i AndroTickler – Java Tool Pentest Android Apps Faster – All things in moderation

AndroTickler – Java Tool Pentest Android Apps Faster

AndroTickler Overview

A java tool that helps to pentest Android apps faster, more easily and more efficiently. AndroTickler offers many features of information gathering, static and dynamic checks that cover most of the aspects of Android apps pentesting. It also offers several features that pentesters need during their pentests. AndroTickler also integrates with Frida to provide method tracing and manipulation. It was previously published under the name of Tickler.

AndroTickler requires a linux host and a rooted Android device connected to its USB port. The tool does not install anything on the Android device, it only creates a Tickler directory on /sdcard . AndroTickler depends on Android SDK to run commands on the device and copy app’s data to TicklerWorkspace directory on the host for further analysis. TicklerWorkspace is the working directory of AndroTickler and each app has a separate subdirectory in TicklerWorkspace which can contain the following (depending on user actions):
– DataDir directory: a copy of the data directory of the app
– Extracted directory: Output of apktool on the app, contains smali code, resources, libraries…etc.
– BgSnapshots directory: Contains background snapshots copied from the device.
– Images directory: contains any screenshots taken for the app.
– JavaCode directory: Contains app’s Java code decompiled by dex2jar and JD tools
– Logs directory: contains log files produced by -t -log, as explained below
– Transfers: files and directories copied from the device to the host using -copy2host
– AndroidManifest.xml: The manifest file of the app as per apktool
– Base.apk: the APK file of the app, installed on the device
– Debuggable.apk: a debuggable version of the app, produced by -dbg

libs directory and Tickler.conf configuration file exist in the same directory of the jar file. The configuration file sets the location of TicklerDir directory on the host and Tickler on /sdcard of the android device. If the configuration file does not exist or these 2 directories are not set, then default values will be used (Tickler_workspace on the current directory and /sdcard/Tickler respectively). Tickler_lib directory contains some Java libraries and external tools used by AndroTickler such as apktool and dex2jar.

AndroTickler highly depends on the following tools, so they should exist on your machine before using it:
– Java 7 or higher
– Android SDK tools (adb and friends)
– Sqlite3
Other tools are required for some features, but AndroTickler can still run without them:
– Frida
– Jarsigner

How to use it
1. Build tool from code
2. Move AndroTickler.jar is to the same directory as Tickler_lib directory and Tickler.conf file (automatically created in build/libs)
3. Connect your Android device with the application-to-test installed on

Command help
java -jar AndroTickler.jar -h

Information gathering/Static analysis

List installed Apps on the device:

java -jar AndroTickler.jar -pkgs

Searches for an app (package) installed on the device, whose package name contains the searchKey

java -jar AndroTickler.jar -findPkg [searchKey]

Package without extra attributes:

java -jar AndroTickler.jar -pkg {package} [other options]

Any command with a -pkg option (whether used with any of the following options or not), does the following actions if they have not been done before:
– Copies the app from the device
– Extracts the Manifest file of the app
– Decompiles the app to Java code using dex2jar and JD tools

General Info

java -jar AndroTickler.jar -pkg {package} -info

Returns the following information:
-App’s user ID
– App’s Directories path
– If the app’s code indicate usage of external storage
– App’s directories that already exist in External storage
– Content URIs in the code
– If the app is backable
– If the app is debuggable
– Data schemes (like iOS IPC)
– The permissions it uses

Code Squeezing

java -jar AndroTickler.jar -pkg {package} -squeeze [short | {codeLocation} ]

Fetches the following from the decompiled Java code of the app:
– Log messages
– Any indication of possible user credentials
– Java comments
– Used libs
– URLs in code
– Usage of shared preferences
– Usage of external storage
– Common components such as OkHttp and WebView

Unsurprisingly, its output is usually huge, so it is recommended to redirect the command’s output to a file short Squeezes only the decompiled code that belongs to the developer. For example, if an app has a package name of com.notEnaf.myapp, then squeeze short squeezes only the code in com/notEnaf directory.
Squeezes the code only in codeLocation directory. Helpful to limit your search or squeeze the source code if available.

Listing Components

java -jar AndroTickler.jar -pkg {package} -l [-exp] [-v]

Lists all components of the app:
-exp Shows only exported components
-v Gives more detailed information for each component:
– Component type
– Whether exported or not
– Its intent filters
– The tool checks the corresponding Java class to each component and returns all possible intent extras

Listing any kind of components

java -jar AndroTickler.jar -pkg {package} -l [-act | -ser | -rec | -prov ] [-exp] [-v]

-act : activities
-ser : services
-rec: broadcast receivers
-prov: Content providers
-exp: show only exported components of any of the above type


java -jar AndroTickler.jar -pkg {package} -db [|e|l|d] [nu]

By default, all -db commands update the app’s data storage directory on the host before running the check.
no attribute OR e Tests whether the databases of the app are encrypted. It is the default action in case no option is given after -db flag. l Lists all databases of the app. Encrypted databases might not be detected. d Takes a sqlite dump of any of the unencrypted databases. nu noUpdate: runs any of the above options without updating the app’s data directory on the host.

Data Storage Directory Comparison

java -jar AndroTickler.jar -pkg {package} -diff [d|detailed]

Copies the data storage directory of the app (to DataDirOld) then asks the user to do the action he wants and to press Enter when he’s done. Then it copies the data storage directory again (to DataDir) and runs diff between them to show which files got added, deleted or modified.
d|detailed Does the same as the normal -diff command, also shows what exactly changed in text files and unencrypted databases.


java -jar AndroTickler.jar -pkg {package} -t  -act -exp

Triggers exported activities

java -jar AndroTickler.jar -pkg {package} -t -prov -log

Queries all content providers and saves logcat messages until the tool stops execution

java -jar AndroTickler.jar -pkg {package} -t {component_name}

Triggers the component, type of triggering depends on the type of the component

Usage and Building

1. git clone https://github.com/ernw/AndroTickler && cd AndroTikler
2. gradlew
3. gradlew build
4. cd build/libs
5. java -jar AndroTickler.jar -h

Source: https://github.com/ernw

Leave a Reply