HackTricks

HackTricks

HackTricks Afrikaans - Ht Chinese - Ht Español - Ht Français - Ht German - Ht Greek - Ht Hindi - Ht Italian - Ht Japanese - Ht Korean - Ht Polish - Ht Português - Ht Serbian - Ht Swahili - Ht Turkish - Ht Ukranian - Ht

HackTricks Training Twitter Linkedin Sponsor

👾Welcome!
🤩Generic Methodologies & Resources
🐧Linux Hardening
🍏MacOS Hardening
🪟Windows Hardening
📱Mobile Pentesting
👽Network Services Pentesting
🕸️Pentesting Web
⛈️Cloud Security
😎Hardware/Physical Access
🎯Binary Exploitation
🔩Reversing
🔮Crypto & Stego
🦂C2
✍️TODO

Powered by GitBook

Android APK Checklist

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Try Hard Security Group

Join the Try Hard Security Discord Server!Discord

Learn Android fundamentals

Basics
Dalvik & Smali
Entry points
Other components
How to use ADB
How to modify Smali

Static Analysis

Check for the use of obfuscation, checks for noting if the mobile was rooted, if an emulator is being used and anti-tampering checks. Read this for more info.
Sensitive applications (like bank apps) should check if the mobile is rooted and should actuate in consequence.
Search for interesting strings (passwords, URLs, API, encryption, backdoors, tokens, Bluetooth uuids...).
- Special attention to firebase APIs.
Read the manifest:
- Check if the application is in debug mode and try to "exploit" it
- Check if the APK allows backups
- Exported Activities
- Content Providers
- Exposed services
- Broadcast Receivers
- URL Schemes
Is the application saving data insecurely internally or externally?
Is there any password hard coded or saved in disk? Is the app using insecurely crypto algorithms?
All the libraries compiled using the PIE flag?
Don't forget that there is a bunch of static Android Analyzers that can help you a lot during this phase.

Dynamic Analysis

Prepare the environment (online, local VM or physical)
Is there any unintended data leakage (logging, copy/paste, crash logs)?
Confidential information being saved in SQLite dbs?
Exploitable exposed Activities?
Exploitable Content Providers?
Exploitable exposed Services?
Exploitable Broadcast Receivers?
Is the application transmitting information in clear text/using weak algorithms? is a MitM possible?
Inspect HTTP/HTTPS traffic
- This one is really important, because if you can capture the HTTP traffic you can search for common Web vulnerabilities (Hacktricks has a lot of information about Web vulns).
Check for possible Android Client Side Injections (probably some static code analysis will help here)
Frida: Just Frida, use it to obtain interesting dynamic data from the application (maybe some passwords...)

Some obfuscation/Deobfuscation information

Read here

Try Hard Security Group

Join the Try Hard Security Discord Server!Discord

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

PreviousAntivirus (AV) Bypass NextAndroid Applications Pentesting

Last updated 8 days ago

On this page

Learn Android fundamentals
Static Analysis
Dynamic Analysis
Some obfuscation/Deobfuscation information

Was this helpful?

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)