6.2 KiB
Android APK Checklist
{% hint style="warning" %} Support HackTricks and get benefits!
Do you want to have access the latest version of Hacktricks and PEASS, obtain a PDF copy of Hacktricks, and more? Discover the brand new SUBSCRIPTION PLANS for individuals and companies.
Discover The PEASS Family, our collection of exclusive NFTs
Get the official PEASS & HackTricks swag****
Join the 💬 **** Discord group or the telegram group **** or follow me on Twitter 🐦@carlospolopm.
Share your hacking tricks submitting PRs to the hacktricks github repo. {% endhint %}
Learn Android fundamentals
Static Analysis
- Check for the use of obfuscation, checks for noting if the mobile was rooted, if an emulator is being used and anti-tampering checks. Read this for more info.
- Sensitive applications (like bank apps) should check if the mobile is rooted and should actuate in consequence.
- Search for interesting strings (passwords, URLs, API, encryption, backdoors, tokens, Bluetooth uuids...).
- Special attention to firebase APIs.
- Read the manifest:
- Check if the application is in debug mode and try to "exploit" it
- Check if the APK allows backups
- Exported Activities
- Content Providers
- Exposed services
- Broadcast Receivers
- URL Schemes
- Is the application saving data insecurely internally or externally?
- Is there any password hard coded or saved in disk? Is the app using insecurely crypto algorithms?
- All the libraries compiled using the PIE flag?
- Don't forget that there is a bunch of static Android Analyzers that can help you a lot during this phase.
Dynamic Analysis
- Prepare the environment (online, local VM or physical)
- Is there any unintended data leakage (logging, copy/paste, crash logs)?
- Confidential information being saved in SQLite dbs?
- Exploitable exposed Activities?
- Exploitable Content Providers?
- Exploitable exposed Services?
- Exploitable Broadcast Receivers?
- Is the application transmitting information in clear text/using weak algorithms? is a MitM possible?
- Inspect HTTP/HTTPS traffic
- This one is really important, because if you can capture the HTTP traffic you can search for common Web vulnerabilities (Hacktricks has a lot of information about Web vulns).
- Check for possible Android Client Side Injections (probably some static code analysis will help here)
- Frida: Just Frida, use it to obtain interesting dynamic data from the application (maybe some passwords...)
Some obfuscation/Deobfuscation information
If you want to know about my latest modifications/additions or you have any suggestion for HackTricks or PEASS, join the 💬 Discord group or the telegram group, or follow me on Twitter 🐦@carlospolopm.
****If you want to share some tricks with the community you can also submit pull requests to https://github.com/carlospolop/hacktricks that will be reflected in this book.
Don't forget to give ⭐ on the github to motivate me to continue developing this book.
Buy me a coffee here****