hacktricks/mobile-pentesting/android-checklist.md
2024-02-11 02:13:58 +00:00

# Android APK Checklist
### [Learn Android fundamentals](android-app-pentesting/#2-android-application-fundamentals)
* [ ] [Basics](android-app-pentesting/#fundamentals-review)
* [ ] [Dalvik & Smali](android-app-pentesting/#dalvik--smali)
* [ ] [Entry points](android-app-pentesting/#application-entry-points)
* [ ] [Activities](android-app-pentesting/#launcher-activity)
* [ ] [URL Schemes](android-app-pentesting/#url-schemes)
* [ ] [Content Providers](android-app-pentesting/#services)
* [ ] [Services](android-app-pentesting/#services-1)
* [ ] [Broadcast Receivers](android-app-pentesting/#broadcast-receivers)
* [ ] [Intents](android-app-pentesting/#intents)
* [ ] [Intent Filter](android-app-pentesting/#intent-filter)
* [ ] [Other components](android-app-pentesting/#other-app-components)
* [ ] [How to use ADB](android-app-pentesting/#adb-android-debug-bridge)
* [ ] [How to modify Smali](android-app-pentesting/#smali)
### [Static Analysis](android-app-pentesting/#static-analysis)
* [ ] Check for the use of [obfuscation](android-checklist.md#some-obfuscation-deobfuscation-information), and check whether the app detects a rooted device, an emulator, or tampering. [Read this for more info](android-app-pentesting/#other-checks).
* [ ] Sensitive applications (such as banking apps) should check whether the device is rooted and act accordingly.
* [ ] Search for [interesting strings](android-app-pentesting/#looking-for-interesting-info) (passwords, URLs, APIs, encryption, backdoors, tokens, Bluetooth UUIDs...).
* [ ] Pay special attention to [firebase](android-app-pentesting/#firebase) APIs.
* [ ] [Read the application manifest:](android-app-pentesting/#basic-understanding-of-the-application-manifest-xml)
  * [ ] Check whether the application is in debug mode and try to "exploit" it
  * [ ] Check whether the APK allows backups
  * [ ] Exported Activities
  * [ ] Content Providers
  * [ ] Exposed Services
  * [ ] Broadcast Receivers
  * [ ] URL Schemes
* [ ] Does the application [store data insecurely, internally or externally](android-app-pentesting/#insecure-data-storage)?
* [ ] Is there any [password hardcoded or saved on disk](android-app-pentesting/#poorkeymanagementprocesses)? Does the app [use insecure or deprecated crypto algorithms](android-app-pentesting/#useofinsecureandordeprecatedalgorithms)?
* [ ] Are all the libraries compiled with the PIE flag?
* [ ] Don't forget that there are [Android Static Analyzers](android-app-pentesting/#automatic-analysis) that can help you a lot during this phase.
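The manifest items in the list above (debug mode, backups, exported Activities/Providers/Services/Receivers, URL schemes) and the PIE item can be checked mechanically once the APK is unpacked. The script below is an added example written for this checklist; it is not HackTricks' own tooling and it assumes the manifest has already been decoded to plain XML (as `apktool d` produces) and that native binaries are read from disk as raw bytes. The sample manifest and the ELF headers it tests against are constructed inline so the script runs offline.

```python
"""Static checks for the Android checklist: manifest flags, exported
components, URL schemes and PIE on native ELF files.

Added example, not HackTricks code. Assumes a decoded (text) AndroidManifest.xml.
"""
import struct
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
COMPONENTS = ("activity", "service", "receiver", "provider")


def _attr(elem, name, default=None):
    """Read an android:* attribute; ElementTree stores it namespace-qualified."""
    return elem.get(ANDROID_NS + name, default)


def _is_exported(comp):
    """Android's rule: an explicit android:exported wins; otherwise a component
    is exported exactly when it declares at least one <intent-filter>.
    (Providers on API < 17 defaulted to exported; only the modern rule is applied here.)"""
    explicit = _attr(comp, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return comp.find("intent-filter") is not None


def audit_manifest(xml_text):
    """Return the checklist findings for one decoded manifest."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    findings = {
        "package": root.get("package"),
        "debuggable": _attr(app, "debuggable", "false").lower() == "true",
        # allowBackup defaults to true when the attribute is absent
        "allow_backup": _attr(app, "allowBackup", "true").lower() == "true",
        "exported": {kind: [] for kind in COMPONENTS},
        "url_schemes": [],  # (component, scheme, host) triples
    }
    for kind in COMPONENTS:
        for comp in app.findall(kind):
            name = _attr(comp, "name")
            if _is_exported(comp):
                findings["exported"][kind].append(name)
            for data in comp.iter("data"):
                scheme = _attr(data, "scheme")
                if scheme:
                    findings["url_schemes"].append((name, scheme, _attr(data, "host")))
    return findings


def is_pie(elf_bytes):
    """True when e_type is ET_DYN (3), i.e. position independent; ET_EXEC (2)
    is a fixed-address executable. Shared objects (.so) are ET_DYN by
    construction, so the flag is the real question for any standalone native
    executables the APK bundles."""
    if len(elf_bytes) < 18 or elf_bytes[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    little = elf_bytes[5] == 1  # EI_DATA: 1 = little-endian, 2 = big-endian
    (e_type,) = struct.unpack("<H" if little else ">H", elf_bytes[16:18])
    return e_type == 3


def _fake_elf(e_type, little=True):
    """Constructed 64-byte ELF64 header with only the fields is_pie reads."""
    ident = b"\x7fELF" + bytes([2, 1 if little else 2, 1]) + b"\x00" * 9
    return ident + struct.pack("<H" if little else ">H", e_type) + b"\x00" * 46


# Constructed sample manifest exercising every branch above.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.target">
  <application android:debuggable="true" android:allowBackup="true">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".DeepLinkActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <data android:scheme="myapp" android:host="open"/>
      </intent-filter>
    </activity>
    <activity android:name=".InternalActivity" android:exported="false"/>
    <provider android:name=".NotesProvider" android:authorities="com.example.target.notes"/>
    <service android:name=".SyncService">
      <intent-filter><action android:name="com.example.target.SYNC"/></intent-filter>
    </service>
    <receiver android:name=".BootReceiver" android:exported="false"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    report = audit_manifest(SAMPLE_MANIFEST)
    for key, value in report.items():
        print(f"{key}: {value}")
    print("ET_DYN sample is PIE:", is_pie(_fake_elf(3)))
    print("ET_EXEC sample is PIE:", is_pie(_fake_elf(2)))
```

On a real target, pass the text of `AndroidManifest.xml` from the apktool output directory to `audit_manifest`, and the bytes of each file under `lib/<abi>/` (and any native binaries in `assets/`) to `is_pie`. The implicit-export rule in `_is_exported` is the one that catches components developers forget about: a Service or Receiver with an intent-filter and no `android:exported` is reachable from other apps even though nothing in the manifest says so explicitly.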
### [Dynamic Analysis](android-app-pentesting/#dynamic-analysis)
* [ ] Prepare the environment ([online](android-app-pentesting/#online-dynamic-analysis), [local VM or physical device](android-app-pentesting/#local-dynamic-analysis))
* [ ] Is there any [unintended data leakage](android-app-pentesting/#unintended-data-leakage) (logging, copy/paste, crash logs)?
* [ ] [Confidential information stored in SQLite dbs](android-app-pentesting/#sqlite-dbs)?
* [ ] [Exploitable exported Activities](android-app-pentesting/#exploiting-exported-activities-authorisation-bypass)?
* [ ] [Exploitable Content Providers](android-app-pentesting/#exploiting-content-providers-accessing-and-manipulating-sensitive-information)?
* [ ] [Exploitable exposed Services](android-app-pentesting/#exploiting-services)?
* [ ] [Exploitable Broadcast Receivers](android-app-pentesting/#exploiting-broadcast-receivers)?
* [ ] Is the application [transmitting information in clear text or using weak algorithms](android-app-pentesting/#insufficient-transport-layer-protection)? Is a MitM possible?
* [ ] [Inspect HTTP/HTTPS traffic](android-app-pentesting/#inspecting-http-traffic)
  * [ ] This is really important, because if you can capture the HTTP traffic you can look for common Web vulnerabilities