android-pentest


Android Mobile Application Penetration Testing

Thin router for full MASTG-aligned Android assessments via ADB + Frida + Mobile MCP. Load workflow / methodology / reference files on demand; do not attempt to memorise the whole skill up front.

When to Use

  • Start a new Android app security assessment
  • Bypass SSL pinning, root detection, anti-tamper, or biometric checks
  • Extract/triage local storage (SharedPreferences, DBs, files, logs)
  • Test exported activities, services, providers, receivers, deep links
  • Hook crypto / auth / session / keystore at runtime
  • Map a build to OWASP MASVS / MASTG for compliance evidence
  • Produce structured findings + remediation guidance

Trigger Phrases

"pentest this Android app" • "security test the APK" • "bypass SSL pinning on " • "extract data from " • "test Android authentication" • "fuzz Android intents" • "MASTG testing for " • "mobile app security assessment"

When NOT to Use This Skill

  • iOS apps → use ios-pentest (if available) or generic mobile skill
  • Server-side API fuzzing of mobile backends → use api-security / web-pentest
  • Decompiling Android malware for IR → use malware-analysis, not this pentest-focused skill
  • Supply-chain / SCA on third-party SDKs → use sca / dependency-audit
  • Cloud backend of the mobile app → use cloud-pentest

Decision Tree

Do you have the APK or only package name?
├─ package only → get_app_info + pull_apk (parallel), then branch on protections
└─ APK on disk  → static analysis first (jadx, apktool), then dynamic
                 ├─ App runs? → frida_spawn → bypass_ssl → bypass_root → proxy
                 ├─ App crashes on root? → see references/troubleshooting.md (Root detection)
                 └─ TLS still not decrypted? → workflows/ssl_pinning_bypass.md Methods 2→3

What's the objective?
├─ Full assessment          → workflows/complete_assessment.md
├─ SSL pinning only         → workflows/ssl_pinning_bypass.md
├─ Auth / session           → workflows/auth_testing.md
├─ Deep links / IPC / fuzz  → workflows/deeplink_intent_testing.md
├─ Crypto audit             → workflows/crypto_analysis.md
└─ Data storage / exfil     → workflows/data_exfiltration.md

Parallelism Hints

Run concurrently (independent, same device):

  • get_app_info + pull_apk + list_exported_components
  • dump_databases + dump_shared_prefs + dump_internal_storage + dump_external_storage + get_logcat
  • Multiple frida_run_script calls against the same PID (crypto_hooks.js ∥ credential_hooks.js ∥ intent_monitor.js)
  • Static APK analysis (decompile, secrets scan) ∥ dynamic runtime hooks

Must be sequential:

  • frida_spawn → frida_bypass_ssl → frida_bypass_root (scripts need the PID and must attach before the app finishes its protection init)
  • setup_proxy before any traffic-capture or network workflow
  • install_ca_cert before setup_proxy on a fresh device
  • capture_traffic_start → drive app → capture_traffic_stop
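
The ordering rules above can be checked mechanically before an agent issues its tool calls. This is an added example, not code from the skill or from the MCP servers it wires up: it encodes the "must be sequential" edges as a dependency graph, groups independent tools into concurrent waves with Kahn's algorithm, and flags a plan that breaks an edge. Tool names are the page's own; drive_app stands in for the "drive app" step, and treating the "Run concurrently" tools as mutually independent is an assumption.

```python
from collections import defaultdict

# Edge (a, b) means "a must finish before b may start". Taken from the
# "Must be sequential" list; drive_app is an assumed name for "drive app".
SEQUENTIAL_EDGES = [
    ("frida_spawn", "frida_bypass_ssl"),
    ("frida_bypass_ssl", "frida_bypass_root"),
    ("install_ca_cert", "setup_proxy"),
    ("setup_proxy", "capture_traffic_start"),
    ("capture_traffic_start", "drive_app"),
    ("drive_app", "capture_traffic_stop"),
]

# Tools the page lists as safe to run concurrently (assumed independent).
INDEPENDENT = ["get_app_info", "pull_apk", "list_exported_components",
               "dump_databases", "dump_shared_prefs", "get_logcat"]


def schedule_waves(tools, edges):
    """Kahn's algorithm returning execution waves: every tool in a wave has
    all of its predecessors in earlier waves, so a wave can run in parallel."""
    indeg = {t: 0 for t in tools}
    succ = defaultdict(list)
    for a, b in edges:
        indeg.setdefault(a, 0)
        indeg.setdefault(b, 0)
        succ[a].append(b)
        indeg[b] += 1
    wave = sorted(t for t, d in indeg.items() if d == 0)
    waves = []
    while wave:
        waves.append(wave)
        ready = []
        for t in wave:
            for s in succ[t]:
                indeg[s] -= 1
                if indeg[s] == 0:
                    ready.append(s)
        wave = sorted(ready)
    if sum(len(w) for w in waves) != len(indeg):
        raise ValueError("cycle in ordering constraints")  # not every tool got scheduled
    return waves


def ordering_violations(plan, edges):
    """Pairs (before, after) that a linear plan would run in the wrong order."""
    pos = {t: i for i, t in enumerate(plan)}
    return [(a, b) for a, b in edges
            if a in pos and b in pos and pos[a] > pos[b]]
```

Wave 0 holds every independent dump/info call plus frida_spawn and install_ca_cert; the proxy and Frida chains then unfold one step per wave.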

Sub-Agent Delegation

  • Spawn a static-analysis sub-agent on the pulled APK (jadx decompile → secrets grep → manifest review → native-lib inventory) while the main agent runs dynamic Frida hooks. Rejoin before reporting.
  • Spawn a per-component sub-agent when fuzzing many exported components: one agent per activity/provider/service batch; each owns its own Frida PID and logcat filter. Avoids cross-contamination of hook state.
  • Spawn a reporting sub-agent to normalise findings into schemas/finding.json and render templates once the main testing pass completes.

Reasoning Budget

  • Extended thinking (high): triaging findings across evidence, classifying severity, writing CWE/MASTG mappings, designing custom Frida hooks for obfuscated classes, reverse-engineering native SSL-pinning paths.
  • Low / no extended thinking: repetitive Frida hook runs, standard dumps, canned payload fuzzing, applying the universal SSL bypass, invoking known MCP tool sequences.
  • Don't burn tokens reasoning about which universal bypass to try first — just run frida_bypass_ssl(pid) and escalate on failure.

Multimodal Hooks

  • Use Mobile MCP get_screen_state + screenshot for UI-driven auth flows (biometric prompts, OAuth redirects, MFA steps). Attach screenshots as evidence.screenshot on the finding.
  • Capture a screenshot at the point of bypass (e.g., authenticated home screen after biometric spoof) — visual evidence strengthens severity justification.
  • For deep-link repros, screenshot the resulting activity to prove the unintended state is reachable.

Structured Output

All findings MUST validate against schemas/finding.json. Android-specific required/common fields: package_name, app_version, target_sdk, device_id, frida_pid, mastg_id, masvs_control, component.{type,class_name,exported}, evidence.{logcat,frida_output,screenshot,pcap}.
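
A check an agent or the reporting sub-agent can run before emitting a finding. This is an added example, not the project's schema or validator: schemas/finding.json is not on this page, so the field list is taken from the sentence above and every listed field is treated as required (an assumption, since the page says "required/common"); the sample finding and its values are constructed.

```python
# Dotted paths for the Android-specific fields the skill lists for
# schemas/finding.json. Assumption: all are treated as required here.
REQUIRED_PATHS = [
    "package_name", "app_version", "target_sdk", "device_id", "frida_pid",
    "mastg_id", "masvs_control",
    "component.type", "component.class_name", "component.exported",
    "evidence.logcat", "evidence.frida_output", "evidence.screenshot", "evidence.pcap",
]


def _lookup(obj, path):
    """Walk a dotted path through nested dicts; returns (present, value)."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return False, None
        obj = obj[key]
    return True, obj


def validate_finding(finding):
    """Return a list of problems; an empty list means the finding passes."""
    problems = []
    for path in REQUIRED_PATHS:
        present, value = _lookup(finding, path)
        if not present:
            problems.append(f"missing: {path}")
        elif value in (None, ""):
            problems.append(f"empty: {path}")
    present, exported = _lookup(finding, "component.exported")
    if present and not isinstance(exported, bool):
        problems.append("component.exported must be a boolean")
    present, pid = _lookup(finding, "frida_pid")
    if present and not isinstance(pid, int):
        problems.append("frida_pid must be an integer")
    return problems


# Constructed sample finding; values are illustrative, not from a real assessment.
SAMPLE_FINDING = {
    "package_name": "com.example.app", "app_version": "1.2.3", "target_sdk": 34,
    "device_id": "emulator-5554", "frida_pid": 4242,
    "mastg_id": "MASTG-TEST-0001", "masvs_control": "MASVS-STORAGE-1",
    "component": {"type": "activity", "class_name": "com.example.app.MainActivity",
                  "exported": True},
    "evidence": {"logcat": "constructed logcat line", "frida_output": "constructed hook output",
                 "screenshot": "evidence/home.png", "pcap": "evidence/session.pcap"},
}
```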

Workflow Index

| Workflow | When |
|---|---|
| workflows/complete_assessment.md | End-to-end MASTG pass |
| workflows/ssl_pinning_bypass.md | Enable TLS interception |
| workflows/auth_testing.md | Login, session, biometric, JWT |
| workflows/deeplink_intent_testing.md | IPC fuzz, deep links, providers |
| workflows/crypto_analysis.md | Weak algos, hardcoded keys, keystore |
| workflows/data_exfiltration.md | Local storage + logcat leakage |

Methodology Index

| Document | Coverage |
|---|---|
| methodology/recon.md | Info gathering, attack-surface map |
| methodology/static_analysis.md | APK/smali/secrets review |
| methodology/dynamic_analysis.md | Runtime hooking, instrumentation |
| methodology/network_testing.md | Traffic, API, TLS verification |
| methodology/data_storage.md | Local storage, DBs, file perms |
| methodology/crypto_testing.md | Encryption and key management |
| methodology/auth_testing.md | Auth, session, biometric |
| methodology/client_side_injection.md | WebViews, deep links, providers |

Payloads Index

| File | Use |
|---|---|
| payloads/intent_injection.txt | Intent/IPC fuzz inputs |
| payloads/path_traversal.txt | File/provider path escapes |
| payloads/sql_injection.txt | Content provider SQLi |
| payloads/xss_payloads.txt | WebView XSS |
| payloads/xxe_payloads.txt | XML parsers in-app |

Examples Index

| Example | Scenario |
|---|---|
| examples/new_assessment.md | Kickoff blueprint for a new target |
| examples/data_storage_investigation.md | Enumerating local sensitive data |
| examples/auth_bypass.md | Biometric / session / JWT bypass |

References Index

| Document | Coverage |
|---|---|
| references/owasp_mobile_top10.md | OWASP Mobile Top 10 mapping |
| references/android_security_checklist.md | Testing checklist |
| references/frida_snippets.md | Reusable Frida one-liners |
| references/troubleshooting.md | Frida / SSL / root / ADB / SQLCipher fixes |
| references/bounty_patterns_2024_2026.md | Post-2023 bounty TTPs (deep-link hijack / App-Links bypass, WebView deep-link XSS, unprotected broadcast-receiver leakage) |

Checklists

| File | Purpose |
|---|---|
| checklists/owasp_mastg_full.md | Full MASTG compliance |
| checklists/quick_wins.md | Fast-vuln sweep |
| checklists/pre_engagement.md | Setup verification |
| checklists/report_items.md | Report completeness |

Templates

| Template | Purpose |
|---|---|
| templates/finding_template.md | Per-finding doc |
| templates/executive_summary.md | Management summary |
| templates/technical_report.md | Full technical report |
| templates/remediation_guide.md | Developer-facing fixes |

MCP Tool Reference

Device interaction

| Tool | Purpose |
|---|---|
| get_screen_state() | Current screen / UI tree |
| tap_element(x,y) / long_press(x,y) | Tap / long-press |
| input_text(text) | Type into focused field |
| press_key(keycode) | BACK=4 HOME=3 ENTER=66 |
| swipe(x1,y1,x2,y2) | Scroll, pattern unlock |

Frida instrumentation

| Tool | Purpose |
|---|---|
| frida_spawn(pkg) / frida_attach(pkg) | Start or attach |
| frida_run_script(pid, script) | Load JS hooks |
| frida_bypass_ssl(pid) / frida_bypass_root(pid) | Universal bypasses |
| frida_hook_method(pid, class, method) | Trace a single method |
| frida_trace_crypto(pid) / frida_dump_credentials(pid) | Canned traces |
| frida_enumerate_classes(pid, pattern) | Class discovery under obfuscation |
| frida_memory_search(pid, pattern) | Find secrets / keys in process memory |

Network

| Tool | Purpose |
|---|---|
| setup_proxy(device, host, port) / clear_proxy(device) | Proxy wiring |
| install_ca_cert(device, path) | Trust Burp CA (system store) |
| capture_traffic_start(pkg) / capture_traffic_stop() | PCAP |

Data extraction

| Tool | Purpose |
|---|---|
| dump_databases(pkg) / dump_shared_prefs(pkg) | SQLite + prefs |
| dump_internal_storage(pkg) / dump_external_storage(pkg) | Files |
| get_logcat(pkg) | Package-filtered logs |

Components

| Tool | Purpose |
|---|---|
| list_exported_components(pkg) | Attack surface |
| launch_activity(pkg, activity, extras, data_uri) | Deep link / intent |
| send_broadcast(action, extras) | Broadcast injection |
| start_service(pkg, service, extras) | Service abuse |
| query_content_provider(uri) | Provider SQLi / leakage |
| fuzz_intent_extra(pkg, comp, key, payloads) | Automated fuzz |

App management

| Tool | Purpose |
|---|---|
| install_apk(path) / uninstall_app(pkg) | Deploy / remove |
| clear_app_data(pkg) | Fresh state |
| get_app_info(pkg) | Metadata, permissions, SDK |
| list_installed_apps() / pull_apk(pkg) | Discovery / extraction |

Frida Script Library (scripts/)

ssl_pinning_bypass.js, root_bypass.js, crypto_hooks.js, credential_hooks.js, network_hooks.js, biometric_bypass.js, anti_tampering_bypass.js, intent_monitor.js, webview_hooks.js, dynamic_dex_hooks.js, keystore_hooks.js, method_tracer.js.

Tools

| Tool | Purpose | Install |
|---|---|---|
| ADB | Device comms | apt install adb (Android SDK platform-tools) |
| Frida / frida-tools | Dynamic instrumentation | pip install frida-tools (≥16.4) |
| Objection | Mobile exploration | pip install objection |
| apktool | APK decompile | apt install apktool (≥2.9) |
| jadx | Java decompile | github.com/skylot/jadx releases (≥1.5) |
| Burp Suite | Traffic interception | portswigger.net |
| Android Studio | Emulator, SDK | developer.android.com |

Setup scripts: setup/setup_pentest_env.sh, setup/setup_physical_device.sh, setup/setup_emulator.py, setup/frida_server_manager.py, setup/burp_cert_installer.sh, setup/check_environment.py.

MCP servers expected: android-pentest (Android Dynamic MCP), mobile-mcp (mobile-next for UI). Configure in ~/.claude/mcp.json.

Last Validated

2026-04 — minimum versions: Frida ≥16.4, apktool ≥2.9, jadx ≥1.5, Android platform-tools ≥35.

More from hardw00t/ai-security-arsenal

First Seen
Feb 2, 2026