Testing Mobile Applications
When to Use
- •Android APK analysis and exploitation
- •iOS application pentesting
- •Mobile app security assessment
- •Bypassing security controls (SSL pinning, root detection)
- •Testing mobile-specific vulnerabilities
Android Pentesting
APK Analysis Tools
bash
# Decompile APK apktool d app.apk -o app_decompiled # Convert DEX to JAR d2j-dex2jar app.apk # View JAR with JD-GUI jd-gui app-dex2jar.jar # Automated analysis mobsf # Mobile Security Framework jadx app.apk # APK to Java decompiler
ADB (Android Debug Bridge)
bash
# List devices adb devices # Connect over network adb connect 192.168.1.100:5555 # Install APK adb install app.apk # Uninstall adb uninstall com.package.name # List packages adb shell pm list packages adb shell pm list packages | grep -i "keyword" # Get APK path adb shell pm path com.package.name # Pull APK from device adb pull /data/app/com.package.name-xxx/base.apk # Start activity adb shell am start -n com.package.name/.MainActivity # View logs adb logcat # Shell access adb shell
Static Analysis
Search for Sensitive Data:
bash
# Extract strings strings app.apk | grep -i password strings app.apk | grep -i api strings app.apk | grep -i token strings app.apk | grep -i key # Search in decompiled code grep -r "password" app_decompiled/ grep -r "http://" app_decompiled/ grep -r "api_key" app_decompiled/
Check AndroidManifest.xml:
bash
# Decompile and view apktool d app.apk cat app_decompiled/AndroidManifest.xml # Look for: # - android:debuggable="true" # - android:allowBackup="true" # - Exported activities/services # - Custom permissions # - URL schemes
Dynamic Analysis
Frida (Runtime Instrumentation):
bash
# List running apps frida-ps -U # Attach to app frida -U -n "App Name" frida -U -f com.package.name # Load script frida -U -f com.package.name -l script.js # Common scripts # - Bypass SSL pinning # - Bypass root detection # - Hook functions # - Dump memory
SSL Pinning Bypass:
javascript
// Frida script - Universal SSL pinning bypass
Java.perform(function() {
var TrustManager = Java.use('javax.net.ssl.X509TrustManager');
TrustManager.checkServerTrusted.implementation = function() {};
var SSLContext = Java.use('javax.net.ssl.SSLContext');
SSLContext.init.overload('[Ljavax.net.ssl.KeyManager;', '[Ljavax.net.ssl.TrustManager;', 'java.security.SecureRandom').implementation = function(a,b,c) {
this.init.overload('[Ljavax.net.ssl.KeyManager;', '[Ljavax.net.ssl.TrustManager;', 'java.security.SecureRandom').call(this, a, null, c);
};
});
Root Detection Bypass:
javascript
// Frida - Bypass root detection
Java.perform(function() {
var RootClass = Java.use('com.package.name.RootDetection');
RootClass.isRooted.implementation = function() {
return false;
};
});
Intercepting Traffic
Burp Suite Setup:
bash
# 1. Install Burp CA certificate # Download from http://burp:8080 on device # Install in Settings -> Security -> Install from storage # 2. Configure proxy adb shell settings put global http_proxy 192.168.1.100:8080 # 3. For apps with SSL pinning, use Frida bypass # 4. Clear proxy when done adb shell settings put global http_proxy :0
mitmproxy:
bash
# Start mitmproxy mitmproxy --listen-port 8080 # Install certificate on device # http://mitm.it # Set device proxy to attacker IP:8080
Modifying and Repackaging APK
bash
# 1. Decompile apktool d app.apk -o app_mod # 2. Modify smali code # Edit files in app_mod/smali/ # 3. Recompile apktool b app_mod -o app_modified.apk # 4. Sign APK # Generate keystore (first time only) keytool -genkey -v -keystore my-key.keystore -alias alias_name -keyalg RSA -keysize 2048 -validity 10000 # Sign jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-key.keystore app_modified.apk alias_name # Or use uber-apk-signer java -jar uber-apk-signer.jar -a app_modified.apk # 5. Install adb install app_modified.apk
Common Vulnerabilities
Insecure Data Storage:
bash
# Check shared preferences adb shell cd /data/data/com.package.name/shared_prefs/ cat *.xml # Check databases cd /data/data/com.package.name/databases/ sqlite3 database.db .tables SELECT * FROM users; # Check files cd /data/data/com.package.name/files/ ls -la cat *
Exported Components:
bash
# List exported activities adb shell dumpsys package com.package.name | grep -A 20 "Activity" # Start exported activity adb shell am start -n com.package.name/.ExportedActivity # Call exported service adb shell am startservice -n com.package.name/.ExportedService # Broadcast to receiver adb shell am broadcast -a com.package.name.ACTION
Insecure WebView:
bash
# Check for JavaScript enabled # Look in code for: webView.getSettings().setJavaScriptEnabled(true); # Check for addJavascriptInterface # Can lead to RCE if exposed
iOS Pentesting
Setup
Jailbreak Tools:
- •checkra1n (iOS 12-14)
- •unc0ver (iOS 11-14.8)
- •Taurine (iOS 14-14.3)
SSH Access:
bash
# Default credentials ssh root@<device-ip> # password: alpine # Change default password! passwd
IPA Analysis
bash
# Extract IPA unzip app.ipa # View binary otool -L Payload/App.app/App strings Payload/App.app/App # Class dump class-dump Payload/App.app/App > classes.txt # Decrypt binary (on jailbroken device) frida-ios-dump -u App # Static analysis with Hopper/Ghidra
Runtime Analysis
Frida on iOS:
bash
# List apps frida-ps -Ua # Attach frida -U -n "App Name" frida -U -f com.company.app # SSL pinning bypass (iOS) objection -g "App Name" explore ios sslpinning disable
Objection:
bash
# Launch objection objection -g com.company.app explore # Common commands ios info binary ios hooking list classes ios hooking search methods MainActivity ios sslpinning disable ios jailbreak disable ios keychain dump ios nsuserdefaults get
File System Access
bash
# Connect via SSH ssh root@device-ip # App data location cd /var/mobile/Containers/Data/Application/<UUID>/ # Find app UUID ipainstaller -l # List apps ls /var/mobile/Containers/Data/Application/ # Common paths Documents/ Library/ Library/Preferences/ # plist files Library/Caches/ tmp/
Keychain Access
bash
# Using objection ios keychain dump # Manual (requires keychain-dumper on device) ./keychain_dumper # Specific item security find-generic-password -s "ServiceName"
Common iOS Vulnerabilities
Insecure Data Storage:
bash
# Check plist files plutil -p Info.plist # Check UserDefaults ios nsuserdefaults get # Check SQLite databases sqlite3 database.db .tables SELECT * FROM sensitive_table;
Binary Protections:
bash
# Check for PIE otool -hv App | grep PIE # Check for stack canaries otool -I App | grep stack_chk # Check for ARC otool -I App | grep objc_release
Mobile-Specific Attacks
Deep Link Exploitation:
bash
# Android adb shell am start -a android.intent.action.VIEW -d "app://open?param=value" # iOS xcrun simctl openurl booted "app://open?param=value"
Intent Injection:
bash
# Send malicious intent adb shell am start -n com.package/.Activity --es "extra_key" "malicious_value"
Backup Extraction:
bash
# Android backup adb backup -f backup.ab com.package.name # Extract java -jar abe.jar unpack backup.ab backup.tar # iOS backup idevicebackup2 backup --full backup_directory
Tools
Android:
- •APKTool - Decompile/recompile APKs
- •dex2jar - Convert DEX to JAR
- •JADX - APK to Java decompiler
- •Frida - Dynamic instrumentation
- •Objection - Frida-based toolkit
- •MobSF - Automated analysis
- •Drozer - Android security framework
iOS:
- •Frida - Dynamic instrumentation
- •Objection - Frida toolkit
- •class-dump - Extract class info
- •Hopper/Ghidra - Disassemblers
- •frida-ios-dump - Decrypt binaries
- •iproxy - Forward ports
Quick Testing Workflow
- •Static Analysis - Decompile, search strings, analyze manifest/Info.plist
- •Install - Install on emulator/device
- •Intercept Traffic - Set up Burp/mitmproxy, bypass SSL pinning
- •Dynamic Analysis - Use Frida to hook functions, bypass protections
- •Test Components - Test exported components, deep links, intents
- •Data Storage - Check for insecure data storage in files/DB/keychain
- •Repackage - Modify and recompile to test additional scenarios