
Android Pentesting Tricks
Drop in Frida hook templates to bypass SSL pinning and root checks, trace methods, and debug WebViews while pentesting your own Android app before release.
Overview
Android Pentesting Tricks is an agent skill for the Ship phase that provides ready-to-use Frida scripts for SSL pinning bypass, root detection bypass, tracing, and WebView debugging on Android test builds.
Install
npx skills add https://github.com/yaklang/hack-skills --skill android-pentesting-tricks
What is this skill?
- Universal SSL pinning bypass hooks TrustManager and OkHttp3 CertificatePinner
- Root detection bypass patterns for common Android checks
- Method tracing and crypto hook templates for runtime inspection
- WebView debugging helpers for hybrid app surfaces
- Companion reference—assumes main Android pentesting SKILL.md methodology is already loaded
Adoption & trust: 1.1k installs on skills.sh; 980 GitHub stars; 1/3 security scanners passed (skills.sh audits).
What problem does it solve?
You are security-testing an Android app and keep rewriting the same Frida hooks for pinning, root checks, and crypto instead of running a structured assessment.
Who is it for?
Solo developers or small teams with Frida experience pentesting their own Android APKs on lab devices.
Skip if: you are a builder without Android security context, the target is a third-party app you are not authorized to test, or your team wants automated CI SAST without dynamic instrumentation.
When should I use this skill?
Load when you need ready-to-use Frida scripts for Android application testing and the main Android pentesting SKILL.md methodology is already in context.
What do I get? / Deliverables
You attach proven Frida templates during authorized tests so you can observe traffic and behavior, then feed findings back into hardening before launch.
- Runnable Frida .js templates for pinning, root, trace, and crypto hooks
- Documented hook points aligned to common Android security controls
Journey fit
Mobile security hardening and validation belong in Ship when you test real builds, not during initial UI scaffolding. Security subphase covers appsec review and controlled offensive checks on artifacts you are about to ship.
How it compares
Use as a Frida script cookbook layered on the main Android pentesting SKILL.md—not a replacement for threat modeling or store compliance checklists.
Common Questions / FAQ
Who is android-pentesting-tricks for?
Mobile indie builders and security-minded developers who run authorized dynamic analysis on Android apps with Frida and need vetted hook templates.
When should I use android-pentesting-tricks?
In Ship security while validating release candidates—after you have a test build and before you publish to app stores or enterprise distribution.
Is android-pentesting-tricks safe to install?
Treat hooks as powerful instrumentation; review the Security Audits panel on this page and only run against apps and environments you are permitted to test.
SKILL.md - Android Pentesting Tricks
# Frida Script Templates for Android Testing

> **AI LOAD INSTRUCTION**: Load this when you need ready-to-use Frida scripts for Android application testing. Covers SSL pinning bypass, root detection bypass, method tracing, crypto hooks, and WebView debugging. Assumes the main [SKILL.md](./SKILL.md) is already loaded for general Android testing methodology.

---

## 1. UNIVERSAL SSL PINNING BYPASS

```javascript
// frida_ssl_bypass.js — hooks multiple SSL validation points
Java.perform(function() {
    // Hook TrustManager
    var TrustManager = Java.registerClass({
        name: 'com.frida.TrustManager',
        implements: [Java.use('javax.net.ssl.X509TrustManager')],
        methods: {
            checkClientTrusted: function(chain, authType) {},
            checkServerTrusted: function(chain, authType) {},
            getAcceptedIssuers: function() { return []; }
        }
    });

    var SSLContext = Java.use('javax.net.ssl.SSLContext');
    SSLContext.init.overload(
        '[Ljavax.net.ssl.KeyManager;',
        '[Ljavax.net.ssl.TrustManager;',
        'java.security.SecureRandom'
    ).implementation = function(km, tm, sr) {
        this.init(km, [TrustManager.$new()], sr);
    };

    // Hook OkHttp3 CertificatePinner
    try {
        var CertPinner = Java.use('okhttp3.CertificatePinner');
        CertPinner.check.overload('java.lang.String', 'java.util.List')
            .implementation = function(hostname, peerCerts) {
                return; // skip pinning check
            };
    } catch(e) {}

    // Hook OkHttp3 CertificatePinner.check$okhttp
    try {
        var CertPinner = Java.use('okhttp3.CertificatePinner');
        CertPinner['check$okhttp'].implementation = function(hostname, fn) {
            return;
        };
    } catch(e) {}

    // Hook HttpsURLConnection
    try {
        var HttpsConn = Java.use('javax.net.ssl.HttpsURLConnection');
        HttpsConn.setSSLSocketFactory.implementation = function(factory) {
            return; // prevent custom factory
        };
        HttpsConn.setHostnameVerifier.implementation = function(verifier) {
            return; // prevent custom verifier
        };
    } catch(e) {}

    console.log('[+] SSL Pinning bypassed');
});
```

---

## 2. ROOT DETECTION BYPASS

```javascript
// frida_root_bypass.js — comprehensive root detection bypass
Java.perform(function() {
    // Hook File.exists for su binary checks
    var File = Java.use('java.io.File');
    var rootPaths = ['/system/xbin/su', '/sbin/su', '/system/bin/su',
                     '/system/su', '/data/local/xbin/su', '/data/local/bin/su',
                     '/su/bin/su', '/magisk/.core/bin/su'];

    File.exists.implementation = function() {
        var path = this.getAbsolutePath();
        for (var i = 0; i < rootPaths.length; i++) {
            if (path === rootPaths[i]) {
                console.log('[Root Bypass] File.exists blocked: ' + path);
                return false;
            }
        }
        return this.exists();
    };

    // Hook Build.TAGS
    var Build = Java.use('android.os.Build');
    Build.TAGS.value = 'release-keys';

    // Hook PackageManager for Magisk/SuperSU detection
    var PM = Java.use('android.app.ApplicationPackageManager');
    var rootPackages = ['com.topjohnwu.magisk', 'eu.chainfire.supersu',
                        'com.koushikdutta.superuser', 'com.noshufou.android.su'];

    PM.getPackageInfo.overload('java.lang.String', 'int').implementation = function(name, flags) {
        for (var i = 0; i < rootPackages.length; i++) {
            if (name === rootPackages[i]) {
                console.log('[Root Bypass] PM.getPackageInfo blocked: ' + name);
                throw Java.use('android.content.pm.PackageManager$NameNotFoundException').$new(name);
            }
        }
        return this.getPackageInfo(name, flags);
    };

    // Hook Runtime.exec for "which su" checks
    var Runtime = Java.use('java.lang.Runtime');
    Runtime.exec.overload('java.lang.String').implementation = function(cmd) {