
Android Pentesting

Table of Contents


APK Decompilation

Quick Check (One-liner)

# Quick APK analysis
apktool d app.apk -o decompiled && grep -rE "password|api_key|secret|token" decompiled/

Using apktool

https://github.com/iBotPeaches/Apktool

# Decompile APK
apktool d app.apk

# Decompile with output directory
apktool d app.apk -o output_folder

# Force decompile (overwrite existing)
apktool d -f app.apk

Smali Files Location

# Main activity smali files
app/smali/com/example/appname/MainActivity.smali

# Find specific strings
grep -r "password" app/smali/
grep -r "api_key" app/smali/
grep -r "secret" app/smali/

Using jadx

https://github.com/skylot/jadx

# Decompile to Java source code
jadx app.apk

# Decompile with GUI
jadx-gui app.apk

# Export to directory
jadx -d output_folder app.apk

APK Modification

Rebuild APK

# Rebuild after modification
apktool b app_folder/ -o modified.apk

# Alternative with jar
java -jar apktool.jar b app_folder/ -o modified.apk

Sign APK

Generate Keystore

keytool -genkey -v -keystore my-release-key.keystore -alias myalias -keyalg RSA -keysize 2048 -validity 10000

Sign with jarsigner (legacy: the SHA1withRSA / SHA1 digest shown below is deprecated; prefer the apksigner flow)

jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-release-key.keystore modified.apk myalias

Sign with apksigner (Recommended)

# Align APK first (zipalign must run before apksigner; aligning an already-signed APK invalidates its signature)
zipalign -v 4 modified.apk modified-aligned.apk

# Sign with apksigner
apksigner sign --ks my-release-key.keystore --out signed.apk modified-aligned.apk

# Verify signature
apksigner verify signed.apk

ADB Commands

Device Connection

# List connected devices
adb devices

# Connect to device over WiFi (lab network only: the device keeps listening on TCP 5555 until it reboots or `adb usb` is run)
adb tcpip 5555
adb connect $device_ip:5555

# Restart ADB server
adb kill-server
adb start-server

# Get shell
adb shell
adb shell su     # Root shell

File Transfer

# Push file to device
adb push local_file /sdcard/

# Pull file from device
adb pull /sdcard/file local_file

# Pull APK from installed app (pull the path printed by `pm path`; on recent Android versions it carries a random directory suffix, so the literal path below usually does not exist)
adb shell pm path com.example.app
adb pull /data/app/com.example.app/base.apk

App Management

# List installed packages
adb shell pm list packages
adb shell pm list packages | grep target

# Install APK
adb install app.apk
adb install -r app.apk      # Replace existing
adb install -t app.apk      # Allow test APK

# Uninstall app
adb uninstall com.example.app

# Clear app data
adb shell pm clear com.example.app

# Get app info
adb shell dumpsys package com.example.app

Logcat

# View all logs
adb logcat

# Filter by tag
adb logcat -s "MainActivity"

# Filter by priority (V/D/I/W/E/F); quote the filter as '*:E' if your shell expands the *
adb logcat *:E

# Save to file
adb logcat > logs.txt

# Clear log buffer
adb logcat -c

Frida

Setup

# Install Frida
pip install frida-tools

# Download frida-server for Android
# https://github.com/frida/frida/releases

# Push to device
adb push frida-server /data/local/tmp/
adb shell chmod 755 /data/local/tmp/frida-server

# Run frida-server (as root; the server version must match the frida-tools version on the host)
adb shell su -c "/data/local/tmp/frida-server &"

SSL Pinning Bypass

# List running apps
frida-ps -U

# Spawn the app with the SSL bypass script loaded (-f spawns rather than attaches; on Frida 16+ spawning no longer pauses by default, so --no-pause may be rejected)
frida -U -f com.example.app -l ssl_bypass.js --no-pause

# Using objection
pip install objection
objection -g com.example.app explore
objection> android sslpinning disable

Universal SSL Bypass Script

// ssl_bypass.js
// Frida script: registers a permissive X509TrustManager and builds an SSLContext
// initialised with it. Note what is NOT here: no call hooks the app's own
// SSLContext / TrustManager / HTTP-client code paths and nothing installs the new
// context as the default, so whether the app's TLS validation is actually affected
// is not established by this script alone — the log line at the end is not evidence
// of a bypass.
Java.perform(function() {
    // Java class implementing javax.net.ssl.X509TrustManager whose check methods
    // never throw, i.e. any certificate chain passed to it is accepted.
    var TrustManager = Java.registerClass({
        name: 'com.custom.TrustManager',
        implements: [Java.use('javax.net.ssl.X509TrustManager')],
        methods: {
            checkClientTrusted: function(chain, authType) {},   // no-op: never rejects
            checkServerTrusted: function(chain, authType) {},   // no-op: never rejects
            getAcceptedIssuers: function() { return []; }       // empty issuer list
        }
    });
    
    // New "TLS" context using only the permissive trust manager. It is local to
    // this script: nothing below sets it as default or hands it to the app.
    var SSLContext = Java.use('javax.net.ssl.SSLContext');
    var sslContext = SSLContext.getInstance("TLS");
    sslContext.init(null, [TrustManager.$new()], null);
    
    // Printed unconditionally once the calls above succeed.
    console.log("[+] SSL Pinning Bypassed");
});

Common Vulnerabilities

Insecure Data Storage

# Check shared preferences (reading /data/data needs root, or `run-as <pkg>` for debuggable builds; quote the glob so the device shell expands it)
adb shell cat /data/data/com.example.app/shared_prefs/*.xml

# Check SQLite databases
adb shell ls /data/data/com.example.app/databases/
adb pull /data/data/com.example.app/databases/app.db
sqlite3 app.db ".tables"
sqlite3 app.db "SELECT * FROM users;"

Hardcoded Secrets

# Search in decompiled source
grep -r "api_key" .
grep -r "password" .
grep -r "secret" .
grep -r "token" .
grep -rE "[A-Za-z0-9]{32,}" .    # Long strings (potential keys)

Exported Components

# Check AndroidManifest.xml for exported=true (incomplete: below API 31, components with an intent-filter and no android:exported attribute are exported by default)
grep -i "exported=\"true\"" AndroidManifest.xml

# Launch exported activity
adb shell am start -n com.example.app/.AdminActivity

# Send broadcast to exported receiver
adb shell am broadcast -a com.example.CUSTOM_ACTION

See Also