.

RedOps Agent

Every target overview is auto-loaded into a pentest-tuned Claude session. Custom discovery and reporting skills, plus an MCP server that exposes Frida, traffic capture, and pq as callable tools — with a Chrome DevTools Protocol bridge on top for web app pentesting. Chains vulnerabilities, writes exploits, documents attack paths autonomously. Both writeups in Proof above came out of sessions just like this one.

The Toolkit

Five integrated instruments for mobile security assessment. IPC monitoring, data extraction, Frida management, traffic interception, and HTTP replay.

Traffic Interception

Frida-based MITM capture with SSL bypass. Intercept every HTTP/HTTPS request, inspect headers, parameters, and response bodies in real time.

HTTP Repeater

Edit captured requests and replay them. Modify parameters, headers, request body. Inspect responses with full JSON formatting.

Dynamic Instrumentation

Stealth Frida server management, hook orchestration, and one-tap script deployment. Organize your arsenal of Frida hooks and shell scripts as favorites.

Data Extraction

Scan SharedPreferences across every installed app. Read, modify, and export preference entries. Automatic security analysis flags sensitive keys and plaintext credentials.
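The flagging logic a module like this needs is small enough to show in full. The scanner below is an added example written for this page, not the RedOps Mobile implementation: it parses one SharedPreferences XML file (the `<map>` of `<string>`, `<set>`, `<boolean>`, `<int>` entries Android writes under `/data/data/<pkg>/shared_preferences/`), and rates each entry by key name, by value shape (a JWT, a URL with embedded `user:password@`), and, for otherwise opaque values, by Shannon entropy. Only a redacted preview is kept, since findings end up in reports. The sample XML, the key names and the severity tiers are constructed for the example; reading real prefs needs root, which the NetHunter chroot has via `su`.

```python
import math
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from pathlib import Path

# Key names that usually hold credentials (assumed heuristic list, extend as needed).
SENSITIVE_KEY = re.compile(
    r"pass(?:word|wd|phrase)?|pwd|secret|token|api[_-]?key|credential|"
    r"private[_-]?key|session|auth|cookie|bearer", re.I)
CRITICAL_KEY = re.compile(r"pass|pwd|secret|private", re.I)
JWT = re.compile(r"^eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$")
URL_WITH_CREDS = re.compile(r"^[a-z][a-z0-9+.\-]*://[^/@\s]+:[^/@\s]+@", re.I)


@dataclass(frozen=True)
class PrefFinding:
    key: str
    severity: str   # "critical" | "high" | "medium"
    reason: str
    preview: str    # never the full value; findings get pasted into reports


def shannon_entropy(s: str) -> float:
    """Bits per character: random hex is about 4, random base64 higher, English prose about 3."""
    n = len(s)
    if n == 0:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def preview(value: str) -> str:
    return value[:4] + "..." if len(value) > 8 else "*" * len(value)


def classify(key: str, value: str):
    """Rate one (key, value) pair; returns a PrefFinding or None."""
    if JWT.match(value):
        return PrefFinding(key, "high", "JWT stored at rest", preview(value))
    if URL_WITH_CREDS.match(value):
        return PrefFinding(key, "critical", "URL embeds user:password", preview(value))
    if SENSITIVE_KEY.search(key):
        sev = "critical" if CRITICAL_KEY.search(key) else "high"
        return PrefFinding(key, sev, "credential-like key name", preview(value))
    # Opaque high-entropy blobs deserve a look; plain URLs and prose do not.
    if (len(value) >= 20 and "://" not in value and " " not in value
            and shannon_entropy(value) >= 3.5):
        return PrefFinding(key, "medium", "high-entropy value", preview(value))
    return None


def scan_prefs_xml(xml_doc) -> list:
    """Walk one shared_preferences/<name>.xml and return findings in file order."""
    if isinstance(xml_doc, str):
        xml_doc = xml_doc.encode("utf-8")
    findings = []
    for el in ET.fromstring(xml_doc):
        key = el.get("name", "")
        if el.tag == "string":
            values = [el.text or ""]
        elif el.tag == "set":
            values = [child.text or "" for child in el]
        else:
            continue  # boolean/int/long/float entries cannot hold a credential
        for v in values:
            f = classify(key, v) if v else None
            if f:
                findings.append(f)
    return findings


def scan_device(data_root: str = "/data/data") -> dict:
    """Every app's prefs; needs root, since each file is 0600 inside the app's data dir."""
    out = {}
    for xml_path in Path(data_root).glob("*/shared_preferences/*.xml"):
        try:
            findings = scan_prefs_xml(xml_path.read_bytes())
        except ET.ParseError:
            continue
        if findings:
            out[str(xml_path)] = findings
    return out


# Constructed sample shaped like /data/data/<pkg>/shared_preferences/app.xml.
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="auth_token">eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiI0MiJ9.c2lnbmF0dXJl</string>
    <string name="user_password">hunter2</string>
    <string name="sync_url">https://svc:Sup3rS3cret@sync.example.internal/v1</string>
    <string name="api_base">https://api.example.com</string>
    <string name="device_fp">Zq9Xw2Vp7Rk4Ln8Mb3Tj6Hc5Fd</string>
    <boolean name="onboarding_done" value="true" />
    <int name="launch_count" value="12" />
    <set name="recent_ids"><string>1</string><string>2</string></set>
</map>
"""

if __name__ == "__main__":
    for f in scan_prefs_xml(SAMPLE_PREFS):
        print(f"[{f.severity:<8}] {f.key}: {f.reason} ({f.preview})")
```

The ordering of the checks matters: value shape is tested before key name, so a JWT under an innocuous key is still caught, and the entropy test is last and skips anything containing `://` or whitespace, which keeps ordinary base URLs (as with `api_base` above) from being reported as secrets.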

Flutter Instrumentation

Blutter decompilation auto-generates flutter_blutter.js — a combined script that merges extracted class data with flutter_ctrl.js, a universal Flutter instrumentation framework. It appears as a launchable card in the target overview. The framework provides route discovery with a live overlay, platform channel interception and sniffing, Dart heap reading, multi-engine support, native offset hooking, forced navigation to hidden screens, and a full interactive API via pq gate send. Works on any Flutter app with zero app-specific code.

From Scan to Report

A redacted penetration testing report from a real engagement. 10 findings, including 5 critical, 2 high, and 1 medium: unauthenticated Spring Boot Admin access, Redis RCE via CONFIG SET, 301k user database enumeration, live Stripe keys with a $44k accessible balance, and full infrastructure compromise. Discovered and documented end-to-end using RedOps Mobile.

Wyatt Becker, OSCP.

Offensive security professional with 7 years of direct penetration-testing experience. Shipped RedOps Mobile solo as a proprietary end-to-end mobile security platform.

Currently looking for penetration tester, red team, cybersecurity engineer, or security consultant roles. Remote worldwide or hybrid, happy to work across timezones.

The landing page you're reading is the front end of a proprietary Android app I built solo, end to end — UI, chroot bridge, Frida tooling, reporting pipeline, and AI agent integration. Real results live in Proof above.

NAME: Wyatt Becker
CERTS: OSCP
XP: 7 yrs offensive security
LOCATION: Remote worldwide / hybrid