hacktricks/mobile-pentesting/android-checklist.md

Android APK Checklist

{% hint style="success" %} Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

• Check the subscription plans!
• Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
• Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

{% endhint %}

Learn Android fundamentals

• Βασικά
• Dalvik & Smali
• Σημεία εισόδου
• Δραστηριότητες
• URL Schemes
• Content Providers
• Υπηρεσίες
• Broadcast Receivers
• Intents
• Intent Filter
• Άλλα συστατικά
• Πώς να χρησιμοποιήσετε το ADB
• Πώς να τροποποιήσετε το Smali

Static Analysis

• Check for the use of obfuscation, checks for noting if the mobile was rooted, if an emulator is being used and anti-tampering checks. Διαβάστε αυτό για περισσότερες πληροφορίες.
• Ευαίσθητες εφαρμογές (όπως οι τραπεζικές εφαρμογές) θα πρέπει να ελέγχουν αν το κινητό είναι rooted και να ενεργούν αναλόγως.
• Search for interesting strings (κωδικοί πρόσβασης, URLs, API, κρυπτογράφηση, backdoors, tokens, Bluetooth uuids...).
• Special attention to firebase APIs.
• Διαβάστε το manifest:
• Check if the application is in debug mode and try to "exploit" it
• Check if the APK allows backups
• Exported Activities
• Content Providers
• Exposed services
• Broadcast Receivers
• URL Schemes
• Is the application saving data insecurely internally or externally?
• Is there any password hard coded or saved in disk? Is the app using insecurely crypto algorithms?
• All the libraries compiled using the PIE flag?
• Don't forget that there is a bunch of static Android Analyzers that can help you a lot during this phase.

Dynamic Analysis

• Prepare the environment (online, local VM or physical)
• Is there any unintended data leakage (logging, copy/paste, crash logs)?
• Confidential information being saved in SQLite dbs?
• Exploitable exposed Activities?
• Exploitable Content Providers?
• Exploitable exposed Services?
• Exploitable Broadcast Receivers?
• Is the application transmitting information in clear text/using weak algorithms? is a MitM possible?
• Inspect HTTP/HTTPS traffic
• This one is really important, because if you can capture the HTTP traffic you can search for common Web vulnerabilities (Hacktricks has a lot of information about Web vulns).
• Check for possible Android Client Side Injections (probably some static code analysis will help here)
• Frida: Just Frida, use it to obtain interesting dynamic data from the application (maybe some passwords...)

Some obfuscation/Deobfuscation information

• Διαβάστε εδώ

{% hint style="success" %} Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

• Check the subscription plans!
• Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
• Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

{% endhint %}