Android Penetration Testing — Part 2

Advanced techniques with Frida & Objection — hooking, bypasses, and patterns for tougher Android targets.

1. Advanced Setup

You'll need these extra tools:

  • Frida — runtime instrumentation
  • Objection — easier Frida interface
  • Xposed Framework / Magisk — for hooking
  • Quark-Engine / Androbugs — advanced static analysis

2. Runtime Testing with Frida

Frida lets you hook into apps while they run.

Start the Frida server on the device:

adb push frida-server /data/local/tmp/
adb shell "chmod 755 /data/local/tmp/frida-server && /data/local/tmp/frida-server &"
frida-ps -U   # confirm it's running

Run a script:

frida -U -f com.target.app -l script.js --no-pause   # --no-pause is needed only on Frida < 16; newer releases resume the spawned app by default

3. Objection — Simplified Runtime Hacking

Launch Objection:

objection --gadget com.target.app explore

Disable SSL Pinning:

android sslpinning disable

Other tricks with Objection:

  • Dump memory
  • Bypass root detection
  • Modify functions live

4. Advanced Attack Surfaces

Exported Components

If a component declares android:exported="true" → any other app on the device can invoke it.

  • Activities → Can be launched externally.
  • Services → Attackers may send malicious data.
  • Broadcast Receivers → Triggered by any app.
  • Content Providers → Test for SQL injection.

Deep Links

Apps may use links like:

myapp://login?token=123

Test for:

  • Open Redirect
  • CSRF
  • XSS in WebView
  • LFI (Local File Inclusion)

WebView Exploits

If the developer enabled JavaScript and exposed a Java object to page scripts:

webView.getSettings().setJavaScriptEnabled(true);
webView.addJavascriptInterface(...)

→ Any page loaded into that WebView can run script and call the exposed Java methods, so this may allow XSS or code injection.

5. Other Advanced Checks

  • Database Security: Look for unencrypted SQLite DBs under /data/data/com.app/.
  • Weak Crypto: Check if MD5, SHA1, or hardcoded keys are used.
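As an added example of the kind of script section 2 loads with `frida -l` (written for this page, not code from the original post), the hook below flags weak digest and cipher choices while the app runs. `com.target.app` is the page's placeholder package name; the classifier is plain JavaScript so it can be tested outside Frida, and the hooks only run when Frida's `Java` bridge is present.

```javascript
// Added example: log weak crypto primitives requested by the app at runtime.
// Load with:  frida -U -f com.target.app -l weak_crypto.js

// Plain JS so it can be unit-tested outside Frida.
// Returns a reason string if the algorithm name is considered weak, else null.
function weakReason(algorithm) {
  const name = String(algorithm).toUpperCase();
  if (/^(MD2|MD5|SHA-?1)$/.test(name)) return 'weak digest ' + name;
  if (/^(DES|DESEDE|RC4|ARCFOUR|BLOWFISH)(\/|$)/.test(name)) return 'weak cipher ' + name;
  if (/\/ECB\//.test(name)) return 'ECB mode in ' + name;
  return null;
}

// Hooks only run inside Frida, where the global `Java` bridge exists.
if (typeof Java !== 'undefined' && Java.available) {
  Java.perform(function () {
    const Exception = Java.use('java.lang.Exception');
    const Log = Java.use('android.util.Log');

    function report(kind, reason) {
      // A short Java backtrace shows which app code requested the primitive.
      const trace = Log.getStackTraceString(Exception.$new())
        .split('\n').slice(2, 6).join('\n');
      console.log('[' + kind + '] ' + reason + '\n' + trace);
    }

    // java.security.MessageDigest.getInstance(String)
    const MessageDigest = Java.use('java.security.MessageDigest');
    MessageDigest.getInstance.overload('java.lang.String').implementation = function (alg) {
      const reason = weakReason(alg);
      if (reason) report('MessageDigest', reason);
      return this.getInstance(alg);
    };

    // javax.crypto.Cipher.getInstance(String transformation)
    const Cipher = Java.use('javax.crypto.Cipher');
    Cipher.getInstance.overload('java.lang.String').implementation = function (transformation) {
      const reason = weakReason(transformation);
      if (reason) report('Cipher', reason);
      return this.getInstance(transformation);
    };
  });
}
```

The script only observes and forwards every call unchanged, so the app keeps working while you collect evidence of MD5, SHA1, DES or ECB usage for the report.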

Backup Attacks:

adb backup com.target.app   # only includes the app's data if its manifest allows backup (android:allowBackup="true")

6. Automating Advanced Analysis

  • MobSF Dynamic Analysis → runs app inside emulator, captures traffic & behavior.
  • Quark-Engine → detects malware patterns.
  • AndroTickler → finds insecure components.

This work has been prepared in collaboration with Shaid Hussain, whose insights contributed significantly to the research of this article.