Mobile Android


Windows VM with Genymotion (make personal use account) & Android studio

In Android Studio install command line tools under Tools -> SDK Manager

setx PATH "%PATH%;C:\Users\xct\AppData\Local\Android\Sdk\platform-tools"


adb connect <ip>
adb devices
adb shell (get shell on device)
adb push/pull <filename> <targetpath>
adb install <name of app>
am start -a android.intent.action.VIEW (start action via activity manager)
adb shell ps
adb logcat | grep -I <psid from above>

Handling APKs


unzip -d
apktool d <apk>
dexdump to dump .dex files or 010 Editor with templates


  • bytecode-viewer


apktool b folder -o name.apk


jarsigner -verbose -sigalg MD5withRSA -digestalg SHA1 -keystore my_release_key.keystore name.apk alias_name


Set Proxy

Androidwifi (long press), Modify -> Proxy

Import Burp Certificate

openssl x509 -inform DER -in cacert.der -out cacert.pem
openssl x509 -inform PEM -subject_hash_old -in cacert.pem |head -1
mv cacert.pem <hash>.0
adb push path /sdcard/
adb remount
mv /sdcard/9a5ba575.0 /system/etc/security/cacerts
chmod 644 on that file
adb reboot

ARM in Genymotion


adb push frida-server /data/local/tmp/frida-server
adb shell chmod 777 /data/local/tmp/frida-server
adb shell /data/local/tmp/frida-server &

Bypassing SSL-Pinning

Use Genymotion & Setup Burp + Proxy as usual (save burp ca-cert locally as well).

pip install Frida objection frida-tools

Download the appropriate Frida server release (probably x86). Also download this script: pcipolloni/universal-android-ssl-pinning-bypass-with-frida and store it as fridascript.js, then:

adb push frida-server /data/local/tmp
adb shell chmod 777 /data/local/tmp/frida-server
adb push cacert.der /data/local/tmp/cert-der.crt
adb push fridascript.js /data/local/tmp
adb shell /data/local/tmp/frida-server &

Run ps and note the app name you want to bypass it for:

frida-ps -U


frida -U -f --codeshare pcipolloni/universal-android-ssl-pinning-bypass-with-frida --no-pause


  • unzip -d and apktool -d both (different outputs at time)

  • check for /assets and /res/raw (api keys, encryption keys)

  • sensitive files and external storage (world readable & writeable)

  • executables & log files on external storage

  • look at manifest (WRITE_EXTERNAL_STORAGE)., grep for "getExternal"

  • check for installed package "" (they want to install something)

  • hidden directories (.folder)

  • api keys saved as bytearray to obfuscate

  • identify crypto & understand it

  • webSettings.setJavaScriptEnabled(True); means we might be able to XSS

  • interesting options: "setAllowContent", "setAllowFileAccess", "setAllowFileAccessFromFileURILS", "setAllowUniversalAccessFromFileURLs", "setJavaScriptEnabled", "setPluginState", "setSavePassword"

  • overwriting ssl errors :facepalm:

  • xss might allow to call Runtime.getRuntime().exec() (CVE-2012-6636) <= Api17

  • use Mitm Proxy ( has the cert)

Last updated