Android Hacking

Unpack APK (unzip)

	unzip app.apk -d /path/to/directory

External Storage

	Files created on external storage such as SD cards are globally readable and writable. Don't store sensitive information here! In addition, don't store executable or class files there, because anything loaded from external storage must be treated as untrusted.


Unpack APK (apktool)

	apktool d app.apk

Get package name (reference) from APK

	grep "package" ./application/AndroidManifest.xml

Convert smali to dex

	smali a ./smali -o classes.dex    # assembles the whole smali/ tree (apktool output) into one dex; running smali once per file would overwrite out.dex on every iteration


List Devices

	adb devices

Install App

	adb install /path/to/apk

Upload File

	adb push /from /to

Download File

	adb pull /from /to

Uninstall Package (while specifying the device serial)

	adb -s <serial> uninstall com.app.local

List Packages

	adb shell 'pm list packages'

List Running Processes

	adb shell 'ps | grep com'

Add a Device

	adb connect <host>:<port>

Drop Shell on System

	adb shell

Drop Shell on a specific device, e.g. an emulator (selected by serial)

	adb -s <serial> shell

Install Burp Certificate in Browser

Loot Directories (secrets may be stored here)

	/assets, /res/raw

Push Burp Certificate to System Store

	adb -s <serial> push ./9a5ba575.0 /system/etc/security/cacerts/

Remount /system Read-Write (requires adbd running as root, e.g. after `adb root` on a rooted or userdebug build)

	adb remount

Jadx (Convert APK to Java)

	jadx -d /path/to/output app.apk

Dex2Jar (Convert APK to Jar)

	d2j-dex2jar.sh /path/to/app.apk


	Java Decompiler for .JAR files

Apktool (decode APK resources and dex into smali)

	apktool d file.apk

MARA Framework (Static Analysis)

	./mara.sh -s '/path/to/app.apk'

QARK (Static Vulnerability Analysis Tool)

	Decompiles/Scans for security issues

MobSF (Mobile Security Framework)

	Automated static and dynamic analysis of Android/iOS/Windows apps.

Common API Calls

Execute Commands


List Symbols from (shared) object files

	nm -Ca foo.o

List dynamic symbols (only meaningful for dynamic objects such as .so files)

	nm -D foo.so

List Information about Object

	objdump -f foo.so

List (dis)assembly of executable sections

	objdump -d foo.so

Generate Assembly

	objdump --section=.text -s -d main.o

View GOT

	objdump -d -j .got /path/to/bin


	adb -s <serial> reboot; adb -s <serial> install ./UnCrackable-Level1.apk



	Frida is a dynamic binary instrumentation tool.

List processes

	frida-ps -U -D

Function tracing (traces read and recv functions within Twitter app)

	frida-trace -i "recv*" -i "read*" *twitter*

Search for Root Detection Method

	strings to search: /su,superuser.apk,supersu,busybox
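Added example (not part of the original notes): a small Python triage script that walks an apktool-decoded tree, flags hardcoded credential patterns inside the loot directories (/assets, /res/raw) and locates the root-detection strings listed above, so a team can verify before release what an app ships and where its root checks live. The sample tree it builds is constructed here; the file names, class name and key-like values are placeholders, not from any real app.

```python
import re
import tempfile
from pathlib import Path

# Paths inside a decoded (apktool) tree that commonly carry bundled secrets.
LOOT_DIRS = ("assets", "res/raw")

# Root-detection strings from the note above, and a few patterns that
# indicate hardcoded credentials or keys (constructed, not exhaustive).
ROOT_MARKERS = ("/su", "superuser.apk", "supersu", "busybox")
SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"AKIA[0-9A-Z]{16}"),
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "password_assignment": re.compile(r"(?i)(password|passwd|secret)\s*[:=]\s*\S+"),
}


def scan_decoded_apk(root):
    """Walk a decoded APK tree; return {"secrets": [...], "root_markers": [...]}."""
    root = Path(root)
    findings = {"secrets": [], "root_markers": []}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        try:
            text = path.read_text(errors="ignore")  # binaries are read loosely
        except OSError:
            continue
        rel = path.relative_to(root).as_posix()
        # Credential patterns are only flagged inside the loot directories.
        if any(rel.startswith(d + "/") for d in LOOT_DIRS):
            for name, pat in SECRET_PATTERNS.items():
                for m in pat.finditer(text):
                    findings["secrets"].append((rel, name, m.group(0)))
        # Root-detection markers anywhere (smali, resources) show where checks live.
        for marker in ROOT_MARKERS:
            if marker in text:
                findings["root_markers"].append((rel, marker))
    return findings


def build_sample_tree():
    """Constructed stand-in for `apktool d` output (placeholder files, not a real app)."""
    tmp = tempfile.mkdtemp(prefix="apk_scan_")
    samples = {
        "assets/config.properties": "api.password=hunter2\nAWS_KEY=AKIAIOSFODNN7EXAMPLE\n",
        "res/raw/notes.txt": "nothing to see here\n",
        "smali/com/example/RootCheck.smali": 'const-string v0, "/system/xbin/busybox"\n',
    }
    for rel, body in samples.items():
        p = Path(tmp, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)
    return tmp
```

Point it at a real `apktool d` output directory with `scan_decoded_apk("/path/to/decoded")`; the smali hit tells you which class to review for the root check.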

Use Frida to attach to process/inject code

	frida -D <device> -l ./fridademo-pinBypass.txt infosecadventures.fridademo

Change arguments of a Java Function

	(in JS, inside the hooked method's .implementation) var ret_value = this.function(2, 5); return ret_value;    // this.function() calls the original method with the replaced arguments

frida-trace (trace calls to a library)

	frida-trace -D <device> -p <pid> -i "libfoo.so!"

	frida-trace -D <device> -p <pid> -i "Java_*"


Repack APK with the frida-gadget shared library (.so)

	objection patchapk -s test_app.apk

Interact with gadget

	frida -U gadget



Search for secrets in memory (objection)

	memory search secretPass --string