# Mobile Pentest

[![ko-fi](https://ko-fi.com/img/githubbutton_sm.svg)](https://ko-fi.com/Y8Y41FQ2GA)

## CheckList

{% embed url="<https://github.com/m14r41/PentestingEverything/tree/main/Mobile%20Pentesting/Android%20Pentesting>" %}

## Create a Lab for Android Pentest

{% embed url="<https://www.yeswehack.com/fr/learn-bug-bounty/android-lab-mobile-hacking-tools>" %}

### Emulator

{% hint style="danger" %}
*Genymotion is not compatible with recent apps that only run on ARM devices. Create an AVD with Android Studio for this kind of app.*
{% endhint %}

{% embed url="<https://www.genymotion.com/>" %}

## Intercept traffic

{% embed url="<https://github.com/kaizensecurity/Intercept-Flutter-Apps>" %}

{% embed url="<https://github.com/ptswarm/reFlutter>" %}

## Dex2jar

{% embed url="<https://github.com/pxb1988/dex2jar>" %}

## MobSF

{% embed url="<https://github.com/MobSF/Mobile-Security-Framework-MobSF>" %}

## MARA

```
git clone https://github.com/xtiankisutsa/MARA_Framework.git
cd MARA_Framework
./mara.sh
```

#### Extracting the complete API attack surface <a href="#extracting-the-complete-api-attack-surface-35" id="extracting-the-complete-api-attack-surface-35"></a>

```
./mara.sh -s target.apk
```

## cSploit

{% embed url="<https://github.com/cSploit/android>" %}

## Apepe

{% embed url="<https://github.com/000pp/Apepe>" %}

## Apktool

{% embed url="<https://apktool.org/>" %}

```
# apktool d instant.apk
I: Using Apktool 2.7.0-dirty on instant.apk
I: Loading resource table...
I: Decoding AndroidManifest.xml with resources...
I: Loading resource table from file: /root/.local/share/apktool/framework/1.apk
I: Regular manifest package...
I: Decoding file-resources...
I: Decoding values */* XMLs...
I: Baksmaling classes.dex...
I: Copying assets and libs...
I: Copying unknown files...
I: Copying original files...
I: Copying META-INF/services directory

# ls instant
AndroidManifest.xml  assets  lib       original  smali
apktool.yml          kotlin  META-INF  res       unknown
```

Troubleshooting: "Could not decode"

```
$ apktool d --use-aapt2 app.apk
I: Using Apktool 2.7.0 on app.apk
I: Loading resource table...
I: Decoding AndroidManifest.xml with resources...
W: Could not decode attr value, using undecoded value instead: ns=android, name=versionCode, value=0x77e1502d
W: Could not decode attr value, using undecoded value instead: ns=android, name=versionName, value=0x00000023
<--SNIP-->

$ mkdir -p /tmp/apktool-framework

$ apktool d --use-aapt2 app.apk -frame-path /tmp/apktool-framework -f
I: Using Apktool 2.7.0 on app.apk
I: Loading resource table...
I: Decoding AndroidManifest.xml with resources...
I: Loading resource table from file: /tmp/apktool-framework/1.apk
I: Regular manifest package...
I: Decoding file-resources...
I: Decoding values */* XMLs...
I: Baksmaling classes.dex...
I: Baksmaling classes2.dex...
I: Baksmaling classes3.dex...
I: Copying assets and libs...
I: Copying unknown files...
I: Copying original files...
I: Copying META-INF/services directory
```

## Androguard

{% embed url="<https://github.com/androguard/androguard>" %}

## Drozer

{% embed url="<https://github.com/WithSecureLabs/drozer>" %}

{% embed url="<https://medium.com/@ayushkumar12021987/exploiting-android-activities-with-drozer-a-step-by-step-guide-ebc9b564758d>" %}

## Frida

{% embed url="<https://frida.re/docs/android/>" %}

## SSL-bypass

This Frida script bypasses root detection and SSL pinning in Android apps by blocking root checks, hiding root management tools, and overriding SSL/TLS trust settings to intercept encrypted traffic.

{% embed url="<https://github.com/0xCD4/SSL-bypass>" %}

## Automated URL extraction

```
git clone https://github.com/n0mi1k/apk2url
./apk2url.sh /path/to/target.apk
```

## APKLeaks

{% embed url="<https://github.com/dwisiswant0/apkleaks>" %}

## APKx

Find sensitive information (API keys, credentials, etc.) in an APK.

{% embed url="<https://github.com/cyinnove/apkx>" %}

## Firebase checker

{% embed url="<https://github.com/Suryesh/Firebase_Checker>" %}

{% embed url="<https://www.intigriti.com/researchers/blog/hacking-tools/hacking-google-firebase-targets>" %}

## MobApp-Storage Inspector

A tool for inspecting and analyzing mobile application storage files.

{% embed url="<http://github.com/thecybersandeep/mobapp-storage-inspector>" %}

## PAPIMonitor

Monitor user-selected APIs during app execution.

{% embed url="<https://github.com/Dado1513/PAPIMonitor>" %}

## Code Analysis

{% content-ref url="code-analysis" %}
[code-analysis](https://0xss0rz.gitbook.io/0xss0rz/pentest/code-analysis)
{% endcontent-ref %}

### APKHunt

Static code analysis based on the OWASP MASVS framework

{% embed url="<https://github.com/Cyber-Buddy/APKHunt/>" %}

### Search for API Keys

{% embed url="<https://pwn.guide/free/forensics/re-android>" %}

Open the APK with JADX:

```
jadx-gui base.apk
```

**Search for API Keys**:

* Look for hardcoded strings, especially in files like `BuildConfig.java`, `Constants.java`, or any class that handles network requests.
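Besides reading through `BuildConfig.java` and `Constants.java` by hand, the same search can be automated over a whole apktool or JADX output tree. The script below is an added example for this page (it is not code from APKLeaks, APKx or the pwn.guide article): it flags strings matching well-known key formats (Google API keys, AWS access key IDs, Firebase database URLs) and generic `api_key`/`secret`/`token`/`password` assignments. Every sample snippet is constructed for the demonstration and holds no real credential; the pattern set is a starting point, not an exhaustive one.

```python
"""Scan decoded APK sources for hardcoded credentials.

Added example, not part of the original page and not APKLeaks/APKx code.
It walks an apktool or JADX output directory (smali, res/values, BuildConfig.java,
...) and reports strings that match well-known key formats or generic
key/secret/token assignments. The sample snippets below are constructed.
"""
import os
import re
import sys

# Widely documented public formats (fixed prefix + fixed-length body)
PATTERNS = {
    "google_api_key": re.compile(r"AIza[0-9A-Za-z_\-]{35}"),
    "aws_access_key_id": re.compile(r"AKIA[0-9A-Z]{16}"),
    "firebase_db_url": re.compile(r"https://[a-z0-9-]+\.firebaseio\.com"),
    # Generic assignment such as API_KEY = "..." in Java or "api_key": "..." in JSON
    "generic_secret": re.compile(
        r'(?i)\b(api[_-]?key|secret|token|password)\b\s*["\']?\s*[:=]\s*["\']([^"\']{8,})["\']'),
}
TEXT_EXTENSIONS = {".java", ".kt", ".smali", ".xml", ".json", ".properties", ".txt"}


def scan_text(text, origin="<string>"):
    """Return a list of (origin, line_no, pattern_name, matched_value) tuples."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                # For the generic pattern report only the assigned value
                value = m.group(2) if name == "generic_secret" else m.group(0)
                hits.append((origin, line_no, name, value))
    return hits


def scan_tree(root_dir):
    """Scan every text-like file under an apktool/JADX output directory."""
    hits = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for fname in files:
            if os.path.splitext(fname)[1].lower() not in TEXT_EXTENSIONS:
                continue
            path = os.path.join(dirpath, fname)
            with open(path, encoding="utf-8", errors="ignore") as fh:
                hits.extend(scan_text(fh.read(), origin=os.path.relpath(path, root_dir)))
    return hits


# Constructed samples: a decompiled BuildConfig, a smali class initialiser and a JSON asset
SAMPLE_BUILDCONFIG = """package com.example.constructed;
public final class BuildConfig {
  public static final String MAPS_KEY = "AIzaSyCONSTRUCTED_EXAMPLE_KEY_000000000";
  public static final String BACKEND = "https://constructed-demo.firebaseio.com";
  public static final boolean DEBUG = false;
}"""
SAMPLE_SMALI = """.method static constructor <clinit>()V
    const-string v0, "AKIACONSTRUCTED00000"
    sput-object v0, Lcom/example/Constants;->AWS_ID:Ljava/lang/String;
    const-string v1, "not-a-secret"
.end method"""
SAMPLE_JSON = '{"api_key": "constructed-service-secret-1234", "region": "eu"}'

if __name__ == "__main__":
    if len(sys.argv) > 1:
        hits = scan_tree(sys.argv[1])  # e.g. the "instant" directory produced by apktool
    else:
        hits = (scan_text(SAMPLE_BUILDCONFIG, "BuildConfig.java")
                + scan_text(SAMPLE_SMALI, "Constants.smali")
                + scan_text(SAMPLE_JSON, "assets/config.json"))
    for origin, line_no, name, value in hits:
        print(f"{origin}:{line_no}: {name}: {value}")
```

Run it with the apktool output directory as the only argument to scan a real decode; without arguments it runs against the constructed samples. Treat every hit as a candidate to verify in JADX, since the generic pattern will also pick up harmless placeholder strings.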

## Common Vulnerabilities

#### Cleartext Communications

On Android versions before 7.0 (API level 24), cleartext traffic was allowed by default. The 7.0 release introduced the **Network Security Configuration** (**NSC**) feature, allowing developers to customize network security settings through a declarative XML file. It wasn't until the release of Android 9 (API level 28) that cleartext traffic was disabled by default.

To use an NSC file, it must be declared in the application's AndroidManifest.xml file:

```xml
<manifest ... >
    <application
        android:networkSecurityConfig="@xml/network_security_config"
        ... >
        <!-- Place child elements of <application> element here. -->
    </application>
</manifest>
```

The `res/xml/network_security_config.xml` file must be manually created with `cleartextTrafficPermitted` set to `"false"` to override the insecure default setting:

```xml
<base-config cleartextTrafficPermitted="false">
    <trust-anchors>
        <certificates src="system" />
    </trust-anchors>
</base-config>
```
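When reviewing a decoded APK, the question is not only whether an NSC exists but what the *effective* policy is: the platform default depends on `targetSdkVersion`, a `<base-config>` overrides that default, and `<domain-config>` entries can re-enable cleartext for specific hosts even when the base forbids it. The script below is an added example for this page (not code from any project linked here) that applies those rules to an apktool output directory. It assumes the caller passes `targetSdkVersion` (apktool records it in `apktool.yml`); the manifest and NSC snippets embedded at the bottom are constructed for the demonstration.

```python
"""Report the effective cleartext (HTTP) policy of an apktool-decoded app.

Added example, not part of the original page. Rules applied:
  - no NSC and no android:usesCleartextTraffic: permitted iff targetSdk < 28
  - android:usesCleartextTraffic (API 23+) is honoured only when no NSC is declared
  - an NSC <base-config cleartextTrafficPermitted> overrides the default
  - <domain-config> entries override the base per host; a config without its own
    attribute inherits from the enclosing config (nested configs included)
The targetSdkVersion is supplied by the caller (apktool writes it to apktool.yml).
"""
import os
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
CLEARTEXT_BLOCKED_FROM_SDK = 28  # Android 9: cleartext blocked unless permitted


def _attr(elem, name):
    """Read an android: namespaced attribute from a manifest element."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def _walk_domain_configs(parent, inherited, findings):
    """Collect hosts whose effective cleartextTrafficPermitted is true."""
    for dc in parent.findall("domain-config"):
        raw = dc.get("cleartextTrafficPermitted")
        permitted = inherited if raw is None else raw.lower() == "true"
        for dom in dc.findall("domain"):
            if permitted and dom.text:
                findings.append(dom.text.strip())
        _walk_domain_configs(dc, permitted, findings)  # nested configs inherit


def assess_cleartext(manifest_xml, nsc_xml, target_sdk):
    """Return {"base_cleartext", "cleartext_domains", "source"} for the app.

    manifest_xml: decoded AndroidManifest.xml contents
    nsc_xml:      contents of the referenced NSC file, or None if absent
    target_sdk:   targetSdkVersion taken from apktool.yml
    """
    app = ET.fromstring(manifest_xml).find("application")
    result = {"base_cleartext": target_sdk < CLEARTEXT_BLOCKED_FROM_SDK,
              "cleartext_domains": [],
              "source": f"platform default (targetSdk {target_sdk})"}

    if app is not None and _attr(app, "networkSecurityConfig") and nsc_xml:
        root = ET.fromstring(nsc_xml)
        base = root.find("base-config")
        raw = base.get("cleartextTrafficPermitted") if base is not None else None
        if raw is not None:
            result["base_cleartext"] = raw.lower() == "true"
            result["source"] = "network_security_config base-config"
        _walk_domain_configs(root, result["base_cleartext"], result["cleartext_domains"])
    elif app is not None and _attr(app, "usesCleartextTraffic") is not None:
        result["base_cleartext"] = _attr(app, "usesCleartextTraffic").lower() == "true"
        result["source"] = "android:usesCleartextTraffic"
    return result


def assess_decoded_dir(app_dir, target_sdk):
    """Run the check against an apktool output directory (e.g. ./instant)."""
    with open(os.path.join(app_dir, "AndroidManifest.xml"), encoding="utf-8") as fh:
        manifest = fh.read()
    app = ET.fromstring(manifest).find("application")
    ref = _attr(app, "networkSecurityConfig") if app is not None else None
    nsc_xml = None
    if ref and ref.startswith("@xml/"):  # resolve @xml/name to res/xml/name.xml
        nsc_path = os.path.join(app_dir, "res", "xml", ref[len("@xml/"):] + ".xml")
        if os.path.exists(nsc_path):
            with open(nsc_path, encoding="utf-8") as fh:
                nsc_xml = fh.read()
    return assess_cleartext(manifest, nsc_xml, target_sdk)


# Constructed sample: NSC declared, base forbids cleartext, one legacy host opts back in
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
    <application android:networkSecurityConfig="@xml/network_security_config" />
</manifest>"""
SAMPLE_NSC = """<network-security-config>
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors><certificates src="system" /></trust-anchors>
    </base-config>
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="true">legacy.example.com</domain>
    </domain-config>
</network-security-config>"""

if __name__ == "__main__":
    print(assess_cleartext(SAMPLE_MANIFEST, SAMPLE_NSC, target_sdk=33))
```

Against the constructed sample the base policy is secure, yet `legacy.example.com` still accepts HTTP, which is exactly the kind of exception that a quick look at `<base-config>` alone would miss. Call `assess_decoded_dir("instant", target_sdk)` with the `targetSdkVersion` read from `apktool.yml` to run it on a real decode.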

### ZipSlip

{% embed url="<https://android-notebook.hanmajid.com/docs/security/security-risks/zip-path-traversal>" %}

## Resources

{% embed url="<https://github.com/vaib25vicky/awesome-mobile-security>" %}

{% embed url="<https://www.bugcrowd.com/blog/the-ultimate-beginners-guide-to-android-hacking/>" %}

{% embed url="<https://www.hackerone.com/blog/pentesting-android-mobile-applications>" %}

{% embed url="<https://www.yeswehack.com/fr/learn-bug-bounty/android-recon-bug-bounty-guide>" %}

***

## iOS Pentesting

{% embed url="<https://www.bugcrowd.com/blog/a-basic-guide-to-ios-testing/>" %}

### Jailbreak for iPhone 5s through iPhone X, iOS 12.0 and up

{% embed url="<https://checkra.in/>" %}

## Interesting Books

{% content-ref url="../interesting-books" %}
[interesting-books](https://0xss0rz.gitbook.io/0xss0rz/interesting-books)
{% endcontent-ref %}

{% hint style="info" %}
**Disclaimer**: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.
{% endhint %}

* [**Learning Pentesting for Android Devices**](https://www.amazon.fr/dp/B00JAAW0ZY?tag=0xss0rz-21)\
  A practical guide to learning penetration testing for Android devices and applications

## Support this Gitbook

I hope it helps you as much as it has helped me. If you can support me in any way, I would deeply appreciate it.

[![ko-fi](https://ko-fi.com/img/githubbutton_sm.svg)](https://ko-fi.com/Y8Y41FQ2GA)

[![buymeacoffee](https://cdn.buymeacoffee.com/buttons/v2/default-yellow.png)](https://buymeacoffee.com/0xss0rz)
