# Mobile Pentest

[![ko-fi](https://ko-fi.com/img/githubbutton_sm.svg)](https://ko-fi.com/Y8Y41FQ2GA)

## CheckList

{% embed url="<https://github.com/m14r41/PentestingEverything/tree/main/Mobile%20Pentesting/Android%20Pentesting>" %}

## Create a Lab for Android Pentest

{% embed url="<https://www.yeswehack.com/fr/learn-bug-bounty/android-lab-mobile-hacking-tools>" %}

### Emulator

{% hint style="danger" %}
*Genymotion cannot run recent apps that ship only ARM native libraries (no x86/x86_64 ABI). Create an AVD with Android Studio for this kind of app.*
{% endhint %}

{% embed url="<https://www.genymotion.com/>" %}

## Intercept traffic

{% embed url="<https://github.com/kaizensecurity/Intercept-Flutter-Apps>" %}

{% embed url="<https://github.com/ptswarm/reFlutter>" %}

## Dex2jar

{% embed url="<https://github.com/pxb1988/dex2jar>" %}

## MobSF

{% embed url="<https://github.com/MobSF/Mobile-Security-Framework-MobSF>" %}

## MARA

```
git clone https://github.com/xtiankisutsa/MARA_Framework.git
cd MARA_Framework
./mara.sh
```

### Extracting the complete API attack surface

```
./mara.sh -s target.apk
```

## cSploit

{% embed url="<https://github.com/cSploit/android>" %}

## Apepe

{% embed url="<https://github.com/000pp/Apepe>" %}

## Apktool

{% embed url="<https://apktool.org/>" %}

```
# apktool d instant.apk
I: Using Apktool 2.7.0-dirty on instant.apk
I: Loading resource table...
I: Decoding AndroidManifest.xml with resources...
I: Loading resource table from file: /root/.local/share/apktool/framework/1.apk
I: Regular manifest package...
I: Decoding file-resources...
I: Decoding values */* XMLs...
I: Baksmaling classes.dex...
I: Copying assets and libs...
I: Copying unknown files...
I: Copying original files...
I: Copying META-INF/services directory

# ls instant
AndroidManifest.xml  assets  lib       original  smali
apktool.yml          kotlin  META-INF  res       unknown
```

Troubleshooting: "Could not decode attr value" warnings usually mean apktool is decoding against a stale cached framework resource table (`~/.local/share/apktool/framework/1.apk`). Decoding against a fresh framework directory and forcing overwrite of the output fixes it (`--use-aapt2` is an `apktool b` option and does not affect decoding):

```
$ apktool d --use-aapt2 app.apk
I: Using Apktool 2.7.0 on app.apk
I: Loading resource table...
I: Decoding AndroidManifest.xml with resources...
W: Could not decode attr value, using undecoded value instead: ns=android, name=versionCode, value=0x77e1502d
W: Could not decode attr value, using undecoded value instead: ns=android, name=versionName, value=0x00000023
<--SNIP-->

$ mkdir -p /tmp/apktool-framework

$ apktool d --use-aapt2 app.apk --frame-path /tmp/apktool-framework -f
I: Using Apktool 2.7.0 on app.apk
I: Loading resource table...
I: Decoding AndroidManifest.xml with resources...
I: Loading resource table from file: /tmp/apktool-framework/1.apk
I: Regular manifest package...
I: Decoding file-resources...
I: Decoding values */* XMLs...
I: Baksmaling classes.dex...
I: Baksmaling classes2.dex...
I: Baksmaling classes3.dex...
I: Copying assets and libs...
I: Copying unknown files...
I: Copying original files...
I: Copying META-INF/services directory
```

## Androguard

{% embed url="<https://github.com/androguard/androguard>" %}

## Drozer

{% embed url="<https://github.com/WithSecureLabs/drozer>" %}

{% embed url="<https://medium.com/@ayushkumar12021987/exploiting-android-activities-with-drozer-a-step-by-step-guide-ebc9b564758d>" %}

## Frida

{% embed url="<https://frida.re/docs/android/>" %}

## SSL-bypass

This Frida script bypasses root detection and SSL pinning in Android apps by blocking root checks, hiding root management tools, and overriding SSL/TLS trust settings to intercept encrypted traffic.

{% embed url="<https://github.com/0xCD4/SSL-bypass>" %}

## Automated URL extraction

```
git clone https://github.com/n0mi1k/apk2url
./apk2url.sh /path/to/target.apk
```

## APKLeaks

{% embed url="<https://github.com/dwisiswant0/apkleaks>" %}

## APKx

Finds sensitive information (API keys, secrets, etc.) hardcoded in an APK.

{% embed url="<https://github.com/cyinnove/apkx>" %}

## Firebase checker

{% embed url="<https://github.com/Suryesh/Firebase_Checker>" %}

{% embed url="<https://www.intigriti.com/researchers/blog/hacking-tools/hacking-google-firebase-targets>" %}

## MobApp-Storage Inspector

A tool for inspecting and analyzing mobile application storage files.

{% embed url="<http://github.com/thecybersandeep/mobapp-storage-inspector>" %}

## PAPIMonitor

Monitors user-selected APIs during app execution.

{% embed url="<https://github.com/Dado1513/PAPIMonitor>" %}

## Code Analysis

{% content-ref url="code-analysis" %}
[code-analysis](https://0xss0rz.gitbook.io/0xss0rz/pentest/code-analysis)
{% endcontent-ref %}

### APKHunt

Static code analysis based on the OWASP MASVS framework

{% embed url="<https://github.com/Cyber-Buddy/APKHunt/>" %}

### Search for API Keys

{% embed url="<https://pwn.guide/free/forensics/re-android>" %}

Open the APK with JADX:

```
jadx-gui base.apk
```

**Search for API Keys**:

* Look for hardcoded strings, especially in files like `BuildConfig.java`, `Constants.java`, or any class that handles network requests.
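Both the "Automated URL extraction" step above and the API-key hunt here come down to the same pass over the decoded tree: match known credential formats and URLs, and flag credential-looking assignments whose value is random enough to be a real secret. The script below is an added example (not apk2url, APKLeaks or the page's own code); it walks an `apktool d` or JADX output directory, and the `SAMPLE_*` inputs, the fake keys in them and the function names are this example's own constructions.

```python
"""Scan decoded APK sources for hardcoded secrets and endpoints.

Added example, not from apk2url, apkleaks or the original page: walks an
apktool/jadx output directory and reports URLs, known credential formats and
high-entropy values assigned to credential-looking names. The SAMPLE_* inputs
are constructed stand-ins for decoded files; every key in them is fake.
"""
import math
import os
import re
import sys
from collections import Counter

SCAN_EXTENSIONS = {".smali", ".java", ".kt", ".xml", ".json", ".properties", ".js", ".txt"}

# Formats with a recognisable shape; the AWS pattern is anchored so a key
# embedded in a longer alphanumeric run is not miscounted.
PATTERNS = {
    "google_api_key": re.compile(r"AIza[0-9A-Za-z_-]{35}"),
    "aws_access_key_id": re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])"),
    "slack_token": re.compile(r"xox[baprs]-[0-9A-Za-z-]{10,}"),
    "firebase_db": re.compile(r"https://[a-z0-9-]+\.firebaseio\.com"),
    "url": re.compile(r"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+"),
}
# Credential-looking assignments (API_SECRET = "...", token: '...'); the value
# is reported only if it looks random enough to be a real secret.
GENERIC_SECRET = re.compile(
    r"""(?i)\b([A-Za-z_]*(?:api[_-]?key|secret|token|passw(?:or)?d)[A-Za-z_]*)\s*[:=]\s*["']([^"']{8,})["']""")
ENTROPY_THRESHOLD = 3.5  # bits/char: "password" scores ~2.75, a random 16-char key ~4.0


def shannon_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(text, origin="<text>"):
    """Return a list of finding dicts for one file's contents."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                findings.append({"kind": kind, "value": m.group(0), "file": origin, "line": lineno})
        for m in GENERIC_SECRET.finditer(line):
            name, value = m.group(1), m.group(2)
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append({"kind": "generic_secret", "name": name, "value": value,
                                 "file": origin, "line": lineno})
    return findings


def scan_dir(root):
    """Walk an `apktool d` or jadx output tree and scan every source/resource file."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if os.path.splitext(fn)[1].lower() not in SCAN_EXTENSIONS:
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_text(fh.read(), path))
            except OSError:
                continue
    return findings


# Constructed samples standing in for res/values/strings.xml, a jadx-decompiled
# BuildConfig.java and a smali class. Every key below is fake.
SAMPLE_STRINGS_XML = """<resources>
    <string name="app_name">Instant</string>
    <string name="google_api_key">AIzaSyFAKEfakefakeFAKEfakefakeFAKEfake0</string>
    <string name="firebase_database_url">https://fake-app-12345.firebaseio.com</string>
</resources>"""
SAMPLE_JAVA = """package com.example.app;
public final class BuildConfig {
    public static final String API_SECRET = "q7Zp2mWx9Lc4TbH8";
    public static final String DEBUG_PASSWORD = "password";
    public static final String AWS_KEY = "AKIAFAKEFAKEFAKEFAKE";
}"""
SAMPLE_SMALI = """.class public final Lcom/example/app/Api;
.method public static endpoint()Ljava/lang/String;
    const-string v0, "https://api.example.com/v1/login"
    return-object v0
.end method"""


def scan_samples():
    return (scan_text(SAMPLE_STRINGS_XML, "res/values/strings.xml")
            + scan_text(SAMPLE_JAVA, "sources/com/example/app/BuildConfig.java")
            + scan_text(SAMPLE_SMALI, "smali/com/example/app/Api.smali"))


if __name__ == "__main__":
    results = scan_dir(sys.argv[1]) if len(sys.argv) > 1 else scan_samples()
    for f in results:
        print(f"{f['file']}:{f['line']}: {f['kind']}: {f['value']}")
```

Run it as `python scan.py instant/` against the apktool output directory from above (or a JADX `sources/` export). The entropy gate is what keeps `DEBUG_PASSWORD = "password"` out of the report while `API_SECRET` stays in; lower the threshold if you want the noise, and treat every hit as a lead to verify by calling the endpoint with the key, not as a finding by itself.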

## Common Vulnerabilities

### Cleartext Communications

On Android versions before 7.0 (API level 24), cleartext traffic was allowed by default and there was no declarative way to restrict it. Android 7.0 introduced the **Network Security Configuration** (**NSC**), which lets developers customize network security settings (cleartext policy, trust anchors, certificate pinning) through a declarative XML file. Cleartext traffic was only disabled by default in Android 9 (API level 28), and then only for apps that target API level 28 or higher: an app with a lower `targetSdkVersion` still permits it unless its NSC or `android:usesCleartextTraffic="false"` says otherwise.

To use an NSC file, it must be declared in the application's AndroidManifest.xml file:

```xml
<manifest ... >
    <application
        android:networkSecurityConfig="@xml/network_security_config"
        ... >
        <!-- Place child elements of <application> element here. -->
    </application>
</manifest>
```

The `res/xml/network_security_config.xml` file must be created manually, with `cleartextTrafficPermitted` set to `"false"` in the `<base-config>` so that the insecure default is overridden for every destination the app contacts (a `<domain-config>` element can still re-enable cleartext for a single host, so review those too):

```xml
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
</network-security-config>
```

### ZipSlip

{% embed url="<https://android-notebook.hanmajid.com/docs/security/security-risks/zip-path-traversal>" %}
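Zip Slip is path traversal through archive entry names: an app that unpacks an attacker-supplied zip (an update bundle, a theme, a downloaded asset pack) and builds the output path from the entry name without canonicalising it lets a `../../` entry write anywhere its UID can. The script below is an added example, not code from the linked notebook or this page; it builds the malicious archive in memory, shows the vulnerable extractor beside the hardened one, and runs both in throwaway directories. The archive contents, `demo()` and the other names are this example's own.

```python
"""Zip Slip (archive path traversal): vulnerable extractor beside the hardened one.

Added example, not code from the linked notebook or the original page. The
archive is constructed in memory; the unsafe extractor mirrors the classic
Java pattern `new File(destDir, entry.getName())` with no canonical-path check.
"""
import io
import os
import tempfile
import zipfile


def build_malicious_zip():
    """Constructed sample: one benign entry and one whose name climbs out with '../'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("assets/config.json", '{"ok": true}')
        zf.writestr("../../escaped.txt", "written outside the extraction directory\n")
    return buf.getvalue()


def unsafe_extract(zip_bytes, dest):
    """Vulnerable: trusts entry names verbatim, so '../' segments escape dest."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.join(dest, info.filename)  # no validation at all
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as out:
                out.write(zf.read(info))
            written.append(os.path.realpath(target))
    return written


def is_within(base, path):
    """True if the canonical path stays inside the canonical base directory."""
    base, path = os.path.realpath(base), os.path.realpath(path)
    return os.path.commonpath([base, path]) == base


def safe_extract(zip_bytes, dest):
    """Hardened: canonicalise every target and refuse the whole archive on any escape."""
    dest_real = os.path.realpath(dest)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        planned = []
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(dest_real, info.filename))
            if not is_within(dest_real, target):
                raise ValueError(f"zip slip: entry {info.filename!r} resolves outside {dest_real}")
            planned.append((info, target))
        # Write only after every entry passed, so a bad entry cannot leave partial output.
        for info, target in planned:
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as out:
                out.write(zf.read(info))
    return [t for _, t in planned]


def demo():
    """Run both extractors on the constructed archive inside throwaway directories."""
    results = {}
    payload = build_malicious_zip()
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "app", "out")
        os.makedirs(dest)
        unsafe_extract(payload, dest)
        results["unsafe_escaped"] = os.path.exists(os.path.join(tmp, "escaped.txt"))
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "app", "out")
        os.makedirs(dest)
        try:
            safe_extract(payload, dest)
            results["safe_rejected"] = False
        except ValueError:
            results["safe_rejected"] = True
        results["safe_escaped"] = os.path.exists(os.path.join(tmp, "escaped.txt"))
        results["safe_wrote_benign"] = os.path.exists(os.path.join(dest, "assets", "config.json"))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

When reviewing an app's own unzip code (look for `ZipInputStream`/`ZipFile` in the decompiled sources), the check to demand is exactly `is_within()`: resolve the joined path with `getCanonicalPath()` and compare it against the canonical destination before writing, and reject the archive rather than just skipping the bad entry.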

## Resources

{% embed url="<https://github.com/vaib25vicky/awesome-mobile-security>" %}

{% embed url="<https://www.bugcrowd.com/blog/the-ultimate-beginners-guide-to-android-hacking/>" %}

{% embed url="<https://www.hackerone.com/blog/pentesting-android-mobile-applications>" %}

{% embed url="<https://www.yeswehack.com/fr/learn-bug-bounty/android-recon-bug-bounty-guide>" %}

***

## iOS Pentesting

{% embed url="<https://www.bugcrowd.com/blog/a-basic-guide-to-ios-testing/>" %}

### Jailbreak for iPhone 5s through iPhone X, iOS 12.0 and up

{% embed url="<https://checkra.in/>" %}

## Interesting Books

{% content-ref url="../interesting-books" %}
[interesting-books](https://0xss0rz.gitbook.io/0xss0rz/interesting-books)
{% endcontent-ref %}

{% hint style="info" %}
**Disclaimer**: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.
{% endhint %}

* [**Learning Pentesting for Android Devices**](https://www.amazon.fr/dp/B00JAAW0ZY?tag=0xss0rz-21)\
  A practical guide to learning penetration testing for Android devices and applications

## Support this Gitbook

I hope it helps you as much as it has helped me. If you can support me in any way, I would deeply appreciate it.

[![ko-fi](https://ko-fi.com/img/githubbutton_sm.svg)](https://ko-fi.com/Y8Y41FQ2GA)

[![buymeacoffee](https://cdn.buymeacoffee.com/buttons/v2/default-yellow.png)](https://buymeacoffee.com/0xss0rz)


