Android Pentesting

ADB Commands

# install adb
sudo apt install adb

# connect to a device
adb connect <ip>:5555

# check the connected devices
adb devices
adb devices -l

# get shell on the android device
adb shell

# get the list of installed applications
adb shell pm list packages | grep <appName>

# get the path of the installed application
adb shell pm path com.app.name

# obtain apk from the installed location
adb pull /data/data/*/*/base.apk <appname.apk>

Wireless ADB

| REQUIREMENTS: Android 11

Android 11 and higher supports deploying and debugging your app wirelessly from your workstation using Android Debug Bridge (adb)

• Connect the device and check for adb devices

• Once the device is shown in the adb devices output, go to developers options and enable wireless debugging

• In the shell adb tcpip 5555

• adb connect <ip> of the mobile

• Now the adb can be performed wirelessly

Tools Required

• apktool

• d2j-dex2jar

• jd-gui

• apkx

• jdax

Nice Blogs

• https://medium.com/@sarang6489/root-detection-bypass-by-manual-code-manipulation-5478858f4ad1

• https://serializethoughts.com/2016/08/18/bypassing-ssl-pinning-in-android-applications

• https://github.com/vaib25vicky/awesome-mobile-security

• https://mobexler.com/checklist.htm#android

• https://mobile-security.gitbook.io/mobile-security-testing-guide/overview/0x03-overview

• https://l33t-en0ugh.gitbook.io/infosec/android-pentesting

• https://manifestsecurity.com/appie/

Labs

• https://www.linkedin.com/pulse/10-vulnerable-android-applications-beginners-learn-hacking-anugrah-sr/?trackingId=2B5LsMW8RDaNPvRPfZ1RAw%3D%3D

Troubleshooting

• Gennymotion: https://support.genymotion.com/hc/en-us/articles/4415611962897#:~:text=finish%20the%20update-,c.%20Solution%203,-Open%20VirtualBox

• Custom DNS - https://devilbox.readthedocs.io/en/latest/howto/dns/add-custom-dns-server-on-android.html