Android APK Checklist

Tip

Leer en oefen AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Leer en oefen GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Leer en oefen Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Ondersteun HackTricks

• Kyk na die subskripsie planne!
• Sluit aan by die 💬 Discord groep of die telegram groep of volg ons op Twitter 🐦 @hacktricks_live.
• Deel hacking truuks deur PRs in te dien na die HackTricks en HackTricks Cloud github repos.

Learn Android fundamentals

• Basics
• Dalvik & Smali
• Entry points
• Activities
• URL Schemes
• Content Providers
• Services
• Broadcast Receivers
• Intents
• Intent Filter
• Other components
• How to use ADB
• How to modify Smali

Static Analysis

• Kontroleer die gebruik van obfuscation, en kyk of die toestel geroot is, of ’n emulator gebruik word, plus anti-tampering kontroles. Read this for more info.
• Gevoelige toepassings (soos bank-apps) moet nagaan of die toestel geroot is en toepaslike maatreëls tref.
• Soek vir interesting strings (wagwoorde, URLs, API, encryption, backdoors, tokens, Bluetooth uuids…).
• Spesiale aandag aan firebase APIs.
• Read the manifest:
• Kontroleer of die toepassing in debug-modus is en probeer dit “exploit”
• Kontroleer of die APK backups toelaat
• Exported Activities
• Unity Runtime: exported UnityPlayerActivity/UnityPlayerGameActivity with a unity CLI extras bridge. Toets -xrsdk-pre-init-library <abs-path> vir pre-init dlopen() RCE. See Intent Injection → Unity Runtime.
• Content Providers
• Exposed services
• Broadcast Receivers
• URL Schemes
• Is the application saving data insecurely internally or externally?
• Is there any password hard coded or saved in disk? Is the app using insecurely crypto algorithms?
• Is al die libraries compiled using the PIE flag?
• Moet nie vergeet dat daar ’n klompie static Android Analyzers is wat jou baie kan help gedurende hierdie fase nie.
• android:exported mandatory on Android 12+ – verkeerd geconfigureerde exported components kan lei tot eksterne intent-aanroepe.
• Hersien Network Security Config (networkSecurityConfig XML) vir cleartextTrafficPermitted="true" of domein-spesifieke overrides.
• Kyk vir calls na Play Integrity / SafetyNet / DeviceCheck – bepaal of custom attestation gehook of gebypass kan word.
• Inspekteer App Links / Deep Links (android:autoVerify) vir intent-redirection of open-redirect probleme.
• Identifiseer gebruik van WebView.addJavascriptInterface of loadData*() wat tot RCE / XSS binne die app kan lei.
• Analyseer cross-platform bundles (Flutter libapp.so, React-Native JS bundles, Capacitor/Ionic assets). Dedicated tooling:
• flutter-packer, fluttersign, rn-differ
• Skandeer third-party native libraries vir bekende CVEs (bv., libwebp CVE-2023-4863, libpng, ens.).
• Evalueer SEMgrep Mobile rules, Pithus en die nuutste MobSF ≥ 3.9 AI-assisted scan resultate vir addisionele bevindinge.

Dynamic Analysis

• Prepare the environment (online, local VM or physical)
• Is daar enige unintended data leakage (logging, copy/paste, crash logs)?
• Confidential information being saved in SQLite dbs?
• Exploitable exposed Activities?
• Exploitable Content Providers?
• Exploitable exposed Services?
• Exploitable Broadcast Receivers?
• Is the application transmitting information in clear text/using weak algorithms? Is ’n MitM moontlik?
• Inspect HTTP/HTTPS traffic
• Hierdie een is werklik belangrik — as jy HTTP-verkeer kan vasvang, kan jy soek na algemene Web kwetsbaarhede (Hacktricks het baie inligting oor Web vulns).
• Check for possible Android Client Side Injections (waarskynlik sal statiese kode-analise hier help)
• Frida: Net Frida — gebruik dit om interessante dinamiese data uit die toepassing te bekom (miskien sommige wagwoorde…)
• Toets vir Tapjacking / Animation-driven attacks (TapTrap 2025) selfs op Android 15+ (geen overlay permission benodig nie).
• Probeer overlay / SYSTEM_ALERT_WINDOW clickjacking en Accessibility Service abuse vir privilege escalation.
• Kontroleer of adb backup / bmgr backupnow steeds app data kan dump (apps wat vergeet het om allowBackup te deaktiveer).
• Onderzoek Binder-level LPEs (bv., CVE-2023-20963, CVE-2023-20928); gebruik kernel fuzzers of PoCs indien toegestaan.
• As Play Integrity / SafetyNet afgedwing word, probeer runtime hooks (Frida Gadget, MagiskIntegrityFix, Integrity-faker) of netwerkvlak replay.
• Instrumenteer met moderne tooling:
• Objection > 2.0, Frida 17+, NowSecure-Tracer (2024)
• Dinamiese stelsel-wye tracing met perfetto / simpleperf.

Some obfuscation/Deobfuscation information

• Read here

Verwysings

• CVE-2025-59489 – Arbitrary Code Execution in Unity Runtime (blog)

Tip

Leer en oefen AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Leer en oefen GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Leer en oefen Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Ondersteun HackTricks

• Kyk na die subskripsie planne!
• Sluit aan by die 💬 Discord groep of die telegram groep of volg ons op Twitter 🐦 @hacktricks_live.
• Deel hacking truuks deur PRs in te dien na die HackTricks en HackTricks Cloud github repos.