Continuing from the previous post (Part 1: Android Mobile Penetration Testing), let’s install some important tools. The virtual device is used so that you can test a combination of different versions of android mobile devices and mobile operating systems for vulnerabilities with the tools mentioned in this post.


Android Studio

Download and Install Android SDK from

After installation, use Android SDK manager and install at least two of the android platforms (Android 10.0 – Q, Android 9.0 – Pie). Create virtual devices through Android Virtual Device Manager (AVD) Pixel 2 Android 9.0:

Fig-1 Creating Virtual Device

Fig:1 Creating Virtual Device


Start the virtual device once installed. It may look different to the below screenshot depending on Android device installed:

Fig-2 Virtual Device Pixel2

Fig:2 Virtual Device Pixel2



Download drozer_2.x.x.deb from

  1. Drozer may require other python packages like python-openssl, python-protobuf etc depending on existing Kali or any Linux distro (distributions). Install using apt-get as below:
    1. apt-get install python-twisted python-openssl python-protobuf
    2. dpkg -i drozer_2.4.4.deb
  1. Run drozer from a command line and verify – output should be as below:

Fig:3 Installing Drozer


Objection (Frida)

This is a Mobile Exploitation tool kit powered by Frida. It helps to assess the Mobile App without the need for Jail broken devices.

Install Objection (Frida) using the below from a command line:

pip3 install -U objection

Sometimes it may take little longer to install with its packages.

Fig-4 Completed Drozer installation

Fig:4 Completed Drozer installation



Install Jadx by downloading from the below Github location:


Damn Insecure and Vulnerable App for Android (DIVA)

Download DIVA Mobile App from the below Github location:


How are these Tools related?

As you may be aware, the Mobile App .apk file is another form of .zip file.

  1. To extract .apk to source code, rename the .apk file as .zip file.
  2. Extract the zip file into a directory of choice.

Fig-5 Extrating .apk file

Fig:5 Extrating .apk file

  1. Convert the extracted classes.dex to .jar using dex2jar:


Fig-6 Converting .dex to .jar

Fig:6 Converting .dex to .jar

  1. Run jadx-gui in terminal – the Graphical User Interface (GUI) will then open:


Fig-7 Extracting .jar to source codeFig:7 Extracting .jar to source code



Fig-8 Extracted Source code from jar using Jadx

Fig:8 Extracted Source code from jar using Jadx


  1. Alternatively, instead of using the dex2jar and jadx-gui, we can convert the apk to java source code in one step using apktool. This tool can be downloaded from the link

Fig-9 Extracting Source code from .apk using apktool

Fig:9 Extracting Source code from .apk using apktool


Install the Application (apk) into the Virtual Device

Run the below command:

adb -s emulator-5554 install Free\

Now the Free into Virtual Device:


Fig-10-After-installing-App-to-Virtual-Devicea.png Fig-10 After installing App to Virtual Device2

Fig:10 After installing App to Virtual Device



We have been focussing on different tools used in Mobile Security testing, its usage and how to install Mobile application into a virtual device in this post. In the coming weeks we will be further looking at different kind of vulnerabilities addressed in Mobile applications.

Join us in a partnership founded in research, education and execution

Our success is built on protecting our clients’ success. We have a distinguished track record of supporting our clients in building secure by design environments. Our consultants have successfully ushered in new security practices in leading pharmaceutical, energy and retail institutions. Bramfitt has over 50 specialists around the world and we are committed to forging long-term relationships with our clients, providing them with genuine insight and practical advice, and supporting them as they navigate the everchanging security landscape.

Let us be your partner for the next phase of your security journey.

EMEA Headquarters
Tower 42, 25 Old Broad Street London, EC2N 1HN
+44 (0) 208 187 4234
AMER Headquarters
45 Rockefeller Plaza, 20th Floor New York, NY 10111
+1 (800) 468-6046
APAC Headquarters
96 Wanneroo Rd, Yokine WA 6060, Australia
iasme consortium
iasme consortium
cyber essentials
cyber essentials plus
iot security assured
ukas iso 9001ukas iso 27001
Back to top
Get in touch