---
name: dragonjar-android-pentesting-skill
description: Comprehensive Android APK security analysis with static/dynamic testing, RASP detection, Frida instrumentation, and MASVS compliance scoring
triggers:
- audit this Android APK for security vulnerabilities
- analyze this APK with MASVS scoring and runtime defense analysis
- bypass SSL pinning and root detection in this Android app
- detect RASP protections and generate Frida bypass scripts
- decompile this APK and find hardcoded secrets
- run static and dynamic analysis on this Android application
- trace data flows and validate security controls in this APK
- generate a pentesting report for this Android app
---
# DragonJAR Android Pentesting Skill
> Skill by [ara.so](https://ara.so) — Security Skills collection.
This skill provides comprehensive Android APK security analysis capabilities for AI agents, combining static analysis, dynamic instrumentation with Frida, RASP detection, authorized bypass validation, source-to-sink tracing, MASVS scoring, and professional reporting in a unified workflow.
## What This Skill Does
Transforms an AI agent into an expert Android security auditor capable of:
- **APK Analysis**: Decode APKs with APKTool, decompile with JADX, detect frameworks with APKiD
- **Static Security Analysis**: 50+ manifest checks, 70+ Semgrep MASTG rules, secret detection, obfuscation analysis
- **Dynamic Instrumentation**: 37 Frida scripts for SSL pinning bypass, root detection bypass, crypto interception
- **Runtime Defense Analysis (RDA)**: Detect 18 protection categories (RootBeer, SafetyNet, Frida detection, RASP, etc.)
- **RASP Bypass**: Authorized bypass runner with reusable profiles, DRY workflow
- **Data Flow Tracing**: Source-to-sink methodology with confidence levels
- **MASVS Compliance**: Automated scoring against OWASP MASVS controls with CVSS 4.0
- **APK Modification**: Smali patching, repackaging, signing, validation
## Installation
### Prerequisites
Install required tools (Linux/macOS):
```bash
# APKTool (3.0.1+)
brew install apktool
# JADX (1.5.5+)
brew install jadx
# Android SDK Platform Tools
brew install --cask android-platform-tools
# Frida (17.9+)
pip3 install frida-tools
# Objection (1.12.4+)
pip3 install objection
# APKiD (3.0.0+)
pip3 install apkid
# Semgrep (optional, for SAST)
brew install semgrep
```
### Skill Installation
```bash
# Clone into your agent's skills directory
cd ~/.agents/skills/
git clone https://github.com/DragonJAR/Android-Pentesting-Skill dragonjar-android-pentesting
# Or clone to any location and add to agent skill path
git clone https://github.com/DragonJAR/Android-Pentesting-Skill.git
```
### Verification
```bash
# Verify all dependencies are installed
cd dragonjar-android-pentesting
python3 scripts/06-setup/preflight-check.py
# Expected output:
# ✅ APKTool 3.0.1 found
# ✅ JADX 1.5.5 found
# ✅ Frida 17.9.4 found
# ✅ All dependencies satisfied
```
## Core Workflows
### 1. Basic APK Security Audit
```bash
# Full static analysis with Semgrep enrichment
bash scripts/auto-audit-static.sh /path/to/app.apk --semgrep
# Output includes:
# - Manifest security issues (exported components, permissions)
# - Hardcoded secrets (API keys, passwords, tokens)
# - Insecure crypto usage
# - WebView vulnerabilities
# - Intent injection risks
# - Findings report in findings-merged.json
```
**Example findings output:**
```json
{
"findings": [
{
"id": "HARD-001",
"severity": "CRITICAL",
"title": "Hardcoded API Key in Source Code",
"owasp_mobile": "M1",
"masvs_control": "MASVS-STORAGE-1",
"cvss": "9.1 (CRITICAL)",
"location": "com/example/app/Config.java:42",
"evidence": "private static final String API_KEY = \"sk_live_...\";",
"remediation": "Remove the key from the APK entirely: BuildConfig constants are compiled into the DEX and are just as extractable. Proxy the call through your own backend, or hand the client a short-lived per-user token at runtime."
}
]
}
```
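The "exported components" manifest check named in the output list above, written out as an added example; it is not part of the DragonJAR skill, whose own check logic is not shown on this page. It is a line-oriented awk pass over the AndroidManifest.xml that apktool writes, so it assumes apktool's one-element-per-line layout with attributes inline; the manifest it builds for its self-test is constructed. A launcher activity is listed like any other, so the output is triage input, not a finding list.

```shell
#!/usr/bin/env bash
# Added example, not code from the DragonJAR skill: list manifest components
# that any third-party app can invoke. Reads AndroidManifest.xml as apktool
# decodes it (one element per line, attributes inline), which is what makes
# a line-oriented check safe. The manifest used by the self-test is constructed.
set -eu

# exported_unprotected MANIFEST -> one "kind name" line per component that is
# reachable from other apps and not guarded by android:permission:
#  - android:exported="true" with no permission, or
#  - no android:exported attribute but an <intent-filter> child (for targets
#    below API 31 that implies exported="true"; API 31+ rejects the omission).
exported_unprotected() {
  awk '
    # value of attribute KEY on LINE, or "" when absent
    function attr(line, key,    r) {
      if (match(line, key "=\"[^\"]*\"")) {
        r = substr(line, RSTART, RLENGTH)
        sub("^[^\"]*\"", "", r); sub("\"$", "", r)
        return r
      }
      return ""
    }
    /<(activity|activity-alias|service|receiver|provider)[ >]/ {
      kind = $0; sub(/^[[:space:]]*</, "", kind); sub(/[ >].*/, "", kind)
      name = attr($0, "android:name")
      exported = attr($0, "android:exported")
      perm = attr($0, "android:permission")
      selfclosing = ($0 ~ /\/>[[:space:]]*$/)
      if (exported == "true" && perm == "") print kind, name
      # implicit export: decided when an intent-filter child shows up
      if (exported == "" && !selfclosing && perm == "") pending = kind " " name
      else pending = ""
      next
    }
    pending != "" && /<intent-filter/ { print pending; pending = "" }
    /<\/(activity|activity-alias|service|receiver|provider)>/ { pending = "" }
  ' "$1" | sort -u
}

# count_exported_unprotected MANIFEST -> number of such components (0 when clean)
count_exported_unprotected() { exported_unprotected "$1" | grep -c . || true; }

# Self-test input: a constructed manifest mixing safe and risky declarations.
make_sample_manifest() {
  cat > "$1" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
    <application android:name=".App">
        <activity android:name=".MainActivity" android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <activity android:name=".DeepLinkActivity" android:exported="true"/>
        <activity android:name=".AdminActivity" android:exported="true" android:permission="com.example.app.ADMIN"/>
        <service android:name=".SyncService" android:exported="false"/>
        <receiver android:name=".LegacyReceiver">
            <intent-filter>
                <action android:name="com.example.app.REFRESH"/>
            </intent-filter>
        </receiver>
        <provider android:name=".DataProvider" android:authorities="com.example.app.data" android:exported="true" android:grantUriPermissions="true"/>
    </application>
</manifest>
EOF
}

m="$(mktemp)"
make_sample_manifest "$m"
exported_unprotected "$m"   # run it on decoded/AndroidManifest.xml for a real target
```

On the constructed manifest this reports the two exported activities, the provider, and the receiver whose export is implied by its intent-filter, and stays silent on the permission-guarded AdminActivity and the non-exported service. Each hit still needs the usual follow-up: what the component does with untrusted extras, and whether the provider grants URI permissions on sensitive paths.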
### 2. Runtime Defense Analysis (RASP Detection)
```bash
# Detect runtime protections with passive + active modes
bash scripts/02-rasp/runtime-defense-analyzer.sh \
/path/to/app.apk \
com.example.app \
--active-mode \
--authorized-lab \
--output findings-rda.json
# Catalog includes 18 protection categories:
# - Root detection (RootBeer, custom native)
# - Emulator detection
# - Debug detection
# - Frida/instrumentation detection
# - Screenshot/screenrecord blocking
# - SafetyNet / Play Integrity
# - Commercial RASP (Talsec, AppSealing, DexGuard, etc.)
```
**RDA output structure:**
```json
{
"detectors": {
"rootbeer": {
"status": "DETECTED",
"confidence": "high",
"evidence": "RootBeer.isRooted() returns true",
"bypass_profile": "rootbeer_standard"
},
"ssl_pinning": {
"status": "DETECTED",
"implementation": "OkHttp3 CertificatePinner",
"bypass_profile": "ssl_okhttp3"
}
}
}
```
### 3. RASP Bypass Workflow (DRY Pattern)
```bash
# 1) List available bypass profiles
bash scripts/02-rasp/rasp-bypass-runner.sh --list-profiles
# Output:
# Available profiles:
# - rootbeer_standard (RootBeer library bypass)
# - ssl_okhttp3 (OkHttp3 SSL pinning)
# - ssl_trustmanager (TrustManager bypass)
# - frida_detection (Anti-Frida bypass)
# - emulator_detection (Emulator checks bypass)
# 2) Generate bypass command from RDA findings (print only)
bash scripts/02-rasp/rasp-bypass-runner.sh \
--package com.example.app \
--from-rda findings-rda.json \
--print-command
# Output:
# frida -U -f com.example.app \
# -l assets/frida-scripts/android-root-bypass-advanced.js \
# -l assets/frida-scripts/ssl-pinning-bypass.js \
# --no-pause
# 3) Execute bypass in authorized lab environment
bash scripts/02-rasp/rasp-bypass-runner.sh \
--package com.example.app \
--from-rda findings-rda.json \
--run \
--authorized-lab
# Launches Frida with combined bypass scripts
```
**Important**: Client-side bypasses do NOT forge server-side attestation. For Play Integrity, SafetyNet, Approov, or similar backend-enforced controls, use an authorized test tenant, backend allowlist, or approved lab configuration.
### 4. SSL Pinning Bypass
```bash
# Universal SSL pinning bypass (30+ implementations)
python3 scripts/07-tools/frida-exploit-helper.py \
-p com.example.app \
--script ssl-pinning-bypass
# Supports:
# - OkHttp3 CertificatePinner
# - TrustManager custom implementations
# - WebView SSL error handlers
# - React Native ssl-pinning libraries
# - Flutter BoringSSL (native hooks)
# - Cordova SSL plugins
```
### 5. Framework-Specific Analysis
#### React Native
```bash
# Detect React Native and extract JavaScript bundle
bash scripts/auto-audit-static.sh /path/to/app.apk
# Automatically:
# - Detects libreactnativejni.so
# - Extracts assets/index.android.bundle
# - Scans bundle for hardcoded secrets
# - Analyzes Metro bundler output
```
**Hook React Native bridge:**
```javascript
// assets/frida-scripts/react-native-bridge-hook.js
// Classic-bridge apps only: bridgeless (new architecture) builds have no
// CatalystInstanceImpl. jniCallJSFunction is declared native in Java, which
// Frida can still replace; args is a NativeArray, so call toString() on it
// rather than JSON.stringify(), which only sees the Java wrapper object.
Java.perform(function () {
  var CatalystInstanceImpl = Java.use('com.facebook.react.bridge.CatalystInstanceImpl');
  CatalystInstanceImpl.jniCallJSFunction.implementation = function (module, method, args) {
    console.log('[RN Bridge] ' + module + '.' + method);
    console.log('[RN Bridge] Args: ' + (args === null ? 'null' : args.toString()));
    return this.jniCallJSFunction(module, method, args);
  };
});
```
#### Flutter
```bash
# Flutter uses Dart AOT compilation and native BoringSSL
# Standard Java SSL hooks won't work
# Use Blutter for Dart code extraction (it takes the ABI directory holding
# libapp.so and libflutter.so, not the .so file itself)
python3 tools/blutter/blutter.py lib/arm64-v8a output/
# Hook native SSL functions
python3 scripts/07-tools/frida-exploit-helper.py \
-p com.example.flutter \
--script flutter-ssl-bypass
# Hooks:
# - SSL_CTX_set_custom_verify (certificate validation)
# - SSL_read / SSL_write (traffic interception)
```
### 6. Data Flow Tracing
```bash
# Phase 3: Source-to-sink analysis
# Automatically runs during static audit
# Example traced flows:
# - User input → SQL query (SQL injection risk)
# - Intent extras → WebView.loadUrl (open redirect)
# - SharedPreferences → network (data leakage)
# - File paths → external storage (path traversal)
```
**Flow confidence levels:**
- `CONFIRMED`: Direct observable flow without conditions
- `LIKELY`: Flow with minimal conditional branches
- `POSSIBLE`: Flow through complex logic, needs dynamic validation
### 7. MASVS Compliance Scoring
```bash
# Calculate OWASP MASVS compliance score
python3 scripts/05-reporting/masvs-scorer.py findings-merged.json
# Output:
# MASVS Score: 72.6/100 (Grade: C)
# Controls Passed: 16/23
# Controls Failed: 7
#
# Critical Failures:
# - MASVS-STORAGE-1: Hardcoded secrets in code
# - MASVS-CRYPTO-1: Weak cryptographic algorithms
#
# Recommendations:
# - Implement secure credential storage (Android Keystore)
# - Upgrade to AES-256-GCM for encryption
```
### 8. APK Modification Workflow
```bash
# Decode APK
apktool d -f -o decoded/ /path/to/app.apk
# Modify smali code (example: disable root check)
# Edit decoded/smali/com/app/RootDetector.smali
# Change: const/4 v0, 0x1 (return true)
# To: const/4 v0, 0x0 (return false)
# Rebuild APK
apktool b decoded/ -o app-modified.apk
# Align and sign
zipalign -v -p 4 app-modified.apk app-aligned.apk
apksigner sign --ks ~/.android/debug.keystore \
--ks-pass pass:android \
--out app-signed.apk \
app-aligned.apk
# Verify signature
apksigner verify --verbose app-signed.apk
```
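The patch above flips one `const/4`; real detectors usually combine several checks across registers, so the patch that survives contact with actual code is to replace the whole method body with a stub that returns the wanted value. What follows is an added example, not code from the DragonJAR skill: `stub_bool_method` rewrites the body of one boolean method in a decoded smali file, `method_body` lets you confirm what will be compiled back in before running `apktool b`, and `repack_and_sign` wraps the zipalign/apksigner steps from this section. The `RootDetector.smali` it generates for its self-test is constructed.

```shell
#!/usr/bin/env bash
# Added example, not code from the DragonJAR skill: stub a boolean smali
# method so it always returns a fixed value, and verify the patch before
# rebuilding. Paths follow the layout `apktool d` produces; the smali file
# written by make_sample is constructed, not taken from a real app.
set -eu

# stub_bool_method FILE 'name(args)Z' 0x0|0x1
# Replaces the entire body of the method whose descriptor matches, keeping the
# original .method line (visibility, static, final) and .end method intact.
stub_bool_method() {
  local file="$1" desc="$2" value="$3"
  case "$desc" in *')Z') ;; *) echo "refusing: $desc does not return boolean" >&2; return 2;; esac
  case "$value" in 0x0|0x1) ;; *) echo "value must be 0x0 or 0x1" >&2; return 2;; esac
  grep -q -- "^\.method .*[[:space:]]${desc}\$" "$file" || { echo "$desc not found in $file" >&2; return 1; }
  awk -v d="$desc" -v v="$value" '
    $1 == ".method" && $NF == d {
      print; print "    .locals 1"; print "    const/4 v0, " v; print "    return v0"
      skip = 1; next
    }
    skip && $1 == ".end" && $2 == "method" { print; skip = 0; next }
    skip { next }
    { print }
  ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# method_body FILE 'name(args)Z' -> the instructions inside that method,
# leading whitespace stripped, so the patch can be checked before apktool b.
method_body() {
  awk -v d="$2" '
    $1 == ".method" && $NF == d { inside = 1; next }
    inside && $1 == ".end" && $2 == "method" { exit }
    inside { sub(/^[[:space:]]+/, ""); print }
  ' "$1"
}

# repack_and_sign DECODED_DIR OUT.apk [KEYSTORE]: the rebuild/align/sign steps
# from this section. Needs apktool, zipalign and apksigner on PATH; the
# self-test does not run it.
repack_and_sign() {
  local decoded="$1" out="$2" ks="${3:-$HOME/.android/debug.keystore}"
  apktool b "$decoded" -o "$out.unaligned"
  zipalign -p 4 "$out.unaligned" "$out.aligned"
  apksigner sign --ks "$ks" --ks-pass pass:android --out "$out" "$out.aligned"
  apksigner verify --verbose "$out"
}

# Constructed RootDetector.smali: the detector delegates to a helper, so
# editing a single const/4 in isRooted() would not change its result.
make_sample() {
  cat > "$1" <<'EOF'
.class public final Lcom/app/RootDetector;
.super Ljava/lang/Object;

.method public final isRooted()Z
    .locals 2
    const-string v0, "/system/xbin/su"
    invoke-static {v0}, Lcom/app/RootDetector;->exists(Ljava/lang/String;)Z
    move-result v1
    return v1
.end method

.method private static exists(Ljava/lang/String;)Z
    .locals 1
    const/4 v0, 0x1
    return v0
.end method
EOF
}

sample="$(mktemp)"
make_sample "$sample"
stub_bool_method "$sample" 'isRooted()Z' 0x0
method_body "$sample" 'isRooted()Z'
```

The descriptor argument (`isRooted()Z`, `exists(Ljava/lang/String;)Z`) is exactly what the `.method` line ends with, so overloads are addressed unambiguously, and the `)Z` check stops you from stubbing a method whose caller expects an object or an int. After patching, the rest of the flow is unchanged: `apktool b`, align, sign, `adb install -r`.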
## Frida Script Library
### Common Frida Operations
```bash
# List all available Frida scripts
ls assets/frida-scripts/
# Key scripts:
# - ssl-pinning-bypass.js (universal SSL bypass)
# - android-root-bypass-advanced.js (30+ root detection bypasses)
# - crypto-intercept.js (monitor Cipher, MessageDigest, etc.)
# - biometric-bypass.js (BiometricPrompt, FingerprintManager)
# - keystore-inspector.js (dump Keystore entries)
# - webview-inspector.js (WebView debugging, JS injection)
# - intent-fuzzer.js (Intent injection testing)
```
### Frida Exploit Helper
```bash
# List bundled scripts
python3 scripts/07-tools/frida-exploit-helper.py --list-scripts
# Hook memory functions
python3 scripts/07-tools/frida-exploit-helper.py \
-p com.example.app \
--hook malloc,free,memcpy
# SSL pinning bypass
python3 scripts/07-tools/frida-exploit-helper.py \
-p com.example.app \
--script ssl-pinning-bypass
# Memory layout analysis
python3 scripts/07-tools/frida-exploit-helper.py \
-p com.example.app \
--layout
# Runtime defense detection
python3 scripts/07-tools/frida-exploit-helper.py \
-p com.example.app \
--runtime-defense
```
### Custom Frida Script Example
```javascript
// Hook custom native function
Java.perform(function() {
var targetClass = Java.use('com.example.app.SecurityCheck');
targetClass.isDeviceSecure.implementation = function() {
console.log('[+] isDeviceSecure() called');
var result = this.isDeviceSecure();
console.log('[+] Original result: ' + result);
console.log('[+] Forcing return: true');
return true;
};
console.log('[+] Hooked isDeviceSecure()');
});
```
## Configuration
### Environment Variables
```bash
# Android SDK path
export ANDROID_HOME="$HOME/Library/Android/sdk"
export PATH="$PATH:$ANDROID_HOME/platform-tools:$ANDROID_HOME/build-tools/36.0.0"
# Frida server configuration
export FRIDA_SERVER_PORT=27042
# Optional: Semgrep API token for managed scanning
export SEMGREP_APP_TOKEN="your_token_here"
# Optional: Custom APKTool config
export APKTOOL_CONFIG="$HOME/.apktool/config.yml"
```
### Bypass Profiles Configuration
```json
// scripts/02-rasp/bypass-profiles.json
{
"profiles": {
"rootbeer_standard": {
"description": "RootBeer library bypass",
"scripts": [
"assets/frida-scripts/android-root-bypass-advanced.js"
],
"hooks": ["RootBeer.isRooted", "RootBeer.isRootedWithoutBusyBoxCheck"]
},
"ssl_okhttp3": {
"description": "OkHttp3 CertificatePinner bypass",
"scripts": [
"assets/frida-scripts/ssl-pinning-bypass.js"
],
"hooks": ["CertificatePinner.check"]
}
}
}
```
## Common Patterns
### Pattern 1: Full Security Assessment
```bash
# 1) Static analysis with Semgrep
bash scripts/auto-audit-static.sh app.apk --semgrep
# 2) Runtime defense detection
bash scripts/02-rasp/runtime-defense-analyzer.sh \
app.apk com.example.app \
--active-mode --authorized-lab \
--output findings-rda.json
# 3) MASVS scoring
python3 scripts/05-reporting/masvs-scorer.py findings-merged.json
# 4) Generate professional report
python3 scripts/05-reporting/report-generator.py \
findings-merged.json \
findings-rda.json \
--output report.pdf
```
### Pattern 2: Traffic Interception
```bash
# 1) Start the proxy (Burp/ZAP) listening on all interfaces, e.g. 0.0.0.0:8080,
#    and point the *device* at the host's LAN address. Exporting HTTP_PROXY on
#    the host does nothing for app traffic, and 127.0.0.1 on the device is the
#    device itself.
adb shell settings put global http_proxy <host-lan-ip>:8080
# (clear it afterwards with: adb shell settings put global http_proxy :0)
# 2) Install the proxy CA certificate on the device
adb push burp-ca.crt /sdcard/
# Settings → Security → Install from SD card installs a *user* CA. Apps that
# target API 24+ ignore user CAs unless their network_security_config trusts
# them, so for a black-box target install it as a system CA (rooted device)
# or repackage the app with a network_security_config that trusts user certs.
# 3) Bypass SSL pinning (frida-tools 12+ resumes after spawn by default, so
#    the old --no-pause flag is no longer accepted; use --pause to hold the app)
frida -U -f com.example.app \
  -l assets/frida-scripts/ssl-pinning-bypass.js
# 4) Monitor traffic in proxy
```
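Installing the CA from the SD card leaves it in the user store, which apps targeting API 24+ do not trust, so a pinning bypass alone still ends in a TLS failure. The following is an added example, not part of the DragonJAR skill: it converts a proxy CA export into the `<subject_hash_old>.0` file that Android's system store expects and pushes it on a rooted device (Android 13 and lower layout; Android 14+ serves the store from the Conscrypt APEX and needs an overlay-based install instead). The CA in the self-test is generated on the fly, and `burp-ca.crt` and `/system/etc/security/cacerts` are the only names taken from Burp and Android; everything else is assumed.

```shell
#!/usr/bin/env bash
# Added example, not code from the DragonJAR skill: stage the proxy CA as a
# *system* trust anchor. Android's system store holds one PEM per CA, named
# after OpenSSL's legacy subject hash (`openssl x509 -subject_hash_old`).
# The CA created by make_test_ca is throwaway, not Burp's.
set -eu

# to_system_ca_file IN OUTDIR -> prints OUTDIR/<hash>.0
# Accepts DER or PEM input; Burp's "Export CA certificate" produces DER.
to_system_ca_file() {
  local in="$1" outdir="$2" pem hash
  pem="$outdir/proxy-ca.pem"
  if ! openssl x509 -in "$in" -inform PEM -out "$pem" >/dev/null 2>&1; then
    openssl x509 -in "$in" -inform DER -out "$pem" >/dev/null
  fi
  hash="$(openssl x509 -in "$pem" -noout -subject_hash_old)"
  cp "$pem" "$outdir/$hash.0"
  printf '%s\n' "$outdir/$hash.0"
}

# install_system_ca FILE.0 -> copy into the system store of a rooted device
# running Android 13 or lower (needs adb and su; not run by the self-test).
install_system_ca() {
  local f="$1" name
  name="$(basename "$f")"
  adb push "$f" "/data/local/tmp/$name"
  adb shell "su -c 'mount -o rw,remount /system && \
    cp /data/local/tmp/$name /system/etc/security/cacerts/$name && \
    chmod 644 /system/etc/security/cacerts/$name && \
    mount -o ro,remount /system'"
  # Then route the device through the proxy on the host's LAN address;
  # 127.0.0.1 here would be the phone itself:
  #   adb shell settings put global http_proxy <host-lan-ip>:8080
}

# Self-test helper: a throwaway CA in the DER encoding Burp exports.
make_test_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj '/CN=Added Example Proxy CA' \
    -keyout "$1/proxy-ca.key" -out "$1/proxy-ca.der" -outform DER >/dev/null 2>&1
}

d="$(mktemp -d)"
make_test_ca "$d"
to_system_ca_file "$d/proxy-ca.der" "$d"   # for Burp: to_system_ca_file burp-ca.crt ./ca
```

Check the result on the device with `adb shell ls /system/etc/security/cacerts/ | grep <hash>` and in Settings → Security → Trusted credentials → System; if the proxy CA shows under User instead, the app will keep rejecting the connection regardless of the Frida hooks.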
### Pattern 3: Root Detection Bypass Stack
```bash
# Layer 1: Java-level root checks (frida-tools 12+ resumes after spawn by
# default; the old --no-pause flag is rejected, use --pause to hold the app)
frida -U -f com.example.app \
  -l assets/frida-scripts/android-root-bypass-advanced.js
# Layer 2: Native-level root checks (if detected)
# Edit native-hook.js to target the specific native library and the libc
# calls it uses (access/stat/fopen on su and busybox paths) before loading
# it alongside the Java-level script
frida -U -f com.example.app \
  -l assets/frida-scripts/android-root-bypass-advanced.js \
  -l assets/frida-scripts/native-hook.js
```
### Pattern 4: Automated Secret Extraction
```bash
# Extract and scan all strings
bash scripts/01-decompile/extract-strings.sh app.apk > strings.txt
# Scan with patterns
grep -E '(sk_live_|ghp_|AIza[0-9A-Za-z-_]{35})' strings.txt
# Deep search in decompiled code
find decoded/smali -name "*.smali" -exec grep -H "const-string.*sk_live" {} \;
# Search in JavaScript bundles (React Native/Cordova)
# (escaped double quotes: a \' inside single quotes ends the quoted string)
find decoded/assets \( -name "*.bundle" -o -name "*.js" \) -print0 | \
  xargs -0 grep -E "(API_KEY|SECRET|PASSWORD).*=.*[\"'][^\"']{20,}"
```
## Troubleshooting
### Issue: APKTool Decode Fails
```bash
# Error: "brut.androlib.AndrolibException: Could not decode arsc file"
# Solution 1: Update APKTool to 3.0.1+ (new resource formats are supported there first)
brew upgrade apktool
# Solution 2: Keep decoding despite broken resources (-k / --keep-broken-res)
apktool d -k -f -o decoded/ app.apk
# Solution 3: Skip resource decoding entirely; smali is still produced and the
# manifest is decoded on its own, while resources.arsc stays binary and is
# copied through unchanged on rebuild
apktool d -r --force-manifest -f -o decoded/ app.apk
```
### Issue: Frida Server Connection Failed
```bash
# Error: "Failed to spawn: unable to find process with name 'com.example.app'"
# ("unable to find process" is what attach mode reports when the app is not
# running or frida-server cannot see it)
# Solution 1: Verify frida-server is running (chmod once, then run it daemonized)
adb shell "su -c 'chmod 755 /data/local/tmp/frida-server && /data/local/tmp/frida-server -D'"
frida-ps -U | head   # lists device processes once the server is reachable
# Solution 2: Check frida-server version matches client (same major.minor)
frida --version # Client version
adb shell "/data/local/tmp/frida-server --version" # Server version
# Solution 3: Use spawn mode instead of attach
frida -U -f com.example.app # Spawn mode: Frida launches the app itself
# Instead of:
frida -U com.example.app # Attach mode: the app must already be running
```
### Issue: SSL Pinning Bypass Not Working
```bash
# Flutter apps use native BoringSSL - Java hooks won't work
# Solution: Use Flutter-specific native hooks
frida -U -f com.example.flutter \
-l assets/frida-scripts/flutter-ssl-bypass.js
# React Native apps may use custom native modules
# Solution: Hook both Java and native SSL functions
frida -U -f com.example.rn \
-l assets/frida-scripts/ssl-pinning-bypass.js \
-l assets/frida-scripts/native-hook.js
```
### Issue: Runtime Defense Analysis Returns Empty Results
```bash
# Passive mode only checks static indicators
# Solution: Use --active-mode with authorized lab
bash scripts/02-rasp/runtime-defense-analyzer.sh \
app.apk com.example.app \
--active-mode \
--authorized-lab \
--output findings-rda.json
# Ensure device/emulator is accessible
adb devices # Should show device
# Ensure the package name is right (no root needed for this)
adb shell "pm list packages | grep example"
# Active mode drives Frida, and frida-server needs a rooted device/emulator;
# on a non-rooted device repackage the APK with frida-gadget instead
```
### Issue: MASVS Scorer Shows Low Score
```bash
# Low scores indicate security gaps - this is expected behavior
# Review failed controls:
python3 scripts/05-reporting/masvs-scorer.py findings-merged.json --verbose
# Common failure patterns:
# - MASVS-STORAGE-1: Hardcoded secrets → Use Android Keystore
# - MASVS-CRYPTO-1: Weak crypto → Upgrade to AES-256-GCM
# - MASVS-NETWORK-2: No identity pinning → Implement certificate pinning
# - MASVS-RESILIENCE-3: No obfuscation → Apply ProGuard/R8
```
## Agent Usage Examples
### Example 1: Quick APK Audit
**User**: "Audit this APK: ~/Downloads/banking-app.apk"
**Agent Actions**:
```bash
cd dragonjar-android-pentesting
bash scripts/auto-audit-static.sh ~/Downloads/banking-app.apk --semgrep
python3 scripts/05-reporting/masvs-scorer.py findings-merged.json
```
**Agent Response**: "Found 8 security issues: 2 CRITICAL (hardcoded API keys), 3 HIGH (exported activities without permissions), 2 MEDIUM (weak crypto), 1 LOW (debug logs). MASVS score: 68.2/100 (Grade: D). Report saved to findings-merged.json."
### Example 2: Bypass SSL Pinning
**User**: "This banking app has SSL pinning. I need to intercept the login request."
**Agent Actions**:
```bash
# Start Frida with SSL bypass
python3 scripts/07-tools/frida-exploit-helper.py \
-p com.banking.app \
--script ssl-pinning-bypass
```
**Agent Response**: "SSL pinning bypassed (OkHttp3 CertificatePinner detected). Point the device's proxy setting at your Burp/ZAP listener on the host's LAN IP, port 8080 (not 127.0.0.1, which on the device is the device itself), then relaunch the app under Frida and attempt login."
### Example 3: Detect RASP Protections
**User**: "Check what runtime protections this app has."
**Agent Actions**:
```bash
bash scripts/02-rasp/runtime-defense-analyzer.sh \
~/Downloads/app.apk com.protected.app \
--active-mode --authorized-lab \
--output findings-rda.json
cat findings-rda.json
```
**Agent Response**: "Detected 4 protections: RootBeer (root detection), custom emulator checks, Frida detection (anti-instrumentation), DexGuard obfuscation. Bypass profiles available: rootbeer_standard, frida_detection, emulator_detection. Run rasp-bypass-runner.sh to generate bypass command."
### Example 4: Find Hardcoded Secrets in React Native
**User**: "This is a React Native app. Find any hardcoded API keys in the JavaScript bundle."
**Agent Actions**:
```bash
bash scripts/auto-audit-static.sh ~/Downloads/rn-app.apk
grep -r "API_KEY\|api_key\|apiKey" decoded/assets/*.bundle
```
**Agent Response**: "Found 3 hardcoded keys in assets/index.android.bundle: Firebase API key (line 4521), Stripe publishable key (line 8912; publishable keys are meant to ship client-side, so this one is informational unless it turns out to be a secret key), AWS access key ID (line 12045). Evidence saved to findings-merged.json with MASVS-STORAGE-1 control failure."
## Advanced Topics
### Native Code Analysis
```bash
# Extract native libraries
unzip -o app.apk "lib/*" -d native/
# Analyze with Ghidra/IDA (manual)
# Or use Frida for runtime analysis:
python3 scripts/07-tools/frida-exploit-helper.py \
  -p com.example.app \
  --hook JNI_OnLoad,RegisterNatives
# Hook a specific native function by offset (taken from Ghidra/IDA). frida -l
# expects a file, and the library is not mapped yet at spawn time, so write the
# script out and attach to the running app once it has loaded libnative.so.
cat > native-offset-hook.js << 'EOF'
// Frida 17 removed Module.findBaseAddress(); resolve the module via Process
var mod = Process.findModuleByName('libnative.so');
if (mod === null) {
  throw new Error('libnative.so not loaded yet; attach after the app has loaded it');
}
Interceptor.attach(mod.base.add(0x1234), { // 0x1234: placeholder offset
  onEnter: function (args) {
    console.log('[+] Native function called');
    console.log('Arg0: ' + args[0]);
  }
});
EOF
frida -U com.example.app -l native-offset-hook.js
```
### Attestation Bypass Limitations
**Important**: Client-side hooks cannot forge server-verified attestation:
- ❌ Play Integrity verdicts (Google server-signed)
- ❌ SafetyNet attestation responses
- ❌ Approov tokens (server-side verification)
- ❌ App Attest (Apple server validation)
**Authorized Testing Approaches**:
- ✅ Use test tenant with backend allowlist
- ✅ Configure mock verifier in staging environment
- ✅ Request official pentest exception from vendor
- ✅ Use approved lab environment with vendor cooperation
### Custom Semgrep Rules
```yaml
# Add custom rule to scripts/03-static-analysis/semgrep-rules/
# Semgrep has no smali grammar, so rules target the JADX Java output the audit
# scans; the key format is matched with metavariable-regex on the literal.
rules:
  - id: custom-api-key-pattern
    languages: [java]
    severity: ERROR
    message: Custom API key pattern (cust_...) hardcoded in a string literal
    patterns:
      - pattern: String $VAR = $KEY;
      - metavariable-regex:
          metavariable: $KEY
          regex: ^"cust_[A-Za-z0-9_-]{16,}"$
    metadata:
      owasp_mobile: M1
      masvs_control: MASVS-STORAGE-1
# Run it over the decompiled tree:
#   semgrep --config scripts/03-static-analysis/semgrep-rules/ <jadx-output>/sources/
```
## References
- OWASP MASVS: https://mas.owasp.org/MASVS/
- OWASP MASTG: https://mas.owasp.org/MASTG/
- Frida Documentation: https://frida.re/docs/
- APKTool Documentation: https://apktool.org/docs/
- DragonJAR Community: https://www.dragonjar.org/
## License
Apache 2.0 - See LICENSE file for details.