
Android Application Pentesting

Android PT Mindmap

Reversing

Java/Kotlin

  • Decompile apk

    • Jadx/Jadx-gui

    • Dex2Jar

    • APktool

  • Native

    • Identify .so inside app lib/<arch>/*.so

    • Check binary hardening (stack canary, PIC/PIE, NX, RELRO): rabin2 -I lib/x86_64/libnative-lib.so | grep -E "canary|pic|nx|relro"

    • Decompile with Ghidra / IDA Pro / radare2

  • Resources

    • Native decompiling

    • Reversing Native Libraries

    • Smali (MASTG-TECH-0016): https://mas.owasp.org/MASTG/techniques/android/MASTG-TECH-0016/

    • JavaCode

React Native

  • Disassemblers and assemblers for the Hermes bytecode in assets/index.android.bundle (if the bundle is plain JavaScript, read it directly)

    • hermes-facebook

    • hermes engine

    • hermes-dec

    • hbctool

    • hbctool-fork

    • hasmer

    • hermes_rs

  • Resources

    • Reversing and Instrumenting React Native Apps

    • Reversing React Native

    • Reversing React Native apps

    • Editing and patching React Native applications

    • Understanding and modifying Hermes bytecode

Cordova/Ionic/PhoneGap

  • Source code located in assets/www

  • Resources

    • Effortless pentesting of Apache Cordova applications

    • Cordova Apps

Xamarin

  • Find assemblies in apk

    • xamarin-decompress

    • XamAsmUnZ

    • dnSpy

    • DLL extractor from .so (Xamarin app)

  • Resources

    • xamarin-apps

    • Appknox: Reversing Xamarin apps

Flutter

  • Flutter Reversing

Apk Signature

  • Verify Signature

    • apksigner verify --verbose example.apk

    • apksigner verify --print-certs --verbose example.apk

Static Analysis

Insecure Crypto-Methods

  • Insecure algorithms

    • DES, 3DES

    • RC2

    • RC4

    • Blowfish

    • MD4

    • MD5

    • SHA1

  • Insecure modes and parameters: ECB mode, static IV, hardcoded key

  • Weak randomness: java.util.Random used for security values, or SecureRandom seeded with a constant (setSeed() or a seed passed to the constructor); new SecureRandom() with no argument is the correct call

Interesting File

  • Android Manifest AndroidManifest.xml

  • Network Security Config, res/xml/network_security_config.xml (the file name is whatever android:networkSecurityConfig in the manifest points to)

  • assets directory

  • res/xml directory

Find Secret/URL/Endpoint

  • strings command

  • Retrieving String

  • Apkleaks
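The crypto checklist above and the secret/URL hunt can be done in one pass over the jadx or apktool output. The script below is an added example written for these notes, not apkleaks or any other tool named on the page; the rule names, the sample Java class and the sample `strings` output are constructed for the demo, and the rule set is intentionally small so you can extend it. Note that `new SecureRandom()` with no argument is the correct call: the static-seed rule only fires on a constructor seed or `setSeed()`.

```python
"""Regex scanner for decompiled Android sources (example added to these notes).

Runs over the Java/Kotlin/smali tree produced by jadx or apktool, or over the
output of `strings app.apk`, and reports the insecure crypto calls listed above
plus hardcoded secrets and endpoints. Inputs at the bottom are constructed samples.
"""
import re
import sys
from dataclasses import dataclass
from pathlib import Path


@dataclass
class Finding:
    rule: str
    file: str
    line: int
    match: str


# Crypto rules follow the checklist above. `new SecureRandom()` with no argument is the
# correct call and is deliberately NOT matched; a constructor seed or setSeed() is the bug.
RULES = [
    ("weak-cipher", re.compile(r'Cipher\.getInstance\(\s*"(?:DES|DESede|RC2|RC4|ARCFOUR|Blowfish)[^"]*"', re.I)),
    ("ecb-mode", re.compile(r'Cipher\.getInstance\(\s*"[^"]*/ECB/[^"]*"', re.I)),
    ("weak-hash", re.compile(r'MessageDigest\.getInstance\(\s*"(?:MD4|MD5|SHA-?1)"', re.I)),
    ("static-seed", re.compile(r'SecureRandom\s*\(\s*[^)\s][^)]*\)|\.setSeed\s*\(')),
    ("java-util-random", re.compile(r'\bnew\s+(?:java\.util\.)?Random\s*\(')),
    # Secret / endpoint rules in the spirit of apkleaks; extend with your own patterns.
    ("aws-access-key", re.compile(r'\bAKIA[0-9A-Z]{16}\b')),
    ("private-key", re.compile(r'-----BEGIN (?:RSA |EC )?PRIVATE KEY-----')),
    ("hardcoded-credential", re.compile(r'\b(?:password|passwd|secret|api[_-]?key|token)\b\s*[=:]\s*"[^"]{4,}"', re.I)),
    ("url", re.compile(r"https?://[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]+")),
]


def scan_text(text, name="<input>"):
    """Apply every rule to every line; returns Finding objects in file order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, rx in RULES:
            for m in rx.finditer(line):
                findings.append(Finding(rule, name, lineno, m.group(0)))
    return findings


def scan_tree(root, suffixes=(".java", ".kt", ".smali", ".xml", ".js")):
    """Walk a jadx/apktool output directory (or a pulled /data/data/<pkg> tree)."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix in suffixes:
            findings += scan_text(path.read_text(errors="replace"), str(path.relative_to(root)))
    return findings


def summarize(findings):
    """Count findings per rule so noisy rules (url) can be triaged separately."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# Constructed sample resembling jadx output; not taken from any real app.
SAMPLE_JAVA = '''package com.example.demo;
public class Crypto {
    static final String API_KEY = "s3cr3t-demo-key-value";
    byte[] enc(byte[] k, byte[] d) throws Exception {
        Cipher c = Cipher.getInstance("DES/ECB/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(k, "DES"));
        return c.doFinal(d);
    }
    String hash(byte[] d) throws Exception {
        return hex(MessageDigest.getInstance("MD5").digest(d));
    }
    byte[] nonce() {
        SecureRandom bad = new SecureRandom("fixed".getBytes());
        bad.setSeed(42L);
        SecureRandom ok = new SecureRandom();
        return new byte[12];
    }
}
'''

# Constructed sample of `strings app.apk` output.
SAMPLE_STRINGS = '''https://api.example.com/v1/login
AKIAIOSFODNN7EXAMPLE
'''

if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = scan_tree(sys.argv[1])
    else:
        results = scan_text(SAMPLE_JAVA, "Crypto.java") + scan_text(SAMPLE_STRINGS, "strings.txt")
    for f in results:
        print(f"{f.file}:{f.line}: [{f.rule}] {f.match}")
    print(summarize(results))
```

Point it at the jadx output directory (`python scan.py out/sources`) or at the `strings` dump saved to a file; the same scanner works on `shared_prefs/*.xml` pulled from /data/data/<package_name>.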

Insecure DeepLink

  • Check whether https://<host>/.well-known/assetlinks.json exists and lists the app's package name and signing-certificate SHA-256; without a valid file an android:autoVerify="true" intent filter degrades to an unverified deep link that any other app can claim

  • Exploit deeplink

  • DeepLink Vulnerabilities

WebView

  • Arbitrary resource loading: loadUrl()/loadData() called with attacker-controlled input (e.g. from an exported activity or a deep link)

  • JavascriptInterface: addJavascriptInterface() exposes Java objects to page JS; every @JavascriptInterface method is callable by whatever content the WebView loads

  • JavaScript enabled: getSettings().setJavaScriptEnabled(true)

  • Local file inclusion: setAllowFileAccess(true), setAllowFileAccessFromFileURLs(true) or setAllowUniversalAccessFromFileURLs(true) let file:// content read app-private files

  • XSS: untrusted data rendered into the WebView

Setup Device

Emulator

  • rootAVD

  • OWASP Techniques Emulator

Physical Device

  • Rooting

  • Magisk

    • LSPosed (Xposed-style hooks as a Zygisk module)

    • Magisk Hide (removed in Magisk 24; use Zygisk + DenyList, or a Zygisk module such as Shamiko, to hide root from the target app)

    • Enable Zygisk

  • Useful Modules

    • MagiskFrida

    • Custom-Certificate-Authorities

    • Magisk DenyList / Shamiko (MagiskHide replacement)

Root Detection

  • Missing Root Detection

  • Bypass

    • Frida

    • Code / Repack

    • Magisk Hide

Emulator Detection

  • Missing Check

  • Bypass

    • Frida

    • Code Manipulation / Patching

Anti-Tampering

  • Check whether the APK signature is verified at runtime

    • re-sign the APK with uber-apk-signer and run it; if it starts normally, the app does not check its own signature

  • Check whether code integrity is verified

    • patch the code (native, Hermes, JS, smali), re-sign the APK and run it again

Dynamic Analysis

Pull apk

  • list apk

    • adb shell pm list packages

  • get path apk (or apks)

    • adb shell pm path sg.vp.owasp_mobile.omtg_android

  • Download apk

    • adb pull <path> (repeat for every path printed; split installs list base.apk plus split_config.*.apk)
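The three adb steps above as one script, added here as an example for these notes (it is not part of objection or any other tool on the page). The `pm path` output it parses offline is a constructed sample, and the output directory layout is this example's own choice.

```python
"""Pull an installed app's APKs, split APKs included (example added to these notes).

`pm path <pkg>` prints one `package:/data/app/.../base.apk` line per APK. Apps
installed from an App Bundle also list split_config.*.apk files, and all of them
are needed for a complete decompile (resources, native libs) or for a reinstall
with `adb install-multiple`. The `pm path` output at the bottom is a constructed sample.
"""
import subprocess
import sys
from pathlib import Path


def parse_pm_path(output):
    """Strip the `package:` prefix from each line of `pm path` output."""
    return [line.strip()[len("package:"):]
            for line in output.splitlines() if line.strip().startswith("package:")]


def pull_commands(pkg, device_paths, outdir="apks"):
    """One `adb pull` per APK, keeping the on-device file name under outdir/<pkg>/."""
    return [["adb", "pull", p, str(Path(outdir) / pkg / Path(p).name)] for p in device_paths]


def pull_apk(pkg, outdir="apks"):
    """Run the steps above for one package and return the device paths pulled."""
    pm = subprocess.run(["adb", "shell", "pm", "path", pkg],
                        capture_output=True, text=True, check=True).stdout
    paths = parse_pm_path(pm)
    if not paths:
        raise SystemExit(f"{pkg}: not installed (check `adb shell pm list packages -3`)")
    (Path(outdir) / pkg).mkdir(parents=True, exist_ok=True)
    for cmd in pull_commands(pkg, paths, outdir):
        subprocess.run(cmd, check=True)
    return paths


# Constructed sample of `adb shell pm path` output for a split-APK install.
SAMPLE_PM_PATH = """\
package:/data/app/~~c0nstructed==/sg.vp.owasp_mobile.omtg_android-s4mple==/base.apk
package:/data/app/~~c0nstructed==/sg.vp.owasp_mobile.omtg_android-s4mple==/split_config.arm64_v8a.apk
package:/data/app/~~c0nstructed==/sg.vp.owasp_mobile.omtg_android-s4mple==/split_config.xxhdpi.apk
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for p in pull_apk(sys.argv[1]):
            print("pulled", p)
    else:
        # Offline demo: print the commands that would run for the sample output.
        for cmd in pull_commands("sg.vp.owasp_mobile.omtg_android", parse_pm_path(SAMPLE_PM_PATH)):
            print(" ".join(cmd))
```

`python pull_apk.py <package_name>` pulls everything into apks/<package_name>/; `adb install-multiple apks/<package_name>/*.apk` puts a patched split install back on the device.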

Content Provider

  • Exploiting Content Provider

Binary Instrumentation

  • Dynamic Analysis on non rooted device

    • objection patchapk --source UnCrackable-Level1.apk

  • Tools

    • Frida

    • Objection

Interact with App

  • Drozer

    • Tutorial Drozer

  • Attack Surface

    • run app.package.attacksurface <package_name>

Process Exploration

  • Fridump

  • Objection

    • objection --gadget sg.vantagepoint.helloworldjni explore

    • memory dump all

  • Process Exploration

Method Tracing

  • Execution Tracing

  • Method Tracing

  • Native Code Tracing

  • JNI Tracing

Hooking Method

  • Getting loaded classes

    • OWASP Getting Loaded Classes

  • OWASP Hooking

Library Injection

  • Library Injection MASTG

Debugger

  • OWASP Debugging

  • Exploit App Debuggable

  • Resources

    • Debugger

Network

Network Monitoring

  • Set Proxy

  • monitoring traffic

  • iptables

  • tcpdump

SSL Pinning bypass

  • OWASP SSL Pinning Bypass (MASTG)

  • Using Frida

    • SSL pinning bypass on Android with Frida

    • Bypass SSL pinning for Flutter

  • Flutter App

    • reFlutter

    • OWASP Flutter

    • Flutter SSL Pinning Bypass Frida

  • Tools

    • apk-mitm

    • frida-interception-and-unpinning

    • frida-android-unpinning

    • reFlutter

Storage

Sensitive information in Local Storage

  • path /data/data/<package_name>

    • SharedPref

    • Database

    • Other files

  • Objection objection -g sg.vp.owasp_mobile.omtg_android explore

File in External Storage

  • List the files under /sdcard and pull the whole tree for review

    • adb pull /sdcard

  • Hook the storage APIs with Frida and watch what the app writes there

    • getExternalStorageDirectory

    • getExternalStoragePublicDirectory

    • getExternalFilesDir or FileOutputStream

  • Permissions WRITE_EXTERNAL_STORAGE and MANAGE_EXTERNAL_STORAGE in the manifest; anything written to shared external storage is readable by other apps with storage access

Sensitive Information Logcat

  • pidcat

  • adb logcat

  • Log, Logger, System.out.print, System.err.print, and java.lang.Throwable#printStackTrace

Misconfiguration

Android Backup

  • android:allowBackup="true" (also the default when the attribute is omitted): adb backup can export the app's data (for apps targeting API 31+ the data is excluded unless the app is also debuggable)

  • Android Backup Extractor (abe) to unpack the .ab file
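The manifest items above (Interesting File, Insecure DeepLink, Content Provider, Exploit App Debuggable, Android Backup) can be checked in one pass over the AndroidManifest.xml that apktool decodes. The script below is an added example written for these notes, not MobSF, drozer or any other tool named on the page; the sample manifest and the issue labels are constructed for the demo.

```python
"""Manifest misconfiguration checks (example added to these notes).

Reads the AndroidManifest.xml from an apktool output directory and reports
debuggable builds, allowBackup, cleartext traffic, missing network security
config, exported components without a permission, and deep/app link hosts
whose /.well-known/assetlinks.json must be verified. Sample manifest is constructed.
"""
import sys
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
COMPONENTS = ("activity", "activity-alias", "service", "receiver", "provider")


def attr(el, name, default=None):
    return el.get(ANDROID + name, default)


def is_launcher(comp):
    """The MAIN/LAUNCHER activity is exported by design, so it is not reported."""
    return any(attr(a, "name") == "android.intent.action.MAIN"
               for f in comp.findall("intent-filter") for a in f.findall("action"))


def is_exported(comp):
    """Platform rule: an explicit android:exported wins; otherwise a component with an
    <intent-filter> is exported. A <provider> without the attribute is treated as not
    exported (the old default of true only applies when targeting API < 17)."""
    explicit = attr(comp, "exported")
    if explicit is not None:
        return explicit == "true"
    if comp.tag == "provider":
        return False
    return comp.find("intent-filter") is not None


def check_manifest(xml_text):
    """Return (issue, component, detail) tuples for the manifest text."""
    app = ET.fromstring(xml_text).find("application")
    issues = []
    if attr(app, "debuggable") == "true":
        issues.append(("debuggable", "application", "debug build: run-as, jdb and frida-gadget work without root"))
    if attr(app, "allowBackup", "true") == "true":  # the attribute defaults to true
        issues.append(("allow-backup", "application", "adb backup can export app data (excluded for targetSdk >= 31 unless debuggable)"))
    if attr(app, "usesCleartextTraffic") == "true":
        issues.append(("cleartext-traffic", "application", "HTTP allowed app-wide"))
    if attr(app, "networkSecurityConfig") is None:
        issues.append(("no-network-security-config", "application", "no res/xml network security config: platform defaults only, no pinning"))
    for comp in app:
        if comp.tag not in COMPONENTS:
            continue
        name = attr(comp, "name")
        if is_exported(comp) and attr(comp, "permission") is None and not is_launcher(comp):
            issues.append(("exported-" + comp.tag, name, "reachable by any app (drozer: app.package.attacksurface)"))
        if comp.tag == "provider" and attr(comp, "grantUriPermissions") == "true":
            issues.append(("grant-uri-permissions", name, "check path-permission and traversal in openFile()"))
        for filt in comp.findall("intent-filter"):
            verified = attr(filt, "autoVerify") == "true"
            for data in filt.findall("data"):
                scheme, host = attr(data, "scheme"), attr(data, "host")
                if scheme in ("http", "https") and host:
                    kind = "app-link" if verified else "deep-link"
                    issues.append((kind, name, f"{scheme}://{host}: fetch https://{host}/.well-known/assetlinks.json"))
                elif scheme:
                    issues.append(("custom-scheme", name, f"{scheme}:// can be registered by any other app"))
    return issues


# Constructed sample manifest (apktool-style, attributes already decoded).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.demo">
  <application android:allowBackup="true" android:debuggable="true" android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".LinkActivity">
      <intent-filter android:autoVerify="true">
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="https" android:host="demo.example.com"/>
      </intent-filter>
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <data android:scheme="demoapp"/>
      </intent-filter>
    </activity>
    <provider android:name=".NotesProvider" android:authorities="com.example.demo.notes" android:exported="true"/>
    <service android:name=".SyncService" android:exported="true" android:permission="com.example.demo.SYNC"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MANIFEST
    for issue, comp, detail in check_manifest(text):
        print(f"[{issue}] {comp}: {detail}")
```

Decode first with `apktool d app.apk -o out`, then `python manifest_check.py out/AndroidManifest.xml`. To confirm an allow-backup finding on a device below Android 12, run `adb backup -f app.ab -noapk <package_name>` and unpack the .ab with Android Backup Extractor; an app-link finding is confirmed by fetching the assetlinks.json and comparing its sha256_cert_fingerprints with the output of apksigner verify --print-certs.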

Debug Certificate

  • Check whether the app is signed with the Android debug keystore

    • apksigner verify --print-certs example.apk

    • a debug build shows the signer DN "CN=Android Debug,O=Android,C=US"

App Tampering

  • Modifying smali (types, methods and fields): https://github.com/JesusFreke/smali/wiki/TypesMethodsAndFields

  • Smali-Repack

  • Re-sign the APK with uber-apk-signer, or by hand:

    # create a signing key (keytool ships with the JDK; Android Studio bundles it under "Android Studio\jbr\bin\keytool.exe")
    keytool -genkeypair -v -keystore your-keystore.jks -keyalg RSA -keysize 2048 -validity 10000 -alias <key alias name>
    # align the app (zipalign is in build-tools; with apksigner it must run BEFORE signing, otherwise the signature is invalidated)
    zipalign -v 4 <your_app.apk> <your_app_aligned.apk>
    # sign the aligned APK (apksigner, or apksigner.bat on Windows, is in build-tools)
    apksigner sign --ks your-keystore.jks --ks-key-alias <key alias name> --out <signed_apk.apk> <your_app_aligned.apk>
  • Using objection patchapk (injects the Frida gadget and re-signs the APK in one step)

Useful Tools

  • ghidraScript

  • Drozer

  • Objection

  • RMS

  • House

  • uber-apk-signer

  • Jadx/Jadx-gui

  • Dex2Jar

  • APktool

  • fridump

  • Frida

  • pidcat

  • apkx

  • Method Tracing Frida

  • reFlutter

  • blutter

  • ProxyDroid

  • ApkHunt

  • Sebastian

  • PAPIMonitor

  • scrcpy

  • apk-mitm

Useful Resources

  • android-penetration-testing-cheatsheet

  • Android Pentesting

  • Hacktricks

  • OWASP Mobile

    • MASTG Techniques

    • MASTG Test-beta

    • MASTG Test

    • MAS Checklist

    • MAS Checklist xlsx

  • Testing Tools

  • Frida Script

    • Frida Code Share

    • Frida Mobile Script

    • frida.re

    • learnfrida.info

    • codeshare.frida.re

    • github.com/dweinstein/awesome-frida

    • github.com/interference-security/frida-scripts

Last updated 2 months ago