Mobile Pentest

Tools and Common vulnerabilities

CheckList

LogoPentestingEverything/Mobile Pentesting/Android Pentesting at main · m14r41/PentestingEverythingGitHub

Emulator

LogoGenymotion – Android Emulator for app testing Cross-platform Android Emulator for manual and automated app testingGenymotion – Android Emulator for app testing

Intercept traffic

LogoGitHub - kaizensecurity/Intercept-Flutter-Apps: Learn how to intercept flutter appsGitHub
https://github.com/ptswarm/reFluttergithub.com

Dex2jar

LogoGitHub - pxb1988/dex2jar: Tools to work with android .dex and java .class filesGitHub

MobSF

LogoGitHub - MobSF/Mobile-Security-Framework-MobSF: Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.GitHub

cSploit

LogoGitHub - cSploit/android: cSploit - The most complete and advanced IT security professional toolkit on Android.GitHub

Apepe

LogoGitHub - 000pp/Apepe: 📲 Enumerate app information through the APK fileGitHub

Apktool

LogoApktool | Apktool
# apktool d instant.apk
I: Using Apktool 2.7.0-dirty on instant.apk
I: Loading resource table...
I: Decoding AndroidManifest.xml with resources...
I: Loading resource table from file: /root/.local/share/apktool/framework/1.apk
I: Regular manifest package...
I: Decoding file-resources...
I: Decoding values */* XMLs...
I: Baksmaling classes.dex...
I: Copying assets and libs...
I: Copying unknown files...
I: Copying original files...
I: Copying META-INF/services directory

# ls instant
AndroidManifest.xml  assets  lib       original  smali
apktool.yml          kotlin  META-INF  res       unknown

Androguard

LogoGitHub - androguard/androguard: Reverse engineering, Malware and goodware analysis of Android applications ... and more (ninja !)GitHub

Drozer

LogoGitHub - WithSecureLabs/drozer: The Leading Security Assessment Framework for Android.GitHub
LogoExploiting Android Activities with Drozer: A Step-by-Step GuideMedium

Frida

LogoAndroidFrida • A world-class dynamic instrumentation framework

SSL-bypass

This Frida script bypasses root detection and SSL pinning in Android apps by blocking root checks, hiding root management tools, and overriding SSL/TLS trust settings to intercept encrypted traffic.

LogoGitHub - 0xCD4/SSL-bypass: SSL bypass checkGitHub

APKLeaks

LogoGitHub - dwisiswant0/apkleaks: Scanning APK file for URIs, endpoints & secrets.GitHub

APKx

Find sensitive info (key, etc.)

LogoGitHub - cyinnove/apkX: APKx is a high-performance tool written in Go for scanning Android APK files to discover sensitive information like URIs, endpoints, and secrets. It's inspired by APKLeaks but reimplemented in Go with enhanced features and YAML pattern support.GitHub

Firebase checker

LogoGitHub - Suryesh/Firebase_Checker: This Python script automates the process of identifying vulnerabilities in Firebase configurations extracted from APK files.GitHub

MobApp-Storage Inspector

A tool for inspecting and analyzing mobile application storage files.

LogoGitHub - thecybersandeep/mobapp-storage-inspector: A tool for inspecting and analyzing mobile application storage files.GitHub

PAPIMonitor

Monitor user-select APIs during the app execution.

LogoGitHub - Dado1513/PAPIMonitor: Python API Monitor for Android appsGitHub

Code Analysis

Code Analysis

Search for API Keys

LogoReverse Engineer Android Apps for API Keys

Open the APK with JADX:

jadx-gui base.apk

Search for API Keys:

  • Look for hardcoded strings, especially in files like BuildConfig.java, Constants.java, or any class that handles network requests.

Common Vulnerabilities

Cleartext Communications

In Android applications before 7.0 (API level 24), cleartext traffic was allowed by default. The 7.0 release introduced the Network Security Configuration (NSC) feature, allowing developers to customize network security settings through a declarative XML file. It wasn't until the release of Android 9 (API level 28) that cleartext traffic was disabled by default.

To use an NSC file, it must be declared in the application's AndroidManifest.xml file:

<manifest ... >
    <application
        android:networkSecurityConfig="@xml/network_security_config"
        ... >
        <!-- Place child elements of <application> element here. -->
    </application>
</manifest>

The res/xml/network_security_config.xml file must be manually created with the cleartextTrafficPermitted set to "false" to override the insecure default setting:

<base-config cleartextTrafficPermitted="false">
    <trust-anchors>
        <certificates src="system" />
    </trust-anchors>
</base-config>

ZipSlip

LogoZip Path Traversal | Android Notebook

Resources

LogoGitHub - vaib25vicky/awesome-mobile-security: An effort to build a single place for all useful android and iOS security related stuff. All references and tools belong to their respective owners. I'm just maintaining it.GitHub
LogoThe ultimate beginner’s guide to Android hacking | @BugcrowdBugcrowd
LogoPentesting for Android Mobile ApplicationsHackerOne

iOS Pentesting

LogoA basic guide to iOS testing | @BugcrowdBugcrowd

Jailbreak for iPhone 5s through iPhone X, iOS 12.0 and up

Logocheckra1ncheckra1n

Interesting Books

Interesting Books

Disclaimer: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.

Support this Gitbook

I hope it helps you as much as it has helped me. If you can support me in any way, I would deeply appreciate it.

PreviousWifi PentestNextConfiguration Audit / Hardening

Last updated