# Android Application Pentesting

## **Android PT Mindmap**

### Reversing

#### Java/Kotlin

* Decompile apk
  * [Jadx/Jadx-gui](https://github.com/skylot/jadx)
  * [Dex2Jar](https://github.com/pxb1988/dex2jar)
  * [APktool](https://apktool.org/)
* Native
  * Identify `.so` files inside the app under `lib/<arch>/*.so`
  * `rabin2 -I lib/x86_64/libnative-lib.so | grep -E "canary|pic"`
  * Decompile with Ghidra/IDA Pro/r2
* Resources
  * [Native decompiling](https://mas.owasp.org/MASTG/techniques/android/MASTG-TECH-0024/#ida-pro)
  * [Reversing Native Libraries](https://book.hacktricks.wiki/en/mobile-pentesting/android-app-pentesting/reversing-native-libraries.html)
  * [Smali](https://mas.owasp.org/MASTG/techniques/android/MASTG-TECH-0016/)
  * [JavaCode](https://mas.owasp.org/MASTG/techniques/android/MASTG-TECH-0017/)

#### React Native

* Disassemblers and assemblers for the Hermes bytecode bundle `assets/index.android.bundle`
  * [hermes-facebook](https://github.com/facebook/hermes/tree/main)
  * [hermes engine](https://hermesengine.dev/)
  * [hermes-dec](https://github.com/P1sec/hermes-dec)
  * [hbctool](https://github.com/bongtrop/hbctool)
  * [hbctool-fork](https://github.com/Kirlif/HBC-Tool)
  * [hasmer](https://github.com/lucasbaizer2/hasmer)
  * [hermes\_rs](https://github.com/Pilfer/hermes_rs)
* Resources
  * [Reversing and Instrumenting React Native Apps](https://pilfer.github.io/mobile-reverse-engineering/react-native/reverse-engineering-and-instrumenting-react-native-apps/)
  * [Reversing React Native apps](https://book.hacktricks.wiki/en/mobile-pentesting/android-app-pentesting/react-native-application.html)
  * [editing-and-patching-react-native-applications/](https://payatu.com/blog/editing-and-patching-react-native-applications/)
  * [understanding-modifying-hermes-bytecode](https://payatu.com/blog/understanding-modifying-hermes-bytecode/)

#### Cordova/Ionic/PhoneGap

* Source code located in `assets/www`
* Resources
  * [effortless-pentesting-of-apache-cordova-applications](https://payatu.com/blog/effortless-pentesting-of-apache-cordova-applications/)
  * [Cordova Apps](https://book.hacktricks.wiki/en/mobile-pentesting/cordova-apps.html)

#### Xamarin

* Find the `assemblies` directory inside the apk
  * [xamarin-decompress](https://github.com/NickstaDB/xamarin-decompress)
  * [XamAsmUnZ](https://github.com/cihansol/XamAsmUnZ)
  * [dnSpy](https://github.com/dnSpy/dnSpy)
  * [dll-extractor-from-so-xamarin-app](https://github.com/Dado1513/dll-extractor-from-so-xamarin-app)
* Resources
  * [xamarin-apps](https://book.hacktricks.wiki/en/mobile-pentesting/xamarin-apps.html)
  * [appknox-reversing-xamarin](https://www.appknox.com/blog/xamarin-reverse-engineering-a-guide-for-penetration-testers)

#### Flutter

* [Flutter Reversing](https://mas.owasp.org/MASTG/techniques/android/MASTG-TECH-0112/)

#### Apk Signature

* Verify Signature
  * `apksigner verify --verbose example.apk`
  * `apksigner verify --print-certs --verbose example.apk`

### Static Analysis

#### Insecure Crypto-Methods

* [Insecure Algorithm](https://mas.owasp.org/MASTG/0x04g-Testing-Cryptography/#identifying-insecure-andor-deprecated-cryptographic-algorithms)
  * DES, 3DES
  * RC2
  * RC4
  * BLOWFISH
  * MD4
  * MD5
  * SHA1
* SecureRandom with Empty Argument

#### Interesting File

* Android Manifest `AndroidManifest.xml`
* Network Security Config `NetworkSecurityConfig.xml`
* `assets` directory
* `res/xml` directory

#### Find Secret/URL/Endpoint

* `strings` command
* [Retrieving String](https://mas.owasp.org/MASTG/techniques/android/MASTG-TECH-0019/)
* [Apkleaks](https://github.com/dwisiswant0/apkleaks)

#### Insecure DeepLink

* Check if exists `/.well-known/assetlinks.json`
* [Exploit deeplink](https://redfoxsec.com/blog/protect-your-android-app-preventing-exploitation-of-deep-links/)
* [DeepLink Vulnerabilities](https://0xn3va.gitbook.io/cheat-sheets/android-application/intent-vulnerabilities/deep-linking-vulnerabilities)

#### WebView

* Arbitrary Resources Load
* JavascriptInterface
* JavaScript enabled
* Local File Inclusion
* XSS

### Setup Device

#### Emulator

* [rootAVD](https://gitlab.com/newbit/rootAVD)
* [OWASP Techniques Emulator](https://mas.owasp.org/MASTG/techniques/android/MASTG-TECH-0036/)

#### Physical Device

* Rooting
* Magisk
  * lsposed
  * Magisk Hide
  * Enable Zygisk
* Useful Modules
  * [MagiskFrida](https://github.com/ViRb3/magisk-frida)
  * [Custom-Certificate-Authorities](https://github.com/Magisk-Modules-Alt-Repo/custom-certificate-authorities)
  * [Magisk hide](https://github.com/Magisk-Modules-Repo/MagiskHidePropsConf)

#### Root Detection

* Missing Root Detection
* Bypass
  * Frida
  * Code / Repack
  * Magisk Hide

#### Emulator Detection

* Missing Check
* Bypass
  * Frida
  * Code Manipulation / Patching

#### Anti-Tampering

* Check whether the signature is verified
  * re-sign with `uber-apk-signer` and try to execute the app
* Check whether code integrity is verified
  * patch code (native, hermes, js, smali), sign the app and try to execute it again

### Dynamic Analysis

#### Pull apk

* List packages
  * `adb shell pm list packages`
* Get apk path (or apks for split packages)
  * `adb shell pm path sg.vp.owasp_mobile.omtg_android`
* Download apk
  * `adb pull <path>`

#### Content Provider

* [Exploiting Content Provider](https://book.hacktricks.wiki/en/mobile-pentesting/android-app-pentesting/content-protocol.html)

#### Binary Instrumentation

* Dynamic analysis on a non-rooted device
  * `objection patchapk --source UnCrackable-Level1.apk`
* Tools
  * [Frida](https://book.hacktricks.wiki/en/mobile-pentesting/android-app-pentesting/frida-tutorial/index.html)
  * [Objection](https://github.com/sensepost/objection)

#### Interact with App

* [Drozer](https://github.com/WithSecureLabs/drozer)
  * [Tutorial Drozer](https://book.hacktricks.wiki/en/mobile-pentesting/android-app-pentesting/drozer-tutorial/index.html)
* Attack Surface
  * `run app.package.attacksurface <package_name>`

#### Process Exploration

* [Fridump](https://github.com/Nightbringer21/fridump)
* Objection
  * `objection --gadget sg.vantagepoint.helloworldjni explore`
  * `memory dump all`
* [Process Exploration](https://mas.owasp.org/MASTG/techniques/android/MASTG-TECH-0044/)

#### Method Tracing

* [Execution Tracing](https://mas.owasp.org/MASTG/techniques/android/MASTG-TECH-0032/)
* [Method Tracing](https://mas.owasp.org/MASTG/techniques/android/MASTG-TECH-0033/)
* [Native Code Tracing](https://mas.owasp.org/MASTG/techniques/android/MASTG-TECH-0034/)
* [JNI Tracing](https://mas.owasp.org/MASTG/techniques/android/MASTG-TECH-0035/)

#### Hooking Method

* Getting loaded classes
  * [OWASP Getting Loaded Classes](https://mas.owasp.org/MASTG/techniques/android/MASTG-TECH-0042/)
* [OWASP Hooking](https://mas.owasp.org/MASTG/techniques/android/MASTG-TECH-0043/)

#### Library Injection

* [Library Injection MASTG](https://mas.owasp.org/MASTG/techniques/android/MASTG-TECH-0041/#patching-applications-native-library)

#### Debugger

* [OWASP Debugging](https://mas.owasp.org/MASTG/techniques/android/MASTG-TECH-0031/)
* [Exploit App Debuggable](https://book.hacktricks.wiki/en/mobile-pentesting/android-app-pentesting/exploiting-a-debuggeable-applciation.html)
* Resources
  * [Debugger](https://mas.owasp.org/MASTG/techniques/android/MASTG-TECH-0040/)

### Network

#### Network Monitoring

* [Set Proxy](https://mas.owasp.org/MASTG/techniques/android/MASTG-TECH-0011/)
* [monitoring traffic](https://mas.owasp.org/MASTG/techniques/android/MASTG-TECH-0010/)
* iptables
* tcpdump

#### SSL Pinning bypass

* OWASP: [OWASP SSL Pinning Bypass](https://mas.owasp.org/MASTG/techniques/android/MASTG-TECH-0012/)
* Using Frida
  * [ssl-pinning-bypass-android-frida](https://redfoxsec.com/blog/ssl-pinning-bypass-android-frida/)
  * [bypass-ssl-pinning-for-flutter](https://medium.com/@appsecwarrior/bypass-ssl-pinning-for-flutter-a2f9ae85762e)
* Flutter App
  * [reFlutter](https://github.com/Impact-I/reFlutter)
  * [OWASP Flutter](https://mas.owasp.org/MASTG/techniques/android/MASTG-TECH-0109/)
  * [Flutter SSL Pinning Bypass Frida](https://github.com/horangi-cyops/flutter-ssl-pinning-bypass)
* Tools
  * [apk-mitm](https://github.com/niklashigi/apk-mitm)
  * [frida-interception-and-unpinning](https://github.com/httptoolkit/frida-interception-and-unpinning)
  * [frida-android-unpinning](https://codeshare.frida.re/@masbog/frida-android-unpinning-ssl/)
  * [reFlutter](https://github.com/Impact-I/reFlutter)

### Storage

#### Sensitive information in Local Storage

* path `/data/data/<package_name>`
  * SharedPref
  * Database
  * Other files
* Objection `objection -g sg.vp.owasp_mobile.omtg_android explore`

#### File in External Storage

* Get the list of files in `/sdcard`
  * `adb pull /sdcard`
* Using Frida to monitor the API
  * `getExternalStorageDirectory`
  * `getExternalStoragePublicDirectory`
  * `getExternalFilesDir` or `FileOutputStream`
* Permissions `WRITE_EXTERNAL_STORAGE` and `MANAGE_EXTERNAL_STORAGE`

#### Sensitive Information Logcat

* [pidcat](https://github.com/JakeWharton/pidcat)
* `adb logcat`
* `Log`, `Logger`, `System.out.print`, `System.err.print`, and `java.lang.Throwable#printStackTrace`

### Misconfiguration

#### Android Backup

* `android:allowBackup="true"`
* [Android backup extractor](https://github.com/nelenkov/android-backup-extractor)

#### Debug Certificate

* Check whether the app is signed with a debug certificate
  * `apksigner verify --verbose example.apk`
  * `"CN=Android Debug,O=Android,C=US"`

### App Tampering

* Modifying [smali](https://github.com/JesusFreke/smali/wiki/TypesMethodsAndFields)
* [Smali-Repack](https://book.hacktricks.wiki/en/mobile-pentesting/android-app-pentesting/smali-changes.html)
* Resign `apk` [uber-apk-signer](https://github.com/patrickfav/uber-apk-signer)

  ```bash
  # create a signing key (keytool ships with Android Studio, e.g. "Android Studio\jbr\bin\keytool.exe")
  keytool -genkey -v -keystore your-keystore.jks -keyalg RSA -keysize 2048 -validity 10000 -alias <key alias name>
  # align the apk (zipalign is in build-tools)
  zipalign -v 4 <your_app.apk> <your_app_aligned.apk>
  # sign the aligned apk (apksigner is in build-tools; on Linux/macOS use `apksigner` instead of `apksigner.bat`)
  apksigner.bat sign --ks your-keystore.jks --ks-key-alias <key alias name> --out <signed_apk.apk> <your_app_aligned.apk>
  ```
* [Using Objection](https://github.com/sensepost/objection/wiki/Patching-Android-Applications)

### Useful Tools

* [ghidraScript](https://github.com/ghidraninja/ghidra_scripts)
* [Drozer](https://github.com/WithSecureLabs/drozer)
* [Objection](https://github.com/sensepost/objection)
* [RMS](https://github.com/m0bilesecurity/RMS-Runtime-Mobile-Security)
* [House](https://github.com/nccgroup/house)
* [uber-apk-signer](https://github.com/patrickfav/uber-apk-signer)
* [Jadx/Jadx-gui](https://github.com/skylot/jadx)
* [Dex2Jar](https://github.com/pxb1988/dex2jar)
* [APktool](https://apktool.org/)
* [fridump](https://github.com/Nightbringer21/fridump)
* [Frida](https://frida.re/docs/examples/android/)
* [pidcat](https://github.com/JakeWharton/pidcat)
* [apkx](https://github.com/muellerberndt/apkx)
* [Method Tracing Frida](https://mas.owasp.org/MASTG/techniques/android/MASTG-TECH-0033/)
* [reFlutter](https://github.com/Impact-I/reFlutter)
* [blutter](https://github.com/worawit/blutter)
* [ProxyDroid](https://github.com/madeye/proxydroid/)
* [ApkHunt](https://github.com/Cyber-Buddy/APKHunt)
* [Sebastian](https://github.com/Dado1513/SEBASTiAn)
* [PAPIMonitor](https://github.com/Dado1513/PAPIMonitor)
* [scrcpy](https://github.com/Genymobile/scrcpy)
* [apk-mitm](https://github.com/niklashigi/apk-mitm)

### Useful Resources

* [android-penetration-testing-cheatsheet](https://github.com/ivan-sincek/android-penetration-testing-cheat-sheet)
* [Android Pentesting](https://github.com/kiro6/penetration-testing-notes/tree/main/Pentesting/Android%20Pentesting)
* [Hacktricks](https://book.hacktricks.wiki/en/mobile-pentesting/android-app-pentesting/index.html)
* OWASP Mobile
  * [MASTG Techniques](https://mas.owasp.org/MASTG/techniques/)
  * [MASTG Test-beta](https://mas.owasp.org/MASTG/tests-beta/)
  * [MASTG Test](https://mas.owasp.org/MASTG/tests)
  * [MAS Checklist](https://mas.owasp.org/checklists/)
  * [MAS Checklist xlsx](https://github.com/OWASP/owasp-mastg/releases/latest/download/OWASP_MAS_Checklist.xlsx)
* [Testing Tools](https://mas.owasp.org/MASTG/tools/)
* Frida Script
  * [Frida Code Share](https://codeshare.frida.re/browse)
  * [Frida Mobile Script](https://github.com/m0bilesecurity/Frida-Mobile-Scripts/tree/master)
  * [frida.re](https://frida.re/docs/home)
  * [learnfrida.info](https://learnfrida.info)
  * [codeshare.frida.re](https://codeshare.frida.re)
  * [github.com/dweinstein/awesome-frida](https://github.com/dweinstein/awesome-frida)
  * [github.com/interference-security/frida-scripts](https://github.com/interference-security/frida-scripts)
