1. ADB (Android Debug Bridge)
Android Debug Bridge is a command line tool that allows communicating with Android devices, physical or simulated devices. This tool provides a variety of device actions related to the pen-testing process, such as:
- Installing and debugging apks
- Copy files to/from a device
- Launch a Unix shell
- Calls to activity manager (am) to interact with apps’ IPCs
Apktool is a tool for reverse engineering Android applications. It can decode the apk file and extract the source code to its nearly original form. Furthermore, it allows for to correct extracting of AndroidManifest.xml files where the penetration tester could detect relevant findings such as permissions used by the app or possible vulnerable components. In addition to this, it is possible to modify resources and rebuilt them into a new application file.
Drozer is a security testing framework for Android, and it is open-source software. It allows the penetration tester to search for security vulnerabilities in apps by assuming the role of an app and interacting with other apps’ IPC (Inter-Process Communication) endpoints and directly with the Dalvik VM. This powerful tool is an alternative to Android Debug Bridge for interacting with apps’ IPCs. In addition, it is necessary to install the Drozer Agent on Android devices.
Frida is a dynamic code instrumentation toolkit. It allows you to inject your code and to programmatically and interactively inspect and change running processes. In addition, it allows interaction with applications to inject code to bypass security techniques implemented by developers, such as certificate pinning. Furthermore, this tool is used to hook dynamically to manipulate dynamically loaded classes from the application.
Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis, and security assessment framework capable of performing static and dynamic analysis. It supports mobile app binaries (APK, XAPK, IPA & APPX) along with zipped source code. It has the functionality to export results and create a report in a PDF file.