Android Pentesting Methodology: APK Decompile, Frida Hooks, SSL Pinning Bypass
A pragmatic Android pentest workflow covering APK unpacking with apktool and jadx, Frida-based runtime instrumentation, and bypassing modern SSL pinning implementations.
By Arjun Raghavan, Security & Systems Lead, BIPI · December 18, 2024 · 11 min read
Android pentests start before you touch the running app. Locate the APK with adb shell pm path com.target, copy it off with adb pull, and drop it straight into apktool d for resources and a decoded AndroidManifest.xml, then into jadx-gui for Java decompiled from the DEX. Most assessment leads live in exported components in the manifest, hardcoded API keys in strings.xml, and Firebase URLs left in BuildConfig.
Static Triage of the APK
- apktool d target.apk decodes the manifest and reveals exported activities, broadcast receivers, and content providers that often skip permission checks
- jadx-gui produces readable Java from DEX; use its text search for keywords like password, token, secret, debug, and BuildConfig
- MobSF automates manifest parsing, hardcoded secret scanning, and CVSS-style risk reporting in under 3 minutes
- Look for android:debuggable=true, android:allowBackup=true, and a network_security_config.xml that trusts user CAs
- Search for setJavaScriptEnabled(true) combined with addJavascriptInterface, the classic WebView RCE chain
Setting Up the Intercept Lab
A rooted Pixel or a Genymotion image is the path of least resistance. Install Magisk, then the MagiskTrustUserCerts module, so the Burp or mitmproxy CA lands in the system store. On Android 7 and above, app traffic ignores user CAs unless network_security_config explicitly trusts them, which is why pushing the CA into /system/etc/security/cacerts is mandatory for blackbox testing.
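As an added illustration, not a file from the original post, here is the weak network_security_config.xml shape the static triage bullet warns about, next to a hardened version that keeps the user store out of release builds and pins the API host. api.example.com and the pin digests are placeholders.

```xml
<!-- Weak: explicitly re-enables the user CA store on Android 7+, so a
     Burp or mitmproxy CA installed on the device is trusted and no
     pinning bypass is needed to intercept traffic. -->
<network-security-config>
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
</network-security-config>

<!-- Hardened: system CAs only, SPKI pins for the API host with a backup
     pin and an expiry so a certificate rotation does not brick the app.
     debug-overrides are honoured only when android:debuggable="true",
     which the triage step above checks is absent from release builds.
     Pin values are placeholders, not real digests. -->
<network-security-config>
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>
        <pin-set expiration="2025-12-31">
            <pin digest="SHA-256">PLACEHOLDER_PRIMARY_SPKI_BASE64=</pin>
            <pin digest="SHA-256">PLACEHOLDER_BACKUP_SPKI_BASE64=</pin>
        </pin-set>
    </domain-config>
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
```

Verify the shipped config after apktool d: the decoded res/xml/network_security_config.xml is what the platform enforces, not what sits in the repo.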
Frida Runtime Instrumentation
Push a frida-server build matching the device architecture to /data/local/tmp, chmod 755 it, and run it as root. From the host, frida-ps -U enumerates processes; frida -U -n com.target -l hook.js then attaches your script. The killer move is Java.perform with Java.use to overwrite class methods at runtime, no recompile required.
- Java.perform(function(){ var X = Java.use('okhttp3.CertificatePinner'); X.check.overload('java.lang.String','java.util.List').implementation = function(){}; })
- Universal SSL pinning bypass scripts from frida-codeshare cover OkHttp, TrustManagerImpl, Conscrypt, and Cronet in one shot
- Hook root detection: Java.use('com.example.RootCheck').isRooted.implementation = function(){ return false; }
- Dump WebView calls: hook android.webkit.WebView.loadUrl to expose deep link and OAuth redirect flows
Bypassing Modern Pinning
OkHttp CertificatePinner is the easy case. Harder targets bundle their own pinning in native code via BoringSSL, or use Google Cronet, which routes through quic_transport. For native pinning, use objection android sslpinning disable, which patches in memory, or fall back to a frida-gum Interceptor.attach on SSL_CTX_set_custom_verify. Some banking apps add anti-Frida checks that scan /proc/self/maps for frida-agent: rename the library or use frida-gadget injection.
Pinning is a speed bump, not a wall. Every commercial mobile app I have tested in the last two years fell to either a frida-codeshare one-liner or a 30-line custom hook against the native TLS stack.
Exported Component Abuse
- drozer run app.activity.info -a com.target lists exported activities; many launch with attacker-controlled extras
- Content providers without grantUriPermissions leak SQLite rows via adb shell content query --uri content://com.target.provider/users
- Intent redirection in receivers lets you bridge from a malicious app to a privileged internal activity, classic CVE-2024-0044 style
- Deep links with javascript: or file:// schemes hitting WebView remain a top finding in 2024 bug bounty reports
Real CVEs Worth Studying
- CVE-2024-0044 (Android 12/13 'Dirty Stream' in WorkSource) enabled privilege escalation via app-defined permissions
- CVE-2024-31320 in Android Framework allowed cross-user permission elevation, patched in the April 2024 bulletin
- Samsung CVE-2024-20832 in DSP firmware was reachable from unprivileged apps via a media codec
Defense Recommendations
- Use Play Integrity API server-side, not just client-side, and reject failed verdicts at the API gateway
- Ship native pinning via TrustKit or BoringSSL with no Java fallback path
- Strip debug symbols and apply R8 with aggressive obfuscation, then verify with apktool that strings.xml has no secrets
- Detect Frida by scanning loaded libraries and checking TracerPid in /proc/self/status, and refuse to run if tampering is detected
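An added example, not code from the original post, of the check in the last bullet as a native library would implement it: parse TracerPid out of /proc/self/status and scan the pathname column of /proc/self/maps for instrumentation libraries. The function names, the SUSPICIOUS_LIBS list and the 64 KiB buffer are my assumptions; is_instrumented() is meant to be called from a JNI entry point early in startup.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Name fragments that mark an instrumentation library (assumed list; "frida"
 * covers frida-agent and frida-gadget). Extend per app. */
static const char *const SUSPICIOUS_LIBS[] = { "frida", "linjector", "xposed", NULL };

/* TracerPid from the text of /proc/self/status, or -1 if the field is missing.
 * Nonzero means a ptrace client (debugger or injector) is attached. */
int parse_tracer_pid(const char *status_text) {
    for (const char *l = status_text; l && *l; l = strchr(l, '\n') ? strchr(l, '\n') + 1 : NULL)
        if (strncmp(l, "TracerPid:", 10) == 0)
            return (int)strtol(l + 10, NULL, 10);
    return -1;
}

/* First suspicious name in the pathname column of /proc/self/maps text, or NULL when
 * clean. Only the path (after the last space) is searched, so hex fields cannot match. */
const char *find_suspicious_map(const char *maps_text) {
    for (const char *line = maps_text; line && *line; ) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        const char *path = line;
        for (const char *p = line; p < line + len; p++)
            if (*p == ' ') path = p + 1;
        for (int i = 0; SUSPICIOUS_LIBS[i]; i++) {
            const char *m = strstr(path, SUSPICIOUS_LIBS[i]);
            if (m && m < line + len) return SUSPICIOUS_LIBS[i];
        }
        line = eol ? eol + 1 : NULL;
    }
    return NULL;
}
/* Read a /proc file into buf, NUL-terminated; returns bytes read, 0 on error. */
static size_t slurp(const char *path, char *buf, size_t cap) {
    FILE *f = fopen(path, "r");
    size_t n = f ? fread(buf, 1, cap - 1, f) : 0;
    if (f) fclose(f);
    buf[n] = '\0';
    return n;
}

/* Live check of the running process: 1 if tampered, 0 if clean. */
int is_instrumented(void) {
    static char buf[1 << 16]; /* maps of a large app can exceed this; loop on fread in production */
    int hit = 0;
    if (slurp("/proc/self/status", buf, sizeof buf)) hit |= parse_tracer_pid(buf) > 0;
    if (slurp("/proc/self/maps", buf, sizeof buf)) hit |= find_suspicious_map(buf) != NULL;
    return hit;
}
```

Both checks run inside the process the tester controls, so the same Java.use hooks described earlier can patch them out; treat a hit as one signal feeding the server-side Play Integrity decision rather than the sole gate.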
Toolchain Summary
- apktool, jadx-gui, MobSF for static triage
- Magisk + MagiskTrustUserCerts for CA installation
- Burp Suite or mitmproxy with invisible proxy for traffic capture
- Frida + objection for runtime hooks and method dumping
- drozer for component fuzzing and IPC enumeration
If you can decompile, instrument, and intercept, you can audit any Android target. The mitigations have grown more sophisticated, but the methodology has not changed in five years.