Android Penetration Testing Guide

In the last 20 years the world we live in has changed significantly. We went from relying on a simple piece of paper with a bunch of marks on it to a new era where technology is the only thing we trust. It contains all our data, everything from our names or birth dates to our credit cards and bindings. So one can only expect the best security measures have been taken to make sure our information is safe. While in the world of web it might be the case, I’m afraid that the mobile world didn’t recieve the same amount of attention.

DISCLAIMER

Attempting to hack or even extract apk without explicit permission from the owner is illegal. This information is provided for educational purposes only and should not be used for any illegal or unauthorized purposes.

Now we can start analysing, First you need an app for testing Luckily owasp mobile posted a list of target apps made for pentest called crack-me

Or if you want to test on a real app you can pull the app from the phone connect the phone to the computer,

adb shell pm list packages
adb shell pm path com.app.name
adb pull /path/to/app.apk

if you have multiple phones you can add -s with the serial number or just set a default one.

adb devices
export ANDROID_SERIAL=[SERIAL]

or just download the apk from the appstore directly using apk downloader

You can use online tools like MobSF to automatically test for vulns but be aware that your report is public and everyone can see it.

Step 1: extract the apk

To get the java code I would recommand using jadx or dex2jar

jadx app.apk -d code
d2j -f app.apk

And for getting the smali code and resources you could use apktool

apktool d test.apk -o testResources

to extract the native code c/cpp libraries you can use ghidra or cutter

Step 2: static analysis

Go through the code and look for human errors. Gather as much information as you can, look for Any strings that are saved in plain text using apkurlgrep

apkurlgrep -a app.apk

and try to look for any information in the code that could help throught the dynamic analysis.

There are no strict rules to static analysis the goal is just to go through the code and try to understand the functionality and methods of the target application just based on the java or native code, look for any defense mechanism that you will have to bypass and try to understand how they work.

Step 3: dynamic analysis

Frida is a great tool for dynamic analysis, it allows you to override functions in live action start the frida server

adb shell "/data/local/tmp/frida-server &"

bypass anti debugger

frida -U --codeshare meerkati/universal-android-debugging-bypass -f pakcage --no-pause

bypass ssl pinning:

frida -U --codeshare pcipolloni/universal-android-ssl-pinning-bypass-with-frida -f 

resources:

hacktricks