Merge pull request #1906 from HackTricks-wiki/update_Jezail__Rooted_Android_Pentesting_Toolkit_exposing_20260217_185901

carlospolop · web-flow · commit 8f30b89e3dec · 2026-03-04T14:13:18.000+01:00
Jezail Rooted Android Pentesting Toolkit exposing a REST API...
diff --git a/src/mobile-pentesting/android-app-pentesting/README.md b/src/mobile-pentesting/android-app-pentesting/README.md
@@ -57,6 +57,13 @@ java -jar ../APKEditor.jar m -i splits/ -o merged.apk
 java -jar uber-apk-signer.jar -a merged.apk --allowResign -o merged_signed
 ```
 
+## Jezail rooted Android pentesting toolkit (REST API + web UI)
+
+- Runs on a **rooted device** (Magisk/rootAVD) and starts an **HTTP server on tcp/8080** with a **Flutter web UI** and **REST API**.
+- Install the release APK with perms: `adb install -g -r jezail.apk`, then launch the app (server auto-starts).
+- Endpoints: `http://<device-ip>:8080/` (UI), `http://<device-ip>:8080/api/json` (API listing), `http://<device-ip>:8080/api/swagger` (Swagger).
+- Emulator port-forward to reach UI/API from the host: `adb forward tcp:8080 tcp:8080` then browse `http://localhost:8080`.
+
 ## Android Enterprise & Work Profile Attacks
 
 {{#ref}}
@@ -892,5 +899,6 @@ AndroL4b is an Android security virtual machine based on ubuntu-mate includes th
 - [smali-sslpin-patterns](https://github.com/aancw/smali-sslpin-patterns)
 - [Build a Repeatable Android Bug Bounty Lab: Emulator vs Magisk, Burp, Frida, and Medusa](https://www.yeswehack.com/learn-bug-bounty/android-lab-mobile-hacking-tools)
 - [CoRPhone — Android in-memory JNI execution and packaging pipeline](https://github.com/0xdevil/corphone)
+- [Jezail rooted Android pentesting toolkit (REST API + Flutter UI)](https://github.com/zahidaz/jezail)
 
 {{#include ../../banners/hacktricks-training.md}}
