🛠️Android Application Pentesting
Android PT Mindmap
Reversing
Java/Kotlin
Decompile apk
Native
Identify
.soinside app lib/<arch>/*.sorabin2 -I lib/x86_64/libnative-lib.so | grep -E "canary|pic"Decompile with Ghidra/IDApr/R2
Resources
[Smali](https://mas.owasp.org/MASTG/techniques/android/MASTG-TECH-0016/
React Native
Disassembler and Assembler
assets/index.android.bundle
Cordova/Ionic/Phone Gap
Source code located in
assets/www
Xamarin
Find
assembliesin apk
Flutter
Apk Signature
Verify Signature
apksigner verify --verbose example.apkapksigner verify --print-certs --verbose example.apk
Static Analysis
Insecure Crypto-Methods
DES, 3DES
RC2
RC4
BLOWFISH
MD4
MD5
SHA1
SecureRandom with Empty Argument
Interesting File
Android Manifest
AndroidManifest.xmlNetwork Security Config
NetworkSecurityConfig.xmlassetsdirectoryres/xmldirectory
Find Secret/URL/Endpoint
stringscommand
Insecure DeepLink
Check if exists
/.well-known/assetlinks.json
WebView
Arbitrary Resources Load
JavascriptInterface
Javascript Enable
Local File Inclusion
XSS
Setup Device
Emulator
Physical Device
Rooting
Magisk
lsposed
Magisk Hide
Enable Zygisk
Useful Modules
Root Detection
Missing Root Detection
Bypass
Frida
Code / Repack
Magisk Hide
Emulator Detection
Missing Check
Bypass
Frida
Code Manipulation / Patching
Anti-Tampering
Check if signature is verified
use
uber-apk-signerand try to execute app
Check if integrity of code is verified
patch code (native, hermes, js, smali), sign app and try to execute againg
Dynamic Analysis
Pull apk
list apk
adb shell pm list packages
get path apk (or apks)
adb shell pm path sg.vp.owasp_mobile.omtg_android
Download apk
abd pull <path>
Content Provider
Binary Instrumentation
Dynamic Analysis on non rooted device
objection patchapk --source UnCrackable-Level1.apk
Interact with App
Attack Surface
run app.package.attacksurface <package_name>
Process Exploration
Objection
objection --gadget sg.vantagepoint.helloworldjni explorememory dump all
Method Tracing
Hooking Method
Getting loaded classes
Library Injection
Debugger
Resources
Network
Network Monitoring
iptables
tcpdump
SSL Pinning bypass
OWASP: OWASP SSL Pinning Bypass
Storage
Sensitive information in Local Storage
path
/data/data/<package_name>SharedPref
Database
Other files
Objection
objection -g sg.vp.owasp_mobile.omtg_android explore
File in External Storage
Get list of file in
/sdcardadb pull /sdcard
Using Frida and monitoring Api
getExternalStorageDirectorygetExternalStoragePublicDirectorygetExternalFilesDirorFileOutPutStream
Permission
WRITE_EXTERNAL_STORAGE, andMANAGE_EXTERNAL_STORAG
Sensitive Information Logcat
adb logcatLog,Logger,System.out.print,System.err.print, andjava.lang.Throwable#printStackTrace
Misconfiguration
Android Backup
android:allowBackup="true"Android backup extractor Android backup extractor
Debug Certificate
Check if app use debug certificate
apksigner verify --verbose example.apk"CN=Android Debug,O=Android,C=US"
App Tampering
Modifying [smali](https://github.com/JesusFreke/smali/wiki/TypesMethodsAndFields
Resign
apkuber-apk-signer# create sign key (can be found in "Android Studio\jbr\bin\keytool.exe" ) keytool -genkey -v -keystore your-keystore.jks -keyalg RSA -keysize 2048 -validity 10000 -alias <key alias name> # align the app (can be found in build-tools) zipalign -v 4 <your_app.apk> <your_app_aligned.apk> # sign the key (can be found in build-tools ) apksigner.bat sign --ks your-keystore.jks --ks-key-alias <key alias name> --out <signed_apk.apk> <not_signed_apk.apk>
Useful Tools
Useful Resources
Last updated