Mobile penetration testing android & iOS command cheatsheet
Things you should know about Android :) For iOS applications, see the iOS Pentest Cheatsheet.
Download adb from http://adbdriver.com/downloads/, or use the adb that ships with the Android Studio platform-tools.
Check the Android architecture (ABI)
$ adb shell getprop | grep abi
# Shorter output, primary ABI only :)
$ adb shell getprop ro.product.cpu.abi
List all installed applications (filtered by name)
$ adb shell pm list packages -f | grep -i 'testing'
Tracing log on android
$ adb logcat | grep com.app.testing
Install application to device
$ adb install app.testing.apk
Get the on-device path of an installed application (prints one line per APK; apps with split APKs have several)
$ adb shell pm path com.example.someapp
Download the apk to development machine
$ adb pull /data/app/com.example.someapp-2.apk
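The single `adb pull` above only works when the app is one file. Many apps ship as a base APK plus split APKs, and `pm path` then prints one `package:` line per split. The script below is an added example (not part of the original cheatsheet): `pm_path_to_files` parses `pm path` output, and `pull_apks` pulls every APK of a package into a local directory. The `pm path` output it is shown on is constructed, not captured from a real device.

```shell
#!/bin/sh
# Added example: pull every APK (base + splits) of a package with adb.

# Strip the "package:" prefix that `adb shell pm path` puts on each line.
# Reads pm path output on stdin, prints one on-device path per line.
pm_path_to_files() {
    sed -n 's/^package://p' | tr -d '\r'
}

# Number of APK files the package consists of (1 = no splits).
pm_path_count() {
    pm_path_to_files | grep -c .
}

# Pull all APKs of package $1 into directory $2 (default: ./<package>).
pull_apks() {
    pkg="$1"
    dest="${2:-./$pkg}"
    mkdir -p "$dest"
    adb shell pm path "$pkg" | pm_path_to_files | while read -r f; do
        adb pull "$f" "$dest/"
    done
}

# Constructed sample of `pm path` output for an app with two split APKs
SAMPLE_PM_PATH='package:/data/app/~~Abc==/com.example.someapp-Xyz==/base.apk
package:/data/app/~~Abc==/com.example.someapp-Xyz==/split_config.arm64_v8a.apk
package:/data/app/~~Abc==/com.example.someapp-Xyz==/split_config.xxhdpi.apk'

# Usage: pull_apks com.example.someapp
```

Decompile the base APK for the code; the `split_config.*` files only carry native libraries and resources, but you need all of them if you plan to repackage and reinstall (`adb install-multiple`).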
Show the activity currently in the foreground
$ adb shell dumpsys activity top | grep ACTIVITY
Create a new file from an adb shell
$ cat > filename.xml
Append lines to an existing text file with:
$ cat >> filename.xml
Terminate either command with Ctrl-D.
Show memory usage of an app (a usage summary, not a dump of memory contents)
$ adb shell dumpsys meminfo com.package.name
Disable APK verification for adb installs
$ adb shell settings put global verifier_verify_adb_installs 0
Disable the package verifier (the Play Protect check at install time)
$ adb shell settings put global package_verifier_enable 0
Install Frida server on Android. Download the frida-server build matching the device ABI (see getprop above) and your client version (`frida --version`) from https://github.com/frida/frida/releases
$ adb root # might be required
$ adb push frida-server /data/local/tmp/
$ adb shell "chmod 755 /data/local/tmp/frida-server"
$ adb shell "/data/local/tmp/frida-server &"
Connect Frida to a device over USB and list running processes
$ frida-ps -U
List running applications
$ frida-ps -Ua
List installed applications
$ frida-ps -Uai
Connect Frida to a specific device by ID (list IDs with `frida-ls-devices`)
$ frida-ps -D 0216027d1d6d3a03
Trace recv* and send* APIs in Safari
$ frida-trace -i "recv*" -i "send*" Safari
Trace ObjC method calls in Safari
$ frida-trace -m "-[NSView drawRect:]" Safari
Spawn an app on the iPhone by bundle ID and trace CommonCrypto API calls
$ frida-trace -U -f com.app.testing -I "libcommonCrypto*"
Spawn an Android app and trace every open() call from program start
$ frida-trace -U -f com.app.testing -i open
Download: https://github.com/Piasy/FridaAndroidTracer
Usage:
$ java -jar FridaAndroidTracer.jar
  -a,--expand-array      expand array values
  -c,--classes           classes to be hooked
  -j,--jars              jar files to be included
  -o,--output            output script path
  -p,--include-private   include private methods
  -s,--skip              methods to be skipped
Bypass root detection: anti-root checks in Android apps are usually simple comparisons (does /system/bin/su exist, is the build tagged test-keys, is a root-manager package installed). Hook the check with Frida and return a different value, or feed it a different data type than it expects, to break the logic.
Install from https://github.com/sensepost/objection
$ pip3 install objection
Usage: run objection with defaults
$ objection --gadget "com.application.id" explore
Run objection with a startup command (for Android the equivalent is "android root disable")
$ objection --gadget "com.application.id" explore --startup-command "ios jailbreak disable"
Run objection with a startup script
$ objection --gadget "com.application.id" explore --startup-script antiroot.js
Inject the Frida gadget into an APK with objection
$ objection patchapk --source apkname.apk
After launching the patched application it pauses on a white screen and waits for a connection; at that point run
$ objection explore
to resume the application.
Download https://github.com/swdunlop/AndBug
Usage:
```
$ andbug classes -p [PID or com.app.testing] > class.txt
$ andbug methods -p [PID or com.app.testing] [class name]
```
Using PIDCAT: https://github.com/JakeWharton/pidcat
Usage:
$ ./pidcat.py [com.app.testing]
Download https://github.com/b-mueller/apkx
Usage:
$ apkx -c enjarify -d procyon app.testing.apk
Download https://github.com/Konloch/bytecode-viewer/releases to read the source code of a dex or jar file. How to run: just double-click the jar file.
Download https://github.com/1N3/ReverseAPK
Install:
$ git clone https://github.com/1N3/ReverseAPK.git
$ cd ReverseAPK
$ ./install
Usage:
$ reverse-apk app.testing.apk
Convert the Burp CA certificate from DER to PEM and rename it to its old-style subject hash, which is the file name Android's system store looks up. If you are lazy, you can download the PEM file from this repository.
```
$ openssl x509 -inform DER -in cacert.der -out cacert.pem
$ openssl x509 -inform PEM -subject_hash_old -noout -in cacert.pem
$ mv cacert.pem 9a5ba575.0
```
Install the PEM file into the system trusted credentials on the device. It has to be the system store, not the user store, because apps targeting Android 7+ ignore user-added CAs by default.
```
$ adb root
$ adb remount
```
If /system cannot be remounted (on Android 10+ emulators start them with `emulator -writable-system -avd [EmulatorName]` first), mount it read-write by hand. Take the real block device and filesystem type of /system from /proc/mounts; the mount line below is only an example.
```
$ adb root
$ adb shell
$ cat /proc/mounts
$ mount -o rw,remount -t rfs /dev/block/bootdevice/by-name/system /system
$ exit
$ adb push 9a5ba575.0 /system/etc/security/cacerts/
$ adb shell "chmod 644 /system/etc/security/cacerts/9a5ba575.0"
$ adb shell "reboot"
```
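The steps above as one script, added here as an example (it is not part of the original cheatsheet and not Burp's or Android's own tooling). `ca_hash_name` computes the `<subject_hash_old>.0` file name for any CA, so it is not tied to the `9a5ba575` hash of the Burp certificate, and `install_system_ca` pushes the file and checks it landed before rebooting. It assumes openssl and adb on the host and a device on which `adb remount` succeeds.

```shell
#!/bin/sh
# Added example: convert a proxy CA (DER) to the hash-named PEM that the
# Android system trust store expects and install it with adb.

# Convert a DER certificate ($1) to PEM ($2).
der_to_pem() {
    openssl x509 -inform DER -in "$1" -outform PEM -out "$2"
}

# Print the file name Android looks up for a PEM CA: <subject_hash_old>.0
ca_hash_name() {
    printf '%s.0\n' "$(openssl x509 -subject_hash_old -noout -in "$1")"
}

# Install a PEM CA ($1) into the system store of the connected device.
# Requires a rooted device/emulator where /system can be remounted.
install_system_ca() {
    pem="$1"
    name=$(ca_hash_name "$pem")
    cp "$pem" "$name"
    adb root
    adb remount
    adb push "$name" /system/etc/security/cacerts/
    adb shell "chmod 644 /system/etc/security/cacerts/$name"
    # Confirm the file is really there before rebooting
    adb shell "ls -l /system/etc/security/cacerts/$name"
    adb shell reboot
}

# Usage: der_to_pem cacert.der cacert.pem && install_system_ca cacert.pem
```

After the reboot, Settings > Security > Trusted credentials > System should list the proxy CA; if it does not, the push went to a tmpfs/overlay that did not survive the reboot.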
Download: https://opengapps.org
Extract:
$ unzip open_gapps-x86_64******.zip 'Core/*'
$ rm Core/setup*
$ lzip -d Core/*.lz
$ for f in Core/*.tar; do tar -x --strip-components 2 -f "$f"; done
Install to the emulator:
$ adb root
$ adb remount
$ adb push etc /system
$ adb push framework /system
$ adb push app /system
$ adb push priv-app /system
$ adb shell stop
$ adb shell start
These commands run the emulator from Android Studio's command-line tools, so Android Studio must already be installed. If you want a rootable emulator, choose a system image without Google APIs or Google Play (`adb root` is refused on those images). ```
$ emulator.exe -list-avds
$ emulator.exe -avd [EmulatorName] ```
Download https://www.genymotion.com/
Download https://www.ldplayer.net/
Download https://github.com/linkedin/qark for a quick analysis of an Android application: it scans the APK or Java source and generates a proof of concept for the vulnerabilities it finds.
Install QARK:
$ git clone https://github.com/linkedin/qark
$ cd qark
$ pip install -r requirements.txt
$ pip install . --user # --user is only needed if not using a virtualenv
$ qark --help
Usage to scan an APK:
$ qark --apk path/to/my.apk
Usage to scan Java source code files:
$ qark --java path/to/parent/java/folder
$ qark --java path/to/specific/java/file.java
If you want to mirror the Android screen to your laptop or computer, you can buy software for that or use scrcpy for free :D
Mac :
brew install scrcpy
Run with touches shown (-t), a custom window title and the window always on top:
scrcpy -t --window-title 'My Research' --always-on-top
Steps to repackage an APK.
Extract the APK with apktool
apktool d vantagepoint.apk -o vantagepoint
Modify the apk
Repackage apk with apktool
apktool b vantagepoint -o vantagepoint_bank.apk
Align and Signing the APK with uber-apk-signer.
java -jar uber-apk-signer-1.1.0.jar -a vantagepoint_bank.apk --ks vantagepoint.jks --ksAlias vantagepoint-pass --ksKeyPass 1234567 --ksPass 1234567 -o vantagepoint_bank_release
Check the signed APK to verify it was signed with our certificate (optional)
keytool -list -printcert -jarfile "vantagepoint_bank-aligned-signed.apk"
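Reading the `keytool -printcert` output by eye is fine once, but when you rebuild an APK repeatedly it is easier to compare the SHA-256 fingerprint of the APK's signing certificate with the one in your keystore. The script below is an added example (not part of the original cheatsheet): `fingerprint_from_keytool` pulls the SHA256 line out of keytool output, and `verify_apk_signer` compares the APK against a keystore alias. It assumes keytool from a JDK on the host; the keytool output it is shown on is constructed and the fingerprint in it is made up.

```shell
#!/bin/sh
# Added example: confirm a repackaged APK is signed with our own keystore
# key by comparing SHA-256 certificate fingerprints from keytool output.

# Extract the SHA256 fingerprint from keytool -printcert/-list -v output
# on stdin. Prints e.g. AA:BB:...; prints nothing if the line is absent.
fingerprint_from_keytool() {
    sed -n 's/^[[:space:]]*SHA256:[[:space:]]*//p' | head -1 | tr -d '\r'
}

# Fingerprint of the certificate that signed APK $1.
apk_fingerprint() {
    keytool -list -printcert -jarfile "$1" | fingerprint_from_keytool
}

# Fingerprint of alias $2 in keystore $1 (keystore password $3).
keystore_fingerprint() {
    keytool -list -v -keystore "$1" -alias "$2" -storepass "$3" | fingerprint_from_keytool
}

# 0 when both fingerprints are non-empty and equal, 1 otherwise.
# The non-empty check matters: two failed keytool calls must not "match".
fingerprints_match() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# verify_apk_signer <apk> <keystore> <alias> <storepass>
verify_apk_signer() {
    a=$(apk_fingerprint "$1")
    k=$(keystore_fingerprint "$2" "$3" "$4")
    fingerprints_match "$a" "$k"
}

# Constructed sample of keytool -printcert output (fingerprint is made up)
SAMPLE_KEYTOOL='Owner: CN=vantagepoint
Issuer: CN=vantagepoint
Serial number: 1
Certificate fingerprints:
     SHA1: 11:22:33:44:55:66:77:88:99:00:11:22:33:44:55:66:77:88:99:00
     SHA256: AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99'

# Usage:
# verify_apk_signer vantagepoint_bank-aligned-signed.apk vantagepoint.jks vantagepoint-pass 1234567 && echo "signed by us"
```

Note that a signature match only proves the APK was signed with your key; installing it over the original (signed by the vendor) still fails with a signature mismatch, so uninstall the original first.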
If you know more commands or a new trick for mobile pentesting, please let me know :) email: [email protected]