Mobile Pentest

Tools and Common vulnerabilities

CheckList

Emulator

Intercept traffic

Dex2jar

MobSF

cSploit

Apepe

Apktool

# apktool d instant.apk
I: Using Apktool 2.7.0-dirty on instant.apk
I: Loading resource table...
I: Decoding AndroidManifest.xml with resources...
I: Loading resource table from file: /root/.local/share/apktool/framework/1.apk
I: Regular manifest package...
I: Decoding file-resources...
I: Decoding values */* XMLs...
I: Baksmaling classes.dex...
I: Copying assets and libs...
I: Copying unknown files...
I: Copying original files...
I: Copying META-INF/services directory

# ls instant
AndroidManifest.xml  assets  lib       original  smali
apktool.yml          kotlin  META-INF  res       unknown

Androguard

Drozer

Frida

SSL-bypass

This Frida script bypasses root detection and SSL pinning in Android apps by blocking root checks, hiding root management tools, and overriding SSL/TLS trust settings to intercept encrypted traffic.

APKLeaks

APKx

Find sensitive info (key, etc.)

Firebase checker

MobApp-Storage Inspector

A tool for inspecting and analyzing mobile application storage files.

PAPIMonitor

Monitor user-selected APIs during app execution.

Code Analysis

Search for API Keys

Open the APK with JADX:

jadx-gui base.apk

Search for API Keys:

  • Look for hardcoded strings, especially in files like BuildConfig.java, Constants.java, or any class that handles network requests.
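As an added example (not code from the original page or from JADX), a small Python scanner that walks a decompiled source tree of the kind jadx-gui exports, flags string literals that look like credentials, and lists hits in BuildConfig.java and Constants.java first, since those are the files worth checking before anything else. The sample tree it scans when run without arguments is constructed and written to a temporary directory; the key values in it are placeholders shaped like real ones (the AWS id is the one from Amazon's own documentation), and the pattern set and hot-file list are assumptions of this example.

```python
import os
import re
import tempfile
from typing import List, Tuple

# Signatures for two well-known key formats plus a generic catch-all for string
# literals assigned to names that look like credentials (assumption: a starter set).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
    "credential_assignment": re.compile(
        r"\b\w*(?:API_?KEY|SECRET|TOKEN|PASSWORD)\w*\s*=\s*\"([^\"]{8,})\"",
        re.IGNORECASE,
    ),
}

# Files the checklist above singles out; findings in them are reported first.
HOT_FILES = ("BuildConfig.java", "Constants.java")

Finding = Tuple[str, int, str, str]  # (relative path, line number, pattern name, matched value)


def scan_file(path: str, rel: str) -> List[Finding]:
    """Return every pattern hit in one source file, with its line number."""
    findings: List[Finding] = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, start=1):
            for name, pattern in SECRET_PATTERNS.items():
                for match in pattern.finditer(line):
                    # The generic rule captures the literal; the others match the key itself.
                    value = match.group(1) if match.groups() else match.group(0)
                    findings.append((rel, lineno, name, value))
    return findings


def scan_tree(root: str) -> List[Finding]:
    """Walk a decompiled tree (e.g. JADX output) and return findings, hot files first."""
    findings: List[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not fname.endswith((".java", ".kt", ".xml", ".properties")):
                continue
            full = os.path.join(dirpath, fname)
            findings.extend(scan_file(full, os.path.relpath(full, root)))
    findings.sort(key=lambda f: (os.path.basename(f[0]) not in HOT_FILES, f[0], f[1]))
    return findings


def build_sample_tree() -> str:
    """Write a constructed two-file 'decompiled app' to a temp dir and return its root."""
    root = tempfile.mkdtemp(prefix="jadx-sample-")
    maps_key = "AIzaSyEXAMPLE" + "0" * 26  # constructed: shaped like a Google API key, not real
    files = {
        "com/example/instant/BuildConfig.java": (
            "package com.example.instant;\n"
            "public final class BuildConfig {\n"
            f'    public static final String MAPS_KEY = "{maps_key}";\n'
            "    public static final boolean DEBUG = false;\n"
            "}\n"
        ),
        "com/example/instant/net/ApiClient.java": (
            "package com.example.instant.net;\n"
            "class ApiClient {\n"
            '    private static final String AWS_ID = "AKIAIOSFODNN7EXAMPLE";\n'  # AWS docs example id
            '    private static final String API_TOKEN = "s3cr3t-token-value-1234";\n'  # constructed
            '    String baseUrl = "https://api.example.com/v1";\n'
            "}\n"
        ),
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for rel, lineno, name, value in scan_tree(target):
        print(f"{rel}:{lineno}: {name}: {value}")
```

Run it as `python scan.py path/to/jadx-output` against a real export; without an argument it scans the constructed sample. Every hit still needs a human look: a matched literal may be a public client id rather than a secret, and the generic rule will miss keys built at runtime from fragments.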

Common Vulnerabilities

Cleartext Communications

In Android applications before 7.0 (API level 24), cleartext traffic was allowed by default. The 7.0 release introduced the Network Security Configuration (NSC) feature, allowing developers to customize network security settings through a declarative XML file. It wasn't until the release of Android 9 (API level 28) that cleartext traffic was disabled by default.

To use an NSC file, it must be declared in the application's AndroidManifest.xml file:

<manifest ... >
    <application
        android:networkSecurityConfig="@xml/network_security_config"
        ... >
        <!-- Place child elements of <application> element here. -->
    </application>
</manifest>

The res/xml/network_security_config.xml file must be created manually, with cleartextTrafficPermitted set to "false" to override the insecure default. The base-config element has to sit inside the network-security-config root element, or the file will not parse:

<network-security-config>
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
</network-security-config>
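As an added example, not from the original page: a Python check that takes a decoded AndroidManifest.xml and network_security_config.xml (for instance from the apktool output shown earlier) and works out whether the app allows cleartext traffic, following the precedence the platform applies. It goes a little beyond the text by also honoring the android:usesCleartextTraffic manifest attribute, which sits between the targetSdkVersion default and an NSC file, and it reports the case the text warns about: an NSC file that exists but is never declared in the manifest does nothing. The manifests and NSC files embedded below are constructed samples, not from a real app; nested domain-config elements and debug-overrides are not handled.

```python
import xml.etree.ElementTree as ET
from typing import Dict, Optional

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed samples standing in for the decoded manifest and NSC file of an app.
OLD_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.instant">
    <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="26"/>
    <application android:label="Instant"/>
</manifest>"""

HARDENED_MANIFEST = OLD_MANIFEST.replace(
    '<application android:label="Instant"/>',
    '<application android:label="Instant" android:networkSecurityConfig="@xml/network_security_config"/>',
)

MODERN_MANIFEST = OLD_MANIFEST.replace('android:targetSdkVersion="26"', 'android:targetSdkVersion="33"')

HARDENED_NSC = """<network-security-config>
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors><certificates src="system"/></trust-anchors>
    </base-config>
</network-security-config>"""

LEGACY_NSC = """<network-security-config>
    <base-config cleartextTrafficPermitted="false"/>
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="true">legacy.example.com</domain>
    </domain-config>
</network-security-config>"""


def parse_bool(value: Optional[str], fallback: bool) -> bool:
    return fallback if value is None else value.strip().lower() == "true"


def cleartext_policy(manifest_xml: str, nsc_xml: Optional[str] = None) -> dict:
    """Effective cleartext policy, in the platform's precedence order:
    NSC file > android:usesCleartextTraffic > targetSdkVersion default."""
    manifest = ET.fromstring(manifest_xml)
    uses_sdk = manifest.find("uses-sdk")
    target_sdk = int(uses_sdk.get(ANDROID_NS + "targetSdkVersion", "1")) if uses_sdk is not None else 1
    app = manifest.find("application")

    # 1. Platform default: cleartext is blocked by default only from API level 28.
    permitted = target_sdk < 28
    source = f"platform default (targetSdkVersion={target_sdk})"

    # 2. android:usesCleartextTraffic on <application> overrides that default (API 23+).
    flag = app.get(ANDROID_NS + "usesCleartextTraffic") if app is not None else None
    if flag is not None:
        permitted = parse_bool(flag, permitted)
        source = "android:usesCleartextTraffic"

    # 3. The NSC file wins over both, but only when the manifest actually references it:
    #    a res/xml/network_security_config.xml that is never declared has no effect.
    referenced = app is not None and app.get(ANDROID_NS + "networkSecurityConfig") is not None
    domain_overrides: Dict[str, bool] = {}
    if referenced and nsc_xml is not None:
        nsc = ET.fromstring(nsc_xml)
        base = nsc.find("base-config")
        if base is not None and base.get("cleartextTrafficPermitted") is not None:
            permitted = parse_bool(base.get("cleartextTrafficPermitted"), permitted)
            source = "network_security_config base-config"
        # Top-level <domain-config> entries override the base policy per domain.
        for dc in nsc.findall("domain-config"):
            attr = dc.get("cleartextTrafficPermitted")
            if attr is None:
                continue
            for dom in dc.findall("domain"):
                domain_overrides[(dom.text or "").strip()] = parse_bool(attr, permitted)

    return {
        "cleartext_permitted": permitted,
        "source": source,
        "nsc_referenced": referenced,
        "domain_overrides": domain_overrides,
    }


if __name__ == "__main__":
    for label, args in (("old app", (OLD_MANIFEST,)),
                        ("old app, NSC not declared", (OLD_MANIFEST, HARDENED_NSC)),
                        ("hardened app", (HARDENED_MANIFEST, HARDENED_NSC)),
                        ("hardened app with legacy host", (HARDENED_MANIFEST, LEGACY_NSC))):
        print(label, "->", cleartext_policy(*args))
```

When reviewing a real app, feed the function the manifest and NSC file from the apktool output directory; a domain-config that re-enables cleartext for a "legacy" host is a finding in its own right, since that traffic is just as interceptable as if the base policy allowed it.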

ZipSlip

Resources


iOS Pentesting

Jailbreak for iPhone 5s through iPhone X, iOS 12.0 and up

Interesting Books
