This is more of a checklist for myself. May contain useful tips and tricks. Still need to add a lot of things.
Everything was tested on Kali Linux v2023.1 (64-bit) and Samsung A5 (2017) with Android OS v8.0 (Oreo) and Magisk root v25.2.
Check Magisk if you want to root your Android device. I have no liability over your actions.
For help with any of the tools type <tool_name> [-h | -hh | --help] or man <tool_name>.
If you didn't already, read OWASP MSTG and OWASP MASVS. You can download OWASP MSTG checklist from here.
Highly recommend reading HackTricks - Android Applications Pentesting.
Websites that you should use while writing the report:
- cwe.mitre.org/data
- owasp.org/projects
- owasp.org/www-project-mobile-top-10
- cheatsheetseries.owasp.org
- nvd.nist.gov/vuln-metrics/cvss/v3-calculator
- nvd.nist.gov/ncp/repository
- attack.mitre.org
My other cheat sheets:
Future plans:
- install Burp Proxy and ZAP certificates,
- test widgets, push notifications, and Firebase,
- deeplink hijacking, task hijacking, intent hijacking,
- intent provider injections, content provider injections, broadcast receiver injections,
- SMALI code injection,
- WebView attacks,
- create more Frida scripts.
- WiFi ADB - Debug Over Air
- Magisk Frida
- Magisk SQLite 3
- Kali Linux Tools
- Java
- Apktool
- Mobile Security Framework (MobSF)
- Drozer
1. Basics
- Android Debug Bridge (ADB)
- Install/Uninstall an APK
- Pull an APK (base.apk)
- Download/Upload Files and Directories
- Bypassing Permission Denied
3. Search for Files and Directories
5. Deeplinks
6. Frida
7. Objection
8. Drozer
10. Repackage an APK
11. Miscellaneous
12. Tips and Security Best Practices
Install WiFi ADB - Debug Over Air. To be used with ADB.
Figure 1 - WiFi ADB - Debug Over Air
Download Magisk Frida, then, open your Magisk app and install Frida by importing the downloaded archive.
Figure 2 - Magisk Frida
Download Magisk SQLite 3, then, open your Magisk app and install SQLite 3 by importing the downloaded archive.
Install required tools on your Kali Linux:
apt-get -y install docker.io
systemctl start docker
apt-get -y install adb dex2jar jadx nuclei radare2 sqlite3 sqlitebrowser xmlstarlet zipalign
pip3 install frida-tools objection file-scraper
More information about my tool can be found at ivan-sincek/file-scraper.
Make sure that Frida and Objection are always up to date:
pip3 install --upgrade frida-tools objection
Install:
apt-get -y install default-jdk
More Java/JDK versions can be found at oracle.com/java/technologies/downloads/archive.
To switch between multiple Java/JDK versions, run:
update-alternatives --config java
update-alternatives --config javac
Download and install:
apt-get -y install aapt
wget https://raw.githubusercontent.com/iBotPeaches/Apktool/master/scripts/linux/apktool -O apktool
chmod +x apktool && cp apktool /usr/local/bin/apktool
wget https://bitbucket.org/iBotPeaches/apktool/downloads/apktool_2.7.0.jar -O apktool.jar
chmod +x apktool.jar && cp apktool.jar /usr/local/bin/apktool.jarInstall:
docker pull opensecurity/mobile-security-framework-mobsf
Run:
docker run -it --rm --name mobsf -p 8000:8000 opensecurity/mobile-security-framework-mobsf
Navigate to http://localhost:8000 using your preferred web browser.
Uninstall:
docker image rm opensecurity/mobile-security-framework-mobsf
Install:
docker pull fsecurelabs/drozer
Run:
docker run -it --rm --name drozer fsecurelabs/drozer
Download Drozer Agent and install it either manually or by using ADB.
Uninstall:
docker image rm fsecurelabs/drozer
Start the server:
adb start-server
Stop the server:
adb kill-server
List attached devices:
adb devices
Connect to a remote device using WiFi ADB:
adb connect 192.168.1.10:5555
Open a system shell as non-root:
adb shell
Open a system shell as root:
adb shell su
Install an APK (specify -s to install the APK to a removable storage):
adb install someapp.apk
adb install -s someapp.apk
Uninstall an APK (specify -k to keep the data and cache directories):
adb uninstall com.someapp.dev
adb uninstall -k com.someapp.dev
adb shell pm list packages 'keyword' | cut -d ':' -f2
adb pull $(adb shell pm path com.someapp.dev | cut -d ':' -f2 | grep 'base.apk') ./Pull an APK by specific keyword (one-liner):
keyword="keyword"; pkg=$(adb shell pm list packages "${keyword}" | head -n 1 | cut -d ':' -f2); adb pull $(adb shell pm path "${pkg}" | cut -d ':' -f2 | grep 'base.apk') ./Some of the internal storage paths:
cd /data/local/tmp/
cd /data/data/com.someapp.dev/cache/
cd /data/user/0/com.someapp.dev/cache/
cd /mnt/sdcard/Android/data/com.someapp.dev/cache/
cd /storage/emulated/0/Android/data/com.someapp.dev/cache/
cd /mnt/sdcard/Android/obb/com.someapp.dev/cache/
cd /storage/emulated/0/Android/obb/com.someapp.dev/cache/
cd /mnt/media_rw/3664-6132/Android/data/com.someapp.dev/files
cd /storage/3664-6132/Android/data/com.someapp.dev/files
Number 0 in both, /data/user/0/ and /storage/emulated/0/ paths, represents the first user in a multi-user device.
Don't confuse /mnt/sdcard/ path with a real removable storage path because sometimes such path is device specific, so you will need to search it on the internet or extract it using some Java code. In my case it is /mnt/media_rw/3664-6132/ path.
XML --> Java Method --> Path
<files-path/> --> getContext().getFilesDir() --> /data/user/0/com.someapp.dev/files
<cache-path/> --> getContext().getCacheDir() --> /data/user/0/com.someapp.dev/cache
<external-path/> --> Environment.getExternalStorageDirectory() --> /storage/emulated/0
<external-files-path/> --> getContext().getExternalFilesDir("") --> /storage/emulated/0/Android/data/com.someapp.dev/files
<external-cache-path/> --> getContext().getExternalCacheDir() --> /storage/emulated/0/Android/data/com.someapp.dev/cache
<external-media-path/> --> getContext().getExternalMediaDirs() --> /storage/emulated/0/Android/media/com.someapp.dev
/storage/3664-6132/Android/media/com.someapp.dev
- --> getContext().getExternalFilesDirs("") --> /storage/emulated/0/Android/data/com.someapp.dev/files
/storage/3664-6132/Android/data/com.someapp.dev/files
Tilde ~ is short for the root directory.
Download a file or directory from your Android device:
adb pull ~/somefile.txt ./
adb pull ~/somedir ./
Keep in mind that not all directories have the write and/or execute permission; regardless, you can always upload files to and execute from /data/local/tmp/ directory.
Upload a file or directory to your Android device:
adb push somefile.txt /data/local/tmp/
adb push somedir /data/local/tmp/
Empty directories will not be uploaded.
Download a file from your Android device:
adb shell su -c 'cat ~/somefile.txt' > somefile.txt
adb shell su -c 'run-as com.someapp.dev cat ~/somefile.txt' > somefile.txtDownload a directory from your Android device:
dir="somedir"; IFS=$'\n'; for subdir in $(adb shell su -c "find \"${dir}\" -type d"); do mkdir -p ".${subdir}"; done; for file in $(adb shell su -c "find \"${dir}\" -type f"); do adb shell su -c "cat \"${file// /\\\ }\"" > ".${file}"; done;Upload a file or directory to your Android device:
src="somefile.txt"; dst="/data/data/com.someapp.dev/"; tmp="/data/local/tmp/"; base=$(basename "${src}"); adb push "${src}" "${tmp}"; adb shell su -c "cp -r \"${tmp}${base}\" \"${dst}\" && rm -rf \"${tmp}${base}\""Search for files and directories from the root directory:
find / -iname '*keyword*'Search for files and directories in the app specific directories (run env in Objection):
cd /data/user/0/com.someapp.dev/
cd /storage/emulated/0/Android/data/com.someapp.dev/
cd /storage/emulated/0/Android/obb/com.someapp.dev/If you want to download a whole directory from your Android device, see section Download/Upload Files and Directories.
I preffer downloading the app specific directories, and then doing the file inspection on my Kali Linux.
Search for files and directories from the current directory:
find . -iname '*keyword*'
for keyword in 'access' 'account' 'admin' 'card' 'cer' 'conf' 'cred' 'customer' 'email' 'history' 'info' 'json' 'jwt' 'key' 'kyc' 'log' 'otp' 'pass' 'pem' 'pin' 'plist' 'priv' 'refresh' 'salt' 'secret' 'seed' 'setting' 'sign' 'sql' 'token' 'transaction' 'transfer' 'tar' 'txt' 'user' 'zip' 'xml'; do find . -iname "*${keyword}*"; doneSearch for files and directories in SharedPreferences insecure storage directory:
cd /data/user/0/com.someapp.dev/shared_prefs/The files should not be world-readable (e.g. -rw-rw-r--):
ls /data/user/0/com.someapp.dev/shared_prefs/ -alThe production build should not be debuggable.
Download a file from SharedPreferences as non-root:
adb exec-out run-as com.someapp.dev cat /data/user/0/com.someapp.dev/shared_prefs/somefile.xml > somefile.xmlIf the production build is debuggable, it is possible to get the read access rights to the app specific directories as a low-privileged user by leveraging run-as command.
SharedPreferences is unencrypted and backed up by default, and as such, should not contain any sensitive data after user logs out - it should be cleared by calling SharedPreferences.Editor.clear(). It should also be excluded from backups by specifying dataExtractionRules inside app's AndroidManifest.xml.
Inspect memory dumps, binaries, files inside a decompiled APK, files inside the app specific directories, or any other files.
After you finish testing [and logout], don't forget to download the app specific directories and inspect all the files inside. Inspect what is new and what still persists after logout.
There will be some false positive results since the regular expressions are not perfect. I prefer to use rabin2 over strings because it can read Unicode characters.
On your Android device, try to modify app's files to test the filesystem checksum validation, i.e. to test the file integrity validation.
Search for hardcoded sensitive data:
rabin2 -zzzqq somefile | grep -Pi '[^\w\d\n]+(?:basic|bearer)\ .+'
rabin2 -zzzqq somefile | grep -Pi '(?:access|account|admin|basic|bearer|card|conf|cred|customer|email|history|id|info|jwt|key|kyc|log|otp|pass|pin|priv|refresh|salt|secret|seed|setting|sign|token|transaction|transfer|user)[\w\d]*(?:\"\ *\:|\ *\=).+'
rabin2 -zzzqq somefile | grep -Pi '[^\w\d\n]+(?:bug|comment|fix|issue|note|problem|to(?:\_|\ |)do|work)[^\w\d\n]+.+'Extract URLs, deeplinks, IPs, etc.:
rabin2 -zzzqq somefile | grep -Po '\w+\:\/\/[\w\-\.\@\:\/\?\=\%\&\#]+' | sort -uf | tee urls.txt
rabin2 -zzzqq somefile | grep -Po '(?:\b25[0-5]|\b2[0-4][0-9]|\b[01]?[0-9][0-9]?)(?:\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3}' | sort -uf | tee ips.txtExtract all strings and decode Base64 strings:
rabin2 -zzzqq somefile | sort -uf > strings.txt
grep -Po '(?:[a-zA-Z0-9\+\/]{4})*(?:[a-zA-Z0-9\+\/]{4}|[a-zA-Z0-9\+\/]{3}\=|[a-zA-Z0-9\+\/]{2}\=\=)' strings.txt | sort -uf > base64.txt
for string in $(cat base64.txt); do res=$(echo "${string}" | base64 -d 2>/dev/null | grep -PI '[\s\S]+'); if [[ ! -z $res ]]; then echo -n "${string}\n${res}\n\n"; fi; done | tee base64_decoded.txtSearch for hardcoded sensitive data:
IFS=$'\n'; for file in $(find . -type f); do echo -n "\nFILE: \"${file}\"\n"; rabin2 -zzzqq "${file}" 2>/dev/null | grep -Pi '[^\w\d\n]+(?:basic|bearer)\ .+'; done
IFS=$'\n'; for file in $(find . -type f); do echo -n "\nFILE: \"${file}\"\n"; rabin2 -zzzqq "${file}" 2>/dev/null | grep -Pi '(?:access|account|admin|basic|bearer|card|conf|cred|customer|email|history|id|info|jwt|key|kyc|log|otp|pass|pin|priv|refresh|salt|secret|seed|setting|sign|token|transaction|transfer|user)[\w\d]*(?:\"\ *\:|\ *\=).+'; done
IFS=$'\n'; for file in $(find . -type f); do echo -n "\nFILE: \"${file}\"\n"; rabin2 -zzzqq "${file}" 2>/dev/null | grep -Pi '[^\w\d\n]+(?:bug|comment|fix|issue|note|problem|to(?:\_|\ |)do|work)[^\w\d\n]+.+'; doneExtract URLs, deeplinks, IPs, etc.:
IFS=$'\n'; for file in $(find . -type f); do rabin2 -zzzqq "${file}" 2>/dev/null; done | grep -Po '\w+\:\/\/[\w\-\.\@\:\/\?\=\%\&\#]+' | grep -Piv '\.(css|gif|jpeg|jpg|ogg|otf|png|svg|ttf|woff|woff2)' | sort -uf | tee urls.txt
IFS=$'\n'; for file in $(find . -type f); do rabin2 -zzzqq "${file}" 2>/dev/null; done | grep -Po '(?:\b25[0-5]|\b2[0-4][0-9]|\b[01]?[0-9][0-9]?)(?:\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3}' | sort -uf | tee ips.txtExtract all strings and decode Base64 strings:
IFS=$'\n'; for file in $(find . -type f); do rabin2 -zzzqq "${file}" 2>/dev/null; done | sort -uf > strings.txt
grep -Po '(?:[a-zA-Z0-9\+\/]{4})*(?:[a-zA-Z0-9\+\/]{4}|[a-zA-Z0-9\+\/]{3}\=|[a-zA-Z0-9\+\/]{2}\=\=)' strings.txt | sort -uf > base64.txt
for string in $(cat base64.txt); do res=$(echo "${string}" | base64 -d 2>/dev/null | grep -PI '[\s\S]+'); if [[ ! -z $res ]]; then echo -n "${string}\n${res}\n\n"; fi; done | tee base64_decoded.txtAutomate all of the above file scraping (and more) with a single tool.
apt-get -y install radare2
pip3 install file-scraperfile-scraper -dir source -o results.html -e default
More about my other project at ivan-sincek/file-scraper.
Use adb to download database files, and then open them using DB Browser for SQLite.
To inspect the content, navigate to Browse Data tab, expand Table dropdown menu, and select the desired table.
Figure 3 - DB Browser for SQLite
To inspect and/or edit database files on your Android device directly, use SQLite 3; adb to your Android device and run the following commands:
sqlite3 somefile
.dump
.tables
SELECT * FROM sometable;
.quitDownload mobile Nuclei templates:
git clone https://github.com/optiv/mobile-nuclei-templates ~/mobile-nuclei-templates
Decode an APK using Apktool.
Search for hardcoded sensitive data:
echo decoded | nuclei -t ~/mobile-nuclei-templates/Keys -o nuclei_keys_results.txt
cat nuclei_keys_results.txt | grep -Po '(?<=\]\ ).+' | sort -uf > nuclei_keys_results_sorted.txt
echo decoded | nuclei -t ~/mobile-nuclei-templates/Android -o nuclei_android_results.txt
cat nuclei_android_results.txt | grep -Po '(?<=\]\ ).+' | sort -uf > nuclei_android_results_sorted.txtCreate a backup of the whole Android device:
adb backup -system -apk -shared -all -f backup.ab
Create a backup of a specific app:
adb backup -nosystem -noapk -noshared -f backup.ab com.someapp.dev
App should not backup any sensitive data.
Restore from a backup:
adb restore backup.ab
Download the latest Android Backup Extrator, and repackage a backup:
java -jar abe.jar unpack backup.ab backup.tar
java -jar abe.jar pack backup.tar backup.ab
Test /.well-known/assetlinks.json using developers.google.com/digital-asset-links/tools/generator.
To do.
Useful resources:
- frida.re
- learnfrida.info
- codeshare.frida.re
- github.com/dweinstein/awesome-frida
- github.com/interference-security/frida-scripts
- github.com/m0bilesecurity/Frida-Mobile-Scripts
- github.com/WithSecureLabs/android-keystore-audit
List processes:
frida-ps -Uai
frida-ps -Uai | grep -i 'keyword'Get PID for a specified keyword:
frida-ps -Uai | grep -i 'keyword' | cut -d ' ' -f 1Discover internal methods/calls:
frida-discover -U -f com.someapp.dev | tee frida_discover.txtTrace internal methods/calls:
frida-trace -U -p 1337
frida-trace -U -p 1337 -i 'recv*' -i 'send*'Bypass SSL Pinning using android-ssl-pinning-bypass-2 script:
frida -U -no-pause -l android-ssl-pinning-bypass-2.js -f com.someapp.dev
frida -U -no-pause --codeshare ivan-sincek/android-ssl-pinning-bypass-2 -f com.someapp.dev
I prefer to use the built-in method in Objection.
For this Frida script to work, you need to push your Burp Proxy or ZAP certificate to a specific location with the specific name cacert.der:
adb push cacert.der /data/local/tmp/cacert.der
Bypass SSL Pinning using android-ssl-pinning-bypass script:
frida -U -no-pause -l android-ssl-pinning-bypass.js -f com.someapp.dev
frida -U -no-pause --codeshare ivan-sincek/android-ssl-pinning-bypass -f com.someapp.dev
I prefer to use the built-in method in Objection.
Useful resources:
Run:
objection -g com.someapp.dev explore
Run a Frida script in Objection:
import somescript.js
objection -g com.someapp.dev explore --startup-script somescript.js
Get environment variables:
env
List KeyStore:
android keystore list
Dump app's memory to a file:
memory dump all mem.dmp
Dump app's memory after e.g. 10 minutes of inactivity, then, check if sensitive data is still in the memory. See section 4. Inspect Files.
In case Objection detaches from the app, use the process ID to attach it back without restarting the app.
Search app's memory directly:
memory search 'somestring' --stringList classes and methods:
android hooking list classes
android hooking search classes com.someapp.dev
android hooking search classes 'keyword'
android hooking list class_methods 'someclass'
android hooking search methods com.someapp.dev 'someclass'Hook on a class or method:
android hooking watch class 'someclass'
android hooking watch class_method 'somemethod' --dump-args --dump-backtrace --dump-returnChange the method's return value:
android hooking set return_value 'somemethod' falseMonitor the clipboard:
android clipboard monitor
Bypass a root detection:
android root disable --quiet
objection -g com.someapp.dev explore --startup-command 'android root disable --quiet'Bypass SSL pinning:
android sslpinning disable --quiet
objection -g com.someapp.dev explore --startup-command 'android sslpinning disable --quiet'Also, you can import Frida script.
Connect to a remote agent:
drozer console connect --server 192.168.1.10
List modules and show module details:
list
run somemodule --help
List packages:
run app.package.list
run app.package.list -f 'keyword'
run app.package.backup
run app.package.debuggable
Show a package information:
run app.package.info -a com.someapp.dev
Show app's AndroidManifest.xml:
run app.package.manifest com.someapp.dev
In case Drozer cannot fetch the whole manifest file, decode an APK using Apktool and inspect the file manually.
Show app's attack surface:
run app.package.attacksurface com.someapp.dev
List exported activities and intent filters:
run app.activity.info -i -a com.someapp.dev
Start an activity:
run app.activity.start --help
run app.activity.start --component com.someapp.dev com.someapp.dev.SomeActivity
run app.activity.start --component com.someapp.dev com.someapp.dev.SomeActivity --action android.intent.action.SOMEACTION --data-uri somescheme://somehost --extra string someKey someValue
Drozer is not able to pass arrays, lists, objects, etc. to intent filters due to console interface limitations.
List exported and unexported content providers:
run app.provider.info -a com.someapp.dev
run app.provider.info -u -a com.someapp.dev
List, try to query, and do a vulnerability scan for all content providers' URIs:
run app.provider.finduri com.someapp.dev
run scanner.provider.finduris -a com.someapp.dev
run scanner.provider.injection -a com.someapp.dev
run scanner.provider.sqltables -a com.someapp.dev
run scanner.provider.traversal -a com.someapp.dev
Get the Java source code from an APK.
d2j-dex2jar + jadx gives the best results. But, it also gives a different directory structure, so you might want to decompile both, base.jar and base.apk.
Convert an APK to a JAR:
d2j-dex2jar base.apk -o base.jar
Decompile:
jadx -j $(grep -c 'processor' /proc/cpuinfo) -d /root/Desktop/source/ /root/Desktop/base.jarMake sure to specify a full path to the output directory; otherwise, it will default to /usr/share/jadx/bin/ directory (i.e. to the root directory).
Make sure to specify a full path to the base.jar (preferred) or base.apk; otherwise, JADX might not recognize it.
To inspect the source code using GUI, run the following command and open either base.jar (preferred) or base.apk:
jadx-gui
To resolve java.lang.OutOfMemoryError issue, modify /usr/bin/d2j-dex2jar by increasing the heap size specified in -Xms and -Xmx parameters, for example:
java -Xms1024m -Xmx4096m -classpath "${_classpath}" "com.googlecode.dex2jar.tools.Dex2jarCmd" "$@"
Sometimes, for some reason, MobSF might not want to parse your APK; in such case, try to decode and repackage your APK, and then upload it again.
Get the SMALI source code from an APK. Convenient for quickly fetching and inspecting app's AndroidManifest.xml.
apktool decode base.apk -o decoded
Always inspect /decoded/res/values/values.xml for sensitive data.
Decode an APK without decoding the sources and resources:
apktool decode -r -s base.apk -o decoded
Create a repackaged APK from the decoded directory:
apktool build -f decoded -o repackaged.apk
ZIP align all the files inside the repackaged APK:
zipalign -v 4 repackaged.apk
Generate a code signing certificate:
keytool -genkey -keyalg RSA -validity 365 -keysize 2048 -storetype PKCS12 -alias apk_rsa_priv -keystore apk_rsa_priv.key -storepass 12345678
Code sign the repackaged APK:
jarsigner -sigalg SHA256withRSA -digestalg SHA-256 -tsa http://timestamp.digicert.com -keystore apk_rsa_priv.key -storepass 12345678 repackaged.apk apk_rsa_priv
Verify the repackaged APK's code signature:
jarsigner -verify -certs repackaged.apk
On your Kali Linux, run the following command:
adb logcat | grep 1337
Or, get the PID from a keyword:
keyword="keyword"; adb logcat | grep $(frida-ps -Uai | grep -i "${keyword}" | tr -s '[:blank:]' ' ' | cut -d ' ' -f 1)
On your Kali Linux, download the latest fsmon version from GitHub, upload it to your Android device, give it necessary permissions, and run it:
adb push fsmon-and-arm /data/local/tmp/
adb shell su
chmod 777 /data/local/tmp/fsmon-and-arm
/data/local/tmp/fsmon-and-arm /data/data/com.someapp.dev/Always look for created or cached files, images/screenshots, etc.
Sensitive files such as know your customer (KYC) and similar, should not persists in the app specific directories on the user device after the file upload.
Images/screenshots path:
cd /mnt/sdcard/DCIM
cd /storage/emulated/0/DCIM
cd /mnt/media_rw/3664-6132/DCIM
cd /storage/3664-6132/DCIM
Bypass any keyboard restriction by copying and pasting data into an input field.
Access tokens should be short lived, and if possible, invalidated on logout.
Don't forget to test widgets, push notifications, and Firebase.
Only if explicitly allowed, try flooding 3rd party APIs to cause possible monetary damage to the company, or denial-of-service (DoS) by exhausting the allowed quotas / limits.
App should not disclose sensitive data in the predictive text (due to incorrectly defined input field type), app switcher, and push notifications.
App should warn a user when taking a screenshot of sensitive data.
App should warn a user that it is trivial to bypass biometrics authentication if Android device is jailbroken.
Production app (i.e. build) should never be debuggable.
- zxing.org/w/decode.jspx (decode QR codes)
- odinforum.com (firmware flashing tool for Samsung devices)
- samfrew.com (firmwares for Samsung devices)