# Android Mobile AppSec Labs — AndroGoat and OWASP Crackmes

> **Intro:** Android is usually the easiest place to start hands-on mobile AppSec because the emulator and reverse-engineering workflow are accessible. This page gives you a practical Android lab path that stays useful for Product Security and AppSec review work.
>
> **What this page includes**
>
> * how to set up Android mobile security labs;
> * when to use AndroGoat versus OWASP crackmes;
> * example commands for install, run, and review;
> * what to document after each lab.

## Best lab choices

### AndroGoat

Use AndroGoat when you want a **broad vulnerability playground** with issues such as:

* certificate pinning mistakes;
* unsafe custom URL schemes;
* Android Network Security Configuration problems;
* WebView issues;
* root detection and bypass scenarios;
* other common Android mobile weaknesses.

### OWASP MAS crackmes / UnCrackable Apps

Use OWASP crackmes when you want **focused reverse-engineering and tamper-resistance exercises**.

These are excellent for learning:

* repackaging awareness;
* root detection bypass;
* string extraction;
* runtime instrumentation;
* simple anti-tamper patterns.

## Local setup

### Base requirements

* Android Studio or an emulator-capable environment;
* `adb`;
* `jadx`;
* `apktool`;
* optionally Frida and objection.

### Install tooling

```bash
brew install jadx apktool
python3 -m pip install frida-tools objection
adb start-server
adb devices
```

## AndroGoat quick start

### Clone and build

```bash
git clone https://github.com/satishpatnayak/AndroGoat.git
cd AndroGoat
```

If you use Android Studio, import the project and build a debug APK from the IDE.

### Install the app to an emulator

```bash
adb install app-debug.apk
adb shell pm list packages | grep -i goat
```

### Basic triage workflow

```bash
jadx -d jadx-out app-debug.apk
apktool d app-debug.apk -o apktool-out
adb logcat | grep -i -E 'token|auth|error|ssl|pin'
```

## OWASP crackmes quick start

### Example device install

```bash
adb install UnCrackable-Level1.apk
adb shell monkey -p sg.vantagepoint.uncrackable1 1
```

### Example static review

```bash
jadx -d uc1-jadx UnCrackable-Level1.apk
strings UnCrackable-Level1.apk | head -50
```

### Example runtime instrumentation sanity check

```bash
frida-ps -U
objection -g sg.vantagepoint.uncrackable1 explore
```

## What to focus on as a Product Security reviewer

Do not stop at “I bypassed it.” Ask:

* is the issue only a local hardening weakness, or does it expose reusable authority?
* would this weaken fraud controls, API trust, or secret protection?
* is the root cause the mobile app, the backend API, or both?
* what would the release criterion be for a high-risk app versus a low-risk app?

## Suggested exercise progression

### Exercise 1 — Android manifest review

Look for:

* exported activities;
* backup settings;
* debuggable flags;
* network security configuration;
* dangerous permissions.
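One way to turn this checklist into a repeatable check is to parse the `AndroidManifest.xml` that `apktool d` writes to `apktool-out/`. The script below is an added example, not code from AndroGoat or the OWASP crackmes; the sample manifest, the `com.example.lab` package and the short `DANGEROUS` list are constructed assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# Assumed subset of dangerous-level permissions; extend it for your review.
DANGEROUS = {"READ_SMS", "SEND_SMS", "READ_CONTACTS", "ACCESS_FINE_LOCATION",
             "RECORD_AUDIO", "CAMERA", "READ_CALL_LOG", "READ_EXTERNAL_STORAGE"}

# Constructed sample manifest (not taken from AndroGoat or the crackmes).
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.lab">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:debuggable="true"
      android:networkSecurityConfig="@xml/network_security_config">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <activity android:name=".AdminActivity" android:exported="true"/>
    <activity android:name=".DeepLinkActivity">
      <intent-filter><action android:name="android.intent.action.VIEW"/></intent-filter>
    </activity>
    <provider android:name=".NotesProvider" android:exported="false"/>
  </application>
</manifest>"""

def audit_manifest(xml_text):
    """Return (check, detail) findings for the Exercise 1 checklist."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    findings = []
    if app.get(ANDROID + "debuggable") == "true":
        findings.append(("debuggable", "application"))
    # allowBackup defaults to true when the attribute is absent.
    if app.get(ANDROID + "allowBackup", "true") == "true":
        findings.append(("allowBackup", "application"))
    nsc = app.get(ANDROID + "networkSecurityConfig", "not declared")
    findings.append(("network-security-config", nsc))  # informational: review this file next
    for tag in ("activity", "activity-alias", "service", "receiver", "provider"):
        for comp in app.iter(tag):
            exported = comp.get(ANDROID + "exported")
            # Before Android 12, an intent-filter implied exported=true.
            implicit = exported is None and comp.find("intent-filter") is not None
            if (exported == "true" or implicit) and comp.get(ANDROID + "permission") is None:
                findings.append(("exported", comp.get(ANDROID + "name")))
    for perm in root.iter("uses-permission"):
        name = perm.get(ANDROID + "name", "")
        if name.rsplit(".", 1)[-1] in DANGEROUS:
            findings.append(("dangerous-permission", name))
    return findings
```

To use it on a lab app, pass the text of `apktool-out/AndroidManifest.xml` to `audit_manifest`. The launcher activity always shows up as exported and is expected; the other exported components are the ones to trace in the `jadx` output.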

### Exercise 2 — storage and logs

```bash
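# run-as only works when the installed build is debuggable.
adb shell run-as <package.name> ls -R .
# Dump the current log buffer to a file for offline review.
adb shell logcat -d > android-logcat.txt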
```

### Exercise 3 — transport and trust

Use an emulator proxy or device proxy and verify:

* certificate validation behavior;
* pinning behavior;
* cleartext allowance;
* WebView remote content behavior.

### Exercise 4 — reverse engineering and tampering

Use crackmes to build comfort with:

* identifying security-relevant classes;
* patching assumptions in a training environment;
* documenting what the app wrongly trusts.

## Common mistakes

* trying to solve every reverse-engineering puzzle before understanding the app flow;
* confusing local hardening with backend authorization;
* treating emulator-only observations as if they always imply remote compromise;
* forgetting to document reproduction steps and fix ownership.

## Cross-links

* [Mobile Security Lab Track — NowSecure, iOS, and Android Learning Flow](/learning-labs-interview-and-templates/index-2/mobile-security-lab-track-nowsecure-ios-and-android.md)
* [NowSecure Mobile AppSec Learning Flow](/learning-labs-interview-and-templates/index-2/nowsecure-mobile-appsec-learning-flow.md)
* [Mobile Application Security Testing](/application-security-and-secure-sdlc/index-1/mobile-application-security-testing.md)

---

*Author attribution: Ivan Piskunov, 2026 - Educational and defensive-engineering use.*


