Author: Jai
Version: 2.5.2
This suite automates Android app pentesting and reverse engineering tasks. It provides a menu-driven interface for installing tools, managing emulators, interacting with devices, and running common security tests.
The suite provides the following 30 features via its menu:
- Install/verify tools (open installer): Install or verify all required tools in the ./tools directory.
- Check emulator root status: Check if connected emulator has root access and writable system partition.
- Setup emulator (Play Store + Root): Guide to setup Android emulator with Play Store and root access.
- Get PID for package name: Find the process ID for a given Android package name.
- Install APK via ADB: Install an APK file to the connected Android device using ADB.
- Uninstall APK via ADB: Uninstall an app from the device using its package name.
- Push file to device via ADB: Copy a file from your computer to the Android device.
- Pull file from device via ADB: Copy a file from the Android device to your computer.
- Collect device information: Gather information about the connected Android device.
- Setup Frida server (interactive): Interactive setup with version selection from GitHub releases.
- Stop Frida server on device: Stop/kill the Frida server process on the device.
- Get process list: List all running processes on the device.
- View/Save Logcat Output: View or save the device's logcat output.
- List installed packages: List all installed package names on the connected device.
- Dump app memory with fridump: Dump running app memory using fridump and Frida (requires package name/PID).
- APKTool decompile APK: Decompile an APK using APKTool.
- Run APKLeaks on APK: Scan an APK for secrets using APKLeaks.
- Extract app data directory: Extract the /data/data/ directory from the device (root required, 10min timeout with extension option).
- Run apk-components-inspector on APK: Analyze APK components using apk-components-inspector.
- Run frida-script-gen (generate Frida scripts): Generate Frida scripts using frida-script-gen tool.
- Run MobApp-Storage-Inspector on APK: Analyze APK storage using MobApp-Storage-Inspector.jar.
- Setup Burp Suite CA certificate: Install Burp Suite CA certificate to Android device/emulator for HTTPS interception.
- Objection Testing Suite: Comprehensive Android app testing with Objection framework.
- Create/Launch AVD with Magisk+Xposed (root, writable): Automate AVD creation and patching with Magisk and Xposed, with writable system and root.
- Sensitive Strings/Secrets Finder: Scan APK or decompiled code for sensitive strings, secrets, and credentials.
- Automated Backup/Restore: Backup and restore app data using ADB (root required for some apps).
- App Repackaging Utility: Repackage APKs after modification for testing or bypassing protections.
- Automated Uninstall/Cleaner: Uninstall app and optionally clean up related files and data.
- Deep Link Security Tester: Test deep links for Open Redirect, XSS, Path Traversal, SQL Injection, Auth Bypass, and Intent Injection vulnerabilities.
- Exit: Exit the Android Suite.
The Deep Link Security Tester provides:
- Extract deep links from AndroidManifest.xml (auto-discovers decompiled folder or auto-decompiles APK)
- 7 payload categories with 35+ test cases:
  - Open Redirect (8 payloads)
  - XSS Injection (5 payloads)
  - Path Traversal (4 payloads)
  - SQL Injection (4 payloads)
  - Auth Bypass (7 payloads)
  - File Access (4 payloads)
  - Intent Injection (5 payloads)
- Two testing modes:
  - Full Test Mode - Requires device/emulator, executes ADB commands, analyzes logcat for vulnerabilities
  - Offline Analysis Mode - No device required, generates reconnaissance report with ADB commands for manual testing
- Auto-discovery - Finds decompiled AndroidManifest.xml automatically
- Auto-decompile - Runs apktool if no manifest found
- Risk assessment - Categorizes findings by severity (HIGH/MEDIUM/LOW)
- Output - JSON reports + shell scripts with ADB test commands
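The manifest-extraction step of the Deep Link Security Tester, sketched as an added example (not the suite's own code): it parses a decompiled AndroidManifest.xml and lists each browsable URI pattern, marking those not backed by a verified App Link. The sample manifest and the names `extract_deep_links` and `SAMPLE_MANIFEST` are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from itertools import product
A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace

# Constructed sample in the form apktool emits; not taken from a real app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.demo">
  <application>
    <activity android:name=".LinkActivity" android:exported="true">
      <intent-filter android:autoVerify="true">
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="https" android:host="demo.example.com" android:pathPrefix="/open"/>
      </intent-filter>
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="demoapp" android:host="pay"/>
      </intent-filter>
    </activity>
    <activity android:name=".SettingsActivity" android:exported="false"/>
  </application>
</manifest>"""

def extract_deep_links(manifest_xml):
    """List every URI pattern reachable through a BROWSABLE intent filter."""
    root = ET.fromstring(manifest_xml)  # for untrusted APKs, defusedxml is the safer parser
    findings = []
    for tag in ("activity", "activity-alias"):
        for comp in root.iter(tag):
            for flt in comp.findall("intent-filter"):
                cats = {c.get(A + "name") for c in flt.findall("category")}
                if "android.intent.category.BROWSABLE" not in cats:
                    continue
                data = flt.findall("data")
                # Android matches attributes across all <data> elements of one filter.
                schemes = [d.get(A + "scheme") for d in data if d.get(A + "scheme")]
                hosts = [d.get(A + "host") for d in data if d.get(A + "host")] or [""]
                paths = [d.get(A + k) for d in data
                         for k in ("path", "pathPrefix", "pathPattern") if d.get(A + k)] or [""]
                verified = flt.get(A + "autoVerify") == "true"
                for s, h, p in product(schemes, hosts, paths):
                    findings.append({
                        "component": comp.get(A + "name"),
                        "uri": f"{s}://{h}{p}",
                        # No verified domain behind it: another app can declare the same filter.
                        "unverified": s not in ("http", "https") or not verified,
                    })
    return findings
```
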
```python
from android_pentest import AndroidPentester

p = AndroidPentester()

# Offline mode - just APK path (auto-discovers/decompiles manifest)
p.run_deeplink_offline_analysis(apk_path=r'path\to\app.apk')

# Full test mode - requires connected device
p.run_deeplink_security_test(apk_path=r'path\to\app.apk')
```

```bash
# Clone the repository
git clone https://github.com/Jaikumar3/Android-suite.git
cd Android-suite

# Install Python dependencies
pip install -r requirements.txt

# Run the tool
python main.py
```

- Select Option 1 to install/verify all required tools
- Connect your Android device or start an emulator
- Select any option (2-29) to start pentesting
When you select "Install/verify tools" from the menu, you’ll see these options:
- Standard installation: Python packages + Android SDK
- Install Android Studio Command Line Tools
- Install Android Emulator with AVD
- Install full Android Studio IDE
- Full installation (everything)
- Verify existing installation
- Default installer
- Recommended installation (best-practice setup)
The recommended installation sets up the most common tools and a preconfigured Android 12L (Sv2) x86_64 AVD with Google APIs.
These tools are installed automatically via Option 1 (Install/verify tools):
| Tool | Purpose |
|---|---|
| Android SDK | ADB, aapt, emulator |
| APKTool | Decompile APK resources |
| JADX | Decompile to Java source |
| Frida Server | On-device instrumentation |
| APKLeaks | Secrets scanning |
Manual requirement:
- Java 17+ - Required for JADX and MobApp-Storage-Inspector
- Windows, macOS, or Linux
- Python 3.8+
- Java 17+ (for MobApp-Storage-Inspector)
- Android SDK tools (installed via suite)
- If color output is missing, ensure `colorama` is installed (`pip install colorama`).
- For Java-based tools, install Java 17+ from Adoptium.
- For Frida/Objection, ensure device is rooted or use an emulator.
Pull requests and suggestions are welcome!
MIT License
See CHANGELOG.md for version history and release notes.
For more details, see the in-app help menu or comments in main.py and installer.py.