Android APK Checklist
tip
Learn and practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn and practice GCP Hacking:
HackTricks Training GCP Red Team Expert (GRTE)
Learn and practice Azure Hacking:
HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the Discord group or the telegram group or follow us on Twitter @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Learn Android fundamentals
- Basics
 - Dalvik & Smali
 - Entry points
 - Activities
 - URL Schemes
 - Content Providers
 - Services
 - Broadcast Receivers
 - Intents
 - Intent Filter
 - Other components
 - How to use ADB
 - How to modify Smali
 
Static Analysis
- Check for the use of obfuscation, for checks that detect whether the device is rooted or an emulator is being used, and for anti-tampering checks. Read this for more info.
  - Sensitive applications (such as banking apps) should check whether the device is rooted and take appropriate measures.
- Search for interesting strings (passwords, URLs, API, encryption, backdoors, tokens, Bluetooth uuids...).
  - Pay special attention to firebase APIs.
- Read the manifest:
  - Check whether the application is in debug mode and try to "exploit" it
  - Check whether the APK allows backups
  - Exported Activities
    - Unity Runtime: exported UnityPlayerActivity/UnityPlayerGameActivity with a unityCLI extras bridge. Test -xrsdk-pre-init-library <abs-path> for pre-init dlopen() RCE. See Intent Injection → Unity Runtime.
  - Content Providers
  - Exposed services
  - Broadcast Receivers
  - URL Schemes
- Is the application saving data insecurely internally or externally?
- Is there any password hard coded or saved on disk? Is the app using insecure crypto algorithms?
- Are all the libraries compiled using the PIE flag?
- Don't forget that there are a number of static Android Analyzers that can help you a lot during this phase.
- android:exported is mandatory on Android 12+; misconfigured exported components can lead to external intent invocation.
- Review the Network Security Config (networkSecurityConfig XML) for cleartextTrafficPermitted="true" or domain-specific overrides.
- Look for calls to Play Integrity / SafetyNet / DeviceCheck; determine whether custom attestation can be hooked or bypassed.
- Inspect App Links / Deep Links (android:autoVerify) for intent-redirection or open-redirect issues.
- Identify use of WebView.addJavascriptInterface or loadData*() that can lead to RCE / XSS inside the app.
- Analyse cross-platform bundles (Flutter libapp.so, React-Native JS bundles, Capacitor/Ionic assets). Dedicated tooling: flutter-packer, fluttersign, rn-differ.
- Scan third-party native libraries for known CVEs (e.g., libwebp CVE-2023-4863, libpng, etc.).
- Evaluate SEMgrep Mobile rules, Pithus and the latest MobSF ≥ 3.9 AI-assisted scan results for additional findings.
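Several of the manifest items above (debug mode, allowBackup, exported components without a permission, implicit exports on targetSdk < 31, autoVerify app links) and the Network Security Config item (cleartextTrafficPermitted) can be triaged mechanically before opening a static analyzer. The script below is an added example, not HackTricks' own tooling; it assumes the APK has already been decoded to plain-text XML (as apktool produces), and the manifest and network config it parses are constructed samples, not from any real app.

```python
"""Flag common AndroidManifest.xml / network_security_config.xml weaknesses.

Added example for this checklist (not HackTricks tooling). Assumes the APK
was decoded to text XML first; the two XML documents below are constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENTS = ("activity", "activity-alias", "service", "receiver", "provider")
LAUNCHER = "android.intent.category.LAUNCHER"

# Constructed sample manifest (hypothetical package, not a real app).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
  <application android:debuggable="true" android:allowBackup="true"
               android:networkSecurityConfig="@xml/network_security_config">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".DeepLinkActivity" android:exported="true">
      <intent-filter android:autoVerify="true">
        <action android:name="android.intent.action.VIEW"/>
        <data android:scheme="https" android:host="example.com"/>
      </intent-filter>
    </activity>
    <activity android:name=".DebugActivity" android:exported="true"/>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.demo.SYNC"/>
    <receiver android:name=".LegacyReceiver">
      <intent-filter><action android:name="com.example.demo.PING"/></intent-filter>
    </receiver>
    <provider android:name=".DataProvider" android:authorities="com.example.demo.p"/>
  </application>
</manifest>
"""

# Constructed sample network_security_config.xml (weak base-config).
SAMPLE_NSC = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
  <base-config cleartextTrafficPermitted="true"/>
  <domain-config cleartextTrafficPermitted="false">
    <domain includeSubdomains="true">api.example.com</domain>
  </domain-config>
</network-security-config>
"""


def a(elem, attr):
    """Read an android:-namespaced attribute, or None if absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, attr))


def is_exported(comp):
    """Explicit android:exported wins; otherwise a component with an
    <intent-filter> is exported by default (pre-targetSdk 31 behaviour)."""
    explicit = a(comp, "exported")
    if explicit is not None:
        return explicit == "true"
    return comp.find("intent-filter") is not None


def is_launcher(comp):
    """The launcher activity is expected to be exported; don't flag it."""
    return any(a(c, "name") == LAUNCHER
               for f in comp.findall("intent-filter") for c in f.findall("category"))


def audit_manifest(xml_text):
    """Return a list of finding strings for a decoded AndroidManifest.xml."""
    app = ET.fromstring(xml_text).find("application")
    findings = []
    if a(app, "debuggable") == "true":
        findings.append("debuggable=true")
    if a(app, "allowBackup") != "false":
        findings.append("allowBackup not disabled")
    for comp in app:
        if comp.tag not in COMPONENTS:
            continue
        name = a(comp, "name")
        if a(comp, "exported") is None and comp.find("intent-filter") is not None:
            findings.append("%s: implicit export (android:exported missing)" % name)
        if not is_exported(comp):
            continue
        if a(comp, "permission") is None and not is_launcher(comp):
            findings.append("%s: exported without permission" % name)
        for f in comp.findall("intent-filter"):
            if a(f, "autoVerify") == "true":
                findings.append("%s: app link (autoVerify) -> check for redirection" % name)
    return findings


def audit_network_config(xml_text):
    """Return findings for cleartext permissions in network_security_config.xml."""
    root = ET.fromstring(xml_text)
    findings = []
    base = root.find("base-config")
    if base is not None and base.get("cleartextTrafficPermitted") == "true":
        findings.append("base-config permits cleartext traffic")
    for dc in root.findall("domain-config"):
        if dc.get("cleartextTrafficPermitted") == "true":
            for d in dc.findall("domain"):
                findings.append("cleartext permitted for %s" % d.text.strip())
    return findings


if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST) + audit_network_config(SAMPLE_NSC):
        print("[!]", finding)
```

Point `audit_manifest` at the decoded manifest of the target APK and `audit_network_config` at `res/xml/<name>.xml` referenced by `android:networkSecurityConfig`; the implicit-export check is what matters most for apps still targeting SDK 30 or lower, where a receiver with an intent filter and no `android:exported` attribute is reachable from any other app.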
 
Dynamic Analysis
- Prepare the environment (online, local VM or physical)
- Is there any unintended data leakage (logging, copy/paste, crash logs)?
- Confidential information being saved in SQLite dbs?
- Exploitable exposed Activities?
- Exploitable Content Providers?
- Exploitable exposed Services?
- Exploitable Broadcast Receivers?
- Is the application transmitting information in clear text/using weak algorithms? Is a MitM possible?
- Inspect HTTP/HTTPS traffic
  - This one is really important: if you can capture the HTTP traffic you can search for common Web vulnerabilities (Hacktricks has a lot of information about Web vulns).
- Check for possible Android Client Side Injections (some static code analysis will probably help here)
- Frida: Just Frida, use it to obtain interesting dynamic data from the application (maybe some passwords...)
- Test for Tapjacking / Animation-driven attacks (TapTrap 2025) even on Android 15+ (no overlay permission needed).
- Try overlay / SYSTEM_ALERT_WINDOW clickjacking and Accessibility Service abuse for privilege escalation.
- Check whether adb backup / bmgr backupnow can still dump app data (apps that forgot to disable allowBackup).
- Investigate Binder-level LPEs (e.g., CVE-2023-20963, CVE-2023-20928); use kernel fuzzers or PoCs if allowed.
- If Play Integrity / SafetyNet is enforced, try runtime hooks (Frida Gadget, MagiskIntegrityFix, Integrity-faker) or network-level replay.
- Instrument with modern tooling:
  - Objection > 2.0, Frida 17+, NowSecure-Tracer (2024)
  - Dynamic system-wide tracing with perfetto / simpleperf.
Some obfuscation/Deobfuscation information
References