Android Pentesting

An Android Package (file extension .apk) is the file format used by the Android operating system, and by a number of other Android-based operating systems, to distribute and install mobile apps, mobile games and middleware.

APK Analysis

1. Extract APK File to DEX File

An APK is a ZIP archive, so unzipping it yields "classes.dex" along with the other packaged files.

unzip example.apk -d ./Example

Now you can inspect the extracted files.
For React Native apps, the JavaScript bundle file may contain sensitive information.

strings assets/index.android.bundle

2. Convert DEX to JAR

You can retrieve a JAR file.

d2j-dex2jar classes.dex

3. Observation

JD-GUI is a Java decompiler tool. It reveals the classes in the JAR file.
Open JD-GUI:

jd-gui
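The first step above (unzip, look at classes.dex, run strings over the React Native bundle) can be done programmatically. The following is an added example, not code from the original notes: it opens an APK as a ZIP, validates the classes.dex header fields (magic, version, file_size, header_size, endian_tag) before handing the file to dex2jar, and runs a strings-style scan over assets/index.android.bundle to flag assignments that look like hard-coded secrets. The APK and bundle contents are constructed inline so the script runs offline; the keyword list in SECRET_RE is an assumption you would tune for the app under test. It does not replace dex2jar or JD-GUI for the later steps.

```python
import io
import re
import struct
import zipfile

DEX_HEADER_SIZE = 0x70          # fixed size of the DEX file header
BUNDLE_NAME = "assets/index.android.bundle"

# Keywords that commonly precede a hard-coded credential in JS bundles (assumption).
SECRET_RE = re.compile(
    r"(?i)\b(api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
)


def build_sample_apk():
    """Constructed sample APK: a ZIP holding a minimal classes.dex header and a
    React Native bundle with one fake hard-coded key. Not a real application."""
    header = b"dex\n035\x00"                        # magic + version "035"
    header += struct.pack("<I", 0)                    # adler32 checksum (not checked here)
    header += b"\x00" * 20                            # SHA-1 signature
    header += struct.pack("<II", DEX_HEADER_SIZE, DEX_HEADER_SIZE)  # file_size, header_size
    header += struct.pack("<I", 0x12345678)           # endian_tag (little-endian constant)
    header += b"\x00" * (DEX_HEADER_SIZE - len(header))  # remaining size/offset fields
    bundle = (b"\x00\x01var url='https://example.invalid';\x00"
              b"var apiKey='sk_constructed_0123456789';\x00var ok=1;")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<binary xml placeholder>")
        z.writestr("classes.dex", header)
        z.writestr(BUNDLE_NAME, bundle)
    return buf.getvalue()


def parse_dex_header(data):
    """Parse the fields of a DEX header needed to sanity-check classes.dex."""
    if len(data) < DEX_HEADER_SIZE:
        raise ValueError("classes.dex is shorter than a DEX header")
    magic = data[:8]
    if not magic.startswith(b"dex\n") or magic[7:8] != b"\x00":
        raise ValueError("bad DEX magic: %r" % magic)
    (checksum,) = struct.unpack_from("<I", data, 8)
    file_size, header_size, endian_tag = struct.unpack_from("<III", data, 32)
    return {
        "version": magic[4:7].decode("ascii"),
        "checksum": checksum,
        "file_size": file_size,
        "header_size": header_size,
        "endian_tag": endian_tag,
    }


def printable_strings(blob, min_len=4):
    """Equivalent of the `strings` command: runs of printable ASCII."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def find_hardcoded_secrets(strings):
    """Return (keyword, value) pairs for assignments that look like secrets."""
    hits = []
    for s in strings:
        for m in SECRET_RE.finditer(s):
            hits.append((m.group(1).lower(), m.group(2)))
    return hits


def analyze_apk(apk_bytes):
    """List entries, validate classes.dex, and scan the RN bundle if present."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
        dex = parse_dex_header(z.read("classes.dex"))
        secrets = []
        if BUNDLE_NAME in names:
            secrets = find_hardcoded_secrets(printable_strings(z.read(BUNDLE_NAME)))
    return {"entries": names, "dex": dex, "secrets": secrets}


if __name__ == "__main__":
    report = analyze_apk(build_sample_apk())
    print("entries:", report["entries"])
    print("dex header:", report["dex"])
    print("possible secrets:", report["secrets"])
```

To use it on a real file, replace build_sample_apk() with open("example.apk", "rb").read(); a header_size other than 0x70 or a version outside the known 035-039 range is worth a closer look before trusting dex2jar's output.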


Static Analysis

# Decode APK file
apktool d example.apk -o ./example

ghidra


Dynamic Analysis

If you pentest on virtual devices, you need to install an emulator as below.


Android Backup (.ab)

Extract

# Skip the 4-line .ab header, prepend a gzip header, and read the tar from stdin
(printf "\x1f\x8b\x08\x00\x00\x00\x00\x00" ; tail -n +5 sample.ab) | tar -xvzf -
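The one-liner above only works for an unencrypted, compressed backup, because it blindly skips the four header lines and treats the rest as a deflate stream. The following added example (not from the original notes) parses the header explicitly: it checks the magic, reads the compression flag, refuses encrypted backups, inflates the body with zlib, and lists the tar members. The backup is constructed in memory; the version string and file path are placeholders.

```python
import io
import tarfile
import zlib

MAGIC = b"ANDROID BACKUP"


def build_sample_backup(compressed=True):
    """Constructed sample: a one-file tar wrapped in an unencrypted .ab header."""
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as tar:
        payload = b'{"note":"constructed sample"}'
        info = tarfile.TarInfo("apps/com.example.app/sp/prefs.xml")  # placeholder path
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    body = tar_buf.getvalue()
    if compressed:
        body = zlib.compress(body)   # Android uses a zlib (Deflater) stream here
    header = MAGIC + b"\n" + b"5\n" + (b"1\n" if compressed else b"0\n") + b"none\n"
    return header + body


def ab_to_tar(ab_bytes):
    """Return the tar bytes inside an Android backup, or raise if it cannot be decoded.

    Header layout: magic line, version line, compression flag (0/1),
    encryption algorithm ("none" or "AES-256"), then the body."""
    parts = ab_bytes.split(b"\n", 4)      # maxsplit keeps newlines inside the body intact
    if len(parts) < 5 or parts[0] != MAGIC:
        raise ValueError("not an Android backup file")
    version, compression, encryption, body = parts[1], parts[2], parts[3], parts[4]
    if encryption != b"none":
        # Encrypted backups carry extra salt/IV header lines and need the user
        # password; this simple extraction does not apply to them.
        raise ValueError("backup is encrypted with %s" % encryption.decode("ascii", "replace"))
    if compression == b"1":
        return zlib.decompress(body)
    if compression == b"0":
        return body
    raise ValueError("unknown compression flag %r (version %r)" % (compression, version))


def list_backup(ab_bytes):
    """Names of the files stored in the backup."""
    with tarfile.open(fileobj=io.BytesIO(ab_to_tar(ab_bytes)), mode="r:") as tar:
        return tar.getnames()


if __name__ == "__main__":
    print(list_backup(build_sample_backup()))
    print(list_backup(build_sample_backup(compressed=False)))
```

For a real file, pass open("sample.ab", "rb").read() to list_backup(); write ab_to_tar()'s result to a .tar file if you want to extract it with tar afterwards.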