`debuggable="true"` inside the `<application>` tag. Example: `<application theme="@2131296387" debuggable="true"`
The `android:allowBackup` attribute defines whether application data can be backed up and restored by a user who has enabled USB debugging. If the backup flag is set to true, an attacker can take a backup of the application data via adb even if the device is not rooted. Therefore applications that handle and store sensitive information such as card details, passwords, etc. should explicitly set this attribute to false, because it defaults to true:

`<application android:allowBackup="false"`
`android:networkSecurityConfig="@xml/network_security_config"`. A file with that name may be put in res/xml. This file configures important security settings such as certificate pins or whether HTTP traffic is allowed. You can read here more information about all the things that can be configured, but check this example of how to allow HTTP traffic for some domains:

```xml
<domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="true">formation-software.co.uk</domain>
</domain-config>
```
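The manifest flags above (`debuggable`, `allowBackup`) and the cleartext domains in the network security config are the first things to check in a decoded APK. The following is an added example of such a check, not code from the original page or from MobSF/androguard; the two XML documents are constructed samples, and the hardened manifest is derived from them to show the check passing.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample of a decoded AndroidManifest.xml (not from any real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.vulnapp">
  <application android:allowBackup="true" android:debuggable="true"
               android:networkSecurityConfig="@xml/network_security_config">
  </application>
</manifest>"""

# Constructed res/xml/network_security_config.xml using the page's domain example.
SAMPLE_NSC = """<network-security-config>
  <domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="true">formation-software.co.uk</domain>
  </domain-config>
</network-security-config>"""

# Same manifest with both flags hardened, to show the check passing.
HARDENED_MANIFEST = SAMPLE_MANIFEST.replace('allowBackup="true"', 'allowBackup="false"') \
                                   .replace('debuggable="true"', 'debuggable="false"')


def check_manifest(xml_text):
    """Return findings for the security-relevant <application> attributes."""
    app = ET.fromstring(xml_text).find("application")
    attr = lambda name: app.get("{%s}%s" % (ANDROID_NS, name))
    findings = []
    if attr("debuggable") == "true":
        findings.append("debuggable=true: a debugger can attach on any device")
    # allowBackup defaults to true, so anything but an explicit "false" is a finding.
    if attr("allowBackup") != "false":
        findings.append("allowBackup not false: app data can be pulled with adb backup")
    if attr("usesCleartextTraffic") == "true":
        findings.append("usesCleartextTraffic=true: HTTP permitted app-wide")
    return findings


def cleartext_domains(nsc_xml):
    """Return the domains for which the network security config permits HTTP."""
    root = ET.fromstring(nsc_xml)
    domains = []
    base = root.find("base-config")
    if base is not None and base.get("cleartextTrafficPermitted") == "true":
        domains.append("*")  # cleartext allowed for every domain not overridden below
    for cfg in root.iter("domain-config"):
        if cfg.get("cleartextTrafficPermitted") == "true":
            domains.extend(d.text.strip() for d in cfg.findall("domain"))
    return domains
```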
`android:name="android.support.FILE_PROVIDER_PATHS"`. Read here to learn more about FileProviders.

`setFilterTouchesWhenObscured` configurations. If set to `true`, a button can be automatically disabled if it is obscured:

`--exploit-apk` parameter to create a malicious application to test for possible Tapjacking vulnerabilities.
An example project implementing this kind of feature can be found in FloatingWindowApp.

Sometimes it is essential that an application be able to verify that an action is being performed with the full knowledge and consent of the user, such as granting a permission request, making a purchase or clicking on an advertisement. Unfortunately, a malicious application could try to spoof the user into performing these actions, unaware, by concealing the intended purpose of the view. As a remedy, the framework offers a touch filtering mechanism that can be used to improve the security of views that provide access to sensitive functionality.

To enable touch filtering, call `setFilterTouchesWhenObscured(boolean)` or set the `android:filterTouchesWhenObscured` layout attribute to true. When enabled, the framework will discard touches that are received whenever the view's window is obscured by another visible window. As a result, the view will not receive touches whenever a toast, dialog or other window appears above the view's window.
`MODE_WORLD_READABLE` & `MODE_WORLD_WRITABLE` to give access to those files to a different application, but this doesn't limit other (malicious) apps from accessing them.
During the static analysis check for the use of those modes; during the dynamic analysis check the permissions of the files created (maybe some of them are world-readable/writable).
More information about this vulnerability and how to fix it here.

`/storage/emulated/0`, `/sdcard`, `/mnt/sdcard`
`/data/data/<packagename>/shared_prefs/` and sometimes it's possible to find sensitive information in clear text in that folder.
`/data/data/<packagename>/databases/` and sometimes it's possible to find sensitive information in clear text in that folder.

`Runtime.exec()`, `ProcessBuilder()`, native code: `system()`
`sendTextMessage`, `sendMultipartTextMessage`
native: `public native`, `System.loadLibrary`, `System.load`
First of all, you need an environment where you can install the application and set up the whole tooling (mainly the Burp CA cert, Drozer and Frida). Therefore, a rooted device (emulated or not) is strongly recommended.
C:\Users\<User>\AppData\Local\Android\sdk\system-images\
or Mac: /Users/myeongsic/Library/Android/sdk/system-image
Once you have installed the application, the first thing you should do is to try it, investigate what it does and how it works, and get comfortable with it. I suggest performing this initial dynamic analysis using MobSF dynamic analysis + pidcat, so you will be able to learn how the application works while MobSF captures a lot of interesting data you can review later on.
`READ_LOGS` permission can access those logs and can gain sensitive information through that.
While navigating through the application use pidcat (recommended, it's easier to use and read) or `adb logcat` to read the created logs and look for sensitive information.

`/data/data/the.package.name/databases`, like `/data/data/com.mwr.example.sieve/databases`
`.tables` and enumerate the columns of the tables doing `.schema <table_name>`
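For the log review step above (pidcat / `adb logcat`), here is an added example of scanning captured logcat output for leaked secrets so the offending log statements can be located and removed; it is not code from the original page or from pidcat. The log lines are constructed, and the Luhn check is used only to tell card numbers apart from ordinary digit runs such as order ids.

```python
import re

# Constructed logcat lines (adb logcat -v threadtime style), not from a real device.
SAMPLE_LOGCAT = """\
03-14 10:01:02.123  4242  4242 D LoginActivity: POST /login user=alice password=Sup3rSecret!
03-14 10:01:02.456  4242  4242 I OkHttp: Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.abc
03-14 10:01:03.001  4242  4242 D Checkout: charging card 4111111111111111 exp 12/29
03-14 10:01:03.002  4242  4242 D Checkout: order id 1234567812345678
03-14 10:01:04.000  4242  4242 V Lifecycle: onResume MainActivity"""

# Patterns for secrets that should never reach logcat (readable via READ_LOGS / adb).
PATTERNS = {
    "credential": re.compile(r"\b(?:pass(?:word|wd)?|pwd|secret)\s*[=:]\s*\S+", re.I),
    "bearer_token": re.compile(r"Authorization:\s*Bearer\s+[A-Za-z0-9._-]+", re.I),
    "card_number": re.compile(r"\b\d{13,19}\b"),
}


def luhn_valid(digits):
    """Luhn checksum, used to separate real PANs from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_logcat(text):
    """Return (kind, matched_text) tuples for every suspicious fragment, in log order."""
    findings = []
    for line in text.splitlines():
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                if kind == "card_number" and not luhn_valid(m.group(0)):
                    continue  # order ids etc. are digit runs too; keep only Luhn-valid ones
                findings.append((kind, m.group(0)))
    return findings
```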
`onCreate` method.

`android:launchMode` in an activity, but due to this, apparently this is only dangerous on old versions (API versions < 21).

`setResult` method and returning sensitive information, there is a sensitive information leakage.

`onStartCommand`.
`onReceive`.
`onNewIntent`.

`https://api.example.com/v1/users/{username}`, in that case you can force a path traversal accessing something like: `example://app/users?username=../../unwanted-endpoint%3fparam=value`.
Note that if you find the correct endpoints inside the application you may be able to cause an Open Redirect (if part of the path is used as domain name), account takeover (if you can modify user details without a CSRF token and the vulnerable endpoint uses the correct method) and any other vuln. More info about this here.

`objection --gadget com.package.app explore --startup-command "android sslpinning disable"`
Since `Intent` is `Parcelable`, objects belonging to this class can be passed as extra data in another `Intent` object.
Many developers make use of this feature and create proxy components (activities, broadcast receivers and services) that take an embedded Intent and pass it to dangerous methods like `startActivity(...)`, `sendBroadcast(...)`, etc.
This is dangerous because an attacker can force the app to launch a non-exported component that cannot be launched directly from another app, or to grant the attacker access to its content providers. `WebView` also sometimes changes a URL from a string to an `Intent` object, using the `Intent.parseUri(...)` method, and passes it to `startActivity(...)`.

`(webview.getSettings().setAllowFileAccess(false);)`
. More info here.

```
VT_ENABLED = TRUE
VT_API_KEY = <Your API key>
VT_UPLOAD = TRUE
```
). You can also set `VT_UPLOAD` to `False`; then the hash will be uploaded instead of the file.
`send()`). It also has several pre-written scripts you can load (you can add more in `MobSF/DynamicAnalyzer/tools/frida_scripts/others/`); just select them, press "Load" and press "Start Instrumentation" (you will be able to see the logs of those scripts inside "Frida Live Logs").

`rules.json` file, and each company or tester could create its own rules to analyze what they need.

`androguard` library.

`loadDex` method.