Android Pentesting

Last modified: 2025-03-19

The Android Package with the file extension apk is the file format used by the Android operating system, and a number of other Android-based operating systems for distribution and installation of mobile apps, mobile games and middleware.

APK Analysis

If we have a .apk file, we can investigate the file using some tools.

Using JADX

The most easiest way to analyze a .apk file, use jadx-gui.

jadx-gui ./example.apk

Using JD

Extract APK File to DEX File

You can retrieve "classes.dex".
```
unzip example.apk -d ./Example
```
Now you can observe files.
For React Native, it may contain the sensitive information in the bundle file.
```
strings assets/index.android.bundle
```
Convert DEX to JAR

You can retrieve JAR file.
```
d2j-dex2jar classes.dex
```
Observation

JD-GUI is a JAVA decompiler tool. It reveals class in the JAR file.
Open JD-GUI.
```
jd-gui
```

Static Analysis

# Decode APK file
apktool d example.apk -o ./example

ghidra

Pithus

An open-source mobile threat intelligence platform.
MobSF

MobSF (Mobile Security Framework) is an automated all-in-one mobile application pentesting, malware analysis framework capable of static and dynamic analysis.

Dynamic Analysis

If you pentest on virtual devices, you need to install some emulator as below.

Android Backup (.ab)

Extract

(printf "\x1f\x8b\x08\x00\x00\x00\x00\x00" ; tail -n +5 sample.ab) | tar -xvz

Android