# Android Application Pentesting

## **Android PT Mindmap**

### Reversing

#### Java/Kotlin

* Decompile apk
  * [Jadx/Jadx-gui](https://github.com/skylot/jadx)
  * [Dex2Jar](https://github.com/pxb1988/dex2jar)
  * [APktool](https://apktool.org/)
* Native
  * Identify `.so` inside app lib/\<arch>/\*.so
  * `rabin2 -I lib/x86_64/libnative-lib.so | grep -E "canary|pic"` (check whether the library was built with stack canaries and as position-independent code)
  * Decompile with Ghidra / IDA Pro / radare2
* Resources
  * [Native decompiling](https://mas.owasp.org/MASTG/techniques/android/MASTG-TECH-0024/#ida-pro)
  * [Reversing Native Libraries](https://book.hacktricks.wiki/en/mobile-pentesting/android-app-pentesting/reversing-native-libraries.html)
  * [Smali](https://mas.owasp.org/MASTG/techniques/android/MASTG-TECH-0016/)
  * [JavaCode](https://mas.owasp.org/MASTG/techniques/android/MASTG-TECH-0017/)

#### React Native

* Disassemble/assemble the Hermes bytecode in `assets/index.android.bundle` (check first whether the bundle is Hermes bytecode or plain, readable JavaScript: `file assets/index.android.bundle`)
  * [hermes-facebook](https://github.com/facebook/hermes/tree/main)
  * [hermes engine](https://hermesengine.dev/)
  * [hermes-dec](https://github.com/P1sec/hermes-dec)
  * [hbctool](https://github.com/bongtrop/hbctool)
  * [hbctool-fork](https://github.com/Kirlif/HBC-Tool)
  * [hasmer](https://github.com/lucasbaizer2/hasmer)
  * [hermes\_rs](https://github.com/Pilfer/hermes_rs)
* Resources
  * [Reversing and Instrumenting React Native Apps](https://pilfer.github.io/mobile-reverse-engineering/react-native/reverse-engineering-and-instrumenting-react-native-apps/)
  * [Reversing React Native apps](https://book.hacktricks.wiki/en/mobile-pentesting/android-app-pentesting/react-native-application.html)
  * [Editing and patching React Native applications](https://payatu.com/blog/editing-and-patching-react-native-applications/)
  * [Understanding and modifying Hermes bytecode](https://payatu.com/blog/understanding-modifying-hermes-bytecode/)

#### Cordova/Ionic/PhoneGap

* The web source code (HTML/JS/CSS) ships unpacked in `assets/www`
* Resources
  * [effortless-pentesting-of-apache-cordova-applications](https://payatu.com/blog/effortless-pentesting-of-apache-cordova-applications/)
  * [Cordova Apps](https://book.hacktricks.wiki/en/mobile-pentesting/cordova-apps.html)

#### Xamarin

* Find the `assemblies` directory in the APK (newer builds pack the DLLs into `.so` files under `lib/<arch>/`), decompress/extract the `.dll` files and load them in dnSpy
  * [xamarin-decompress](https://github.com/NickstaDB/xamarin-decompress)
  * [XamAsmUnZ](https://github.com/cihansol/XamAsmUnZ)
  * [dnSpy](https://github.com/dnSpy/dnSpy)
  * [dll-extractor-from-so-xamarin-app](https://github.com/Dado1513/dll-extractor-from-so-xamarin-app)
* Resources
  * [xamarin-apps](https://book.hacktricks.wiki/en/mobile-pentesting/xamarin-apps.html)
  * [Appknox: Xamarin reverse engineering for penetration testers](https://www.appknox.com/blog/xamarin-reverse-engineering-a-guide-for-penetration-testers)

#### Flutter

* [Flutter Reversing](https://mas.owasp.org/MASTG/techniques/android/MASTG-TECH-0112/)

#### Apk Signature

* Verify Signature
  * `apksigner verify --verbose example.apk`
  * `apksigner verify --print-certs --verbose example.apk`

### Static Analysis

#### Insecure Crypto-Methods

* [Insecure Algorithm](https://mas.owasp.org/MASTG/0x04g-Testing-Cryptography/#identifying-insecure-andor-deprecated-cryptographic-algorithms)
  * DES, 3DES
  * RC2
  * RC4
  * BLOWFISH
  * MD4
  * MD5
  * SHA1
* `java.util.Random`, or `SecureRandom` seeded with a hardcoded value (`setSeed(...)` / `new SecureRandom(byte[])`), used to generate keys, IVs or tokens (the no-argument `new SecureRandom()` is the correct form)

#### Interesting File

* Android Manifest `AndroidManifest.xml`
* Network Security Config: `res/xml/<name>.xml`, referenced by `android:networkSecurityConfig` in the manifest (look for `cleartextTrafficPermitted`, user-added trust anchors and pin sets)
* `assets` directory
* `res/xml` directory

#### Find Secret/URL/Endpoint

* `strings` command
* [Retrieving String](https://mas.owasp.org/MASTG/techniques/android/MASTG-TECH-0019/)
* [Apkleaks](https://github.com/dwisiswant0/apkleaks)

#### Insecure DeepLink

* Check that `https://<host>/.well-known/assetlinks.json` exists and lists the app's package name and the SHA-256 fingerprint of its signing certificate; if App Link verification (`android:autoVerify="true"`) fails, the filter degrades to a plain deep link that any other app can also register
* [Exploit deeplink](https://redfoxsec.com/blog/protect-your-android-app-preventing-exploitation-of-deep-links/)
* [DeepLink Vulnerabilities](https://0xn3va.gitbook.io/cheat-sheets/android-application/intent-vulnerabilities/deep-linking-vulnerabilities)
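
Added example (not from the original page): a Python helper that fetches the Digital Asset Links file the way Android's verifier does (HTTPS, no redirects) and checks the three things that must hold for App Link verification to succeed: the package is listed, the relation is `handle_all_urls`, and one listed fingerprint equals the SHA-256 of the certificate the APK is really signed with. The statements and fingerprints in `SAMPLE_STATEMENTS` are constructed; function names are my own.

```python
"""Cross-check an app's App Links against the site's Digital Asset Links file.
Verification succeeds only if the host serves /.well-known/assetlinks.json over
HTTPS without redirects, the file lists the app's package, and one of its
SHA-256 fingerprints matches the certificate printed by apksigner --print-certs."""
import json
import urllib.request

HANDLE_ALL_URLS = "delegate_permission/common.handle_all_urls"


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Android's verifier does not follow redirects, so neither do we (3xx -> HTTPError)."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_assetlinks(host: str, timeout: float = 10) -> list:
    url = f"https://{host}/.well-known/assetlinks.json"
    opener = urllib.request.build_opener(NoRedirect())
    with opener.open(url, timeout=timeout) as resp:   # raises HTTPError on 3xx/4xx/5xx
        return json.load(resp)


def normalize_fp(fp: str) -> str:
    """Accept 'ab:cd:..' or 'abcd..' and return the upper-case colon-separated form."""
    raw = fp.replace(":", "").upper()
    return ":".join(raw[i:i + 2] for i in range(0, len(raw), 2))


def verify_app_link(statements: list, package: str, cert_sha256: str) -> dict:
    """Evaluate, per statement, the conditions Android checks for the given package."""
    want = normalize_fp(cert_sha256)
    result = {"package_listed": False, "relation_ok": False, "fingerprint_matches": False}
    for st in statements:
        target = st.get("target", {})
        if target.get("namespace") != "android_app" or target.get("package_name") != package:
            continue
        result["package_listed"] = True
        if HANDLE_ALL_URLS in st.get("relation", []):
            result["relation_ok"] = True
        listed = {normalize_fp(f) for f in target.get("sha256_cert_fingerprints", [])}
        if want in listed:
            result["fingerprint_matches"] = True
    result["verified"] = all(result.values())
    return result


# Constructed sample: the site vouches only for the release certificate, so a
# test build signed with another key will not verify even though the package is listed.
SAMPLE_STATEMENTS = [
    {"relation": [HANDLE_ALL_URLS],
     "target": {"namespace": "android_app", "package_name": "com.example.app",
                "sha256_cert_fingerprints": [
                    "AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:"
                    "AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99"]}},
    {"relation": [HANDLE_ALL_URLS],
     "target": {"namespace": "web", "site": "https://example.com"}},
]
RELEASE_FP = "aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899"
DEBUG_FP = "00" * 32

if __name__ == "__main__":
    import sys
    host, package, fp = sys.argv[1:4]   # e.g. example.com com.example.app <sha256 from apksigner>
    print(verify_app_link(fetch_assetlinks(host), package, fp))
```

On Android 12+ the device-side result can be compared with `adb shell pm get-app-links <package>`; a mismatch between the fingerprint in `assetlinks.json` and the certificate of the build under test (a debug-signed build, for example) is the usual reason links open the disambiguation dialog instead of the app.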

#### WebView

* Arbitrary URL loading (`loadUrl` fed from Intent extras or deep-link parameters)
* `addJavascriptInterface` exposing Java methods to page JavaScript
* `setJavaScriptEnabled(true)`
* Local file inclusion (`setAllowFileAccess`, `setAllowFileAccessFromFileURLs`, `setAllowUniversalAccessFromFileURLs`, `file://` loads)
* XSS in content rendered by the WebView
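
Added example (not from the original page): a grep-style Python scanner that runs the Insecure Crypto-Methods and WebView checks above over a jadx/Kotlin output tree. The rule names and the `SAMPLE` snippet are constructed; every hit is a lead for manual review (a `java.util.Random` is only a finding when its output becomes a key, token or IV).

```python
"""Triage decompiled Java/Kotlin for insecure crypto primitives and risky WebView settings."""
import re
import sys
from pathlib import Path
from typing import NamedTuple


class Finding(NamedTuple):
    path: str
    line: int
    rule: str
    text: str


# (rule, regex). Algorithm names are matched case-insensitively because
# Cipher.getInstance("desede/CBC/PKCS5Padding") is as weak as "DESede".
RULES = [
    ("weak-cipher", re.compile(
        r'Cipher\.getInstance\(\s*"(?:DES|DESede|TripleDES|RC2|RC4|ARCFOUR|Blowfish)\b[^"]*"', re.I)),
    ("ecb-mode", re.compile(r'Cipher\.getInstance\(\s*"[^"]*/ECB/[^"]*"', re.I)),
    ("weak-hash", re.compile(r'MessageDigest\.getInstance\(\s*"(?:MD4|MD5|SHA-?1)"', re.I)),
    # java.util.Random is predictable; only a problem when the value is security-relevant
    ("insecure-random", re.compile(r'\bnew\s+(?:java\.util\.)?Random\s*\(')),
    # SecureRandom is fine unless the caller supplies its own (usually constant) seed
    ("seeded-securerandom", re.compile(r'new\s+SecureRandom\s*\(\s*[^)\s]|\.setSeed\(')),
    ("webview-js", re.compile(r'setJavaScriptEnabled\(\s*true\s*\)')),
    ("webview-jsinterface", re.compile(r'\.addJavascriptInterface\(')),
    ("webview-file-access", re.compile(
        r'setAllow(?:FileAccess|FileAccessFromFileURLs|UniversalAccessFromFileURLs)\(\s*true\s*\)')),
]


def scan_source(text: str, path: str = "<memory>") -> list[Finding]:
    """Return one Finding per (line, rule) hit in a single source file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, rx in RULES:
            if rx.search(line):
                findings.append(Finding(path, lineno, rule, line.strip()))
    return findings


def scan_tree(root: Path) -> list[Finding]:
    """Walk a decompiled tree (e.g. jadx output) and scan every .java/.kt file."""
    out = []
    for p in sorted(root.rglob("*")):
        if p.suffix in (".java", ".kt"):
            out.extend(scan_source(p.read_text(errors="replace"), str(p)))
    return out


# Constructed sample mimicking jadx output; not taken from a real app.
SAMPLE = """\
Cipher c = Cipher.getInstance("DES/CBC/PKCS5Padding");
Cipher ok = Cipher.getInstance("AES/GCM/NoPadding");
MessageDigest md = MessageDigest.getInstance("MD5");
SecureRandom good = new SecureRandom();
SecureRandom bad = new SecureRandom("1234".getBytes());
webView.getSettings().setJavaScriptEnabled(true);
webView.addJavascriptInterface(new Bridge(), "Android");
"""

if __name__ == "__main__":
    # usage: python3 scan.py <jadx_output_dir>   (no argument: scan the built-in sample)
    results = scan_tree(Path(sys.argv[1])) if len(sys.argv) > 1 else scan_source(SAMPLE, "SAMPLE")
    for f in results:
        print(f"{f.path}:{f.line} [{f.rule}] {f.text}")
```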

### Setup Device

#### Emulator

* [rootAVD](https://gitlab.com/newbit/rootAVD)
* [OWASP Techniques Emulator](https://mas.owasp.org/MASTG/techniques/android/MASTG-TECH-0036/)

#### Physical Device

* Rooting
* Magisk
  * LSPosed
  * MagiskHide (replaced by the DenyList in Magisk 24+)
  * Enable Zygisk
* Useful Modules
  * [MagiskFrida](https://github.com/ViRb3/magisk-frida)
  * [Custom-Certificate-Authorities](https://github.com/Magisk-Modules-Alt-Repo/custom-certificate-authorities) (moves user-installed CAs into the system trust store)
  * [MagiskHidePropsConf](https://github.com/Magisk-Modules-Repo/MagiskHidePropsConf)

#### Root Detection

* Missing Root Detection
* Bypass
  * Frida
  * Patch the check (smali/native) and repack
  * MagiskHide / DenyList

#### Emulator Detection

* Missing Check
* Bypass
  * Frida
  * Code Manipulation / Patching

#### Anti-Tampering

* Check whether the app verifies its own signature
  * re-sign it with `uber-apk-signer` and check whether it still runs
* Check whether the app verifies the integrity of its code
  * patch the code (native, Hermes, JS, smali), re-sign it and run it again

### Dynamic Analysis

#### Pull apk

* list installed packages
  * `adb shell pm list packages` (`-3` shows third-party packages only)
* get the APK path(s); an app installed from a bundle prints one line per split
  * `adb shell pm path sg.vp.owasp_mobile.omtg_android`
* download every APK the previous command listed (the splits carry native libs and resources that `base.apk` alone does not)
  * `adb pull <path>`
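
Added example (not from the original page): the pull procedure above as a Python script that parses `pm list packages` / `pm path` output and pulls every split of a package. The parsers are exercised on constructed `pm` output; the `adb` wrapper and helper names are my own.

```python
"""Pull every APK of an installed package (base + split_config.* APKs)."""
import subprocess
import sys
from pathlib import Path


def _strip_prefix(output: str) -> list[str]:
    """Both `pm list packages` and `pm path` print 'package:<value>' lines."""
    return [l[len("package:"):].strip() for l in output.splitlines() if l.startswith("package:")]


def parse_package_list(output: str, keyword: str = "") -> list[str]:
    """Package names from `pm list packages`, optionally filtered by substring."""
    return [n for n in _strip_prefix(output) if keyword in n]


def parse_pm_path(output: str) -> list[str]:
    """APK paths from `pm path <pkg>`; split APKs yield several lines."""
    return _strip_prefix(output)


def adb(*args: str) -> str:
    return subprocess.run(["adb", *args], check=True, capture_output=True, text=True).stdout


def pull_package(package: str, dest: Path) -> list[Path]:
    paths = parse_pm_path(adb("shell", "pm", "path", package))
    if not paths:
        raise RuntimeError(f"{package} is not installed")
    dest.mkdir(parents=True, exist_ok=True)
    pulled = []
    for remote in paths:
        local = dest / Path(remote).name      # base.apk, split_config.arm64_v8a.apk, ...
        adb("pull", remote, str(local))
        pulled.append(local)
    return pulled


if __name__ == "__main__":
    # usage: python3 pull.py <keyword>  -> pulls every package whose name contains it
    for pkg in parse_package_list(adb("shell", "pm", "list", "packages"), sys.argv[1]):
        for p in pull_package(pkg, Path(pkg)):
            print("pulled", p)
```

After patching, a split-installed app has to go back on the device as a set (`adb install-multiple base.apk split_config.*.apk`), all splits re-signed with the same key.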

#### Content Provider

* [Exploiting Content Provider](https://book.hacktricks.wiki/en/mobile-pentesting/android-app-pentesting/content-protocol.html)

#### Binary Instrumentation

* Dynamic analysis on a non-rooted device (objection injects the Frida gadget into the APK and re-signs it)
  * `objection patchapk --source UnCrackable-Level1.apk`
* Tools
  * [Frida](https://book.hacktricks.wiki/en/mobile-pentesting/android-app-pentesting/frida-tutorial/index.html)
  * [Objection](https://github.com/sensepost/objection)

#### Interact with App

* [Drozer](https://github.com/WithSecureLabs/drozer)
  * [Tutorial Drozer](https://book.hacktricks.wiki/en/mobile-pentesting/android-app-pentesting/drozer-tutorial/index.html)
* Attack Surface
  * `run app.package.attacksurface <package_name>`

#### Process Exploration

* [Fridump](https://github.com/Nightbringer21/fridump)
* Objection
  * `objection --gadget sg.vantagepoint.helloworldjni explore`
  * `memory dump all`
* [Process Exploration](https://mas.owasp.org/MASTG/techniques/android/MASTG-TECH-0044/)

#### Method Tracing

* [Execution Tracing](https://mas.owasp.org/MASTG/techniques/android/MASTG-TECH-0032/)
* [Method Tracing](https://mas.owasp.org/MASTG/techniques/android/MASTG-TECH-0033/)
* [Native Code Tracing](https://mas.owasp.org/MASTG/techniques/android/MASTG-TECH-0034/)
* [JNI Tracing](https://mas.owasp.org/MASTG/techniques/android/MASTG-TECH-0035/)

#### Hooking Method

* Getting loaded classes
  * [OWASP Getting Loaded Classes](https://mas.owasp.org/MASTG/techniques/android/MASTG-TECH-0042/)
* [OWASP Hooking](https://mas.owasp.org/MASTG/techniques/android/MASTG-TECH-0043/)

#### Library Injection

* [Library Injection MASTG](https://mas.owasp.org/MASTG/techniques/android/MASTG-TECH-0041/#patching-applications-native-library)

#### Debugger

* [OWASP Debugging](https://mas.owasp.org/MASTG/techniques/android/MASTG-TECH-0031/)
* [Exploit App Debuggable](https://book.hacktricks.wiki/en/mobile-pentesting/android-app-pentesting/exploiting-a-debuggeable-applciation.html)
* Resources
  * [Debugger](https://mas.owasp.org/MASTG/techniques/android/MASTG-TECH-0040/)

### Network

#### Network Monitoring

* [Set Proxy](https://mas.owasp.org/MASTG/techniques/android/MASTG-TECH-0011/)
* [monitoring traffic](https://mas.owasp.org/MASTG/techniques/android/MASTG-TECH-0010/)
* iptables (redirect the traffic of proxy-unaware apps to the interception proxy)
* tcpdump (capture on the device, analyse with Wireshark)

#### SSL Pinning bypass

* OWASP: [OWASP SSL Pinning Bypass](https://mas.owasp.org/MASTG/techniques/android/MASTG-TECH-0012/)
* Using Frida
  * [ssl-pinning-bypass-android-frida](https://redfoxsec.com/blog/ssl-pinning-bypass-android-frida/)
  * [bypass-ssl-pinning-for-flutter](https://medium.com/@appsecwarrior/bypass-ssl-pinning-for-flutter-a2f9ae85762e)
* Flutter App
  * [reFlutter](https://github.com/Impact-I/reFlutter)
  * [OWASP Flutter](https://mas.owasp.org/MASTG/techniques/android/MASTG-TECH-0109/)
  * [Flutter SSL Pinning Bypass Frida](https://github.com/horangi-cyops/flutter-ssl-pinning-bypass)
* Tools
  * [apk-mitm](https://github.com/niklashigi/apk-mitm)
  * [frida-interception-and-unpinning](https://github.com/httptoolkit/frida-interception-and-unpinning)
  * [frida-android-unpinning](https://codeshare.frida.re/@masbog/frida-android-unpinning-ssl/)

### Storage

#### Sensitive information in Local Storage

* path `/data/data/<package_name>` (same location as `/data/user/0/<package_name>`)
  * `shared_prefs/` (SharedPreferences XML files)
  * `databases/` (SQLite; look for unencrypted credentials and tokens)
  * `files/`, `cache/` and other app-private files
* Objection `objection -g sg.vp.owasp_mobile.omtg_android explore`

#### File in External Storage

* List or pull the files in `/sdcard`
  * `adb shell ls -R /sdcard/Android/data/<package_name>`
  * `adb pull /sdcard`
* Using Frida to monitor the storage API
  * `getExternalStorageDirectory`
  * `getExternalStoragePublicDirectory`
  * `getExternalFilesDir` or `FileOutputStream`
* Permissions `WRITE_EXTERNAL_STORAGE` and `MANAGE_EXTERNAL_STORAGE`

#### Sensitive Information Logcat

* [pidcat](https://github.com/JakeWharton/pidcat)
* `adb logcat`
* Logging sinks to look for: `Log.*`, `Logger`, `System.out.println`, `System.err.println` and `java.lang.Throwable#printStackTrace`
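
Added example (not from the original page): a Python filter for `adb logcat -v threadtime` output that keeps only the target app's PID and flags lines that look like leaked credentials (JWTs, Bearer/Basic headers, `password=`-style key/value pairs). `SAMPLE_LOG` is constructed, not captured from a real app; the secret patterns are my own and will produce false positives that need a look.

```python
"""Filter threadtime logcat output to one PID and flag credential-looking lines."""
import re
import sys
from typing import NamedTuple

# 03-14 12:00:01.123  1234  1256 D AuthManager: message
LINE_RE = re.compile(
    r"^(?P<ts>\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+(?P<pid>\d+)\s+(?P<tid>\d+)\s+"
    r"(?P<level>[VDIWEF])\s+(?P<tag>.*?):\s(?P<msg>.*)$")

# Dict order matters: the first pattern that matches a line names the finding.
SECRET_PATTERNS = {
    "jwt": re.compile(r"eyJ[A-Za-z0-9_-]{8,}\.eyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]+"),
    "bearer": re.compile(r"(?i)bearer\s+[A-Za-z0-9._~+/=-]{16,}"),
    "basic-auth": re.compile(r"(?i)basic\s+[A-Za-z0-9+/=]{8,}"),
    "credential-kv": re.compile(
        r"(?i)\b(pass(word|wd)?|pwd|secret|token|api[_-]?key)\b[\"']?\s*[=:]\s*\S+"),
}


class Leak(NamedTuple):
    tag: str
    kind: str
    message: str


def find_leaks(log: str, pid: int) -> list[Leak]:
    """Return suspicious log lines emitted by `pid`, one Leak per line."""
    leaks = []
    for raw in log.splitlines():
        m = LINE_RE.match(raw)
        if not m or int(m["pid"]) != pid:
            continue
        for kind, rx in SECRET_PATTERNS.items():
            if rx.search(m["msg"]):
                leaks.append(Leak(m["tag"], kind, m["msg"]))
                break
    return leaks


# Constructed sample; PID 1234 is the app under test, 4321 is an unrelated process.
SAMPLE_LOG = """\
03-14 12:00:01.123  1234  1256 D AuthManager: login ok for user alice
03-14 12:00:01.130  1234  1256 D AuthManager: Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2lnbmF0dXJlLWJ5dGVz
03-14 12:00:01.140  1234  1260 I OkHttp: --> POST https://api.example.com/v1/login
03-14 12:00:01.141  1234  1260 I OkHttp: {"username":"alice","password":"Winter2024!"}
03-14 12:00:02.000  4321  4321 D OtherApp: password=hunter2
"""

if __name__ == "__main__":
    # usage: adb logcat -d -v threadtime | python3 logleaks.py $(adb shell pidof com.example.app)
    pid = int(sys.argv[1]) if len(sys.argv) > 1 else 1234
    log = sys.stdin.read() if len(sys.argv) > 1 else SAMPLE_LOG
    for leak in find_leaks(log, pid):
        print(f"[{leak.kind}] {leak.tag}: {leak.message}")
```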

### Misconfiguration

#### Android Backup

* `android:allowBackup="true"` (also the default when the attribute is omitted); dump the app data with `adb backup -f backup.ab <package_name>`
* [Android backup extractor](https://github.com/nelenkov/android-backup-extractor) converts the `.ab` file into a tar archive
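
Added example (not from the original page): a Python triage of the decoded `AndroidManifest.xml` (apktool output) covering the items from "Interesting File" and this section: `allowBackup`, `debuggable`, cleartext traffic, the network security config reference, exported components without a permission, and deep-link entry points. `SAMPLE_MANIFEST` is constructed; the launcher activity is skipped because it is exported by design.

```python
"""Triage a decoded AndroidManifest.xml for common misconfigurations."""
import sys
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
COMPONENTS = ("activity", "activity-alias", "service", "receiver", "provider")


def attr(el, name, default=None):
    return el.get(ANDROID + name, default)


def is_launcher(comp) -> bool:
    return any(attr(a, "name") == "android.intent.action.MAIN"
               for f in comp.findall("intent-filter") for a in f.findall("action"))


def check_manifest(xml_text: str) -> list[str]:
    root = ET.fromstring(xml_text)
    app = root.find("application")
    if app is None:
        return ["no <application> element"]
    findings = []
    # allowBackup defaults to true when omitted, so only an explicit "false" is safe
    if attr(app, "allowBackup", "true") == "true":
        findings.append("allowBackup true or omitted: app data exposed via adb backup")
    if attr(app, "debuggable") == "true":
        findings.append("debuggable=true: debugger attach and run-as without root")
    if attr(app, "usesCleartextTraffic") == "true":
        findings.append("usesCleartextTraffic=true: plain HTTP allowed")
    nsc = attr(app, "networkSecurityConfig")
    if nsc:
        findings.append(f"review network security config res/xml/{nsc.split('/')[-1]}.xml")
    for comp in app:
        if comp.tag not in COMPONENTS or is_launcher(comp):
            continue
        name = attr(comp, "name", "?")
        exported = attr(comp, "exported")
        has_filter = comp.find("intent-filter") is not None
        # Before targetSdk 31 a component with an intent-filter is exported implicitly.
        # Providers may also rely on readPermission/writePermission; check those by hand.
        if (exported == "true" or (exported is None and has_filter)) and attr(comp, "permission") is None:
            findings.append(f"exported {comp.tag} without permission: {name}")
        for f in comp.findall("intent-filter"):
            verified = attr(f, "autoVerify") == "true"
            for d in f.findall("data"):
                scheme = attr(d, "scheme")
                if scheme:
                    link = f"{scheme}://{attr(d, 'host', '')}"
                    findings.append(f"deep link {link} on {name}" + ("" if verified else " (not autoVerify)"))
    return findings


# Constructed manifest, not from a real app.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
  <application android:debuggable="true" android:usesCleartextTraffic="true"
               android:networkSecurityConfig="@xml/network_security_config">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".DeepLinkActivity">
      <intent-filter android:autoVerify="true">
        <action android:name="android.intent.action.VIEW"/>
        <data android:scheme="https" android:host="example.com"/>
      </intent-filter>
    </activity>
    <receiver android:name=".Receiver" android:exported="true"/>
    <provider android:name=".Provider" android:authorities="com.example.app.provider"
              android:exported="true" android:permission="com.example.app.READ"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    # usage: python3 manifest_check.py <apktool_out>/AndroidManifest.xml
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_MANIFEST
    for line in check_manifest(text):
        print("-", line)
```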

#### Debug Certificate

* Check whether the app is signed with a debug certificate
  * `apksigner verify --print-certs --verbose example.apk`
  * the signer DN reads `"CN=Android Debug,O=Android,C=US"`

### App Tampering

* Modifying [smali](https://github.com/JesusFreke/smali/wiki/TypesMethodsAndFields)
* [Smali-Repack](https://book.hacktricks.wiki/en/mobile-pentesting/android-app-pentesting/smali-changes.html)
* Resign `apk` [uber-apk-signer](https://github.com/patrickfav/uber-apk-signer)

  ```bash
  # create a signing key (keytool ships with the JDK, e.g. "Android Studio\jbr\bin\keytool")
  keytool -genkey -v -keystore your-keystore.jks -keyalg RSA -keysize 2048 -validity 10000 -alias <key alias name>
  # align the APK (zipalign is in build-tools); this must happen BEFORE signing, v2+ signatures break if you align afterwards
  zipalign -v 4 <your_app.apk> <your_app_aligned.apk>
  # sign the aligned APK (apksigner is in build-tools; apksigner.bat on Windows)
  apksigner sign --ks your-keystore.jks --ks-key-alias <key alias name> --out <signed_apk.apk> <your_app_aligned.apk>
  ```
* [Using Objection](https://github.com/sensepost/objection/wiki/Patching-Android-Applications)

### Useful Tools

* [ghidraScript](https://github.com/ghidraninja/ghidra_scripts)
* [Drozer](https://github.com/WithSecureLabs/drozer)
* [Objection](https://github.com/sensepost/objection)
* [RMS](https://github.com/m0bilesecurity/RMS-Runtime-Mobile-Security)
* [House](https://github.com/nccgroup/house)
* [uber-apk-signer](https://github.com/patrickfav/uber-apk-signer)
* [Jadx/Jadx-gui](https://github.com/skylot/jadx)
* [Dex2Jar](https://github.com/pxb1988/dex2jar)
* [APktool](https://apktool.org/)
* [fridump](https://github.com/Nightbringer21/fridump)
* [Frida](https://frida.re/docs/examples/android/)
* [pidcat](https://github.com/JakeWharton/pidcat)
* [apkx](https://github.com/muellerberndt/apkx)
* [Method Tracing Frida](https://mas.owasp.org/MASTG/techniques/android/MASTG-TECH-0033/)
* [reFlutter](https://github.com/Impact-I/reFlutter)
* [blutter](https://github.com/worawit/blutter)
* [ProxyDroid](https://github.com/madeye/proxydroid/)
* [ApkHunt](https://github.com/Cyber-Buddy/APKHunt)
* [Sebastian](https://github.com/Dado1513/SEBASTiAn)
* [PAPIMonitor](https://github.com/Dado1513/PAPIMonitor)
* [scrcpy](https://github.com/Genymobile/scrcpy)
* [apk-mitm](https://github.com/niklashigi/apk-mitm)

### Useful Resources

* [android-penetration-testing-cheatsheet](https://github.com/ivan-sincek/android-penetration-testing-cheat-sheet)
* [Android Pentesting](https://github.com/kiro6/penetration-testing-notes/tree/main/Pentesting/Android%20Pentesting)
* [Hacktricks](https://book.hacktricks.wiki/en/mobile-pentesting/android-app-pentesting/index.html)
* OWASP Mobile
  * [MASTG Techniques](https://mas.owasp.org/MASTG/techniques/)
  * [MASTG Test-beta](https://mas.owasp.org/MASTG/tests-beta/)
  * [MASTG Test](https://mas.owasp.org/MASTG/tests)
  * [MAS Checklist](https://mas.owasp.org/checklists/)
  * [MAS Checklist xlsx](https://github.com/OWASP/owasp-mastg/releases/latest/download/OWASP_MAS_Checklist.xlsx)
* [Testing Tools](https://mas.owasp.org/MASTG/tools/)
* Frida Script
  * [Frida Code Share](https://codeshare.frida.re/browse)
  * [Frida Mobile Script](https://github.com/m0bilesecurity/Frida-Mobile-Scripts/tree/master)
  * [frida.re](https://frida.re/docs/home)
  * [learnfrida.info](https://learnfrida.info)
  * [codeshare.frida.re](https://codeshare.frida.re)
  * [github.com/dweinstein/awesome-frida](https://github.com/dweinstein/awesome-frida)
  * [github.com/interference-security/frida-scripts](https://github.com/interference-security/frida-scripts)
