Attackers capitalize on one thing better than anyone else: the moment we start seeing security as a burden.
It happens more often than we’d like to admit. There’s pressure to ship a new release, the market pushes, and suddenly the new feature turns out to be incompatible with the RASP protection. The “quick fix”? Temporarily lower the defenses: *“We’ll reconfigure it later.”*
Or sometimes it’s not even a conscious decision. Any silent error in the pipeline can cause the same effect, letting the app reach production without RASP integrated into the final build.
And of course, the market doesn’t wait — but cybercriminals don’t either. That “temporary gap” is exactly what they’re looking for.
What is Nutcracker?
Nutcracker is an open-source Python tool focused on being the last line of defense. It lets you monitor applications directly from the app store to hunt for those missing security controls that manage to slip past traditional DevSecOps stages.
The idea is simple: point it to an app on Google Play, and Nutcracker does the rest.
```bash
python nutcracker.py scan "https://play.google.com/store/apps/details?id=com.example.app"
```
Nutcracker in action
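Nutcracker catches the gap after the app is already published. The same gap can be closed earlier with a release gate that inspects the final artifact for the RASP components the pipeline was supposed to integrate, so a silent build error fails the release instead of reaching the store. The following is an added example, not Nutcracker's own code: the marker paths and the library name are placeholders for whatever your RASP SDK actually ships, and the APK is a constructed in-memory zip rather than a real app.

```python
import io
import zipfile

# Placeholder markers: replace with the files your RASP integration really adds.
REQUIRED_MARKERS = (
    "assets/rasp_config.json",   # hypothetical config bundled by the protection SDK
)
RASP_LIB = "librasp_example.so"  # hypothetical native library name

ALL_ABIS = ("arm64-v8a", "armeabi-v7a")


def build_sample_apk(rasp_abis=ALL_ABIS, with_config=True):
    """Construct a minimal APK-like zip in memory (constructed sample, not a real app).
    rasp_abis controls which ABI directories receive the protection library."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", b"dex\n035\x00")
        for abi in ALL_ABIS:
            z.writestr(f"lib/{abi}/libapp.so", b"\x7fELF")
            if abi in rasp_abis:
                z.writestr(f"lib/{abi}/{RASP_LIB}", b"\x7fELF")
        if with_config:
            z.writestr("assets/rasp_config.json", b"{}")
    return buf.getvalue()


def apk_entries(apk_bytes):
    """Entry names of the APK (an APK is a zip; no parsing of the contents needed)."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        return set(z.namelist())


def missing_markers(apk_bytes, required=REQUIRED_MARKERS):
    """Required entries that are absent from the build."""
    names = apk_entries(apk_bytes)
    return [m for m in required if m not in names]


def abis_without_lib(apk_bytes, lib=RASP_LIB):
    """ABIs shipped under lib/ that lack the protection library. A partial
    integration still leaves every device on those ABIs unprotected."""
    names = apk_entries(apk_bytes)
    abis = {n.split("/")[1] for n in names if n.startswith("lib/") and n.count("/") == 2}
    return sorted(a for a in abis if f"lib/{a}/{lib}" not in names)


def release_gate(apk_bytes):
    """Return a list of problems; an empty list means the build may ship."""
    problems = [f"missing {m}" for m in missing_markers(apk_bytes)]
    problems += [f"{RASP_LIB} absent for ABI {a}" for a in abis_without_lib(apk_bytes)]
    return problems


if __name__ == "__main__":
    good = build_sample_apk()
    partial = build_sample_apk(rasp_abis=("arm64-v8a",), with_config=False)
    print("complete build:", release_gate(good) or "OK")
    print("partial build:", release_gate(partial))
```

Run it as the last step of the pipeline, against the exact signed artifact that gets uploaded, and make a non-empty result fail the job; checking an intermediate build is how the "it was integrated, but not in the final one" case slips through.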
What does it detect?
Nutcracker identifies and attempts to bypass known RASP protections. If the protection can be broken with Frida, you’ll know.
But it doesn’t stop there. Once it captures the APK, the pipeline automates:
🔍 Secret extraction: Finds and extracts hardcoded secrets, API keys, tokens, and URLs directly from the binary using internal rules + apkleaks + gitleaks on the decompiled code.
🌐 Automated OSINT: Takes those endpoints and credentials and autonomously searches for them in GitHub repositories, Postman collections, FOFA, Wayback Machine, and more.
⚙️ Static analysis (SAST): Can integrate with Semgrep or other SAST solutions.
📄 PDF Report: Everything is consolidated into a technical report ready to deliver, with an executive summary, findings per module, and aligned with the OWASP MASVS.
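The secret-extraction stage above works from rules over the decompiled code. To make that concrete, here is an added example (not Nutcracker's, apkleaks' or gitleaks' code) of the rule-based approach: a few pattern rules for well-known key formats and URLs, plus a generic rule for quoted values assigned to key/secret/token fields that is filtered by Shannon entropy so placeholders like "changeme" do not flood the report. The decompiled Java snippet is constructed, and the key values in it are documented example or made-up strings, not real credentials.

```python
import math
import re

# Constructed decompiled-source sample; every value is fake or a documented example key.
SAMPLE_DECOMPILED = '''
package com.example.app;
public class Config {
    static final String BASE_URL = "https://api.example.com/v1/";
    static final String AWS_KEY = "AKIAIOSFODNN7EXAMPLE";
    static final String MAPS_KEY = "AIzaSyConstructedExampleKey0123456789ab";
    static final String AUTH_TOKEN = "x9Qp3mZ8vL2tR7wK4nB6yH1cJ5dF0gA";
    static final String MODE = "production";
    static final String SECRET = "changeme";
}
'''

# Format-specific rules: each matches a known credential shape (or a URL).
RULES = {
    "aws_access_key_id": re.compile(r"AKIA[0-9A-Z]{16}"),
    "google_api_key": re.compile(r"AIza[0-9A-Za-z_\-]{35}"),
    "url": re.compile(r"https?://[^\s\"']+"),
}

# Generic rule: a quoted value assigned to an identifier containing key/secret/token.
GENERIC = re.compile(r'(?i)\b\w*(?:key|secret|token)\w*\s*=\s*"([^"]+)"')
ENTROPY_THRESHOLD = 3.5  # bits per character; random-looking tokens sit well above this


def shannon_entropy(s):
    """Shannon entropy in bits per character of the string s."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_source(text):
    """Return findings as dicts {rule, value, line}; specific rules win over
    the generic one so a key is reported once, under its most precise rule."""
    findings = []
    seen = set()
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, rx in RULES.items():
            for m in rx.finditer(line):
                findings.append({"rule": name, "value": m.group(0), "line": lineno})
                seen.add(m.group(0))
        for m in GENERIC.finditer(line):
            value = m.group(1)
            if value in seen:
                continue
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append({"rule": "generic_high_entropy", "value": value, "line": lineno})
                seen.add(value)
    return findings


if __name__ == "__main__":
    for f in scan_source(SAMPLE_DECOMPILED):
        print(f"line {f['line']:>3}  {f['rule']:<22} {f['value']}")
```

The entropy filter is a trade-off: it suppresses low-entropy placeholders but would also miss a weak real secret, so a production rule set pairs it with a deny-list of known default values and with the format-specific rules, which is the layering the apkleaks and gitleaks rule files use.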
The dynamic analysis flow
For protected apps, Nutcracker implements a runtime deobfuscation pipeline that tries different strategies in order:
[Diagram: dynamic analysis flow, starting from the APK]
Why I built it
The core idea is to lighten the manual validation burden for offensive teams. Saving hours of initial recon on a single app is already a win, but multiply that time across 10, 20, or more apps monitored on a recurring basis, and the operational benefit becomes massive.
I also wanted a tool that doesn’t just scream “it’s unprotected!” but actually goes further: find what was exposed, what can be exploited, and document it all automatically.
The repo is on GitHub, open-source and with a well-documented README to get you started quickly: github.com/drneox/nutcracker
Special thanks to Ruben Anthony Ricapa Corrales for the help supporting physical devices and all the feedback provided.
How many times have you seen that *“just this one unprotected deploy”* become the norm in your team?
Carlos Ganoza
I have more than 13 years of experience in the technology market and have been involved in different aspects of software development, cybersecurity, and open source. I ♥ Python and open source, and I always enjoy learning new skills.