Android APK Checklist
tip
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Learn Android fundamentals
Static Analysis
- Check for the use of obfuscation, checks for whether the device is rooted or an emulator is being used, and anti-tampering checks. Read this for more info.
- Sensitive applications (like bank apps) should check if the device is rooted and should act accordingly.
- Search for interesting strings (passwords, URLs, APIs, encryption keys, backdoors, tokens, Bluetooth UUIDs...).
  - Pay special attention to Firebase APIs.
- Read the manifest:
- Check if the application is in debug mode and try to "exploit" it
- Check if the APK allows backups
- Exported Activities
- Content Providers
- Exposed services
- Broadcast Receivers
- URL Schemes
- Is the application saving data insecurely internally or externally?
- Is there any password hard coded or saved on disk? Is the app using insecure crypto algorithms?
- Are all the native libraries compiled with the PIE flag?
- Don't forget that there are a bunch of static Android analyzers that can help you a lot during this phase.
- `android:exported` is mandatory on Android 12+; misconfigured exported components can lead to external intent invocation.
- Review the Network Security Config (`networkSecurityConfig` XML) for `cleartextTrafficPermitted="true"` or domain-specific overrides.
- Look for calls to Play Integrity / SafetyNet / DeviceCheck and determine whether custom attestation can be hooked/bypassed.
- Inspect App Links / Deep Links (`android:autoVerify`) for intent-redirection or open-redirect issues.
- Identify usage of `WebView.addJavascriptInterface` or `loadData*()` that may lead to RCE / XSS inside the app.
- Analyse cross-platform bundles (Flutter `libapp.so`, React-Native JS bundles, Capacitor/Ionic assets). Dedicated tooling: `flutter-packer`, `fluttersign`, `rn-differ`.
- Scan third-party native libraries for known CVEs (e.g., libwebp CVE-2023-4863, libpng, etc.).
- Evaluate Semgrep Mobile rules, Pithus and the latest MobSF ≥ 3.9 AI-assisted scan results for additional findings.
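As an added example (not code from this page or from HackTricks), the following Python script audits a decoded AndroidManifest.xml and a network_security_config.xml for several of the static checklist items above: `debuggable`, `allowBackup`, components exported without a permission guard or carrying an intent-filter with no explicit `android:exported`, and `cleartextTrafficPermitted` overrides. Both XML samples are constructed inline; run the functions on files decoded from a real APK (e.g. with apktool) to get the same kind of findings.

```python
import xml.etree.ElementTree as ET
A = "{http://schemas.android.com/apk/res/android}"  # prefix of android: attributes

# Constructed sample of a decoded (e.g. apktool) AndroidManifest.xml with weak settings.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application android:debuggable="true" android:allowBackup="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <provider android:name=".DataProvider" android:exported="true"/>
    <receiver android:name=".GuardedReceiver" android:exported="true"
        android:permission="com.example.PERM"/>
    <service android:name=".SyncService">
      <intent-filter><action android:name="com.example.SYNC"/></intent-filter>
    </service>
  </application>
</manifest>"""
# Constructed sample res/xml/network_security_config.xml with a per-domain override.
SAMPLE_NSC = """<network-security-config>
  <base-config cleartextTrafficPermitted="false"/>
  <domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="true">legacy.example.com</domain>
  </domain-config>
</network-security-config>"""

def audit_manifest(xml_text):
    """Return findings for the manifest items of the checklist above."""
    app = ET.fromstring(xml_text).find("application")
    findings = [f"application: android:{f}=true" for f in ("debuggable", "allowBackup")
                if app.get(A + f) == "true"]
    for comp in app:
        if comp.tag not in ("activity", "service", "receiver", "provider"):
            continue
        name, exported = comp.get(A + "name"), comp.get(A + "exported")
        # API 31+ rejects intent-filter components lacking explicit android:exported; older targets export them implicitly.
        if exported is None and comp.find("intent-filter") is not None:
            findings.append(f"{comp.tag} {name}: intent-filter without android:exported")
        # Exported with no android:permission is reachable from any app on the device.
        elif exported == "true" and comp.get(A + "permission") is None:
            findings.append(f"{comp.tag} {name}: exported without permission")
    return findings

def cleartext_domains(xml_text):
    """Return where cleartext is permitted ('*' means the base-config allows it)."""
    root = ET.fromstring(xml_text)
    base = root.find("base-config")
    allowed = ["*"] if base is not None and base.get("cleartextTrafficPermitted") == "true" else []
    for dc in root.findall("domain-config"):
        if dc.get("cleartextTrafficPermitted") == "true":
            allowed += [d.text.strip() for d in dc.findall("domain")]
    return allowed
```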
Dynamic Analysis
- Prepare the environment (online, local VM or physical)
- Is there any unintended data leakage (logging, copy/paste, crash logs)?
- Confidential information being saved in SQLite dbs?
- Exploitable exposed Activities?
- Exploitable Content Providers?
- Exploitable exposed Services?
- Exploitable Broadcast Receivers?
- Is the application transmitting information in clear text or using weak algorithms? Is a MitM possible?
- Inspect HTTP/HTTPS traffic
  - This one is really important, because if you can capture the HTTP traffic you can search for common Web vulnerabilities (HackTricks has a lot of information about Web vulns).
- Check for possible Android Client Side Injections (probably some static code analysis will help here)
- Frida: Just Frida, use it to obtain interesting dynamic data from the application (maybe some passwords...)
- Test for Tapjacking / Animation-driven attacks (TapTrap 2025) even on Android 15+ (no overlay permission required).
- Attempt overlay / SYSTEM_ALERT_WINDOW clickjacking and Accessibility Service abuse for privilege escalation.
- Check if `adb backup` / `bmgr backupnow` can still dump app data (apps that forgot to disable `allowBackup`).
- Probe for Binder-level LPEs (e.g., CVE-2023-20963, CVE-2023-20928); use kernel fuzzers or PoCs if permitted.
- If Play Integrity / SafetyNet is enforced, try runtime hooks (`Frida Gadget`, `MagiskIntegrityFix`, `Integrity-faker`) or network-level replay.
- Instrument with modern tooling:
  - Objection > 2.0, Frida 17+, NowSecure-Tracer (2024)
  - Dynamic system-wide tracing with `perfetto` / `simpleperf`.
Some obfuscation/Deobfuscation information