Mobile Security Tools

Android & APK Analysis

APKTool

GitHub: iBotPeaches/Apktool
Purpose: Decode and rebuild Android APKs

Decompile APK to Android resource, dex, and manifest files.

docker run --rm -v $(pwd):/work pentest-tools \
  apktool d app.apk -o app-decompiled

Output:

app-decompiled/
├── AndroidManifest.xml
├── res/
├── smali/  (Dalvik bytecode)
└── resources.arsc

Use Cases:
- Extract API endpoints from code
- Identify hardcoded secrets
- Analyze permissions
- Find authentication mechanisms
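The permission and component review of the decoded AndroidManifest.xml can be scripted. This is an added example, not part of apktool or of the original page; the manifest is a constructed sample and the function names are illustrative.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample standing in for app-decompiled/AndroidManifest.xml
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:debuggable="true" android:allowBackup="true"
      android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter><category android:name="android.intent.category.LAUNCHER"/></intent-filter>
    </activity>
    <activity android:name=".SettingsActivity" android:exported="false"/>
    <service android:name=".SyncService">
      <intent-filter><action android:name="com.example.app.SYNC"/></intent-filter>
    </service>
    <provider android:name=".DataProvider" android:exported="true"
        android:authorities="com.example.app.data"/>
  </application>
</manifest>"""

def is_launcher(comp):
    # The launcher entry point has to be exported, so it is not reported
    return any(c.get(NS + "name") == "android.intent.category.LAUNCHER"
               for c in comp.iter("category"))

def audit_manifest(xml_text):
    """Return (permissions, findings) for a decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    perms = [p.get(NS + "name") for p in root.iter("uses-permission")]
    findings = []
    app = root.find("application")
    for flag in ("debuggable", "allowBackup", "usesCleartextTraffic"):
        if app is not None and app.get(NS + flag) == "true":
            findings.append(f"application {flag}=true")
    for tag in ("activity", "service", "receiver", "provider"):
        for comp in root.iter(tag):
            exported = comp.get(NS + "exported")
            # No attribute plus an intent-filter meant exported by default before API 31
            implicit = exported is None and comp.find("intent-filter") is not None
            reachable = exported == "true" or implicit
            if reachable and not is_launcher(comp) and not comp.get(NS + "permission"):
                findings.append(f"{tag} {comp.get(NS + 'name')} exported, no permission")
    return perms, findings

if __name__ == "__main__":
    print(audit_manifest(SAMPLE))
```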


JADX (JAva Decompiler)

GitHub: skylot/jadx
Purpose: Decompile Java/Android bytecode to readable source

Most accurate Java decompiler.

docker run --rm -v $(pwd):/work pentest-tools \
  jadx -d output app.apk

Features:
- Human-readable Java code
- More readable than smali (bytecode)
- GUI and CLI versions
- Supports DEX, APK, OAT, JAR

Output: Java source code (readable)
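Once JADX has produced source files, the review for hardcoded endpoints and secrets before release can be a pattern scan over the output tree. This is an added example, not part of JADX or of the original page; the patterns, the sample file and the function names are constructed for illustration.

```python
import os, re, tempfile

PATTERNS = {
    "url": re.compile(r"https?://[^\s\"'<>]+"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "assigned_secret": re.compile(
        r"\b(?:api[_-]?key|secret|token|passw(?:or)?d)\w*\s*=\s*\"([^\"]{8,})\"",
        re.IGNORECASE),
}

# Constructed sample; none of these values are real credentials
SAMPLE_JAVA = '''public class Config {
    static final String BASE = "https://api.example.com/v1/";
    static final String API_KEY = "EXAMPLE-not-a-real-key-0000";
    static final String AWS = "AKIAEXAMPLEEXAMPLE00";
}
'''

def scan_tree(root):
    """Walk decompiled sources; return sorted (relative path, line, kind, match)."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith((".java", ".xml", ".json", ".properties")):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    for kind, rx in PATTERNS.items():
                        for m in rx.finditer(line):
                            # Report the captured value when the pattern has a group
                            hits.append((rel, lineno, kind, m.group(m.lastindex or 0)))
    return sorted(hits)

def demo():
    """Scan a constructed one-file tree standing in for JADX's output directory."""
    with tempfile.TemporaryDirectory() as root:
        pkg = os.path.join(root, "sources", "com", "example", "app")
        os.makedirs(pkg)
        with open(os.path.join(pkg, "Config.java"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_JAVA)
        return scan_tree(root)

if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Against a real tree, call scan_tree("output") on the directory passed to jadx -d.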


DEX2JAR

GitHub: ThexXTURBOXx/dex2jar
Purpose: Convert DEX (Dalvik Executable) to JAR

Alternative to JADX for code analysis.

docker run --rm -v $(pwd):/work pentest-tools \
  d2j-dex2jar.sh app.apk -o app.jar

Then decompile JAR using JD-GUI or CFR.


Androguard

GitHub: androguard/androguard
Purpose: Python library for Android analysis

Programmatic APK/DEX analysis and statistics.

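# -i keeps stdin open so the heredoc reaches the Python interpreter
docker run --rm -i -v $(pwd):/work pentest-tools \
  /opt/pentest-venv/bin/python3 << 'PYEOF'
from androguard.misc import AnalyzeAPK
# a = APK object, d = list of DEX objects, dx = Analysis object
a, d, dx = AnalyzeAPK("app.apk")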
print("Package:", a.get_package())
print("Permissions:", a.get_permissions())
print("Activities:", a.get_activities())
PYEOF

Analysis:
- Package info
- Permissions analysis
- Activities, services, receivers
- Hardcoded strings/secrets
- API calls


Runtime Analysis

Frida

GitHub: frida/frida
Purpose: Dynamic instrumentation framework

Inject code into running Android processes.

# List processes
docker run --rm -v $(pwd):/work pentest-tools \
  frida-ps -U

# Hook function
frida -U -f com.example.app -l hook.js

Script Example (hook.js):

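// Hook a Java constructor
Java.perform(function() {
  var String = Java.use('java.lang.String');
  // $new has several overloads, so select one explicitly: String(byte[])
  String.$new.overload('[B').implementation = function(bytes) {
    // Call the original constructor first, then log the resulting string
    var created = this.$new(bytes);
    console.log('String created:', created.toString());
    return created;
  };
});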

Use Cases:
- Hook authentication functions
- Monitor network requests
- Bypass client-side validation
- Decrypt stored data


Objection

GitHub: sensepost/objection
Purpose: Runtime mobile security testing toolkit

Built on Frida, with a simpler interface for common tasks.

docker run --rm -v $(pwd):/work pentest-tools \
  objection -g com.example.app explore

Commands:
- android hooking list classes — List all classes
- android memory list — Dump memory
- android keystore list — Dump keystores
- android root bypass — Root detection bypass


MobSF (Mobile Security Framework)

GitHub: MobSFTeam/Mobile-Security-Framework-MobSF
Purpose: Automated mobile security testing framework

Web-based framework for APK/IPA analysis.

docker run --rm -it -p 8000:8000 \
  mobsf
# Then upload APK via web UI

Features:
- Static analysis
- Dynamic analysis
- Malware detection
- Permission analysis
- Code quality checks


iOS & IPA Analysis

Plistutil

GitHub: plist/plistutil
Purpose: Extract and analyze iOS plist files

docker run --rm -v $(pwd):/work pentest-tools \
  plistutil -i app.plist -o app.json

iOS Plist Files:
- Info.plist — App configuration
- Entitlements.plist — App capabilities
- Keychain.plist — Stored credentials
- Preferences/settings
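Info.plist and the entitlements carry settings worth checking on every build: App Transport Security exceptions, registered URL schemes and the debug entitlement. This is an added example, not part of plistutil or of the original page; it reads XML or binary plists with Python's standard plistlib, and the two plists are constructed samples.

```python
import plistlib

# Constructed samples standing in for an app's Info.plist and entitlements
INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.app</string>
  <key>NSAppTransportSecurity</key><dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSExceptionDomains</key><dict>
      <key>api.example.com</key><dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
      </dict>
    </dict>
  </dict>
  <key>CFBundleURLTypes</key><array><dict>
    <key>CFBundleURLSchemes</key><array><string>exampleapp</string></array>
  </dict></array>
</dict></plist>"""

ENTITLEMENTS = b"""<plist version="1.0"><dict>
  <key>get-task-allow</key><true/>
  <key>keychain-access-groups</key><array><string>TEAMID.com.example.app</string></array>
</dict></plist>"""

def audit_info(data):
    """Return findings for Info.plist bytes (XML or binary format)."""
    info = plistlib.loads(data)
    findings = []
    ats = info.get("NSAppTransportSecurity", {})
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("ATS disabled globally (NSAllowsArbitraryLoads)")
    for domain, cfg in ats.get("NSExceptionDomains", {}).items():
        if cfg.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(f"cleartext HTTP allowed for {domain}")
    for url_type in info.get("CFBundleURLTypes", []):
        for scheme in url_type.get("CFBundleURLSchemes", []):
            findings.append(f"custom URL scheme registered: {scheme}")
    return findings

def audit_entitlements(data):
    """Return findings for entitlements plist bytes."""
    ent = plistlib.loads(data)
    findings = []
    if ent.get("get-task-allow"):
        findings.append("get-task-allow set: debugger can attach (development build)")
    return findings

if __name__ == "__main__":
    print(audit_info(INFO_PLIST) + audit_entitlements(ENTITLEMENTS))
```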


IDA Pro / Ghidra

Tool: IDA Pro (commercial) / Ghidra (open-source)
Purpose: Disassembly and reverse engineering

Binary analysis for iOS/Android native code.

Ghidra (open-source):
- NSA Ghidra
- Free alternative to IDA Pro
- Supports ARM (iOS native code)


Network Analysis

Wireshark

GitHub: wireshark/wireshark
Purpose: Network packet capture and analysis

Capture mobile traffic for API analysis.

# Capture traffic
docker run --rm -v $(pwd):/work pentest-tools \
  tcpdump -i eth0 -w capture.pcap

# Analyze with Wireshark (desktop)
wireshark capture.pcap

Filters:
- http — HTTP traffic
- http.request.method == "POST" — POST requests
- json — JSON payloads
- tls — Encrypted HTTPS


APK Signing

Uber APK Signer

GitHub: patrickfav/uber-apk-signer
Purpose: Sign and resign APKs for testing

Modified APKs must be re-signed to install.

docker run --rm -v $(pwd):/work pentest-tools \
  uber-apk-signer-linux.jar \
  --apks app-modified.apk

Output: app-modified-aligned-debugSigned.apk


ADB (Android Debug Bridge)

ADB Commands

Tool: Android SDK standard tool

# List connected devices
adb devices

# Install APK
adb install app.apk

# Forward port
adb forward tcp:8080 tcp:8080

# Access shell
adb shell

# Capture logcat
adb logcat > logs.txt

# Pull files from the app's private data directory
adb pull /data/data/com.example.app/files output/

Summary Table

| Tool | Purpose | Platform |
|---|---|---|
| APKTool | Decode APK | Android |
| JADX | Decompile to Java | Android |
| Androguard | Programmatic analysis | Android |
| Frida | Dynamic instrumentation | Android/iOS |
| Objection | Frida wrapper | Android/iOS |
| MobSF | Automated testing | Android/iOS |
| Plistutil | Plist extraction | iOS |
| Wireshark | Network capture | Both |
| ADB | Device control | Android |