Hereβs your updated GitHub README with the new links properly organized:
A curated collection of learning resources to get started with Android application security, mobile app pentesting, and bug bounty hunting. This repository includes video tutorials, blog posts, hands-on labs, and practice materials for both Android and iOS platforms.
- Mobile Pentesting by Intigriti
- Hacker101 β Mobile Crash Course
- Android Bug Bounty Playlist
- How to Hack Android Apps (Frida)
- How to Bypass SSL Pinning
- How to Root Android Emulator in 2 Minutes
- Intercepting Android App Traffic with BurpSuite
- Mobile Application Pentesting
- Finding Sensitive Data in Android Apps with Nerdwell
- Exploiting Android Deep Links and Exported Components
- Mobile App Pentesting by Hacking Simplified
- Android Security Testing
- Full Android Penetration Testing Course Playlist
- Android App Penetration Testing - OWASP Top 10
- Bypass Biometrics in Mobile Apps
- Intercept traffic with Objection and Burp
- Hacking and Pentesting Android Apps
- Hacking and Pentesting iOS Apps
- Android Application Pen-testing Course
- Android Pentesting Checklist (HackTricks)
- Android Pentesting Checklist (GitHub)
- Awesome Mobile CTF Resources
- Mobile App Pentest Cheatsheet
- All Things Android Security
- Android Bug Bounty Reports & Resources
- @vaishalinagori112 on Medium
- @prasadraj954 on Medium
- B3nacβs Android Reports and Resources
- Oversecured Blog
- CorSecure Blog
- Frida Official Documentation
- SecurityBreached (Babayaga47)
- DeeSee's Android Security Resources
- Hacker101: Mobile Crash Course
- Mobisec Slides
- Bypassing Certificate Pinning (vavkamil)
- Android Hacking Primer
- OWASP Mobile Top Ten 2023 β fi5t
- Android SMS Stealer β Max Kersten
- Hacking SMS API via Static Analysis β Security Breached
- Bug Bounty Hunting Tips (Mobile Apps β Android Edition)
- Getting Started in Android Pentesting
- Exploiting Insecure Firebase DB
- Finding Leaked AWS Creds in Android Apps
- 200+ Bounty Payouts: SQLi in Content Providers
- 8 Ways to Bypass SSL Pinning in iOS
| Title | Speaker | Link |
|---|---|---|
| Pwning Android Apps at Scale | - | YouTube |
| Hacking Mobile Applications with Frida | David Coursey | YouTube |
| Unlocking secrets of proprietary software using Frida | - | YouTube |
| Hacking Banking app | - | YouTube |
| Conference Talks by Laurie Kirk | Laurie Kirk | YouTube Playlist |
- BeVigil - OSINT-based mobile app security scanner
- Frida PDF Guide (Google Drive)
- Frida script to bypass SSL pinning
- HEXTREE.IO - Mobile Security Resources
- APKLeaks - Extract secrets from APKs
| Category | Title | Link | Notes |
|---|---|---|---|
| Hardcoded credentials | Disclosure of all uploads via hardcoded api secret | HackerOne Report | - |
| WebView | Android security checklist: WebView | Blog Post | - |
| Insecure deeplinks | Account Takeover Via DeepLink | HackerOne Report | - |
| Sensitive information disclosure | HackerOne Report | - | |
| RCE/ACE | Why dynamic code loading could be dangerous for your apps: a Google example | Blog Post | - |
| RCE in TinyCards for Android | HackerOne Report | TinyCards made this report private | |
| Persistent arbitrary code execution in Android's Google Play Core Library | HackerOne Report | Details, explanation and the PoC | |
| CVE-2020-8913: Persistent arbitrary code execution in Google Play Core library | Blog Post | CVE-2020-8913 | |
| TikTok: three persistent arbitrary code executions and one theft of arbitrary files | Blog Post | Oversecured detects dangerous vulnerabilities in TikTok | |
| Memory corruption | Exploiting memory corruption vulnerabilities on Android | Blog Post | Includes PayPal example |
| Cryptography | Use cryptography in mobile apps the right way | Blog Post | - |
| SQL Injection | SQL Injection in Content Provider | HackerOne Report | - |
| Another SQL Injection in Content Provider | HackerOne Report | - | |
| Session theft | Steal user session | HackerOne Report | - |
| Steal files | Android security checklist: theft of arbitrary files | Blog Post | - |
| How to exploit insecure WebResourceResponse configurations | Blog Post | Includes Amazon apps example | |
| Vulnerable to local file steal, Javascript injection, Open redirect | HackerOne Report | - | |
| Token leakage due to stolen files via unprotected Activity | HackerOne Report | - | |
| Steal files due to exported services | HackerOne Report | - | |
| Steal files due to unprotected exported Activity | HackerOne Report | - | |
| Steal files due to insecure data storage | HackerOne Report | - | |
| Insecure local data storage, makes it easy to steal files | HackerOne Report | - | |
| Bypasses | Accidental $70k Google Pixel Lock Screen Bypass | Blog Post | - |
| Golden techniques to bypass host validations | HackerOne Report | - | |
| Two-factor authentication bypass due to vuln endpoint | HackerOne Report | - | |
| Another endpoint Auth bypass | HackerOne Report | - | |
| Bypass PIN/Fingerprint lock | HackerOne Report | - | |
| Bypass lock protection | HackerOne Report | - | |
| Bypass of biometrics security functionality | HackerOne Report | - | |
| XSS | HTML Injection in BatterySaveArticleRenderer WebView | HackerOne Report | - |
| XSS via SAMLAuthActivity | HackerOne Report | - | |
| XSS in ImageViewerActivity | HackerOne Report | - | |
| XSS via start ContentActivity | HackerOne Report | - | |
| XSS on Owncloud webview | HackerOne Report | - | |
| Privilege Escalation | 20 Security Issues Found in Xiaomi Devices | Blog Post | - |
| Discovering vendor-specific vulnerabilities in Android | Blog Post | - | |
| Common mistakes when using permissions in Android | Blog Post | - | |
| Two weeks of securing Samsung devices: Part 2 | Blog Post | - | |
| Two weeks of securing Samsung devices: Part 1 | Blog Post | - | |
| Intent Spoofing | HackerOne Report | - | |
| Access of some not exported content providers | HackerOne Report | - | |
| Access protected components via intent | HackerOne Report | - | |
| Fragment injection | HackerOne Report | - | |
| Javascript injection | HackerOne Report | - | |
| CSRF | Deeplink leads to CSRF in follow action | HackerOne Report | - |
| Case sensitive account collisions | overwrite account associated with email via android application | HackerOne Report | - |
| Intercept Broadcasts | Possible to intercept broadcasts about file uploads | HackerOne Report | - |
| Vulnerable exported broadcast reciever | HackerOne Report | - | |
| View every network request response's information | HackerOne Report | - | |
| Critical LFI vulnerability in Content Provider | Content Provider Local File Inclusion | POC Video | - |
| Name | Description | Link |
|---|---|---|
| Oversecured Vulnerable Android App (OVAA) | A vulnerable app showing modern security bugs in Android apps | GitHub |
| Damn Vulnerable Bank | Vulnerable Banking Application for Android | GitHub |
| InsecureShop | Intentionally Vulnerable Android Application | GitHub |
| Vuldroid | Vulnerable Android Application made with security issues | GitHub |
| InjuredAndroid | A vulnerable Android application with ctf examples based on bug bounty findings | GitHub |
| Android-InsecureBankv2 | Vulnerable Android application for learning about Android insecurities | GitHub |
| Damn Insecure and Vulnerable app (DIVA) | Damn Insecure and vulnerable App for Android | GitHub |
| OWASP-GoatDroid-Project | Fully functional training environment for Android security | GitHub |
| Sieve | Password Manager app showcasing common vulnerabilities | APK Download |
| Name | Description | Link |
|---|---|---|
| Android - PentestBook | Mobile pentesting resources | GitHub |
| Awesome-Android-Security | Curated list of Android security resources | GitHub |
| android-security-awesome | Collection of Android security resources | GitHub |
| Title | Description | Link |
|---|---|---|
| OWASP Mobile Top 10 2016 | Top mobile security risks | OWASP |
| OWASP Mobile Security Testing Guide | Comprehensive testing guide | GitHub |
| Android Applications Reversing 101 | Beginner's guide to Android reversing | Blog |
| Detect secret leaks in Android apps | Online detection tool | Website |
| Android Security Guidelines | Box's security guidelines | Documentation |
| Attacking Broadcast Receivers | Android security part 18 | Blog |
| Android WebView Vulnerabilities | Common WebView issues | Blog |
| Android APK Recon Setup | Setup and tips for recon | Blog |
| WebView addJavascriptInterface RCE | Remote code execution via WebView | Blog |
| Install PlayStore on Emulator | Guide for emulator setup | Medium |
| Android Bug Bounty Tips | Targeting mobile apps | Medium |
| Access to Protected Components | Oversecured blog post | Blog |
| Arbitrary Code Execution | Via third-party package contexts | Blog |
| Interception of Implicit Intents | Android security issue | Blog |
| Evernote Vulnerabilities | Universal XSS and cookie theft | Blog |
| Gaining Access to Content Providers | Android security issue | Blog |
| S.No | Title | Link | Notes |
|---|---|---|---|
| 1 | Drozer Installation and Basic Usage | Watch | |
| 2 | Android Component Testing with Drozer | Watch | |
| 3 | Content Provider Exploitation | Watch | Start at 3:04 |
| 4 | Advanced Drozer Techniques | Watch | |
| 5 | Practical Drozer Exploits | Watch | |
| 6 | Drozer for Penetration Testing | Watch | |
| 7 | Search all Drozer tutorials on YouTube | Search |
- Frida Playlist 1
- Frida Playlist 2
- Frida Playlist 3
- Frida Playlist 4
- Frida Tutorial - N2JtRXCofUU
- Frida Tutorial - R3ptGaFW1AU
- Frida Tutorial - 8PD6vRBgQrg
- Learn Objection Basics: YouTube Tutorial
- Pin Bypass via Objection: YouTube Guide
- Bypassing APK Detections:
- Multi-Part Series:
- APKTool β Decompile/modify APK (smali-level)
- Jadx / JD-GUI β Convert DEX to readable Java code
- MobSF β Automated static + dynamic scanner
- Androguard β Python tool for APK/DEX/smali analysis
- Bytecode Viewer β Reverse engineering with multiple decompilers
- ClassyShark β Explore APK classes/methods/manifest
- QARK β Detects security issues in APKs
- Enjarify / dex2jar β DEX to Java JAR conversion
- APKLeaks β Extract secrets, tokens, and URLs
- Frida β Hook/modify functions at runtime
- Objection β Runtime exploitation via Frida (no root required)
- Xposed / LSPosed β Framework for modifying app behavior
- Burp Suite β Intercept/modify network traffic
- Drozer β Android app attack framework
- Magisk β Systemless root; works with LSPosed modules
- ADB β Debugging bridge for Android device
- Logcat β Default Android logging system (
adb logcat) - Pidcat β Filtered Logcat output by package
- MatLog β GUI log reader (useful for non-rooted devices)
- XLog / Timber β In-app logging libraries used in apps
- Logd β Android logging daemon behind logcat
- Syslog β For rooted devices to log everything (system + kernel)
Feel free to raise issues or submit PRs to add more Android bug bounty and mobile hacking resources.