HackTricks - Boitatech

Android Applications Pentesting

Last updated 3 years ago
Android Applications Basics

It's highly recommended to start by reading the Android Applications Basics page, which covers the most important concepts of Android security and the most dangerous components of an Android application (activities, services, broadcast receivers and content providers):

ADB (Android Debug Bridge)

This is the main tool you need to connect to an Android device (emulated or physical). It lets you control the device over USB or the network from a computer: copy files back and forth, install and uninstall apps, run shell commands, take backups, read logs and more.

Take a look at the ADB Commands page to learn how to use adb.

Smali

Sometimes it is useful to modify the application code to reach hidden information (for example a well-obfuscated password or flag). In that case you can decompile the APK to smali, modify the code and recompile it (see the Smali - Decompiling/Modifying/Compiling page). This is also a handy alternative to several of the dynamic-analysis tests presented later, so keep the possibility in mind.

Other interesting tricks

  • Download APKs: from an APK mirror site, or pull the installed package from a device (adb shell pm path <package> to locate it, then adb pull).

Static Analysis

Looking for interesting Info

Firebase: check whether the app uses a Firebase Realtime Database (look for a *.firebaseio.com URL in the resources) and whether that database can be read without authentication; see the Firebase Database page.

Basic understanding of the application - Manifest.xml, strings.xml

  • First of all, check whether the application is debuggable. A production APK shouldn't be (otherwise anyone with adb access can attach a debugger to it, and run-as <package> from an adb shell gives access to its private data). You can check this by looking in the manifest for the attribute debuggable="true" inside the <application> tag. Example: <application theme="@2131296387" debuggable="true"

  • Backup: the android:allowBackup attribute defines whether the application's data can be backed up and restored by a user who has enabled USB debugging. If it is true (the default when the attribute is absent), an attacker with adb access can take a backup of the application data with adb backup even if the device is not rooted. Applications that handle sensitive information such as card details or passwords should therefore set it explicitly to false. Note that since Android 12 (API 31) adb backup no longer includes app data for apps targeting API 31 or higher, so this mainly matters on older devices and lower target SDKs.

    • <application android:allowBackup="false"

  • NetworkSecurity: the application can override the platform's default network security settings with android:networkSecurityConfig="@xml/network_security_config". A file with that name must be placed in res/xml. It configures important security settings such as certificate pins, custom trust anchors (since Android 7, apps targeting API 24+ do not trust user-installed CAs unless the config adds them) and whether clear-text HTTP traffic is allowed. Since Android 9 (API 28) clear-text traffic is blocked by default for apps targeting that level, so look for configs that re-enable it. This example allows HTTP traffic for one domain and its subdomains:

    <network-security-config>
        <domain-config cleartextTrafficPermitted="true">
            <domain includeSubdomains="true">formation-software.co.uk</domain>
        </domain-config>
    </network-security-config>

  • minSdkVersion, targetSdkVersion, maxSdkVersion: they indicate the Android versions the app will run on. They matter from a security perspective because a low minSdkVersion means the app will run on old, known-vulnerable Android releases, and a low targetSdkVersion opts the app out of newer platform protections (for example the API 28 clear-text block or the API 31 requirement to declare android:exported explicitly).

Reading resources.arsc/strings.xml you can find some interesting info:

  • API Keys

  • Custom schemes (deep links)

  • Other interesting info developers save in this file

Tapjacking

Tapjacking is an attack where a malicious application is launched and positions itself on top of a victim application. Once it visibly obscures the victim app, its user interface is designed in such a way as to trick the user to interact with it, while it is passing the interaction along to the victim app. In effect, it is blinding the user from knowing they are actually performing actions on the victim app.

To detect apps vulnerable to this attack, search for exported activities in the Android manifest (note that before targetSdkVersion 31 an activity with an intent-filter is exported by default unless android:exported="false" is set; from API 31 the attribute must be declared explicitly). Once you have found the exported activities, check whether they require any permission, because the malicious application would need that permission too. Finally, check the code and layouts for filterTouchesWhenObscured settings: if set to true, touches on that view are discarded while another window is drawn on top of it:

<Button android:text="Button"
    android:id="@+id/button1"
    android:layout_width="wrap_content"
    android:layout_height="wrap_content"
    android:filterTouchesWhenObscured="true">
</Button>

Sometimes it is essential that an application be able to verify that an action is being performed with the full knowledge and consent of the user, such as granting a permission request, making a purchase or clicking on an advertisement. Unfortunately, a malicious application could try to spoof the user into performing these actions, unaware, by concealing the intended purpose of the view. As a remedy, the framework offers a touch filtering mechanism that can be used to improve the security of views that provide access to sensitive functionality.
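The manifest checks above (debuggable, allowBackup, networkSecurityConfig, SDK range) and the tapjacking triage (exported activities, the permission they require, clickable views without filterTouchesWhenObscured) can be scripted. The following Python is an added example, not code from the original page; it expects apktool-decoded XML (the APK itself contains binary XML, which ElementTree cannot parse), and the manifest and layout it runs on are constructed samples that reuse the com.example.demo / com.example.test.MainActivity names used later on this page.

```python
"""Manifest/layout triage: debuggable, allowBackup, networkSecurityConfig,
SDK range, exported activities (and the permission they need) and clickable
views without filterTouchesWhenObscured. Added example, not from the page.
Expects apktool-decoded XML; SAMPLE_MANIFEST and SAMPLE_LAYOUT are constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def a(elem, name, default=None):
    """Read an android:-namespaced attribute, or default when absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name), default)


def triage_manifest(manifest_xml):
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    sdk = root.find("uses-sdk")
    target = int(a(sdk, "targetSdkVersion", 1)) if sdk is not None else 1
    out = {
        "package": root.get("package"),
        "debuggable": a(app, "debuggable", "false") == "true",
        "allowBackup": a(app, "allowBackup", "true") == "true",   # absent => true
        "networkSecurityConfig": a(app, "networkSecurityConfig"),
        "minSdkVersion": int(a(sdk, "minSdkVersion", 1)) if sdk is not None else None,
        "targetSdkVersion": target,
        "exported_activities": [],
    }
    for act in list(app.iter("activity")) + list(app.iter("activity-alias")):
        exported = a(act, "exported")
        if exported is None:
            # Implicit export: before targetSdk 31 an activity with an intent-filter
            # is exported unless the attribute says otherwise; API 31+ requires it.
            is_exported = act.find("intent-filter") is not None and target < 31
        else:
            is_exported = exported == "true"
        if is_exported:
            name = a(act, "name")
            out["exported_activities"].append({
                "name": name,
                "permission": a(act, "permission"),   # None => any app can start it
                "adb": "adb shell am start -n %s/%s" % (out["package"], name),
            })
    return out


def unprotected_buttons(layout_xml):
    """ids of clickable views lacking android:filterTouchesWhenObscured="true"."""
    root = ET.fromstring(layout_xml)
    found = []
    for v in root.iter():
        clickable = v.tag in ("Button", "ImageButton") or a(v, "onClick") is not None
        if clickable and a(v, "filterTouchesWhenObscured", "false") != "true":
            found.append(a(v, "id", v.tag))
    return found


# Constructed sample inputs (not taken from a real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="30"/>
  <application android:debuggable="true"
      android:networkSecurityConfig="@xml/network_security_config">
    <activity android:name="com.example.test.MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".AdminActivity" android:exported="true"
        android:permission="com.example.demo.ADMIN"/>
    <activity android:name=".HiddenActivity" android:exported="false"/>
    <activity android:name=".DeepLinkActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <data android:scheme="scheme" android:host="hostname"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

SAMPLE_LAYOUT = """<LinearLayout xmlns:android="http://schemas.android.com/apk/res/android">
  <Button android:id="@+id/pay" android:text="Pay"
      android:filterTouchesWhenObscured="true"/>
  <Button android:id="@+id/grant" android:text="Grant access"/>
  <TextView android:id="@+id/label" android:text="Balance"/>
</LinearLayout>"""

if __name__ == "__main__":
    result = triage_manifest(SAMPLE_MANIFEST)
    for k, v in result.items():
        if k != "exported_activities":
            print("%s: %s" % (k, v))
    for act in result["exported_activities"]:
        print("exported %s (permission=%s): %s" % (act["name"], act["permission"], act["adb"]))
    print("tapjackable views:", unprotected_buttons(SAMPLE_LAYOUT))
```

For each exported activity the script also emits the adb shell am start command used in the activity section further down; a permission of None means any app on the device can launch it. Run unprotected_buttons over every file in res/layout to find the views worth a tapjacking test.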

Task Hijacking

Insecure data storage

Internal Storage

External Storage

External storage can be accessed at /storage/emulated/0, /sdcard or /mnt/sdcard (usually all the same location).

Starting with Android 4.4 (API 19), external storage has a per-app directory structure (Android/data/<packagename>) that limits an app's access to its own directory, which stops a malicious application from reading or writing another app's files there. Files written to shared locations (for example Downloads) remain readable by any app with the storage permission; Android 10 (API 29) introduced scoped storage and Android 11 (API 30) enforces it, restricting that access further.

Sensitive data stored in clear-text

  • Shared preferences: Android lets each application save XML files under /data/data/<packagename>/shared_prefs/ and sometimes sensitive information can be found in clear text in that folder.

  • Databases: Android lets each application save SQLite databases under /data/data/<packagename>/databases/ and sometimes sensitive information can be found in clear text in those databases.

Broken TLS

Accept All Certificates

For some reason developers sometimes accept every certificate, even when the hostname does not match, with code like the following (Apache HttpClient API; cc is an obfuscated subclass of SSLSocketFactory). The same effect is achieved with a custom X509TrustManager whose checkServerTrusted method does nothing:

// cc extends org.apache.http.conn.ssl.SSLSocketFactory (class name obfuscated)
SSLSocketFactory sf = new cc(trustStore);
// disables hostname verification: any valid certificate is accepted for any host
sf.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);

A good way to test this is to try to capture the traffic with a proxy such as Burp without installing the Burp CA certificate on the device: if the traffic is still intercepted, certificate validation is broken. You can also generate a Burp certificate for a different hostname to test hostname verification on its own.

Broken Cryptography

Poor Key Management Processes

Some developers store sensitive data in local storage encrypted with a key that is hard-coded or predictable in the code. This shouldn't be done, since some reversing lets an attacker recover the key and decrypt the confidential information.

Use of Insecure and/or Deprecated Algorithms

Developers shouldn't use deprecated algorithms for authorisation checks or for storing or sending data. Some of these algorithms are RC4, MD4, MD5, SHA1, DES and AES in ECB mode. If hashes are used to store passwords, a salted, deliberately slow password hash (bcrypt, scrypt, PBKDF2 or Argon2) should be used instead.

Other checks

  • It's recommended to obfuscate the APK to make reverse engineering harder for attackers.

  • If the app is sensitive (like a banking app), it should perform its own checks to detect whether the device is rooted and act accordingly.

  • If the app is sensitive (like a banking app), it should check whether it is running in an emulator.

  • If the app is sensitive (like a banking app), it should verify its own integrity before executing to detect whether it was modified. Keep in mind that all of these are client-side checks and can be bypassed (for example by hooking them with Frida), so they raise the bar rather than guarantee anything.

React Native Application

Read the following page to learn how to easily access the JavaScript code of React Native applications:

Xamarin Applications

Xamarin apps are written in C#. To get at the C# code you need to extract the assemblies from the APK, which are stored compressed (LZ4 with an XALZ header) under assemblies/, and decompress them with xamarin-decompress.py (from the xamarin-decompress project); the resulting DLLs can then be opened in a .NET decompiler such as dnSpy or ILSpy:

7z x app.apk -o/path/to/decompressed/apk   # or any other zip extraction command (7z x extracts, 7z r renames)
python3 xamarin-decompress.py -o /path/to/decompressed/apk

Other interesting functions

  • Code execution: Runtime.exec(), ProcessBuilder(), native code: system()

  • Send SMSs: sendTextMessage, sendMultipartTextMessage

  • Native functions: methods declared native, System.loadLibrary, System.load
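A pattern scan of the jadx output covers the accept-all TLS code shown in the Broken TLS section, the deprecated algorithms and hard-coded keys from Broken Cryptography, and the functions listed just above in one pass. This Python scanner is an added example, not from the original page; the regexes are heuristics tuned for jadx-style Java (they work line by line, so method bodies split over several lines are missed), and SAMPLE_JAVA is a constructed source file.

```python
"""Grep-style triage of decompiled (jadx) Java for accept-all TLS code, weak or
hard-coded crypto, command execution, SMS sending and native code loading.
Added example, not from the page; regexes are line-based heuristics and
SAMPLE_JAVA is a constructed source file."""
import re
from pathlib import Path

PATTERNS = {
    "tls-accept-all": [
        r"ALLOW_ALL_HOSTNAME_VERIFIER",
        r"checkServerTrusted\s*\([^)]*\)\s*(throws[^{]*)?\{\s*\}",  # empty trust check
        r"HostnameVerifier[^;]*return\s+true",                       # verify() always true
    ],
    "weak-crypto": [
        r"MessageDigest\.getInstance\(\s*\"(MD4|MD5|SHA-?1)\"",
        r"Cipher\.getInstance\(\s*\"(RC4|ARCFOUR|DES|DESede)[\"/]",
        r"Cipher\.getInstance\(\s*\"(AES/ECB|AES\")",                # bare "AES" is ECB
        r"SecretKeySpec\(\s*(\"[^\"]*\"|[A-Z][A-Z0-9_]*)\.getBytes", # literal/constant key
    ],
    "code-exec": [r"Runtime\.getRuntime\(\)\.exec\(", r"new\s+ProcessBuilder\("],
    "sms": [r"sendTextMessage\(", r"sendMultipartTextMessage\("],
    "native": [r"System\.loadLibrary\(", r"System\.load\(", r"\bnative\s+\w+\s+\w+\("],
}
COMPILED = {cat: [re.compile(rx) for rx in rxs] for cat, rxs in PATTERNS.items()}


def scan_source(text):
    """(category, line_number, matched_text) for every hit, in line order."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for cat, regexes in COMPILED.items():
            for rx in regexes:
                m = rx.search(line)
                if m:
                    hits.append((cat, lineno, m.group(0)))
    return hits


def scan_tree(root):
    """Scan every .java/.kt file under root; returns (path, category, line, text)."""
    found = []
    for p in sorted(Path(root).rglob("*")):
        if p.suffix in (".java", ".kt"):
            found += [(str(p),) + h for h in scan_source(p.read_text(errors="ignore"))]
    return found


# Constructed sample: what jadx output of a careless networking class might look like.
SAMPLE_JAVA = """package com.example.demo;
public class Net {
    static final String KEY = "s3cr3tk3y1234567";
    void init(KeyStore trustStore) throws Exception {
        SSLSocketFactory sf = new cc(trustStore);
        sf.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
    }
    public void checkServerTrusted(X509Certificate[] chain, String authType) {}
    byte[] enc(byte[] d) throws Exception {
        Cipher c = Cipher.getInstance("AES");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(KEY.getBytes(), "AES"));
        return c.doFinal(d);
    }
    byte[] h(String s) throws Exception { return MessageDigest.getInstance("MD5").digest(s.getBytes()); }
    void run(String cmd) throws Exception { Runtime.getRuntime().exec(cmd); }
    public native String getKey();
    static { System.loadLibrary("native-lib"); }
}"""

if __name__ == "__main__":
    for cat, lineno, text in scan_source(SAMPLE_JAVA):
        print("%-15s line %2d  %s" % (cat, lineno, text))
```

Every hit is a place to read, not a finding by itself: a native method or System.loadLibrary only tells you where to continue in the Reversing Native Libraries page, and a Runtime.exec call matters when its argument is attacker-controlled.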

Other tricks

Dynamic Analysis

First of all, you need an environment where you can install the application and the tooling around it (mainly the Burp CA certificate, Drozer and Frida). A rooted device (emulated or not) is therefore strongly recommended.

Online Dynamic analysis

You can even see the logs of your application in the web and connect through adb.

Thanks to the ADB connection you can use Drozer and Frida inside the emulators.

Local Dynamic Analysis

You can use some emulator like:

    • If you want to install a system image and later delete it, the images live under C:\Users\<User>\AppData\Local\Android\sdk\system-images\ on Windows or ~/Library/Android/sdk/system-images on macOS.

When creating a new emulator on any platform remember that the bigger the screen is, the slower the emulator will run. So select small screens if possible.

As most people will use Genymotion, note this trick: to install Google services (such as the Play Store) click the Open GApps button in the emulator toolbar.

Also, notice that in the configuration of the Android VM in Genymotion you can select Bridge Network mode (this will be useful if you will be connecting to the Android VM from a different VM with the tools).

Or you could use a physical device (you need to enable Developer options and USB debugging, and rooting it helps a lot):

  1. Settings.

  2. (From Android 8.0) Select System.

  3. Select About phone.

  4. Press Build number 7 times.

  5. Go back and you will find the Developer options.

Once you have installed the application, the first thing you should do is try it out and investigate what it does and how it works, and get comfortable with it. I suggest performing this initial dynamic analysis with MobSF dynamic analysis + pidcat, so you learn how the application works while MobSF captures a lot of interesting data you can review later on.

Unintended Data Leakage

Logging

Since Android 4.1 (API 16) the READ_LOGS permission is no longer granted to third-party applications, so an app can only read its own log output. It's still recommended not to log sensitive information: anyone with adb access or a root shell can read the full logcat buffer.

Copy/Paste Buffer Caching

Android provides a clipboard framework for copy/paste in applications. This becomes a serious issue when another application can read clipboard contents that hold sensitive data (on Android 9 and earlier any app can read the clipboard in the background; since Android 10 only the app in the foreground or the default IME can). Copy/paste should be disabled for sensitive parts of the application, for example copying credit card details.

Crash Logs

If an application crashes at runtime and saves logs somewhere, those logs can help an attacker, especially when the application cannot easily be reverse engineered. Avoid writing crash logs to storage, and if logs are sent over the network make sure they go over a TLS channel. As a pentester, try to find and read these logs.

Analytics Data Sent To 3rd Parties

Most applications use third-party services such as Google AdSense, and sometimes they leak sensitive data, or data that the service does not need, because the developer did not implement the integration properly. Intercept the application's traffic and check whether any sensitive data is sent to third parties.

SQLite DBs

Most applications use internal SQLite databases to store information. During the pentest look at the databases created, the table and column names and all the stored data, because you could find sensitive information (which would be a vulnerability). Databases are located under /data/data/the.package.name/databases, for example /data/data/com.mwr.example.sieve/databases.

If the database stores confidential information encrypted but the password can be found inside the application, it's still a vulnerability.

Open the file with the sqlite3 command-line tool (on the device, or locally after adb pull), enumerate the tables with .tables and the columns of a table with .schema <table_name>.
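The same enumeration can be done programmatically against a pulled database file, which also makes it easy to flag columns whose values are stored in clear text. The script below is an added example, not from the original page; open_db() is meant for a file obtained with adb pull, and build_sample_db() creates a constructed in-memory stand-in whose layout (Passwords and Key tables) only mimics the kind of app mentioned above.

```python
"""Enumerate a pulled SQLite database (the .tables / .schema step) and flag
sensitive-looking columns whose values appear to be clear text. Added example,
not from the page; build_sample_db() is a constructed stand-in."""
import re
import sqlite3

# column names that usually hold secrets (heuristic, case-insensitive)
SENSITIVE = re.compile(r"pass(word)?|pin|secret|token|key|card|cvv|ssn", re.I)
# values that look hashed/derived rather than plaintext (crude but useful)
HASH_LIKE = re.compile(r"^(\$2[aby]\$|\$pbkdf2|[0-9a-fA-F]{32,}$)")


def open_db(path):
    """Open a pulled database read-only so the evidence is not modified."""
    return sqlite3.connect("file:%s?mode=ro" % path, uri=True)


def enumerate_db(conn):
    """{table: [column, ...]}, the equivalent of .tables plus .schema <table>."""
    cur = conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")
    tables = [r[0] for r in cur.fetchall()]
    return {t: [row[1] for row in conn.execute('PRAGMA table_info("%s")' % t)] for t in tables}


def find_sensitive(conn, limit=5):
    """Columns whose name suggests a secret, with sample values and a plaintext verdict."""
    hits = []
    for table, cols in enumerate_db(conn).items():
        for col in cols:
            if not SENSITIVE.search(col):
                continue
            rows = conn.execute(
                'SELECT "%s" FROM "%s" WHERE "%s" IS NOT NULL LIMIT %d'
                % (col, table, col, int(limit))).fetchall()
            values = [str(r[0]) for r in rows]
            hits.append({
                "table": table, "column": col, "samples": values,
                "plaintext": any(not HASH_LIKE.match(v) for v in values),
            })
    return hits


def build_sample_db():
    """Constructed stand-in shaped like a password-manager app's database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Passwords(_id INTEGER PRIMARY KEY, service TEXT,
                               username TEXT, password TEXT, email TEXT);
        INSERT INTO Passwords VALUES (1, 'Gmail', 'alice', 'Hunter2!', 'alice@example.com');
        CREATE TABLE Key(Password TEXT, pin INTEGER);
        INSERT INTO Key VALUES ('5f4dcc3b5aa765d89d97d6b1c1c0e1b97f3b7c2f1d2e3f4a5b6c7d8e9f0a1b2c', 1234);
        CREATE TABLE android_metadata(locale TEXT);
        INSERT INTO android_metadata VALUES ('en_US');
    """)
    return conn


if __name__ == "__main__":
    db = build_sample_db()          # replace with open_db("pulled.db") for a real file
    for table, cols in enumerate_db(db).items():
        print("%s: %s" % (table, ", ".join(cols)))
    for h in find_sensitive(db):
        print("%s.%s plaintext=%s samples=%s" % (h["table"], h["column"], h["plaintext"], h["samples"]))
```

A column flagged as plaintext is the finding; a hashed-looking value still deserves a look at how the hash is computed (see Broken Cryptography above), since an unsalted MD5 of a PIN is as good as clear text.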

Drozer (Exploit Activities, Content Providers and Services)

Exploiting exported Activities

Authorisation bypass

You can also start an exported activity from adb:

  • PackageName is com.example.demo

  • Exported ActivityName is com.example.test.MainActivity

adb shell am start -n com.example.demo/com.example.test.MainActivity

Note that an authorisation bypass is not always a vulnerability; it depends on how the bypass works and what information is exposed.

Sensitive information leakage

Activities can also return results. If you manage to find an exported and unprotected activity calling the setResult method and returning sensitive information, there is a sensitive information leakage.

Exploiting Content Providers - Accessing and manipulating sensitive information

Exploiting Services

Exploiting Broadcast Receivers

Exploiting Schemes / Deep links

adb shell am start -a android.intent.action.VIEW -d "scheme://hostname/path?param=value" [your.package.name]

Note that you can omit the package name and the mobile will automatically call the app that should open that link.

<!-- Browser regular link -->
<a href="scheme://hostname/path?param=value">Click me</a>
<!-- fallback in your url you could try the intent url -->
<a href="intent://hostname#Intent;scheme=scheme;package=your.package.name;S.browser_fallback_url=http%3A%2F%2Fwww.example.com;end">with alternative</a>

Code executed

To find the code that will be executed in the app, go to the activity called by the deep link and search for the onNewIntent function.

Sensitive info

Every time you find a deep link check that it's not receiving sensitive data (like passwords) via URL parameters, because any other application could impersonate the deep link and steal that data!

Parameters in path

More examples

Insufficient Transport Layer Protection

  • Lack of Certificate Inspection: the Android application fails to verify the identity of the certificate presented to it. Many applications ignore the warnings and accept any self-signed certificate presented; some send the traffic over a plain HTTP connection instead.

  • Weak Handshake Negotiation: the application and server perform an SSL/TLS handshake but negotiate an insecure cipher suite that is vulnerable to MITM attacks, so an attacker can decrypt the connection.

  • Privacy Information Leakage: it often happens that applications authenticate over a secure channel but send the rest of the traffic over an insecure one. That doesn't add to the security of the application, because the remaining sensitive data (session cookie, user data) can be intercepted by a malicious user.

SSL Pinning

By default, when making an SSL connection, the client (the Android app) checks that the server's certificate has a verifiable chain of trust back to a trusted (root) certificate and matches the requested hostname. This still leaves room for Man in the Middle attacks (MITM), for example through a CA the device trusts but the app shouldn't. In certificate pinning, the Android application itself contains the certificate of the server and only transmits data if the same certificate is presented. It's recommended to apply SSL pinning for the sites where sensitive information is going to be sent.

Inspecting HTTP traffic

For applications targeting API level 24+ it isn't enough to install the Burp CA certificate on the device. To bypass this protection you need to modify the Network Security Config file. So you could modify this file to authorise your CA certificate, or you can **[read this page for a tutorial on how to force the application to accept again all the certificates installed in the device](make-apk-accept-ca-certificate.md).**
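The flip side of that bypass is the static check: a Network Security Config that trusts user-installed CAs or permits cleartext in a release build is a finding on its own. The following is an added example, not code from the original page. It parses the network_security_config.xml decoded from the APK and reports those settings; the two configs embedded in it are constructed, and the pin values in the hardened one are placeholders rather than real SPKI hashes.

```python
"""Audit an Android Network Security Config (res/xml/network_security_config.xml,
as decoded from the APK) for settings that let a proxy CA through or allow
cleartext traffic.

Added example, not code from the original page. WEAK_CONFIG and
HARDENED_CONFIG are constructed; the <pin> values are placeholders.
"""
import xml.etree.ElementTree as ET
from typing import List

SCOPED_TAGS = ("base-config", "domain-config", "debug-overrides")


def audit_network_security_config(xml_text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    root = ET.fromstring(xml_text)
    if root.tag != "network-security-config":
        raise ValueError("root element is not <network-security-config>")
    findings: List[str] = []
    for cfg in root.iter():  # iter() also visits nested <domain-config> blocks
        if cfg.tag not in SCOPED_TAGS:
            continue
        if cfg.tag == "debug-overrides":
            # Honoured only while android:debuggable="true"; noted so the manifest
            # check can confirm the release build is not debuggable.
            findings.append("debug-overrides present (active only if the app is debuggable)")
            continue
        where = cfg.tag
        if cfg.tag == "domain-config":
            domains = [(d.text or "").strip() for d in cfg.findall("domain")]
            where = "domain-config[%s]" % ",".join(domains)
        if cfg.get("cleartextTrafficPermitted", "").lower() == "true":
            findings.append(f"{where}: cleartext (plain HTTP) traffic permitted")
        for certs in cfg.findall("trust-anchors/certificates"):
            if certs.get("src") == "user":
                findings.append(f"{where}: trusts user-installed CA certificates")
            if certs.get("overridePins", "false").lower() == "true":
                findings.append(f"{where}: src={certs.get('src')} overrides pinning")
    return findings


# Constructed: the kind of config left over from debugging through a proxy.
WEAK_CONFIG = """<network-security-config>
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
</network-security-config>"""

# Constructed: system CAs only, no cleartext, pins for the API host.
HARDENED_CONFIG = """<network-security-config>
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>
        <pin-set expiration="2027-01-01">
            <pin digest="SHA-256">PLACEHOLDER_PRIMARY_SPKI_HASH_BASE64=</pin>
            <pin digest="SHA-256">PLACEHOLDER_BACKUP_SPKI_HASH_BASE64=</pin>
        </pin-set>
    </domain-config>
</network-security-config>"""


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_network_security_config(cfg) or ["no findings"])
```

Remember that the config is only consulted by apps targeting API 24+; on older targets the platform trusts user CAs regardless, so the absence of findings here says nothing for those apps.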

SSL Pinning

We already discussed what SSL pinning is two paragraphs above. When it's implemented in an application you will need to bypass it to inspect the HTTPS traffic, or you won't see it. Here I'm going to present a few options I've used to bypass this protection:

  • You can also try to automatically bypass SSL Pinning using MobSF dynamic analysis (explained below)

Common Web vulnerabilities

Note that in this step you should look for common web vulnerabilities. A lot of information about web vulnerabilities can be found in this book, so I'm not going to mention them here.

Frida

Android Application Analyzer

Intent Injection

This vulnerability resembles Open Redirect in web security. Since the Intent class is Parcelable, objects of this class can be passed as extra data in another Intent object. Many developers make use of this feature and create proxy components (activities, broadcast receivers and services) that take an embedded Intent and pass it to dangerous methods like startActivity(...), sendBroadcast(...), etc. This is dangerous because an attacker can force the app to launch a non-exported component that cannot be launched directly from another app, or grant the attacker access to its content providers. WebViews also sometimes convert a URL from a string to an Intent object with Intent.parseUri(...) and pass it to startActivity(...).

Android Client Side Injections and others

You probably know these kinds of vulnerabilities from the web. Be especially careful with the following in an Android application:

  • SQL Injection: When dealing with dynamic queries or Content-Providers ensure you are using parameterized queries.

  • Eternal cookies: in several cases, when the Android application finishes the session the cookie isn't revoked, or it could even be saved to disk.
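To make the SQL injection point concrete: a ContentProvider's query() receives a caller-supplied selection and sortOrder, and a provider that splices them into the statement gives any app on the device a free SQL interface. The following is an added example, not code from the original page. Python's sqlite3 stands in for android.database.sqlite, the notes table and its rows are constructed, and the vulnerable version is kept only to show why the parameterised one behaves differently.

```python
"""Parameterised queries versus string-built SQL, in the shape of a
ContentProvider.query() that takes a caller-supplied filter value and sort column.

Added example, not code from the original page. sqlite3 stands in for
android.database.sqlite; the notes table and its rows are constructed.
"""
import sqlite3
from typing import List, Tuple

ALLOWED_SORT_COLUMNS = ("id", "owner", "title")  # identifiers callers may sort on


def make_db() -> sqlite3.Connection:
    """Constructed table with rows belonging to two different users."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE notes (id INTEGER PRIMARY KEY, owner TEXT, title TEXT, body TEXT);
        INSERT INTO notes VALUES (1, 'alice', 'todo', 'buy milk');
        INSERT INTO notes VALUES (2, 'bob', 'secret', 'bob private note');
        INSERT INTO notes VALUES (3, 'alice', 'draft', 'draft text');
        """
    )
    return conn


def query_vulnerable(conn: sqlite3.Connection, owner: str, sort_order: str = "id") -> List[Tuple]:
    """The pattern the text warns about: caller values spliced into the SQL text."""
    sql = f"SELECT id, owner, title FROM notes WHERE owner = '{owner}' ORDER BY {sort_order}"
    return conn.execute(sql).fetchall()


def query_safe(conn: sqlite3.Connection, owner: str, sort_order: str = "id") -> List[Tuple]:
    """Values are bound as parameters; identifiers cannot be bound, so ORDER BY
    is taken from an allow-list instead of from the caller's string."""
    if sort_order not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"sort column not allowed: {sort_order!r}")
    sql = f"SELECT id, owner, title FROM notes WHERE owner = ? ORDER BY {sort_order}"
    return conn.execute(sql, (owner,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"
    print("vulnerable:", query_vulnerable(db, crafted))  # every row, bob's included
    print("safe:      ", query_safe(db, crafted))        # no user literally named that
```

On Android the equivalent of the allow-list is SQLiteQueryBuilder with a projection map and setStrict(true); the bind parameters are the selectionArgs array.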

Automatic Analysis

Static analysis

Vulnerability assessment of the application using a nice web-based frontend. You can also perform dynamic analysis (but you need to prepare the environment).

docker pull opensecurity/mobile-security-framework-mobsf
docker run -it -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest

Notice that MobSF can analyse Android (apk), iOS (ipa) and Windows (apx) applications (Windows applications must be analysed from a MobSF installed on a Windows host). Also, if you create a ZIP file with the source code of an Android or an iOS app (go to the root folder of the application, select everything and create a ZIP file), it will be able to analyse it too.

MobSF also allows you to diff/compare analyses and to integrate VirusTotal (you will need to set your API key in MobSF/settings.py and enable it: VT_ENABLED = TRUE VT_API_KEY = <Your API key> VT_UPLOAD = TRUE). You can also set VT_UPLOAD to False; then the hash will be uploaded instead of the file.

Assisted Dynamic analysis with MobSF

MobSF can also be very helpful for dynamic analysis on Android, but in that case you will need to install MobSF and Genymotion on your host (a VM or Docker won't work). Note: you need to start a VM in Genymotion first and then MobSF. The MobSF dynamic analyser can:

  • Dump application data (URLs, logs, clipboard, screenshots made by you, screenshots made by "Exported Activity Tester", emails, SQLite databases, XML files, and other created files). All of this is done automatically except for the screenshots: you need to press when you want a screenshot, or press "Exported Activity Tester" to obtain screenshots of all the exported activities.

  • Capture HTTPS traffic

  • Use Frida to obtain runtime information

On Android versions > 5, it will automatically start Frida and set global proxy settings to capture traffic. It will only capture traffic from the tested application.

Frida

By default, it will also use some Frida Scripts to bypass SSL pinning, root detection and debugger detection and to monitor interesting APIs. MobSF can also invoke exported activities, grab screenshots of them and save them for the report.

To start the dynamic testing press the green button "Start Instrumentation". Press "Frida Live Logs" to see the logs generated by the Frida scripts and "Live API Monitor" to see all the invocations of hooked methods, the arguments passed and the returned values (this will appear after pressing "Start Instrumentation"). MobSF also allows you to load your own Frida scripts (to send the results of your Frida scripts to MobSF use the function send()). It also has several pre-written scripts you can load (you can add more in MobSF/DynamicAnalyzer/tools/frida_scripts/others/): just select them, press "Load" and press "Start Instrumentation" (you will be able to see the logs of those scripts inside "Frida Live Logs").

Moreover, you have some Auxiliary Frida functionalities:

  • Enumerate Loaded Classes: It will print all the loaded classes

  • Capture Strings: It will print all the captured strings while using the application (super noisy)

  • Capture String Comparisons: Could be very useful. It will show the 2 strings being compared and if the result was True or False.

  • Enumerate Class Methods: Put the class name (like "java.io.File") and it will print all the methods of the class.

  • Search Class Pattern: Search classes by pattern

  • Trace Class Methods: Trace a whole class (see inputs and outputs of all methods of the class). Remember that by default MobSF traces several interesting Android API methods.

Once you have selected the auxiliary module you want to use you need to press "Start Instrumentation" and you will see all the outputs in "Frida Live Logs".

Shell

MobSF also gives you a shell with some adb commands, MobSF commands and common shell commands at the bottom of the dynamic analysis page. Some interesting commands:

help
shell ls
activities
exported_activities
services
receivers

HTTP tools

Once you finish the dynamic analysis with MobSF you can press "Start Web API Fuzzer" to fuzz HTTP requests and look for vulnerabilities.

After performing a dynamic analysis with MobSF the proxy settings may be misconfigured and you won't be able to fix them from the GUI. You can fix the proxy settings by doing:

adb shell settings put global http_proxy :0

Assisted Dynamic Analysis with Inspeckage

This is a great tool to perform static analysis with a GUI

This tool is designed to look for several security related Android application vulnerabilities, either in source code or packaged APKs. The tool is also capable of creating a "Proof-of-Concept" deployable APK and ADB commands, to exploit some of the found vulnerabilities (Exposed activities, intents, tapjacking...). As with Drozer, there is no need to root the test device.

pip3 install --user qark  # --user is only needed if not using a virtualenv
qark --apk path/to/my.apk
qark --java path/to/parent/java/folder
qark --java path/to/specific/java/file.java
  • Displays all extracted files for easy reference

  • Automatically decompile APK files to Java and Smali format

  • Analyze AndroidManifest.xml for common vulnerabilities and behavior

  • Static source code analysis for common vulnerabilities and behavior

    • Device info

    • Intents

    • Command execution

    • SQLite references

    • Logging references

    • Content providers

    • Broadcast receivers

    • Service references

    • File references

    • Crypto references

    • Hardcoded secrets

    • URLs

    • Network connections

    • SSL references

    • WebView references

reverse-apk relative/path/to/APP.apk

SUPER is a command-line application that can be used in Windows, MacOS X and Linux, that analyzes .apk files in search for vulnerabilities. It does this by decompressing APKs and applying a series of rules to detect those vulnerabilities.

All rules are centralised in a rules.json file, and each company or tester can create its own rules to analyse what they need.

super-analyzer {apk_file}

The concept is that you drag and drop your mobile application file (an .apk or .ipa file) on the StaCoAn application and it will generate a visual and portable report for you. You can tweak the settings and wordlists to get a customized experience.

./stacoan
python androbugs.py -f [APK file]
androbugs.exe -f [APK file]

Androwarn is a tool whose main aim is to detect and warn the user about potential malicious behaviours developed by an Android application.

This tool looks for common behavior of "bad" applications like: Telephony identifiers exfiltration, Audio/video flow interception, PIM data modification, Arbitrary code execution...

python androwarn.py -i my_application_to_be_analyzed.apk -r html -v 3

MARA is a Mobile Application Reverse engineering and Analysis Framework. It is a tool that puts together commonly used mobile application reverse engineering and analysis tools, to assist in testing mobile applications against the OWASP mobile security threats. Its objective is to make this task easier and friendlier to mobile application developers and security professionals.

It is able to:

  • Extract Java and Smali code using different tools

  • Extract private information from the APK using regexps.

  • Analyze the Manifest.

Koodous

Obfuscating/Deobfuscating code

Note that depending on the service and configuration you use to obfuscate the code, secrets may or may not end up obfuscated.

ProGuard is an open source command-line tool that shrinks, optimizes and obfuscates Java code. It is able to optimize bytecode as well as detect and remove unused instructions. ProGuard is free software and is distributed under the GNU General Public License, version 2.

ProGuard is distributed as part of the Android SDK and runs when building the application in release mode.

DeGuard reverses the process of obfuscation performed by Android obfuscation tools. This enables numerous security analyses, including code inspection and predicting libraries.

You can upload an obfuscated APK to their platform.

It is a generic Android deobfuscator. Simplify virtually executes an app to understand its behaviour and then tries to optimise the code so that it behaves identically but is easier for a human to understand. Each optimisation type is simple and generic, so it doesn't matter what specific type of obfuscation is used.

Manual

Labs

AndroL4b is an Android security virtual machine based on ubuntu-mate that includes a collection of the latest frameworks, tutorials and labs from different security geeks and researchers for reverse engineering and malware analysis.

OWASP

Git Repos

References

For more information visit:

To Test

First of all, for analysing an APK you should take a look at the Java code using a decompiler. Please, .

Just by looking at the strings of the APK you can search for passwords, URLs (), API keys, encryption, Bluetooth UUIDs, tokens and anything interesting... look even for code-execution backdoors or authentication backdoors (hardcoded admin credentials for the app).

Pay special attention to Firebase URLs and check whether they are badly configured.

Using any of the decompilers mentioned you will be able to read the Manifest.xml. You could also rename the apk file extension to .zip and unzip it. Reading the manifest you can find vulnerabilities:

how to find debuggable applications in a phone and exploit them

Exported activities: Check for exported activities inside the manifest as this could be dangerous. Later in the dynamic analysis it will be explained how .

Content Providers: If an exported provider is being exposed, you could be able to access/modify interesting information. In dynamic analysis .

Check for FileProviders configurations inside the attribute android:name="android.support.FILE_PROVIDER_PATHS". .

Exposed Services: Depending on what the service is doing internally vulnerabilities could be exploited. In dynamic analysis .

Broadcast Receivers: during the dynamic analysis.

URL scheme: Read the code of the activity managing the schema and look for vulnerabilities managing the input of the user. More info about .
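The manifest checks above can be triaged in one pass before opening the decompiled code. The following is an added example, not code from the original page: it parses a decoded AndroidManifest.xml (apktool or jadx output) and lists exported components, the permission guarding each one, the deep-link schemes declared on them, and risky application flags. SAMPLE_MANIFEST is constructed and only borrows the com.example.demo / com.example.test.MainActivity names and the scheme://hostname/path link used elsewhere on this page.

```python
"""Static triage of a decoded AndroidManifest.xml: exported components, their
guarding permission, declared deep-link schemes and risky application flags.

Added example, not code from the original page. Run it on the manifest as
decoded by apktool or jadx; SAMPLE_MANIFEST is constructed.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

A = "{http://schemas.android.com/apk/res/android}"  # namespaced attribute prefix
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")


def _attr(elem: ET.Element, name: str, default: Optional[str] = None) -> Optional[str]:
    return elem.get(A + name, default)


def audit_manifest(xml_text: str) -> Dict[str, List[str]]:
    root = ET.fromstring(xml_text)
    if root.tag != "manifest":
        raise ValueError("root element is not <manifest>")
    app = root.find("application")
    if app is None:
        raise ValueError("no <application> element")
    findings: Dict[str, List[str]] = {"flags": [], "exported": [], "deeplinks": []}

    if _attr(app, "debuggable") == "true":
        findings["flags"].append("android:debuggable=true")
    if _attr(app, "allowBackup", "true") == "true":  # platform default is true when absent
        findings["flags"].append("android:allowBackup not disabled")
    if _attr(app, "usesCleartextTraffic") == "true":
        findings["flags"].append("android:usesCleartextTraffic=true")

    for comp in app:
        if comp.tag not in COMPONENT_TAGS:
            continue
        name = _attr(comp, "name")
        exported = _attr(comp, "exported")
        has_filter = comp.find("intent-filter") is not None
        if exported == "true" or (exported is None and has_filter):
            # Before targetSdk 31 a component with an intent-filter is exported by default.
            how = "explicitly" if exported == "true" else "implicitly via intent-filter"
            perm = _attr(comp, "permission")
            guard = f"protected by {perm}" if perm else "no permission required"
            findings["exported"].append(f"{comp.tag} {name}: exported {how}, {guard}")
        elif comp.tag == "provider" and exported is None:
            findings["exported"].append(f"provider {name}: exported unset (defaults to true below API 17)")
        for data in comp.findall("intent-filter/data"):
            scheme = _attr(data, "scheme")
            if scheme:
                host = _attr(data, "host") or ""
                path = _attr(data, "pathPrefix") or _attr(data, "path") or _attr(data, "pathPattern") or ""
                findings["deeplinks"].append(f"{scheme}://{host}{path} -> {name}")
    return findings


# Constructed manifest; names borrowed from the examples on this page.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo">
  <application android:debuggable="true" android:allowBackup="true">
    <activity android:name="com.example.test.MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="scheme" android:host="hostname" android:pathPrefix="/path"/>
      </intent-filter>
    </activity>
    <activity android:name=".SecretActivity">
      <intent-filter><action android:name="com.example.demo.OPEN_SECRET"/></intent-filter>
    </activity>
    <activity android:name=".InternalActivity" android:exported="false"/>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.demo.SYNC"/>
    <provider android:name=".DataProvider" android:authorities="com.example.demo.provider"
              android:exported="true"/>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""


if __name__ == "__main__":
    for section, items in audit_manifest(SAMPLE_MANIFEST).items():
        print(section + ":")
        for item in items:
            print("  ", item)
```

Every exported entry is a starting point for the dynamic checks described later, and the "no permission required" ones go first; a component guarded by a signature-level permission is usually not reachable from a test app.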

You can use with the --exploit-apk parameter to create a malicious application to test for possible Tapjacking vulnerabilities. An example project implementing this kind of feature can be found in .

The mitigation is relatively simple as the developer may choose not to receive touch events when a view is covered by another. Using the :

To enable touch filtering, call or set the android:filterTouchesWhenObscured layout attribute to true. When enabled, the framework will discard touches that are received whenever the view's window is obscured by another visible window. As a result, the view will not receive touches whenever a toast, dialog or other window appears above the view's window.

Files created on internal storage are accessible only by the app. This protection is implemented by Android and is sufficient for most applications. But developers often use MODE_WORLD_READABLE & MODE_WORLD_WRITABLE to give a different application access to those files, and this doesn't stop other (malicious) apps from accessing them too. During the static analysis check for the use of those modes; during the dynamic analysis check the permissions of the files created (maybe some of them are world readable/writable).

Files created on external storage, such as SD Cards, are globally readable and writable. Because external storage can be removed by the user and also modified by any application, you should not store sensitive information using external storage. As with data from any untrusted source, you should perform input validation when handling data from external storage. We strongly recommend that you not store executables or class files on external storage prior to dynamic loading. If your app does retrieve executable files from external storage, the files should be signed and cryptographically verified prior to dynamic loading. Info taken from .

Use to check which compiler/packer/obfuscator was used to build the APK

Then, decompress all the DLLs using :

and finally you can use to read C# code from the DLLs.

You can create a free account in: . This platform allows you to upload and execute APKs, so it is useful to see how an apk is behaving.

(You can create x86 and ARM devices, and according to latest x86 versions support ARM libraries without needing a slow ARM emulator).

This is the main emulator I recommend to use and you can.

(Free version: Personal Edition, you need to create an account.)

(Free, but it doesn't support Frida or Drozer).

Often developers leave debugging information publicly, so any application with the READ_LOGS permission can access those logs and gain sensitive information from them. While navigating through the application use (recommended, it's easier to use and read) or to read the created logs and look for sensitive information.
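Reading a logcat capture by eye misses things, so it helps to run a scanner over it; this covers both the crash-log review mentioned earlier and the logcat review here. The following is an added example, not code from the original page. It parses adb logcat -v threadtime output (the format LOG_RE assumes), filters by the app's PID and reports lines that contain credential-looking values. SAMPLE_LOGCAT and every credential value inside it are constructed.

```python
"""Scan logcat output for secrets an app should never have written.

Added example, not code from the original page. Reads `adb logcat -v threadtime`
output (the format LOG_RE assumes); SAMPLE_LOGCAT and the credentials in it
are constructed.
"""
import re
from typing import Dict, List, Optional

LOG_RE = re.compile(
    r"^(?P<ts>\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})\s+(?P<pid>\d+)\s+(?P<tid>\d+)\s+"
    r"(?P<level>[VDIWEF])\s+(?P<tag>.+?)\s*: (?P<msg>.*)$"
)

# Constructed heuristics; tune them to the app under test. The lookarounds on the
# first pattern keep "pin" from matching inside words such as "shipping".
SECRET_PATTERNS = {
    "password in log": re.compile(r"(?i)(?<![a-z])(pass(word|wd)?|pwd|pin)(?![a-z])\s*[=:]\s*\S+"),
    "bearer token": re.compile(r"(?i)bearer\s+[A-Za-z0-9._~+/=-]{16,}"),
    "jwt": re.compile(r"eyJ[A-Za-z0-9_-]{8,}\.eyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}"),
    "api key or token": re.compile(r"(?i)(api[_-]?key|secret|token)\s*[=:]\s*[A-Za-z0-9_\-]{12,}"),
    "credentials in URL": re.compile(r"https?://[^\s/@]+:[^\s/@]+@"),
}


def parse_logcat_line(line: str) -> Optional[Dict[str, str]]:
    """Fields of one threadtime line, or None for separators and malformed lines."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan_logcat(text: str, pid: Optional[int] = None) -> List[Dict[str, object]]:
    """One finding per (line, category) hit; restrict to a PID to skip other apps' noise."""
    hits: List[Dict[str, object]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = parse_logcat_line(raw)
        if entry is None:
            continue  # e.g. "--------- beginning of main"
        if pid is not None and int(entry["pid"]) != pid:
            continue
        for category, pattern in SECRET_PATTERNS.items():
            m = pattern.search(entry["msg"])
            if m:
                hits.append({"line": lineno, "pid": int(entry["pid"]), "tag": entry["tag"],
                             "category": category, "match": m.group(0)})
    return hits


# Constructed capture: PID 4242 is the app under test, 5151 is an unrelated app.
SAMPLE_LOGCAT = """--------- beginning of main
05-14 12:00:01.000  4242  4242 D LoginActivity: Attempting login for user=alice password=hunter2
05-14 12:00:01.120  4242  4260 I OkHttp  : --> POST https://api.example.com/v1/login
05-14 12:00:01.130  4242  4260 I OkHttp  : Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2lnbmF0dXJlX3BsYWNlaG9sZGVy
05-14 12:00:02.000  4242  4242 D SyncService: shipping=express items=3
05-14 12:00:02.500  5151  5151 W OtherApp: password=notours
"""


if __name__ == "__main__":
    # Real use: adb logcat -v threadtime -d > capture.txt, then scan_logcat(open(...).read(), pid=<app pid>)
    for hit in scan_logcat(SAMPLE_LOGCAT, pid=4242):
        print(f"line {hit['line']} [{hit['tag']}] {hit['category']}: {hit['match']}")
```

The app's PID comes from adb shell pidof <package>; without the filter every app on the device is scanned, which is noisier but also shows whether another app leaks data the tested app sent it.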

Drozer allows you to assume the role of an Android app and interact with other apps. It can do anything that an installed application can do, such as make use of Android's Inter-Process Communication (IPC) mechanism and interact with the underlying operating system. From . Drozer is a useful tool to exploit exported activities, exported services and Content Providers, as you will learn in the following sections.

Also remember that the code of an activity starts with the onCreate method.

When an Activity is exported you can invoke its screen from an external app. Therefore, if an activity with sensitive information is exported you could bypass the authentication mechanisms to access it.

NOTE: MobSF will detect as malicious the use of singleTask/singleInstance as android:launchMode in an activity, but due to , apparently this is only dangerous on old versions (API versions < 21).

Content providers are basically used to share data. If an app has available content providers you may be able to extract sensitive data from them. It is also interesting to test for possible SQL injections and path traversals, as they could be vulnerable.

Remember that the actions of a Service start in the onStartCommand method.

A service is basically something that can receive data, process it and return (or not) a response. So, if an application is exporting some services you should check the code to understand what it is doing and test it dynamically for extracting confidential info, bypassing authentication measures...

Remember that the actions of a Broadcast Receiver start in the onReceive method.

A broadcast receiver will be waiting for a type of message. Depending on how the receiver handles the message it could be vulnerable.

You can look for deep links manually, using tools like MobSF or scripts like . You can open a declared scheme using adb or a browser:

You must also check whether any deep link uses a parameter inside the path of the URL, like https://api.example.com/v1/users/{username}; in that case you can force a path traversal by accessing something like example://app/users?username=../../unwanted-endpoint%3fparam=value. Note that if you find the correct endpoints inside the application you may be able to cause an Open Redirect (if part of the path is used as domain name), account takeover (if you can modify user details without a CSRF token and the vulnerable endpoint uses the correct method) and any other vuln. More .
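The following is an added example, not code from the original page, showing both halves of that check: what raw concatenation turns the crafted username into once the path is normalised, and a validation that keeps the request under the intended endpoint. API_BASE and the /v1/users/{username} layout are assumptions; the deep links are constructed and reuse the example://app/users?username=... shape from the paragraph above.

```python
"""Deep-link parameter handling: what raw path concatenation does with a crafted
value, and a validation that keeps the request under the intended endpoint.

Added example, not code from the original page. API_BASE and the
/v1/users/{username} layout are assumptions; the links are constructed.
"""
import posixpath
import re
from typing import Optional
from urllib.parse import parse_qs, quote, urlparse

API_BASE = "/v1/users/"  # assumed endpoint prefix
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")  # allow-list for the parameter


def username_from_deep_link(link: str) -> Optional[str]:
    """Pull the username query parameter out of a deep link (None if absent).
    parse_qs percent-decodes, so %3f in the link arrives here as '?'."""
    url = urlparse(link)
    values = parse_qs(url.query).get("username")
    return values[0] if values else None


def naive_user_path(username: str) -> str:
    """The pattern the text warns about: concatenate and let the HTTP stack
    collapse '..'. posixpath.normpath() plays the role of that normalisation."""
    return posixpath.normpath(API_BASE + username)


def safe_user_path(username: Optional[str]) -> Optional[str]:
    """Return the API path for username, or None if the value is rejected.

    Two layers: an allow-list on the raw value, then a check that the
    normalised path is still under API_BASE. The second layer catches '.' and
    '..', which the allow-list alone would let through."""
    if not username or not USERNAME_RE.fullmatch(username):
        return None
    candidate = posixpath.normpath(API_BASE + quote(username, safe=""))
    if not candidate.startswith(API_BASE):
        return None
    return candidate


if __name__ == "__main__":
    for link in (
        "example://app/users?username=alice",
        "example://app/users?username=../../unwanted-endpoint%3fparam=value",
    ):
        user = username_from_deep_link(link)
        print(link)
        print("  parameter:", repr(user))
        print("  naive    :", naive_user_path(user))
        print("  safe     :", safe_user_path(user))
```

The same two-layer check applies to any other path segment the app builds from intent data (IDs, file names, host names for redirects): validate the raw value, build the path, then verify the result still starts with the prefix you meant.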

An about links (/.well-known/assetlinks.json).

From the 3 scenarios presented we are going to discuss how to verify the identity of the certificate. The other 2 scenarios depend on the TLS configuration of the server and on whether the application sends unencrypted data. The pentester should check the TLS configuration of the server on their own () and detect whether any confidential information is sent over an unencrypted/vulnerable channel. More information about how to discover and fix these kinds of vulnerabilities .

First of all, you should (must) install the certificate of the proxy tool that you are going to use, probably Burp. If you don't install the CA certificate of the proxy tool, you probably aren't going to see the encrypted traffic in the proxy. Please, .

Automatically modify the apk to bypass SSL pinning with . The best pro of this option is that you won't need root to bypass the SSL pinning, but you will need to delete the application and reinstall the new one, and this won't always work.

You could use Frida (discussed below) to bypass this protection. Here you have a guide to use Burp+Frida+Genymotion:

You can also try to automatically bypass SSL Pinning using : objection --gadget com.package.app explore --startup-command "android sslpinning disable"

Dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers. Learn more at . It's amazing, you can access running application and hook methods on run time to change the behaviour, change values, extract values, run different code... If you want to pentest Android applications you need to know how to use Frida.

Learn how to use Frida: Some "GUI" for actions with Frida: Some other abstractions based on Frida: , You can find some Awesome Frida scripts here:

This tool could help you managing different tools during the dynamic analysis:

JavaScript Injection (XSS): Verify that JavaScript and Plugin support is disabled for any WebViews (disabled by default). .

Local File Inclusion: Verify that File System Access is disabled for any WebViews (enabled by default) (webview.getSettings().setAllowFileAccess(false);). .


When HTTP traffic is captured you can see a raw view of the captured traffic under the "HTTP(S) Traffic" button or a nicer view under the green "Start HTTPTools" button. From the second option you can send the captured requests to proxies like Burp or OWASP ZAP. To do so, power on Burp --> turn off Intercept --> in MobSF HTTPTools select the request --> press "Send to Fuzzer" --> select the proxy address.

You can get the tool from . This tool uses some hooks to let you know what is happening in the application while you perform a dynamic analysis.

Download the latest binaries from in the

StaCoAn is a crossplatform tool which aids developers, bugbounty hunters and ethical hackers performing on mobile applications*.

Download:

AndroBugs Framework is an Android vulnerability analysis system that helps developers or hackers find potential security vulnerabilities in Android applications.

The detection is performed with the static analysis of the application's Dalvik bytecode, represented as Smali, with the library.

Analyze APKs using: , , , ,

Analyze found domains using: , and

Deobfuscate APK via

Useful to detect malware:

From:

APKiD gives you information about how an APK was made. It identifies many compilers, packers, obfuscators, and other weird stuff. It's for Android.


It is a great list of resources

Android quick course
