hacktricks/mobile-pentesting/android-checklist.md

# Orodha ya Ukaguzi wa APK ya Android

<details>

<summary><strong>Jifunze AWS hacking kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>

* Je, unafanya kazi katika **kampuni ya usalama wa mtandao**? Unataka kuona **kampuni yako ikionyeshwa kwenye HackTricks**? au unataka kupata upatikanaji wa **toleo jipya zaidi la PEASS au kupakua HackTricks kwa PDF**? Angalia [**MIPANGO YA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* **Jiunge na** [**💬**](https://emojipedia.org/speech-balloon/) [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **nifuata** kwenye **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kuhack kwa kuwasilisha PRs kwa [repo ya hacktricks](https://github.com/carlospolop/hacktricks) na [repo ya hacktricks-cloud](https://github.com/carlospolop/hacktricks-cloud)**.

</details>

**Kikundi cha Usalama cha Try Hard**

<figure><img src="../.gitbook/assets/telegram-cloud-document-1-5159108904864449420.jpg" alt=""><figcaption></figcaption></figure>

{% embed url="https://discord.gg/tryhardsecurity" %}

***

### [Jifunze Msingi wa Android](android-app-pentesting/#2-android-application-fundamentals)

* [ ] [Msingi](android-app-pentesting/#fundamentals-review)
* [ ] [Dalvik & Smali](android-app-pentesting/#dalvik--smali)
* [ ] [Vipengele vya Kuingia](android-app-pentesting/#application-entry-points)
* [ ] [Shughuli](android-app-pentesting/#launcher-activity)
* [ ] [URL Schemes](android-app-pentesting/#url-schemes)
* [ ] [Watoa Huduma za Yaliyomo](android-app-pentesting/#services)
* [ ] [Huduma](android-app-pentesting/#services-1)
* [ ] [Wapokeaji wa Matangazo](android-app-pentesting/#broadcast-receivers)
* [ ] [Nia](android-app-pentesting/#intents)
* [ ] [Mtego wa Nia](android-app-pentesting/#intent-filter)
* [ ] [Vipengele vingine](android-app-pentesting/#other-app-components)
* [ ] [Jinsi ya kutumia ADB](android-app-pentesting/#adb-android-debug-bridge)
* [ ] [Jinsi ya kuhariri Smali](android-app-pentesting/#smali)

### [Uchambuzi Stahiki](android-app-pentesting/#static-analysis)

* [ ] Angalia matumizi ya [ufichaji](android-checklist.md#some-obfuscation-deobfuscation-information), angalia kama simu imefungwa mizizi, kama inatumika emulator na uchunguzi wa kuzuia uharibifu. [Soma hii kwa maelezo zaidi](android-app-pentesting/#other-checks).
* [ ] Programu nyeti (kama programu za benki) inapaswa kuangalia kama simu imefungwa mizizi na inapaswa kuchukua hatua kwa kuzingatia hilo.
* [ ] Tafuta [maneno ya kuvutia](android-app-pentesting/#looking-for-interesting-info) (nywila, URL, API, encryption, backdoors, tokens, Bluetooth uuids...).
* [ ] Tahadhari maalum kwa [firebase ](android-app-pentesting/#firebase)APIs.
* [ ] [Soma maelezo:](android-app-pentesting/#basic-understanding-of-the-application-manifest-xml)
* [ ] Angalia kama programu iko katika hali ya kurekebisha na jaribu "kuitumia"
* [ ] Angalia kama APK inaruhusu nakala za akiba
* [ ] Shughuli Zilizowekwa Wazi
* [ ] Watoa Huduma za Yaliyomo
* [ ] Huduma Zilizofichuliwa
* [ ] Wapokeaji wa Matangazo
* [ ] URL Schemes
* [ ] Je, programu ina[hifadhi data bila usalama ndani au nje](android-app-pentesting/#insecure-data-storage)?
* [ ] Je, kuna [nywila iliyoingizwa au iliyohifadhiwa kwenye diski](android-app-pentesting/#poorkeymanagementprocesses)? Je, programu inatumia [algorithms za crypto zisizo salama](android-app-pentesting/#useofinsecureandordeprecatedalgorithms)?
* [ ] Maktaba zote zimekompiliwa kwa kutumia bendera ya PIE?
* [ ] Usisahau kuwa kuna[ Wachambuzi wa Android wa Stahiki](android-app-pentesting/#automatic-analysis) ambao wanaweza kukusaidia sana wakati huu.

### [Uchambuzi wa Kudumu](android-app-pentesting/#dynamic-analysis)

* [ ] Andaa mazingira ([mtandaoni](android-app-pentesting/#online-dynamic-analysis), [VM ya ndani au ya kimwili](android-app-pentesting/#local-dynamic-analysis))
* [ ] Je, kuna [ufichuaji usio wa makusudi wa data](android-app-pentesting/#unintended-data-leakage) (kuingiza, kunakili/kubandika, machapisho ya kuharibika)?
* [ ] [Taarifa za siri zinahifadhiwa kwenye mabandiko ya SQLite](android-app-pentesting/#sqlite-dbs)?
* [ ] [Shughuli Zilizowekwa Wazi zinazoweza kuchexploit](android-app-pentesting/#exploiting-exported-activities-authorisation-bypass)?
* [ ] [Watoa Huduma Zilizoweza kuchexploit](android-app-pentesting/#exploiting-content-providers-accessing-and-manipulating-sensitive-information)?
* [ ] [Huduma Zilizofichuliwa Zilizoweza kuchexploit](android-app-pentesting/#exploiting-services)?
* [ ] [Wapokeaji wa Matangazo Zilizoweza kuchexploit](android-app-pentesting/#exploiting-broadcast-receivers)?
* [ ] Je, programu inatuma taarifa kwa wazi/ikitumia algorithms dhaifu](android-app-pentesting/#insufficient-transport-layer-protection)? je, ni rahisi kufanya MitM?
* [ ] [Kagua trafiki ya HTTP/HTTPS](android-app-pentesting/#inspecting-http-traffic)
* [ ] Hii ni muhimu sana, kwa sababu ukichukua trafiki ya HTTP unaweza kutafuta kasoro za kawaida za Wavuti (Hacktricks ina habari nyingi kuhusu kasoro za Wavuti).
* [ ] Angalia kwa uwezekano wa [Muingiliano wa Upande wa Mteja wa Android](android-app-pentesting/#android-client-side-injections-and-others) (labda uchambuzi wa msimbo wa stahiki utasaidia hapa)
* [ ] [Frida](android-app-pentesting/#frida): Tu Frida, itumie kupata data ya kuvutia ya kudumu kutoka kwenye programu (labda nywila fulani...)

### Baadhi ya habari za ufichaji/Deobfuscation

* [ ] [Soma hapa](android-app-pentesting/#obfuscating-deobfuscating-code)


**Kikundi cha Usalama cha Try Hard**

<figure><img src="../.gitbook/assets/telegram-cloud-document-1-5159108904864449420.jpg" alt=""><figcaption></figcaption></figure>

{% embed url="https://discord.gg/tryhardsecurity" %}

<details>

<summary><strong>Jifunze AWS hacking kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>

* Je, unafanya kazi katika **kampuni ya usalama wa mtandao**? Unataka kuona **kampuni yako ikionyeshwa kwenye HackTricks**? au unataka kupata upatikanaji wa **toleo jipya zaidi la PEASS au kupakua HackTricks kwa PDF**? Angalia [**MIPANGO YA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* **Jiunge na** [**💬**](https://emojipedia.org/speech-balloon/) [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **nifuata** kwenye **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kuhack kwa kuwasilisha PRs kwa [repo ya hacktricks](https://github.com/carlospolop/hacktricks) and [repo ya hacktricks-cloud](https://github.com/carlospolop/hacktricks-cloud)**.

</details>
Translated ['forensics/basic-forensic-methodology/partitions-file-system 2024-03-24 12:32:36 +00:00			`# Orodha ya Ukaguzi wa APK ya Android`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`<details>`

Translated ['forensics/basic-forensic-methodology/partitions-file-system 2024-03-24 13:37:52 +00:00			`<summary><strong>Jifunze AWS hacking kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['generic-methodologies-and-resources/exfiltration.md', 'gene 2024-03-09 13:36:24 +00:00			`* Je, unafanya kazi katika kampuni ya usalama wa mtandao? Unataka kuona kampuni yako ikionyeshwa kwenye HackTricks? au unataka kupata upatikanaji wa toleo jipya zaidi la PEASS au kupakua HackTricks kwa PDF? Angalia [MIPANGO YA KUJIUNGA](https://github.com/sponsors/carlospolop)!`
			`* Gundua [Familia ya PEASS](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [NFTs](https://opensea.io/collection/the-peass-family) ya kipekee`
Translated ['forensics/basic-forensic-methodology/partitions-file-system 2024-03-24 13:37:52 +00:00			`* Pata [swag rasmi ya PEASS & HackTricks](https://peass.creator-spring.com)`
Translated ['generic-methodologies-and-resources/exfiltration.md', 'gene 2024-03-09 13:36:24 +00:00			`* Jiunge na [💬](https://emojipedia.org/speech-balloon/) [Kikundi cha Discord](https://discord.gg/hRep4RUj7f) au kikundi cha [telegram](https://t.me/peass) au nifuata kwenye Twitter 🐦[@carlospolopm](https://twitter.com/hacktricks_live).`
Translated ['forensics/basic-forensic-methodology/partitions-file-system 2024-03-24 13:37:52 +00:00			`* Shiriki mbinu zako za kuhack kwa kuwasilisha PRs kwa [repo ya hacktricks](https://github.com/carlospolop/hacktricks) na [repo ya hacktricks-cloud](https://github.com/carlospolop/hacktricks-cloud).`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`</details>`

Translated ['README.md', 'forensics/basic-forensic-methodology/partition 2024-03-14 23:40:07 +00:00			`Kikundi cha Usalama cha Try Hard`

Translated ['forensics/basic-forensic-methodology/partitions-file-system 2024-03-24 13:37:52 +00:00			`<figure><img src="../.gitbook/assets/telegram-cloud-document-1-5159108904864449420.jpg" alt=""><figcaption></figcaption></figure>`
Translated ['README.md', 'forensics/basic-forensic-methodology/partition 2024-03-14 23:40:07 +00:00
			`{% embed url="https://discord.gg/tryhardsecurity" %}`

			`***`

Translated ['generic-methodologies-and-resources/exfiltration.md', 'gene 2024-03-09 13:36:24 +00:00			`### [Jifunze Msingi wa Android](android-app-pentesting/#2-android-application-fundamentals)`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
Translated ['README.md', 'forensics/basic-forensic-methodology/partition 2024-03-14 23:40:07 +00:00			`* [ ] [Msingi](android-app-pentesting/#fundamentals-review)`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`* [ ] [Dalvik & Smali](android-app-pentesting/#dalvik--smali)`
Translated ['generic-methodologies-and-resources/exfiltration.md', 'gene 2024-03-09 13:36:24 +00:00			`* [ ] [Vipengele vya Kuingia](android-app-pentesting/#application-entry-points)`
Translated to Swahili 2024-02-11 02:13:58 +00:00			`* [ ] [Shughuli](android-app-pentesting/#launcher-activity)`
			`* [ ] [URL Schemes](android-app-pentesting/#url-schemes)`
Translated ['generic-methodologies-and-resources/exfiltration.md', 'gene 2024-03-09 13:36:24 +00:00			`* [ ] [Watoa Huduma za Yaliyomo](android-app-pentesting/#services)`
Translated to Swahili 2024-02-11 02:13:58 +00:00			`* [ ] [Huduma](android-app-pentesting/#services-1)`
			`* [ ] [Wapokeaji wa Matangazo](android-app-pentesting/#broadcast-receivers)`
			`* [ ] [Nia](android-app-pentesting/#intents)`
Translated ['README.md', 'forensics/basic-forensic-methodology/partition 2024-03-14 23:40:07 +00:00			`* [ ] [Mtego wa Nia](android-app-pentesting/#intent-filter)`
Translated ['generic-methodologies-and-resources/exfiltration.md', 'gene 2024-03-09 13:36:24 +00:00			`* [ ] [Vipengele vingine](android-app-pentesting/#other-app-components)`
Translated to Swahili 2024-02-11 02:13:58 +00:00			`* [ ] [Jinsi ya kutumia ADB](android-app-pentesting/#adb-android-debug-bridge)`
Translated ['generic-methodologies-and-resources/exfiltration.md', 'gene 2024-03-09 13:36:24 +00:00			`* [ ] [Jinsi ya kuhariri Smali](android-app-pentesting/#smali)`
Translated to Swahili 2024-02-11 02:13:58 +00:00
Translated ['generic-methodologies-and-resources/exfiltration.md', 'gene 2024-03-09 13:36:24 +00:00			`### [Uchambuzi Stahiki](android-app-pentesting/#static-analysis)`
Translated to Swahili 2024-02-11 02:13:58 +00:00
Translated ['forensics/basic-forensic-methodology/partitions-file-system 2024-03-24 13:37:52 +00:00			`* [ ] Angalia matumizi ya [ufichaji](android-checklist.md#some-obfuscation-deobfuscation-information), angalia kama simu imefungwa mizizi, kama inatumika emulator na uchunguzi wa kuzuia uharibifu. [Soma hii kwa maelezo zaidi](android-app-pentesting/#other-checks).`
			`* [ ] Programu nyeti (kama programu za benki) inapaswa kuangalia kama simu imefungwa mizizi na inapaswa kuchukua hatua kwa kuzingatia hilo.`
Translated ['generic-methodologies-and-resources/exfiltration.md', 'gene 2024-03-09 13:36:24 +00:00			`* [ ] Tafuta [maneno ya kuvutia](android-app-pentesting/#looking-for-interesting-info) (nywila, URL, API, encryption, backdoors, tokens, Bluetooth uuids...).`
Translated to Swahili 2024-02-11 02:13:58 +00:00			`* [ ] Tahadhari maalum kwa [firebase ](android-app-pentesting/#firebase)APIs.`
Translated ['forensics/basic-forensic-methodology/partitions-file-system 2024-03-24 13:37:52 +00:00			`* [ ] [Soma maelezo:](android-app-pentesting/#basic-understanding-of-the-application-manifest-xml)`
Translated ['generic-methodologies-and-resources/exfiltration.md', 'gene 2024-03-09 13:36:24 +00:00			`* [ ] Angalia kama programu iko katika hali ya kurekebisha na jaribu "kuitumia"`
Translated ['forensics/basic-forensic-methodology/partitions-file-system 2024-03-24 12:32:36 +00:00			`* [ ] Angalia kama APK inaruhusu nakala za akiba`
Translated ['README.md', 'forensics/basic-forensic-methodology/partition 2024-03-14 23:40:07 +00:00			`* [ ] Shughuli Zilizowekwa Wazi`
Translated ['generic-methodologies-and-resources/exfiltration.md', 'gene 2024-03-09 13:36:24 +00:00			`* [ ] Watoa Huduma za Yaliyomo`
Translated to Swahili 2024-02-11 02:13:58 +00:00			`* [ ] Huduma Zilizofichuliwa`
			`* [ ] Wapokeaji wa Matangazo`
			`* [ ] URL Schemes`
Translated ['generic-methodologies-and-resources/exfiltration.md', 'gene 2024-03-09 13:36:24 +00:00			`* [ ] Je, programu ina[hifadhi data bila usalama ndani au nje](android-app-pentesting/#insecure-data-storage)?`
Translated ['forensics/basic-forensic-methodology/partitions-file-system 2024-03-24 13:37:52 +00:00			`* [ ] Je, kuna [nywila iliyoingizwa au iliyohifadhiwa kwenye diski](android-app-pentesting/#poorkeymanagementprocesses)? Je, programu inatumia [algorithms za crypto zisizo salama](android-app-pentesting/#useofinsecureandordeprecatedalgorithms)?`
			`* [ ] Maktaba zote zimekompiliwa kwa kutumia bendera ya PIE?`
Translated ['generic-methodologies-and-resources/exfiltration.md', 'gene 2024-03-09 13:36:24 +00:00			`* [ ] Usisahau kuwa kuna[ Wachambuzi wa Android wa Stahiki](android-app-pentesting/#automatic-analysis) ambao wanaweza kukusaidia sana wakati huu.`
Translated to Swahili 2024-02-11 02:13:58 +00:00
Translated ['forensics/basic-forensic-methodology/partitions-file-system 2024-03-24 13:37:52 +00:00			`### [Uchambuzi wa Kudumu](android-app-pentesting/#dynamic-analysis)`
Translated to Swahili 2024-02-11 02:13:58 +00:00
			`* [ ] Andaa mazingira ([mtandaoni](android-app-pentesting/#online-dynamic-analysis), [VM ya ndani au ya kimwili](android-app-pentesting/#local-dynamic-analysis))`
Translated ['forensics/basic-forensic-methodology/partitions-file-system 2024-03-24 13:37:52 +00:00			`* [ ] Je, kuna [ufichuaji usio wa makusudi wa data](android-app-pentesting/#unintended-data-leakage) (kuingiza, kunakili/kubandika, machapisho ya kuharibika)?`
			`* [ ] [Taarifa za siri zinahifadhiwa kwenye mabandiko ya SQLite](android-app-pentesting/#sqlite-dbs)?`
			`* [ ] [Shughuli Zilizowekwa Wazi zinazoweza kuchexploit](android-app-pentesting/#exploiting-exported-activities-authorisation-bypass)?`
			`* [ ] [Watoa Huduma Zilizoweza kuchexploit](android-app-pentesting/#exploiting-content-providers-accessing-and-manipulating-sensitive-information)?`
			`* [ ] [Huduma Zilizofichuliwa Zilizoweza kuchexploit](android-app-pentesting/#exploiting-services)?`
			`* [ ] [Wapokeaji wa Matangazo Zilizoweza kuchexploit](android-app-pentesting/#exploiting-broadcast-receivers)?`
			`* [ ] Je, programu inatuma taarifa kwa wazi/ikitumia algorithms dhaifu](android-app-pentesting/#insufficient-transport-layer-protection)? je, ni rahisi kufanya MitM?`
			`* [ ] [Kagua trafiki ya HTTP/HTTPS](android-app-pentesting/#inspecting-http-traffic)`
Translated ['forensics/basic-forensic-methodology/partitions-file-system 2024-03-24 12:32:36 +00:00			`* [ ] Hii ni muhimu sana, kwa sababu ukichukua trafiki ya HTTP unaweza kutafuta kasoro za kawaida za Wavuti (Hacktricks ina habari nyingi kuhusu kasoro za Wavuti).`
Translated ['forensics/basic-forensic-methodology/partitions-file-system 2024-03-24 13:37:52 +00:00			`* [ ] Angalia kwa uwezekano wa [Muingiliano wa Upande wa Mteja wa Android](android-app-pentesting/#android-client-side-injections-and-others) (labda uchambuzi wa msimbo wa stahiki utasaidia hapa)`
			`* [ ] [Frida](android-app-pentesting/#frida): Tu Frida, itumie kupata data ya kuvutia ya kudumu kutoka kwenye programu (labda nywila fulani...)`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['generic-methodologies-and-resources/exfiltration.md', 'gene 2024-03-09 13:36:24 +00:00			`### Baadhi ya habari za ufichaji/Deobfuscation`

			`* [ ] [Soma hapa](android-app-pentesting/#obfuscating-deobfuscating-code)`
Translated ['forensics/basic-forensic-methodology/partitions-file-system 2024-03-24 12:32:36 +00:00

			`Kikundi cha Usalama cha Try Hard`

Translated ['forensics/basic-forensic-methodology/partitions-file-system 2024-03-24 13:37:52 +00:00			`<figure><img src="../.gitbook/assets/telegram-cloud-document-1-5159108904864449420.jpg" alt=""><figcaption></figcaption></figure>`
Translated ['forensics/basic-forensic-methodology/partitions-file-system 2024-03-24 12:32:36 +00:00
			`{% embed url="https://discord.gg/tryhardsecurity" %}`

			`<details>`

Translated ['forensics/basic-forensic-methodology/partitions-file-system 2024-03-24 13:37:52 +00:00			`<summary><strong>Jifunze AWS hacking kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>`
Translated ['forensics/basic-forensic-methodology/partitions-file-system 2024-03-24 12:32:36 +00:00
			`* Je, unafanya kazi katika kampuni ya usalama wa mtandao? Unataka kuona kampuni yako ikionyeshwa kwenye HackTricks? au unataka kupata upatikanaji wa toleo jipya zaidi la PEASS au kupakua HackTricks kwa PDF? Angalia [MIPANGO YA KUJIUNGA](https://github.com/sponsors/carlospolop)!`
			`* Gundua [Familia ya PEASS](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [NFTs](https://opensea.io/collection/the-peass-family) ya kipekee`
Translated ['forensics/basic-forensic-methodology/partitions-file-system 2024-03-24 13:37:52 +00:00			`* Pata [swag rasmi ya PEASS & HackTricks](https://peass.creator-spring.com)`
Translated ['forensics/basic-forensic-methodology/partitions-file-system 2024-03-24 12:32:36 +00:00			`* Jiunge na [💬](https://emojipedia.org/speech-balloon/) [Kikundi cha Discord](https://discord.gg/hRep4RUj7f) au kikundi cha [telegram](https://t.me/peass) au nifuata kwenye Twitter 🐦[@carlospolopm](https://twitter.com/hacktricks_live).`
Translated ['forensics/basic-forensic-methodology/partitions-file-system 2024-03-24 13:37:52 +00:00			`* Shiriki mbinu zako za kuhack kwa kuwasilisha PRs kwa [repo ya hacktricks](https://github.com/carlospolop/hacktricks) and [repo ya hacktricks-cloud](https://github.com/carlospolop/hacktricks-cloud).`
Translated ['forensics/basic-forensic-methodology/partitions-file-system 2024-03-24 12:32:36 +00:00
			`</details>`