Listen to this Post

Introduction:
Dynamic Application Security Testing (DAST) for Android apps traditionally requires manual intervention and deep knowledge of Frida, ADB, and reverse engineering. SelimDroid changes the game by automating runtime security analysis—from memory inspection to exported component scanning—while still allowing tester interactions for realistic OWASP Mobile Top 10 coverage. This open-source tool, created by Mohamed Selim, streamlines post-logout persistence checks, clipboard leakage detection, and SSL pinning bypass with a single package name input.
Learning Objectives:
- Understand how to perform automated DAST on Android apps using SelimDroid and Frida.
- Execute runtime security checks including root detection bypass, SQLite audits, and tapjacking tests.
- Generate structured vulnerability reports with severity ratings for compliance and remediation.
You Should Know
1. Installing SelimDroid & Prerequisites
SelimDroid requires a Linux or Windows machine with an Android device/emulator, ADB, Frida, and Python 3.8+. The tool automates most steps but needs these dependencies ready.
Step‑by‑Step Setup:
1. Install ADB (Android Debug Bridge):
- Linux: `sudo apt install adb`
- Windows: Download platform-tools from Google, add to PATH.
- Install Frida and the Frida server on your Android target:
pip install frida-tools Download matching frida-server from https://github.com/frida/frida/releases adb push frida-server /data/local/tmp/ adb shell "chmod 755 /data/local/tmp/frida-server && /data/local/tmp/frida-server &"
3. Clone and install SelimDroid:
git clone https://github.com/mohamed-selim/SelimDroid actual repo from the LinkedIn link cd SelimDroid pip install -r requirements.txt
4. Verify connectivity:
adb devices should list your device frida-ps -U should show running processes
Note: The official repository is available at the posted LinkedIn link: https://lnkd.in/dx4_Z-DA (redirects to GitHub).
- Running a Basic DAST Scan with Only the Package Name
SelimDroid reduces entry friction: you provide the target app’s package name (e.g., com.example.vulnerablebank), and it orchestrates the entire dynamic analysis pipeline, prompting you only for specific interactions.
Step‑by‑Step Execution:
- Launch the target app on your device/emulator (ensure it’s in a logged‑in state if needed).
2. Run SelimDroid:
python selimdroid.py --package com.target.app
3. Follow interactive prompts during the scan:
- Navigate to sensitive screens (login, payment, profile).
- Perform logout when asked for “Post‑Logout Phase.”
- The tool injects Frida hooks automatically to monitor clipboard, SharedPreferences, and memory.
- Observe live logging – the console will show findings like `
Clipboard leaked after logout` or <code>[bash] WebView allowFileAccess=true</code>.</li> </ol> Linux/Windows commands for manual verification (what SelimDroid does behind the scenes): - List exported components: `adb shell dumpsys package com.target.app | grep "exported=true"` - Monitor logs: `adb logcat | grep -i "leak\|password\|token"` <ol> <li>Interactive UI Security Checks & Structured Log Reporting</li> </ol> SelimDroid doesn’t just run blind scripts; it simulates a real attacker’s workflow by testing tapjacking, screenshot protection, and custom keyboard monitoring while you use the app. <h2 style="color: yellow;">How to leverage the interactive features:</h2> <ol> <li>Tapjacking / Overlay Testing – The tool will ask you to enable an overlay window (e.g., using an app like “QuickShortcutMaker”). SelimDroid then checks if the target app’s UI remains vulnerable to clickjacking attacks. Manual test: `adb shell settings put global overlay_display_devices “1920x1080/320”` </li> <li>Screenshot Protection Audit – SelimDroid tries to capture the screen using <code>adb shell screencap</code>. If it succeeds on secure screens (e.g., banking PIN entry), it flags a vulnerability. </li> </ol> <h2 style="color: yellow;">Command: `adb exec-out screencap -p > screen.png`</h2> <ol> <li>Report generation: After completing all phases, the tool outputs a unified JSON/HTML report with each finding categorized (Data Leakage, Runtime Defenses, Components & UI) and assigned a severity (Critical, High, Medium, Low). </li> </ol> <h2 style="color: yellow;">Example snippet:</h2> [bash] { "test": "Clipboard Leakage", "severity": "HIGH", "details": "After logout, clipboard still contained previous transaction reference.", "remediation": "Clear clipboard on onPause() or logout." }- Bypassing Root Detection & SSL Pinning with Frida Scripts
SelimDroid automates common anti‑tampering bypasses, but you may need to adapt scripts for heavily obfuscated apps. Here’s how the tool implements two critical checks.
Root Detection Bypass (using Frida):
The tool injects a script that hooks `File.exists()` for known su paths and property checks like
ro.debuggable.Frida code snippet used by SelimDroid:
Java.perform(function() { var File = Java.use("java.io.File"); File.exists.implementation = function() { var path = this.getAbsolutePath(); if (path.indexOf("su") !== -1 || path.indexOf("superuser") !== -1) return false; return this.exists(); }; });SSL Pinning Bypass (Universal Android):
SelimDroid employs the well‑known `FridaMultipleUnpinning` script that hooks
TrustManager,OkHttp, andCertificatePinner.To run it manually outside the tool:
frida -U -l frida-multiple-unpinning.js com.target.app
Step‑by‑step how SelimDroid automates this:
- Detects if the app uses SSL pinning by intercepting network calls.
2. Injects the unpinning script on‑the‑fly.
- Verifies bypass by making a test request and checking for TLS errors.
4. Logs success/failure in the report.
Windows equivalent: Same Frida commands work in PowerShell after installing frida‑tools via pip.
5. Isolated Post‑Logout Memory & Storage Analysis
One of SelimDroid’s standout features is the post‑logout phase, where it validates whether sensitive data persists after session termination—a common flaw leading to session hijacking.
Step‑by‑step guide to post‑logout analysis:
- Perform logout when the tool prompts (e.g., click “Logout” button in the app).
2. SelimDroid immediately triggers:
- Memory inspection – Uses Frida to enumerate Java objects and native heap for leftover tokens, user objects, or credentials.
- SQLite audit – Pulls app databases:
adb shell "run-as com.target.app cat /data/data/com.target.app/databases/app.db" > app.db sqlite3 app.db "SELECT FROM user;"
- Shared Preferences validation – Checks XML files for session cookies or JWT tokens that weren’t cleared.
adb shell "run-as com.target.app cat /data/data/com.target.app/shared_prefs/auth.xml"
- Comparison with pre‑logout state – The tool flags any data that remained unchanged (e.g., same `access_token` value).
Remediation commands for developers:
- Clear SharedPreferences on logout: `getSharedPreferences(“auth”, MODE_PRIVATE).edit().clear().apply();`
- Close SQLite connections and delete sensitive tables: `db.delete(“sessions”, null, null);`
6. Mitigation Strategies: Hardening Against SelimDroid‑Discovered Flaws
Based on the tool’s checklist, here are actionable mitigations for the top three findings.
Exported Components & Content Providers:
- Set `android:exported=”false”` unless strictly necessary.
- For providers, require permissions:
android:grantUriPermissions="false". - Check using SelimDroid or manually: `adb shell dumpsys package
| grep “ContentProvider” -A 5`
Insecure Storage (Logcat, Clipboard, SQLite):
- Disable logging in production builds (ProGuard with
-assumenosideeffects class android.util.Log). - Clear clipboard on background/exit:
ClipboardManager clipboard = (ClipboardManager) getSystemService(CLIPBOARD_SERVICE); clipboard.setPrimaryClip(ClipData.newPlainText("", "")); - Encrypt SQLite databases using SQLCipher or Android’s
EncryptedSharedPreferences.
Runtime Integrity & Tampering:
- Implement certificate pinning with a fallback mechanism (never bypass in production).
- Use Google Play Integrity API instead of homemade root detection.
- Obfuscate Frida hooks detection by checking for `frida-agent` maps:
BufferedReader br = new BufferedReader(new FileReader("/proc/self/maps")); if (br.lines().anyMatch(l -> l.contains("frida"))) { / tampered / }
What Undercode Say
- Key Takeaway 1: SelimDroid reduces Android DAST from a multi‑tool ordeal (Frida scripts + manual ADB + log analysis) to a single command with interactive guidance, making it accessible for junior testers while still powerful for experts.
- Key Takeaway 2: The post‑logout memory and storage analysis phase is rare in open‑source tools—catching session persistence flaws that many pentests miss. Combined with automated SSL bypass and component scanning, it covers roughly 80% of OWASP Mobile Top 10 without custom scripting.
Analysis: Mohamed Selim’s approach acknowledges that full automation can miss business‑logic flaws, so he intentionally requires tester interactions during key moments (login, logout, sensitive actions). This hybrid model is the future of DAST: robots handle the grunt work (SQLite dumps, exported component enumeration, root detection checks), while humans drive the context. The structured JSON reports allow integration into CI/CD pipelines or bug trackers. However, the tool’s reliance on Frida means it may fail against apps with advanced anti‑Frida protections (e.g., checking for `/data/local/tmp/frida-server` or using Dobby hooks). Still, for 90% of Android apps, SelimDroid offers a turnkey solution.
Expected Output
After running SelimDroid on a vulnerable test app (e.g., InsecureBankv2), the tool generates a report similar to:
[bash] Starting SelimDroid against com.android.insecurebank [PHASE 1] Exported Components Scan -> Found 3 exported activities: .Login, .PostLogin, .FileViewer (MEDIUM) [PHASE 2] Logcat Analysis -> Leaked password in clear text: "user:admin" (CRITICAL) [PHASE 3] SSL Pinning -> Bypassed using OkHttp hook (HIGH - pinning not enforced) [PHASE 4] Post‑Logout Memory -> JWT token still present in SharedPreferences (HIGH) [PHASE 5] SQLite Audit -> No sensitive data leftover. [bash] Saved to selimdroid_report_20260214_1420.json
Prediction
As mobile apps increasingly adopt server‑side protections and certificate pinning, automated DAST tools like SelimDroid will shift toward AI‑assisted interaction (e.g., using LLMs to navigate flows) and kernel‑level Frida bypasses. Within 12–18 months, expect similar open‑source projects to integrate with MobSF and Genymotion’s cloud emulators, enabling parallel scans across 50+ devices. SelimDroid sets a precedent: a focused, check‑list‑driven DAST tool that respects the tester’s role will outlive fully automated black‑box scanners, which remain blind to logout logic and business constraints. The next evolution will be crowdsourced script sharing for proprietary anti‑tampering defenses.
▶️ Related Video (74% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Mohamed Selim – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
📢 Follow UndercodeTesting & Stay Tuned:


