Mobile Pentest
Tools and Common vulnerabilities
CheckList
Emulator
Intercept traffic
Dex2jar
MobSF
cSploit
Apepe
Apktool
```
# apktool d instant.apk
I: Using Apktool 2.7.0-dirty on instant.apk
I: Loading resource table...
I: Decoding AndroidManifest.xml with resources...
I: Loading resource table from file: /root/.local/share/apktool/framework/1.apk
I: Regular manifest package...
I: Decoding file-resources...
I: Decoding values */* XMLs...
I: Baksmaling classes.dex...
I: Copying assets and libs...
I: Copying unknown files...
I: Copying original files...
I: Copying META-INF/services directory
# ls instant
AndroidManifest.xml assets lib original smali
apktool.yml kotlin META-INF res unknown
```
Androguard
Drozer
Frida
SSL-bypass
This Frida script bypasses root detection and SSL pinning in Android apps by blocking root checks, hiding root management tools, and overriding SSL/TLS trust settings to intercept encrypted traffic.
APKLeaks
APKx
Find sensitive info (key, etc.)
Firebase checker
MobApp-Storage Inspector
A tool for inspecting and analyzing mobile application storage files.
PAPIMonitor
Monitor user-selected APIs during app execution.
Code Analysis
Search for API Keys
Open the APK with JADX:
```
jadx-gui base.apk
```
Look for hardcoded strings, especially in files like BuildConfig.java, Constants.java, or any class that handles network requests.
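Manually reading every class in JADX does not scale, so a small scanner over the decompiled tree is a useful first pass. The script below is an added example and is not part of the original page or of any tool it lists: it walks a JADX or apktool output directory, pulls every double-quoted string literal out of `.java`, `.kt`, `.xml` and `.smali` files, and flags a literal either because its value has a well-known key shape (Google API key, AWS access key id, JWT) or because the identifier on the left-hand side of the assignment looks like a credential name. The `BuildConfig.java` text, the key value and the function names (`scan_source`, `scan_tree`) are constructed for the example.

```python
import os
import re
import sys
from typing import List, Tuple

# --- Constructed sample input (not from any real app) -----------------------
# A Google-style key is 'AIza' followed by 35 characters; this one is placeholder zeros.
SAMPLE_KEY = "AIzaSyEXAMPLE" + "0" * 26
SAMPLE_BUILDCONFIG = f'''public final class BuildConfig {{
    public static final boolean DEBUG = false;
    public static final String APPLICATION_ID = "com.example.app";
    public static final String API_BASE_URL = "https://api.example.com/v1/";
    public static final String MAPS_KEY = "{SAMPLE_KEY}";
    public static final String CLIENT_SECRET = "example-client-secret-value";
    public static final String VERSION_NAME = "1.0";
}}
'''

# Identifier names that suggest a credential is being assigned.
NAME_PATTERN = re.compile(r"(?i)\b(?:api[_-]?key|secret|token|password|passwd|client[_-]?secret)\b")
# Well-known key shapes, matched against the literal value regardless of its name.
VALUE_PATTERNS = {
    "google_api_key": re.compile(r"AIza[0-9A-Za-z_-]{35}"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "jwt": re.compile(r"eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}"),
}
# A Java/Kotlin double-quoted string literal, allowing escaped quotes inside.
STRING_LITERAL = re.compile(r'"([^"\\]*(?:\\.[^"\\]*)*)"')

Finding = Tuple[str, int, str, str]  # (path, line number, reason, source line)


def scan_source(text: str, path: str = "<memory>") -> List[Finding]:
    """Flag string literals that look like secrets: by value shape first, then by the identifier they are assigned to."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in STRING_LITERAL.finditer(line):
            literal = m.group(1)
            for kind, pattern in VALUE_PATTERNS.items():
                if pattern.search(literal):
                    findings.append((path, line_no, f"value looks like {kind}", line.strip()))
                    break
            else:
                # No known shape: fall back to the left-hand side (e.g. CLIENT_SECRET = "...")
                lhs = line[: m.start()]
                if NAME_PATTERN.search(lhs) and len(literal) >= 8:
                    findings.append((path, line_no, "secret-like identifier holds a literal", line.strip()))
    return findings


def scan_tree(root: str, exts: Tuple[str, ...] = (".java", ".kt", ".xml", ".smali")) -> List[Finding]:
    """Walk a decompiled source tree (JADX or apktool output) and scan every matching file."""
    findings: List[Finding] = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(exts):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_source(fh.read(), full))
    return findings


if __name__ == "__main__":
    # With a directory argument scan that tree; otherwise run on the constructed sample.
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_source(SAMPLE_BUILDCONFIG, "BuildConfig.java")
    for path, line_no, reason, snippet in results:
        print(f"{path}:{line_no}: {reason}: {snippet}")
```

On the sample, `MAPS_KEY` is caught by its value shape and `CLIENT_SECRET` by its name, while `API_BASE_URL` is left alone because a URL is not a credential. Every hit still needs a human to confirm it is a live key rather than a placeholder, so the output keeps the file, line and source text for triage.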
Common Vulnerabilities
Cleartext Communications
On Android versions before 7.0 (API level 24), cleartext traffic was allowed by default. The 7.0 release introduced the Network Security Configuration (NSC) feature, which lets developers customize network security settings through a declarative XML file. It wasn't until the release of Android 9 (API level 28) that cleartext traffic was disabled by default.
To use an NSC file, it must be declared in the application's AndroidManifest.xml file:
```xml
<manifest ... >
    <application
        android:networkSecurityConfig="@xml/network_security_config"
        ... >
        <!-- Place child elements of <application> element here. -->
    </application>
</manifest>
```
The res/xml/network_security_config.xml file must be manually created with cleartextTrafficPermitted set to "false" to override the insecure default setting (the `<network-security-config>` root element is required around the `<base-config>` block):
```xml
<network-security-config>
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
</network-security-config>
```
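When reviewing an APK decoded with apktool, the question is whether the manifest, the NSC file and the targetSdkVersion together still leave cleartext traffic (or user-installed CAs) allowed. The script below is an added example, not code from the page or from any listed tool: `audit_network_security` parses the decoded AndroidManifest.xml, follows the `android:networkSecurityConfig` reference to the NSC file, and reports the cases that matter: no NSC at all on a target below API 28, a `base-config` that permits cleartext, `domain-config` entries that explicitly opt in, a `src="user"` trust anchor, and an NSC file whose root is not `<network-security-config>`. The manifest and the two NSC documents are constructed for the example (the hardened one is the configuration shown above), and the caller is assumed to supply targetSdkVersion, which apktool writes into apktool.yml.

```python
import os
import sys
import xml.etree.ElementTree as ET
from typing import List, Optional

ANDROID_NS = "http://schemas.android.com/apk/res/android"
CLEARTEXT_OFF_BY_DEFAULT_SDK = 28  # Android 9: cleartext disabled unless configured otherwise

# --- Constructed samples (not from any real app) ----------------------------
SAMPLE_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.app">
    <application android:networkSecurityConfig="@xml/network_security_config">
    </application>
</manifest>
"""

# Weak: cleartext everywhere and user-installed CAs trusted.
WEAK_NSC = """<network-security-config>
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
</network-security-config>
"""

# Hardened: the configuration from the page, with the root element included.
HARDENED_NSC = """<network-security-config>
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
</network-security-config>
"""


def _as_bool(value: Optional[str], default: bool) -> bool:
    return default if value is None else value.strip().lower() == "true"


def audit_network_security(manifest_xml: str, nsc_xml: Optional[str], target_sdk: int) -> List[str]:
    """Return findings about cleartext traffic and trust anchors; an empty list means nothing was flagged."""
    findings: List[str] = []
    app = ET.fromstring(manifest_xml).find("application")
    if app is None:
        return ["manifest has no <application> element"]
    platform_default = target_sdk < CLEARTEXT_OFF_BY_DEFAULT_SDK
    nsc_ref = app.get(f"{{{ANDROID_NS}}}networkSecurityConfig")
    if nsc_ref is None:
        # No NSC file: only the platform default and android:usesCleartextTraffic apply.
        if _as_bool(app.get(f"{{{ANDROID_NS}}}usesCleartextTraffic"), platform_default):
            findings.append(f"no NSC declared and cleartext is allowed (targetSdk={target_sdk})")
        return findings
    if nsc_xml is None:
        return [f"manifest references {nsc_ref} but no NSC file was supplied"]
    root = ET.fromstring(nsc_xml)
    if root.tag != "network-security-config":
        findings.append(f"NSC root element is <{root.tag}>, expected <network-security-config>")
    base = root.find("base-config")
    base_attr = base.get("cleartextTrafficPermitted") if base is not None else None
    if _as_bool(base_attr, platform_default):
        findings.append("base-config permits cleartext traffic for all domains")
    for dc in root.findall("domain-config"):
        # Only explicit opt-ins are reported; an absent attribute inherits from base-config.
        if _as_bool(dc.get("cleartextTrafficPermitted"), False):
            domains = [d.text.strip() for d in dc.findall("domain") if d.text]
            findings.append("domain-config permits cleartext for: " + ", ".join(domains))
    if any(c.get("src") == "user" for c in root.iter("certificates")):
        findings.append('user-installed CAs are trusted (certificates src="user")')
    return findings


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Usage: python nsc_audit.py <apktool output dir> <targetSdkVersion>
        base_dir, sdk = sys.argv[1], int(sys.argv[2])
        manifest = open(os.path.join(base_dir, "AndroidManifest.xml"), encoding="utf-8").read()
        nsc_path = os.path.join(base_dir, "res", "xml", "network_security_config.xml")
        nsc = open(nsc_path, encoding="utf-8").read() if os.path.exists(nsc_path) else None
        print(audit_network_security(manifest, nsc, sdk))
    else:
        print("weak:", audit_network_security(SAMPLE_MANIFEST, WEAK_NSC, 28))
        print("hardened:", audit_network_security(SAMPLE_MANIFEST, HARDENED_NSC, 28))
```

The platform default is modelled explicitly: with no NSC and no `android:usesCleartextTraffic` attribute, an app targeting API 27 is reported and one targeting API 28 is not, which is the behaviour change described above. Pointing the script at the `instant` directory from the apktool run earlier on the page checks the real files.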
ZipSlip
Resources
iOS Pentesting
Jailbreak for iPhone 5s through iPhone X, iOS 12.0 and up
Interesting Books
Learning Pentesting for Android Devices: A practical guide to learning penetration testing for Android devices and applications
Support this Gitbook
I hope it helps you as much as it has helped me. If you can support me in any way, I would deeply appreciate it.