DevHackz/Android-Pentesting

Android-Application-Pentesting

Android Development

For Beginners

YouTube Videos in English:

YouTube Videos in Hindi:

PDF Books

Android SSL Pinning Bypass

How to find bugs in Android applications

  1. Testing-Frida
  2. Testing-Drozer
  3. ADB-Command-Cheatsheet
  4. Automated-Analysis-Using-MobSF
  5. Testing-Webview-Attacks
  6. Deep-Link-Exploitation

APK Download

  1. https://apk-dl.com/
  2. https://en.uptodown.com/
  3. https://en.aptoide.com/
  4. https://www.apkmirror.com/
  5. https://f-droid.org/en/
  6. https://en.softonic.com/
  7. https://androidapksfree.com/

Tool For Windows

  1. Appie
    • Appie Framework is a popular open-source framework used for Android application penetration testing. It provides a comprehensive, self-contained environment specifically designed to facilitate testing of Android applications.

Objection Tool Usage Guide

This repository provides a comprehensive guide on how to use the Objection tool for mobile security testing. Objection is a runtime mobile exploration toolkit, powered by Frida, designed to help penetration testers assess the security of mobile applications without requiring a jailbreak or root access.

Introduction

Objection is a powerful tool that allows security researchers to explore and test the security of mobile applications at runtime. It provides an easy-to-use interface for tasks like bypassing SSL pinning, manipulating application data, exploring the file system, and much more. Objection is particularly useful because it works on both Android and iOS devices without the need for root or jailbreak.

Features

  • Bypass SSL Pinning: Easily disable SSL pinning in mobile apps to intercept network traffic.
  • File System Exploration: Access and manipulate the file system of the mobile app at runtime.
  • Runtime Manipulation: Modify application behavior and data while the app is running.
  • Cross-Platform: Supports both Android and iOS devices.

Installation

Prerequisites

Before installing Objection, ensure that you have the following installed on your system:

  • Python 3.x: Objection is a Python-based tool and requires Python 3.x to run.
  • Frida: Objection uses Frida under the hood. You can install Frida using pip:
    pip install frida-tools
  • ADB (Android Debug Bridge): Required for interacting with Android devices.

Installing Objection

You can install Objection using pip:

pip install objection

After installation, verify that Objection is installed correctly by running:

objection --help

Basic Usage

Starting Objection

To start using Objection with a mobile application, first ensure that the app is running on the device. Then, launch Objection using the following command:

objection -g <app_package_name> explore

Replace <app_package_name> with the actual package name of the mobile app (e.g., com.example.app).

Common Commands

  • Bypass SSL Pinning:

    android sslpinning disable

    This command disables SSL pinning, allowing you to intercept HTTPS traffic.

  • Explore the File System:

    ls /

    Lists the files and directories at the given path, as seen from the app's process.

  • Dumping SQLite Databases:

    sqlite connect <database_name>
    sqlite execute query select * from <table_name>

    Connects to a SQLite database file used by the app and prints the contents of one of its tables.

  • Inspecting Keychain/Shared Preferences:

    android prefs list
    ios keychain dump

    Lists and dumps shared preferences on Android or keychain data on iOS.

Advanced Usage

Bypassing SSL Pinning

Objection makes it easy to bypass SSL pinning in mobile applications, which is useful for intercepting and analyzing HTTPS traffic during security assessments. Simply use the following command:

android sslpinning disable
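
Whether intercepted traffic is readable also depends on what the app itself declares about pinning and trust. The following is an added example, not part of the original repository: a static audit of an app's res/xml/network_security_config.xml that reports cleartext traffic, trust in user-installed CAs, and missing, expired or single-pin pin-sets. The sample config, domain names and pin value are constructed.

```python
import xml.etree.ElementTree as ET
from datetime import date

# Constructed sample of res/xml/network_security_config.xml (not from a real app).
SAMPLE_CONFIG = """<network-security-config>
  <base-config cleartextTrafficPermitted="true">
    <trust-anchors>
      <certificates src="system" />
      <certificates src="user" />
    </trust-anchors>
  </base-config>
  <domain-config>
    <domain includeSubdomains="true">api.example.com</domain>
    <pin-set expiration="2020-01-01">
      <pin digest="SHA-256">CONSTRUCTED_PLACEHOLDER_PIN=</pin>
    </pin-set>
  </domain-config>
  <domain-config>
    <domain>cdn.example.com</domain>
  </domain-config>
</network-security-config>"""

def audit_network_security_config(xml_text, today=None):
    """Sorted findings; <debug-overrides> and nested domain-configs are not modelled."""
    today = today or date.today()
    root = ET.fromstring(xml_text)
    findings = []
    for section in root.findall("base-config") + root.findall("domain-config"):
        names = [d.text.strip() for d in section.findall("domain") if d.text]
        scope = ", ".join(names) or "base-config"
        if section.get("cleartextTrafficPermitted") == "true":
            findings.append(f"{scope}: cleartext traffic permitted")
        if any(c.get("src") == "user" for c in section.findall("trust-anchors/certificates")):
            findings.append(f"{scope}: trusts user-installed CAs")
        if section.tag != "domain-config":
            continue  # pin-sets are only valid inside <domain-config>
        pin_set = section.find("pin-set")
        if pin_set is None:
            findings.append(f"{scope}: no pin-set")
            continue
        expiry = pin_set.get("expiration")
        if expiry and date.fromisoformat(expiry) <= today:
            findings.append(f"{scope}: pin-set expired {expiry}, pinning no longer enforced")
        if len(pin_set.findall("pin")) < 2:
            findings.append(f"{scope}: no backup pin")
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(audit_network_security_config(SAMPLE_CONFIG)))
```

This covers only what the manifest-referenced config declares; pinning implemented in code (for example in the HTTP client) has to be reviewed separately.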

Interacting with the File System

You can explore and manipulate the file system of the app directly from the Objection command line:

  • List Files:
    ls /data/data/com.example.app/files/
  • Download a File:
    file download /data/data/com.example.app/files/secret.txt

Manipulating Application Data

Objection allows you to modify the data used by the app at runtime:

  • Change the Value of a Variable:

    android hooking set class_variable com.example.app.ClassName variableName newValue
  • Trigger a Function:

    android hooking call com.example.app.ClassName methodName arg1,arg2

Troubleshooting

  • Objection Not Connecting: Ensure that your device is properly connected via USB and that ADB is running for Android devices. For iOS, ensure that Frida is correctly installed on the device.
  • SSL Pinning Not Disabled: Some apps may implement SSL pinning in ways that are resistant to Objection's default bypass method. In such cases, you may need to use custom Frida scripts.

Bug Find Checklist For Android

CTF & Challenges

  1. InsecureShopApp : https://www.insecureshopapp.com GitHub : https://github.com/hax0rgb/InsecureShop
  2. Allsafe
  3. InjuredAndroid
  4. HpAndro1337
  5. KGB_Messenger

Telegram Channels

Android Security Crash Course

Youtube

Root Detection Bypass Using Frida

https://codeshare.frida.re/@dzonerzy/fridantiroot/

frida --codeshare dzonerzy/fridantiroot -U -f YOUR_BINARY
