Mobile Pentest

Tools and Common vulnerabilities

CheckList

PentestingEverything/Mobile Pentesting/Android Pentesting at main · m14r41/PentestingEverythingGitHub

Emulator

Genymotion – Android Emulator for app testing Cross-platform Android Emulator for manual and automated app testingGenymotion – Android Emulator for app testing

Intercept traffic

GitHub - kaizensecurity/Intercept-Flutter-Apps: Learn how to intercept flutter appsGitHub

https://github.com/ptswarm/reFluttergithub.com

Dex2jar

GitHub - pxb1988/dex2jar: Tools to work with android .dex and java .class filesGitHub

MobSF

GitHub - MobSF/Mobile-Security-Framework-MobSF: Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.GitHub

cSploit

GitHub - cSploit/android: cSploit - The most complete and advanced IT security professional toolkit on Android.GitHub

Apepe

GitHub - 000pp/Apepe: 📲 Enumerate app information through the APK fileGitHub

Apktool

Apktool | Apktool

# apktool d instant.apk
I: Using Apktool 2.7.0-dirty on instant.apk
I: Loading resource table...
I: Decoding AndroidManifest.xml with resources...
I: Loading resource table from file: /root/.local/share/apktool/framework/1.apk
I: Regular manifest package...
I: Decoding file-resources...
I: Decoding values */* XMLs...
I: Baksmaling classes.dex...
I: Copying assets and libs...
I: Copying unknown files...
I: Copying original files...
I: Copying META-INF/services directory

# ls instant
AndroidManifest.xml  assets  lib       original  smali
apktool.yml          kotlin  META-INF  res       unknown

Androguard

GitHub - androguard/androguard: Reverse engineering, Malware and goodware analysis of Android applications ... and more (ninja !)GitHub

Drozer

GitHub - WithSecureLabs/drozer: The Leading Security Assessment Framework for Android.GitHub

Exploiting Android Activities with Drozer: A Step-by-Step GuideMedium

Frida

AndroidFrida • A world-class dynamic instrumentation framework

SSL-bypass

This Frida script bypasses root detection and SSL pinning in Android apps by blocking root checks, hiding root management tools, and overriding SSL/TLS trust settings to intercept encrypted traffic.

GitHub - 0xCD4/SSL-bypass: SSL bypass checkGitHub

APKLeaks

GitHub - dwisiswant0/apkleaks: Scanning APK file for URIs, endpoints & secrets.GitHub

APKx

Find sensitive info (key, etc.)

GitHub - cyinnove/apkX: APKx is a high-performance tool written in Go for scanning Android APK files to discover sensitive information like URIs, endpoints, and secrets. It's inspired by APKLeaks but reimplemented in Go with enhanced features and YAML pattern support.GitHub

Firebase checker

GitHub - Suryesh/Firebase_Checker: This Python script automates the process of identifying vulnerabilities in Firebase configurations extracted from APK files.GitHub

MobApp-Storage Inspector

A tool for inspecting and analyzing mobile application storage files.

GitHub - thecybersandeep/mobapp-storage-inspector: A tool for inspecting and analyzing mobile application storage files.GitHub

PAPIMonitor

Monitor user-select APIs during the app execution.

GitHub - Dado1513/PAPIMonitor: Python API Monitor for Android appsGitHub

Code Analysis

Code Analysis

Search for API Keys

Reverse Engineer Android Apps for API Keys

Open the APK with JADX:

jadx-gui base.apk

Search for API Keys:

• Look for hardcoded strings, especially in files like BuildConfig.java, Constants.java, or any class that handles network requests.

Common Vulnerabilities

Cleartext Communications

In Android applications before 7.0 (API level 24), cleartext traffic was allowed by default. The 7.0 release introduced the Network Security Configuration (NSC) feature, allowing developers to customize network security settings through a declarative XML file. It wasn't until the release of Android 9 (API level 28) that cleartext traffic was disabled by default.

To use an NSC file, it must be declared in the application's AndroidManifest.xml file:

<manifest ... >
    <application
        android:networkSecurityConfig="@xml/network_security_config"
        ... >
        <!-- Place child elements of <application> element here. -->
    </application>
</manifest>

The res/xml/network_security_config.xml file must be manually created with the cleartextTrafficPermitted set to "false" to override the insecure default setting:

<base-config cleartextTrafficPermitted="false">
    <trust-anchors>
        <certificates src="system" />
    </trust-anchors>
</base-config>

ZipSlip

Zip Path Traversal | Android Notebook

Resources

GitHub - vaib25vicky/awesome-mobile-security: An effort to build a single place for all useful android and iOS security related stuff. All references and tools belong to their respective owners. I'm just maintaining it.GitHub

The ultimate beginner’s guide to Android hacking | @BugcrowdBugcrowd

Pentesting for Android Mobile ApplicationsHackerOne

Interesting Books

Interesting Books

Disclaimer: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.

• Learning Pentesting for Android Devices A practical guide to learning penetration testing for Android devices and applications

Support this Gitbook

I hope it helps you as much as it has helped me. If you can support me in any way, I would deeply appreciate it.