Mobile App Pentesting: From APK to Shell

by

Android has over 3 billion active devices. Every one of them runs apps that store credentials, process payments, access cameras and microphones, and communicate with backend APIs. Mobile application penetration testing is a discipline that combines web security, binary reversing, and platform-specific knowledge to find vulnerabilities before attackers do. This guide focuses on Android — the most commonly tested mobile platform — using free tools that work on any Linux system.

Setting Up Your Mobile Pentest Lab

You need three things: a way to run Android apps, a way to intercept their traffic, and tools to inspect the APK itself.

# Option 1: Android emulator (no physical device needed)
# Install Android Studio, create AVD (Android Virtual Device)
# Or use Genymotion for faster emulation

# Option 2: Physical Android device
# Enable Developer Options: Settings > About Phone > tap Build Number 7x
# Enable USB Debugging in Developer Options

# Install ADB (Android Debug Bridge)
sudo apt-get install adb

# Verify device connected
adb devices
# Output: List of devices attached
# emulator-5554   device

Traffic Interception with Burp Suite

# Configure Burp proxy on your machine (listen on all interfaces, port 8080)
# On the Android device/emulator:
# Settings > WiFi > Long press network > Modify > Manual proxy
# Set proxy: your-machine-IP:8080

# Install Burp CA certificate on device
# In browser on device: http://burpsuite (or burp.cert)
# Download and install as trusted CA

# For apps with certificate pinning (bypass with Frida):
pip install frida-tools
# Download frida-server for Android:
wget https://github.com/frida/frida/releases/latest/download/frida-server-android-arm64.xz
unxz frida-server-android-arm64.xz
adb push frida-server-android-arm64 /data/local/tmp/frida-server
adb shell "chmod 755 /data/local/tmp/frida-server && /data/local/tmp/frida-server &"

# Run SSL pinning bypass script
frida -U -f com.target.app -l ssl_pinning_bypass.js --no-pause

Static Analysis: Reverse Engineering the APK

An APK is just a ZIP file. Inside it is compiled Java bytecode (DEX format), resources, and configuration files. Static analysis lets you find hardcoded secrets, insecure configurations, and vulnerable code without running the app at all.

# APKTool: decompile APK to smali (bytecode) and resources
apktool d target_app.apk -o target_app/

# JADX: decompile APK to readable Java source code
jadx target_app.apk -d target_app_java/

# Now grep for interesting patterns in decompiled source:
# Hardcoded API keys
grep -r "api_key|apiKey|API_KEY|secret|password|token" target_app_java/ --include="*.java"

# Hardcoded URLs and endpoints
grep -r "http://|https://" target_app_java/ --include="*.java" | grep -v "test|example"

# Insecure random number generation (weak crypto)
grep -r "new Random()|Math.random()" target_app_java/

# Check AndroidManifest.xml for dangerous permissions and exported components
cat target_app/AndroidManifest.xml | grep -E "exported="true"|android.permission"

Finding Secrets in APKs

# MobSF (Mobile Security Framework) - automated APK analysis
docker run -it --rm -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest
# Upload APK at http://localhost:8000
# Gets you: hardcoded secrets, permissions analysis, vulnerability list, network calls

# Manual string extraction from DEX files
strings classes.dex | grep -E "AIza|sk_live|AKIA|ghp_"
# These patterns match Google API keys, Stripe live keys, AWS keys, GitHub tokens

Dynamic Analysis: Testing the Running App

# Frida: hook functions and modify behavior at runtime
# List running apps
frida-ps -U

# Hook all network calls made by the app
frida -U -f com.target.app -l monitor_network.js

# Example Frida script: log all SharedPreferences reads (where apps store creds)
Java.perform(function() {
  var SharedPreferences = Java.use('android.app.SharedPreferencesImpl');
  SharedPreferences.getString.overload('java.lang.String', 'java.lang.String').implementation = function(key, defValue) {
    var result = this.getString(key, defValue);
    console.log('[SharedPreferences] Key: ' + key + ' Value: ' + result);
    return result;
  };
});

# Drozer: test exported components (activities, services, content providers)
adb forward tcp:31415 tcp:31415
drozer console connect
run app.package.list -f target  # find package name
run app.activity.info -a com.target.app  # list exported activities
run app.activity.start --component com.target.app com.target.app.AdminActivity  # launch admin UI directly!

Common Mobile Vulnerabilities with Examples

  • Insecure Data Storage: Credentials stored in SharedPreferences in plaintext, found in /data/data/com.target.app/shared_prefs/
  • Weak Cryptography: Using ECB mode AES (produces patterns), MD5 for password hashing, hardcoded IV values
  • Insecure Communication: HTTP endpoints, disabled certificate validation (TrustAllCerts or ALLOW_ALL_HOSTNAME_VERIFIER)
  • Improper Session Handling: JWT tokens with no expiry stored in external storage (readable by other apps)
  • Client-Side Business Logic: Price calculations, authorization checks, feature flags done in the app code rather than server-side

Checking Local Storage for Secrets

# Access app's data directory (requires rooted device or emulator)
adb shell
su
cd /data/data/com.target.app/

# Check all storage locations
ls -la databases/      # SQLite databases
ls -la shared_prefs/   # XML preferences (often has tokens/passwords)
ls -la files/          # General file storage
ls -la cache/          # Cached network responses

# Read SharedPreferences
cat shared_prefs/*.xml | grep -E "password|token|key|secret|auth"

# Dump SQLite database
sqlite3 databases/app.db .dump | grep -E "pass|token|secret"

The Mobile Pentesting Checklist

  1. Extract and decompile APK with JADX
  2. Search for hardcoded secrets, API keys, and URLs
  3. Review AndroidManifest.xml for exported components and dangerous permissions
  4. Run MobSF for automated static analysis
  5. Set up Burp proxy, intercept all API traffic
  6. Test for certificate pinning — bypass with Frida if present
  7. Test all API endpoints for auth bypasses and BOLA
  8. Check local storage on device for sensitive data
  9. Test exported activities and content providers with Drozer
  10. Look for client-side authorization or business logic flaws

Mobile app security is a field where even experienced developers consistently make the same mistakes: storing tokens in SharedPreferences, trusting client-side validation, and shipping with debug flags enabled. With the tools above, you can systematically find and document these issues in any Android application.