Android APK Checklist
If you want to know about my latest modifications/additions or you have any suggestion for HackTricks or PEASS, join the 💬 PEASS & HackTricks telegram group here, or follow me on Twitter 🐦@carlospolopm.
If you want to share some tricks with the community you can also submit pull requests to https://github.com/carlospolop/hacktricks that will be reflected in this book.
Don't forget to give ⭐ on the github to motivate me to continue developing this book.
Learn Android fundamentals
Static Analysis
- Check for the use of obfuscation, checks for whether the device is rooted, whether an emulator is being used, and anti-tampering checks. Read this for more info.
- Sensitive applications (like bank apps) should check if the mobile is rooted and should act accordingly.
- Search for interesting strings (passwords, URLs, API keys, encryption, backdoors, tokens, Bluetooth UUIDs...).
- Pay special attention to Firebase APIs.
- Read the manifest:
- Check if the application is in debug mode and try to "exploit" it
- Check if the APK allows backups
- Exported Activities
- Content Providers
- Exposed services
- Broadcast Receivers
- URL Schemes
- Is the application saving data insecurely, internally or externally?
- Is there any password hard coded or saved on disk? Is the app using insecure crypto algorithms?
- Are all the native libraries compiled with the PIE flag?
- Don't forget that there is a bunch of static Android Analyzers that can help you a lot during this phase.
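As an added example (not part of the HackTricks page), a small Python script that applies the manifest items above to a decoded AndroidManifest.xml (as produced by apktool): debuggable, allowBackup, exported components and URL schemes. The manifest, package and component names are constructed for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

def a(name):
    # Qualify an attribute name with the android: namespace as ElementTree sees it.
    return f"{{{ANDROID_NS}}}{name}"

# Constructed sample manifest (decoded form); not taken from a real app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.app">
  <application android:debuggable="true" android:allowBackup="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <data android:scheme="exampleapp" android:host="open"/>
      </intent-filter>
    </activity>
    <activity android:name=".SecretActivity">
      <intent-filter><action android:name="com.example.OPEN"/></intent-filter>
    </activity>
    <provider android:name=".DataProvider" android:authorities="com.example.data"
              android:exported="true"/>
    <service android:name=".SyncService" android:exported="false"/>
    <receiver android:name=".BootReceiver" android:permission="com.example.permission.INTERNAL">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

def is_exported(component):
    # Pre-API-31 rule: an explicit android:exported wins; otherwise a component
    # that declares an intent-filter is implicitly exported, one without is not.
    exported = component.get(a("exported"))
    if exported is not None:
        return exported.lower() == "true"
    return component.find("intent-filter") is not None

def audit_manifest(xml_text):
    app = ET.fromstring(xml_text).find("application")
    findings = {
        "debuggable": app.get(a("debuggable")) == "true",
        "allowBackup": app.get(a("allowBackup"), "true") == "true",  # default is true
        "exported": {},   # name -> {type, permission guarding it (None = unguarded)}
        "schemes": [],    # (component, URL scheme) pairs from intent-filter <data>
    }
    for tag in ("activity", "provider", "service", "receiver"):
        for comp in app.findall(tag):
            name = comp.get(a("name"))
            if is_exported(comp):
                findings["exported"][name] = {"type": tag, "permission": comp.get(a("permission"))}
            findings["schemes"] += [(name, d.get(a("scheme"))) for d in comp.iter("data") if d.get(a("scheme"))]
    return findings

if __name__ == "__main__":
    for key, value in audit_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

Note that .SecretActivity is reported as exported although it never sets android:exported, because its intent-filter makes it implicitly exported on older targets.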
Dynamic Analysis
- Prepare the environment ([online](android-app-pentesting/#online-dynamic-analysis), [local VM or physical](android-app-pentesting/#local-dynamic-analysis))
- Is there any unintended data leakage (logging, copy/paste, crash logs)?
- Confidential information being saved in SQLite dbs?
- Exploitable exposed Activities?
- Exploitable Content Providers?
- Exploitable exposed Services?
- Exploitable Broadcast Receivers?
- Is the application transmitting information in clear text or using weak algorithms? Is a MitM possible?
- Inspect HTTP/HTTPS traffic
- This one is really important, because if you can capture the HTTP traffic you can search for common Web vulnerabilities (HackTricks has a lot of information about Web vulns).
- Check for possible Android Client Side Injections (probably some static code analysis will help here)
- Frida: Just Frida, use it to obtain interesting dynamic data from the application (maybe some passwords...)
Some obfuscation/Deobfuscation information