├── Android-Pentest-PDF-Books
    ├── Android Security Internals.pdf
    ├── Android_Security_Attacks_and_Defenses[1].pdf
    └── Learning Pentesting for Android Devices.pdf
├── Android-SSL-Pinning-Bypass
    └── PDFs-Books
    │   ├── Android - SSL-Pinning.pdf
    │   └── read.txt
├── README.md
└── Vulnerable-Android-Apps
    ├── Crackme03.apk
    ├── DIVA
        └── read.txt
    ├── InsecureBankv2.apk
    ├── InsecureShop.apk
    ├── UnCrackable-Level1.apk
    ├── dvba_v1.1.0.apk
    └── sieve.apk

/Android-Pentest-PDF-Books/Android Security Internals.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DevHackz/Android-Pentesting/915c1c15840c586ab252f54b48ee3e1eee19588a/Android-Pentest-PDF-Books/Android Security Internals.pdf
--------------------------------------------------------------------------------

/Android-Pentest-PDF-Books/Android_Security_Attacks_and_Defenses[1].pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DevHackz/Android-Pentesting/915c1c15840c586ab252f54b48ee3e1eee19588a/Android-Pentest-PDF-Books/Android_Security_Attacks_and_Defenses[1].pdf
--------------------------------------------------------------------------------

/Android-Pentest-PDF-Books/Learning Pentesting for Android Devices.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DevHackz/Android-Pentesting/915c1c15840c586ab252f54b48ee3e1eee19588a/Android-Pentest-PDF-Books/Learning Pentesting for Android Devices.pdf
--------------------------------------------------------------------------------

/Android-SSL-Pinning-Bypass/PDFs-Books/Android - SSL-Pinning.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DevHackz/Android-Pentesting/915c1c15840c586ab252f54b48ee3e1eee19588a/Android-SSL-Pinning-Bypass/PDFs-Books/Android - SSL-Pinning.pdf
--------------------------------------------------------------------------------

/Android-SSL-Pinning-Bypass/PDFs-Books/read.txt:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
# Android-Application-Pentesting

>
![android-g30bff2539_640](https://user-images.githubusercontent.com/59237881/222998869-6d1866de-3796-4744-bcd4-806fa016ab6f.png)

# Android Development

# For Beginners

* [Android-Architecture](https://www.tutorialspoint.com/android/android_architecture.html)
* [Intro-To-Mobile-Pentesting](https://www.hackthebox.com/blog/intro-to-mobile-pentesting)

YouTube videos in English:
* [BitsPlease](https://www.youtube.com/watch?v=si1LhLHhmzk&list=PLgnrksnL_Rn09gGTTLgi-FL7HxPOoDk3R&index=12)
* [Insider Learners](https://www.youtube.com/playlist?list=PLbytsNUpQrWG8bKy4wC4A8806mnGPfRhf)
* [Hacking Simplified](https://www.youtube.com/watch?v=6-M_7O3A8AI&list=PLGJe0xGh7cH2lszCZ7qwsqouEK23XCMGp)

YouTube videos in Hindi:
* [Fortify Solutions](https://www.youtube.com/watch?v=6DIeR8CtVww)
* [Ubaid Ahmed](https://www.youtube.com/watch?v=0I6ciwP8190&list=PLseJXX1OcscKnhj-mUdqFu4VRZzZFH2Ex)

# PDF Books
* [Android Security Internals An In-Depth Guide to Android's Security Architecture](https://www.pdfdrive.com/android-security-internals-an-in-depth-guide-to-androids-security-architecture-e178419522.html)
* [Learning Pentesting for Android Devices A practical guide](https://github.com/Dev-Hacks/Android-Pentesting/files/10893592/Learning.Pentesting.for.Android.Devices.A.practical.guide.to.learning.penetration.testing.for.Android.devices.and.applications.pdf)
* [Android Security Attacks and Defenses](https://github.com/Dev-Hacks/Android-Pentesting/files/10893633/Android.Security.Attacks.and.Defenses.pdf)


# Android SSL Pinning Bypass
* [Android SSL Pinning Bypass](https://github.com/DevHackz/android-ssl-pinning-bypass)

# How to Find Bugs in Android Applications


1) [Testing-Frida](https://www.hackingarticles.in/android-penetration-testing-frida/)
2) [Testing-Drozer](https://www.hackingarticles.in/android-penetration-testing-drozer/)
3) [ADB-Command-Cheatsheet](https://www.hackingarticles.in/android-pentest-lab-setup-adb-command-cheatsheet/)
4) [Automated-Analysis-Using-MobSF](https://www.hackingarticles.in/android-pentest-automated-analysis-using-mobsf/)
5) [Testing-Webview-Attacks](https://www.hackingarticles.in/android-penetration-testing-webview-attacks/)
6) [Deep-Link-Exploitation](https://www.hackingarticles.in/android-pentest-deep-link-exploitation/)


# APK Download
1) https://apk-dl.com/
2) https://en.uptodown.com/
3) https://en.aptoide.com/
4) https://www.apkmirror.com/
5) https://f-droid.org/en/
6) https://en.softonic.com/
7) https://androidapksfree.com/

# Tool For Windows


1) [Appie](https://manifestsecurity.com/appie/)
* Appie Framework is a popular open-source framework used for Android application penetration testing. It provides a comprehensive, self-contained environment specifically designed to facilitate testing of Android applications.

---

# Objection Tool Usage Guide

This repository provides a comprehensive guide on how to use the Objection tool for mobile security testing. Objection is a runtime mobile exploration toolkit, powered by Frida, designed to help penetration testers assess the security of mobile applications without requiring a jailbreak or root access.

## Table of Contents

- [Introduction](#introduction)
- [Features](#features)
- [Installation](#installation)
  - [Prerequisites](#prerequisites)
  - [Installing Objection](#installing-objection)
- [Basic Usage](#basic-usage)
  - [Starting Objection](#starting-objection)
  - [Common Commands](#common-commands)
- [Advanced Usage](#advanced-usage)
  - [Bypassing SSL Pinning](#bypassing-ssl-pinning)
  - [Interacting with the File System](#interacting-with-the-file-system)
  - [Manipulating Application Data](#manipulating-application-data)
- [Troubleshooting](#troubleshooting)
- [Contributing](#contributing)
- [License](#license)

## Introduction

Objection is a powerful tool that allows security researchers to explore and test the security of mobile applications at runtime. It provides an easy-to-use interface for tasks like bypassing SSL pinning, manipulating application data, exploring the file system, and much more. Objection is particularly useful because it works on both Android and iOS devices without the need for root or jailbreak.

## Features

- **Bypass SSL Pinning**: Easily disable SSL pinning in mobile apps to intercept network traffic.
- **File System Exploration**: Access and manipulate the file system of the mobile app at runtime.
- **Runtime Manipulation**: Modify application behavior and data while the app is running.
- **Cross-Platform**: Supports both Android and iOS devices.

## Installation

### Prerequisites

Before installing Objection, ensure that you have the following installed on your system:

- **Python 3.x**: Objection is a Python-based tool and requires Python 3.x to run.
- **Frida**: Objection uses Frida under the hood. You can install Frida using pip:
  ```bash
  pip install frida-tools
  ```
- **ADB (Android Debug Bridge)**: Required for interacting with Android devices.

### Installing Objection

You can install Objection using pip:

```bash
pip install objection
```

After installation, verify that Objection is installed correctly by running:

```bash
objection --help
```

## Basic Usage

### Starting Objection

To start using Objection with a mobile application, first ensure that the app is running on the device. Then, launch Objection using the following command:

```bash
objection -g <package_name> explore
```

Replace `<package_name>` with the actual package name of the mobile app (e.g., `com.example.app`).

### Common Commands

- **Bypass SSL Pinning**:
  ```bash
  android sslpinning disable
  ```
  This command disables SSL pinning, allowing you to intercept HTTPS traffic.

- **Explore the File System**:
  ```bash
  ls /
  ```
  Lists the files and directories in the root directory of the app's file system.

- **Dumping SQLite Databases**:
  ```bash
  android sqlite list
  android sqlite dump
  ```
  Lists and dumps the contents of SQLite databases used by the app.

- **Inspecting Keychain/Shared Preferences**:
  ```bash
  android prefs list
  ios keychain dump
  ```
  Lists and dumps shared preferences on Android or keychain data on iOS.

## Advanced Usage

### Bypassing SSL Pinning

Objection makes it easy to bypass SSL pinning in mobile applications, which is useful for intercepting and analyzing HTTPS traffic during security assessments. Simply use the following command:

```bash
android sslpinning disable
```

### Interacting with the File System

You can explore and manipulate the file system of the app directly from the Objection command line:

- **List Files**:
  ```bash
  ls /data/data/com.example.app/files/
  ```
- **Download a File**:
  ```bash
  file download /data/data/com.example.app/files/secret.txt
  ```

### Manipulating Application Data

Objection allows you to modify the data used by the app at runtime:

- **Change the Value of a Variable**:
  ```bash
  android hooking set class_variable com.example.app.ClassName variableName newValue
  ```

- **Trigger a Function**:
  ```bash
  android hooking call com.example.app.ClassName methodName arg1,arg2
  ```

## Troubleshooting

- **Objection Not Connecting**: Ensure that your device is properly connected via USB and that ADB is running for Android devices. For iOS, ensure that Frida is correctly installed on the device.
- **SSL Pinning Not Disabled**: Some apps may implement SSL pinning in ways that are resistant to Objection's default bypass method. In such cases, you may need to use custom Frida scripts.
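
A pre-flight check for the prerequisites and the "Objection Not Connecting" item above, as an added example that is not part of the original README. The function names are hypothetical; the checks assume the `frida`, `objection` and `adb` commands are expected on `PATH`.

```bash
#!/bin/sh
# Added example (not from the original README): pre-flight check for the
# Objection setup described above. Function names are hypothetical.

# Print the names of any commands from "$@" that are not on PATH.
missing_tools() {
  _missing=""
  for _tool in "$@"; do
    command -v "$_tool" >/dev/null 2>&1 || _missing="$_missing $_tool"
  done
  echo "${_missing# }"
}

# Classify the text printed by `adb devices` as ready, unauthorized,
# offline or none. Daemon start-up notices and the header are skipped.
device_status() {
  printf '%s\n' "$1" | awk '
    /^\*/ || /^List of devices/ || NF < 2 { next }
    { seen[$2]++ }
    END {
      if (seen["device"]) print "ready"
      else if (seen["unauthorized"]) print "unauthorized"
      else if (seen["offline"]) print "offline"
      else print "none"
    }'
}

# Run both checks and explain the first problem found.
preflight() {
  _m=$(missing_tools python3 frida objection adb)
  if [ -n "$_m" ]; then
    echo "missing from PATH: $_m"; return 1
  fi
  case $(device_status "$(adb devices 2>/dev/null)") in
    ready)        echo "device ready"; return 0 ;;
    unauthorized) echo "accept the USB debugging prompt on the device"; return 1 ;;
    offline)      echo "device offline: reconnect USB or restart adb"; return 1 ;;
    *)            echo "no device listed by adb"; return 1 ;;
  esac
}

# Run only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then preflight; fi
```

Save it as a script and pass `--run` to perform the check before launching Objection.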

---

# Bug-Finding Checklist for Android
* [workbook.securityboat.in](https://workbook.securityboat.in/bug-bounty/bug-bounty-checklist/bug-bounty-checklist-for-android)
* [book.hacktricks.xyz](https://book.hacktricks.xyz/mobile-pentesting/android-checklist)
* [blog.softwaroid.com](https://blog.softwaroid.com/2020/05/02/android-application-penetration-testing-bug-bounty-checklist/)
* [xmind.app](https://xmind.app/m/GkgaYH/)
* [hackinarticles](https://twitter.com/hackinarticles/status/1627571685187788800?t=fddGmsHKUxGbWL3C_vqyrQ&s=35)

# CTF & Challenges
1) InsecureShopApp : https://www.insecureshopapp.com
   GitHub : https://github.com/hax0rgb/InsecureShop
2) [Allsafe](https://github.com/t0thkr1s/allsafe)
3) [InjuredAndroid](https://github.com/B3nac/InjuredAndroid)
4) [HpAndro1337](https://github.com/RavikumarRamesh/hpAndro1337)
5) [KGB_Messenger](https://github.com/tlamb96/kgb_messenger)

* More Android mobile CTF challenges: [Awesome-Mobile-CTF](https://github.com/xtiankisutsa/awesome-mobile-CTF)

# Telegram Channels
* [Android-Security & Malware](https://t.me/androidMalware)

# Android Security Crash Course
[YouTube](https://youtube.com/playlist?list=PLH5GW4W70qp_B2eptq1Qo7KM2S66M77hi)

# Root Detection Bypass Using Frida
https://codeshare.frida.re/@dzonerzy/fridantiroot/

```bash
frida --codeshare dzonerzy/fridantiroot -U -f YOUR_BINARY
```

Demo video:

[Screencast.webm](https://github.com/Rupeesh-Patil/Android-Pentesting/assets/59237881/4a083ddc-aa44-45b3-995c-a8c9d094fe74)

--------------------------------------------------------------------------------

/Vulnerable-Android-Apps/Crackme03.apk:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DevHackz/Android-Pentesting/915c1c15840c586ab252f54b48ee3e1eee19588a/Vulnerable-Android-Apps/Crackme03.apk
--------------------------------------------------------------------------------

/Vulnerable-Android-Apps/DIVA/read.txt:
--------------------------------------------------------------------------------
DIVA: Damn Insecure and Vulnerable App for Android.
https://github.com/payatu/diva-android

--------------------------------------------------------------------------------

/Vulnerable-Android-Apps/InsecureBankv2.apk:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DevHackz/Android-Pentesting/915c1c15840c586ab252f54b48ee3e1eee19588a/Vulnerable-Android-Apps/InsecureBankv2.apk
--------------------------------------------------------------------------------

/Vulnerable-Android-Apps/InsecureShop.apk:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DevHackz/Android-Pentesting/915c1c15840c586ab252f54b48ee3e1eee19588a/Vulnerable-Android-Apps/InsecureShop.apk
--------------------------------------------------------------------------------

/Vulnerable-Android-Apps/UnCrackable-Level1.apk:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DevHackz/Android-Pentesting/915c1c15840c586ab252f54b48ee3e1eee19588a/Vulnerable-Android-Apps/UnCrackable-Level1.apk
--------------------------------------------------------------------------------

/Vulnerable-Android-Apps/dvba_v1.1.0.apk:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DevHackz/Android-Pentesting/915c1c15840c586ab252f54b48ee3e1eee19588a/Vulnerable-Android-Apps/dvba_v1.1.0.apk
--------------------------------------------------------------------------------

/Vulnerable-Android-Apps/sieve.apk:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DevHackz/Android-Pentesting/915c1c15840c586ab252f54b48ee3e1eee19588a/Vulnerable-Android-Apps/sieve.apk
--------------------------------------------------------------------------------