Android APK Checklist

If you want to know about my latest modifications/additions or you have any suggestion for HackTricks or PEASS, join the 💬telegram group, or follow me on Twitter 🐦@carlospolopm. If you want to share some tricks with the community you can also submit pull requests to https://github.com/carlospolop/hacktricks that will be reflected in this book and don't forget to give ⭐ on github to motivate me to continue developing this book.

Learn Android fundamentals

• Basics

• Dalvik & Smali

• Entry points

  • Activities

  • URL Schemes

  • Content Providers

  • Services

  • Broadcast Receivers

  • Intents

  • Intent Filter

• Other components

• How to use ADB

• How to modify Smali

Static Analysis

• Check for the use of obfuscation, checks for noting if the mobile was rooted, if an emulator is being used and anti-tampering checks. Read this for more info.

• Sensitive applications (like bank apps) should check if the mobile is rooted and should actuate in consequence.

• Search for interesting strings (passwords, URLs, API, encryption, backdoors, tokens, Bluetooth uuids...).

  • Special attention to firebase APIs.

• Read the manifest:

  • Check if the application is in debug mode and try to "exploit" it

  • Check if the APK allows backups

  • Exported Activities

  • Content Providers

  • Exposed services

  • Broadcast Receivers

  • URL Schemes

• Is the application saving data insecurely internally or externally?

• Is there any password hard coded or saved in disk? Is the app using insecurely crypto algorithms?

• All the libraries compiled using the PIE flag?

• Don't forget that there is a bunch of static Android Analyzers that can help you a lot during this phase.

Dynamic Analysis

• Prepare the environment (online, local VM or physical)

• Is there any unintended data leakage (logging, copy/paste, crash logs)?

• Confidential information being saved in SQLite dbs?

• Exploitable exposed Activities?

• Exploitable Content Providers?

• Exploitable exposed Services?

• Exploitable Broadcast Receivers?

• Is the application transmitting information in clear text/using weak algorithms? is a MitM possible?

• Inspect HTTP/HTTPS traffic

  • This one is really important, because if you can capture the HTTP traffic you can search for common Web vulnerabilities (Hacktricks has a lot of information about Web vulns).

• Check for possible Android Client Side Injections (probably some static code analysis will help here)

• Frida: Just Frida, use it to obtain interesting dynamic data from the application (maybe some passwords...)

Some obfuscation/Deobfuscation information

• Read here

If you want to know about my latest modifications/additions or you have any suggestion for HackTricks or PEASS, join the 💬 PEASS & HackTricks telegram group here, or follow me on Twitter 🐦@carlospolopm. If you want to share some tricks with the community you can also submit pull requests to **[https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) **that will be reflected in this book. Don't forget to give ⭐ on the github** to motivate me to continue developing this book.

​Buy me a coffee here****