Introduction:
Android penetration testing is a critical discipline for identifying vulnerabilities in the world’s most popular mobile operating system. As applications handle increasingly sensitive data, mastering the tools and techniques for assessing their security is paramount for any red team operator or security professional. This guide provides a hands-on arsenal of verified commands and methodologies to emulate real-world threats against Android applications.
Learning Objectives:
- Master the setup of a dynamic analysis environment for Android applications (APKs).
- Execute fundamental static and dynamic analysis techniques to identify common vulnerabilities.
- Leverage advanced tools for deep-dive assessment, including hooking and traffic interception.
You Should Know:
1. Setting Up Your Android Assessment Lab
Before any testing begins, a proper lab environment is essential. This involves setting up an emulator or connecting a physical device with developer options enabled.
Verified Commands & Guide:
# Update package list and install essential tools
sudo apt update && sudo apt install adb fastboot apktool jadx -y
# Check if the device is connected and authorized
adb devices -l
# Get a shell on the device
adb shell
Step-by-step guide: This set of commands prepares your Linux machine for Android testing. First, update your package manager and install the Android Debug Bridge (adb), Apktool, and JADX. The `adb devices` command lists all connected Android devices or emulators. Ensure your device is in “Developer Mode” and has “USB Debugging” enabled. A successful connection will show the device serial number. The `adb shell` command drops you into a Linux shell on the Android device, allowing for direct command execution.
2. Extracting and Decompiling the APK
Static analysis begins with obtaining the application’s code. The APK file, which is essentially a ZIP archive, can be decompiled to examine its resources and smali code, or reverse-engineered to produce semi-readable Java source code.
Verified Commands & Guide:
# Pull the APK from the connected device
adb shell pm list packages -f | grep -i "targetapp"
adb shell pm path com.example.targetapp
adb pull /system/app/TargetApp/TargetApp.apk ./TargetApp.apk
# Decompile with Apktool to get Smali code and resources
apktool d TargetApp.apk -o TargetApp_Decompiled
# Reverse engineer to Java-like code using JADX
jadx -d TargetApp_JADX TargetApp.apk
Step-by-step guide: Use `adb shell pm list packages -f` (or `pm path`) to find the full on-device path of the installed application package. Then use `adb pull` to download the APK file to your machine. Apktool decodes the resources and converts the Dalvik bytecode (dex files) to Smali, a human-readable assembly-like language. JADX performs a more advanced decompilation, attempting to reconstruct Java source code, which is significantly easier to audit for logic flaws and vulnerabilities.
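Once apktool has decoded the APK, the first file worth reading is AndroidManifest.xml. The script below, added here as an example and not part of the original post, flags the manifest settings an auditor checks first: debuggable, allowBackup, usesCleartextTraffic, and components reachable by other apps (exported explicitly, or implicitly via an intent-filter) without a guarding permission. The sample manifest is constructed; point audit_manifest() at the apktool output (e.g. TargetApp_Decompiled/AndroidManifest.xml) for a real app.

```python
"""Audit an apktool-decoded AndroidManifest.xml for risky settings.
Added example, not from the original post; the manifest below is constructed."""
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
COMPONENTS = ("activity", "service", "receiver", "provider")

# Constructed sample standing in for TargetApp_Decompiled/AndroidManifest.xml.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.targetapp">
  <application android:debuggable="true" android:allowBackup="true"
               android:usesCleartextTraffic="true">
    <activity android:name=".LoginActivity" android:exported="true"/>
    <activity android:name=".AdminActivity" android:exported="true"
              android:permission="com.example.targetapp.ADMIN"/>
    <receiver android:name=".SyncReceiver">
      <intent-filter><action android:name="com.example.SYNC"/></intent-filter>
    </receiver>
    <provider android:name=".DataProvider" android:authorities="com.example.targetapp.data"
              android:exported="false"/>
  </application>
</manifest>"""


def audit_manifest(xml_text):
    """Return sorted (tag, detail) findings: debug/backup/cleartext flags and
    components reachable by other apps without a guarding permission."""
    app = ET.fromstring(xml_text).find("application")
    findings = []
    for flag in ("debuggable", "allowBackup", "usesCleartextTraffic"):
        if app.get(ANDROID + flag) == "true":
            findings.append(("application", f"{flag}=true"))
    for comp in app:
        if comp.tag not in COMPONENTS:
            continue
        exported = comp.get(ANDROID + "exported")
        # Before Android 12 a component with an intent-filter and no explicit
        # android:exported attribute is exported implicitly.
        implicit = exported is None and comp.find("intent-filter") is not None
        if (exported == "true" or implicit) and comp.get(ANDROID + "permission") is None:
            how = "implicitly" if implicit else "explicitly"
            findings.append((comp.tag, f"{comp.get(ANDROID + 'name')} exported {how}, no permission"))
    return sorted(findings)
```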
3. Traffic Interception with Proxy Tools
Dynamic analysis often requires inspecting the network traffic between the app and its backend servers. This helps identify issues like unencrypted communication, weak authentication, and insecure API endpoints.
Verified Commands & Guide:
# Configure proxy settings on the Android device via ADB
adb shell settings put global http_proxy 192.168.1.100:8080
# To remove the proxy
adb shell settings delete global http_proxy
adb shell settings delete global global_http_proxy_host
adb shell settings delete global global_http_proxy_port
Step-by-step guide: Replace `192.168.1.100` with the IP address of your machine running a proxy tool like Burp Suite or OWASP ZAP. This command configures the Android device to route all HTTP/HTTPS traffic through your proxy. You must also install the proxy’s CA certificate on the Android device to intercept HTTPS traffic. Place the certificate in the user store and ensure the device is configured to trust it for successful MITM (Man-in-the-Middle) interception.
4. Bypassing SSL Pinning
Many applications employ SSL certificate pinning to prevent proxies from intercepting their traffic. Bypassing this is crucial for a thorough assessment. Tools like Frida and Objection are industry standards.
Verified Commands & Guide:
# Install Frida server on the Android device (pick the build matching the device CPU)
adb push frida-server-16.1.7-android-x86 /data/local/tmp/frida-server
adb shell "chmod 755 /data/local/tmp/frida-server"
adb shell "/data/local/tmp/frida-server &"
# Use Objection to bypass SSL pinning
frida-ps -Ua
objection -g com.example.targetapp explore
# inside the objection REPL:
android sslpinning disable
Step-by-step guide: After pushing the correct architecture version of Frida server to the device and making it executable, you run it in the background. The `frida-ps -Ua` command lists running applications on the USB-connected device. Finally, Objection is used to inject a Frida script into the target application that hooks into common pinning logic libraries (like OkHttp, TrustKit) and disables them, allowing your proxy to intercept the traffic.
5. Root Detection Bypass
Similar to SSL pinning, applications may implement root detection to prevent execution on compromised devices. Objection can also be used to bypass common root checks.
Verified Commands & Guide:
# Using Objection to bypass root detection
objection -g com.example.targetapp explore
# inside the objection REPL:
android root disable
Step-by-step guide: This simple Objection command works by hooking into common methods used to detect root, such as checking for the presence of the `su` binary, specific packages like SuperSU, or the device’s build properties. When these methods are called, the hook returns a false value, tricking the application into believing it is running on a non-rooted device.
6. Analyzing Application Databases and Shared Preferences
Sensitive data is often stored locally in SQLite databases and Shared Preferences files. Inspecting these can reveal hardcoded keys, passwords, or other sensitive information.
Verified Commands & Guide:
# Find the application's database and Shared Preferences files (requires root)
adb shell "su -c 'find /data/data -name \"*.db\"'"
adb shell "su -c 'find /data/data -name \"*.xml\"'"
# Pull a database file for local inspection
adb exec-out "su -c 'cat /data/data/com.example.targetapp/databases/users.db'" > users.db
# Open the database using the sqlite3 CLI
sqlite3 users.db
.tables
SELECT * FROM users;
Step-by-step guide: The `find` commands, run with root privileges via `su`, locate all database (`*.db`) and XML (Shared Preferences) files within the apps’ private data directories. You can then pull these files to your host machine for analysis. Using the `sqlite3` command-line interface, you can list all tables (`.tables`) and query them (`SELECT * FROM users;`) to extract stored data, which might include session tokens or poorly encrypted credentials.
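To triage the pulled files faster than reading them by hand in sqlite3, the following script, added here as an example and not from the original post, applies simple name and value heuristics to a Shared Preferences XML document and to every table of a SQLite database. The prefs document and the users.db stand-in are constructed; scan_sqlite() takes a sqlite3 connection to a pulled database.

```python
"""Triage pulled Shared Preferences XML and SQLite databases for secrets.
Added example, not from the original post; all inputs below are constructed."""
import re
import sqlite3
import xml.etree.ElementTree as ET

# Heuristics: names that usually hold credentials or session material, and
# value shapes (JWT, 32+ hex chars, long base64-like blob). Expect false positives.
KEY_RE = re.compile(r"pass(word|wd)?|pwd|secret|token|api[_-]?key|auth|session|jwt", re.I)
VALUE_RE = re.compile(r"^(eyJ[\w-]+\.[\w-]+\.[\w-]+|[0-9a-f]{32,}|[A-Za-z0-9+/]{24,}={0,2})$")

# Constructed sample shared_prefs file (an Android <map> document).
SAMPLE_PREFS = """<map>
  <string name="username">alice</string>
  <string name="password">hunter2</string>
  <string name="auth_token">eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2lnbmF0dXJl</string>
  <boolean name="remember_me" value="true" />
  <int name="launch_count" value="3" />
</map>"""


def _suspicious(name, value):
    return bool(KEY_RE.search(name) or (isinstance(value, str) and VALUE_RE.match(value)))


def scan_prefs(xml_text):
    """Return [(key, value)] for entries whose name or value looks like a secret."""
    hits = []
    for elem in ET.fromstring(xml_text):
        key = elem.get("name", "")
        value = elem.text if elem.text is not None else elem.get("value", "")
        if _suspicious(key, value):
            hits.append((key, value))
    return hits


def scan_sqlite(con):
    """Return [(table, column, value)] over every table of an open sqlite3 connection."""
    hits = []
    tables = [t for (t,) in con.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        cols = [r[1] for r in con.execute(f'PRAGMA table_info("{table}")')]
        for row in con.execute(f'SELECT * FROM "{table}"'):
            hits += [(table, c, v) for c, v in zip(cols, row) if _suspicious(c, v)]
    return hits


def sample_db():
    """Constructed in-memory stand-in for a pulled users.db."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users(id INTEGER, name TEXT, pwd_hash TEXT, note TEXT)")
    con.execute("INSERT INTO users VALUES (1, 'alice', '5f4dcc3b5aa765d61d8327deb882cf99', 'hi')")
    return con
```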
7. Dynamic Instrumentation with Frida Scripts
For more sophisticated bypasses or to manipulate application logic at runtime, custom Frida scripts are indispensable. They allow you to hook into Java and native functions.
Verified Commands & Guide:
// Example Frida script (hook_android.js) to hook a login method
Java.perform(function() {
    var LoginActivity = Java.use("com.example.targetapp.LoginActivity");
    // If verifyPassword is overloaded, select the variant with .overload("java.lang.String")
    LoginActivity.verifyPassword.implementation = function(password) {
        console.log("[+] verifyPassword called with: " + password);
        var result = this.verifyPassword(password); // call the original for logging
        console.log("[+] verifyPassword result: " + result);
        return true; // Always return true to bypass login
    };
});
Step-by-step guide: Save this JavaScript code to a file, e.g., hook_android.js. The script uses Frida’s `Java.use` to get a reference to the `LoginActivity` class and overrides the `verifyPassword` method. Every time the app calls this method, your hook will execute, printing the supplied password to the console and then forcing the method to return true, effectively bypassing the authentication. Run it with: frida -U -l hook_android.js -f com.example.targetapp --no-pause (on Frida 16 and later the spawned app resumes automatically and `--no-pause` is no longer accepted, so omit it).
What Undercode Say:
- The Barrier to Entry is Lowering: Tools like Objection and Frida have dramatically simplified advanced techniques like pinning and root bypass, making what was once a highly specialized skill more accessible to a broader range of security testers.
- Comprehensive Testing is a Multi-Tool Effort: No single tool is sufficient. A professional assessment requires a layered approach, combining static analysis (JADX), dynamic analysis (proxy), and deep runtime manipulation (Frida) to uncover the full spectrum of vulnerabilities.
The proliferation of powerful, scriptable frameworks means defenders must assume that SSL pinning and root detection are merely speed bumps for a determined attacker. The focus must shift towards robust secure coding practices, runtime application self-protection (RASP), and rigorous server-side validation, as the client-side defenses can and will be bypassed.
Prediction:
The continued automation and integration of these mobile pentesting tools into CI/CD pipelines will make security testing a more standard part of the development lifecycle. However, this will be met with increasingly sophisticated client-side protection SDKs, leading to an ongoing arms race between app developers and pentesters. The future of mobile app security will hinge on AI-powered code analysis that can predict vulnerability patterns and automated runtime protection that can adapt to new hooking techniques in real-time.
Reported By: 0xfrost Android – Hackers Feeds