Penetrating a Mobile App: Unpacking, Root Bypass, Component Export & Data Leak Exploits
This article walks through a real‑world mobile app penetration, covering how to detect and strip protection, unpack the APK, bypass root checks, exploit exported components, extract unencrypted backups and credentials, and harvest leaked OSS tokens, all illustrated with concrete commands and screenshots.
Many recent penetration‑testing projects involve mobile applications, so this article shares practical app discovery and testing techniques based on real vulnerabilities found in the past year.
The first step is to check whether the APK is protected. Using an APK analysis tool, the author identified 360 protection, which could be stripped; however, frida‑dexdump failed because of frida‑specific detection, suggesting a modified frida build may be required.
Next, the author applied fundex and lsposed to unpack the APK. After launching the app, the unpacked .dex files appeared under /data/data/<package_name>. The package name was obtained with the am monitor command.
After unpacking, the dex files were compressed and downloaded to a local computer for further analysis.
The app also performed root detection. The author bypassed it with a popular Magisk plugin, allowing the app to run without triggering the root check.
Mobile apps consist of four main components. By inspecting the decompiled AndroidManifest.xml, the author found several components with android:exported="true". These can be invoked by any other app without authentication. Using the command
adb shell am start -n com.xx.apps.xxx/com.xxx.apps.xxx.ui.profile.Change
the author opened the password‑change activity without logging in, demonstrating how a malicious app could abuse exported components for phishing.
The author also discovered a backup configuration error: when android:allowBackup="true", the app data can be exported with
adb backup -noapk com.xxx.apps.xxxx -f es_backup.ab
Restoring this backup on another device logs in automatically, effectively bypassing credential entry.
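As an added example (not code from the original article), the following Python script audits a decompiled AndroidManifest.xml for the two misconfigurations just described: exported components that no permission guards, and android:allowBackup left enabled. The manifest it reads is a constructed sample, not the audited app's real manifest; the component names in it are placeholders.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed sample manifest (placeholder names, not the audited app's manifest).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
  <application android:allowBackup="true">
    <activity android:name=".ui.profile.ChangePasswordActivity" android:exported="true"/>
    <activity android:name=".ui.HiddenActivity"/>
    <service android:name=".SyncService" android:exported="true" android:permission="com.example.app.SYNC"/>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

def attr(elem, name):
    return elem.get(f"{{{ANDROID_NS}}}{name}")

def is_exported(comp):
    """Android's rule: an explicit android:exported wins; otherwise a component
    that declares an intent-filter is implicitly exported (targetSdk < 31)."""
    explicit = attr(comp, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return comp.find("intent-filter") is not None

def audit_manifest(xml_text):
    """Return the allowBackup state and exported components with no guarding permission."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    # android:allowBackup defaults to true when the attribute is absent.
    allow_backup = (attr(app, "allowBackup") or "true").lower() == "true"
    findings = []
    for comp in app:
        if comp.tag not in COMPONENT_TAGS or not is_exported(comp):
            continue
        # An exported component guarded by a permission cannot be started by arbitrary apps.
        if attr(comp, "permission") is None:
            findings.append((comp.tag, attr(comp, "name")))
    return {"allow_backup": allow_backup, "unprotected_exported": findings}

if __name__ == "__main__":
    result = audit_manifest(SAMPLE_MANIFEST)
    print("allowBackup enabled:", result["allow_backup"])
    for tag, name in result["unprotected_exported"]:
        print(f"unprotected exported {tag}: {name}")
```

Run it against the manifest produced by apktool to get a quick list of what to test with adb and what to flag for the developers (set android:exported="false" or add a permission, and set android:allowBackup="false" unless the backup is required).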
Many apps store credentials in plain text or with weak encoding (e.g., Base64, MD5). The author located a local SQLite database xxx1_5.db containing a useraccount table with usernames, passwords (MD5), phone numbers, and IDs. The MD5 hashes can be cracked via hash‑cracking tools.
Similar steps revealed plaintext log files containing sensitive information.
Beyond app‑specific issues, the author notes that many web‑style tests also apply. For example, an unrestricted file‑upload endpoint leaked temporary OSS credentials, which were used to access the storage bucket and view its contents.
All techniques demonstrated are for authorized security research only; unauthorized use is prohibited.
Black & White Path