Android APK Checklist

Do you use Hacktricks every day? Did you find the book very useful? Would you like to receive extra help with cybersecurity questions? Would you like to find more and higher quality content on Hacktricks? so we can dedicate more time to it and also get access to the Hacktricks private group where you will get the help you need and much more!

If you want to know about my latest modifications/additions or you have any suggestion for HackTricks or PEASS, join the , or follow me on Twitter . If you want to share some tricks with the community you can also submit pull requests to that will be reflected in this book and don't forget to give ⭐ on github to motivate me to continue developing this book.

Some obfuscation/Deobfuscation information

PreviousAV Bypass NextAndroid Applications Pentesting

Last updated 3 years ago

Was this helpful?

Check for the use of , checks for noting if the mobile was rooted, if an emulator is being used and anti-tampering checks. .

Search for (passwords, URLs, API, encryption, backdoors, tokens, Bluetooth uuids...).

Special attention to APIs.

Is the application s?

Is there any ? Is the app ?

Don't forget that there is a bunch of that can help you a lot during this phase.

Prepare the environment (, )

Is there any (logging, copy/paste, crash logs)?

?

Is the application ? is a MitM possible?

Check for possible (probably some static code analysis will help here)

: Just Frida, use it to obtain interesting dynamic data from the application (maybe some passwords...)

If you want to know about my latest modifications/additions or you have any suggestion for HackTricks or PEASS, join the , or follow me on Twitter . If you want to share some tricks with the community you can also submit pull requests to **[) **that will be reflected in this book. Don't forget to give ⭐ on the github** to motivate me to continue developing this book.

****

💬

PEASS & HackTricks telegram group here

🐦

@carlospolopm

https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks

Buy me a coffee here

Support Hacktricks through github sponsors

💬

telegram group

🐦

@carlospolopm

https://github.com/carlospolop/hacktricks

obfuscation

Learn Android fundamentals

Read this for more info

interesting strings

firebase

Read the manifest:

aving data insecurely internally or externally

password hard coded or saved in disk

using insecurely crypto algorithms

static Android Analyzers

Dynamic Analysis

online

local VM or physical

unintended data leakage

Confidential information being saved in SQLite dbs

Exploitable exposed Activities

Exploitable Content Providers

Exploitable exposed Services

Exploitable Broadcast Receivers

transmitting information in clear text/using weak algorithms

Inspect HTTP/HTTPS traffic

Android Client Side Injections

Frida

Read here