Android Application Pentesting
Decompile apk
Native
Identify .so
inside app lib/<arch>/*.so
rabin2 -I lib/x86_64/libnative-lib.so | grep -E "canary|pic"
Decompile with Ghidra/IDA Pro/R2
Resources
[Smali](https://mas.owasp.org/MASTG/techniques/android/MASTG-TECH-0016/)
Disassembler and Assembler assets/index.android.bundle
Resources
Source code located in assets/www
Resources
Find assemblies in apk
Resources
Verify Signature
apksigner verify --verbose example.apk
apksigner verify --print-certs --verbose example.apk
DES, 3DES
RC2
RC4
BLOWFISH
MD4
MD5
SHA1
SecureRandom with Empty Argument
Android Manifest AndroidManifest.xml
Network Security Config NetworkSecurityConfig.xml
assets directory
res/xml directory
strings command
Check whether /.well-known/assetlinks.json exists
Arbitrary Resources Load
JavascriptInterface
Javascript Enable
Local File Inclusion
XSS
Rooting
Magisk
lsposed
Magisk Hide
Enable Zygisk
Useful Modules
Missing Root Detection
Bypass
Frida
Code / Repack
Magisk Hide
Missing Check
Bypass
Frida
Code Manipulation / Patching
Check if signature is verified
use uber-apk-signer and try to execute app
Check if integrity of code is verified
patch code (native, hermes, js, smali), sign app and try to execute again
list apk
adb shell pm list packages
get path of apk (or apks)
adb shell pm path sg.vp.owasp_mobile.omtg_android
Download apk
adb pull <path>
Dynamic Analysis on non rooted device
objection patchapk --source UnCrackable-Level1.apk
Tools
Attack Surface
run app.package.attacksurface <package_name>
Objection
objection --gadget sg.vantagepoint.helloworldjni explore
memory dump all
Getting loaded classes
Resources
iptables
tcpdump
Using Frida
Flutter App
Tools
path /data/data/<package_name>
SharedPref
Database
Other files
Objection objection -g sg.vp.owasp_mobile.omtg_android explore
Get list of files in /sdcard
adb pull /sdcard
Using Frida and monitoring API
getExternalStorageDirectory, getExternalStoragePublicDirectory, getExternalFilesDir or FileOutputStream
Permission WRITE_EXTERNAL_STORAGE, and MANAGE_EXTERNAL_STORAGE
adb logcat
Log, Logger, System.out.print, System.err.print, and java.lang.Throwable#printStackTrace
android:allowBackup="true"
Check if app uses a debug certificate
apksigner verify --verbose example.apk
"CN=Android Debug,O=Android,C=US"
Modifying [smali](https://github.com/JesusFreke/smali/wiki/TypesMethodsAndFields)
OWASP Mobile
Frida Script
OWASP:
Android backup extractor
Resign apk
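The android:allowBackup and debug-certificate checks listed above can be automated in a release review. The script below is an added example, not part of the original page: it assumes the `apksigner verify --print-certs` output was saved as text and that AndroidManifest.xml was already decoded to plain XML (for example with apktool). The sample inputs and all function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
DEBUG_DN = {"CN": "Android Debug", "O": "Android", "C": "US"}

# Constructed sample inputs (not taken from a real app).
SAMPLE_APKSIGNER = """\
Verifies
Verified using v2 scheme (APK Signature Scheme v2): true
Signer #1 certificate DN: CN=Android Debug, O=Android, C=US
Signer #1 certificate SHA-256 digest: <constructed-placeholder>
"""
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <application android:allowBackup="true" android:label="demo"/>
</manifest>
"""

def parse_dn(dn):
    """Split 'CN=..., O=..., C=..' into a dict, tolerating spacing."""
    parts = (p.split("=", 1) for p in dn.split(",") if "=" in p)
    return {k.strip().upper(): v.strip() for k, v in parts}

def debug_signers(apksigner_output):
    """Return signer numbers whose certificate DN is the Android debug DN."""
    pattern = r"^Signer #(\d+) certificate DN: (.+)$"
    return [int(m.group(1))
            for m in re.finditer(pattern, apksigner_output, re.M)
            if parse_dn(m.group(2)) == DEBUG_DN]

def backup_allowed(manifest_xml):
    """True if allowBackup is "true" or absent (the attribute defaults to true)."""
    app = ET.fromstring(manifest_xml).find("application")
    if app is None:
        return False
    value = app.get(f"{{{ANDROID_NS}}}allowBackup")
    return value is None or value.strip().lower() == "true"

def audit(apksigner_output, manifest_xml):
    """Collect release-hygiene findings from both inputs."""
    findings = [f"signer #{n} uses the Android debug certificate"
                for n in debug_signers(apksigner_output)]
    if backup_allowed(manifest_xml):
        findings.append("android:allowBackup is true or unset")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_APKSIGNER, SAMPLE_MANIFEST):
        print("[!]", finding)
```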