Must have Tools for Your Android Pentesting Toolkit

akansha

8-January-2020

6 Must-have Tools for Your Android Pentesting Toolkit

Hello, and Welcome everyone! When performing pentesting, either it is the web, network, mobile, or IoT, the most crucial thing the pentester should have is the tool. In the last blog, I wrote about the iOS pentesting toolkit. In this blog, I am going to share the tools I use to perform pentesting of Android applications.

1. ADB

Android Debug Bridge (ADB) is a command-line tool that is used to communicate with devices. It has multiple device actions, such as installing the application, debugging, backup, and push or pull data from the device. ADB

2. MobSF

Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pentesting framework capable of performing static, dynamic, and malware analysis. It can be used for effective and fast security analysis of Android, iOS, and Windows mobile applications and support both binaries (APK, IPA, APPX) and zipped source code. MobSF can also perform dynamic testing of the application. You can download MobSF from here. MobSF

3. Drozer

Drozer is a comprehensive security and attack framework for Android developed by MWR Labs. It allows you to interact with the Dalvik VM, other apps IPC endpoints, and the underlying OS. You can download Drozer from here. Drozer

4. d2j-dex2jar

It is a tool to work with Android .dex and .jar files. This helps convert the .dex file to .class file (zipped jar files). You can download d2j-dex2jar from here. d2j-dex2jar

5. JD-GUI

JD-GUI is a standalone graphical utility that displays the Java source code from the class files. You can download JD-GUI from here.

JD-GUI

6. Objection

Objection is a runtime mobile exploration toolkit, powered by Frida. It was built to help assess mobile applications and their security posture without the need for a jailbroken or rooted mobile device. This tool has features like: * Root detection bypass * SSL pinning bypass * Dump Keystore. * Dump Android Heap. * Monitors Android copy/paste buffer cache. * Hook a method(s) of a class in runtime. * Execute custom Frida scripts. * Work with the Android intents. You can download it from here. Objection

References:
  1. https://github.com/sensepost/objection

  2. https://github.com/frida/frida

  3. https://www.frida.re/docs/android/

  4. https://github.com/pxb1988/dex2jar

  5. https://labs.mwrinfosecurity.com/tools/drozer/

  6. https://github.com/MobSF/Mobile-Security-Framework-MobSF

  7. https://github.com/java-decompiler/jd-gui

Latest news See all news

16-March-2020
Heidelberg, Germany

Visit

Nikhil Joshi will be delivering training titled “ML for security and security for ML” at troppers2020

14-March-2020
Vancouver, Canada

Visit

Ashfaq Ansari, will be delivering a training on “Windows Kernel Exploitation Foundation & Advanced” at CanSecWest, Canada 2020.

03-March-2020
Goa, India

Visit

Aseem Jakhar and Munawwar Hussain Shelia will be delivering a training on “Practical IoT Hacking (3 days)” at nullcon, Goa, India 2020.