# Mobile Sec

## 00. Basic

* Secret Codes

```bash
## ------------------| Enable ADB + MTP
*#0808#
```

* Modem commands

```bash
## ------------------| Read basic info
AT+DEVCONINFO

## ------------------| Enter Download mode
AT+FUS?

## ------------------| Restart 
AT+CFUN=1,1
```

#### ADB Commands

```bash
## ------------------| Mount system as read and write
mount -o rw,remount /system

## ------------------| Install Split APKs
adb shell pm list packages | grep example
for f in $(adb shell pm path com.example | sed 's/package://g'); do adb pull "$f" .; done
adb install-multiple *.apk

## ------------------| List installed packages 
adb shell pm list packages -3

## ------------------| List installed packages with paths
adb shell pm list packages -3 -f

## ------------------| Find the app's install directory
pm dump com.example | grep codePath

## ------------------| Dump package info and find the library path
pm dump com.example | grep nativeLibraryDir

## ------------------| List system packages 
adb shell pm list packages -s
adb shell pm list packages | grep '<OEM/Carrier/App Name>'

## ------------------| Uninstall apk
adb shell pm uninstall -k --user 0 '<OEM/Carrier/App Name>'

## ------------------| Backup APK 
adb pull <PATH> app.apk

## ------------------| Dump package details (permissions, components, install info)
adb shell dumpsys package com.routerspace

## ------------------| Start Activity through ADB shell
adb shell am start -n com.routerspace/.MainActivity

## ------------------| List all debug-able apps
grep " 1 /" /data/system/packages.list

## ------------------| View ContentProvider
adb shell 'content query --uri content://com.routerspace/.MainActivity/users'

## ------------------| Global Proxy
adb shell settings put global http_proxy <IP>:<PORT>    ## Set Proxy
adb shell settings put global http_proxy :0             ## Remove Proxy
### No authentication
adb shell settings put global http_proxy <ip>:<port>
### With Authentication
adb shell settings put global http_proxy <ip>:<port>
adb shell settings put global global_http_proxy_host <ip>
adb shell settings put global global_http_proxy_port <port>
adb shell settings put global global_http_proxy_username <username>
adb shell settings put global global_http_proxy_password <password>
### Disable proxy
adb shell settings delete global http_proxy
adb shell settings delete global global_http_proxy_host
adb shell settings delete global global_http_proxy_port
adb shell settings delete global global_http_proxy_username
adb shell settings delete global global_http_proxy_password
adb shell settings delete global global_http_proxy_exclusion_list
adb shell settings delete global global_proxy_pac_url
adb shell reboot
```
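Added example, not part of this cheat sheet: a small Python parser that cross-checks `adb shell pm list packages -3 -f` output against `/data/system/packages.list` (the two sources the commands above query) and lists third-party apps flagged debuggable together with their APK paths. Both sample inputs are constructed, not captured from a device.

```python
# Constructed `pm list packages -3 -f` output: package:<apk path>=<package name>
PM_LIST_F = """\
package:/data/app/~~Ab12==/com.example.bank-xyz==/base.apk=com.example.bank
package:/data/app/~~Cd34==/com.example.game-abc==/base.apk=com.example.game
"""

# Constructed /data/system/packages.list lines; the first four fields are
# <package> <uid> <debuggable 0|1> <data dir>, followed by seinfo and gids
PACKAGES_LIST = """\
com.example.bank 10150 1 /data/user/0/com.example.bank default:targetSdkVersion=33 3003
com.example.game 10151 0 /data/user/0/com.example.game default:targetSdkVersion=33 3003,1023
com.android.shell 2000 0 /data/user/0/com.android.shell platform:privapp none
"""


def parse_pm_list_f(text):
    """Map package name -> APK path. Split on the LAST '=' because modern
    install dirs contain base64 padding (/data/app/~~Ab12==/...), so a
    naive split('=') would cut the path in the wrong place."""
    paths = {}
    for line in text.splitlines():
        if line.startswith("package:"):
            path, _, name = line[len("package:"):].rpartition("=")
            paths[name] = path
    return paths


def parse_packages_list(text):
    """Map package name -> uid/debuggable/data dir, by field position rather
    than by a `grep " 1 /"` pattern that can also match a data-dir substring."""
    pkgs = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 4:
            pkgs[f[0]] = {"uid": int(f[1]), "debuggable": f[2] == "1", "data": f[3]}
    return pkgs


def debuggable_third_party(pm_list_f=PM_LIST_F, packages_list=PACKAGES_LIST):
    """Return {package: apk path} for third-party apps flagged debuggable."""
    paths = parse_pm_list_f(pm_list_f)
    flags = parse_packages_list(packages_list)
    return {n: p for n, p in paths.items() if flags.get(n, {}).get("debuggable")}


if __name__ == "__main__":
    for name, apk in debuggable_third_party().items():
        print(f"{name} -> {apk}")
```

On a real device, feed the functions the output of `adb shell pm list packages -3 -f` and `adb shell cat /data/system/packages.list` (root required for the latter).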

***

## 01. Setup

#### 01.1 [Install Anbox on kali linux](https://dev.to/sbellone/how-to-install-anbox-on-debian-1hjd)

```bash
## ------------------| Setup
sudo apt install anbox
sudo apt install android-tools-adb
sudo /sbin/modprobe ashmem_linux
sudo /sbin/modprobe binder_linux
ls -1 /dev/{ashmem,binder}
wget https://build.anbox.io/android-images/2018/07/19/android_amd64.img
sudo mv android_amd64.img /var/lib/anbox/android.img
sudo service anbox-container-manager restart

# ------------------| Start 
anbox launch --package=org.anbox.appmgr --component=org.anbox.appmgr.AppViewActivity

# ------------------| Install F-Droid
wget https://f-droid.org/F-Droid.apk
adb install F-Droid.apk
```

#### 01.2 Installing Android on VMWare Workstation

```bash
# ------------------| Download ISO
## https://www.android-x86.org/

# ------------------| Setup VMWare and Install
## Choose "Other Linux 4.x" as the guest OS
## Advanced options... --> Auto_Installation --> Reboot

# ------------------| Fix boot-up freeze
## Step 01: In the GRUB menu, press e to edit the boot entry
## Step 02: Replace 'quiet' with 'nomodeset xforcevesa' and press Enter
## Step 03: Press b to boot
## Step 04: When the Android logo appears, press Alt+F1 to get a console
## Step 05: Make the change permanent with the following commands
mkdir /mnt/sda
mount /dev/block/sda1 /mnt/sda
vi /mnt/sda/grub/menu.lst
## Step 06: Replace 'quiet' with 'nomodeset xforcevesa' in menu.lst, save, and reboot
```

#### 01.3 Setup Android Studio Emulator on Apple Silicon (M1/M2)

> * Method I (Google Play API with Magisk Modules)

```bash
# ------------------| Download Command line tools
## Download command line tools from https://developer.android.com/studio
mkdir -p ~/Documents/Software/Android/sdk/cmdline-tools/latest/
mv cmdline-tools/* ~/Documents/Software/Android/sdk/cmdline-tools/latest/

# ------------------| Setup SDK
export ANDROID_AVD_HOME=~/.android/avd/
export ANDROID_HOME=~/Documents/Software/Android/sdk/
export ANDROID_SDK_ROOT=~/Documents/Software/Android/sdk/
export PATH=$PATH:$ANDROID_HOME/emulator:$ANDROID_HOME/tools:$ANDROID_HOME/tools/bin:$ANDROID_HOME/platform-tools
cd ~/Documents/Software/Android/sdk/cmdline-tools/latest/bin
./sdkmanager --list
./sdkmanager --install 'system-images;android-36;google_apis_playstore;arm64-v8a' 
./sdkmanager "platform-tools" "platforms;android-36"
./avdmanager create avd --name Pixel_7Pro --package "system-images;android-36;google_apis_playstore;arm64-v8a" --tag "google_apis_playstore" --abi "arm64-v8a" --device "pixel_7_pro"
~/Documents/Software/Android/sdk/emulator/emulator @Pixel_7Pro -no-snapshot-load -writable-system

# ------------------| Root 
git clone https://github.com/newbit1/rootAVD.git && cd rootAVD
## the ramdisk path is relative to $ANDROID_HOME and must match the system image installed above
./rootAVD.sh system-images/android-36/google_apis_playstore/arm64-v8a/ramdisk.img

# ------------------| Install Frida Modules
git clone https://github.com/ViRb3/magisk-frida.git && cd magisk-frida
python3 -m pip install requests
python3 main.py
adb push build/MagiskFrida-0.zip /sdcard/
## then install the ZIP from the Magisk app (Modules > Install from storage) and reboot

# ------------------| Virtual keyboard support
vi ~/.android/avd/Pixel_7Pro.avd/config.ini
## change hw.keyboard = yes
```

> * Method II (Google Play API Native Flash)

```bash
# ------------------| Download Command line tools
## Download command line tools from https://developer.android.com/studio
mkdir -p ~/Documents/Software/Android/sdk/cmdline-tools/latest/
mv cmdline-tools/* ~/Documents/Software/Android/sdk/cmdline-tools/latest/

# ------------------| Setup SDK
export ANDROID_HOME=~/Documents/Software/Android/sdk
export ANDROID_SDK_ROOT=$ANDROID_HOME
export ANDROID_AVD_HOME=~/.android/avd
export PATH=$PATH:$ANDROID_HOME/emulator
export PATH=$PATH:$ANDROID_HOME/tools
export PATH=$PATH:$ANDROID_HOME/tools/bin
export PATH=$PATH:$ANDROID_HOME/platform-tools
export PATH=$PATH:$ANDROID_HOME/cmdline-tools/latest/bin
cd ~/Documents/Software/Android/sdk/cmdline-tools/latest/bin
./sdkmanager --list
./sdkmanager --install 'system-images;android-30;google_apis;arm64-v8a' 
./sdkmanager "platform-tools" "platforms;android-30"
./avdmanager create avd --name Pixel_7Pro --package "system-images;android-30;google_apis;arm64-v8a" --tag "google_apis" --abi "arm64-v8a" --device "pixel_7_pro"
~/Documents/Software/Android/sdk/emulator/emulator @Pixel_7Pro -no-snapshot-load -writable-system

# ------------------| Root 
git clone https://github.com/newbit1/rootAVD.git && cd rootAVD
./rootAVD.sh system-images/android-30/google_apis/arm64-v8a/ramdisk.img

# ------------------| Make the system partition writable
wget https://github.com/wuxianlin/android_tools/raw/master/adbd-Insecure-v2.00.apk
adb install adbd-Insecure-v2.00.apk
adb reboot
adb root
adb remount
## Now you can write anything on /system

# ------------------| Install Google Play
## Download pico gapps
https://opengapps.org
unzip open_gapps-x86_64-6.0-pico-20170304.zip 
rm Core/setup*
lzip -d Core/*.lz
for f in Core/*.tar; do tar -x --strip-components 2 -f "$f"; done
adb remount
adb push etc /system
adb push framework /system
adb push app /system
adb push priv-app /system
adb shell stop
adb shell start

# ------------------| Virtual keyboard support
vi ~/.android/avd/Pixel_7Pro.avd/config.ini
## change hw.keyboard = yes
```

#### 01.4 Install BurpSuite Certificate

```bash
## ------------------| Using Magisk 
wget https://github.com/h4rithd/BurpSuitCert/releases/download/1.0.0/BurpSuiteCert.zip
adb push BurpSuiteCert.zip /data/local/tmp/
adb shell
su
magisk --install-module /data/local/tmp/BurpSuiteCert.zip
reboot

## ------------------| Manual Mode
## Export Burp's CA certificate in DER format as cacert.der, convert it to PEM and name it after its subject hash
openssl x509 -inform DER -in cacert.der -out cacert.pem
mv cacert.pem $(openssl x509 -inform PEM -subject_hash_old -in cacert.pem | head -1).0
## Push the file first, then copy it into the system store from a root shell (9a5ba575 is the hash printed above for the Burp CA)
adb push 9a5ba575.0 /sdcard/
adb shell
su
mount -o rw,remount /system
mv /sdcard/9a5ba575.0 /system/etc/security/cacerts/
chmod 644 /system/etc/security/cacerts/9a5ba575.0
```

#### 01.5 Other

* Auto-start `frida-server` at boot (Magisk `service.d` script)

```bash
#!/system/bin/sh
(
    while [ "$(getprop sys.boot_completed)" != "1" ]; do
        sleep 2
    done
    sleep 20
    /data/local/tmp/frida-server -D
    echo "Frida started at $(date)" >> /data/local/tmp/frida_boot.log
) &

### adb push start_frida.sh /data/local/tmp/start_frida.sh
### mv /data/local/tmp/start_frida.sh /data/adb/service.d/
### chmod +x /data/adb/service.d/start_frida.sh
### chown root:root /data/adb/service.d/start_frida.sh
### chmod 755 /data/local/tmp/frida-server
```

* Fix `NET::ERR_CERT_AUTHORITY_INVALID` Issue

```bash
### Get the base64-encoded SHA256 fingerprint of the certificate's public key (SPKI)
openssl x509 -in 9a5ba575.0 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
### Create a chflag file with the following content (the fingerprint below is the author's example; use the value printed above)
### chrome --ignore-certificate-errors-spki-list=<base64_encoded_fingerprint>
echo 'chrome --ignore-certificate-errors-spki-list=zbu8GKlP5w8KK7vU+fV059UOM7O1RKVOsz2Gdc3oB1Y=' > chflag
### Push the chflag file to the device, then copy it from a root shell to every command-line location Chrome and WebView read
adb push chflag /sdcard/chflag
adb shell
su
chmod 555 /sdcard/chflag
cp /sdcard/chflag /data/local/chrome-command-line
cp /sdcard/chflag /data/local/android-webview-command-line
cp /sdcard/chflag /data/local/webview-command-line
cp /sdcard/chflag /data/local/content-shell-command-line
cp /sdcard/chflag /data/local/tmp/chrome-command-line
cp /sdcard/chflag /data/local/tmp/android-webview-command-line
cp /sdcard/chflag /data/local/tmp/webview-command-line
cp /sdcard/chflag /data/local/tmp/content-shell-command-line
```

***

## 02. Other

### 02.1 Frida

```bash
## ------------------| List running apps
frida-ps -Ua

## ------------------| List installed apps
frida-ps -Uia

## ------------------| Auto-trace Java methods (Android)
frida-trace -U -j "com.package.ClassName!methodName"

## ------------------| Auto-trace ObjC methods (iOS)
frida-trace -U -m "-[ClassName *]" "AppName"

## ------------------| Auto-trace C functions (by name)
frida-trace -U -i "functionName" "AppName"

## ------------------| frida-trace to trace specific functions (quick)
frida-trace -U -i "SSL_*" -i "crypto_*" -n com.example.app

## ------------------| Spawn app and attach (resume)
frida -U -f com.example.app -l hook.js --no-pause

## ------------------| Attach to running process by name
frida -U -n com.example.app -l hook.js

## ------------------| Attach to running process by PID
frida -U -p 1234 -l hook.js

## ------------------| Remote device (adb forward first)
adb forward tcp:27042 tcp:27042
frida -H 127.0.0.1:27042 -n com.example.app -l hook.js
```

```javascript
// ------------------| [SCRIPT] Basic Android Root Bypass
// Save as root_bypass.js and load with 'frida -U -l root_bypass.js -f com.package.name'
Java.perform(function () {
    var RootClass = Java.use("com.app.security.RootDetector");
    RootClass.isDeviceRooted.implementation = function () {
        console.log("[+] Bypassing root detection!");
        return false;
    };
});

// ------------------| [SCRIPT] Find all loaded classes (Android)
// Run in Frida REPL (frida -U -f com.package.name)
Java.perform(function () {
    Java.enumerateLoadedClasses({
        onMatch: function (className) {
            console.log(className);
        },
        onComplete: function () {
            console.log("[+] Class enumeration complete.");
        }
    });
});

// ------------------| [SCRIPT] Trace all methods in a class (Android)
// Run in Frida REPL or save to file. Every overload is hooked separately:
// assigning .implementation on the bare wrapper throws for overloaded methods.
Java.perform(function () {
    var targetClass = 'com.package.name.TargetClass';
    var clazz = Java.use(targetClass);
    var seen = {};

    clazz.class.getDeclaredMethods().forEach(function (method) {
        var methodName = method.getName();
        if (seen[methodName]) return;   // getDeclaredMethods lists each overload on its own
        seen[methodName] = true;

        clazz[methodName].overloads.forEach(function (overload) {
            var sig = overload.argumentTypes.map(function (t) { return t.className; }).join(", ");
            console.log("[+] Hooking: " + methodName + "(" + sig + ")");
            overload.implementation = function () {
                console.log("[*] Called: " + targetClass + "." + methodName + "(" + sig + ")");
                return overload.apply(this, arguments);
            };
        });
    });
});

// ------------------| [SCRIPT] Dump strings from readable memory (useful quick)
// Run in Frida REPL or save to file. The filter means "at least readable", so
// 'r--' covers data ranges too; '--x' would only scan executable code.
Process.enumerateRanges('r--').forEach(function (r) {
    try {
        var s = r.base.readUtf8String(256);
        if (s && s.length > 4) console.log(r.base + " -> " + s);
    } catch (e) {}
});
```

#### Best Scripts

* [OneRule by h4rithd](https://codeshare.frida.re/@h4rithd/onerule-by-h4rithd/)

***

### 02.2 Magisk

#### Best Magisk Modules

| Name | Usage |
| --- | --- |
| [LSPosed](https://github.com/LSPosed/LSPosed) | Zygisk-based Xposed framework. Install module ZIP via Magisk, activate it in Zygisk > DenyList, then enable per-app hooks in the LSPosed app. |
| [BurpSuitCert](https://github.com/h4rithd/BurpSuitCert) | Systemlessly installs Burp Suite's CA cert. Flash the Magisk ZIP, reboot, and trust the Burp CA for HTTPS interception. |
| [MagiskHidePropsConf](https://github.com/Magisk-Modules-Repo/MagiskHidePropsConf) | Spoofs system props (e.g. fingerprint, device model). Install ZIP, use its GUI to set "safetynet" or "pixel" profiles, reboot. |
| [Shizuku](https://github.com/RikkaApps/Shizuku) | Run apps with elevated privileges via ADB or root. Install Shizuku APK, activate service (via Magisk module or ADB), grant permissions in-app. |
| [ZygiskNext](https://github.com/Dr-TSNG/ZygiskNext) | Extends Zygisk control/system patching. Install ZIP via Magisk, enable it, configure filters in its app. |
| [Zygisk-SSL-Unpinning](https://github.com/m0szy/Zygisk-SSL-Unpinning) | Bypasses SSL pinning automatically. Flash the ZIP, reboot, enable module in Zygisk and it hooks SSL at runtime. |
| [IAmNotADeveloper](https://github.com/xfqwdsj/IAmNotADeveloper) | Hides developer/dev debug flags. Flash ZIP, reboot, and it suppresses "developer" checks in apps. |
| [safetynet-fix](https://github.com/kdrag0n/safetynet-fix/releases) | Fixes SafetyNet attestation. Install release ZIP via Magisk, reboot, test with SafetyNet API. |
| [PlayIntegrityFork](https://github.com/osm0sis/PlayIntegrityFork) | Spoofs/bypasses Play Integrity API responses. Flash ZIP, reboot, and it hooks Play Integrity at runtime. |
| [Hide-My-Applist](https://github.com/Dr-TSNG/Hide-My-Applist) | Hides selected apps from detection. Install module, open its interface and pick which apps to conceal, reboot. |
| [Zygisk-Assistant](https://github.com/snake-4/Zygisk-Assistant) | UI manager for Zygisk modules. Flash module via Magisk, then use its app to order, enable/disable modules easily. |
| [KernelSU](https://github.com/tiann/KernelSU) | Kernel-level root alternative. Flash custom KernelSU ZIP (replacing Magisk), reboot to get root without Magisk footprints. |
| [APatch](https://github.com/bmax121/APatch) | Runtime app patching via Zygisk. Flash module, enable in Zygisk, use its interface to apply live patches (e.g. bypass checks). |

* Best Android RATs
  * <https://github.com/ScRiPt1337/Teardroid-phprat>
  * <https://github.com/D3VL/L3MON>
  * <https://github.com/anirudhmalik/xhunter>
  * <https://github.com/swagkarna/Rafel-Rat>

