RE env for inspecting APKs
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Beau Kujath b95ad413fd tweaked root instructions 4 months ago
frida adding re env setup 1 year ago
jadx adding re env setup 1 year ago
root-android tweaked root instructions 4 months ago
setup_scripts tweaked root instructions 4 months ago
socks_setup shadowsocks setup and Android rooting steps 1 year ago
.gitmodules ng: Added NetGuard (ng) as a submodule. 1 year ago Update '' 1 year ago adding re env setup 1 year ago adding re env setup 1 year ago adding re env setup 1 year ago adding re env setup 1 year ago


Lab for reverse engineering APKs

RE environment for dynamic and static analysis of APKs


  1. mitmproxy
  2. Frida
  3. Genymotion
  4. Jadx
  5. apktool

Note: Setup scripts built and tested on Ubuntu 20


  1. Python3: sudo apt install python3
  2. pip3: sudo apt install python3-pip
  3. dev-tools: apt install build-essential)

Install Dynamic Analysis Tools

  1. Run install script for mitmproxy and genymotion emulator: ./
  2. Create and start Android emulated device in Genymotion OR attach physical rooted test Android device over USB.
  3. Make sure test device is accessible over adb with root access: adb shell -> su
  4. Run script to copy mitmproxy cert to be system cert on device: cd setup_scripts; ./
  5. Install frida: cd frida; ./
  6. Get frida-server binary then push to test Android device: ./
  7. Start frida-server on Android: adb shell -> su -> /data/local/tmp/frida-server &
  8. Verify frida is attaching to device over adb: frida-ps -U

Note: May need to mount Android filesystem as writable after step 3: adb shell; su; mount -o rw,remount /system

Capturing Live HTTPS from app

  1. Start mitmproxy on desktop: cd mitmprox; ./mitmweb
  2. Make sure test Android is connected to proxy: Settings -> Network -> Wi-Fi -> Click then hold down connected network -> Modify network -> (click) Advanced options drop down -> Set Proxy to "Manual" -> hostname = IP of desktop -> proxy port = 8080
  3. View decrypted traffic panel in mitmweb browser on desktop at: localhost:8081
  4. Visit any site in browser on Android to verify decryption is working

Use Frida to bypass SSL pinning and capture files accessed

  1. Make sure frida server is started on Android and verify connection: frida-ps -U
  2. Find name of app package to target with frida: adb shell pm list packages
  3. Bypass SSL for targeted app: frida -l frida_scripts/multiple_unpinning.js -U -f <package_id> --no-pause
  4. Trace files being opened by app on device: frida-trace -U -i open -f <package_id>

Note: Most Android apps do not need SSL pinning bypass for mitmproxy to work