Android APK Checklist

Reading time: 5 minutes

tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Learn Android fundamentals

Static Analysis

  • Check for the use of obfuscation, checks for noting if the mobile was rooted, if an emulator is being used and anti-tampering checks. Read this for more info.
  • Sensitive applications (like bank apps) should check if the mobile is rooted and should actuate in consequence.
  • Search for interesting strings (passwords, URLs, API, encryption, backdoors, tokens, Bluetooth uuids...).
  • Read the manifest:
    • Check if the application is in debug mode and try to "exploit" it
    • Check if the APK allows backups
    • Exported Activities
    • Content Providers
    • Exposed services
    • Broadcast Receivers
    • URL Schemes
  • Is the application saving data insecurely internally or externally?
  • Is there any password hard coded or saved in disk? Is the app using insecurely crypto algorithms?
  • All the libraries compiled using the PIE flag?
  • Don't forget that there is a bunch of static Android Analyzers that can help you a lot during this phase.
  • android:exported mandatory on Android 12+ – misconfigured exported components can lead to external intent invocation.
  • Review Network Security Config (networkSecurityConfig XML) for cleartextTrafficPermitted="true" or domain-specific overrides.
  • Look for calls to Play Integrity / SafetyNet / DeviceCheck – determine whether custom attestation can be hooked/bypassed.
  • Inspect App Links / Deep Links (android:autoVerify) for intent-redirection or open-redirect issues.
  • Identify usage of WebView.addJavascriptInterface or loadData*() that may lead to RCE / XSS inside the app.
  • Analyse cross-platform bundles (Flutter libapp.so, React-Native JS bundles, Capacitor/Ionic assets). Dedicated tooling:
    • flutter-packer, fluttersign, rn-differ
  • Scan third-party native libraries for known CVEs (e.g., libwebp CVE-2023-4863, libpng, etc.).
  • Evaluate SEMgrep Mobile rules, Pithus and the latest MobSF ≥ 3.9 AI-assisted scan results for additional findings.

Dynamic Analysis

Some obfuscation/Deobfuscation information

tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks