A comprehensive list of CLI commands and shortcuts for Android bug bounty hunting, including ADB, Frida, Objection, and Drozer.
| Command | Description |
|---|---|
emulator -list-avds | List available Android Virtual Devices |
emulator -avd New-Pixel_4 -writable-system -no-snapshot | Start emulator with writable system |
emulator -avd Pixel_3a_Root -writable-system -no-snapshot -port 5560 | Start emulator on specific port |
| Command | Description |
|---|---|
docker run -it --rm -p 8000:8000 -p 1337:1337 -e MOBSF_ANALYZER_IDENTIFIER=emulator-5554 opensecurity/mobile-security-framework-mobsf:latest | Start MOBSF container |
| Command | Description |
|---|---|
adb shell pm list packages -3 | List 3rd party packages |
adb shell getprop ro.product.cpu.abi | Get device CPU architecture |
adb push frida-server /data/local/tmp/ | Push file to device |
adb -s emulator-5560 push C:\Users\HP\Downloads\frida-server /data/local/tmp | Push to specific emulator |
adb shell "chmod +x /data/local/tmp/frida-server" | Make frida-server executable |
adb shell "/data/local/tmp/frida-server &" | Start frida-server in background |
| Command | Description |
|---|---|
frida-ps -Uia | List running apps on USB device |
frida -U -f com.target.app --no-pause -l ssl-pinning-bypass.js | Inject script into app |
frida --codeshare dzonerzy/fridantiroot -f <package-name> -U | Use anti-root detection script |
frida --codeshare masbog/frida-android-unpinning-ssl -f <package-name> -U | Use SSL unpinning script |
| Command | Description |
|---|---|
objection-connect | Connect to device |
objection-patch <my.apk> | Patch APK for objection |
objection -g <package name> explore | Explore app with objection |
android root disable | Disable root detection |
android sslpinning disable | Disable SSL pinning |
android hooking watch class <package-name>.UserMainActivity | Watch class methods |
android hooking list classes | List all classes |
| Command | Description |
|---|---|
help | Show help menu with commands |
list | List all available modules |
run <module> | Run a specific module |
run app.package.list | List installed packages |
run app.package.attacksurface -a <package> | Show attack surface (exported components) |
run app.package.info -a <package> | Show detailed info about a package |
run app.activity.info -a <package> | List activities of an app |
run app.provider.info -a <package> | List content providers |
run app.service.info -a <package> | List services |
run app.broadcast.info -a <package> | List broadcast receivers |
run app.activity.start -a <package> -n <activity> | Start a specific activity |
run scanner.provider.injection -a <package> | Check for SQL injection in content providers |
run scanner.provider.access -a <package> | Check for content provider access issues |
run scanner.misc.debuggable -a <package> | Check if app is debuggable |
run scanner.misc.exportedcomponents -a <package> | Check for exported components |
run scanner.permissions.findleaks -a <package> | Find permission leaks |
run exploit.reinvokeactivity -a <package> -n <activity> | Exploit activity re-invocation |
run exploit.debug | Exploit debugging features |
run exploit.serial -a <package> | Check for serial number leaks |
run shell | Get a shell on the device |
run shell pm list packages | List all packages via shell |
run shell dumpsys package <package> | Get package dump information |
run file.list -p /path/ | List files in a directory |
run file.download -p <path> | Download file from device |
run app.package.dump -a <package> | Dump manifest & app details |
run scanner.activity.launcher -a <package> | Check for launcher activities |
run scanner.broadcast.receiver -a <package> | Scan for vulnerable broadcast receivers |
run scanner.service.exported -a <package> | Detect exported services |
run scanner.file.find -f <filename> | Find files matching filename |
run scanner.file.find -p <path> | Search files recursively under path |
run scanner.intent.receiver -a <package> | Test intent receivers for possible hijacking |
run scanner.intent.sender -a <package> | Test sending intents to apps |
run exploit.activity.intent -a <package> -n <activity> | Exploit vulnerable activity intents |
run exploit.provider.injection -a <package> | Exploit content provider SQL injection |
run exploit.provider.insert -a <package> | Insert malicious data into content provider |
run exploit.provider.delete -a <package> | Delete data via content provider |
run exploit.provider.update -a <package> | Update data via content provider |
run exploit.provider.query -a <package> | Query data via content provider |
run scanner.credentials.find | Find exposed credentials on device |
run scanner.storage.find | Find sensitive files in storage |
run scanner.intent.injection | Detect intent injection vulnerabilities |
run exploit.sharedprefs.read -a <package> -p <path> | Read shared preferences file |
run exploit.sharedprefs.write -a <package> -p <path> -k <key> -v <value> | Modify shared preferences |
run scanner.webview.loadurl | Test if app loads arbitrary URLs in WebView |
run scanner.webview.javascript | Detect vulnerable WebView JavaScript interfaces |
run exploit.ssl.trustmanager | Test SSL trust manager bypass |
run scanner.permission.injection | Check for permission escalation opportunities |
run exploit.permission.escalation | Try permission escalation |
run scanner.database.leak -a <package> | Detect database leaks |
run scanner.crypto.insecure -a <package> | Detect insecure crypto usage |
run scanner.network.manifest | Check for insecure network configurations in manifest |
run scanner.misc.nativecode | Check for native code usage that may be vulnerable |
run scanner.misc.screenshots | Detect if app allows screenshots |
run exploit.binding.command | Try to execute system commands via exported bindings |
