Android Pentesting Skill

World-class Android pentesting skill for AI agents. It combines static analysis, dynamic instrumentation, RASP detection, authorized bypass validation, source-to-sink tracing, MASVS scoring, and professional reporting in one DRY workflow.

🎯 What This Skill Does

This skill turns an AI agent into an Android APK security auditor. It can:

• Decode and inspect APKs with APKTool, JADX, APKiD, Android SDK tools, and Frida.
• Map attack surface: manifest, exported components, deep links, WebViews, storage, crypto, networking, native code, and framework-specific code.
• Run static analysis with curated grep patterns and MASTG-aligned Semgrep rules, then merge and deduplicate findings.
• Trace source-to-sink flows and separate confirmed issues from findings that need dynamic validation.
• Detect runtime defenses and RASP/shielding SDKs, then build authorized Frida bypass stacks using reusable profiles instead of duplicated logic.
• Validate common client-side protections such as SSL pinning, root/debug/emulator checks, anti-Frida, FLAG_SECURE, RASP callbacks, and packer/native checks where technically feasible.
• Score and report findings with CVSS 4.0, MASVS mapping, executive risk context, JSON schemas, and professional report templates.
• Support APK modification workflows: smali/resource patching, repackaging, signing, and validation.

Important: Client-side hooks do not forge server-side attestation verdicts. For Approov, Play Integrity, SafetyNet, or similar backend-enforced controls, use an authorized test tenant, backend allowlist, mock verifier, or approved lab configuration.

📦 Installation

Option 1: Clone into Agent Skills Directory

# For Claude Code / OpenCode agents
cd ~/.agents/skills/
git clone https://github.com/DragonJAR/Android-Pentesting-Skill Android-Pentesting-Skill

# For other agents, place in your skills directory

Option 2: Install Globally

# Clone to any location
git clone https://github.com/DragonJAR/Android-Pentesting-Skill.git

# Add to your agent's skill path configuration

⚙️ Prerequisites

The skill expects these tools to be installed:

Tool	Version	Purpose
APKTool	3.0.1+	APK decoding/rebuilding (aapt2-only mode)
JADX	1.5.5+	Java/Kotlin decompilation
Android SDK	Platform 36+, Build 36+	adb, aapt2, zipalign, apksigner
Frida	17.9+	Dynamic instrumentation
Objection	1.12.4+	Mobile exploration (maintenance mode)
APKiD	3.0.0+	Framework detection

Verification

Run the Python preflight check to verify all dependencies:

python3 scripts/06-setup/preflight-check.py

Shell variant for Linux or macOS with Homebrew Bash 4+:

/opt/homebrew/bin/bash scripts/06-setup/preflight-check.sh

Or, on systems where /usr/bin/env bash is Bash 4+:

./scripts/06-setup/preflight-check.sh

PowerShell variant for Windows environments:

./scripts/06-setup/preflight-check.ps1

🛡️ RASP Detect → Bypass Workflow

The RASP workflow is intentionally DRY:

1. Detect protections with RDA.
2. Map triggered detectors to bypass profiles.
3. Reuse existing Frida scripts from assets/frida-scripts/.
4. Print first, run only when authorized with --run --authorized-lab.

# 1) Detect RASP/runtime defenses
bash scripts/02-rasp/runtime-defense-analyzer.sh app.apk com.target.app --output findings-rda.json

# 2) Review available bypass profiles
bash scripts/02-rasp/rasp-bypass-runner.sh --list-profiles

# 3) Generate a reviewed Frida command from findings
bash scripts/02-rasp/rasp-bypass-runner.sh \
  --package com.target.app \
  --from-rda findings-rda.json \
  --print-command

# 4) Execute only in an authorized lab
bash scripts/02-rasp/rasp-bypass-runner.sh \
  --package com.target.app \
  --from-rda findings-rda.json \
  --run --authorized-lab

Profiles live in scripts/02-rasp/bypass-profiles.json and reuse existing Frida scripts under assets/frida-scripts/. See references/rasp-bypass-workflow.md for coverage, limits, and reporting requirements.

🚀 Usage Examples

Example 1: Basic APK Audit

User prompt:

Audit this APK: /path/to/app.apk

Agent response:

I'll analyze the APK for security vulnerabilities.

[Phase 0] Decoding APK with APKTool...
[Phase 1] Analyzing AndroidManifest.xml...
[Phase 2] Running targeted security patterns...
[Phase 3] Tracing data flows...
[Phase 5] Generating findings report...

Found 3 issues:
1. [HIGH] Exported Activity Without Permission (M8: Security Misconfiguration)
2. [MEDIUM] Hardcoded API Key (M1: Improper Credential Usage)
3. [LOW] Debug Logging Enabled (M8: Security Misconfiguration)

Example 2: Full Audit with All Modules

User prompt:

Audit this APK with all modules: runtime defense, semgrep, and MASVS scoring.

Agent response:

[Phase 0] Decoding APK with APKTool + JADX...
[Phase 0] Detected framework: Flutter
[Phase 1] Mapping attack surface from AndroidManifest.xml...
[Phase 2] Running targeted grep patterns...
[Phase 2.5] Running Semgrep MASTG rules (70+ rules)...
[Phase 3] Tracing source-to-sink data flows...
[Phase 4] Running Runtime Defense Analysis (18 catalog entries, 14 executable detectors)...
[Phase 5] Classifying findings and calculating MASVS compliance score...

MASVS Score: 72.6/100 (Grade: C)
- 16/23 controls passed
- 7 controls failed (Critical: 1, High: 1, Medium: 1, Low: 4)

Found 4 issues:
1. [CRITICAL] Hardcoded API Key (M1: Improper Credential Usage)
2. [HIGH] Exported Activity with Intent Redirection (M8: Security Misconfiguration)
3. [MEDIUM] Weak SSL Certificate Validation (M5: Insecure Communication)
4. [LOW] Debug Mode Enabled (M8: Security Misconfiguration)

Example 3: SSL Pinning Bypass

User prompt:

The app has SSL pinning. Bypass it with Frida and intercept traffic.

Agent response:

I'll use the SSL pinning bypass script to intercept HTTPS traffic.

[1] Identifying SSL pinning implementation...
    Found: OkHttp3 CertificatePinner
[2] Loading Frida script: ssl-pinning-bypass.js
[3] Hooking CertificatePinner.check()
[4] SSL pinning bypassed. Traffic now decrypted.

Intercepted request:
POST /api/login
{"email": "user@example.com", "password": "secret123"}

Example 4: React Native Analysis

User prompt:

Analyze this React Native APK for hardcoded secrets in the JavaScript bundle.

Agent response:

[Phase 0] Detected React Native framework (libhermes.so found)
[Phase 0] Extracting JavaScript bundle from assets/index.android.bundle
[Phase 2] Scanning for secrets in JavaScript bundle...

Found 2 hardcoded secrets:
- API_KEY = "sk_live_abc123..." at bundle.js:4521 (M1: Improper Credential Usage)
- AWS_SECRET = "wJalrXUtnFEMI/K7MDENG..." at bundle.js:8912 (M1: Improper Credential Usage)

Example 5: Flutter Analysis

User prompt:

Analyze this Flutter APK. I need to intercept HTTPS traffic from the app.

Agent response:

[Phase 0] Detected Flutter framework (libflutter.so found)
[Phase 0] Flutter uses BoringSSL natively - Java SSL hooks won't work
[Phase 0] Using Blutter to extract Dart code: python3 blutter.py lib/arm64-v8a/
[Phase 4] Loading Frida script: native-hook.js (BoringSSL targets)
[Phase 4] Hooking SSL_CTX_set_custom_verify() for certificate bypass
[Phase 4] Hooking SSL_read/SSL_write() for traffic interception

Flutter traffic now intercepted and decrypted.

Example 6: APK Modification

User prompt:

Disable the root detection in this APK and repackage it.

Agent response:

[1] Decoding APK with APKTool...
[2] Locating root detection code...
    Found: com/app/security/RootDetector.checkRoot()
[3] Patching smali to return false...
    const/4 v0, 0x0  # Always return false
[4] Rebuilding with APKTool...
[5] Aligning with zipalign...
[6] Signing with apksigner...
[7] Verifying signature...

Modified APK ready: app_patched.apk
SHA-256: abc123def456...

Example 7: Runtime Defense Analysis

User prompt:

Run the runtime defense analysis to check what protections this app has.

Agent response:

[Phase 4] Loading Runtime Defense Analysis...

Detector catalog: 18 entries (14 executable Frida detectors + 4 backend/cloud entries marked not applicable).
Executable detectors include:
- rootbeer, safetynet, emulator, debug, frida_detect
- screenshot, screenrecorded, custom
- talsec, approov, dexguard, appdome, doverunner, digitalai

Running passive detection...
Results: 3 protections detected:
- [DETECTED] Root detection (RootBeer library)
- [DETECTED] Emulator detection
- [NOT DETECTED] Frida detection

findings-rda.json generated with full detector report.

📖 Skill Capabilities

Static Analysis (Phases 0-3)

Capability	Description
APK Decompilation	JADX for Java/Kotlin, APKTool for smali/resources
Framework Detection	React Native, Flutter, Cordova, Xamarin, Native
Obfuscation Analysis	ProGuard/R8, DexGuard, custom patterns
Manifest Analysis	50+ security checks for exported components, permissions, deep links
IPC / Intent Abuse	Intent injection, nested intent relays, PendingIntent, FileProvider, deep link pivot patterns
Secrets Detection	API keys, passwords, tokens in code and resources
Data Flow Tracing	Source-to-sink methodology with confidence levels
Semgrep SAST (Phase 2.5)	70+ MASTG-aligned rules for automated code scanning

Dynamic Analysis (Phase 4)

Capability	Description
Frida Scripts	37 scripts for hooking, bypass, interception, and native triage
SSL Pinning Bypass	Java/Conscrypt focused (HttpsURLConnection, TrustManagerImpl etc.). See script header for exact current coverage and gaps (OkHttp, WebView, NSC, Flutter require extra work).
Root Detection Bypass	30+ root packages, 80+ paths, native hooks (fopen, access, stat) plus a focused native root detection probe
Runtime Defense Analysis (RDA)	18 catalog entries, 14 executable Frida detectors, and authorized bypass profile runner
Crypto Interception	Monitor Cipher, MessageDigest, Mac, Signature operations
Biometric Bypass	BiometricPrompt, FingerprintManager, crypto-object binding
Keystore Inspection	List entries, extract metadata, check security flags
Network Interception	OkHttp chains, HttpURLConnection, WebSocket monitoring
Native Hooking	JNI_OnLoad, RegisterNatives, by-offset hooks, and library-load-aware native probes

Frida Exploit Helper

# List available bundled scripts
python3 scripts/07-tools/frida-exploit-helper.py --list-scripts

# Hook memory functions
python3 scripts/07-tools/frida-exploit-helper.py -p com.target.app --hook malloc,free

# Use bundled SSL pinning bypass script
python3 scripts/07-tools/frida-exploit-helper.py -p com.target.app --script ssl-pinning-bypass

# Memory layout analysis
python3 scripts/07-tools/frida-exploit-helper.py -p com.target.app --layout

# Runtime Defense Analysis (RDA) — detect app protections
python3 scripts/07-tools/frida-exploit-helper.py -p com.target.app --runtime-defense

Full Workflow with All Modules

# Run static audit with Semgrep enrichment
bash scripts/auto-audit-static.sh app.apk --semgrep

# Run runtime defenses and scoring as explicit modules
bash scripts/02-rasp/runtime-defense-analyzer.sh app.apk com.target.app --active-mode --authorized-lab --output findings-rda.json
python3 scripts/03-static-analysis/semgrep-scan.py decoded/ --output semgrep.json
python3 scripts/05-scoring/calculate-score.py findings.json --json-output

APK Modification

Capability	Description
Smali Patching	Modify Dalvik bytecode directly
Resource Editing	Change XML, strings, configurations
Static Pinning Tampering	Override network_security_config, replace pins, bundled certs, or BKS/JKS truststores
Repackaging	Rebuild, align, sign with correct flow: zipalign → apksigner

Reporting (Phase 5)

Capability	Description
CVSS 4.0 Scoring	FIRST.org compliant severity ratings
MASVS Compliance Score	OWASP MASVS v2 control coverage with explicit pass/fail/not-tested semantics
Executive Risk Score	Optional aggregate 0-100/A-F business-risk summary, separate from CVSS and MASVS
OSINT Enrichment	Optional passive correlation of package, domains, endpoints, public leaks, and archived URLs
Audit Modes	Presets for quick, static, full, protected-app, OSINT, and reporting-only workflows
OWASP MASTG Mapping	Test IDs and MASVS categories
Professional Templates	Executive summary, findings, remediation

🔧 Skill Structure

Android-Pentesting-Skill/
├── SKILL.md                              # Skill definition (Phases 0-5)
├── references/                           # 83 reference/support files
│   ├── attack-patterns.md                # OWASP M1-M10 patterns
│   ├── intent-injection.md               # Nested intent / confused deputy guide
│   ├── pendingintent-security.md         # PendingIntent abuse and hardening
│   ├── dynamic-analysis-setup.md         # Frida/Objection + SSL pinning playbook
│   ├── frida-scripts-index.md            # Canonical bundled script catalog
│   ├── cvss-scoring-guide.md             # CVSS 4.0 methodology
│   ├── reporting-templates.md            # Finding templates
│   ├── flutter-security.md               # Flutter security guide
│   ├── react-native-security.md          # React Native security guide
│   ├── android-keystore2-testing.md      # Keystore2 testing (Android 12+)
│   ├── biometric-testing-comprehensive.md # BiometricPrompt testing
│   ├── deep-link-exploitation.md         # Deep link attacks
│   ├── project-manifest.md               # Ground-truth file inventory
│   └── ... (70 more)
├── assets/frida-scripts/                 # 38 files (37 Frida scripts + README)
│   ├── ssl-pinning-bypass.js             # SSL pinning bypass
│   ├── root-detection-bypass.js          # Root detection bypass
│   ├── native-root-detection-probe.js    # Focused native root/RASP triage
│   ├── native-hook.js                    # Generic JNI / native helper
│   ├── biometric-bypass.js               # Biometric auth bypass
│   ├── network-interceptor.js            # HTTP/HTTPS interception
│   ├── crypto-intercept.js               # Crypto operations hooking
│   └── ... (30 more)
├── scripts/                              # Utility and validation scripts
│   ├── 01-cross-platform/               # Framework-specific analysis
│   │   ├── cordova-analysis.sh
│   │   ├── flutter-analysis.sh
│   │   ├── react-native-analysis.sh
│   │   └── unity-analysis.sh
│   ├── 02-rasp/                         # Runtime Defense Analysis (RDA)
│   │   ├── detector-catalog.json          # 18 detector registry
│   │   ├── runtime-defense-analyzer.sh   # Phase 4 RDA entry point
│   │   ├── rasp-bypass-runner.sh         # Authorized bypass stack runner
│   │   ├── bypass-profiles.json          # DRY detector-to-bypass profile map
│   │   ├── findings-schema.json          # Shared findings schema
│   │   └── rasp-detectors/              # 14 Frida detector scripts + 4 not-applicable catalog entries
│   │       ├── rootbeer.js
│   │       ├── safetynet.js
│   │       ├── emulator.js
│   │       ├── debug.js
│   │       ├── frida-detect.js
│   │       ├── screenshot.js
│   │       ├── screenrecorded.js
│   │       └── custom.js
│   ├── 03-static-analysis/              # Semgrep SAST + merge
│   │   ├── semgrep-scan.py              # semgrep wrapper
│   │   ├── merge-findings.py            # Deduplication
│   │   ├── update-rules.sh              # Upstream rule sync
│   │   └── semgrep-rules/               # 70+ MASTG rules
│   ├── 04-android-15-16/               # Android 15/16 specific scripts
│   │   ├── android15-apis.js
│   │   ├── passkey-test.js
│   │   └── privacy-sandbox-test.sh
│   ├── 05-scoring/                     # MASVS compliance scoring
│   │   ├── calculate-score.py           # Score engine (0-100 + A-F)
│   │   ├── masvs-matrix.json           # 23 MASVS v2 controls
│   │   ├── masvs-mapping.json          # Finding-to-control mapping
│   │   └── update-coverage.py           # Coverage table generator
│   ├── 06-setup/                       # Preflight checks & validation
│   │   ├── preflight-check.sh
│   │   ├── preflight-check.py
│   │   ├── preflight-check.ps1
│   │   ├── validate-frida-scripts.sh
│   │   └── validate-shell-scripts.sh
│   ├── 07-tools/                       # Core analysis tools
│   │   ├── frida-exploit-helper.py
│   │   ├── generate-report.py
│   │   ├── rop-helper.py
│   │   ├── correlate-findings.py
│   │   ├── mobsf-api-scan.py
│   │   └── burp-findings-export.py
│   ├── auto-audit-static.sh           # Main workflow orchestrator
│   ├── audit-android-components.sh     # Component security audit
│   └── test-findings.json              # Sample report input
├── references/schemas/                    # 2 JSON schemas for report/finding contracts
└── references/ai-prompts/                 # AI-powered analysis prompts
    ├── java-security-analyzer.md         # Java code analysis prompts
    ├── native-binary-analyzer.md          # Native binary analysis prompts
    ├── exploit-generator.md              # Exploit PoC generation prompts
    └── report-enhancer.md                # Report enhancement prompts

🎓 Trigger Phrases

The skill activates when the user says:

• "audit this APK"
• "analyze android app"
• "mobile pentest"
• "APK security"
• "decompile APK"
• "android vulnerability assessment"
• "reverse engineer android"
• "modify APK"
• "bypass SSL pinning"
• "bypass root detection"
• "intent injection"
• "deep link abuse"

⚠️ Limitations

1. Dynamic analysis requires a device or emulator — Frida needs a running Android system
2. Some packers require manual unpacking — DexGuard 9+, Arxan may need interactive debugging
3. Android 14+ restrictions — Certain Intent behaviors require explicit -n package/activity flags
4. Frida version matching — frida-server on device must match frida-tools on host exactly
5. Flutter uses BoringSSL natively — Java SSL hooks don't work, need native hooks

📚 Standards Alignment

This skill is aligned with:

• OWASP MASTG — Mobile Application Security Testing Guide
• OWASP MASVS — Mobile Application Security Verification Standard
• Passive OSINT enrichment — Scope-controlled public evidence correlation for APK findings
• OWASP Mobile Top 10 2024 — Top 10 mobile risks
• CVSS 4.0 — Common Vulnerability Scoring System

🔐 OWASP Mobile Top 10 (2024)

ID	Category
M1	Improper Credential Usage
M2	Inadequate Supply Chain Security
M3	Insecure Authentication/Authorization
M4	Insufficient Input/Output Validation
M5	Insecure Communication
M6	Inadequate Privacy Controls
M7	Insufficient Binary Protections
M8	Security Misconfiguration
M9	Insecure Data Storage
M10	Insufficient Cryptography

🤝 Contributing

Contributions are welcome! Please see the references/ directory for areas that need expansion.

📄 License

Apache License 2.0 — See LICENSE for details.

👨‍💻 Author

DragonJAR SAS — https://www.DragonJAR.org

Experts in IT security services, proactive validation, and offensive security.

---

⚠️ Disclaimer: This skill is intended for authorized security testing only. Users must obtain proper authorization before conducting any security assessment. The authors are not responsible for misuse of this tool.