Most common utilities used in Android mobile application pentest

Apr 17, 2023

As technology continues to advance and mobile devices become more prevalent, mobile application security is becoming increasingly important. Mobile application penetration testing is a critical process in ensuring the security of mobile applications. In this article, we will discuss the most common tools that a penetration tester must use to execute a mobile application pentest on Android.

These tools are essential for identifying vulnerabilities and potential security threats within the Android operating system and can help ensure that mobile applications are secure and resilient against attacks. By using these tools, penetration testers can gain a deeper understanding of how attackers might attempt to compromise a mobile application and take proactive steps to prevent such attacks from occurring.

1. ADB (Android Debug Bridge)

Android Debug Bridge is a command-line tool for communicating with Android devices, whether physical or emulated. It provides a variety of device actions that are useful during a pentest, such as:
  • Installing and debugging APKs
  • Copying files to and from a device
  • Launching a Unix shell
  • Calling the activity manager (am) to interact with apps’ IPCs

2. Apktool

Apktool is a tool for reverse engineering Android applications. It can decode the APK file and extract the source code to its nearly original form. Furthermore, it correctly extracts the AndroidManifest.xml file, where the penetration tester can detect relevant findings such as the permissions used by the app or possibly vulnerable components. In addition, it is possible to modify resources and rebuild them into a new application file.

3. Drozer

Drozer is an open-source security testing framework for Android. It allows the penetration tester to search for security vulnerabilities in apps by assuming the role of an app and interacting with other apps’ IPC (Inter-Process Communication) endpoints and directly with the Dalvik VM. This powerful tool is an alternative to Android Debug Bridge for interacting with apps’ IPCs. To use it, the Drozer Agent must be installed on the Android device.

4. Frida

Frida is a dynamic code instrumentation toolkit. It lets you inject your own code into running processes and inspect and change them programmatically and interactively. It can also be used to inject code that bypasses security techniques implemented by developers, such as certificate pinning. Furthermore, it can hook and manipulate classes that the application loads dynamically.

5. MobSF

Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis, and security assessment framework capable of performing static and dynamic analysis. It supports mobile app binaries (APK, XAPK, IPA & APPX) along with zipped source code. It has the functionality to export results and create a report in a PDF file.

The tools shown in this article are essential for any Android mobile pentest. Therefore, anyone involved in Android mobile pen-testing should be thoroughly familiar with them. Finally, it is important to mention that mobile app security assessments are essential for any enterprise with publicly available apps. In addition, Google has launched its Mobile Application Security Assessment, which includes several categories to evaluate. In this way, pen-testers can assess the strength of an application against known and potential threats, protecting not only users but also the enterprise from potential disaster. Proper assessments can give users more confidence when using an app. Adopting a standard like this reduces risk, saves time, and provides actionable security measures that not only improve safety but also meet mandatory compliance requirements.