Android App Penetration Testing & Frida Hooks

ADB Recon & Extraction: Mastering Android App Initial Assessment for Reverse Engineering

By Antigravity Research Published May 29, 2026 ⏱️ 8 Min Read
Google AdSense Native Placement - Horizontal Top-Post banner

Introduction to Android App Initial Assessment

In the intricate world of Android app reverse engineering and penetration testing, a thorough initial assessment is paramount. Before diving into complex dynamic analysis or static code scrutiny, understanding an application’s basic structure, permissions, and stored data can significantly streamline the entire process. This guide focuses on leveraging Android Debug Bridge (ADB) for reconnaissance and data extraction, alongside an introduction to Java Debug Wire Protocol (JDWP) for early-stage debugging, setting the stage for more advanced dynamic analysis tools like Frida.

Mastering these initial steps allows security researchers and reverse engineers to quickly identify potential attack surfaces, sensitive data locations, and interesting code paths, forming a solid foundation for deeper investigations.

Phase 1: ADB Reconnaissance – Gathering Intelligence

ADB is your primary Swiss Army knife for interacting with Android devices. It allows you to communicate with an emulator or a connected physical device, enabling a wide range of commands crucial for initial reconnaissance.

Identifying Package Information

The first step is often to list installed packages and then gather detailed information about your target application. Knowing the package name is fundamental.

# List all installed packages
adb shell pm list packages

# List third-party packages only
adb shell pm list packages -3

# Find a specific package (e.g., com.example.targetapp)
adb shell pm list packages | grep 'targetapp'

Once you have the package name, `dumpsys` is an invaluable tool to extract a wealth of information about its components, permissions, and configuration.

# Get detailed information about the package
adb shell dumpsys package com.example.targetapp

The output of `dumpsys package` is extensive, revealing declared permissions, activities, services, broadcast receivers, and content providers. Pay close attention to permissions marked as `dangerous` or `signature`, and identify exported components that might be accessible by other applications.

Exploring App Components

Understanding the app’s components helps map its attack surface. You can filter the `dumpsys` output to focus on specific component types:

# List all activities, services, receivers, and providers
adb shell dumpsys package com.example.targetapp | grep -E 'Activity|Service|Receiver|Provider'

Look for activities that might be exposed, services that run persistently, or content providers that could potentially leak sensitive data if misconfigured. Exported components (indicated by `exported=true` in their definition) are prime targets for inter-process communication (IPC) vulnerabilities.

Phase 2: Data Extraction – Retrieving Artifacts

Once you have a good understanding of the app’s structure, the next logical step is to extract its artifacts for static analysis and to look for locally stored sensitive data.

Pulling the APK

The application package (APK) file contains all the app’s code, resources, and manifest. Extracting it is essential for static analysis using tools like Jadx, Ghidra, or APKTool.

# 1. Find the APK path for the target app
adb shell pm path com.example.targetapp
# Expected output: package:/data/app/com.example.targetapp-XYZ==/base.apk

# 2. Pull the APK file to your current directory
adb pull /data/app/com.example.targetapp-XYZ==/base.apk .
# (Replace 'XYZ==' with the actual hash string from the previous command)

Accessing Internal Storage and Databases

Many Android applications store data in various locations within their private sandboxed directory, `/data/data/`. This can include databases (SQLite), shared preferences (XML files), and other arbitrary files. Accessing this directory usually requires root privileges or the app to be debuggable and using `run-as`.

# If the app is debuggable, use run-as to list its private directory contents
adb shell run-as com.example.targetapp ls -R

# Pull a specific SQLite database
adb shell run-as com.example.targetapp cat databases/my_app_db.db > my_app_db.db
# OR, if direct pull is allowed (e.g., on a rooted device)
adb pull /data/data/com.example.targetapp/databases/my_app_db.db .

# Pull shared preferences XML file
adb shell run-as com.example.targetapp cat shared_prefs/com.example.targetapp.xml > com.example.targetapp.xml
# OR, if direct pull is allowed
adb pull /data/data/com.example.targetapp/shared_prefs/com.example.targetapp.xml .

Reviewing these files often reveals API keys, user tokens, configuration settings, and other sensitive information that should not be stored client-side.

Phase 3: JDWP & Debugging Capabilities

Java Debug Wire Protocol (JDWP) is a crucial component of the Java Platform Debugger Architecture (JPDA), enabling debugging of Java applications. Android, being Java-based, utilizes JDWP. If an application is debuggable, it exposes a JDWP port, allowing debuggers to attach.

Understanding JDWP and Debuggable Apps

An Android app is debuggable if `android:debuggable=”true”` is set in its `AndroidManifest.xml`. While this is common for development builds, production apps should have it set to `false`. However, on rooted devices, you can often force any app to be debuggable:

# Enable debuggable globally (requires root & reboot)
adb shell setprop debug.force_debuggable 1
adb reboot

After reboot, all apps will be debuggable. You can confirm this by checking the app’s process entry in `dumpsys` or `ps` output for `D` flag (debuggable).

Port Forwarding for JDWP

To connect a debugger, you need to forward the JDWP socket from the device to your host machine. First, find the process ID (PID) of your target application:

# Find the PID of your target app
adb shell ps -ef | grep com.example.targetapp
# Sample output: u0_a123    1234  123 1234560 123456 ffffff S com.example.targetapp
# Here, 1234 is the PID.

Now, forward the JDWP port. The JDWP socket for a process is typically exposed as `jdwp:`.

# Forward local port 8000 to the app's JDWP debugger port
adb forward tcp:8000 jdwp:1234
# (Replace 1234 with the actual PID)

Connecting with `jdb`

With the port forwarded, you can use the standard Java debugger (`jdb`) to connect and start debugging:

# Connect jdb to the forwarded port
jdb -attach localhost:8000

Inside `jdb`, you can set breakpoints, inspect variables, and step through code. This provides a dynamic view of the application’s execution flow. Useful `jdb` commands include:

  • `classes`: List loaded classes.
  • `methods `: List methods in a class.
  • `stop in .`: Set a breakpoint at a method entry.
  • `stop at :`: Set a breakpoint at a specific line.
  • `cont` or `run`: Continue execution.
  • `step`: Step into the next line.
  • `next`: Step over the next line.
  • `print `: Print the value of a variable.
> stop in com.example.targetapp.MainActivity.onCreate
Set breakpoint com.example.targetapp.MainActivity.onCreate
> cont

Breakpoint hit: "thread=main", com.example.targetapp.MainActivity.onCreate(), line=50 bci=0
50            setContentView(R.layout.activity_main);

> print this
 this = instance of com.example.targetapp.MainActivity(id=12345)

While `jdb` offers basic debugging, its command-line interface can be cumbersome for complex scenarios. It’s often used to verify debuggability or to gain initial insights before switching to more powerful tools.

Bridging to Dynamic Analysis with Frida

The initial assessment with ADB and JDWP lays a critical groundwork for advanced dynamic analysis. While JDWP provides low-level debugging capabilities, Frida offers unparalleled power for dynamic instrumentation, allowing you to hook into functions, modify arguments, and even inject custom code at runtime, regardless of debuggable flags (on rooted devices).

Why Frida after JDWP/ADB?

JDWP, especially via `jdb`, has limitations: it’s often slow, lacks powerful scripting capabilities, and can be difficult to use for complex runtime modifications. Frida, on the other hand, excels at:

  • **Runtime Instrumentation:** Hooking any function (native or Java), modifying its behavior, and inspecting data in real-time.
  • **Bypassing Security Controls:** Dynamically patching SSL pinning, root detection, or obfuscation.
  • **Scriptability:** Writing powerful JavaScript hooks to automate complex tasks.

The reconnaissance phase helps you identify target classes, methods, and sensitive data flows. For instance, if `dumpsys package` revealed a peculiar `BroadcastReceiver` or static analysis of the APK pointed to an interesting `LoginManager.authenticate()` method, these become prime targets for Frida hooks.

Preparing for Frida Hooks

Your ADB recon provides the package name (`com.example.targetapp`), and your static analysis of the pulled APK identifies specific classes and methods. This information is directly fed into your Frida scripts. For example, to hook a `login` method identified during initial recon:

// frida_login_hook.js
Java.perform(function () {
    var LoginManager = Java.use('com.example.targetapp.LoginManager');

    LoginManager.authenticate.overload('java.lang.String', 'java.lang.String').implementation = function (username, password) {
        console.log("[*] LoginManager.authenticate called!");
        console.log("[+] Username: " + username);
        console.log("[+] Password: " + password);

        // You can modify arguments here before calling the original method
        // let modifiedUsername = "eviluser";
        // let modifiedPassword = "evilpass";

        // Call the original method
        var result = this.authenticate(username, password);

        console.log("[*] Original authenticate result: " + result);
        // You can modify the return value here
        // return true;
        return result;
    };
});
# Execute the Frida script
frida -U -f com.example.targetapp -l frida_login_hook.js --no-pause

This seamless transition from basic ADB commands and JDWP to advanced Frida scripting exemplifies the iterative nature of app reverse engineering. Each phase builds upon the last, providing deeper insights and more powerful control over the target application.

Conclusion

Mastering the initial assessment phase of Android app reverse engineering with ADB and JDWP is fundamental. By meticulously performing reconnaissance and data extraction, you gain a clear understanding of an application’s architecture, potential vulnerabilities, and sensitive data handling. These insights are not merely steps but essential prerequisites that empower you to design more effective and targeted dynamic analysis strategies with powerful tools like Frida. This systematic approach ensures that your reverse engineering efforts are efficient, comprehensive, and ultimately, successful.

Android Mobile Specs & Compare Directory

Are you researching mobile hardware properties, processor SoCs, GPU chipsets, or RAM configurations? Access our complete specs catalog to compare up to 5 devices side-by-side!

Compare Devices Specs →
Google AdSense Inline Placement - Content Footer banner
Tags: #ADB #Android Security #Frida #JDWP #Reverse Engineering

Related Technical Guides

DIY RE Sandbox: Crafting Your Custom Automated Android APK Analysis Environment

May 29, 2026

Automating Root Bypass: Building a Dynamic Frida Script for Android App Pen Testing

May 30, 2026

Advanced Frida: Tracing and Modifying Android IPC Calls in Real-Time

May 29, 2026