Android Penetration Testing: From Memory Leaks to Exploitation

Android penetration testing involves finding weaknesses in Android applications: memory leaks that keep secrets alive in the process, insecure data storage, and denial-of-service (DoS) flaws in exported components. This guide covers practical steps, tools and commands to find, exploit and fix them.

You Should Know:

1. Identifying Memory Leaks

Memory leaks keep objects (and any secrets they hold) alive in the heap long after they are needed, and eventually crash the app with an OutOfMemoryError. Use these tools:
– Android Debug Bridge (ADB), to watch the footprint grow: a heap (PSS) that climbs steadily while you repeat the same screen is the sign of a leak, and a heap dump (am dumpheap, or Android Studio's Memory Profiler) tells you which objects are retained:

adb shell dumpsys meminfo <package_name>

– LeakCanary (for developers):

Add to `build.gradle`:

debugImplementation 'com.squareup.leakcanary:leakcanary-android:2.12'

2. Exploiting Memory Leaks

If the leaked objects hold sensitive data (a session token, a password, a key), the next question is whether you can read the process's memory. On a stock device that needs root; a debuggable build can be reached with run-as instead. Start by listing the mappings, because /proc/<pid>/mem cannot be read from offset 0 (cat fails with an I/O error) and must be read at the addresses the maps file reports:

adb shell su -c "cat /proc/<pid>/maps"

Then dump one readable region at a time, with <start> and <end> copied from a maps line and written as 0x-prefixed hex (the addresses are page-aligned, so a 4096-byte block size works):

adb exec-out su -c "dd if=/proc/<pid>/mem bs=4096 skip=\$((<start>/4096)) count=\$(((<end>-<start>)/4096))" > dumped_memory.hex

Search the dump with strings, or analyze it with GDB or Radare2. Drop the -d flag: it attaches a live debugger and is not meant for a static file:

r2 -AAA dumped_memory.hex
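The same search done from inside the process with Frida, as an added example that is not part of the original post. It uses Process.enumerateRanges and Memory.scanSync instead of /proc/<pid>/mem, so it works on anything frida-server can attach to (a rooted device or emulator, or an app repackaged with frida-gadget). The needle value ('Bearer '), the 64 MiB range cap and the script name memscan.js are assumptions to adapt to the target; the helper functions are small enough to test on the host under Node before loading the script.

```javascript
'use strict';
// Added example (not from the original post): search a live app's memory for a
// secret from inside the process with Frida instead of reading /proc/<pid>/mem.
// Usage (frida-server running on a rooted device or emulator):
//   frida -U -n <app_name> -l memscan.js
// NEEDLE and MAX_RANGE are assumptions: set NEEDLE to the prefix of the token or
// password you expect to find.

const NEEDLE = 'Bearer ';
const MAX_RANGE = 64 * 1024 * 1024;   // skip giant anonymous mappings (graphics, JIT arenas)

// Memory.scanSync takes a hex byte pattern such as "42 65 61". ASCII needles only:
// ART stores ASCII-only java.lang.String one byte per char (compressed strings,
// Android 8 and later), so an ASCII needle matches Java strings directly.
function toScanPattern(text) {
  const bytes = [];
  for (let i = 0; i < text.length; i++) {
    const c = text.charCodeAt(i);
    if (c > 0x7f) throw new Error('toScanPattern: ASCII needles only');
    bytes.push(c.toString(16).padStart(2, '0'));
  }
  return bytes.join(' ');
}

// Keep ranges worth scanning: readable, not oversized, and not backed by a
// device node (/dev/ashmem, /dev/kgsl-...), which are slow and never hold app secrets.
function selectRanges(ranges, maxSize) {
  return ranges.filter(r =>
    r.protection[0] === 'r' &&
    r.size <= maxSize &&
    !(r.file && r.file.path.startsWith('/dev/')));
}

// Scan every selected range. A range can vanish or contain a guard page between
// enumeration and scan, so a failed scan is treated as "nothing here".
function scanProcess(needle) {
  const pattern = toScanPattern(needle);
  const hits = [];
  for (const r of selectRanges(Process.enumerateRanges('r--'), MAX_RANGE)) {
    let matches;
    try {
      matches = Memory.scanSync(r.base, r.size, pattern);
    } catch (e) {
      continue;
    }
    for (const m of matches) {
      let preview;
      try { preview = hexdump(m.address, { length: 64, header: false, ansi: false }); }
      catch (e) { preview = '<unreadable>'; }
      hits.push({ address: m.address, where: r.file ? r.file.path : '[anon]', preview });
    }
  }
  return hits;
}

// Only run the scan inside Frida; under Node the helpers above can be unit-tested.
if (typeof Process !== 'undefined' && typeof Memory !== 'undefined') {
  const hits = scanProcess(NEEDLE);
  console.log(`[*] ${hits.length} hit(s) for ${JSON.stringify(NEEDLE)}`);
  for (const h of hits) console.log(`[*] ${h.address} in ${h.where}\n${h.preview}`);
}
```

Unlike the dd approach this needs no knowledge of the mapping layout, and a hit in an anonymous range is the Java heap or a native allocation, which is exactly where a leaked token lives. On devices older than Android 8 scan the UTF-16 form of the needle as well, since those runtimes store every String as two bytes per character.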

3. Denial-of-Service (DoS) Testing

Crash an app through one of its exported components; a single crafted intent is usually enough, and a "flood" is just the same command in a shell loop. The crash comes from the receiver mishandling the extra (unexpected type, null, oversized value), not from a buffer overflow in Java code, so read the stack trace in logcat to see what it tripped on. Only exported components are reachable from the adb shell without root:

adb shell am broadcast -n <package>/<component> --es "key" "overflow_data_here" 

4. Reverse Engineering APKs

Decode the APK with APKTool (AndroidManifest.xml, resources and smali). If you only have the app installed, pull it off the device first with adb shell pm path <package> and adb pull:

apktool d target.apk -o output_dir 

Decompile to Java with JADX; the exported components in the manifest feed step 3, and hardcoded keys or endpoints are the classic finds:

jadx-gui target.apk 

5. Dynamic Analysis with Frida

Hook Android methods; this script logs every Activity creation and then calls the original so the app keeps running:

Java.perform(() => { 
  // Java.use() resolves the class inside the target app's ART runtime
  let Activity = Java.use("android.app.Activity"); 
  // Pick the overload explicitly: onCreate also has a (Bundle, PersistableBundle) form
  Activity.onCreate.overload('android.os.Bundle').implementation = function(bundle) { 
    console.log("[*] Activity created: " + this.getClass().getName()); 
    // Always call through, or the hooked activity never initialises
    this.onCreate(bundle); 
  }; 
}); 

Run with:

frida -U -l script.js -f <package_name> 
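A more useful set of hooks for the memory-leak and insecure-storage themes of this page, as an added example rather than code from the original post: instead of hunting for secrets in a dump, catch them where the app hands them to the platform. The three hooked APIs (javax.crypto.Cipher.doFinal, the SecretKeySpec constructor and SharedPreferencesImpl$EditorImpl.putString) are real Android classes; what to log and the script name secrets.js are assumptions.

```javascript
'use strict';
// Added example (not from the original post): catch secrets at the API boundary.
// Usage: frida -U -f <package_name> -l secrets.js
// What to log and the script name are assumptions; the hooked classes are real Android APIs.

// Frida hands a Java byte[] to JS as an array-like of signed bytes (-128..127).
function bytesToHex(arr) {
  let s = '';
  for (let i = 0; i < arr.length; i++) s += (arr[i] & 0xff).toString(16).padStart(2, '0');
  return s;
}

// Printable preview of the first `max` bytes; anything outside 0x20..0x7e becomes '.'
// so raw key material and ciphertext do not wreck the terminal.
function asciiPreview(arr, max) {
  let s = '';
  for (let i = 0; i < Math.min(arr.length, max); i++) {
    const b = arr[i] & 0xff;
    s += (b >= 0x20 && b <= 0x7e) ? String.fromCharCode(b) : '.';
  }
  return s;
}

function hookSecrets() {
  // Cipher.doFinal(byte[]) sees plaintext on encrypt and produces it on decrypt,
  // whatever the app does with the key afterwards.
  const Cipher = Java.use('javax.crypto.Cipher');
  Cipher.doFinal.overload('[B').implementation = function (input) {
    const out = this.doFinal(input);           // call through first, keep the app working
    console.log(`[*] Cipher.doFinal(${this.getAlgorithm()})` +
                ` in=${bytesToHex(input)} "${asciiPreview(input, 48)}"` +
                ` out=${bytesToHex(out)} "${asciiPreview(out, 48)}"`);
    return out;
  };

  // Raw key bytes pass through this constructor for AES/HMAC keys built in app code.
  // Keystore-backed keys never come this way, so a key here means the app manages
  // key material itself.
  const SecretKeySpec = Java.use('javax.crypto.spec.SecretKeySpec');
  SecretKeySpec.$init.overload('[B', 'java.lang.String').implementation = function (key, alg) {
    console.log(`[*] SecretKeySpec(${alg}) key=${bytesToHex(key)}`);
    return this.$init(key, alg);
  };

  // Plaintext SharedPreferences writes are the insecure-data-storage issue the intro mentions.
  const Editor = Java.use('android.app.SharedPreferencesImpl$EditorImpl');
  Editor.putString.overload('java.lang.String', 'java.lang.String').implementation = function (k, v) {
    console.log(`[*] SharedPreferences.putString(${k}) = ${v}`);
    return this.putString(k, v);
  };
}

// Only install the hooks inside Frida; the helpers above can be tested on the host under Node.
if (typeof Java !== 'undefined' && Java.available) Java.perform(hookSecrets);
```

Each hook runs the original and returns its result, so the app behaves normally. A doFinal hook shows plaintext regardless of the key-management scheme, which is usually the fastest way to confirm what an app encrypts and with what, and a putString hook turns "insecure data storage" from a suspicion into a logged key and value.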

6. Securing Android Apps

  • Enable code shrinking and obfuscation for release builds in build.gradle (R8 on current Android Gradle Plugin versions; ProGuard-syntax rules still apply). This raises the cost of the reverse engineering in step 4 but does not prevent it:
    android {
        buildTypes {
            release {
                minifyEnabled true 
                proguardFiles getDefaultProguardFile('proguard-android-optimize.txt'), 'proguard-rules.pro'
            }
        }
    }
    
  • Attest device and app integrity with the Play Integrity API (the SafetyNet Attestation API it replaces is deprecated), and verify the verdict on your server, never only in the client.
  • Do not hold secrets longer than needed: keep them in byte[] or char[] and zero them after use, and store tokens and keys in the Android Keystore rather than plaintext SharedPreferences.

What Undercode Say:

Android penetration testing requires a mix of static and dynamic analysis. Memory leaks matter once the retained objects hold secrets and an attacker can read process memory (root, or an injected Frida agent); DoS flaws in exported components disrupt app functionality. Reverse engineering uncovers hidden logic and hardcoded material, and tools like Frida enable runtime manipulation. Always test in a controlled environment, on a device or emulator you own, and patch findings promptly.

Expected Output:

  • Extracted memory data (dumped_memory.hex)
  • Decompiled APK code (output_dir/)
  • Frida hook logs ([*] Activity created: <class name>)

Prediction:

As Android apps grow more complex, automated tools like MobSF and QARK will dominate penetration testing, but manual reverse engineering will remain critical for advanced exploits.


References:

Reported By: Muhamad Rizki – Hackers Feeds