6 Must-have Tools for Your Android Pentesting Toolkit
Hello, and welcome everyone! When performing a pentest, whether of web, network, mobile, or IoT targets, the most crucial thing a pentester needs is the right tooling. In the last blog, I wrote about the iOS pentesting toolkit. In this blog, I am going to share the tools I use to perform pentesting of Android applications.
Android Debug Bridge (ADB) is a command-line tool used to communicate with devices. It supports multiple device actions, such as installing applications, debugging, taking backups, and pushing or pulling data from the device.
Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pentesting framework capable of performing static, dynamic, and malware analysis. It can be used for effective and fast security analysis of Android, iOS, and Windows mobile applications, and it supports both binaries (APK, IPA, APPX) and zipped source code. You can download MobSF from here.
Drozer is a comprehensive security and attack framework for Android developed by MWR Labs. It allows you to interact with the Dalvik VM, other apps' IPC endpoints, and the underlying OS. You can download Drozer from here.
d2j-dex2jar is a tool for working with Android .dex and .jar files. It converts .dex files to .class files (zipped as a .jar file). You can download d2j-dex2jar from here.
JD-GUI is a standalone graphical utility that displays the Java source code from the class files. You can download JD-GUI from here.
Objection is a runtime mobile exploration toolkit, powered by Frida. It was built to help assess mobile applications and their security posture without the need for a jailbroken or rooted mobile device. This tool has features like:

* Root detection bypass
* SSL pinning bypass
* Dump Keystore
* Dump Android heap
* Monitor the Android copy/paste buffer cache
* Hook method(s) of a class at runtime
* Execute custom Frida scripts
* Work with Android intents

You can download it from here.