Must have Tools for Your Android Pentesting Toolkit

    akansha
    8-January-2020

6 Must-have Tools for Your Android Pentesting Toolkit

Hello, and Welcome everyone! When performing pentesting, either it is the web, network, mobile, or IoT, the most crucial thing the pentester should have is the tool. In the last blog, I wrote about the iOS pentesting toolkit. In this blog, I am going to share the tools I use to perform pentesting of Android applications.

1. ADB

Android Debug Bridge (ADB) is a command-line tool that is used to communicate with devices. It has multiple device actions, such as installing the application, debugging, backup, and push or pull data from the device. ADB

2. MobSF

Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pentesting framework capable of performing static, dynamic, and malware analysis. It can be used for effective and fast security analysis of Android, iOS, and Windows mobile applications and support both binaries (APK, IPA, APPX) and zipped source code. MobSF can also perform dynamic testing of the application. You can download MobSF from here. MobSF

3. Drozer

Drozer is a comprehensive security and attack framework for Android developed by MWR Labs. It allows you to interact with the Dalvik VM, other apps IPC endpoints, and the underlying OS. You can download Drozer from here. Drozer

4. d2j-dex2jar

It is a tool to work with Android .dex and .jar files. This helps convert the .dex file to .class file (zipped jar files). You can download d2j-dex2jar from here. d2j-dex2jar

5. JD-GUI

JD-GUI is a standalone graphical utility that displays the Java source code from the class files. You can download JD-GUI from here.

JD-GUI

6. Objection

Objection is a runtime mobile exploration toolkit, powered by Frida. It was built to help assess mobile applications and their security posture without the need for a jailbroken or rooted mobile device. This tool has features like: * Root detection bypass * SSL pinning bypass * Dump Keystore. * Dump Android Heap. * Monitors Android copy/paste buffer cache. * Hook a method(s) of a class in runtime. * Execute custom Frida scripts. * Work with the Android intents. You can download it from here. Objection

References:
  1. https://github.com/sensepost/objection

  2. https://github.com/frida/frida

  3. https://www.frida.re/docs/android/

  4. https://github.com/pxb1988/dex2jar

  5. https://labs.mwrinfosecurity.com/tools/drozer/

  6. https://github.com/MobSF/Mobile-Security-Framework-MobSF

  7. https://github.com/java-decompiler/jd-gui

Get to know more about our process, methodology & team!

Close the overlay

I am looking for
Please click one!

Latest news See all news

11-July-2020
Webinar, Online

Visit

Munawwar will give security professionals a comprehensive understanding of the ARM Architecture, reversing ARM binaries, exploiting vulnerabilities and the nuances of ARM shellcoding.

21-May-2020
Webinar, Online

Visit

Arun Magesh will be delivering a webinar on <em>Introduction to IoT Reversing Firmware</em> and discussing how to get started with IoT pentesting with hands-on.

25-April-2020
Workshop, Online

Visit

Ashfaq Ansari is conducting a workshop to get you started with kernel vulnerability analysis and exploitation in the Android platform.