Android Pentesting Checklist

Android Security Architecture

Official Android Security Documentation

Android Overview:

  • Solely based on the Linux OS

    • Commands such as ls, cd, rm, mkdir are all functional within android

    • Keep the Linux file permission in mind during testing

  • Has to support multiple CPU types such as SoC, ARM and also 32/64 bit versions of each

Android Runtime (ART)

  • Translation layer from bytecode to instructions

  • Every app is sandboxed as its own VM

  • Applications are isolated by creating a unique new user for the account

Android Identity and Access Management (IAM)

  • This also follows the UID structure as designed in Linux

  • Android must be rooted to access certain directories for testing

User Profiles

  • Primary User is created the first time the phone starts, always running and can only be removed by factory reset

  • Secondary user can be added to the device and can be deleted by the primary user

  • Guest User is only allowed one account on device

  • Kids Mode this is often found on Google Kids Spaces devices(currently tablets only)

Hardware Abstraction Layer (HAL)

  • Allows apps to access various hardware component on the device

  • HALs include technologies such as Apple Car Play, Android Auto, IoT Devices, Smart watches

Test Environment setup

Install Java for your testing OS (if not installed already)

  • Debian-Based Distro - Run command sudo apt-get install default-jdk -y

Install Dex to Java decompiler:

  • JADX-GUI for Windows .exe (Add .exe to C:\\Windows for CLI)

  • For Mac run the command brew install jadx

  • Debian-based distro - Run command sudo apt-get install jadx

ADB Install - Download SDK Platform-Tools for your host OS

  • This is the shell for accessing the Android

Install Apktool for the testing OS

  • For Mac run the command brew install apktool

  • Debian Based Distro - sudo apt-get install apktool -y

Download Android Studio, GenyMotion, or Visual Studio Emulator for Android for the testing OS

Enable Developer Mode on device

  • For physical device enable USB Debugging as well

How to start ADB with port open on host machine:

  • adb -a nodaemon server

(if you receive an error that the port is already in use, kill the adb process - this will vary per your Operating System)

  • taskkill /f /t /im adb.exe

  • then run: adb -a nodaemon server

From the networked machine, or VM run the following command to connect to the emulator via the newly opened port:

adb -H <host_machine_IP> -P 5037 shell

Android Manifest.xml

  • Present in every Android App

  • It is also where the basic of the application are defined such as permissions, Content Providers, Activities, and minSDKVersion

Information Gathering:

Find information about the company via Google Play store

  • Read app reviews and app announcements

  • Enumerate the creator of the application

  • Enumerate versions and patch notes

  • Enumerate other apps that belong to the company

TargetSdkversion OS version an app was designed for < package= com.vulnerableapp.test> Describes package/app name <uses-sdk android:minSdkVersion="17" android:minSdkVersion="21"/> App minimum and maximum supported versions(range)

APKLeaks - analyze compiled APK file

Pulling an APK

  1. Download app from google play store on the android device OR an .apk file will be provided by client

  2. Run the following commands in a terminal:

    1. abd shell (this drops you into a shell on your emulator or physical phone)

    2. pm list packages | grep <Identifier> (this will display the name of the package installed on the phone, in our case we did grep injured, copy result for step 5 below)

    3. pm path <packagename> (list the file path of the package, copy the file path for step 7 below)

    4. Exit the adb shell with: exit

    5. adb pull <PathToPackage> <NameOfNewFile>.apk (this will pull the apk from the file path on the phone and save it to whatever file name we want

APK from phone to computer: To get apk from the phone to your computer use the following commands

Testing Methodology


  1. Open android studio

  2. Plug in phone and make sure it connects to android studio

  3. Run the following to make a connection over usb to get traffic from the phone through burp. (physical phone)

  4. Pull the APK or install the APK

  5. Throw the APK in mobsf for static analysis (mobsf will look through all the files and pull out data for you)

  6. Use apktool to pull files from the phone to do a more manual static analysis

  7. Can also use jadx-gui to search files manually

  8. Open the APP on phone or emulator

  9. Make sure traffic is being proxied through burp

  10. Run objection

  11. Disable sslpinning if the app is preventing from exploring

  12. Check android keystore for any credentials

  13. Run Drozer and the following commands

  14. if there is a firebase url navigate to the url and add the following json check to see if its vulnerable

  15. In android studio check the /data/data/<>

  16. Copy db to sdcard

  17. Pull dbs to local machine

  18. View dbs in db browser sqlite

  19. Do a manual click through and generate some traffic with burp

  20. Run a burp scan

  21. Test app like it’s a web app. (XSS, SQL injection, login bypass etc)

  22. Check logs in android studio to see if any sensitive data is passed through.

Last updated