Comprehensive Android APK security analysis with static/dynamic testing, RASP detection, Frida instrumentation, and MASVS compliance scoring
```bash
npx skill4agent add aradotso/security-skills dragonjar-android-pentesting-skill
```

Skill by ara.so — Security Skills collection.

```bash
# APKTool (3.0.1+)
brew install apktool
# JADX (1.5.5+)
brew install jadx
# Android SDK Platform Tools
brew install --cask android-platform-tools
# Frida (17.9+)
pip3 install frida-tools
# Objection (1.12.4+)
pip3 install objection
# APKiD (3.0.0+)
pip3 install apkid
# Semgrep (optional, for SAST)
brew install semgrep
```
```bash
# Clone into your agent's skills directory
cd ~/.agents/skills/
git clone https://github.com/DragonJAR/Android-Pentesting-Skill dragonjar-android-pentesting
# Or clone to any location and add to agent skill path
git clone https://github.com/DragonJAR/Android-Pentesting-Skill.git
```

```bash
# Verify all dependencies are installed
cd dragonjar-android-pentesting
python3 scripts/06-setup/preflight-check.py
# Expected output:
# ✅ APKTool 3.0.1 found
# ✅ JADX 1.5.5 found
# ✅ Frida 17.9.4 found
# ✅ All dependencies satisfied
```

```bash
# Full static analysis with Semgrep enrichment
bash scripts/auto-audit-static.sh /path/to/app.apk --semgrep
# Output includes:
# - Manifest security issues (exported components, permissions)
# - Hardcoded secrets (API keys, passwords, tokens)
# - Insecure crypto usage
# - WebView vulnerabilities
# - Intent injection risks
# - Findings report in findings-merged.json
```

Sample finding in findings-merged.json:

```json
{
  "findings": [
    {
      "id": "HARD-001",
      "severity": "CRITICAL",
      "title": "Hardcoded API Key in Source Code",
      "owasp_mobile": "M1",
      "masvs_control": "MASVS-STORAGE-1",
      "cvss": "9.1 (CRITICAL)",
      "location": "com/example/app/Config.java:42",
      "evidence": "private static final String API_KEY = \"sk_live_...\";",
      "remediation": "Store API keys in BuildConfig or secure server-side configuration"
    }
  ]
}
```
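The first item in the static audit's output list, manifest security issues, is the check that is easiest to reproduce by hand. The following is an added example (not the project's own `auto-audit-static.sh` logic) that parses a decoded `AndroidManifest.xml` and emits findings in the same JSON shape as the sample above. The manifest, the `MAN-*` ids and the MASVS control mapping are constructed assumptions; the export rule it applies is the platform's own: with no `android:exported` attribute, a component is exported exactly when it declares an intent-filter.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")
# Assumed mapping to MASVS v2 control ids; adjust to the version you score against.
CONTROL_IPC, CONTROL_BACKUP, CONTROL_DEBUG = "MASVS-PLATFORM-1", "MASVS-STORAGE-2", "MASVS-RESILIENCE-4"

# Constructed sample manifest in the form apktool writes to decoded/AndroidManifest.xml;
# not taken from any real application.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
  <application android:debuggable="true" android:allowBackup="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".DeepLinkActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <data android:scheme="exampleapp"/>
      </intent-filter>
    </activity>
    <receiver android:name=".SyncReceiver" android:exported="true"
              android:permission="com.example.app.permission.SYNC"/>
    <provider android:name=".DataProvider" android:authorities="com.example.app.data"
              android:exported="true"/>
    <service android:name=".InternalService" android:exported="false"/>
  </application>
</manifest>
"""


def attr(elem, name, default=None):
    """Read an android:-namespaced attribute as a plain string."""
    return elem.get(f"{{{ANDROID_NS}}}{name}", default)


def is_exported(component):
    """Return (exported, implicit). Without android:exported a component is exported
    exactly when it declares an intent-filter (the pre-API-31 default; apps targeting
    31+ must set the attribute explicitly)."""
    explicit = attr(component, "exported")
    if explicit is not None:
        return explicit.lower() == "true", False
    return component.find("intent-filter") is not None, True


def is_launcher(component):
    return any(attr(cat, "name") == "android.intent.category.LAUNCHER"
               for cat in component.iter("category"))


def _finding(fid, severity, title, control, location):
    # Same field names as the findings-merged.json entries; M8 = Security Misconfiguration
    # in the OWASP Mobile Top 10 (2024)
    return {"id": fid, "severity": severity, "title": title, "owasp_mobile": "M8",
            "masvs_control": control, "location": f"AndroidManifest.xml <{location}>"}


def analyze_manifest(xml_text):
    root = ET.fromstring(xml_text)
    app = root.find("application")
    findings = []
    if app is None:
        return findings
    if attr(app, "debuggable", "false").lower() == "true":
        findings.append(_finding("MAN-001", "HIGH", "Application is debuggable",
                                 CONTROL_DEBUG, "application"))
    if attr(app, "allowBackup", "true").lower() == "true":  # the attribute defaults to true
        findings.append(_finding("MAN-002", "MEDIUM", "App data can be extracted via adb backup",
                                 CONTROL_BACKUP, "application"))
    seq = 100
    for comp in app:
        if comp.tag not in COMPONENT_TAGS:
            continue
        exported, implicit = is_exported(comp)
        # A permission-guarded component and the launcher activity are expected to be exported
        if not exported or attr(comp, "permission") or is_launcher(comp):
            continue
        seq += 1
        severity = "HIGH" if comp.tag == "provider" else "MEDIUM"
        title = f"Exported {comp.tag} reachable by any app without a permission"
        if implicit:
            title += " (implicitly exported through its intent-filter)"
        findings.append(_finding(f"MAN-{seq}", severity, title, CONTROL_IPC,
                                 f'{comp.tag} android:name="{attr(comp, "name")}"'))
    return findings


if __name__ == "__main__":
    for f in analyze_manifest(SAMPLE_MANIFEST):
        print(f'{f["severity"]:8} {f["id"]:8} {f["title"]}  @ {f["location"]}')
```

Run against a real decode with `analyze_manifest(open("decoded/AndroidManifest.xml").read())`; the implicit-export case is the one a manual review most often misses, which is why the title records it.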
```bash
# Detect runtime protections with passive + active modes
bash scripts/02-rasp/runtime-defense-analyzer.sh \
  /path/to/app.apk \
  com.example.app \
  --active-mode \
  --authorized-lab \
  --output findings-rda.json
# Catalog includes 18 protection categories:
# - Root detection (RootBeer, custom native)
# - Emulator detection
# - Debug detection
# - Frida/instrumentation detection
# - Screenshot/screenrecord blocking
# - SafetyNet / Play Integrity
# - Commercial RASP (Talsec, AppSealing, DexGuard, etc.)
```

Sample findings-rda.json:

```json
{
  "detectors": {
    "rootbeer": {
      "status": "DETECTED",
      "confidence": "high",
      "evidence": "RootBeer.isRooted() returns true",
      "bypass_profile": "rootbeer_standard"
    },
    "ssl_pinning": {
      "status": "DETECTED",
      "implementation": "OkHttp3 CertificatePinner",
      "bypass_profile": "ssl_okhttp3"
    }
  }
}
```

```bash
# 1) List available bypass profiles
bash scripts/02-rasp/rasp-bypass-runner.sh --list-profiles
# Output:
# Available profiles:
# - rootbeer_standard (RootBeer library bypass)
# - ssl_okhttp3 (OkHttp3 SSL pinning)
# - ssl_trustmanager (TrustManager bypass)
# - frida_detection (Anti-Frida bypass)
# - emulator_detection (Emulator checks bypass)

# 2) Generate bypass command from RDA findings (print only)
bash scripts/02-rasp/rasp-bypass-runner.sh \
  --package com.example.app \
  --from-rda findings-rda.json \
  --print-command
# Output:
# frida -U -f com.example.app \
#   -l assets/frida-scripts/android-root-bypass-advanced.js \
#   -l assets/frida-scripts/ssl-pinning-bypass.js \
#   --no-pause

# 3) Execute bypass in authorized lab environment
bash scripts/02-rasp/rasp-bypass-runner.sh \
  --package com.example.app \
  --from-rda findings-rda.json \
  --run \
  --authorized-lab
# Launches Frida with combined bypass scripts
```
```bash
# Universal SSL pinning bypass (30+ implementations)
python3 scripts/07-tools/frida-exploit-helper.py \
  -p com.example.app \
  --script ssl-pinning-bypass
# Supports:
# - OkHttp3 CertificatePinner
# - TrustManager custom implementations
# - WebView SSL error handlers
# - React Native ssl-pinning libraries
# - Flutter BoringSSL (native hooks)
# - Cordova SSL plugins
```

```bash
# Detect React Native and extract JavaScript bundle
bash scripts/auto-audit-static.sh /path/to/app.apk
# Automatically:
# - Detects libreactnativejni.so
# - Extracts assets/index.android.bundle
# - Scans bundle for hardcoded secrets
# - Analyzes Metro bundler output
```

```javascript
// assets/frida-scripts/react-native-bridge-hook.js
Java.perform(function() {
  var CatalystInstanceImpl = Java.use('com.facebook.react.bridge.CatalystInstanceImpl');
  CatalystInstanceImpl.jniCallJSFunction.implementation = function(module, method, args) {
    console.log('[RN Bridge] ' + module + '.' + method);
    console.log('[RN Bridge] Args: ' + JSON.stringify(args));
    return this.jniCallJSFunction(module, method, args);
  };
});
```

```bash
# Flutter uses Dart AOT compilation and native BoringSSL
# Standard Java SSL hooks won't work
# Use Blutter for Dart code extraction
python3 tools/blutter/blutter.py lib/arm64-v8a/libapp.so output/
# Hook native SSL functions
python3 scripts/07-tools/frida-exploit-helper.py \
  -p com.example.flutter \
  --script flutter-ssl-bypass
# Hooks:
# - SSL_CTX_set_custom_verify (certificate validation)
# - SSL_read / SSL_write (traffic interception)
```

```bash
# Phase 3: Source-to-sink analysis
# Automatically runs during static audit
# Example traced flows:
# - User input → SQL query (SQL injection risk)
# - Intent extras → WebView.loadUrl (open redirect)
# - SharedPreferences → network (data leakage)
# - File paths → external storage (path traversal)
```

Flow confidence levels: CONFIRMED, LIKELY, POSSIBLE.
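To make the three confidence levels concrete, here is an added example of a minimal source-to-sink tracer; it is not the project's Phase 3 implementation, which works on the decompiled output. It propagates taint through assignments within one Java method: a sink that consumes a variable assigned straight from a source (or calls the source inline) is CONFIRMED, one reached through intermediate assignments is LIKELY, and a method that contains a source and a sink with no tracked link is POSSIBLE. The source/sink tables and the Java snippet are constructed for the example.

```python
import re

# Heuristic source and sink signatures, named after the flow classes the static audit
# reports. Extend these tables for your own code base.
SOURCES = {
    "Intent extra":      r"getIntent\(\)\.get\w*Extra\(",
    "SharedPreferences": r"\.getString\(\s*\"[^\"]*\"\s*,",   # getString(key, default)
    "external storage":  r"getExternalStorageDirectory\(",
}
SINKS = {
    "WebView.loadUrl": r"\.loadUrl\(",
    "SQL query":       r"\.(?:rawQuery|execSQL)\(",
    "network":         r"\.openConnection\(",
    "file path":       r"new File\(",
}
METHOD_HEADER = re.compile(
    r"^\s*(?:(?:public|private|protected|static|final|synchronized)\s+)*"
    r"[\w<>\[\],\s]+?\s+(\w+)\s*\([^)]*\)\s*(?:throws [\w.,\s]+)?\{")
ASSIGNMENT = re.compile(r"^\s*(?:final\s+)?(?:[\w<>\[\]]+\s+)?(\w+)\s*=\s*(.+);\s*$")
IDENT = re.compile(r"\b[A-Za-z_]\w*\b")

# Constructed Java snippet (not from any real app) exercising all three confidence levels.
SAMPLE_JAVA = """\
public class DeepLinkActivity extends Activity {
    protected void onCreate(Bundle b) {
        String target = getIntent().getStringExtra("url");
        String dest = target.trim();
        webView.loadUrl(dest);
    }
    private void lookup() {
        String user = getIntent().getStringExtra("user");
        db.rawQuery("SELECT * FROM t WHERE name = '" + user + "'", null);
    }
    private void sync() {
        String token = prefs.getString("session", "");
        HttpURLConnection c = (HttpURLConnection) new URL(ENDPOINT).openConnection();
        c.setRequestProperty("X-Session", token);
    }
}
"""


def _first_match(patterns, line):
    for name, rx in patterns.items():
        if re.search(rx, line):
            return name
    return None


def trace_flows(java_source):
    """Intra-method, assignment-based taint propagation over Java source lines."""
    flows, taint, method, seen_src, seen_sink = [], {}, None, set(), set()

    def close_method():
        # Source and sink present but never linked by an assignment chain: POSSIBLE
        if method and seen_src and seen_sink and not any(f["method"] == method for f in flows):
            flows.append({"method": method, "source": "/".join(sorted(seen_src)),
                          "sink": "/".join(sorted(seen_sink)),
                          "confidence": "POSSIBLE", "line": None})

    for lineno, line in enumerate(java_source.splitlines(), 1):
        header = METHOD_HEADER.match(line)
        if header:
            close_method()
            method, taint, seen_src, seen_sink = header.group(1), {}, set(), set()
            continue
        if method is None:
            continue
        src, sink = _first_match(SOURCES, line), _first_match(SINKS, line)
        if src:
            seen_src.add(src)
        if sink:
            seen_sink.add(sink)
            tainted_here = [v for v in IDENT.findall(line) if v in taint]
            if src:  # the source call sits inline inside the sink call
                flows.append({"method": method, "source": src, "sink": sink,
                              "confidence": "CONFIRMED", "line": lineno})
            elif tainted_here:
                origin, hops = taint[tainted_here[0]]
                flows.append({"method": method, "source": origin, "sink": sink,
                              "confidence": "CONFIRMED" if hops == 0 else "LIKELY",
                              "line": lineno})
        m = ASSIGNMENT.match(line)
        if m:
            var, expr = m.groups()
            if src:
                taint[var] = (src, 0)          # directly from a source
            else:
                via = [v for v in IDENT.findall(expr) if v in taint]
                if via:                        # derived from an already tainted variable
                    origin, hops = taint[via[0]]
                    taint[var] = (origin, hops + 1)
    close_method()
    return flows


if __name__ == "__main__":
    for f in trace_flows(SAMPLE_JAVA):
        print(f'{f["confidence"]:9} {f["method"]}: {f["source"]} -> {f["sink"]} (line {f["line"]})')
```

The `sync()` method shows why POSSIBLE exists: the token does reach the network, but through a setter on the connection object rather than an argument to the sink call, so a purely assignment-based tracer cannot prove it and reports only co-occurrence.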
```bash
# Calculate OWASP MASVS compliance score
python3 scripts/05-reporting/masvs-scorer.py findings-merged.json
# Output:
# MASVS Score: 72.6/100 (Grade: C)
# Controls Passed: 16/23
# Controls Failed: 7
#
# Critical Failures:
# - MASVS-STORAGE-1: Hardcoded secrets in code
# - MASVS-CRYPTO-1: Weak cryptographic algorithms
#
# Recommendations:
# - Implement secure credential storage (Android Keystore)
# - Upgrade to AES-256-GCM for encryption
```
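The scorer consumes the findings-merged.json format shown earlier, so the two fit one example. The following is an added illustration of that pipeline, not the project's `masvs-scorer.py`: it validates the findings file, groups findings by MASVS control, and derives a score and grade. The control list, the rule that a control passes only when no finding references it, the `100 * passed / total` score and the grade bands are all assumptions made here; the project's scorer has its own control count and weighting, which is why its sample output reports 23 controls.

```python
import json
from collections import defaultdict

# Control list assumed for this example; substitute the one you score against.
MASVS_CONTROLS = [
    "MASVS-STORAGE-1", "MASVS-STORAGE-2",
    "MASVS-CRYPTO-1", "MASVS-CRYPTO-2",
    "MASVS-AUTH-1", "MASVS-AUTH-2", "MASVS-AUTH-3",
    "MASVS-NETWORK-1", "MASVS-NETWORK-2",
    "MASVS-PLATFORM-1", "MASVS-PLATFORM-2", "MASVS-PLATFORM-3",
    "MASVS-CODE-1", "MASVS-CODE-2", "MASVS-CODE-3", "MASVS-CODE-4",
    "MASVS-RESILIENCE-1", "MASVS-RESILIENCE-2", "MASVS-RESILIENCE-3", "MASVS-RESILIENCE-4",
    "MASVS-PRIVACY-1", "MASVS-PRIVACY-2", "MASVS-PRIVACY-3", "MASVS-PRIVACY-4",
]
SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "INFO": 0}
REQUIRED_KEYS = ("id", "severity", "title", "masvs_control")
GRADE_FLOORS = (("A", 90), ("B", 80), ("C", 70), ("D", 60), ("F", 0))

# Constructed findings-merged.json: same shape as the HARD-001 entry above, invented values,
# including one finding that names a control id with a typo.
SAMPLE_FINDINGS = json.dumps({"findings": [
    {"id": "HARD-001", "severity": "CRITICAL", "title": "Hardcoded API Key in Source Code",
     "masvs_control": "MASVS-STORAGE-1", "location": "com/example/app/Config.java:42",
     "remediation": "Store API keys in BuildConfig or secure server-side configuration"},
    {"id": "CRYP-003", "severity": "MEDIUM", "title": "AES used in ECB mode",
     "masvs_control": "MASVS-CRYPTO-1", "remediation": "Use AES-256-GCM"},
    {"id": "CRYP-004", "severity": "LOW", "title": "MD5 used as file checksum",
     "masvs_control": "MASVS-CRYPTO-1"},
    {"id": "NET-002", "severity": "HIGH", "title": "No certificate pinning",
     "masvs_control": "MASVS-NETWORK-1"},
    {"id": "MISC-001", "severity": "INFO", "title": "Finding with a misspelled control id",
     "masvs_control": "MASVS-STORGE-9"},
]})


def load_findings(text):
    """Parse findings-merged.json and reject entries missing the fields the scorer needs."""
    doc = json.loads(text)
    findings = doc.get("findings")
    if not isinstance(findings, list):
        raise ValueError("top-level 'findings' array missing")
    for i, f in enumerate(findings):
        missing = [k for k in REQUIRED_KEYS if k not in f]
        if missing:
            raise ValueError(f"finding #{i} lacks {missing}")
        if f["severity"] not in SEVERITY_RANK:
            raise ValueError(f"finding {f['id']}: unknown severity {f['severity']!r}")
    return findings


def score_masvs(findings, controls=MASVS_CONTROLS):
    """A control passes only when no finding references it; score = 100 * passed / total."""
    by_control = defaultdict(list)
    unknown = []
    for f in findings:
        if f["masvs_control"] in controls:
            by_control[f["masvs_control"]].append(f)
        else:
            unknown.append(f["masvs_control"])   # surfaced rather than silently dropped
    failed = sorted(by_control)
    passed = len(controls) - len(failed)
    score = round(100 * passed / len(controls), 1)
    grade = next(g for g, floor in GRADE_FLOORS if score >= floor)
    # The worst finding per control drives the "critical failures" list in the report
    worst = {c: max(by_control[c], key=lambda f: SEVERITY_RANK[f["severity"]]) for c in failed}
    return {
        "score": score, "grade": grade, "passed": passed, "total": len(controls),
        "failed": failed,
        "worst_by_control": {c: w["severity"] for c, w in worst.items()},
        "critical_failures": [(c, w["title"]) for c, w in worst.items() if w["severity"] == "CRITICAL"],
        "remediations": sorted({f["remediation"] for c in failed for f in by_control[c]
                                if f.get("remediation")}),
        "unknown_controls": unknown,
    }


if __name__ == "__main__":
    r = score_masvs(load_findings(SAMPLE_FINDINGS))
    print(f'MASVS Score: {r["score"]}/100 (Grade: {r["grade"]})')
    print(f'Controls Passed: {r["passed"]}/{r["total"]}')
    for control, title in r["critical_failures"]:
        print(f"  CRITICAL {control}: {title}")
    for control in r["unknown_controls"]:
        print(f"  WARNING unknown control id {control!r} (not counted)")
```

Point it at a real run with `score_masvs(load_findings(open("findings-merged.json").read()))`; the `unknown_controls` list is worth checking before trusting any score, since a misspelled control id silently becomes a "pass" in a naive scorer.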
```bash
# Decode APK
apktool d -f -o decoded/ /path/to/app.apk
# Modify smali code (example: disable root check)
# Edit decoded/smali/com/app/RootDetector.smali
# Change: const/4 v0, 0x1 (return true)
# To: const/4 v0, 0x0 (return false)
# Rebuild APK
apktool b decoded/ -o app-modified.apk
# Align and sign
zipalign -v -p 4 app-modified.apk app-aligned.apk
apksigner sign --ks ~/.android/debug.keystore \
  --ks-pass pass:android \
  --out app-signed.apk \
  app-aligned.apk
# Verify signature
apksigner verify --verbose app-signed.apk
```

```bash
# List all available Frida scripts
ls assets/frida-scripts/
# Key scripts:
# - ssl-pinning-bypass.js (universal SSL bypass)
# - android-root-bypass-advanced.js (30+ root detection bypasses)
# - crypto-intercept.js (monitor Cipher, MessageDigest, etc.)
# - biometric-bypass.js (BiometricPrompt, FingerprintManager)
# - keystore-inspector.js (dump Keystore entries)
# - webview-inspector.js (WebView debugging, JS injection)
# - intent-fuzzer.js (Intent injection testing)
```

```bash
# List bundled scripts
python3 scripts/07-tools/frida-exploit-helper.py --list-scripts
# Hook memory functions
python3 scripts/07-tools/frida-exploit-helper.py \
  -p com.example.app \
  --hook malloc,free,memcpy
# SSL pinning bypass
python3 scripts/07-tools/frida-exploit-helper.py \
  -p com.example.app \
  --script ssl-pinning-bypass
# Memory layout analysis
python3 scripts/07-tools/frida-exploit-helper.py \
  -p com.example.app \
  --layout
# Runtime defense detection
python3 scripts/07-tools/frida-exploit-helper.py \
  -p com.example.app \
  --runtime-defense
```

```javascript
// Hook custom native function
Java.perform(function() {
  var targetClass = Java.use('com.example.app.SecurityCheck');
  targetClass.isDeviceSecure.implementation = function() {
    console.log('[+] isDeviceSecure() called');
    var result = this.isDeviceSecure();
    console.log('[+] Original result: ' + result);
    console.log('[+] Forcing return: true');
    return true;
  };
  console.log('[+] Hooked isDeviceSecure()');
});
```
```bash
# Android SDK path
export ANDROID_HOME="$HOME/Library/Android/sdk"
export PATH="$PATH:$ANDROID_HOME/platform-tools:$ANDROID_HOME/build-tools/36.0.0"
# Frida server configuration
export FRIDA_SERVER_PORT=27042
# Optional: Semgrep API token for managed scanning
export SEMGREP_APP_TOKEN="your_token_here"
# Optional: Custom APKTool config
export APKTOOL_CONFIG="$HOME/.apktool/config.yml"
```

scripts/02-rasp/bypass-profiles.json:

```json
{
  "profiles": {
    "rootbeer_standard": {
      "description": "RootBeer library bypass",
      "scripts": [
        "assets/frida-scripts/android-root-bypass-advanced.js"
      ],
      "hooks": ["RootBeer.isRooted", "RootBeer.isRootedWithoutBusyBoxCheck"]
    },
    "ssl_okhttp3": {
      "description": "OkHttp3 CertificatePinner bypass",
      "scripts": [
        "assets/frida-scripts/ssl-pinning-bypass.js"
      ],
      "hooks": ["CertificatePinner.check"]
    }
  }
}
```

```bash
# 1) Static analysis with Semgrep
bash scripts/auto-audit-static.sh app.apk --semgrep
# 2) Runtime defense detection
bash scripts/02-rasp/runtime-defense-analyzer.sh \
  app.apk com.example.app \
  --active-mode --authorized-lab \
  --output findings-rda.json
# 3) MASVS scoring
python3 scripts/05-reporting/masvs-scorer.py findings-merged.json
# 4) Generate professional report
python3 scripts/05-reporting/report-generator.py \
  findings-merged.json \
  findings-rda.json \
  --output report.pdf
```

```bash
# 1) Set up proxy (Burp/ZAP)
export HTTP_PROXY=127.0.0.1:8080
export HTTPS_PROXY=127.0.0.1:8080
# 2) Install CA certificate on device
adb push burp-ca.crt /sdcard/
# Install via Settings → Security → Install from SD card
# 3) Bypass SSL pinning
frida -U -f com.example.app \
  -l assets/frida-scripts/ssl-pinning-bypass.js \
  --no-pause
# 4) Monitor traffic in proxy
```

```bash
# Layer 1: Java-level root checks
frida -U -f com.example.app \
  -l assets/frida-scripts/android-root-bypass-advanced.js \
  --no-pause
# Layer 2: Native-level root checks (if detected)
# Edit native-root-bypass.js to target specific native libraries
frida -U -f com.example.app \
  -l assets/frida-scripts/android-root-bypass-advanced.js \
  -l assets/frida-scripts/native-hook.js \
  --no-pause
```
```bash
# Extract and scan all strings
bash scripts/01-decompile/extract-strings.sh app.apk > strings.txt
# Scan with patterns ("_-" at the end of the class: "-_" in the middle is an invalid range)
grep -E '(sk_live_|ghp_|AIza[0-9A-Za-z_-]{35})' strings.txt
# Deep search in decompiled code
find decoded/smali -name "*.smali" -exec grep -H "const-string.*sk_live" {} \;
# Search in JavaScript bundles (React Native/Cordova)
# (the -o alternatives are grouped so both extensions are passed to xargs; double quotes
# let the pattern contain a literal single quote)
find decoded/assets \( -name "*.bundle" -o -name "*.js" \) -print0 | \
  xargs -0 grep -E "(API_KEY|SECRET|PASSWORD).*=.*[\"'][^\"']{20,}"
```
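The grep patterns above work, but raw pattern matching over a string dump produces many false positives on placeholders and URLs. As an added example, not the project's `extract-strings.sh`, the following scanner applies the same prefix patterns plus a generic `NAME = "<long literal>"` rule, and uses Shannon entropy to discard low-entropy literals such as `REPLACE_ME` placeholders before reporting. The sample lines and every token in them are constructed for the example and match no real credential.

```python
import math
import re
from collections import Counter

# High-confidence prefixed token formats (the page's grep patterns, as regexes)
PREFIX_PATTERNS = {
    "Stripe live secret key":       re.compile(r"sk_live_[0-9A-Za-z]{16,}"),
    "GitHub personal access token": re.compile(r"ghp_[0-9A-Za-z]{36}"),
    "Google API key":               re.compile(r"AIza[0-9A-Za-z_-]{35}"),
}
# Generic NAME = "<long literal>" assignments. A smali const-string carries no name, so this
# rule fires in source, JS bundles, XML and config files, not in raw smali.
GENERIC_PATTERN = re.compile(r"(API_KEY|SECRET|PASSWORD)\w*\s*[=:]\s*[\"']([^\"']{20,})[\"']", re.I)
ENTROPY_FLOOR = 3.5   # bits per character; placeholders and prose score lower than real keys

# Constructed sample: smali, JS bundle and manifest fragments with invented tokens
SAMPLE_LINES = [
    'const-string v0, "sk_live_X9k2mQ7rLp4vT1nB8cZaW3yD"',
    'const-string v1, "https://api.example.com/v1/"',
    'const GITHUB_TOKEN = "ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8";',
    'android:value="AIzaSyA1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q"',
    'const API_KEY = "REPLACE_ME_REPLACE_ME_REPLACE";',
    'SECRET: "q7Zp3Lm9Xv2Kt8Rw4Hs6Nd1Yb5Fj0GcE",',
]


def shannon_entropy(s):
    """Bits of entropy per character of the string."""
    counts = Counter(s)
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def mask(value):
    """Keep a recognisable prefix so the finding can be triaged without copying the secret."""
    return value[:6] + "*" * (len(value) - 6)


def scan_lines(lines):
    hits = []
    for lineno, line in enumerate(lines, 1):
        covered = []
        for kind, rx in PREFIX_PATTERNS.items():
            for m in rx.finditer(line):
                covered.append(m.group(0))
                hits.append({"line": lineno, "kind": kind, "value": mask(m.group(0)),
                             "entropy": round(shannon_entropy(m.group(0)), 2)})
        for m in GENERIC_PATTERN.finditer(line):
            value = m.group(2)
            if value in covered:
                continue  # already reported under a specific token format
            ent = shannon_entropy(value)
            if ent < ENTROPY_FLOOR:
                continue  # low-entropy literal: placeholder, URL or prose, not a credential
            hits.append({"line": lineno, "kind": "generic high-entropy credential",
                         "value": mask(value), "entropy": round(ent, 2)})
    return hits


if __name__ == "__main__":
    for h in scan_lines(SAMPLE_LINES):
        print(f'line {h["line"]}: {h["kind"]} {h["value"]} (H={h["entropy"]})')
```

Feed it `strings.txt` with `scan_lines(open("strings.txt", errors="replace"))`; the masked value is what belongs in a report, and the entropy column explains why the `REPLACE_ME` line on the sample was dropped while the structurally similar `SECRET:` line was kept.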
```bash
# Error: "brut.androlib.AndrolibException: Could not decode arsc file"
# Solution 1: Update APKTool to 3.0.1+
brew upgrade apktool
# Solution 2: Use --only-main-classes flag
apktool d --only-main-classes -f -o decoded/ app.apk
# Solution 3: Use legacy AAPT mode (not recommended)
apktool d --use-aapt1 -f -o decoded/ app.apk
```

```bash
# Error: "Failed to spawn: unable to find process with name 'com.example.app'"
# Solution 1: Verify Frida server is running
adb shell "su -c '/data/local/tmp/frida-server &'"
# Solution 2: Check Frida server version matches client
frida --version                                        # Client version
adb shell "/data/local/tmp/frida-server --version"     # Server version
# Solution 3: Use spawn mode instead of attach
frida -U -f com.example.app    # Spawn mode
# Instead of:
frida -U com.example.app       # Attach mode
```

```bash
# Flutter apps use native BoringSSL - Java hooks won't work
# Solution: Use Flutter-specific native hooks
frida -U -f com.example.flutter \
  -l assets/frida-scripts/flutter-ssl-bypass.js
# React Native apps may use custom native modules
# Solution: Hook both Java and native SSL functions
frida -U -f com.example.rn \
  -l assets/frida-scripts/ssl-pinning-bypass.js \
  -l assets/frida-scripts/native-hook.js
```

```bash
# Passive mode only checks static indicators
# Solution: Use --active-mode with authorized lab
bash scripts/02-rasp/runtime-defense-analyzer.sh \
  app.apk com.example.app \
  --active-mode \
  --authorized-lab \
  --output findings-rda.json
# Ensure device/emulator is accessible
adb devices    # Should show device
# Ensure app is debuggable or use root
adb shell "su -c 'pm list packages | grep example'"
```

```bash
# Low scores indicate security gaps - this is expected behavior
# Review failed controls:
python3 scripts/05-reporting/masvs-scorer.py findings-merged.json --verbose
# Common failure patterns:
# - MASVS-STORAGE-1: Hardcoded secrets → Use Android Keystore
# - MASVS-CRYPTO-1: Weak crypto → Upgrade to AES-256-GCM
# - MASVS-NETWORK-1: No SSL pinning → Implement certificate pinning
# - MASVS-RESILIENCE-1: No obfuscation → Apply ProGuard/R8
```

Static audit and MASVS scoring of a downloaded APK:

```bash
cd dragonjar-android-pentesting
bash scripts/auto-audit-static.sh ~/Downloads/banking-app.apk --semgrep
python3 scripts/05-reporting/masvs-scorer.py findings-merged.json
```

```bash
# Start Frida with SSL bypass
python3 scripts/07-tools/frida-exploit-helper.py \
  -p com.banking.app \
  --script ssl-pinning-bypass
```

Runtime defense analysis of a protected app:

```bash
bash scripts/02-rasp/runtime-defense-analyzer.sh \
  ~/Downloads/app.apk com.protected.app \
  --active-mode --authorized-lab \
  --output findings-rda.json
cat findings-rda.json
```

React Native bundle secret search:

```bash
bash scripts/auto-audit-static.sh ~/Downloads/rn-app.apk
grep -r "API_KEY\|api_key\|apiKey" decoded/assets/*.bundle
```

```bash
# Extract native libraries
unzip app.apk "lib/*" -d native/
# Analyze with Ghidra/IDA (manual)
# Or use Frida for runtime analysis:
python3 scripts/07-tools/frida-exploit-helper.py \
  -p com.example.app \
  --hook JNI_OnLoad,RegisterNatives
# Hook specific native function by offset
frida -U -f com.example.app -l - << 'EOF'
var base = Module.findBaseAddress('libnative.so');
Interceptor.attach(base.add(0x1234), {
  onEnter: function(args) {
    console.log('[+] Native function called');
    console.log('Arg0: ' + args[0]);
  }
});
EOF
```

**Important**: Client-side hooks cannot forge server-verified attestation:
- ❌ Play Integrity verdicts (Google server-signed)
- ❌ SafetyNet attestation responses
- ❌ Approov tokens (server-side verification)
- ❌ App Attest (Apple server validation)
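The reason is structural, and the "mock verifier in staging" approach listed next can be modelled in a few lines. The following is an added example, not code from the project or from any attestation vendor: a stand-in for a server-signed verdict issuer, and the backend checks that consume it. A hook in the app can change the bytes the client forwards, but the verdict is authenticated with a key the device never holds, so every edit fails the signature check; the nonce and package bindings then stop replay and cross-app reuse. The HMAC construction, key, message layout and session ids are constructed assumptions (real services sign with asymmetric keys); the verdict labels are borrowed from Play Integrity's device-integrity vocabulary.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed staging key: lives only on the backend (or at the vendor), never in the APK
STAGING_KEY = b"staging-attestation-key-NOT-FOR-PRODUCTION"
PASSING_VERDICT = "MEETS_DEVICE_INTEGRITY"


class MockAttestationService:
    """Stand-in for the server-signed verdict issuer (Play Integrity / SafetyNet style)
    a staging backend can run: mints per-session nonces and signs verdicts."""

    def __init__(self, key, clock=time.time):
        self.key, self.clock, self.issued = key, clock, {}

    def issue_nonce(self, session_id):
        nonce = secrets.token_hex(16)
        self.issued[nonce] = (session_id, self.clock())
        return nonce

    def sign_verdict(self, nonce, package, verdict):
        payload = json.dumps({"nonce": nonce, "pkg": package, "verdict": verdict,
                              "ts": self.clock()}, sort_keys=True)
        sig = hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()
        return {"payload": payload, "sig": sig}


def verify_token(service, token, expected_pkg, session_id, max_age=300):
    """Backend-side checks, in the order that matters. Returns (accepted, reason)."""
    # 1. Signature first: a client-side hook can rewrite the bytes it forwards, but it
    #    cannot produce a valid tag without the key, so any edit is rejected here and
    #    does not even consume the nonce.
    expected = hmac.new(service.key, token["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["sig"]):
        return False, "bad signature"
    data = json.loads(token["payload"])
    # 2. Nonce binding: single use, and issued for this very session
    issued = service.issued.pop(data["nonce"], None)
    if issued is None or issued[0] != session_id:
        return False, "unknown or reused nonce"
    # 3. Package binding and freshness
    if data["pkg"] != expected_pkg:
        return False, "package mismatch"
    if service.clock() - data["ts"] > max_age:
        return False, "stale verdict"
    # 4. Only now is the verdict itself consulted
    if data["verdict"] != PASSING_VERDICT:
        return False, f"verdict: {data['verdict']}"
    return True, "ok"


def demo():
    """Exercise the verifier with a genuine token, a replay, a rewritten verdict,
    an honest failing verdict and a token bound to another package."""
    svc = MockAttestationService(STAGING_KEY)
    pkg = "com.example.app"
    outcomes = {}
    n1 = svc.issue_nonce("sess-1")
    genuine = svc.sign_verdict(n1, pkg, PASSING_VERDICT)
    outcomes["genuine"] = verify_token(svc, genuine, pkg, "sess-1")
    outcomes["replayed"] = verify_token(svc, genuine, pkg, "sess-1")
    n2 = svc.issue_nonce("sess-2")
    failing = svc.sign_verdict(n2, pkg, "MEETS_BASIC_INTEGRITY")
    # What a hook that rewrites the verdict in transit produces: new payload, old tag
    forged = dict(failing, payload=failing["payload"].replace("MEETS_BASIC_INTEGRITY",
                                                               PASSING_VERDICT))
    outcomes["forged_verdict"] = verify_token(svc, forged, pkg, "sess-2")
    outcomes["honest_failure"] = verify_token(svc, failing, pkg, "sess-2")
    n3 = svc.issue_nonce("sess-3")
    other = svc.sign_verdict(n3, pkg, PASSING_VERDICT)
    outcomes["wrong_package"] = verify_token(svc, other, "com.other.app", "sess-3")
    return outcomes


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:15} accepted={ok!s:5} {reason}")
```

For a staging tenant this is the shape of the "mock verifier": the backend trusts the staging key instead of the vendor's public key, test devices get verdicts they can pass, and the production verification path (signature, nonce, package, freshness, verdict) stays exactly as it is.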
**Authorized Testing Approaches**:
- ✅ Use test tenant with backend allowlist
- ✅ Configure mock verifier in staging environment
- ✅ Request official pentest exception from vendor
- ✅ Use approved lab environment with vendor cooperation
```yaml
# Add custom rule to scripts/03-static-analysis/semgrep-rules/
rules:
  - id: custom-api-key-pattern
    pattern: |
      const-string $VAR, "cust_$KEY"
    message: Custom API key pattern detected
    severity: ERROR
    languages: [smali]
    metadata:
      owasp_mobile: M1
      masvs_control: MASVS-STORAGE-1
```