{"id":16264990,"url":"https://github.com/shosta/androsectest","last_synced_at":"2026-02-22T13:02:33.858Z","repository":{"id":56662468,"uuid":"141302388","full_name":"Shosta/androSecTest","owner":"Shosta","description":"From this app, Connect a Phone, Extract any app from It, Decompile, Deobfuscate, Remove Certificate Pinning and Repackage it. Meanwhile, Perform some Static and Dynamic Analysis on It.","archived":false,"fork":false,"pushed_at":"2024-06-06T00:32:44.000Z","size":246,"stargazers_count":27,"open_issues_count":15,"forks_count":5,"subscribers_count":4,"default_branch":"master","last_synced_at":"2025-03-16T02:39:44.274Z","etag":null,"topics":["android","android-security-audit","apk","docker-container","go","golang","pentest-scripts","pentest-tool","pentesting"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Shosta.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-07-17T14:37:13.000Z","updated_at":"2025-03-04T19:42:29.000Z","dependencies_parsed_at":"2022-08-15T22:50:35.173Z","dependency_job_id":"22fc2aa1-9968-4b61-bbc3-64b4ace1318f","html_url":"https://github.com/Shosta/androSecTest","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Shosta%2FandroSecTest","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Shosta%2FandroSecTest/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Shosta%2Fa
ndroSecTest/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Shosta%2FandroSecTest/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Shosta","download_url":"https://codeload.github.com/Shosta/androSecTest/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":243875097,"owners_count":20361943,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["android","android-security-audit","apk","docker-container","go","golang","pentest-scripts","pentest-tool","pentesting"],"created_at":"2024-10-10T17:05:07.890Z","updated_at":"2026-02-22T13:02:28.810Z","avatar_url":"https://github.com/Shosta.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"\n\u003ca href=\"https://github.com/Shosta/androSecTest/stargazers\"\u003e\u003cimg alt=\"Ask me anything\" src=\"https://img.shields.io/static/v1.svg?label=Ask%20me\u0026message=anything\u0026color=green\"\u003e\u003c/a\u003e\n\u003ca href=\"https://github.com/Shosta/androSecTest/stargazers\"\u003e\u003cimg alt=\"Maintained\" src=\"https://img.shields.io/static/v1.svg?label=Maintained?\u0026message=Yes\u0026color=Blue\"\u003e\u003c/a\u003e\n\u003ca href=\"https://github.com/Shosta/androSecTest/stargazers\"\u003e\u003cimg alt=\"GitHub stars\" src=\"https://img.shields.io/github/stars/Shosta/androSecTest.svg?style=social\"\u003e\u003c/a\u003e\n\u003ca href=\"https://github.com/Shosta/androSecTest/network\"\u003e\u003cimg alt=\"GitHub forks\" 
src=\"https://img.shields.io/github/forks/Shosta/androSecTest.svg?style=social\"\u003e\u003c/a\u003e\n\u003ca href=\"https://github.com/Shosta/androSecTest/blob/master/LICENSE.md\"\u003e\u003cimg alt=\"GitHub license\" src=\"https://img.shields.io/github/license/Shosta/androSecTest.svg?color=green\u0026style=flat-square\"\u003e\u003c/a\u003e\n\u003ca href=\"https://github.com/Shosta/androSecTest/stargazers\"\u003e\u003cimg alt=\"Pentest\" src=\"https://img.shields.io/static/v1.svg?label=Pentest\u0026message=Your%20App\u0026color=green\u0026logo=Android\"\u003e\u003c/a\u003e\n\n# Android-Static-Security-Audit\n\nHere is a quick cheat sheet of the tests that AndroSecTest runs to check the security of an Android app.\n\nYou can watch how the application pentests an Android app on YouTube: https://youtu.be/zzyTFjnwolo\n\n## Easiest Way to Try It\n\n### Use the Docker Container\n\n1. Build the Docker Container that has all the dependencies and tools already installed.\n    \u003e `docker build .`\n\n2. Connect your Android Device\n\n    2.1. Be sure that the \"adb server\" is **not** running on the host machine, as an Android phone can only be connected to one adb server at a given time.\n\n    2.2. The USB connection from the host device to the Container does not work on macOS, so this only works on a Linux host for the time being.\n\n3. Run the Docker Container\n    \u003e `docker run -it --privileged -v /dev/bus/usb:/dev/bus/usb \"The Container ID\"`\n\n    3.1. `-it` is here so that we can have an interactive session.\n\n    3.2. `--privileged` is required to use a USB device.\n\n    3.3. 
`-v /dev/bus/usb:/dev/bus/usb` defines a shared volume between the host machine and the Container in order to share the USB device (*the Android phone*) information.\n\n⚠️ The results from the SAST are not persisted outside of the Docker Container at the moment.\nI am planning to add a shared volume to persist them in the near future.\n\n## The first part of the security testing is to:\n1. Get the application from the Store,\n1. Pull it from the device,\n1. Unpackage it,\n1. Look for some insecure behavior,\n1. Make it debuggable,\n1. Repackage it and reinstall it on the device.\n\n### 1. Get the application from your device, using the `adb` command\n#### 1.1. List the applications' package names on your device:\n\u003e `adb shell pm list packages | grep \"hint from the app you are looking for\"`\n\n#### 1.2. Get the path of the desired application on the device:\n\u003e `adb shell pm path app.package.name`\n\n#### 1.3. Pull it from your device to your computer:\n\u003e `adb pull app.path`\n\n\n#### 1.4. Change the file extension from \".apk\" to \".zip\".\nUnzip the file.\nYou now have access to the application's file system.\n\n### 2. Look for interesting strings or files in the application\n#### 2.1. Locate interesting files or strings\nRun the following commands at the root of the application file system.\n* `find . -name \"*key\"`\n* `find . -name \"*cer*\"`\n* `find . -name \"*pass*\"`\n\nIf you find some files whose name contains 'key', try these commands:\n* `hexdump -vC ./path/to/.appkey`\n* `more ./path/to/.appkey`\n\n\n#### 2.2. Check the application signature.\n\nVerify the signature:\n\u003e `apksigner verify --verbose Application.apk`\n\nor\n\u003e `jarsigner -verify -certs -verbose app.apk`\n\nand\n\nMove to the META-INF folder and check the signature with openssl:\n\u003e `openssl pkcs7 -inform DER -in CERT.RSA -noout -print_certs -text`\n\nExtract CERT.RSA from the package and display the certificate with keytool. 
\n\u003e `keytool -printcert -file CERT.RSA`\n\nYou can then check which signature algorithm is used (hint: [SHA-1 is no longer secure](https://shattered.io)).\n\n\n### 3. Make the application debuggable and ready for penetration testing\n\nNow that you have the apk file of the application you want, you must disassemble the app to make it debuggable.\n\n#### 1. To disassemble the application, you can use the tool 'apktool'.\n\n\u003e `apktool d -o localAppFolder/ app.package.name.apk`\n\n#### 2. Make the application debuggable and allow backup\n\nIn the `\u003capplication\u003e` node of the manifest file, add an `android:debuggable=\"true\"` attribute to make the app debuggable.\n\nIn the `\u003capplication\u003e` node of the manifest file, add an `android:allowBackup=\"true\"` attribute to allow backup of the app.\n\n#### 3. Intercept and decrypt network requests\n\nEdit the app manifest to be able to intercept and decrypt encrypted requests from the app later on:\nIn the `\u003capplication\u003e` node of the manifest file, add an `android:networkSecurityConfig=\"@xml/network_security_config\"` attribute so that user-added certificates are trusted in a debug configuration.\n\nAdd a `network_security_config.xml` file in the `res/xml` folder with the following content, or append the content to the existing file:\n```xml\n\u003c?xml version=\"1.0\" encoding=\"utf-8\"?\u003e\n\u003c!-- The \"network_security_config.xml\" --\u003e\n\u003cnetwork-security-config\u003e\n    \u003cdebug-overrides\u003e\n        \u003ctrust-anchors\u003e\n            \u003c!-- Trust user added CAs while debuggable only --\u003e\n            \u003ccertificates src=\"user\" /\u003e\n        \u003c/trust-anchors\u003e\n    \u003c/debug-overrides\u003e\n    \u003c!-- ... --\u003e\n\u003c/network-security-config\u003e\n```\n\n#### 4. 
Add the certificate to the device.\nDownload it from Burp, Charles, etc. and add it to your device following your preferred method (`adb push` to the sdcard is the method I use).\nYou can use Bettercap to monitor the UDP traffic.\n\n\n#### 5. Repackage and sign the app:\n1. Repackage the app:\n```\napktool b -o app.package.name.apk localAppFolder/\n```\n\n2. Generate a signing key:\n```\nkeytool -genkey -v -keystore resign.keystore -alias alias_name -keyalg RSA -keysize 2048 -validity 10000\n```\n3. Then sign the app with it:\n```\njarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore resign.keystore app.package.name.apk alias_name\n```\nor\n```\napksigner sign --ks resign.keystore app.package.name.apk\n```\n\n#### 6. Install the app on the device:\n\nRun the following command to install the repackaged app on the device:\n```\nadb install app.package.name.apk\n```\n\n## The next steps of the security testing are to use some static test tools\n\nI want to use a Man in the Middle attack while the user is using the application. It will just intercept all the requests/responses for later analysis.\nI plan to use Bettercap or mitmproxy to do it.\n\nWe are going to use [MobSF](https://github.com/MobSF/Mobile-Security-Framework-MobSF) (MobSF stands for Mobile Security Framework) to test some parts of the security of the app.\n\nAs described on the GitHub page of the project:\n\u003e Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing framework capable of performing static, dynamic and malware analysis. It can be used for effective and fast security analysis of Android, iOS and Windows mobile applications and support both binaries (APK, IPA \u0026 APPX ) and zipped source code. MobSF can do dynamic application testing at runtime for Android apps and has Web API fuzzing capabilities powered by CapFuzz, a Web API specific security scanner. 
MobSF is designed to make your CI/CD or DevSecOps pipeline integration seamless.\n\nI personally use the Docker container to run MobSF for Android security audits.\nSo you can just run this command: `docker run -it -p 8000:8000 -v \u003cyour_local_dir\u003e:/root/.MobSF opensecurity/mobile-security-framework-mobsf:latest`\n\nMobSF is going to automate a lot of the process of static security analysis and deliver a report that will make it easier to start the dynamic security audit.\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fshosta%2Fandrosectest","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fshosta%2Fandrosectest","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fshosta%2Fandrosectest/lists"}