ECorpSecurity

Complete Android Penetration Testing Guide

2025-02-09

Android Penetration Testing Guide 🚀

This guide covers the complete process of Android application pentesting: from retrieving APKs and analyzing their structure to performing static and dynamic analysis, network monitoring, automation, and exploitation.


📦 APK File Structure Explained

Understanding the APK file structure is essential to know what you're working with during pentesting. An APK is a ZIP archive, and each component serves a purpose:

  • AndroidManifest.xml – Contains app metadata, components and permissions.
  • classes.dex – Compiled Dalvik bytecode (the app's Java/Kotlin code).
  • res/ – App UI resources (uncompiled).
  • lib/ – Native code libraries, one subdirectory per ABI.
  • META-INF/ – Signatures and certificates.


🔧 Lab & Tool Setup

Frida & Objection

pip3 install frida-tools
pip3 install objection

Add the directory where pip placed the frida and objection executables to your PATH environment variable.

Android SDK & APKTool Setup

Download SDK: https://developer.android.com/tools/releases/platform-tools

Install APKTool: https://apktool.org/

# apktool.bat content for Windows
@echo off
java -jar C:\apktool\apktool_2.5.0.jar %*

Set environment variables for platform-tools and APKTool.


📥 How to Get an APK

ADB Method

adb shell pm list packages
adb shell pm path <package_name>
adb pull /data/app/<package_name>/<file>.apk

pm path prints the exact on-device location of the installed APK (recent Android versions use randomised directory names under /data/app/), so pull the path it reports.

Online Tools

  • https://apps.evozi.com/apk-downloader/
  • https://apkcombo.com/

APK Extractor App

Install an extractor app such as Apk Extractor on the device and use it to export the installed application's APK.


🔎 Static Analysis

APKTool

apktool d application.apk

JADX

Decompiles DEX to Java source, which is easier to read than the smali that APKTool produces.

Dex2Jar + JD-GUI

/path/to/dex2jar/d2j-dex2jar.sh app.apk

Open .jar file in JD-GUI.

JEB

Commercial tool for deep inspection.


🧪 Dynamic Analysis

Enable Debugging

Set android:debuggable="true" on the <application> element of the decoded AndroidManifest.xml, then rebuild the APK:

<application android:debuggable="true">
apktool b app_folder -o output.apk

The rebuilt APK is unsigned and will not install, so sign it first using:

git clone https://github.com/appium/sign
java -jar sign/dist/signapk.jar sign/testkey.x509.pem sign/testkey.pk8 output.apk signed.apk
adb install signed.apk

Frida Setup

The frida-server binary must match both the device ABI (first command) and the frida-tools version installed on the host; adb root only works on rooted or userdebug builds.

adb shell getprop ro.product.cpu.abi
adb root
adb push frida-server /data/local/tmp
adb shell chmod 777 /data/local/tmp/frida-server
adb shell /data/local/tmp/frida-server &

SSL Pinning Bypass

The frida CLI loads the script from the host, so it does not need to be pushed to the device. Spawn the app with the script injected:

frida -U -f com.target.app -l fridascript.js

On Frida versions before 16 add --no-pause so the spawned process resumes automatically; from Frida 16 onward resuming is the default and the flag has been removed.

๐ŸŒ Network Analysis

Use Bettercap (the commands below use the legacy bettercap 1.x flags; bettercap 2 drives the same features through its interactive modules and caplets):

sudo bettercap -T <device_ip> -X
sudo bettercap -T <device_ip> --proxy --proxy-https --no-sslstrip

๐Ÿ” Automation Tools

RMS - Runtime Mobile Security

npm install -g rms-runtime-mobile-security
rms
rms --port 9000

Online Automated Analysis

  • https://www.immuniweb.com/mobile/
  • https://www.joesecurity.org/joe-sandbox-mobile

๐Ÿ” Hardcoded Secrets Detection

Search the decompiled source for patterns like:

grep -r "API_KEY" ./
grep -r "password" ./

Use tools like truffleHog.


🎯 Attacking Activities

Every activity can be tested for export and abuse. From the drozer console:

run app.activity.info -a com.target.app
run app.activity.start --component com.target.app com.target.app.loginActivity

Or search the decoded AndroidManifest.xml for:

<activity android:exported="true">

Note that an activity with an <intent-filter> and no android:exported attribute is also exported when the app targets API 30 or lower, so check for those as well.
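A small checker for the manifest search above, added here as an example and not part of the original guide: it reads an apktool-decoded AndroidManifest.xml, applies the platform's export rule (an explicit android:exported wins, otherwise an intent-filter implies exported on pre-API-31 targets), and reports exported components that no permission protects, together with the debuggable flag from the Dynamic Analysis section. The sample manifest is constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # the android: namespace
COMPONENTS = ("activity", "activity-alias", "service", "receiver", "provider")

def is_exported(comp):
    # An explicit android:exported wins. Without it, an activity/service/receiver
    # that declares an <intent-filter> is implicitly exported (pre-API-31 rule).
    explicit = comp.get(A + "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return comp.tag != "provider" and comp.find("intent-filter") is not None

def audit_manifest(xml_text):
    # Returns (kind, name, issue) tuples for risky settings in a decoded manifest.
    root = ET.fromstring(xml_text)
    app = root.find("application")
    findings = []
    if app is None:
        return findings
    if app.get(A + "debuggable", "false").lower() == "true":
        findings.append(("application", root.get("package"), "android:debuggable=true"))
    for tag in COMPONENTS:
        for comp in app.findall(tag):
            if not is_exported(comp):
                continue
            # Any of these attributes gates callers of the exported component.
            gates = ("permission", "readPermission", "writePermission")
            if not any(comp.get(A + g) for g in gates):
                findings.append((tag, comp.get(A + "name"), "exported without a permission"))
    return findings

# Constructed sample manifest (not a real app) that exercises each rule above.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.target">
  <application android:debuggable="true">
    <activity android:name=".MainActivity" android:exported="true"/>
    <activity android:name=".LoginActivity">
      <intent-filter><action android:name="com.example.LOGIN"/></intent-filter>
    </activity>
    <activity android:name=".SettingsActivity" android:exported="false"/>
    <service android:name=".SyncService" android:exported="true"
        android:permission="com.example.SYNC"/>
    <provider android:name=".DataProvider" android:authorities="com.example.data"
        android:exported="true" android:readPermission="com.example.READ"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for kind, name, issue in audit_manifest(SAMPLE_MANIFEST):
        print(f"{kind:<12} {name or '-':<20} {issue}")
```

Run it against the output of apktool d by replacing SAMPLE_MANIFEST with the file contents; the protected SyncService and DataProvider are deliberately not reported.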

🧪 Sandboxing Analysis

CuckooDroid

https://github.com/idanr1986/cuckoo-droid

Joe Sandbox Mobile

https://www.joesecurity.org/joe-sandbox-mobile


✅ Summary Checklist

  • [x] Retrieve APK
  • [x] Static analysis (Manifest, smali, secrets)
  • [x] Decompiled Java code (JADX, JD-GUI)
  • [x] Frida and SSL pinning bypass
  • [x] Network inspection (Bettercap)
  • [x] Exploit exported components
  • [x] Use automation tools for dynamic insights

Let the hacking begin 🔐💥