Mobile Pentest

Tools and Common vulnerabilities

CheckList

PentestingEverything/Mobile Pentesting/Android Pentesting at main · m14r41/PentestingEverythingGitHub

Create a Lab for Android Pentest

The bug hunter’s guide to building an Android mobile hacking labYesWeHack

Emulator

Genymotion is not compatible with last app running only on ARM devices. Create a AVD with Android Studio for this kind of apps

Genymotion - Android Emulator in the Cloud and for PC & MacGenymotion

Intercept traffic

GitHub - kaizensecurity/Intercept-Flutter-Apps: Learn how to intercept flutter appsGitHub

GitHub - ptswarm/reFlutter: Flutter Reverse Engineering FrameworkGitHub

Dex2jar

GitHub - pxb1988/dex2jar: Tools to work with android .dex and java .class filesGitHub

MobSF

GitHub - MobSF/Mobile-Security-Framework-MobSF: Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.GitHub

MARA

git clone https://github.com/xtiankisutsa/MARA_Framework.git
cd MARA_Framework
./mara.sh

Extracting the complete API attack surface

./mara.sh -s target.apk

cSploit

GitHub - cSploit/android: cSploit - The most complete and advanced IT security professional toolkit on Android.GitHub

Apepe

GitHub - 0xdsm/Apepe: 📲 Apepe is a project developed to help to capture informations from a Android app through his APK file. It can be used to extract the content, get app settings, suggest SSL Pinning bypass based on the app detected language, extract deeplinks from AndroidManifest.xml, JSONs and DEX files.GitHub

Apktool

Apktoolapktool.org

# apktool d instant.apk
I: Using Apktool 2.7.0-dirty on instant.apk
I: Loading resource table...
I: Decoding AndroidManifest.xml with resources...
I: Loading resource table from file: /root/.local/share/apktool/framework/1.apk
I: Regular manifest package...
I: Decoding file-resources...
I: Decoding values */* XMLs...
I: Baksmaling classes.dex...
I: Copying assets and libs...
I: Copying unknown files...
I: Copying original files...
I: Copying META-INF/services directory

# ls instant
AndroidManifest.xml  assets  lib       original  smali
apktool.yml          kotlin  META-INF  res       unknown

Troubleshooting: "Could not decode"

$ apktool d --use-aapt2 app.apk
I: Using Apktool 2.7.0 on app.apk
I: Loading resource table...
I: Decoding AndroidManifest.xml with resources...
W: Could not decode attr value, using undecoded value instead: ns=android, name=versionCode, value=0x77e1502d
W: Could not decode attr value, using undecoded value instead: ns=android, name=versionName, value=0x00000023
<--SNIP-->

$ mkdir -p /tmp/apktool-framework

$ apktool d --use-aapt2 app.apk -frame-path /tmp/apktool-framework -f
I: Using Apktool 2.7.0 on app.apk
I: Loading resource table...
I: Decoding AndroidManifest.xml with resources...
I: Loading resource table from file: /tmp/apktool-framework/1.apk
I: Regular manifest package...
I: Decoding file-resources...
I: Decoding values */* XMLs...
I: Baksmaling classes.dex...
I: Baksmaling classes2.dex...
I: Baksmaling classes3.dex...
I: Copying assets and libs...
I: Copying unknown files...
I: Copying original files...
I: Copying META-INF/services directory

Androguard

GitHub - androguard/androguard: Reverse engineering and pentesting for Android applicationsGitHub

Drozer

GitHub - ReversecLabs/drozer: The Leading Security Assessment Framework for Android.GitHub

Exploiting Android Activities with Drozer: A Step-by-Step GuideMedium

Frida

AndroidFrida • A world-class dynamic instrumentation toolkit

SSL-bypass

This Frida script bypasses root detection and SSL pinning in Android apps by blocking root checks, hiding root management tools, and overriding SSL/TLS trust settings to intercept encrypted traffic.

GitHub - 0xCD4/SSL-bypass: SSL bypass checkGitHub

Automated URL extraction

git clone https://github.com/n0mi1k/apk2url
./apk2url.sh /path/to/target.apk

APKLeaks

GitHub - dwisiswant0/apkleaks: Scanning APK file for URIs, endpoints & secrets.GitHub

APKx

Find sensitive info (key, etc.)

GitHub - h0tak88r/apkX: Advanced APK analysis tool with intelligent caching, pattern matching, and comprehensive security vulnerability detectionGitHub

Firebase checker

GitHub - Suryesh/Firebase_Checker: Firebase_Checker is Python tool to analyze APK files and web applications for Firebase-related vulnerabilities. This tool identifies security misconfigurations in Firebase implementations for both Android and web applications. Designed for security researchers, developers, and penetration testers to identify potential security risks in applicationsGitHub

Hacking Firebase Targets: Advanced Exploitation GuideIntigriti

MobApp-Storage Inspector

A tool for inspecting and analyzing mobile application storage files.

GitHub - thecybersandeep/mobapp-storage-inspector: A tool for inspecting and analyzing mobile application storage files.GitHub

PAPIMonitor

Monitor user-select APIs during the app execution.

GitHub - 0xdad0/PAPIMonitor: Python API Monitor for Android appsGitHub

Code Analysis

Code Analysis

APKHunt

Static code analysis based on the OWASP MASVS framework

GitHub - Cyber-Buddy/APKHunt: APKHunt is a comprehensive static code analysis tool for Android apps that is based on the OWASP MASVS framework. Although APKHunt is intended primarily for mobile app developers and security testers, it can be used by anyone to identify and address potential security vulnerabilities in their code.GitHub

Search for API Keys

Reverse Engineer Android Apps for API Keyspwn.guide

Open the APK with JADX:

jadx-gui base.apk

Search for API Keys:

• Look for hardcoded strings, especially in files like BuildConfig.java, Constants.java, or any class that handles network requests.

Common Vulnerabilities

Cleartext Communications

In Android applications before 7.0 (API level 24), cleartext traffic was allowed by default. The 7.0 release introduced the Network Security Configuration (NSC) feature, allowing developers to customize network security settings through a declarative XML file. It wasn't until the release of Android 9 (API level 28) that cleartext traffic was disabled by default.

To use an NSC file, it must be declared in the application's AndroidManifest.xml file:

<manifest ... >
    <application
        android:networkSecurityConfig="@xml/network_security_config"
        ... >
        <!-- Place child elements of <application> element here. -->
    </application>
</manifest>

The res/xml/network_security_config.xml file must be manually created with the cleartextTrafficPermitted set to "false" to override the insecure default setting:

<base-config cleartextTrafficPermitted="false">
    <trust-anchors>
        <certificates src="system" />
    </trust-anchors>
</base-config>

ZipSlip

Zip Path Traversal | Android Notebookandroid-notebook.hanmajid.com

Resources

GitHub - vaib25vicky/awesome-mobile-security: An effort to build a single place for all useful android and iOS security related stuff. All references and tools belong to their respective owners. I'm just maintaining it.GitHub

The ultimate beginner’s guide to Android hacking | @BugcrowdBugcrowd

Pentesting for Android Mobile Applications | HackerOneHackerOne

Android recon for Bug Bounty hunters: A complete guideYesWeHack

---

iOS Pentesting

A basic guide to iOS testing | @BugcrowdBugcrowd

Jailbreak for iPhone 5s through iPhone X, iOS 12.0 and up

checkra1ncheckra1n

Interesting Books

Interesting Books

Disclaimer: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.

• Learning Pentesting for Android Devices A practical guide to learning penetration testing for Android devices and applications

Support this Gitbook

I hope it helps you as much as it has helped me. If you can support me in any way, I would deeply appreciate it.