Mobile Lab: /api/ (vulnerable REST), /mdm/ (fake MDM portal)