🤖 Android Mobile AppSec Labs — AndroGoat and OWASP Crackmes

Intro: Android is usually the easiest place to start hands-on mobile AppSec because the emulator and reverse-engineering workflow are accessible. This page gives you a practical Android lab path that stays useful for Product Security and AppSec review work.

What this page includes

how to set up Android mobile security labs;

when to use AndroGoat versus OWASP crackmes;

example commands for install, run, and review;

what to document after each lab.

Best lab choices

AndroGoat

Use AndroGoat when you want a broad vulnerability playground with issues such as:

certificate pinning mistakes;
unsafe custom URL schemes;
Android Network Security Configuration problems;
WebView issues;
root detection and bypass scenarios;
other common Android mobile weaknesses.

OWASP MAS crackmes / UnCrackable Apps

Use OWASP crackmes when you want focused reverse-engineering and tamper-resistance exercises.

These are excellent for learning:

repackaging awareness;
root detection bypass;
string extraction;
runtime instrumentation;
simple anti-tamper patterns.

Local setup

Base requirements

Android Studio or an emulator-capable environment;
adb;
jadx;
apktool;
optionally Frida and objection.

Install tooling

brew install jadx apktool
python3 -m pip install frida-tools objection
adb start-server
adb devices

AndroGoat quick start

Clone and build

git clone https://github.com/satishpatnayak/AndroGoat.git
cd AndroGoat

If you use Android Studio, import the project and build a debug APK from the IDE.

Install the app to an emulator

adb install app-debug.apk
adb shell pm list packages | grep -i goat

Basic triage workflow

jadx -d jadx-out app-debug.apk
apktool d app-debug.apk -o apktool-out
adb logcat | grep -i -E 'token|auth|error|ssl|pin'

OWASP crackmes quick start

Example device install

adb install UnCrackable-Level1.apk
adb shell monkey -p sg.vantagepoint.uncrackable1 1

Example static review

jadx -d uc1-jadx UnCrackable-Level1.apk
strings UnCrackable-Level1.apk | head -50

Example runtime instrumentation sanity check

frida-ps -U
objection -g sg.vantagepoint.uncrackable1 explore

What to focus on as a Product Security reviewer

Do not stop at “I bypassed it.” Ask:

is the issue only a local hardening weakness, or does it expose reusable authority?
would this weaken fraud controls, API trust, or secret protection?
is the root cause the mobile app, the backend API, or both?
what would the release criterion be for a high-risk app versus a low-risk app?

Suggested exercise progression

Exercise 1 — Android manifest review

Look for:

exported activities;
backup settings;
debuggable flags;
network security configuration;
dangerous permissions.

Exercise 2 — storage and logs

adb shell run-as <package.name> ls -R .
adb shell logcat -d > android-logcat.txt

Exercise 3 — transport and trust

Use an emulator proxy or device proxy and verify:

certificate validation behavior;
pinning behavior;
cleartext allowance;
WebView remote content behavior.

Exercise 4 — reverse engineering and tampering

Use crackmes to build comfort with:

identifying security-relevant classes;
patching assumptions in a training environment;
documenting what the app wrongly trusts.

Common mistakes

trying to solve every reverse-engineering puzzle before understanding the app flow;
confusing local hardening with backend authorization;
treating emulator-only observations as if they always imply remote compromise;
forgetting to document reproduction steps and fix ownership.

Cross-links

---Author attribution: Ivan Piskunov, 2026 - Educational and defensive-engineering use.