Hooper Labs

Android Hacking


Unpack APK (unzip)

unzip app.apk -d /path/to/directory

External Storage

Files created on external storage such as SD cards are globally readable and writable. Don't store sensitive information here! In addition, you should not store executable or class files because it should be treated as untrusted.


Unpack APK (apktool)

apktool d app.apk

Get package name (reference) from APK

grep "package" ./application/AndroidManifest.xml

Convert smali to dex

fullpath=$(pwd); for file in $(find . -name "*.smali"); do smali a $fullpath/$file; done


List Devices

adb devices

Install App

adb install /path/to/apk

Upload File

adb push /from /to

Download File

adb pull /from /to

Uninstall Package (while specifying session)

adb -s uninstall com.app.local

List Packages

adb shell 'pm list package'

List Running Processes

adb shell 'ps | grep com'

Add a Device

adb connect

Drop Shell on System

adb shell

Drop Shell on an emulated system

adb -s shell

View Android Logs

adb logcat

Install Burp Certificate in Browser

Trusted Cert Location


Downloads Folder Location


Temporary Folder Location


Loot Directories (secrets may be stored here)

/assets, /res/raw

Push Burp Certificate to System Store

adb -s push .\9a5ba575.0 /system/etc/security/cacerts

Remount RO Disk

adb remount

Check for package update functionality



Downloaded 'for personal use'. Created an account and chose existing VirtualBox installation. Clicked the "plus" to add a new device and selected Samsung 10 (2048 MB of memory). Booted up


Jadx (Convert APK to Java)

jadx -d /path/to/output app.apk

Dex2Jar (Convert APK to Jar)

d2j-dex2jar.sh /path/to/app.apk


Java Decompiler for .JAR files

Apktool (convert source to smali)

apktool d file.apk

MARA Framework (Static Analysis)

./mara.sh -s '/path/to/app.apk'

QARK (Static Vulnerability Analysis Tool)

Decompiles/Scans for security issues

MobSF (Mobil Security Framework)

Automated analysis of Android/iOS/Windows for static and dynamic analysis.

Common API Calls

Execute Commands


Execute Commands


Execute Commands



List Symbols from (shared) object files

nm -Ca foo.o

List functions dynamically (only meaningful for dynamic objects such as SO)

nm -D foo.so

List Information about Object

objdump -f foo.so

List (dis)assembly of executable sections

objdump -d foo.so

Generate Assembly

objdump --section=.text -s -d main.o

View GOT

objdump -d -j .got /path/to/bin


adb -s reboot; adb -s install .\UnCrackable-Level1.apk



Frida is a dynamic binary instrumentation tool.

List processes

frida-ps -U -D

Function tracing (traces read and recv functions within Twitter app)

frida-trace -i "recv" -i "read" twitter

Search for Root Detection Method

strings to search: /su,superuser.apk,supersu,busybox

Use Frida to attach to process/inject code

frida -D -l .\fridademo-pinBypass.txt infosecadventures.fridademo

Change arguements of Java Function

(within JS) var ret_value = this.function(2,5); return ret_value;

frida-trace (trace calls to a library)

frida-trace -D <device> -p <pid> -i "libfoo.so!"

frida-trace (trace calls to a library)

frida-trace -D <device> -p <pid> -i "Java_*""

Attach to Frida process and enumerate exports


Repack APK with frida-gadget DLL

objection patchapk -s test_app.apk

Interact with gadget

frida -U gadget



Search for secrets in memory (objection)

memory search secretPass --string