Android

R3zk0n · October 2, 2025

Contents

    Taint Analysis (Appshark)

    • https://github.com/bytedance/appshark

    For Unknown Payloads (.bin files)

    • https://github.com/vm03/payload_dumper
    • Locate the magic bytes with xxd to identify the container before picking a tool (payload_dumper expects an Android A/B OTA payload; a ZIP, DEX or ELF header means a different tool)
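As an added example (not part of the original notes), a small POSIX shell script that does the xxd step programmatically: it reads the leading bytes with od, so it also works where xxd is missing, and classifies the handful of magics that turn up in Android work. The file names are placeholders; the magic values are the well-known ones for each format.

```shell
#!/bin/sh
# Added example: identify an unknown .bin by its leading magic bytes.
# Uses od (POSIX) rather than xxd so it runs on minimal hosts.

# Print the first N bytes of a file as lowercase hex, no separators.
hex_head() {
    # $1 = file, $2 = byte count (default 8)
    od -An -tx1 -N "${2:-8}" -v "$1" | tr -d ' \n'
}

# Map a hex prefix to a format. Well-known magics:
#   43724155 "CrAU"    Android A/B OTA payload.bin (what payload_dumper parses)
#   504b0304 "PK\3\4"  ZIP container (APK, JAR, split APKs)
#   6465780a "dex\n"   Dalvik executable (classes.dex)
#   7f454c46 "\x7fELF" native library or binary (lib*.so)
#   414e4452 "ANDR"    start of the "ANDROID!" boot image header
identify_magic() {
    case "$1" in
        43724155*) echo "android-ota-payload" ;;
        504b0304*) echo "zip" ;;
        6465780a*) echo "dex" ;;
        7f454c46*) echo "elf" ;;
        414e4452*) echo "android-bootimg" ;;
        *)         echo "unknown" ;;
    esac
}

identify_file() {
    identify_magic "$(hex_head "$1" 8)"
}

# Usage: ./magic.sh payload.bin other.bin ...
if [ "$#" -gt 0 ]; then
    for f in "$@"; do
        printf '%s: %s (%s)\n' "$f" "$(identify_file "$f")" "$(hex_head "$f" 8)"
    done
fi
```

The hex prefix is matched with a shell case pattern, so adding a format is one more line; an "unknown" result means fall back to a full `xxd | head` and strings, since the payload may be wrapped (e.g. an OTA zip containing payload.bin).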

    Install Android Tooling

    Android Studio

    https://developer.android.com/studio
    

    Genymotion

    https://www.genymotion.com/ (Desktop Version)
    

    Android Debug Bridge (ADB)

    Installation
    https://www.xda-developers.com/install-adb-windows-macos-linux/
    
    ADB Commands
    https://book.hacktricks.xyz/mobile-apps-pentesting/android-app-pentesting/adb-commands
    

    Decompilation

    • JADX - https://github.com/skylot/jadx - Can be run headless from the command line, which makes it suitable for mass decompilation of APK files.
    • JEB - https://www.pnfsoftware.com/jeb - JEB is far better at decompiling to Java and at handling native code and smali.

    Apktool (Obsolete)

    Decode resources to near original form
    Download:
    https://ibotpeaches.github.io/Apktool/
    

    Basic Commands

    Extracting Packages from Device

    List Packages
      + `adb shell pm list packages`
      + `adb shell pm path au.com.[app]`
    
    Pull Packages
      + `adb pull /data/app/com.example.someapp-2.apk path/to/desired/destination` (use the path printed by `pm path`; on recent Android the directory name is randomised and an app may ship as base.apk plus split_*.apk files, all of which need pulling)
    
    Analyse Packages (Decoding Manifest)
      + `~/Library/Android/sdk/tools/bin/apkanalyzer manifest print [APK_File]` (newer SDK installs ship apkanalyzer under `cmdline-tools/latest/bin/` instead)
      + Use JADX to extract manifest file
    
    Installation of APK files
      + `adb install [test].apk`
      + Drag + Drop
    
    Download (Most) APK files
      + Find application on Play Store
      + Use app.evozi.com to download
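Added example, not from the original notes: a shell script covering the list/path/pull steps above that also pulls split APKs, which the single-file adb pull form misses on modern devices. It assumes adb on PATH, one attached device, and a package-name substring passed on the command line.

```shell
#!/bin/sh
# Added example: pull every APK that makes up an installed package.

# Turn `pm path <pkg>` output ("package:/data/app/.../base.apk", one per line)
# into bare paths. Also strips the CR that adb shell adds on some hosts.
parse_pm_path() {
    tr -d '\r' | sed -n 's/^package://p'
}

# Resolve a package from a substring, refusing to guess between several hits.
find_package() {
    pkg=$(adb shell pm list packages | tr -d '\r' | sed -n 's/^package://p' | grep -F -- "$1")
    count=$(printf '%s\n' "$pkg" | grep -c .) || true
    if [ "$count" -ne 1 ]; then
        printf 'expected exactly one package matching %s, got %s:\n%s\n' "$1" "$count" "$pkg" >&2
        return 1
    fi
    printf '%s\n' "$pkg"
}

# Pull base.apk and any split_*.apk into <outdir>/<pkg>/
pull_package() {
    # $1 = package substring, $2 = output directory (default ./out)
    pkg=$(find_package "$1") || return 1
    dest="${2:-out}/$pkg"
    mkdir -p "$dest"
    adb shell pm path "$pkg" | parse_pm_path | while IFS= read -r path; do
        adb pull "$path" "$dest/"
    done
    ls "$dest"
}

# Usage: ./pull_apk.sh com.example.someapp [outdir]
if [ "$#" -gt 0 ]; then
    pull_package "$@"
fi
```

When the output shows several files, keep them together: JADX can open a split APK on its own but the manifest and most code live in base.apk, and reinstalling for testing needs `adb install-multiple` with all of them.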
    

    Install Burp Certificates

      + For Android Nougat (7.0) and later
        + System Level CA: https://blog.ropnop.com/configuring-burp-suite-with-android-nougat/
        + It's no longer possible to just install the Burp CA from the sdcard (as a user CA) and start intercepting app traffic.
        + Apps targeting API 24+ trust only system CAs unless their network security config explicitly opts in to user-added CAs, so the Burp CA has to be placed in /system/etc/security/cacerts, named by its old-style subject hash with a `.0` suffix.
      + Genymotion
        + https://security-simplified.com/blog/NDg/android-pentesting-with-genymotion-and-burp
      + Android 11+ (Annoying)
        + /system is read-only even with root, so the file cannot simply be pushed; the usual workarounds are a tmpfs mount over the cacerts directory (redone after every boot) or a Magisk module. Android 14 moved system CAs into the Conscrypt APEX, which breaks the tmpfs approach again.
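Added example (not the notes' own procedure nor the linked blog's script): the system-CA install as a shell script that picks the route by API level. It assumes a rooted emulator or device reachable over adb, openssl on the host, and Burp's CA exported as DER. The tmpfs route for Android 11 to 13 is the common community workaround and is an assumption about your device; it does not survive a reboot.

```shell
#!/bin/sh
# Added example: install Burp's CA as a system trust anchor on Android 7+.

# Android names system CA files <old-style subject hash>.0
cert_hash_filename() {
    # $1 = PEM certificate
    printf '%s.0\n' "$(openssl x509 -in "$1" -noout -subject_hash_old)"
}

der_to_pem() {
    # $1 = DER input (as exported by Burp), $2 = PEM output
    openssl x509 -inform DER -in "$1" -out "$2"
}

# Install route per API level (ro.build.version.sdk):
#   <= 28 : remount /system read-write and copy the file in
#   29..33: /system is read-only; overlay the cacerts dir with a tmpfs for this boot
#   >= 34 : Android 14 keeps system CAs in the Conscrypt APEX; the overlay no longer helps
install_strategy() {
    if [ "$1" -le 28 ]; then echo remount
    elif [ "$1" -le 33 ]; then echo tmpfs
    else echo apex; fi
}

install_burp_ca() {
    der="$1"; pem="${der%.der}.pem"
    der_to_pem "$der" "$pem"
    name=$(cert_hash_filename "$pem")
    cp "$pem" "$name"
    sdk=$(adb shell getprop ro.build.version.sdk | tr -d '\r')
    case "$(install_strategy "$sdk")" in
        remount)
            # Android Studio emulator must be started with -writable-system for this
            adb root && adb remount
            adb push "$name" /system/etc/security/cacerts/
            adb shell chmod 644 "/system/etc/security/cacerts/$name"
            adb reboot ;;
        tmpfs)
            adb root
            adb push "$name" "/data/local/tmp/$name"
            adb shell "mkdir -p /data/local/tmp/cacerts \
              && cp /system/etc/security/cacerts/* /data/local/tmp/cacerts/ \
              && mount -t tmpfs tmpfs /system/etc/security/cacerts \
              && cp /data/local/tmp/cacerts/* /system/etc/security/cacerts/ \
              && cp /data/local/tmp/$name /system/etc/security/cacerts/ \
              && chmod 644 /system/etc/security/cacerts/* \
              && chcon u:object_r:system_file:s0 /system/etc/security/cacerts/*" ;;
        apex)
            echo "Android 14+: system CAs live in the Conscrypt APEX; use a Magisk module or a debug build that trusts user CAs" >&2
            return 1 ;;
    esac
}

# Usage: ./burp_ca.sh cacert.der
if [ "$#" -gt 0 ]; then install_burp_ca "$1"; fi
```

After installing, check Settings > Security > Trusted credentials > System for a PortSwigger entry; if it shows under User instead, the app will still reject it.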
    

    Bypassing SSL Pinning via Frida (Android 7.0)

      + https://infosecwriteups.com/hail-frida-the-universal-ssl-pinning-bypass-for-android-e9e1d733d29
        + Install Frida (host side; the frida-server pushed to the device must match this version)
          + `pip install frida`
          + `pip install frida-tools`
          + `pip install objection`
        + Frida Javascript SSL Bypass Script
          + https://codeshare.frida.re/@pcipolloni/universal-android-ssl-pinning-bypass-with-frida/
        + Activating Frida + SSL Bypass
          + `adb shell getprop ro.product.cpu.abi` (arm64-v8a, armeabi-v7a, x86 or x86_64)
          + `frida --version` on the host, then download the matching `frida-server-<version>-android-<arch>.xz` from https://github.com/frida/frida/releases/ and decompress it
          + `adb push <path_to_frida-server> /data/local/tmp/frida-server`
          + `adb shell chmod 755 /data/local/tmp/frida-server` (executable is enough; 777 is not needed)
          + Install Burp Certificate (Follow instructions above)
          + `adb shell /data/local/tmp/frida-server &` (must run as root; on Magisk devices prefix with `su -c`)
          + `frida-ps -U -a` to confirm the server is reachable and list the running apps
        + `frida -U -f com.twitter.android -l D:\frida\fridascript.js --no-pause` (Frida 16 removed `--no-pause` and resumes the spawned process automatically; drop the flag on current versions)
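Added example (not from the original notes or the linked write-up): the "Activating Frida" steps as a script that derives the right frida-server build from the device ABI and the host frida version, pushes and starts it, then spawns the target with the bypass script. It assumes adb, frida-tools, curl and unxz on the host, a rooted device, and that you pass the package name and the script path.

```shell
#!/bin/sh
# Added example: push a matching frida-server and run a pinning-bypass script.

# Map ro.product.cpu.abi to the arch suffix used in frida-server release assets.
frida_arch_for_abi() {
    case "$1" in
        arm64-v8a)           echo arm64 ;;
        armeabi-v7a|armeabi) echo arm ;;
        x86)                 echo x86 ;;
        x86_64)              echo x86_64 ;;
        *) echo "unsupported ABI: $1" >&2; return 1 ;;
    esac
}

# Release asset URL, e.g. .../download/16.1.4/frida-server-16.1.4-android-arm64.xz
frida_server_url() {
    # $1 = frida version, $2 = device ABI
    arch=$(frida_arch_for_abi "$2") || return 1
    printf 'https://github.com/frida/frida/releases/download/%s/frida-server-%s-android-%s.xz\n' "$1" "$1" "$arch"
}

setup_frida_server() {
    ver=$(frida --version)                               # server must match host tools
    abi=$(adb shell getprop ro.product.cpu.abi | tr -d '\r')
    url=$(frida_server_url "$ver" "$abi") || return 1
    curl -fsSL -o frida-server.xz "$url"
    unxz -f frida-server.xz                              # leaves ./frida-server
    adb push frida-server /data/local/tmp/frida-server
    adb shell chmod 755 /data/local/tmp/frida-server     # executable is enough; 777 is not needed
    # -D daemonizes the server. Genymotion's adb shell is already root; on a
    # Magisk-rooted phone the su -c wrapper is what gives it root.
    adb shell "su -c '/data/local/tmp/frida-server -D'"
    frida-ps -U -a                                       # sanity check: lists running apps
}

# Spawn the target with the bypass script loaded. Current frida resumes the
# process itself; the old --no-pause flag is no longer accepted.
run_bypass() {
    # $1 = package name, $2 = frida script (e.g. the codeshare universal bypass)
    frida -U -f "$1" -l "$2"
}

# Usage: ./frida_setup.sh com.twitter.android fridascript.js
if [ "$#" -ge 2 ]; then
    setup_frida_server && run_bypass "$1" "$2"
fi
```

If `frida-ps -U` hangs or reports a version mismatch, the server and host tools disagree; the URL builder ties them together by design, so re-run the script after any `pip install -U frida-tools`.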
    

    Bypass Root / Emulator Detection

      + https://theoffensivelabs.medium.com/bypassing-root-detection-and-emulator-detection-in-android-apps-using-frida-e938109e468c
    

    Code Review Setup

    # JADX
    git clone https://github.com/skylot/jadx.git
    cd jadx
    ./gradlew dist
    /home/kali/Desktop/jadx/build/jadx/bin/jadx-gui
    
    Troubleshooting
    1. Outdated binary (the app was updated in the Play Store after the APK was pulled; re-pull it)
    2. SSL Pinning (Find Frida Script to bypass)
    3. Root Detection (Find Frida Script to bypass)
    4. Burp Certificate
    5. Burp Proxy Enabled
    6. Use Burp to intercept and debug
    7. Genymotion (Virtualbox could be outdated)
    8. VirtualBox - Host Only + NAT
    

    Android Theory

    Intents
      + Resources:
        + https://www.javatpoint.com/android-intent-tutorial
      + An Android Intent is the messaging object passed between components such as activities, content providers, broadcast receivers and services. An explicit intent names its target component; an implicit intent names only an action and lets the system resolve a receiver, which is why implicit intents carrying sensitive data can be picked up by other apps.
      + Android intents are mainly used to:
        + Start the service
        + Launch an activity
        + Display a web page
        + Display a list of contacts
        + Broadcast a message
        + Dial a phone call etc.
    

    Testing Android Application Basics

    Android Basics
      + https://payatu.com/blog/amit/Need-to-know-Android
      + https://blog.oversecured.com/
      + https://labs.withsecure.com/advisories/
    
    Android Vulnerability Basics
      + https://payatu.com/blog/amit/Penetrate_the_protected_component_in_android_Part-0
    
    View Android Manifest
      + JADX decompilation
      + Introduction to Android Manifest file
        + https://developer.android.com/guide/topics/manifest/manifest-intro
    
    Intent Redirection
      + https://payatu.com/blog/amit/Penetrate_the_protected_component_in_android_Part-0
    
    

    Code Review

    Cross App Scripting (https://hackerone.com/reports/401793)
      + loadUrl - a WebView loading a URL (or javascript: URI) taken from an Intent extra or deep link
      + evaluateJavascript - same sink, with attacker-controlled script text
    
    Intent Redirection
      + getExtras() - a nested Intent arriving as an extra from an untrusted caller
      + startActivity() - forwarding that embedded Intent launches non-exported components with the vulnerable app's identity
    
    Intent Broadcasting
      + sendBroadcast() - sensitive data in an implicit broadcast is readable by any app with a matching receiver
    
    Unprotected Activity
      + exported="true" - or, before targetSdk 31, any component with an intent-filter (exported by default); check for a missing android:permission
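Added example, not from the original notes: a first-pass triage script for the sinks listed above and for the "Unprotected Activity" manifest check, followed by the adb command that confirms an exported activity is reachable from an unprivileged context. It assumes a directory produced by `jadx -d <out> app.apk` (with sources/ and resources/AndroidManifest.xml); the sample files in the test are constructed.

```shell
#!/bin/sh
# Added example: grep-based triage of JADX output for the review checklist.

# Grep decompiled sources for the sink calls; prints file:line:match.
find_sinks() {
    # $1 = directory of .java files
    find "$1" -name '*.java' -exec grep -HnE \
        '(^|[^A-Za-z0-9_])(loadUrl|evaluateJavascript|getExtras|startActivity(ForResult)?|sendBroadcast)\(' {} +
}

# Components declared exported="true" with no android:permission attribute.
# Line-oriented on purpose: JADX writes each <activity ...> tag on one line;
# a hand-formatted manifest spanning lines needs a real XML parser instead.
unprotected_components() {
    # $1 = AndroidManifest.xml
    grep -E '<(activity|service|receiver|provider)[^>]*android:exported="true"' "$1" \
        | grep -v 'android:permission=' \
        | sed -n 's/.*android:name="\([^"]*\)".*/\1/p'
}

# Build the adb command that launches one of those activities with an optional
# string extra, to show the component is reachable without any permission.
am_start_cmd() {
    # $1 = package, $2 = activity (".Foo" or fully qualified), $3 = optional "key=value"
    cmd="adb shell am start -n $1/$2"
    if [ -n "$3" ]; then
        cmd="$cmd --es ${3%%=*} ${3#*=}"
    fi
    printf '%s\n' "$cmd"
}

# Usage: ./triage.sh <jadx output dir>
if [ "$#" -ge 1 ]; then
    echo "== sinks =="; find_sinks "$1/sources" || true
    echo "== exported, no permission =="; unprotected_components "$1/resources/AndroidManifest.xml"
fi
```

The sink list is the checklist above, not a complete one; a hit only marks a place to read, since the question is always whether the argument can be influenced by another app (an Intent extra, a deep-link URI, a content-provider row).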
    
    
