Mobile application security testing is a growing discipline as apps handle increasingly sensitive data. Android app pentesting involves static analysis (examining the APK without running it), dynamic analysis (testing the running app), and network traffic interception. This guide covers the essential toolkit and methodology for Android security assessments.
Lab Setup
You need:
- Kali Linux or any Linux distro as your workstation
- Android Studio with an emulator, or a physical Android device (preferably rooted)
- ADB (Android Debug Bridge) for device communication
- Genymotion or Android Studio AVD for emulation
Install ADB:
```bash
sudo apt install adb android-tools-adb
adb devices   # List connected devices
```
| Tool | Purpose |
|---|---|
| APKTool | Decompile/recompile APKs |
| jadx | Decompile APK to Java source |
| MobSF | Automated static + dynamic analysis |
| Frida | Dynamic instrumentation framework |
| Burp Suite | HTTP/HTTPS traffic interception |
| objection | Runtime mobile exploration (built on Frida) |
Step 1: Obtain and Decompile the APK
Get the APK from the device:
```bash
# Find the package name
adb shell pm list packages | grep appname
# Ask the package manager where the APK lives (the path layout differs between Android versions)
adb shell pm path com.target.app
# Pull it using that path, stripping the "package:" prefix and any trailing CR;
# apps shipped as split APKs print several paths, pull base.apk first
adb pull "$(adb shell pm path com.target.app | head -n1 | sed 's/^package://' | tr -d '\r')" ./target.apk
```
Or download from APKPure/APKMirror for apps in scope.
Decompile with APKTool:
```bash
apktool d target.apk -o target_decompiled/
```
This gives you AndroidManifest.xml, resources, and Smali bytecode.
Decompile to Java with jadx:
```bash
jadx -d target_jadx/ target.apk
# Or use the GUI:
jadx-gui target.apk
```
jadx produces readable Java code, making it easier to trace application logic.
Step 2: Static Analysis
Review AndroidManifest.xml
```bash
cat target_decompiled/AndroidManifest.xml
```
Look for:
- android:debuggable="true" — lets a debugger attach to the app's process on non-rooted devices
- android:allowBackup="true" — lets app data be extracted with adb backup
- Exported activities/services/receivers with no permission requirements
- Hardcoded URLs, API endpoints, or suspicious permissions
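A small checker for these manifest issues, added here as example code (not from the original guide): it parses the manifest that `apktool d` writes, using a constructed sample manifest, and also flags components that are implicitly exported because they declare an intent-filter without android:exported.

```python
# Added example (not from the original guide): audit a manifest written by
# `apktool d` for the issues listed above. The sample manifest is constructed.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
COMPONENTS = ("activity", "service", "receiver", "provider")


def audit_manifest(xml_text):
    """Return human-readable findings for one AndroidManifest.xml."""
    app = ET.fromstring(xml_text).find("application")
    if app is None:
        return ["no <application> element found"]
    findings = []
    if app.get(ANDROID_NS + "debuggable") == "true":
        findings.append("android:debuggable=true (debugger can attach on non-rooted devices)")
    # allowBackup defaults to true when the attribute is absent.
    if app.get(ANDROID_NS + "allowBackup", "true") == "true":
        findings.append("android:allowBackup not false (app data extractable via adb backup)")
    for comp in app:
        if comp.tag not in COMPONENTS:
            continue
        exported = comp.get(ANDROID_NS + "exported")
        # No android:exported plus an <intent-filter> means implicitly exported (pre-targetSdk 31 default).
        implicit = exported is None and comp.find("intent-filter") is not None
        if (exported == "true" or implicit) and comp.get(ANDROID_NS + "permission") is None:
            how = "implicitly" if implicit else "explicitly"
            findings.append(f"{comp.tag} {comp.get(ANDROID_NS + 'name', '?')} {how} exported without android:permission")
    return findings


# Constructed sample. The MAIN activity is expected to be exported and is triaged manually.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo">
  <application android:debuggable="true" android:allowBackup="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <receiver android:name=".SmsReceiver">
      <intent-filter><action android:name="com.example.demo.SMS"/></intent-filter>
    </receiver>
    <service android:name=".SyncService" android:exported="true" android:permission="com.example.demo.SYNC"/>
    <provider android:name=".DataProvider" android:authorities="com.example.demo.data" android:exported="false"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST):
        print("[!]", finding)
```

On a real target, pass the contents of target_decompiled/AndroidManifest.xml to audit_manifest instead of the sample.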
Search for Hardcoded Secrets
```bash
# Search for API keys, tokens, passwords
grep -rn "api_key\|apikey\|secret\|password\|token\|AWS\|PRIVATE" target_jadx/
grep -rn "http://\|https://" target_jadx/ | grep -i "api\|endpoint"
# Find SQLite database usage
grep -rn "SQLiteDatabase\|getWritableDatabase" target_jadx/
```
MobSF Automated Analysis
MobSF performs comprehensive static (and dynamic) analysis:
```bash
# Install MobSF with Docker
docker pull opensecurity/mobile-security-framework-mobsf:latest
docker run -it --rm -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest
# Access at http://localhost:8000
# Upload your APK and get an automated report
```
MobSF checks for: insecure data storage, weak cryptography, exported components, network security config issues, and more.
Step 3: Dynamic Analysis with Frida
Frida is a dynamic instrumentation toolkit that lets you inject JavaScript into running processes to hook functions, bypass SSL pinning, and inspect runtime behavior.
Setup Frida
On your PC:
```bash
pip3 install frida-tools --break-system-packages
```
On the Android device/emulator:
```bash
# Download frida-server matching your Frida version and device architecture
adb push frida-server /data/local/tmp/
adb shell chmod 755 /data/local/tmp/frida-server
adb shell su -c "/data/local/tmp/frida-server &"
```
Verify connection:
```bash
frida-ps -U   # List running processes on the USB-connected device
```
Bypass SSL Certificate Pinning
Many apps implement SSL pinning to prevent traffic interception. Frida can bypass it:
```bash
# Using objection (Frida-based tool)
pip3 install objection --break-system-packages
# Start the app and attach objection
adb shell am start -n com.target.app/.MainActivity
objection -g com.target.app explore
# Inside the objection shell:
android sslpinning disable
```
Or use the popular Frida SSL bypass script:
```bash
frida -U -f com.target.app -l ssl_bypass.js
```
Runtime Hooking
Hook a specific function to see its arguments and return values:
```javascript
// hook_example.js
Java.perform(function () {
  // Resolve the target class through Frida's Java bridge
  var MainActivity = Java.use('com.target.app.MainActivity');
  // Replace the method body; if checkLogin is overloaded, select the signature
  // first with .overload('java.lang.String', 'java.lang.String')
  MainActivity.checkLogin.implementation = function (user, pass) {
    console.log('Username: ' + user);
    console.log('Password: ' + pass);
    // Call the original implementation so the app keeps working
    return this.checkLogin(user, pass);
  };
});
```

```bash
frida -U -f com.target.app -l hook_example.js
```
Step 4: Network Traffic Interception
Configure Burp Suite to intercept Android traffic:
- In Burp: Proxy > Options > set the listener to `0.0.0.0:8080`
- On Android: Settings > Wi-Fi > modify network > proxy > enter your PC's IP and port 8080
- Navigate to `http://burp` in the Android browser and download the Burp CA certificate
- Install the cert under Settings > Security > Install from storage
Once SSL pinning has been bypassed via Frida/objection, HTTPS traffic appears in Burp in plaintext. Note that since Android 7 (API 24) apps ignore user-installed CAs unless their network security config trusts them, so installing the Burp CA alone is often not enough even for apps without explicit pinning.
Step 5: Insecure Data Storage Testing
Check for sensitive data stored insecurely:
```bash
# Access the app's private directory (requires root)
adb shell su -c "ls /data/data/com.target.app/"
adb pull /data/data/com.target.app/shared_prefs/ .
cat shared_prefs/*.xml   # adb pull recreates the directory locally; look for tokens, passwords
# Check external storage
adb shell ls /sdcard/Android/data/com.target.app/
```
Common findings: auth tokens in SharedPreferences, SQLite databases with sensitive data, cleartext files on external storage.
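To triage pulled SharedPreferences files systematically, here is an added Python checker (example code, not from the original guide) that flags sensitive-looking keys and decodes any JWT it finds so the report can state who the token is for and when it expires; the sample file and the unsigned demo JWT are constructed, and the scan_prefs_dir helper assumes the files were pulled as shown above.

```python
# Added example (not from the original guide): scan pulled shared_prefs XML for secrets at rest; the sample file and JWT are constructed.
import base64
import json
import re
import xml.etree.ElementTree as ET
from pathlib import Path

SENSITIVE_KEY = re.compile(r"token|passw|secret|session|api.?key|credential", re.I)
JWT_RE = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$")


def _b64url_json(segment):
    """Decode one base64url JWT segment to JSON, or None if it is not one."""
    try:
        return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))
    except (ValueError, UnicodeDecodeError):
        return None


def scan_prefs_xml(xml_text, source="<string>"):
    """Flag sensitive-looking keys and JWT values in one SharedPreferences file."""
    findings = []
    for el in ET.fromstring(xml_text):
        key, value = el.get("name", ""), el.text or el.get("value") or ""  # <string> uses text, others a value attr
        reasons, claims = [], None
        if SENSITIVE_KEY.search(key):
            reasons.append("sensitive key name")
        if JWT_RE.match(value):
            header, payload = (_b64url_json(p) for p in value.split(".")[:2])
            if isinstance(header, dict) and "alg" in header:
                reasons.append(f"JWT alg={header['alg']}")
                claims = payload  # sub/exp tell you whose token it is and how long it stays valid at rest
        if reasons:
            findings.append({"file": source, "key": key, "reason": ", ".join(reasons), "claims": claims})
    return findings


def scan_prefs_dir(directory):
    """Scan every *.xml in a directory pulled with `adb pull .../shared_prefs/`."""
    findings = []
    for path in sorted(Path(directory).glob("*.xml")):
        findings.extend(scan_prefs_xml(path.read_text(), path.name))
    return findings


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

# Constructed, unsigned demo token: the third segment is not a real signature.
DEMO_JWT = _b64url(b'{"alg":"HS256","typ":"JWT"}') + "." + _b64url(b'{"sub":"alice","exp":4102444800}') + ".sig"
SAMPLE_PREFS = f"""<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="auth_token">{DEMO_JWT}</string>
    <boolean name="logged_in" value="true" />
</map>"""
```

Run scan_prefs_dir("shared_prefs") against the pulled directory; scan_prefs_xml(SAMPLE_PREFS) shows the output shape on the constructed file.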
Reporting Findings
Key vulnerabilities to document for mobile app assessments:
- Hardcoded credentials or API keys
- Insecure data storage (SharedPreferences, SQLite, external storage)
- Weak or broken cryptography
- SSL pinning absence or bypassable implementation
- Exported components accessible without authentication
- Debugging enabled in production build
- Sensitive data in logs (`adb logcat`)
Mobile app pentesting certifications: eMAPT (eLearnSecurity), GMOB (GIAC Mobile Device Security Analyst), and Certified Mobile Application Security Tester (CMAST).