18 changes: 18 additions & 0 deletions src/mobile-pentesting/android-app-pentesting/README.md
Expand Up @@ -64,6 +64,23 @@ java -jar uber-apk-signer.jar -a merged.apk --allowResign -o merged_signed
- Endpoints: `http://<device-ip>:8080/` (UI), `http://<device-ip>:8080/api/json` (API listing), `http://<device-ip>:8080/api/swagger` (Swagger).
- Emulator port-forward to reach UI/API from the host: `adb forward tcp:8080 tcp:8080` then browse `http://localhost:8080`.


## On-device Android pentest toolchains (AndroHunter)

- Android on-device toolkit focused on **exported component abuse**, **ContentProvider exposure/SQLi**, **FileProvider path misconfigurations**, **SSL pinning bypass**, and **runtime instrumentation**. Designed to work **without root** for most features.
- Static mapping: **Manifest** parsing (exported components, deep links, permissions) and **DEX string scanning** for hardcoded secrets to pivot into dynamic tests.
- Dynamic modules: **Intent/Activity/Broadcast fuzzers**, **ContentProvider SQLi probes**, **FileProvider path analysis + traversal tester** (real reads via ContentResolver), and a **shared preferences reader** (`run-as` when debuggable, `dumpsys` fallback).
- Runtime helpers: **Frida script generator** (SSL pinning, root checks, crypto/SQL/HTTP monitoring) and a multi‑method SSL pinning bypass guide.
- Built‑in HTTP proxy on `127.0.0.1:8877` with request capture and **curl** replay generation.

Examples of generated reproduction commands:

```bash
adb shell am start -n com.target/.ExportedActivity --es data "payload"
adb shell content read --uri "content://com.target.provider/path"
frida -U -f com.target.app -l script.js --no-pause
```

## Android Enterprise & Work Profile Attacks

{{#ref}}
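Review bot: the new section's heading says "toolchains" (plural) but the bullets describe a single tool, AndroHunter, and the only link to it is added far away in the references list at the bottom of the file; put the repository link in the heading or the first bullet (e.g. `## On-device Android pentest toolchain (AndroHunter)` followed by `- [AndroHunter](https://github.com/ynsmroztas/AndroHunter) is an Android on-device toolkit ...`) so readers of this section can find the project. Two style points in the same hunk: there are two consecutive blank lines before the heading where the rest of the file uses one, and "multi‑method" / "Built‑in" use a non-breaking hyphen character rather than a plain ASCII `-`, which renders inconsistently and breaks text search; replace them with regular hyphens. Finally, the "Examples of generated reproduction commands" block uses placeholder values (`com.target`, `"payload"`, `script.js`); a one-line sentence saying these are placeholders the tool fills in from its manifest mapping would make the reproduction steps clearer.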
Expand Down Expand Up @@ -900,5 +917,6 @@ AndroL4b is an Android security virtual machine based on ubuntu-mate includes th
- [Build a Repeatable Android Bug Bounty Lab: Emulator vs Magisk, Burp, Frida, and Medusa](https://www.yeswehack.com/learn-bug-bounty/android-lab-mobile-hacking-tools)
- [CoRPhone — Android in-memory JNI execution and packaging pipeline](https://github.com/0xdevil/corphone)
- [Jezail rooted Android pentesting toolkit (REST API + Flutter UI)](https://github.com/zahidaz/jezail)
- [AndroHunter](https://github.com/ynsmroztas/AndroHunter)

{{#include ../../banners/hacktricks-training.md}}
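Review bot: the new reference entry `- [AndroHunter](https://github.com/ynsmroztas/AndroHunter)` gives only the project name, while the neighbouring entries in this list carry a short description of what the link is (e.g. "Jezail rooted Android pentesting toolkit (REST API + Flutter UI)"); match that convention with something like `- [AndroHunter on-device Android pentest toolkit (no root required for most features)](https://github.com/ynsmroztas/AndroHunter)`, reusing the wording from the section added earlier in this patch.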