| name | android-pentest |
| description | Comprehensive Android mobile application penetration testing with rooted-device ADB and Frida-based MCP tooling. Covers OWASP MASTG full methodology: recon, static + dynamic analysis, SSL/root bypass, IPC fuzzing, data exfiltration, crypto audit, and reporting. Triggers on requests to pentest Android apps, analyze APKs, bypass mobile security controls, or run MASVS/MASTG assessments. |
Android Mobile Application Penetration Testing
Thin router for full MASTG-aligned Android assessments via ADB + Frida + Mobile MCP. Load workflow / methodology / reference files on demand; do not attempt to memorise the whole skill up front.
When to Use
- Start a new Android app security assessment
- Bypass SSL pinning, root detection, anti-tamper, or biometric checks
- Extract/triage local storage (SharedPreferences, DBs, files, logs)
- Test exported activities, services, providers, receivers, deep links
- Hook crypto / auth / session / keystore at runtime
- Map a build to OWASP MASVS / MASTG for compliance evidence
- Produce structured findings + remediation guidance
Trigger Phrases
"pentest this Android app" • "security test the APK" • "bypass SSL pinning on " • "extract data from " • "test Android authentication" • "fuzz Android intents" • "MASTG testing for " • "mobile app security assessment"
When NOT to Use This Skill
- iOS apps → use
ios-pentest (if available) or generic mobile skill
- Server-side API fuzzing of mobile backends → use
api-security / web-pentest
- Decompiling Android malware for IR → use
malware-analysis, not this pentest-focused skill
- Supply-chain / SCA on third-party SDKs → use
sca / dependency-audit
- Cloud backend of the mobile app → use
cloud-pentest
Decision Tree
Do you have the APK or only package name?
├─ package only → get_app_info + pull_apk (parallel), then branch on protections
└─ APK on disk → static analysis first (jadx, apktool), then dynamic
└─ App runs? → frida_spawn → bypass_ssl → bypass_root → proxy
└─ App crashes on root? → see references/troubleshooting.md (Root detection)
└─ TLS still not decrypted? → workflows/ssl_pinning_bypass.md Methods 2→3
What's the objective?
├─ Full assessment → workflows/complete_assessment.md
├─ SSL pinning only → workflows/ssl_pinning_bypass.md
├─ Auth / session → workflows/auth_testing.md
├─ Deep links / IPC / fuzz → workflows/deeplink_intent_testing.md
├─ Crypto audit → workflows/crypto_analysis.md
└─ Data storage / exfil → workflows/data_exfiltration.md
Parallelism Hints
Run concurrently (independent, same device):
get_app_info + pull_apk + list_exported_componentsdump_databases + dump_shared_prefs + dump_internal_storage + dump_external_storage + get_logcat- Multiple
frida_run_script calls against the same PID (crypto_hooks.js ∥ credential_hooks.js ∥ intent_monitor.js)
- Static APK analysis (decompile, secrets scan) ∥ dynamic runtime hooks
Must be sequential:
frida_spawn → frida_bypass_ssl → frida_bypass_root (scripts need the PID and must attach before the app finishes its protection init)setup_proxy before any traffic-capture or network workflowinstall_ca_cert before setup_proxy on a fresh devicecapture_traffic_start → drive app → capture_traffic_stop
Sub-Agent Delegation
- Spawn a static-analysis sub-agent on the pulled APK (jadx decompile → secrets grep → manifest review → native-lib inventory) while the main agent runs dynamic Frida hooks. Rejoin before reporting.
- Spawn a per-component sub-agent when fuzzing many exported components: one agent per activity/provider/service batch; each owns its own Frida PID and logcat filter. Avoids cross-contamination of hook state.
- Spawn a reporting sub-agent to normalise findings into
schemas/finding.json and render templates once the main testing pass completes.
Reasoning Budget
- Extended thinking (high): triaging findings across evidence, classifying severity, writing CWE/MASTG mappings, designing custom Frida hooks for obfuscated classes, reverse-engineering native SSL-pinning paths.
- Low / no extended thinking: repetitive Frida hook runs, standard dumps, canned payload fuzzing, applying the universal SSL bypass, invoking known MCP tool sequences.
- Don't burn tokens reasoning about which universal bypass to try first — just run
frida_bypass_ssl(pid) and escalate on failure.
Multimodal Hooks
- Use Mobile MCP
get_screen_state + screenshot for UI-driven auth flows (biometric prompts, OAuth redirects, MFA steps). Attach screenshots as evidence.screenshot on the finding.
- Capture a screenshot at the point of bypass (e.g., authenticated home screen after biometric spoof) — visual evidence strengthens severity justification.
- For deep-link repros, screenshot the resulting activity to prove the unintended state is reachable.
Structured Output
All findings MUST validate against schemas/finding.json. Android-specific required/common fields:
package_name, app_version, target_sdk, device_id, frida_pid, mastg_id, masvs_control, component.{type,class_name,exported}, evidence.{logcat,frida_output,screenshot,pcap}.
Workflow Index
Methodology Index
| Document | Coverage |
|---|
| methodology/recon.md | Info gathering, attack-surface map |
| methodology/static_analysis.md | APK/smali/secrets review |
| methodology/dynamic_analysis.md | Runtime hooking, instrumentation |
| methodology/network_testing.md | Traffic, API, TLS verification |
| methodology/data_storage.md | Local storage, DBs, file perms |
| methodology/crypto_testing.md | Encryption and key management |
| methodology/auth_testing.md | Auth, session, biometric |
| methodology/client_side_injection.md | WebViews, deep links, providers |
Payloads Index
Examples Index
References Index
Checklists
Templates
MCP Tool Reference
Device interaction
| Tool | Purpose |
|---|
get_screen_state() | Current screen / UI tree |
tap_element(x,y) / long_press(x,y) | Tap / long-press |
input_text(text) | Type into focused field |
press_key(keycode) | BACK=4 HOME=3 ENTER=66 |
swipe(x1,y1,x2,y2) | Scroll, pattern unlock |
Frida instrumentation
| Tool | Purpose |
|---|
frida_spawn(pkg) / frida_attach(pkg) | Start or attach |
frida_run_script(pid, script) | Load JS hooks |
frida_bypass_ssl(pid) / frida_bypass_root(pid) | Universal bypasses |
frida_hook_method(pid, class, method) | Trace a single method |
frida_trace_crypto(pid) / frida_dump_credentials(pid) | Canned traces |
frida_enumerate_classes(pid, pattern) | Class discovery under obfuscation |
frida_memory_search(pid, pattern) | Find secrets / keys in process memory |
Network
| Tool | Purpose |
|---|
setup_proxy(device, host, port) / clear_proxy(device) | Proxy wiring |
install_ca_cert(device, path) | Trust Burp CA (system store) |
capture_traffic_start(pkg) / capture_traffic_stop() | PCAP |
Data extraction
| Tool | Purpose |
|---|
dump_databases(pkg) / dump_shared_prefs(pkg) | SQLite + prefs |
dump_internal_storage(pkg) / dump_external_storage(pkg) | Files |
get_logcat(pkg) | Package-filtered logs |
Components
| Tool | Purpose |
|---|
list_exported_components(pkg) | Attack surface |
launch_activity(pkg, activity, extras, data_uri) | Deep link / intent |
send_broadcast(action, extras) | Broadcast injection |
start_service(pkg, service, extras) | Service abuse |
query_content_provider(uri) | Provider SQLi / leakage |
fuzz_intent_extra(pkg, comp, key, payloads) | Automated fuzz |
App management
| Tool | Purpose |
|---|
install_apk(path) / uninstall_app(pkg) | Deploy / remove |
clear_app_data(pkg) | Fresh state |
get_app_info(pkg) | Metadata, permissions, SDK |
list_installed_apps() / pull_apk(pkg) | Discovery / extraction |
Frida Script Library (scripts/)
ssl_pinning_bypass.js, root_bypass.js, crypto_hooks.js, credential_hooks.js, network_hooks.js, biometric_bypass.js, anti_tampering_bypass.js, intent_monitor.js, webview_hooks.js, dynamic_dex_hooks.js, keystore_hooks.js, method_tracer.js.
Tools
| Tool | Purpose | Install |
|---|
| ADB | Device comms | apt install adb (Android SDK platform-tools) |
| Frida / frida-tools | Dynamic instrumentation | pip install frida-tools (≥16.4) |
| Objection | Mobile exploration | pip install objection |
| apktool | APK decompile | apt install apktool (≥2.9) |
| jadx | Java decompile | github.com/skylot/jadx releases (≥1.5) |
| Burp Suite | Traffic interception | portswigger.net |
| Android Studio | Emulator, SDK | developer.android.com |
Setup scripts: setup/setup_pentest_env.sh, setup/setup_physical_device.sh, setup/setup_emulator.py, setup/frida_server_manager.py, setup/burp_cert_installer.sh, setup/check_environment.py.
MCP servers expected: android-pentest (Android Dynamic MCP), mobile-mcp (mobile-next for UI). Configure in ~/.claude/mcp.json.
Related Resources
Last Validated
2026-04 — minimum versions: Frida ≥16.4, apktool ≥2.9, jadx ≥1.5, Android platform-tools ≥35.
