Hacktricks-skills android-app-pentesting

Android application security testing and pentesting. Use this skill whenever the user needs to analyze Android APKs for security vulnerabilities, perform static or dynamic analysis, bypass SSL pinning, test exported components, extract APKs from devices, or conduct mobile security assessments. Trigger for any Android security testing, APK analysis, ADB operations, Frida instrumentation, or mobile app vulnerability assessment tasks.

install
source · Clone the upstream repo
git clone https://github.com/abelrguezr/hacktricks-skills
manifest: skills/mobile-pentesting/android-app-pentesting/android-app-pentesting/SKILL.MD
source content

Android Application Pentesting

A comprehensive skill for security testing Android applications, covering static analysis, dynamic analysis, vulnerability assessment, and exploitation techniques.

Quick Start

# Install APK on the device
adb install -r app.apk

# Extract APK from device (pm path prints "package:<path>"; the path is not a local glob)
adb shell pm path com.example.app
adb pull "$(adb shell pm path com.example.app | head -n1 | cut -d: -f2 | tr -d '\r')" base.apk

# Start dynamic analysis with Frida
frida -U -f com.example.app -l script.js

Workflow Overview

  1. Setup Environment - Configure ADB, emulator/device, and tools
  2. Static Analysis - Decompile, analyze manifest, extract strings
  3. Dynamic Analysis - Instrument with Frida, capture traffic, test components
  4. Vulnerability Testing - Test exported components, SSL pinning, data storage
  5. Reporting - Document findings and remediation

1. Environment Setup

ADB Connection

# Connect to device
adb devices

# Forward port for debugging
adb forward tcp:8080 tcp:8080

# Install app with all permissions
adb install -g -r app.apk

# Uninstall app
adb uninstall com.example.app

Emulator Options

  • Android Studio AVD - Official emulator, supports x86/ARM
  • Genymotion - Free Personal Edition, requires VirtualBox
  • Appetize.io - Online emulator for quick testing

Root Access (Recommended)

For full pentesting capabilities, use a rooted device:

# Check root
adb shell su -c "id"

# Magisk setup (Pixel devices)
# 1. Patch boot.img with Magisk app
# 2. Flash via fastboot
# 3. Enable Zygisk + DenyList for root hiding

2. Static Analysis

Decompile APK

# Using apktool (Smali)
apktool d app.apk -o decompiled/

# Using jadx (Java)
jadx -d decompiled_java app.apk

# Using JADX-GUI for interactive analysis
jadx-gui app.apk

Extract APK from Device

# List packages
adb shell pm list packages

# Get APK path (printed as "package:<path>")
adb shell pm path com.example.app

# Pull APK (strip the "package:" prefix and the trailing CR that adb shell adds)
adb pull "$(adb shell pm path com.example.app | head -n1 | cut -d: -f2 | tr -d '\r')" base.apk

# For split APKs, merge with APKEditor
mkdir splits
adb shell pm path com.example.app | cut -d ':' -f 2 | tr -d '\r' | xargs -I{} adb pull {} splits/
java -jar APKEditor.jar m -i splits/ -o merged.apk
java -jar uber-apk-signer.jar -a merged.apk --allowResign -o merged_signed.apk

Analyze Manifest.xml

Check for these vulnerabilities:

| Vulnerability | What to Look For | Risk |
|---|---|---|
| Debuggable | android:debuggable="true" | High |
| Backup Enabled | android:allowBackup="true" | Medium |
| Exported Components | android:exported="true" | Medium-High |
| Cleartext Traffic | android:usesCleartextTraffic="true" | Medium |
| Low SDK Version | minSdkVersion < 21 | Low-Medium |

# Quick manifest check (apktool writes a decoded, human-readable manifest)
grep -E "debuggable|allowBackup|exported|usesCleartext" decompiled/AndroidManifest.xml
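The grep above misses components that are exported implicitly (an intent-filter with no android:exported attribute). The following audit script is an added example, not part of the upstream skill: it checks every row of the table against an apktool-decoded manifest. SAMPLE_MANIFEST is a constructed manifest; in practice pass the text of decompiled/AndroidManifest.xml.

```python
# Added example (not from the upstream skill): audit an apktool-decoded AndroidManifest.xml
# for the issues in the table above. SAMPLE_MANIFEST is constructed for the demo.
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
COMPONENTS = ("activity", "activity-alias", "service", "receiver", "provider")

SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
  <uses-sdk android:minSdkVersion="19" android:targetSdkVersion="30"/>
  <application android:debuggable="true" android:allowBackup="true"
      android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity" android:exported="true"/>
    <activity android:name=".AdminActivity" android:exported="false"/>
    <receiver android:name=".PushReceiver">
      <intent-filter><action android:name="com.example.PUSH"/></intent-filter>
    </receiver>
    <provider android:name=".DataProvider" android:authorities="com.example.provider"
        android:exported="true"/>
  </application>
</manifest>"""


def audit_manifest(xml_text):
    """Return (risk, finding) tuples, in table order, for the manifest text."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    findings = []
    for attr, risk, label in (("debuggable", "High", "Debuggable"),
                              ("allowBackup", "Medium", "Backup enabled"),
                              ("usesCleartextTraffic", "Medium", "Cleartext traffic")):
        if app is not None and app.get(ANDROID + attr) == "true":
            findings.append((risk, f'{label}: android:{attr}="true"'))
    for tag in COMPONENTS:
        for comp in (app.iter(tag) if app is not None else ()):
            exported = comp.get(ANDROID + "exported")
            # Before targetSdk 31, an <intent-filter> with no android:exported means exported.
            if exported == "true":
                how = "explicit"
            elif exported is None and comp.find("intent-filter") is not None:
                how = "implicit via intent-filter"
            else:
                continue
            findings.append(("Medium-High", f"Exported {tag} {comp.get(ANDROID + 'name')} ({how})"))
    sdk = root.find("uses-sdk")
    min_sdk = int(sdk.get(ANDROID + "minSdkVersion", "1")) if sdk is not None else 1
    if min_sdk < 21:
        findings.append(("Low-Medium", f"Low SDK version: minSdkVersion={min_sdk}"))
    return findings
```

On the sample, .PushReceiver is reported even though the word "exported" never appears on its line, which is exactly the case the grep misses.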

Extract Sensitive Strings

# Search for secrets in APK
strings app.apk | grep -iE "password|api_key|secret|token|credential"

# Search for URLs
strings app.apk | grep -iE "http://|https://|api\."

# Search for hardcoded keys
strings app.apk | grep -E "[A-Za-z0-9+/]{40,}={0,2}"

# Use apkurlgrep for URL extraction
apkurlgrep app.apk

SSL Pinning Detection

# Using SSLPinDetect
git clone https://github.com/aancw/SSLPinDetect
cd SSLPinDetect
pip install -r requirements.txt
python sslpindetect.py -f app.apk -a apktool.jar -v

# Check for common pinning patterns
grep -r "CertificatePinner" decompiled/smali/
grep -r "X509TrustManager" decompiled/smali/
grep -r "checkServerTrusted" decompiled/smali/

Identify Obfuscation

# Use APKiD to identify tools used
apkid app.apk

# Check for ProGuard/DexGuard signatures
grep -r "com.proguard" decompiled/smali/

3. Dynamic Analysis

Traffic Capture with Burp

# Install Burp CA certificate on device
# 1. Download cacert.pem from Burp
# 2. Push to device
adb push cacert.pem /sdcard/

# For API 24+, modify network_security_config.xml
# See: make-apk-accept-ca-certificate.md

# Set proxy
adb shell settings put global http_proxy 10.0.2.2:8080

# Clear proxy when done
adb shell settings put global http_proxy :0

Frida Instrumentation

# List running processes
frida-ps -Uai

# Attach to app
frida -U -f com.example.app -l script.js

# Use objection for quick commands
objection --gadget com.example.app explore

# Disable SSL pinning
objection --gadget com.example.app explore --startup-command "android sslpinning disable"

# Disable root detection
objection --gadget com.example.app explore --startup-command "android root disable"

# Dump memory
python3 fridump3.py -u com.example.app

Drozer for Component Testing

# Start drozer console (the agent on the device listens on port 31415)
adb forward tcp:31415 tcp:31415
drozer console connect

drozer:~> run app.package.list
drozer:~> run app.package.attacksurface com.example.app
drozer:~> run app.activity.info -a com.example.app
drozer:~> run app.provider.info -a com.example.app
drozer:~> run app.service.info -a com.example.app
drozer:~> run app.broadcast.info -a com.example.app

# Test exported activity
drozer:~> run app.activity.start --component com.example.app com.example.app.MainActivity

# Test content provider
drozer:~> run app.provider.query content://com.example.provider/data

MobSF Automated Analysis

# Start MobSF
docker pull opensecurity/mobile-security-framework-mobsf
docker run -it -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest

# Upload APK for static analysis
# Use web UI at http://localhost:8000

# For dynamic analysis, connect Genymotion first
# Then click "Start Instrumentation"

4. Vulnerability Testing

Exported Activities

# Find exported activities
grep -A2 "<activity" decompiled/AndroidManifest.xml | grep "exported"

# Launch exported activity via ADB
adb shell am start -n com.example.app/.ExportedActivity

# Test for auth bypass - can you access sensitive screens without login?

Content Providers

# Find exported content providers
grep -A3 "<provider" decompiled/AndroidManifest.xml | grep "exported"

# Query provider via ADB
adb shell content query --uri content://com.example.provider/data

# Test for SQL injection and path traversal

Services

# Find exported services
grep -A2 "<service" decompiled/AndroidManifest.xml | grep "exported"

# Enumerate exported services and send a Message (what/arg1/arg2) via Drozer
drozer:~> run app.service.info -a com.example.app
drozer:~> run app.service.send com.example.app com.example.app.Service --msg 1 0 0

Deep Links / URL Schemes

# Find intent filters
grep -B5 -A5 "<intent-filter" decompiled/AndroidManifest.xml | grep "data"

# Test deep link via ADB
adb shell am start -a android.intent.action.VIEW -d "scheme://path" com.example.app

# Check for sensitive data in URL parameters
# Check for path traversal: scheme://path/../../../etc/passwd

Data Storage

# Check shared preferences (run-as only works for debuggable apps; use su on a rooted device)
adb shell run-as com.example.app
cat /data/data/com.example.app/shared_prefs/*

# Check databases (sqlite3 opens one file at a time, so list the directory first)
adb shell run-as com.example.app
ls /data/data/com.example.app/databases/
sqlite3 /data/data/com.example.app/databases/<db_name>
.tables
.schema <table_name>

# Check external storage
adb shell ls -la /sdcard/Android/data/com.example.app/

SSL Pinning Bypass

# Method 1: Frida script
frida -U -f com.example.app -l ssl-unpinning.js

# Method 2: Objection
objection --gadget com.example.app explore --startup-command "android sslpinning disable"

# Method 3: APK modification
apk-mitm -i app.apk -o app_patched.apk

# Method 4: Network Security Config
# Add to AndroidManifest.xml:
# <application android:networkSecurityConfig="@xml/network_security_config">
# Create res/xml/network_security_config.xml:
# <network-security-config>
#   <base-config cleartextTrafficPermitted="true">
#     <trust-anchors>
#       <certificates src="system" />
#       <certificates src="user" />
#     </trust-anchors>
#   </base-config>
# </network-security-config>
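Method 4 above is the testing configuration; the release build should ship the opposite settings. The script below is an added example, not part of the upstream skill: it audits a network_security_config.xml for the settings that weaken TLS (cleartext permitted, user CAs trusted, debug overrides, missing, single or expired pins). TEST_CONFIG is the permissive config from Method 4 and PROD_CONFIG is a constructed hardened counterpart; the domain and the pin digests are placeholders.

```python
# Added example (not from the upstream skill): audit a network_security_config.xml.
# TEST_CONFIG is the pentest config above; PROD_CONFIG is a constructed hardened one.
import xml.etree.ElementTree as ET
from datetime import date

TEST_CONFIG = """<network-security-config>
  <base-config cleartextTrafficPermitted="true">
    <trust-anchors><certificates src="system"/><certificates src="user"/></trust-anchors>
  </base-config>
</network-security-config>"""

# Placeholder domain and pin digests; real pins are base64 SHA-256 of the SPKI.
PROD_CONFIG = """<network-security-config>
  <base-config cleartextTrafficPermitted="false">
    <trust-anchors><certificates src="system"/></trust-anchors>
  </base-config>
  <domain-config><domain includeSubdomains="true">api.example.com</domain>
    <pin-set expiration="2030-01-01">
      <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
      <pin digest="SHA-256">BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=</pin>
    </pin-set></domain-config>
</network-security-config>"""


def audit_nsc(xml_text, today="2025-01-01"):
    """Return a list of weaknesses in the config; an empty list means none found."""
    root = ET.fromstring(xml_text)
    now = date.fromisoformat(today)
    issues = []
    for cfg in root.iter():
        if cfg.get("cleartextTrafficPermitted") == "true":
            issues.append(f"<{cfg.tag}> permits cleartext (HTTP) traffic")
    if any(c.get("src") == "user" for c in root.iter("certificates")):
        issues.append("user-installed CAs are trusted, so any CA added on the device can intercept TLS")
    if root.find("debug-overrides") is not None:
        issues.append("<debug-overrides> present; only safe if release builds are not debuggable")
    for dc in root.iter("domain-config"):
        names = ", ".join(d.text for d in dc.iter("domain"))
        pins = dc.find("pin-set")
        if pins is None:
            issues.append(f"domain-config for {names} has no pin-set (no certificate pinning)")
            continue
        if len(pins.findall("pin")) < 2:
            issues.append(f"pin-set for {names} has no backup pin (key rotation will break the app)")
        exp = pins.get("expiration")
        # Android stops enforcing pins after the expiration date, silently disabling pinning.
        if exp and date.fromisoformat(exp) < now:
            issues.append(f"pin-set for {names} expired on {exp}: pinning is off")
    return issues
```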

Biometric Authentication Bypass

# Frida script for biometric bypass
frida --codeshare krapgras/android-biometric-bypass-update-android-11 -U -f com.example.app

# Check for FLAG_SECURE (prevents screenshots)
# If not set, background images may leak sensitive data
adb shell ls -la /data/system_ce/0/snapshots/

WebView Vulnerabilities

# Check for dangerous WebView settings
grep -r "setJavaScriptEnabled" decompiled/smali/
grep -r "addJavascriptInterface" decompiled/smali/
grep -r "setAllowFileAccess" decompiled/smali/

# Test for XSS, file access, and JavaScript injection

5. Common Vulnerabilities Checklist

High Priority

  • Exported activities with sensitive data
  • Exported content providers with SQL injection
  • Hardcoded secrets/API keys
  • SSL pinning (can be bypassed)
  • Insecure data storage (shared_prefs, databases)
  • Debuggable app in production

Medium Priority

  • Backup enabled (allowBackup="true")
  • Cleartext traffic allowed
  • Exported services
  • Deep link vulnerabilities
  • Intent injection
  • WebView misconfigurations

Low Priority

  • Low minSdkVersion
  • Missing root detection
  • Missing emulator detection
  • No code obfuscation
  • Sensitive data in logs

6. Tools Reference

Static Analysis

| Tool | Purpose | Command |
|---|---|---|
| apktool | Decompile to Smali | apktool d app.apk |
| jadx | Decompile to Java | jadx app.apk |
| APKiD | Identify obfuscation | apkid app.apk |
| SSLPinDetect | Detect SSL pinning | python sslpindetect.py -f app.apk |
| MobSF | Automated analysis | Docker container |
| Qark | LinkedIn's scanner | qark --apk app.apk |
| AndroBugs | Vulnerability scanner | python androbugs.py -f app.apk |

Dynamic Analysis

| Tool | Purpose | Command |
|---|---|---|
| Frida | Runtime instrumentation | frida -U -f package -l script.js |
| Objection | Frida wrapper | objection --gadget package explore |
| Drozer | Component testing | drozer console connect |
| Burp Suite | Traffic interception | Proxy at 127.0.0.1:8080 |
| pidcat | Log monitoring | pidcat com.example.app |
| Fridump3 | Memory dump | python3 fridump3.py -u package |

Utilities

| Tool | Purpose | Command |
|---|---|---|
| ADB | Device control | adb devices |
| APKEditor | Merge split APKs | java -jar APKEditor.jar m -i splits/ |
| uber-apk-signer | Sign APKs | java -jar uber-apk-signer.jar -a app.apk |
| APKLeaks | Find secrets | apkleaks -f app.apk |

7. Reporting

Finding Template

## [Vulnerability Name]

**Severity:** [Critical/High/Medium/Low]

**Location:** [Component/File/Line]

**Description:**
[Brief description of the vulnerability]

**Impact:**
[What an attacker could do]

**Proof of Concept:**
[Steps to reproduce]

**Remediation:**
[How to fix]

**References:**
[OWASP, CWE, etc.]

Severity Guidelines

  • Critical: Remote code execution, authentication bypass, data exfiltration
  • High: Sensitive data exposure, privilege escalation
  • Medium: Information disclosure, weak cryptography
  • Low: Missing security headers, debug info in release

8. Best Practices

For Pentesters

  1. Always test on a rooted device or emulator
  2. Use Frida for dynamic analysis - it's powerful and flexible
  3. Check both static and dynamic aspects of the app
  4. Document everything - screenshots, commands, findings
  5. Test on multiple Android versions if possible

For Developers (Remediation)

  1. Set android:debuggable="false" in release builds
  2. Set android:allowBackup="false" for sensitive apps
  3. Implement proper SSL pinning (but test it!)
  4. Use Android Keystore for sensitive data
  5. Don't store secrets in code or resources
  6. Validate all inputs, especially from deep links
  7. Use ProGuard/R8 for code obfuscation
  8. Implement root detection for sensitive apps
  9. Set FLAG_SECURE on sensitive screens
  10. Keep SDK versions up to date

9. Quick Commands Cheat Sheet

# ADB Basics
adb devices
adb install -r app.apk
adb uninstall com.example.app
adb shell pm list packages
adb shell pm path com.example.app
adb pull /path/to/apk
adb push local.apk /sdcard/
adb logcat
adb shell am start -n com.example.app/.Activity

# Frida
frida-ps -Uai
frida -U -f com.example.app -l script.js
frida-trace -U -f com.example.app -o trace.txt

# Objection
objection --gadget com.example.app explore
objection --gadget com.example.app explore --startup-command "android sslpinning disable"
objection --gadget com.example.app explore --startup-command "android root disable"

# Drozer
adb forward tcp:31415 tcp:31415
drozer console connect
run app.package.list
run app.activity.info -a com.example.app
run app.provider.query content://provider/path

# Static Analysis
apktool d app.apk -o decompiled/
jadx -d decompiled_java app.apk
strings app.apk | grep -i password
apkid app.apk

# Memory Dump
python3 fridump3.py -u com.example.app
strings dump/* | grep -E "[a-z0-9]{32,}"

# SSL Pinning Detection
python sslpindetect.py -f app.apk -a apktool.jar -v

10. References


Scripts

See the scripts/ directory for helper scripts:

  • sslpin-detect.sh - SSL pinning detection wrapper
  • apk-extract.sh - Extract APK from device
  • manifest-check.sh - Quick manifest vulnerability scan
  • frida-ssl-bypass.js - Frida script for SSL pinning bypass