{"id":13589452,"url":"https://github.com/Hrishikesh7665/Android-Pentesting-Checklist","last_synced_at":"2025-04-08T09:32:52.921Z","repository":{"id":163323433,"uuid":"583820857","full_name":"Hrishikesh7665/Android-Pentesting-Checklist","owner":"Hrishikesh7665","description":"Delve into a comprehensive checklist, your ultimate companion for Android app penetration testing. Identify vulnerabilities in network, data, storage, and permissions effortlessly. Boost security skills with essential tools and user-friendly guides. Elevate Android security seamlessly!","archived":false,"fork":false,"pushed_at":"2024-10-20T13:35:00.000Z","size":742,"stargazers_count":177,"open_issues_count":0,"forks_count":32,"subscribers_count":9,"default_branch":"main","last_synced_at":"2024-11-06T09:39:43.324Z","etag":null,"topics":["android","android-app","android-penetration-testing-checklist","android-pentesting-checklist","bug-bounty","bugbounty","checklist","cybersecurity","frida","magisk","objection","penetration-testing","pentesting","red-teaming","vulnerability-assessment","vulnerability-checklist"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":false,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Hrishikesh7665.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-12-31T03:25:44.000Z","updated_at":"2024-11-06T02:20:34.000Z","dependencies_parsed_at":"2023-12-04T13:30:24.545Z","dependency_job_id":"e30e74d4-f3b4-4d5b-9de7-52da1d9ba86e","html_url":"https://github.com/Hrishikesh7665/Android-Pentesting-Checklist","commit_stats":null,"previous_names":[],"tags
_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Hrishikesh7665%2FAndroid-Pentesting-Checklist","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Hrishikesh7665%2FAndroid-Pentesting-Checklist/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Hrishikesh7665%2FAndroid-Pentesting-Checklist/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Hrishikesh7665%2FAndroid-Pentesting-Checklist/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Hrishikesh7665","download_url":"https://codeload.github.com/Hrishikesh7665/Android-Pentesting-Checklist/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247814216,"owners_count":21000522,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["android","android-app","android-penetration-testing-checklist","android-pentesting-checklist","bug-bounty","bugbounty","checklist","cybersecurity","frida","magisk","objection","penetration-testing","pentesting","red-teaming","vulnerability-assessment","vulnerability-checklist"],"created_at":"2024-08-01T16:00:30.346Z","updated_at":"2025-04-08T09:32:52.567Z","avatar_url":"https://github.com/Hrishikesh7665.png","language":null,"funding_links":[],"categories":["Mobile Pentesting"],"sub_categories":["Android"],"readme":"\u003ca href='#' target=\"_blank\"\u003e\u003cimg alt='android' 
src='https://img.shields.io/badge/Android_Checklist-100000?style=flat-square\u0026logo=android\u0026logoColor=white\u0026labelColor=8FC965\u0026color=5D9741'/\u003e\u003c/a\u003e\n\u003ca href='#' target=\"_blank\"\u003e\u003cimg alt='android' src='https://img.shields.io/badge/Android-4630EB.svg?style=flat-square\u0026logo=ANDROID\u0026labelColor=A4C639\u0026logoColor=fff'/\u003e\u003c/a\u003e\n\n# Android App Pentesting Checklist\n\n**Welcome to the \"Android App Penetration Testing Checklist\" Repository!**\n\nExplore the ultimate companion for Android app penetration testing, meticulously crafted to identify vulnerabilities in network, data, storage, and permissions effortlessly. This repository merges a comprehensive checklist of tasks and cutting-edge techniques, providing security professionals with a robust framework for a thorough security assessment of Android applications.\n\nThe checklist covers a range of topics, including:\n\n**Static analysis:** reviewing the app's source code and resources for potential vulnerabilities\n\n**Dynamic analysis:** analyzing the app's behavior and interactions with the device and network during runtime\n\n**Network analysis:** analyzing the app's communication with servers and other external resources over the network\n\n**Permission analysis:** reviewing the app's requested permissions and assessing whether they are appropriate and secure\n\n**Cryptographic analysis:** reviewing the app's use of cryptography and ensuring that it is implemented securely\n\n**Data storage analysis:** analyzing the app's handling of sensitive data, including how it is stored and transmitted\n\nThis checklist is intended as a starting point for penetration testers and bug bounty hunters to identify common security issues in Android applications. 
It is not a comprehensive guide to all possible security issues and should be used in conjunction with other resources and best practices.\n\n## Table of Content\n\n- [Android Applications Penetration Testing Checklist (v1.1)](#android-applications-penetration-testing-checklist-v11)\n- [Understanding Vulnerabilities: Definitions and Mitigations](#understanding-vulnerabilities-definitions-and-mitigations-)\n  - [SSL Pinning](#ssl-pinning)\n- [Important Tools](#important-tools)\n- [Tools Installation/Setup](#tools-installationsetup)\n- [Prerequisites](#prerequisites)\n  - [Hardware requirements](#hardware-requirements)\n  - [Software/Tools prerequisites](#softwaretools-prerequisites)\n    - [1. Java (Jdk)](#1-java-jdk-link)\n    - [2. Python/Python3](#2-pythonpython3-link)\n    - [3. Genymotion](#3-genymotion-link)\n    - [4. Docker](#4-docker-link)\n    - [5. Android Debug Bridge (adb)](#5-android-debug-bridge-adb-link)\n    - [6. Magisk](#6-magisk-link)\n- [Mobile Security Framework (MobSF)](#mobile-security-framework-mobsf)\n  - [MobSF Installation on Docker](#mobsf-installation-on-docker)\n  - [MobSF Installation on Physical Machine](#mobsf-installation-on-physical-machine)\n- [Drozer (on desktop)](#drozer-on-desktop)\n- [APKLeaks](#apkleaks)\n- [Apktool](#apktool)\n- [APKToolGUI](#apktoolgui)\n- [JADX](#jadx)\n- [JD-GUI](#jd-gui)\n- [Dex2Jar](#dex2jar)\n- [Objection](#objection)\n- [Burp Suite](#burp-suite)\n- [Postman](#postman)\n- [Radare2](#radare2)\n- [Nuclei](#nuclei)\n- [Zipalign](#zipalign)\n- [DB Browser for SQLite](#db-browser-for-sqlite)\n- [Frida Tools](#frida-tools)\n- [Frida Server (Magisk-Frida)](#frida-server-magisk-frida)\n- [Always Trust User Certs \\\u0026 Burp-cert Magisk Modules](#always-trust-user-certs--burp-cert-magisk-modules)\n- [Fridump](#fridump)\n- [Useful Commands \\\u0026 Tools Usage](#useful-commands--tools-usage)\n- [ADB Commands](#adb-commands)\n- [Frida Commands](#frida-commands)\n- [Objection Commands](#objection-commands)\n- 
[Drozer Commands](#drozer-commands)\n- [Terminology's](#terminologys)\n  - [KeyStore](#keystore)\n  - [Memory Dump](#memory-dump)\n- [Important Links](#important-links)\n- [Intentionally Vulnerable Applications For Practice](#intentionally-vulnerable-applications-for-practice)\n\n## Android Applications Penetration Testing Checklist (v1.1)\n\n| **C01** | **SSL Pinning** | Discovered | Undiscovered |\n| :-----: | --- | :---: | :---: |\n|         | Missing or weak SSL pinning means the app accepts any certificate that chains to a CA in the device trust store instead of only the expected server certificate or public key. An attacker who can add a CA to that store (for example a user-installed proxy CA on a rooted or test device) or who compromises a trusted CA can then intercept and decrypt the app's TLS traffic. |                        |                        |\n|    1    | Missing SSL pinning (traffic can be intercepted by a proxy such as Burp once its CA is installed on the device) | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e |\n|    2    | Check whether pinning can be bypassed at runtime with Frida/Objection (e.g. objection's android sslpinning disable) | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e |\n|    3    | Check whether the pinning logic can be patched out of the APK (code manipulation) and the app repackaged | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e |\n\n| **C02** | **Root Detection** | Discovered | Undiscovered |\n| :-----: | --- | :---: | :---: |\n|         | Root detection is a defense-in-depth control. When it is missing or easily bypassed, the app runs unchanged on a rooted device, where its private storage can be read, its process can be instrumented (e.g. with Frida) and its runtime checks can be tampered with. |                        |                        |\n|    1    | Missing root detection | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e |\n|    2    | Check whether root detection can be bypassed with Frida/Objection (e.g. hooking the check methods so they report an unrooted device) | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e |\n|    3    | Check whether the app's internal logic flow can be modified once the check is bypassed | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e |\n\n| **C03** | **Emulator Detection** | Discovered | Undiscovered |\n| :-----: | --- | :---: | :---: |\n|         | Emulator detection stops the app from running on emulators, where traffic capture, instrumentation and automated analysis are easiest. When it is missing or bypassable, the app's other controls can be analyzed and defeated in an emulator. |                        |                        |\n|    1    | Missing emulator detection | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e |\n|    2    | Check whether emulator detection can be bypassed with Frida | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e |\n\n| **C04** | **Sensitive data in ADB Logcat Logs** | Discovered | Undiscovered |\n| :-----: | --- | :---: | :---: |\n|         | This issue occurs when the app writes sensitive data such as passwords, tokens or personal information to the system log (android.util.Log). The log is readable with adb logcat, so anyone with a USB debugging connection to the device (and, on old Android versions, any app holding READ_LOGS) can recover the data. |                        |                        |\n|    1    | Check Logcat output for sensitive information (run adb logcat while exercising login, payment and other sensitive flows) | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e |\n|    2    | Check whether log output that the app suppresses in release builds can be re-enabled or captured at runtime with Frida/Objection | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e |\n|    3    | Check for plaintext request or response data (URLs, headers, bodies, tokens) in Logcat output | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e |\n\n| **C05** | **Sensitive data/info stored in Local Storage** | Discovered | Undiscovered |\n| :-----: | --- | :---: | :---: |\n|         | This issue occurs when the app stores sensitive data such as passwords, tokens or personal information unencrypted in local storage (SharedPreferences XML, SQLite databases, cache or other files). On a rooted device, through a backup, or via another vulnerable component, an attacker can read that data. |                        |                        |\n|    1    | Check whether sensitive data is stored in SharedPreferences (plaintext XML files under the app's shared_prefs directory) | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e |\n|    2    | Check whether sensitive data is written to temporary or cache files | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e |\n|    3    | Check whether sensitive data in local databases (e.g. SQLite) is stored with strong encryption rather than in plaintext | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e |\n|    4    | Check whether sensitive data is stored in any other files on internal or external storage | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e | 
\u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e |\n\n| **C06** | **Sensitive data/info in Application Memory** | Discovered | Undiscovered |\n| :-----: | --- | :---: | :---: |\n|         | This issue occurs when the app keeps sensitive data such as passwords, keys or session tokens in process memory in plaintext, or for longer than needed (for example in String objects that are never cleared). Anyone who can dump the process, e.g. on a rooted device with Frida, can recover it. |                        |                        |\n|    1    | Dump the app's memory (e.g. with fridump.py, https://github.com/Nightbringer21/fridump/blob/master/fridump.py) and search the dump for sensitive data such as credentials, tokens and keys | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e |\n\n| **C07** | **Weak Signer Certificate** | Discovered | Undiscovered |\n| :-----: | --- | :---: | :---: |\n|         | This issue occurs when the app is signed with a weak signature algorithm, a debug key, or only the legacy v1 (JAR) signature scheme. A weak or compromised signature lets an attacker modify or repackage the APK so that a user or device still accepts it as the genuine app. |                        |                        |\n|    1    | Check whether the app is signed with a weak algorithm such as \"SHA1withRSA\" | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e |\n|    2    | Check for the Janus vulnerability (CVE-2017-13156): an APK signed only with the v1 scheme can have a DEX file prepended without invalidating its signature on Android 5.0 to 8.0 | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e |\n|    3    | Check whether the app is signed with a debug certificate | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e |\n\n| **C08** | **Vulnerable Android Activities** | Discovered | Undiscovered |\n| :-----: | --- | :---: | :---: |\n|         | Activities are the components that make up an app's screens. An activity becomes an attack surface when it is exported (explicitly with android:exported=\"true\", or implicitly through an intent filter on API levels below 31), because other apps and adb can then start it directly, skipping the app's own navigation and authentication logic, or crash it with malformed input. |                        |                        |\n|    1    | Check whether a protected activity can be reached directly from adb, bypassing the authentication activity (authentication bypass). Example: an app shows a login screen and launches a second activity only after a successful login; if that second activity is exported it can be started directly with adb shell am start, with no login at all | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e |\n|    2    | Check whether android:exported is set to false for activities that should be internal, and whether any activity can be launched by other applications | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e |\n|    3    | Check whether any of the app's activities can be hijacked through adb or other tools | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e |\n|    4    | Check whether launching any activity (for example with missing or unexpected extras) crashes the app (denial of service) | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e |\n\n| **C09** | **WebView** 
|       Discovered       |      Undiscovered      |\n| :-----: | --- | :---: | :---: |\n|         | A WebView lets an app render web content inside its own UI. It becomes dangerous when it loads attacker-controlled content or URLs, has JavaScript enabled unnecessarily, exposes Java objects to page scripts, or is allowed to read local files. |                        |                        |\n|    1    | Check for cross-site scripting (XSS) in content rendered by the activity's WebView (e.g. user- or URL-controlled data injected into loadData or loadUrl) | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e |\n|    2    | Check for local file inclusion (LFI): can the WebView be made to load file:// URLs, and are setAllowFileAccess, setAllowFileAccessFromFileURLs or setAllowUniversalAccessFromFileURLs enabled | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e |\n|    3    | Check whether JavaScript is enabled (setJavaScriptEnabled(true)) for a WebView that shows untrusted content, and whether objects are exposed to page scripts via addJavascriptInterface | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e |\n\n| **C10** | **Intent Filters** | Discovered | Undiscovered |\n| :-----: | --- | :---: | :---: |\n|         | An Intent (implicit or explicit) is used to move from one Android component to another. Intent redirection occurs when an app receives an Intent from another app, for example embedded as an extra, and forwards it with startActivity or a similar call without checking where it points. Because the forwarded Intent runs with the vulnerable app's identity, an attacker can use it to reach that app's non-exported components. It is the Android analogue of an open redirect in web security. |                        |                        |\n|    1    | Check for intent spoofing (an exported component accepting a crafted Intent from any app) and intent sniffing (sensitive data sent in implicit Intents or broadcasts that any matching app can receive); both arise when the developer does not validate Intent data or restrict who can send and receive it | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e |\n\n| **C11** | **Broadcast Receivers** | Discovered | Undiscovered |\n| :-----: | --- | :---: | :---: |\n|         | A broadcast receiver lets an app react to system-wide broadcasts, such as an incoming text message or the charger being disconnected, and to broadcasts from other apps. A receiver that is exported without a permission accepts crafted broadcasts from any app on the device. |                        |                        |\n|    1    | Check the manifest for receiver elements with android:exported=\"true\" (or an intent filter and no exported attribute, which exports the receiver by default on API levels below 31) and no android:permission; such receivers can be triggered by any app | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e |\n\n| **C12** | **Content Provider** | Discovered | Undiscovered |\n| :-----: | --- | :---: | :---: |\n|         | Content providers share structured data between applications. They expose insert, update, delete and query methods and are addressed by a URI starting with \"content://\". An example is the built-in SMS provider, which other apps can read through its URI if they hold the READ_SMS permission. Providers that are not meant to be shared should not be exported, and shared ones should be restricted to apps holding the proper permissions; otherwise they leak data or accept malicious input. |                        |                        |\n|    1    | Check whether caller-supplied query arguments (projection, selection, selection args, sort order) reach the underlying SQLite query unsanitized, leading to SQL injection | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e |\n|    2    | Check whether openFile or openAssetFile builds a file path from the request URI without canonicalizing it, leading to path traversal | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e |\n|    3    | Check whether an exported provider, or one reachable through a granted URI permission, exposes internal data to other apps without a permission check | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e |\n\n| **C13** | **Source Code Obfuscation** | Discovered | Undiscovered |\n| :-----: | --- | :---: | :---: |\n|         | Source code obfuscation makes an Android app's decompiled code harder to understand and reverse engineer, typically to protect intellectual property and to raise the effort needed for unauthorized modification. 
|                        |                        |\n|    1    | Check whether code obfuscation (ProGuard) is implemented                                                                                                                                                                    | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e |\n|    2    | If code obfuscation is only partially implemented, check that the main sensitive code is properly obfuscated                                                                                                                | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e |\n\n| **C14** | **Sensitive Information/Auth-Keys Hardcoded**                                                                                                                                                                                                                          |       Discovered       |      Undiscovered      |\n| :-----: | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :--------------------: | :--------------------: |\n|         | A hardcoded information vulnerability is the practice of storing sensitive data, such as passwords or security keys, directly in the source code of an application, potentially exposing that data to attackers or unauthorized users who have access to the source code. 
|                        |                        |\n|    1    | Check the Source Code for any hardcoded API Key/Token, Auth-Key, Passwords, Credentials, etc.(This task can be automated by using tools like MobSF)                                                                                                                    | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e |\n\n| **C15** | **Insecure Coding Practice**                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |       Discovered       |      Undiscovered      |\n| :-----: | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :--------------------: | :--------------------: |\n|         | Insecure coding practice refers to the use of coding techniques or practices that do not adequately protect an application or system from security vulnerabilities or threats, such as using weak passwords or failing to properly validate user input. Insecure coding practices can make an application or system more susceptible to attacks or data breaches. 
To prevent insecure coding practices, developers should follow secure coding best practices and regularly review and test their code for vulnerabilities. |                        |                        |\n|    1    | Check for use of insecure random number generator functions (like generating a guessable OTP)                                                                                                                                                                                                                                                                                                                                                                                                                                   | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e |\n|    2    | Check for use of insecure functions or insecure function/object calls                                                                                                                                                                                                                                                                                                                                                                                                                                                           | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e |\n|    3    | Check for use of weak cryptography or easily reversible methods used in place of encryption (like MD5 hashing, Base64 encoding)                                                                                                                                                                                                                                                                                                                                                
                                                 | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e |\n|    4    | Check for any other Insecure Coding Weakness presence                                                                                                                                                                                                                                                                                                                                                                                                                                                                           | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e |\n\n| **C16** | **Insecure Deeplinks**                                                                                                                                                                                                      |       Discovered       |      Undiscovered      |\n| :-----: | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :--------------------: | :--------------------: |\n|         | Insecure deeplinks in Android can allow attackers to access sensitive data or functionality within an app. Developers can prevent this by validating and securing deeplinks and implementing appropriate security controls. 
|                        |                        |\n|    1    | Check for any explicit deeplink that uses a PendingIntent to open a specific location within the application                                                                                                               | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e |\n|    2    | Check for any implicit deeplink that refers to a specific destination in the app when the deeplink is invoked                                                                                                               | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e |\n\n| **C17** | **Missing Integrity Checks**                                                                                                                                                                                                                                                                                                                                                 |       Discovered       |      Undiscovered      |\n| :-----: | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :--------------------: | :--------------------: |\n|         | Integrity checks in Android refer to the process of verifying the authenticity or integrity of an app's source code, to ensure that it has not been tampered with or modified by an unauthorized party. 
This can help protect against attacks that aim to inject malicious code or modify the app's functionality, such as man-in-the-middle attacks or repackaging attacks. |                        |                        |\n|    1    | Decompile the application, modify its code, recompile it, and sign it to check if it still functions properly or not.                                                                                                                                                                                                                                                        | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e |\n\n| **C18** | **Insecure Android Permissions**                                                                                                                                                         |       Discovered       |      Undiscovered      |\n| :-----: | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :--------------------: | :--------------------: |\n|         | Android applications have a number of permissions that can be set in the \"AndroidManifest.xml\" file. If these permissions are not properly filtered or validated, they can be exploited. 
|                        |                        |\n|    1    | Check whether the cleartext traffic option is enabled in the \"AndroidManifest.xml\" file                                                                                                 | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e |\n|    2    | Check whether the debug mode option is enabled in the \"AndroidManifest.xml\" file                                                                                                        | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e |\n|    3    | Check whether `dataExtractionRules` is properly defined in the \"AndroidManifest.xml\" file                                                                                               | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e |\n|    4    | Check whether the backup mode option is enabled in the \"AndroidManifest.xml\" file                                                                                                       | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e |\n|    5    | Check for any other unnecessary permission in the \"AndroidManifest.xml\" file                                                                                                            | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e |\n\n| **C19** | **Background Screen Caching**                                                                                   |       Discovered       |      Undiscovered      |\n| :-----: | 
--------------------------------------------------------------------------------------------------------------- | :--------------------: | :--------------------: |\n|         | Screen caching is a mobile vulnerability caused by a performance/usability feature present in mobile operating systems.         |                        |                        |\n|    1    | Check whether screenshots are taken when the application is sent to the background                              | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e |\n\n| **C20** | **Insecure Firebase Database**                                                                                                                                  |       Discovered       |      Undiscovered      |\n| :-----: | --------------------------------------------------------------------------------------------------------------------------------------------------------------- | :--------------------: | :--------------------: |\n|         | Firebase Database is a cloud-based real-time database service that allows developers to store and sync data across multiple devices and platforms.              |                        |                        |\n|    1    | Append \".json\" at the end of the Firebase instance URL to see whether \"read\" permission is enabled                                                                | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e |\n|    2    | Also try replacing \"firebaseio.com\" with \"appspot.com\", with \"/.json\" appended at the end; this may allow access to the appspot instance (check for CORS in Firebase) | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e |\n\n| **C21** | **Android Lock/Biometric Authentication Bypass**                                                                                                                                        |       Discovered       |      Undiscovered      |\n| :-----: | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :--------------------: | :--------------------: |\n|         | Some applications use the Android Screen Lock/Biometric Authentication to validate the user before providing any specific service or before launching the application's main interface. |                        |                        |\n|    1    | If the application uses Android Lock/Biometric Authentication, check whether it can be bypassed at runtime by hooking or code-level modification                                        | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e |\n\n| **C22** | **Key-Checks in Dynamic Analysis**                                                                                                                                                      |       Discovered       |      Undiscovered      |\n| :-----: | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :--------------------: | :--------------------: |\n|         | Some applications use the Android Screen Lock/Biometric Authentication to validate the user before providing any specific service or before launching the application's main interface. 
|                        |                        |\n|    1    | Check all the test cases that are applicable to the API (use a comprehensive API checklist)                                                                                             | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e |\n|    2    | Check for broken access controls and authentication (checked mainly on the server side)                                                                                                 | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e |\n|    3    | Check for server-side injections and security misconfigurations                                                                                                                         | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e |\n|    4    | Check for sensitive data exposure                                                                                                                                                       | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e |\n|    5    | Fuzzing                                                                                                                                                                                 | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e |\n\n| **C-** | **Some Other Checks**                                                                                            |       Discovered       |         Undiscovered          |\n| :----: | 
---------------------------------------------------------------------------------------------------------------- | :--------------------: | :--------------------------: |\n|        | N/A                                                                                                              |                        |                              |\n|   1    | Check that the application does not reuse the same cryptographic key for multiple purposes                       | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e |    \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e    |\n|   2    | Check whether any sensitive data or information is exposed through the user interface or leaks into screenshots | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e |    \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e    |\n|   3    | Check whether the keyboard cache is disabled for the application                                                 | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e |    \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e    |\n|   4    | Check that the application does not allow users to copy/paste secret data (like passwords, credit card info, etc.) | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e |    \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e    |\n|   5    | Check whether sensitive data is left unmasked when performing app switching                                      | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e |    \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e    |\n|   6    | Check that third-party keyboard applications are disabled specifically in the sensitive fields                   | \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e |    \u003cul\u003e\u003cli\u003e[ ] \u003c/li\u003e\u003c/ul\u003e    |\n\n**NB:** This list does not follow the OWASP vulnerability indexing 
order.\n\n## Understanding Vulnerabilities: Definitions and Mitigations \u003cimg src=\"https://www.fg-a.com/new/new06p.gif\"\u003e\n\n### SSL Pinning\n\n**Definition:**\\\nSSL (Secure Socket Layer) pinning in Android is a security measure where a mobile app validates a server's SSL certificate against a pre-defined certificate or public key embedded within the app. This helps prevent man-in-the-middle attacks by ensuring a secure and trusted connection.\n\n**Explanation:**\\\n**Scenario A: An Android Application with No SSL Pinning**\\\nIn this scenario, an Android device relies on its own 'Trusted Credential' list, which contains all primary trusted root certificates. Suppose you developed an Android application that checks the wallet balance of your e-commerce service. When the app communicates with your e-commerce service (e.g., through an API call), the device verifies the service's SSL certificate against its 'Trusted Credential' list.\\\n$\\quad$ The problem arises if a hacker intercepts the connection and pretends to be your e-commerce service using a valid SSL/TLS certificate. In this case, both the Android device and your app could be tricked into communicating with the hacker's fraudulent service.\n\n**Scenario B: An Android Application with SSL Pinning (Hardcoded Certificate)**\\\nIn this scenario, your app has a hardcoded certificate for your e-commerce service. When the app makes an API call, the device still verifies the service's SSL certificate against its 'Trusted Credential' list. However, your app will also compare the server's certificate with the hardcoded one.\\\n$\\quad$ If a hacker intercepts the connection and pretends to be your e-commerce service with a valid SSL/TLS certificate, the device will perform its verification. Still, your app will recognize the mismatch between the hardcoded certificate and the presented one. 
As a result, the app will terminate the connection, thereby preventing communication with the malicious service.\n\n**Mitigations:**\\\nThe general solution is to hardcode the SSL/TLS certificate of your web service directly into your Android app and validate the certificate with each web request.\\\nFor more information on implementing SSL pinning, you can refer to the [Android Developer Guide on SSL](https://developer.android.com/privacy-and-security/security-ssl) and this helpful discussion on [Stack Overflow](https://stackoverflow.com/questions/35163485/android-manually-validating-ssl-certificates).\n\n## Important Tools\n\n- Mobile Security Framework (MobSF) [(Link)](https://github.com/MobSF/Mobile-Security-Framework-MobSF)\n- Runtime Mobile Security (RMS) [(Link)](https://github.com/m0bilesecurity/RMS-Runtime-Mobile-Security)\n- Pen-Andro [(Link)](https://github.com/raoshaab/Pen-Andro)\n- Burp Suite [(Link)](https://portswigger.net/burp)\n- Postman [(Link)](https://www.postman.com) `for API's`\n- Yaazhini [(Link)](https://www.vegabird.com/yaazhini/)\n- House [(Link)](https://github.com/nccgroup/house/)\n- Apktool [(Link)](https://ibotpeaches.github.io/Apktool/)\n- Easyapktool [(Link)](https://forum.xda-developers.com/t/discontinued-windows-apk-easy-tool-v1-60-2022-06-23.3333960/) `Discontinued`\n- APKToolGUI(New) [(Link)](https://github.com/AndnixSH/APKToolGUI) `Easyapktool Alternative`\n- Genymotion [(Link)](https://www.genymotion.com)\n- Frida [(Link)](https://frida.re)\n- Magisk [(Link)](https://github.com/topjohnwu/Magisk)\n- Magisk-Frida [(Link)](https://github.com/ViRb3/magisk-frida)\n- Frida-tools [(Link)](https://pypi.org/project/frida-tools/)\n- Drozer [(Link)](https://github.com/WithSecureLabs/drozer)\n- Objection [(Link)](https://github.com/sensepost/objection)\n- JD-GUI [(Link)](http://java-decompiler.github.io)\n- JADX [(Link)](https://github.com/skylot/jadx)\n- Dex2Jar [(Link)](https://github.com/pxb1988/dex2jar)\n- ApkLeaks 
[(Link)](https://github.com/dwisiswant0/apkleaks)\n- Fridump [(Link)](https://github.com/Nightbringer21/fridump)\n- SQLite Browser [(Link)](https://sqlitebrowser.org)\n- Radare2 [(Link)](https://github.com/radareorg/radare2)\n- Nuclei [(Link)](https://github.com/projectdiscovery/nuclei)\n- XMLStarlet [(Link)](https://xmlstar.sourceforge.net)\n- ADB [(Link)](https://developer.android.com/tools/adb)\n- zipalign [(Link)](https://developer.android.com/tools/zipalign)\n\n## Tools Installation/Setup\n\n\u003e [!WARNING]\n\u003e As you explore this repository further, please be aware that certain actions, such as bootloader unlocking, Magisk installation, and rooting techniques, come with inherent risks. Your device's warranty may be voided, and there's a potential for data loss, instability, or even \"bricking\" your device.\\\n\u003e Rooting exposes your device to security risks, and it may no longer receive official updates, leaving it vulnerable. This information is shared for educational purposes only, and I take no responsibility for any damage, data loss, or malfunctions that may occur.\\\n\u003e By proceeding, you acknowledge and accept all risks involved, and it is advisable to fully understand the consequences before implementing any changes.\n\n### Prerequisites\n\n#### Hardware requirements\n\n- Windows/Linux (Kali Linux preferred).\n- USB cable\n- An Android device with an unlocked bootloader\n  - How to unlock the bootloader? [(Link)](https://xdaforums.com/t/how-to-unlock-bootloader.4244757/)\n- A pen-drive and OTG cable, or an SD card\n\n#### Software/Tools prerequisites\n\nBefore you start testing Android apps, make sure to install the necessary tools on both your computer (Linux/Windows) and the Android device itself.\n\n##### 1. Java (JDK) [(Link)](https://www.oracle.com/java/technologies/downloads/)\n\n- Download Java JDK version 17 or higher for your system [(Download Link)](https://www.oracle.com/java/technologies/downloads/)\n- Install the JDK on your system\n\n##### 2. 
Python/Python3 [(Link)](https://www.python.org)\n\n**Python3 installation for Debian- or Ubuntu-based Linux distributions:**\n\n```bash\nsudo apt-get update\n```\n\n```bash\nsudo apt-get -y install python3 python3-pip\n```\n\n**Python installation for Windows:**\n\n- Download the Windows installer of Python from the official website [(Link)](https://www.python.org/downloads/windows)\n- Double-click the installer\n- Check the 'Add python.exe to PATH' checkbox\n- Click on 'Customize installation'\n- Check the 'pip' checkbox\n- Check the 'Python test suite' checkbox\n- Check the 'py launcher' checkbox\n- Check the 'for all users (requires admin privileges)' checkbox\n- Click Next to install Python\n\n##### 3. Genymotion [(Link)](https://www.genymotion.com)\n\n- Create a free account on the Genymotion website\n- Follow the official instructions to install Genymotion on Linux. [Instructions](https://docs.genymotion.com/desktop/Get_started/013_Linux_install/)\n- Follow the official instructions to install Genymotion on Windows. [Instructions](https://docs.genymotion.com/desktop/Get_started/011_Windows_install/)\n\n##### 4. Docker [(Link)](https://www.docker.com)\n\n**Docker installation for Debian- or Ubuntu-based Linux distributions:**\n\n```bash\nsudo apt-get update\n```\n\n```bash\nsudo apt-get -y install docker.io\n```\n\n```bash\nsudo systemctl start docker\n```\n\n**NB:** If you are using a Linux distribution other than Debian or Ubuntu, read these [instructions](https://docs.docker.com/get-docker) to install Docker for your operating system.\n\n**Docker installation for Windows:**\n\n- Download Docker Desktop [(Link)](https://www.docker.com/products/docker-desktop/)\n- Double-click the installer to install it\n\n##### 5. 
Android Debug Bridge (adb) [(Link)](https://developer.android.com/tools/adb)\n\n**adb installation for Debian- or Ubuntu-based Linux distributions:**\n\nInstall adb from the package manager:\n\n```bash\nsudo apt install adb\n```\n\nOr download the latest platform-tools from Google (the commands below use this downloaded copy):\n\n```bash\nwget -c https://dl.google.com/android/repository/platform-tools-latest-linux.zip\n```\n\n```bash\nunzip platform-tools-latest-linux.zip\n```\n\n```bash\ncd platform-tools\n```\n\nGive the binaries executable permission:\n\n```bash\nchmod +x ./adb\nchmod +x ./fastboot\n```\n\nCheck that adb is working:\n\n```bash\n./adb version\n```\n\n**adb installation for Windows:**\n\n- Download [adb-setup.zip](https://androidfilehost.com/?fid=24686681827312411)\n- Extract the downloaded zip\n- Double-click adb-setup-1.4.3.exe\n- In the CMD window, select Y for all options\\\n  \u003cimg src=\"https://github.com/Hrishikesh7665/Android-Pentesting-Checklist/blob/extras/Fastboot.png?raw=true\" width=\"850\" height=\"auto\" alt=\"Fastboot\"\u003e\n- Install the Google USB driver. (The installer runs automatically once the fastboot setup is complete)\\\n  \u003cimg src=\"https://github.com/Hrishikesh7665/Android-Pentesting-Checklist/blob/extras/Google%20Driver.png?raw=true\" alt=\"Google Driver\"\u003e\n\n##### 6. 
Magisk [(Link)](https://github.com/topjohnwu/Magisk)\n\n**Pre-requirement:**\n\n- An Android device with an unlocked bootloader\n- USB cable\n- A pen-drive and OTG cable, or an SD card\n\n**Magisk installation for unlocked bootloader devices:**\n\n- **Install custom recovery**\\\n  A custom recovery must be installed before installing Magisk\n  - Download a custom recovery for your Android device, such as [TWRP](https://twrp.me) / [OrangeFox](https://orangefox.download) / [PitchBlack](https://pitchblackrecovery.com), onto your desktop.\n  - Rename the downloaded recovery (.img) file to \"recovery.img\" (without quotes)\n  - Enable USB debugging on your Android device\n  - Run this command to check whether your device is connected with proper access\n\n    ```cmd\n    adb devices\n    ```\n\n    Allow the USB debugging authorization prompt on Android\\\n    \u003cimg src=\"https://github.com/Hrishikesh7665/Android-Pentesting-Checklist/blob/extras/adb%20authorization%20popup.jpg?raw=true\" width=\"400\" height=\"auto\" alt=\"USB Debugging Authorization Dialog\"\u003e\n    \n    The output will look like this\\\n    ![adb devices command output](https://github.com/Hrishikesh7665/Android-Pentesting-Checklist/blob/extras/Adb%20Devices.png?raw=true)\\\n    **N.B:** If you see 'unauthorized' next to your device identifier, follow the steps below and make sure you run these commands. Allow USB debugging authorization on your Android device when prompted, and also check the 'Always allow from this computer' checkbox. 
Select 'File Transfer' in USB mode.\n\n    ```cmd\n    adb kill-server\n    ```\n\n    ```cmd\n    adb start-server\n    ```\n\n    ```cmd\n    adb devices\n    ```\n\n  - Run this command to reboot into fastboot mode\n\n    ```cmd\n    adb reboot bootloader\n    ```\n\n  - Run this command to check whether your device is properly connected in fastboot mode\n\n    ```cmd\n    fastboot devices\n    ```\n\n  - Flash the recovery image\n\n    ```cmd\n    fastboot flash recovery recovery.img\n    ```\n\n  - Boot into the recovery from fastboot\n\n    ```cmd\n    fastboot boot recovery.img\n    ```\n\n- **Install Magisk**\n  - Download the Magisk version 24 or later APK to your desktop [(Link)](https://github.com/topjohnwu/Magisk/releases)\n  - Copy the APK file onto your pen-drive or SD card\n  - Connect your pen-drive or insert the SD card\n  - Reboot into recovery once\n  - Flash the Magisk APK\\\n    \u003cimg src=\"https://droidwin.com/wp-content/uploads/2020/06/download-magisk-apk-twrp.jpg\" width=\"850\" height=\"auto\" alt=\"TWRP- Flash Magisk.apk\"\u003e\n  - Reboot your device\n  - Open Magisk Manager from the app menu\n  - Follow the on-screen instructions to complete the Magisk setup\\\n    \u003cimg src=\"https://support.genymotion.com/hc/article_attachments/8957897593501\" width=\"450\" height=\"auto\" alt=\"Magisk Additional Steps\"\u003e\n\n### Mobile Security Framework (MobSF)\n\n\u003e [!IMPORTANT]\n\u003e ~~*MobSF's Docker installation does not currently support dynamic analysis.*~~ If you only require static analysis, the Docker installation is straightforward. However, for dynamic analysis, it is recommended to install MobSF on a physical machine.\\\n\u003e For a Windows installation, MobSF requires some additional external dependencies. Please make your installation choice accordingly.\n\n\u003e ***Update as on 17.10.2024:*** \\\n\u003e I previously misunderstood the capabilities of the MobSF Docker. 
I wasn't aware that it supports dynamic analysis using the `MOBSF_ANALYZER_IDENTIFIER` flag. I recently discovered this feature and have been successfully using it in several application testing projects. [Click Here](https://github.com/MobSF/docs/blob/master/dynamic_analyzer.md) to read more about the MobSF Dynamic Analyzer.\n\n#### MobSF Installation on Docker\n\n**Pre-requirement:**\n\n- Docker [(Link)](#4-docker-link)\n\nAssuming your Docker engine is up and running, continue with the MobSF installation:\n\n**Install MobSF:**\n\n```docker\ndocker pull opensecurity/mobile-security-framework-mobsf\n```\n\n**Run MobSF:**\n\n```docker\ndocker run -it --rm --name mobsf -p 8000:8000 opensecurity/mobile-security-framework-mobsf\n```\n\n\u003e [!NOTE]\n\u003e For dynamic analysis with MobSF in Docker, enable Wi-Fi debugging on a device or use Genymotion, and point MobSF at it with `-e MOBSF_ANALYZER_IDENTIFIER=\u003cremote_device_IP\u003e:\u003cadb_port\u003e`\n\u003e \n\u003e **Example:**\n\u003e ```docker\n\u003e docker run -it --rm --name mobsf -p 8000:8000 -e MOBSF_ANALYZER_IDENTIFIER=192.168.255.101:5555 opensecurity/mobile-security-framework-mobsf\n\u003e ```\n\n\u003e [!TIP]\n\u003e For a local instance that is not exposed to the network, you can disable the MobSF login by using: `-e MOBSF_DISABLE_AUTHENTICATION=1`\n\n#### MobSF Installation on Physical Machine\n\n**Pre-requirement:**\n\n- Python/Python3 [(Link)](#2-pythonpython3-link)\n\nAssuming Python/Python3 is installed, continue with the MobSF installation on your desktop:\n\n**Install MobSF (Linux):**\n\n- Download the latest release of MobSF from the Mobile-Security-Framework-MobSF GitHub repository [(Link)](https://github.com/MobSF/Mobile-Security-Framework-MobSF/releases)\n- Extract the zip file, rename the extracted folder to MobSF and place the folder in a suitable location\n- Open a terminal inside the MobSF folder\n\n```bash\n# Give executable permission to setup.sh and run.sh\nchmod +x ./setup.sh \u0026\u0026 chmod +x ./run.sh\n# run setup.sh\nsudo 
./setup.sh\n```\n\n**Run MobSF (Linux):**\n\n```bash\n# run MobSF\n./run.sh\n```\n\n**Install MobSF (Windows):**\n\n- Download and install .NET Framework 4.6 (or latest) [(Link)](https://www.microsoft.com/en-in/download/confirmation.aspx?id=48130)\n- Download Visual Studio Community Edition [(Link)](https://visualstudio.microsoft.com/downloads/)\n  - Double click and run the Visual Studio installer\n  - Select Visual C++ Build Tools\n  - In the right panel, uncheck the optional components (they take extra space and are not required here)\n  - Click on install at the bottom right\n- Download and install the non-light version of OpenSSL [(Link)](https://slproweb.com/products/Win32OpenSSL.html)\n- Download and install wkhtmltopdf [(Link)](https://wkhtmltopdf.org/downloads.html)\n- Download the latest release of MobSF from the Mobile-Security-Framework-MobSF GitHub repository [(Link)](https://github.com/MobSF/Mobile-Security-Framework-MobSF/releases)\n- Extract the zip file, rename the extracted folder to MobSF and place the folder in a suitable location\n- Run PowerShell with Administrator privileges\n- Navigate PowerShell to the MobSF directory\n\n```powershell\n# run setup.bat\n.\\setup.bat\n```\n\n**Run MobSF (Windows):**\n\n```powershell\n# run MobSF\n.\\run.bat\n```\n\nMobSF is now installed and running; navigate to [localhost:8000](http://localhost:8000) using your preferred web browser.\n\n### Drozer (on desktop)\n\n**Pre-requirement:**\n\n- Docker [(Link)](#4-docker-link)\n\nAssuming your Docker engine is up and running, continue with the Drozer installation on your desktop:\n\n**Install Drozer:**\n\n```docker\ndocker pull fsecurelabs/drozer\n```\n\n**Run Drozer:**\n\n```docker\ndocker run -it --rm --name drozer fsecurelabs/drozer\n```\n\nDrozer is now installed on your desktop; next, install the Drozer Agent APK on the device [agent-debug.apk](https://github.com/WithSecureLabs/drozer-agent/releases)\n\n### APKLeaks\n\n**Pre-requirement:**\n\n- Docker 
[(Link)](#4-docker-link)\n\nAssuming your Docker engine is up and running, continue with the APKLeaks installation:\n\n**Install APKLeaks:**\n\n```docker\ndocker pull dwisiswant0/apkleaks:latest\n```\n\n**Run APKLeaks:**\n\n```docker\n# /tmp is mounted into the container, so place the APK there and scan it\ndocker run -it --rm -v /tmp:/tmp dwisiswant0/apkleaks:latest -f /tmp/file.apk\n```\n\n### Apktool\n\n**Pre-requirement:**\n\n- Java [(Link)](#1-java-jdk-link)\n\nAssuming the Java JDK is installed, continue with the Apktool installation on your desktop:\n\n**Install Apktool (Linux):**\n\n```bash\n# Download the apktool wrapper script\nwget https://raw.githubusercontent.com/iBotPeaches/Apktool/master/scripts/linux/apktool -O apktool\n# Give executable permission to the apktool script and copy it to /usr/local/bin\nchmod +x apktool \u0026\u0026 sudo cp apktool /usr/local/bin/apktool\n```\n\n- Check the latest release of apktool in their Bitbucket repository [(Link)](https://bitbucket.org/iBotPeaches/apktool)\n\n```bash\n# Download the latest version of apktool\nwget https://bitbucket.org/iBotPeaches/apktool/downloads/apktool_2.9.1.jar -O apktool.jar\n# Give executable permission to apktool.jar and copy it to /usr/local/bin\nchmod +x apktool.jar \u0026\u0026 sudo cp apktool.jar /usr/local/bin/apktool.jar\n```\n\n**Install Apktool (Windows):**\n\n- Open the link in your browser, right click and save the file as 'apktool.bat' [(Link)](https://raw.githubusercontent.com/iBotPeaches/Apktool/master/scripts/windows/apktool.bat)\n- Download the latest version of apktool [(Link)](https://bitbucket.org/iBotPeaches/apktool/downloads/)\n- Move both `apktool.jar` and `apktool.bat` to your Windows directory. 
(Usually C:\\Windows)\n\n**Run Apktool:**\n\n```bash\napktool\n```\n\n### APKToolGUI\n\n**Pre-requirement:**\n\n- Java [(Link)](#1-java-jdk-link)\n\nAssuming the Java JDK is installed, continue with the APKToolGUI installation on your desktop:\n\n**Install APKToolGUI (Windows):**\n\n- Download the latest release of APKToolGUI from the APKToolGUI GitHub repository [(Link)](https://github.com/AndnixSH/APKToolGUI/releases)\n- Extract the zip file and rename the extracted folder to APKToolGUI\n\n**Run APKToolGUI (Windows):**\n\n- Double click `APKToolGUI.exe` inside the extracted APKToolGUI folder\n\n**N.B:** Please note that APKToolGUI is currently only available for Windows.\n\n### JADX\n\n**Pre-requirement:**\n\n- Java [(Link)](#1-java-jdk-link)\n\nAssuming the Java JDK is installed, continue with the JADX installation on your desktop:\n\n**Install JADX (Linux):**\n\n- Download the latest release of JADX from the JADX GitHub repository [(Link)](https://github.com/skylot/jadx/releases)\n- Extract the zip file and rename the extracted folder to JADX\n\n```bash\ncd ./JADX/bin\n# Give executable permission to the jadx and jadx-gui scripts\nchmod +x jadx \u0026\u0026 chmod +x jadx-gui\n```\n\n**Run JADX (Linux):**\n\n```bash\n# run jadx cli\n./jadx\n# run jadx gui\n./jadx-gui\n```\n\n**Install JADX (Windows):**\n\n- Download the latest release of JADX from the JADX GitHub repository [(Link)](https://github.com/skylot/jadx/releases)\n- Extract the zip file and rename the extracted folder to JADX\n\n**Run JADX (Windows):**\n\n- Navigate to the bin folder inside the JADX folder\n- Double click `jadx.bat` to run the jadx cli\n- Double click `jadx-gui.bat` to run the jadx gui\n\n### JD-GUI\n\n**Pre-requirement:**\n\n- Java [(Link)](#1-java-jdk-link)\n\nAssuming the Java JDK is installed, continue with the JD-GUI installation on your desktop:\n\n**Install JD-GUI (Linux):**\n\n- Download the latest release of jd-gui-x.x.x.deb from the java-decompiler/jd-gui GitHub repository 
[(Link)](https://github.com/java-decompiler/jd-gui/releases)\n\n```bash\n# Install jd-gui from the downloaded .deb package\nsudo apt install ./jd-gui-x.x.x.deb\n```\n\n**Run JD-GUI (Linux):**\n\n```bash\n# Run jd-gui\njd-gui\n```\n\n**Install JD-GUI (Windows):**\n\n- Download the latest release of jd-gui-windows-x.x.x.zip from the java-decompiler/jd-gui GitHub repository [(Link)](https://github.com/java-decompiler/jd-gui/releases)\n- Extract the zip file and rename the extracted folder to jd-gui\n\n**Run JD-GUI (Windows):**\n\n- Double click `jd-gui.exe` to run jd-gui\n\n### Dex2Jar\n\n**Pre-requirement:**\n\n- Java [(Link)](#1-java-jdk-link)\n\nAssuming the Java JDK is installed, continue with the Dex2Jar installation on your desktop:\n\n**Install Dex2Jar (Linux):**\n\n```bash\nsudo apt install -y dex2jar\n```\n\n**Install Dex2Jar (Windows):**\n\n- Download the latest release of Dex2Jar from the pxb1988/dex2jar GitHub repository [(Link)](https://github.com/pxb1988/dex2jar/releases)\n- Extract the zip file and rename the extracted folder to dex2jar\n\n### Objection\n\n**Pre-requirement:**\n\n- Python/Python3 [(Link)](#2-pythonpython3-link)\n\nAssuming Python/Python3 is installed, continue with the Objection installation on your desktop:\n\n**Install Objection (Linux):**\n\n```bash\npip3 install objection\n```\n\n**Install Objection (Windows):**\n\n```cmd\npip install objection\n```\n\n### Burp Suite\n\n**Pre-requirement:**\n\n- Java [(Link)](#1-java-jdk-link)\n\nAssuming the Java JDK is installed, continue with the Burp Suite installation on your desktop:\n\n- Go to the Burp Suite official website, pick either Burp Suite Professional or Burp Suite Community, and download the JAR file [(Link)](https://portswigger.net/burp/releases)\n\n**Run Burp Suite:**\n\n```cmd\njava \"--add-opens=java.desktop/javax.swing=ALL-UNNAMED\" \"--add-opens=java.base/java.lang=ALL-UNNAMED\" 
\"--add-opens=java.base/jdk.internal.org.objectweb.asm=ALL-UNNAMED\" \"--add-opens=java.base/jdk.internal.org.objectweb.asm.tree=ALL-UNNAMED\" \"--add-opens=java.base/jdk.internal.org.objectweb.asm.Opcodes=ALL-UNNAMED\" \"-noverify\" \"-jar\" .\\burpsuite.jar\n```\n\n### Postman\n\n- Go to the Postman official website and download the `tar.gz` file for Linux or the `exe` for Windows [(Link)](https://www.postman.com/downloads)\n\n**Install Postman (Linux):**\n\n```bash\n# Install dependencies\nsudo apt-get -y install libgconf-2-4 openssl\n# Extract the archive\ntar zxf /path/to/downloaded/archive/Postman-linux-xXX-X.XX.X.tar.gz\n# Move Postman to /opt/apps (create the directory if it does not exist)\nsudo mkdir -p /opt/apps\nsudo mv Postman /opt/apps/\n# Create a shortcut\nsudo ln -s /opt/apps/Postman/Postman /usr/local/bin/postman\n```\n\n**Run Postman (Linux):**\n\n```bash\npostman\n```\n\n**Install \u0026 Run Postman (Windows):**\n\n- Double click the downloaded installer\n\n### Radare2\n\n**Install Radare2 (Linux):**\n\n```bash\nsudo apt-get -y install radare2\n```\n\n**Install Radare2 (Windows):**\n\n- Download `radare2-x.x.x-wxx.zip` from the official releases [(Link)](https://github.com/radareorg/radare2/releases)\n- Extract the zip in your preferred location\n\n**Run Radare2 (Linux):**\n\n```bash\nradare2 -h\n```\n\n**Run Radare2 (Windows):**\n\n```powershell\n.\\radare2\\bin\\r2.bat\n```\n\n### Nuclei\n\n**Pre-requirement:**\n\n- Docker [(Link)](#4-docker-link)\n\nAssuming your Docker engine is up and running, continue with the Nuclei installation:\n\n**Install Nuclei:**\n\n```docker\ndocker pull projectdiscovery/nuclei:latest\n```\n\n**Run Nuclei:**\n\n```docker\n# Nuclei runs inside the pulled container, so invoke it through docker run\ndocker run -it --rm projectdiscovery/nuclei:latest -h\n```\n\n### Zipalign\n\n**Install Zipalign (Linux):**\n\n```bash\nsudo apt-get -y install zipalign\n```\n\n**Run Zipalign (Linux):**\n\n```bash\nzipalign\n```\n\n**Install Zipalign (Windows):**\n\n- Download the latest Android SDK Build-Tools release for Windows [(Link)](https://androidsdkoffline.blogspot.com/p/android-sdk-build-tools.html)\n- Extract the zip in 
your preferred location\n\n**Run Zipalign (Windows):**\n\n- Navigate to the extracted zip file location\n\n```powershell\n.\\zipalign.exe\n```\n\n### DB Browser for SQLite\n\n**Install DB Browser on Debian based Linux distros:**\n\n```bash\nsudo apt-get install sqlitebrowser\n```\n\n**Install DB Browser on Ubuntu and Ubuntu based Linux distros:**\n\n```bash\n# Add the PPA to the repo list\nsudo add-apt-repository -y ppa:linuxgndu/sqlitebrowser\n# Update the repo list\nsudo apt-get update\n# Install sqlitebrowser\nsudo apt-get install sqlitebrowser\n```\n\n**Install DB Browser on Windows:**\n\n- Download the Windows installer [(Link)](https://sqlitebrowser.org/dl)\n- Double click the executable installer and install DB Browser\n\n**Run DB Browser (Linux):**\n\n```bash\nsqlitebrowser\n```\n\n### Frida Tools\n\n**Pre-requirement:**\n\n- Python/Python3 [(Link)](#2-pythonpython3-link)\n\nAssuming Python/Python3 is installed, continue with the Frida Tools installation on your desktop:\n\n**Install Frida Tools (Linux):**\n\n```bash\npip3 install frida\npip3 install frida-tools\n```\n\n**Install Frida Tools (Windows):**\n\n```cmd\npip install frida\npip install frida-tools\n```\n\n### Frida Server (Magisk-Frida)\n\n**Pre-requirement:**\n\n- Magisk [(Link)](#6-magisk-link)\n\nAssuming Magisk is installed on your Android device, continue with the Frida Server installation:\n\n- Download the latest MagiskFrida zip [(Link)](https://github.com/ViRb3/magisk-frida/releases)\n- Place the zip on your Android device\n- Open the Magisk Manager app, go to the Modules section and click on 'Install from storage'\n- Select the downloaded zip\n- Reboot the device\n\n  [Refer to Picture](https://github.com/Hrishikesh7665/Android-Pentesting-Checklist/blob/extras/Magisk%20Modules.jpg?raw=true)\n\n### Always Trust User Certs \u0026 Burp-cert Magisk Modules\n\n**Pre-requirement:**\n\n- Magisk [(Link)](#6-magisk-link)\n\nAssuming Magisk is installed on your Android device, continue with the Always Trust User 
Certs \u0026 Burp-cert Magisk Modules installation:\n\n- Download the Always Trust User Certs Magisk Module zip [(Link)](https://github.com/Hrishikesh7665/Android-Pentesting-Checklist/raw/extras/AlwaysTrustUserCerts.zip)\n- Download the Burp-cert Magisk Module zip [(Link)](https://github.com/Hrishikesh7665/Android-Pentesting-Checklist/raw/extras/burpcert-magisk-module-v0.9.zip)\n- Place both zips on your Android device\n- Open the Magisk Manager app, go to the Modules section and click on 'Install from storage'\n- Select the downloaded zips one at a time\n- Reboot the device\n\n  [Refer to Picture](https://github.com/Hrishikesh7665/Android-Pentesting-Checklist/blob/extras/Magisk%20Modules.jpg?raw=true)\n\n### Fridump\n\n**Pre-requirement:**\n\n- Python/Python3 [(Link)](#2-pythonpython3-link)\n- Frida [(Link)](#frida-tools)\n- Frida Server [(Link)](#frida-server-magisk-frida)\n\nAssuming Python/Python3 and Frida are installed on your desktop and Frida Server is installed on your Android device, continue with the Fridump installation:\n\n**Install Fridump (Linux):**\n\n```bash\ngit clone https://github.com/Nightbringer21/fridump.git\n```\n\n**Run Fridump (Linux):**\n\n- Open a terminal and navigate to the fridump folder\n\n```bash\npython3 fridump.py -h\n```\n\n**Install Fridump (Windows):**\n\n- Download the Fridump zip [(Link)](https://codeload.github.com/Nightbringer21/fridump/zip/refs/heads/master)\n- Rename the file `fridump-master.zip` to `fridump.zip`\n- Extract `fridump.zip`\n\n**Run Fridump (Windows):**\n\n- Open PowerShell and navigate to the fridump folder\n\n```powershell\npython fridump.py -h\n```\n\n## Useful Commands \u0026 Tools Usage\n\n### ADB Commands\n\n**Start the adb server:**\n\n```bash\nadb start-server\n```\n\n**Stop the adb server:**\n\n```bash\nadb kill-server\n```\n\n**List attached adb devices:**\n\n```bash\nadb devices\n```\n\n**Reboot the device using adb:**\n\n```bash\nadb reboot\n```\n\n**Backup device using adb:**\n\n```bash\n# Basic backup of the device\nadb 
backup -f \u003csome_file_name\u003e.ab\n\n# Take a backup of a specific app\nadb backup -nosystem -noapk -noshared -f \u003csome_file_name\u003e.ab \u003cpackage_name_of_the_apk\u003e\n\n# Full device backup: all apps with their APKs and OBB files, system apps and shared storage\nadb backup -apk -obb -shared -all -system -f \u003csome_file_name\u003e.ab\n\n# e.g.:\n# adb backup -f testbackup.ab\n# adb backup -nosystem -noapk -noshared -f diva_backup.ab jakhar.aseem.diva\n# adb backup -apk -obb -shared -all -system -f testbackup_full.ab\n\n# Other options\n# -f \u003cfilename\u003e specify the filename (default: creates backup.ab in the current directory)\n# -apk|noapk enable/disable backup of the .apk files themselves (default: -noapk)\n# -obb|noobb enable/disable backup of additional (OBB) files (default: -noobb)\n# -shared|noshared backup the device's shared storage / SD card contents (default: -noshared)\n# -all backup all installed applications\n# -system|nosystem include system applications (default: -system)\n# \u003cpackages\u003e a list of packages to be backed up (e.g. 
jakhar.aseem.diva) (not needed if -all is specified)\n```\n\n**Restore device backup using adb:**\n\n```bash\nadb restore \u003csome_file_name\u003e.ab\n\n# e.g.:\n# adb restore testbackup_full.ab\n```\n\n\u003e [!NOTE]\n\u003e Keep in mind that if sensitive information or logged-in user sessions come back after restoring a backup taken via ADB, the app is exposing that data through the backup mechanism, which could be considered a potential vulnerability.\n\n**Use adb over TCP:**\n\n```bash\n# Use this command while you are still connected to the device over USB\nadb tcpip \u003cdesired_port_number\u003e\n\n# Disconnect the USB cable and run\nadb connect \u003candroid_device_ip\u003e:\u003cdesired_port_number\u003e\n\n# e.g.:\n# adb tcpip 5555\n# adb connect 192.168.50.23:5555\n```\n\n**Enter the Android shell as a normal user:**\n\n```bash\nadb shell\n```\n\n**Enter the Android shell as root:**\n\n```bash\nadb shell su\n```\n\n**List Android packages:**\n\n```bash\n# List all installed packages\nadb shell pm list packages\n\n# List only user installed packages:\nadb shell pm list packages -3 | cut -f 2 -d \":\"\n\n# Other options:\n# -f: see their associated file\n# -d: filter to only show disabled packages\n# -e: filter to only show enabled packages\n# -s: filter to only show system packages\n# -3: filter to only show third party packages\n# -i: see the installer for the packages\n# -U: also show the package UID\n```\n\n**Find an Android package:**\n\n```bash\n# List packages containing the specified keyword\nadb shell pm list packages 'keyword' | cut -d ':' -f2\n\n# e.g.:\n# adb shell pm list packages 'diva' | cut -d ':' -f2\n```\n\n**Get the Process ID (pid) of apps:**\n\n```bash\n# List the pids of all running processes:\nadb shell ps\n\n# Find the pid of a particular app:\nadb shell ps | grep \u003cpackage_name_of_the_apk\u003e\n\n# e.g.:\n# adb shell ps | grep jakhar.aseem.diva\n```\n\n**Install an apk using adb:**\n\n```bash\nadb install \u003cname_of_apk_file\u003e\n\n# Install the apk to removable storage (-s)\nadb install -s \u003cname_of_apk_file\u003e\n\n# e.g.:\n# adb 
install diva.apk\n# adb install -s diva.apk\n```\n\n**Launch an apk using adb:**\n\n```bash\n# Method 1: Launch using the Monkey tool (send one LAUNCHER intent to the package)\nadb shell monkey -p \u003cpackage_name_of_the_apk\u003e -c android.intent.category.LAUNCHER 1\n\n# Method 2: Inspect the package with dumpsys to find its launcher activity, then start it with am (see the next section)\nadb shell dumpsys package \u003cpackage_name_of_the_apk\u003e\n\n# e.g.:\n# adb shell monkey -p jakhar.aseem.diva -c android.intent.category.LAUNCHER 1\n# adb shell dumpsys package jakhar.aseem.diva\n```\n\n\u003e **N.B:**\\\n\u003e The Monkey tool method pretends to be a user and starts the app as if its icon had been tapped.\\\n\u003e The Monkey tool method only works when the main activity is exported in the AndroidManifest.xml.\n\n**Launch an apk activity directly using adb:**\n\n```bash\nadb shell am start -n \u003cpackage_name_of_the_apk\u003e/.\u003cactivity_name\u003e\n\n# e.g.:\n# adb shell am start -n jakhar.aseem.diva/.MainActivity\n```\n\n**Uninstall an apk using adb:**\n\n```bash\nadb uninstall \u003cpackage_name_of_the_apk\u003e\n\n# Keep the data and cache directories of the apk (-k)\nadb uninstall -k \u003cpackage_name_of_the_apk\u003e\n\n# e.g.:\n# adb uninstall jakhar.aseem.diva\n# adb uninstall -k jakhar.aseem.diva\n```\n\n\u003c!-- \n**Extract an android package:**\n\n```bash\n# Pull an apk to current location by specified keyword\napp_name=\"keyword\"; local_location=\"./\"; pkg=$(adb shell pm list packages \"${app_name}\" | head -n 1 | cut -d ':' -f2); apk_path=$(adb shell pm path \"${pkg}\" | cut -d ':' -f2 | grep 'base.apk'); adb shell cp \"${apk_path}\" /storage/emulated/0/ \u0026\u0026 adb pull \"/storage/emulated/0/$(basename \"${apk_path}\")\" \"${local_location}/\" \u0026\u0026 adb shell rm \"/storage/emulated/0/$(basename \"${apk_path}\")\"\n\n# e.g.:\n# Extract diva app in the current directory\n# app_name=\"diva\"; local_location=\"./\"; pkg=$(adb shell pm list packages \"${app_name}\" | head -n 1 | cut -d ':' -f2); apk_path=$(adb shell pm path \"${pkg}\" | cut -d ':' -f2 | grep 'base.apk'); adb shell cp \"${apk_path}\" /storage/emulated/0/ 
\u0026\u0026 adb pull \"/storage/emulated/0/$(basename \"${apk_path}\")\" \"${local_location}/\" \u0026\u0026 adb shell rm \"/storage/emulated/0/$(basename \"${apk_path}\")\"\n```\n--\u003e\n\n**Copy/Push a File/Directory to an Android device using ADB:**\n\n```bash\n# Copy a file to the Android device\nadb push \u003cfile_path_and_name\u003e \u003clocation_on_device\u003e\n\n# Copy a directory to the Android device\nadb push \u003cdirectory_path_and_name\u003e \u003clocation_on_device\u003e\n\n# e.g.:\n# adb push Demo.txt /storage/emulated/0/\n# adb push DemoFolder /storage/emulated/0/\n```\n\u003c!-- \n\n***Bypassing permission denied issue while Copy/Push a File/Directory to an Android device using ADB:***\n\n```bash\n# Copy a file to android device\nsrc=\"somefile.txt\"; dst=\"/data/data/com.someapp.dev/\"; tmp=\"/data/local/tmp/\"; base=$(basename \"${src}\"); adb push \"${src}\" \"${tmp}\"; adb shell su -c \"cp -r \\\"${tmp}${base}\\\" \\\"${dst}\\\" \u0026\u0026 rm -rf \\\"${tmp}${base}\\\"\"\n\n# adb push \u003cfile_path_and_name\u003e \u003clocation_on_device\u003e\n\n# Copy a directory to android device\nadb push \u003cdirectory_path_and_name\u003e \u003clocation_on_device\u003e\n\n# e.g.:\n# adb push Demo.txt /storage/emulated/0/\n```\n--\u003e\n\n**Get/Pull a File/Directory from an Android device using ADB:**\n\n```bash\n# Get a file from the Android device\nadb pull \u003cfile_path_and_name\u003e \u003clocation_on_computer\u003e\n\n# Get a directory from the Android device\nadb pull \u003cdirectory_path_and_name\u003e \u003clocation_on_computer\u003e\n\n# e.g.:\n# adb pull /storage/emulated/0/Demo.txt ./\n# adb pull /storage/emulated/0/DemoFolder ./\n```\n\n***Bypassing the permission denied issue while pulling a file from an Android device using ADB:***\n\n```bash\n# Solution 1: read the file as root (root required)\nadb shell su -c 'cat \u003cfile_path_and_name\u003e' \u003e \u003clocation_on_computer\u003e\n\n# Solution 2: Useful to check whether SharedPreferences are accessible as a non-root (low-privileged) 
user\nadb exec-out run-as \u003cpackage_name_of_the_apk\u003e cat /data/user/0/\u003cpackage_name_of_the_apk\u003e/shared_prefs/\u003cfile_name\u003e \u003e \u003clocation_on_computer\u003e\n\n# Solution 3: Useful when you need to access an app's internal files or a file owned by that app (root required)\nadb shell su -c 'run-as \u003cpackage_name_of_the_apk\u003e cat \u003cfile_path_and_name\u003e' \u003e \u003clocation_on_computer\u003e\n\n# e.g.:\n# adb shell su -c 'cat /data/user/0/jakhar.aseem.diva/files/Test.txt' \u003e Test.txt\n# adb exec-out run-as jakhar.aseem.diva cat /data/user/0/jakhar.aseem.diva/shared_prefs/settings.xml \u003e settings.xml\n# adb shell su -c 'run-as jakhar.aseem.diva cat /data/user/0/jakhar.aseem.diva/files/Test.txt' \u003e Test.txt\n```\n\n\u003e [!TIP]\n\u003e `run-as` executes a command with the permissions (UID) of a specific app on an Android device. This is essential for accessing app-specific data and resources that are normally restricted. Note that `run-as` only works for apps built with `android:debuggable=\"true\"`; for non-debuggable release builds, use the root-based solutions above.\n\u003e\n\u003e Syntax: `adb shell run-as \u003cpackage-name\u003e \u003ccommand\u003e \u003cargs\u003e` \\\n\u003e Example: `adb shell run-as com.example.myapp cat /data/data/com.example.myapp/databases/mydatabase.db`\n\n***Bypassing the permission denied issue while pulling a directory from an Android device using ADB:***\n\n```bash\n# Get a directory from the Android device (root required)\ndir=\"\u003cdirectory_path_and_name\u003e\"; IFS=$'\\n'; for subdir in $(adb shell su -c \"find \\\"${dir}\\\" -type d\"); do mkdir -p \".${subdir}\"; done; for file in $(adb shell su -c \"find \\\"${dir}\\\" -type f\"); do adb shell su -c \"cat \\\"${file// /\\\\\\ }\\\"\" \u003e \".${file}\"; done;\n\n# e.g.:\n# dir=\"somedir\"; IFS=$'\\n'; for subdir in $(adb shell su -c \"find \\\"${dir}\\\" -type d\"); do mkdir -p \".${subdir}\"; done; for file in $(adb shell su -c \"find \\\"${dir}\\\" -type f\"); do adb shell su -c \"cat \\\"${file// /\\\\\\ }\\\"\" \u003e 
\".${file}\"; done;\n```\n\n\u003cdetails\u003e\n\u003csummary\u003eBreakdown of the command: \u003ci\u003e(Click to expand)\u003c/i\u003e\u003c/summary\u003e\n\n\u003e **Set Directory:** `dir=\"\u003cdirectory_path_and_name\u003e\"` assigns the user-provided value to the variable `dir`.\n\u003e\n\u003e **Set Separator:** `IFS=$'\\n'` sets the Internal Field Separator (IFS) to a newline so that filenames containing spaces are handled properly.\n\u003e\n\u003e **Create Directories:** `for subdir in $(adb shell su -c \"find \\\"${dir}\\\" -type d\")` iterates over the subdirectories found by `find` on the Android device, creating corresponding directories (with a dot prefix) under the current directory.\n\u003e\n\u003e **Copy Files:** `for file in $(adb shell su -c \"find \\\"${dir}\\\" -type f\")` iterates over the files found by `find`, reads their contents using `cat`, and writes them to files with the same dot-prefixed paths under the current directory.\n\u003c/details\u003e\n\u003c!-- end of the Breakdown --\u003e\n\n\u003e [!NOTE]\n\u003e Keep in mind that, when using ADB, empty directories will not be copied from or to an Android device.\n\n### Frida Commands\n\n**List Android packages using Frida:**\n\n```bash\n# List all packages with PID, name \u0026 identifier\nfrida-ps -Uai\n\n# List the PID, name and identifier of packages that match the input string\nfrida-ps -Uai | grep -i '\u003cpart_of_the_package_name\u003e'\n\n# e.g.:\n# frida-ps -Uai | grep -i 'diva'\n```\n\n\u003e [!TIP]\n\u003e -D: use this flag to connect Frida to a specific device (the device identifier you get by running the `adb devices` command)\n\u003e\n\u003e Syntax: `frida-ps -D \u003cdevice_identifier\u003e` \\\n\u003e Example: `frida-ps -Uai -D 27d1d6d3a03 | grep -i 'diva'`\n\n**Discover an app's internal methods/calls using Frida:**\n\n```bash\n# Discover the internal methods/calls of an app and save the output to a file\nfrida-discover -U -f \u003cpackage_name_of_the_apk\u003e | tee \u003cfile_path_and_name\u003e\n\n# e.g.:\n# frida-discover -U -f jakhar.aseem.diva | 
tee frida_discover.txt\n```\n\n\u003e **N.B:** The `tee` part is optional; it is recommended because it displays the output and also saves it to a file, which may be required later.\n\n**Trace an app's internal methods/calls using Frida:**\n\n```bash\n# Trace all internal methods/calls of an app\nfrida-trace -p \u003cpid_of_an_app\u003e\n\n# Trace specific internal methods/calls of an app\nfrida-trace -p \u003cpid_of_an_app\u003e -i '\u003cfunction_name\u003e*'\n\n# e.g.:\n# frida-trace -p 852\n# frida-trace -p 852 -i 'log*'\n```\n\n\u003e [!TIP]\n\u003e You can use the -i flag multiple times as needed. \\\n\u003e For example: `frida-trace -p 852 -i 'log*' -i 'recv*' -i 'send*'`\n\u003e\n\u003e For more frida-trace commands please read the [official documentation](https://frida.re/docs/frida-trace/).\n\n**Run Frida Scripts:**\n\n- Bypass root detection using Frida and the [dzonerzy/fridantiroot](https://codeshare.frida.re/@dzonerzy/fridantiroot/) script\n\n  ```bash\n  # -U targets the USB-connected device; without it Frida targets the local machine\n  frida -U --codeshare dzonerzy/fridantiroot -f \u003cpackage_name_of_the_apk\u003e\n\n  # e.g.:\n  # frida -U --codeshare dzonerzy/fridantiroot -f jakhar.aseem.diva\n  ```\n\n- Bypass SSL Pinning\u003csup\u003e[[?]](#ssl-pinning)\u003c/sup\u003e using Frida and the [pcipolloni/universal-android-ssl-pinning-bypass-with-frida](https://codeshare.frida.re/@pcipolloni/universal-android-ssl-pinning-bypass-with-frida/) script\n\n  ```bash\n  frida -U --codeshare pcipolloni/universal-android-ssl-pinning-bypass-with-frida -f \u003cpackage_name_of_the_apk\u003e\n\n  # e.g.:\n  # frida -U --codeshare pcipolloni/universal-android-ssl-pinning-bypass-with-frida -f jakhar.aseem.diva\n  ```\n\n- Bypass emulator detection using Frida and the [m0bilesecurity/emulator_detection_bypass.js](https://github.com/m0bilesecurity/Frida-Mobile-Scripts/blob/master/Android/emulator_detection_bypass.js) script\n\n  - Download the `emulator_detection_bypass.js` script 
[(Link)](https://git-link.vercel.app/api/download?url=https%3A%2F%2Fgithub.com%2Fm0bilesecurity%2FFrida-Mobile-Scripts%2Fblob%2Fmaster%2FAndroid%2Femulator_detection_bypass.js)\n\n    ```bash\n    frida -U -l emulator_detection_bypass.js -f \u003cpackage_name_of_the_apk\u003e\n\n    # e.g.:\n    # frida -U -l emulator_detection_bypass.js -f jakhar.aseem.diva\n    ```\n\n- Combine two or more scripts in Frida\n\n  ```bash\n  frida -U --codeshare dzonerzy/fridantiroot --codeshare pcipolloni/universal-android-ssl-pinning-bypass-with-frida -l emulator_detection_bypass.js -f \u003cpackage_name_of_the_apk\u003e\n\n  # e.g.:\n  # frida -U --codeshare dzonerzy/fridantiroot --codeshare pcipolloni/universal-android-ssl-pinning-bypass-with-frida -l emulator_detection_bypass.js -f jakhar.aseem.diva\n  ```\n\n- (Bonus) A script for all of the above\n\n  ```bash\n  frida -U --codeshare fdciabdul/frida-multiple-bypass -f \u003cpackage_name_of_the_apk\u003e\n\n  # e.g.:\n  # frida -U --codeshare fdciabdul/frida-multiple-bypass -f jakhar.aseem.diva\n  ```\n\n\u003e [!TIP]\n\u003e Sometimes Frida gives an error such as `Failed to spawn` or `Failed to attach`; in that case use `-D`, `-f`, and `-n` together\n\u003e ```bash\n\u003e frida -D \u003cdevice_id\u003e \u003cscript\u003e -f \u003cpackage_name_of_the_apk\u003e -n \u003capp_name\u003e\n\u003e\n\u003e # e.g.:\n\u003e # frida -D ede147ef --codeshare fdciabdul/frida-multiple-bypass -f jakhar.aseem.diva -n Diva\n\u003e ```\n\n\u003e **N.B:** Frida automatically pauses the target app when attaching. 
Using \\\n`--no-pause` to prevent this, allowing the app to start normally while Frida injected the scripts.\n\u003e\n\u003e For more Frida commands please read the [official documentation](https://learnfrida.info).\n\u003e\n\u003e For more Frida please visit [Codeshare](https://codeshare.frida.re/browse).\n\n### Objection Commands\n\n**Connect an app to Objection:**\n\n```bash\nobjection --gadget \u003cpackage_name_of_the_apk\u003e explore\n\n# e.g.:\n# objection --gadget jakhar.aseem.diva explore\n```\n\n**Connect an app to Objection and load Frida script:**\n\n```bash\nimport \u003csome_frida_script_file\u003e\nobjection --gadget \u003cpackage_name_of_the_apk\u003e explore --startup-script \u003csome_frida_script_file\u003e\n\n# e.g.:\n# import emulator_detection_bypass.js\n# objection --gadget jakhar.aseem.diva explore --startup-script emulator_detection_bypass.js\n```\n\n**Re-attach to an app, if in case Objection detaches from the app:**\n\n```bash\n# Get the pid by using `frida-ps -Uai` command\nobjection --gadget \u003cpid_of_app\u003e explore\n\n# e.g.:\n# objection --gadget 7814 explore\n```\n\n**Extract useful information from an app using Objection:**\n\n```bash\n# Some interesting information like passwords, paths could be find inside the environment.\nenv\n```\n\n**Bypass SSL Pinning\u003csup\u003e[[?]](#ssl-pinning)\u003c/sup\u003e using Objection:**\n\n```bash\n# Method 1: Run after connect an app to Objection\nandroid sslpinning disable --quiet\n\n# Method 2: Connect an app to Objection with SSL pinning disabled\nobjection --gadget \u003cpackage_name_of_the_apk\u003e explore --startup-command 'android sslpinning disable --quiet'\n\n#e.g.:\n# objection --gadget jakhar.aseem.diva explore --startup-command 'android sslpinning disable --quiet'\n```\n\n**Bypass Root detection using Objection:**\n\n```bash\n# Method 1: Run after connect an app to Objection\nandroid root disable --quiet\n\n# Method 2: Connect an app to Objection with Root detection 
disabled\nobjection --gadget \u003cpackage_name_of_the_apk\u003e explore --startup-command 'android root disable --quiet'\n\n# e.g.:\n# objection --gadget jakhar.aseem.diva explore --startup-command 'android root disable --quiet'\n```\n\n**List KeyStore\u003csup\u003e[[?]](#keystore)\u003c/sup\u003e using Objection:**\n\n```bash\nandroid keystore list\n```\n\n**List activities, receivers and services using Objection:**\n\n```bash\n# List activities\nandroid hooking list activities \u003cpackage_name_of_the_apk\u003e\n\n# List services\nandroid hooking list services \u003cpackage_name_of_the_apk\u003e\n\n# List receivers\nandroid hooking list receivers \u003cpackage_name_of_the_apk\u003e\n\n# e.g.:\n# android hooking list activities jakhar.aseem.diva\n# android hooking list services jakhar.aseem.diva\n# android hooking list receivers jakhar.aseem.diva\n```\n\n**Get current activity name using Objection:**\n\n```bash\nandroid hooking get current_activity\n```\n\n**List Memory modules using Objection:**\n\n```bash\n# List all memory modules\nmemory list modules\n\n# Grab a particular module\nmemory list modules | grep '\u003capp_name_or_part_of_app_name\u003e'\n\n# e.g.:\n# memory list modules | grep 'diva'\n```\n\n**Take Memory Dump\u003csup\u003e[[?]](#memory-dump)\u003c/sup\u003e using Objection:**\n\n```bash\n# Dump all memory\nmemory dump all '\u003clocal_file_name_and_path\u003e'\n\n# Dump a part of memory\nmemory dump from_base \u003cbase_address\u003e \u003csize_to_dump\u003e '\u003clocal_file_name_and_path\u003e'\n\n# e.g.:\n# memory dump all 'all_memory.dmp'\n# memory dump from_base 0x77bbc000 4096 'all_memory.dmp'\n```\n\n**Search inside Memory using Objection:**\n\n```bash\nmemory search '\u003ckeyword_to_search\u003e' --string\n\n# e.g.:\n# memory search 'api' --string\n```\n\n\u003e [!TIP]\n\u003e The base address can be obtained by running the `memory list modules` command.\n\u003e\n\u003e The `size_to_dump` is the amount of memory to extract, in bytes (e.g., 4096 
for 4 KB).\n\n**Monitor user clipboard using Objection:**\n\n```bash\nandroid clipboard monitor\n```\n\n**List classes that were loaded inside the current application:**\n\n```bash\nandroid hooking list classes\n```\n\n**Search classes inside the current application:**\n\n```bash\nandroid hooking search classes '\u003ckeyword_to_search\u003e'\n\n# e.g.:\n# android hooking search classes 'jakhar.aseem.diva'\n```\n\n**List declared Methods of a class with their parameters in the current application:**\n\n```bash\nandroid hooking list class_methods \u003cpackage_name_of_the_apk\u003e.\u003cactivity_or_class_name\u003e\n\n# e.g.:\n# android hooking list class_methods jakhar.aseem.diva.MainActivity\n```\n\n**Search methods inside classes:**\n\n```bash\n# Search the loaded classes for methods whose name matches the keyword\nandroid hooking search methods '\u003ckeyword_to_search\u003e'\n\n# e.g.:\n# android hooking search methods 'jakhar.aseem.diva.MainActivity'\n```\n\n**Hooking (watching) a method:**\n\n```bash\n# Read the source code during static analysis to learn the function names\nandroid hooking watch class_method \u003cpackage_name_of_the_apk\u003e.\u003cactivity_or_class_name\u003e.\u003cfunction_or_method_name\u003e --dump-args --dump-backtrace --dump-return\n\n# e.g.:\n# android hooking watch class_method jakhar.aseem.diva.MainActivity.xyz --dump-args --dump-backtrace --dump-return\n```\n\n**Hooking (watching) an entire class:**\n\n```bash\nandroid hooking watch class \u003cpackage_name_of_the_apk\u003e.\u003cactivity_or_class_name\u003e --dump-args --dump-return\n\n# e.g.:\n# android hooking watch class jakhar.aseem.diva.MainActivity --dump-args --dump-return\n```\n\n**Alter boolean return value of a function:**\n\n```bash\n# From the source code you can determine which function returns a boolean, and make the function always return true or false:\nandroid hooking set return_value \u003cpackage_name_of_the_apk\u003e.\u003cactivity_or_class_name\u003e.\u003cfunction_or_method_name\u003e 
\u003cbool\u003e\n\n# e.g.:\n# android hooking set return_value jakhar.aseem.diva.MainActivity.xyz false\n```\n\n**List instances of a specific Java class inside the current app using Objection:**\n\n```bash\nandroid heap print_instances \u003cclass_name\u003e\n\n# e.g.:\n# android heap print_instances MainActivity\n```\n\n**Screenshot protection bypass in the current app using Objection:**\n\n```bash\n# Enable screenshots with the hardware keys by clearing FLAG_SECURE\nandroid ui FLAG_SECURE false\n```\n\n**Connect/execute/sync/disconnect SQLite commands with the current app's database(s) using Objection:**\n\n```bash\n# First identify the current app's database(s) location, then go to that location and connect to the database:\nsqlite connect \u003csqlite_database_location_and_file_name\u003e\n\n# Check the status of the SQLite connection\nsqlite status\n\n# Get the database schema for the currently connected SQLite database\nsqlite execute schema\n\n# Execute a SQL query\nsqlite execute query \u003csql_query\u003e\n\n# Sync the locally cached SQLite database with the remote database\nsqlite sync\n\n# Disconnect from the currently connected SQLite database file\nsqlite disconnect\n\n# e.g.:\n# sqlite connect credentials.db\n# sqlite execute query select * from data\n```\n\n\u003e [!NOTE]\n\u003e The `sqlite` command utility in Objection allows you to connect to a SQLite database. On connecting to a remote device database, Objection copies the remote database file to a local temporary directory. When a user executes any SQL query, it is initially performed on the locally cached database file. If the user employs the `sqlite sync` command, the file is then validated. 
Once the locally cached SQLite database is validated, it is synchronized with the remote database.\n\n### Drozer Commands\n\n**Connect to Drozer:**\n\n- Download the Drozer Agent APK [agent-debug.apk](https://github.com/WithSecureLabs/drozer-agent/releases)\n\n- Install the APK on the device\n\n  ```bash\n  # Install the drozer agent APK using ADB\n  adb install agent-debug.apk\n  ```\n\n- Launch the drozer agent app\n\n  ```bash\n  # Start the agent's launcher activity (one event) with the monkey tool\n  adb shell monkey -p com.mwr.dz -c android.intent.category.LAUNCHER 1\n  ```\n\n- Forward the drozer agent port using ADB\n\n  ```bash\n  adb forward tcp:31415 tcp:31415\n  ```\n\n- Connect to the Drozer Desktop Server\n\n  ```bash\n  drozer console connect --server \u003cdesktop_ip\u003e\n\n  # e.g.:\n  # drozer console connect --server 192.168.100.5\n  ```\n\n**Find an android package:**\n\n```bash\n# List all packages using Drozer\nrun app.package.list\n\n# List packages containing the specified keyword using Drozer\nrun app.package.list -f '\u003ckeyword\u003e'\n\n# e.g.:\n# run app.package.list -f 'diva'\n```\n\n**List basic information about an android package:**\n\n```bash\nrun app.package.info -a \u003cpackage_name_of_the_apk\u003e\n\n# e.g.:\n# run app.package.info -a jakhar.aseem.diva\n```\n\n**Show AndroidManifest.xml of an android package:**\n\n```bash\nrun app.package.manifest \u003cpackage_name_of_the_apk\u003e\n\n# e.g.:\n# run app.package.manifest jakhar.aseem.diva\n```\n\n**Show Attack surface (common weaknesses) of an android package:**\n\n```bash\nrun app.package.attacksurface \u003cpackage_name_of_the_apk\u003e\n\n# e.g.:\n# run app.package.attacksurface jakhar.aseem.diva\n```\n\n**List packages for which the Backup flag is enabled:**\n\n```bash\nrun app.package.backup\n```\n\n**List packages for which the Debuggable flag is enabled:**\n\n```bash\nrun app.package.debuggable\n```\n\n**List activities and intent filters of an android package using Drozer:**\n\n```bash\n# List activities\nrun app.activity.info -a \u003cpackage_name_of_the_apk\u003e\n\n# List intent 
filters\nrun app.activity.info -i \u003cpackage_name_of_the_apk\u003e\n\n# List both\nrun app.activity.info -i -a \u003cpackage_name_of_the_apk\u003e\n\n# e.g.:\n# run app.activity.info -a jakhar.aseem.diva\n# run app.activity.info -i jakhar.aseem.diva\n# run app.activity.info -i -a jakhar.aseem.diva\n```\n\n**Launch an activity of an android package using Drozer:**\n\n```bash\n# Launch an activity\nrun app.activity.start --component \u003cpackage_name_of_the_apk\u003e \u003cactivity_name\u003e\n\n# e.g.:\n# run app.activity.start --component jakhar.aseem.diva jakhar.aseem.diva.MainActivity\n```\n\n**List exported and unexported content providers of an android package using Drozer:**\n\n```bash\n# List exported content providers\nrun app.provider.info -a \u003cpackage_name_of_the_apk\u003e\n\n# List unexported content providers\nrun app.provider.info -u -a \u003cpackage_name_of_the_apk\u003e\n\n# e.g.:\n# run app.provider.info -a jakhar.aseem.diva\n# run app.provider.info -u -a jakhar.aseem.diva\n```\n\n**Investigate Android package content providers for potential vulnerabilities using Drozer:**\n\n```bash\nrun scanner.provider.finduris \u003cpackage_name_of_the_apk\u003e\n\n# e.g.:\n# run scanner.provider.finduris jakhar.aseem.diva\n```\n\n**Investigate Android package content providers for potential SQL Injection vulnerabilities using Drozer:**\n\n```bash\nrun scanner.provider.injection \u003cpackage_name_of_the_apk\u003e\n\n# e.g.:\n# run scanner.provider.injection jakhar.aseem.diva\n```\n\n**Find tables accessible through SQL injection in an Android package using Drozer:**\n\n```bash\nrun scanner.provider.sqltables \u003cpackage_name_of_the_apk\u003e\n\n# e.g.:\n# run scanner.provider.sqltables jakhar.aseem.diva\n```\n\n**Investigate Android package content providers for basic directory traversal vulnerabilities using Drozer:**\n\n```bash\nrun scanner.provider.traversal \u003cpackage_name_of_the_apk\u003e\n\n# e.g.:\n# run scanner.provider.traversal 
jakhar.aseem.diva\n```\n\n**Investigate Android package for browsable activities that can be invoked from the web browser using Drozer:**\n\n```bash\nrun scanner.activity.browsable \u003cpackage_name_of_the_apk\u003e\n\n# e.g.:\n# run scanner.activity.browsable jakhar.aseem.diva\n```\n\n**Investigate Android package native components for potential vulnerabilities using Drozer:**\n\n```bash\nrun scanner.misc.native \u003cpackage_name_of_the_apk\u003e\n\n# e.g.:\n# run scanner.misc.native jakhar.aseem.diva\n```\n\n**Investigate Android package for secret codes that can be used from the dialer using Drozer:**\n\n```bash\nrun scanner.misc.secretcodes \u003cpackage_name_of_the_apk\u003e\n\n# e.g.:\n# run scanner.misc.secretcodes jakhar.aseem.diva\n```\n\n## Terminology\n\n### KeyStore\n\nIn Android, a keystore is a secure storage system used to store and manage cryptographic keys and certificates. It provides a secure environment for tasks like SSL/TLS pinning, app authentication, and data encryption, enhancing the overall security of Android applications.\n\n### Memory Dump\n\nIn Android, a memory dump is a snapshot of the device's current system memory. It captures the contents of RAM, including running processes and their data. 
Check memory dump for any sensitive information stored in memory.\n\n\n## Important Links\n\n- [https://book.hacktricks.xyz/mobile-pentesting/android-checklist](https://book.hacktricks.xyz/mobile-pentesting/android-checklist)\n- [learnfrida.info](https://learnfrida.info)\n- [codeshare.frida.re](https://codeshare.frida.re)\n- [https://github.com/dweinstein/awesome-frida](https://github.com/dweinstein/awesome-frida)\n- [https://github.com/interference-security/frida-scripts](https://github.com/interference-security/frida-scripts)\n- [https://github.com/m0bilesecurity/Frida-Mobile-Scripts](https://github.com/m0bilesecurity/Frida-Mobile-Scripts)\n- [https://github.com/WithSecureLabs/android-keystore-audit](https://github.com/WithSecureLabs/android-keystore-audit)\n- [https://owasp.org/www-project-mobile-security-testing-guide/](https://owasp.org/www-project-mobile-security-testing-guide/)\n- [https://github.com/B3nac/Android-Reports-and-Resources](https://github.com/B3nac/Android-Reports-and-Resources)\n- [https://github.com/wtsxDev/android-security-list](https://github.com/wtsxDev/android-security-list)\n- [https://mobile-security.gitbook.io/mobile-security-testing-guide/](https://mobile-security.gitbook.io/mobile-security-testing-guide/)\n- [https://github.com/ashishb/android-security-awesome](https://github.com/ashishb/android-security-awesome)\n- [https://androidsdkoffline.blogspot.com/p/android-sdk-build-tools.html](https://androidsdkoffline.blogspot.com/p/android-sdk-build-tools.html)\n\n## Intentionally Vulnerable Applications For Practice\n\n- Damn Insecure and vulnerable App for Android (DIVA) [(Link)](https://github.com/payatu/diva-android)\n- InsecureBankv2 [(Link)](https://github.com/dineshshetty/Android-InsecureBankv2)\n- VyAPI [(Link)](https://github.com/appsecco/VyAPI/) `Hybrid (Cloud + Android)`\n- Damn Vulnerable Hybrid Mobile App (DVHMA) [(Link)](https://github.com/logicalhacking/DVHMA)\n- What a Terrible Failure (WaTF Bank) 
[(Link)](https://github.com/WaTF-Team/WaTF-Bank)\n- Vuldroid [(Link)](https://github.com/jaiswalakshansh/Vuldroid)\n- Oversecured Vulnerable Android App (OVAA) [(Link)](ht","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FHrishikesh7665%2FAndroid-Pentesting-Checklist","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FHrishikesh7665%2FAndroid-Pentesting-Checklist","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FHrishikesh7665%2FAndroid-Pentesting-Checklist/lists"}