Android APK Checklist

Reading time: 5 minutes

Learn Android fundamentals

• Basics
• Dalvik & Smali
• Entry points
  • Activities
  • URL Schemes
  • Content Providers
  • Services
  • Broadcast Receivers
  • Intents
  • Intent Filter
• Other components
• How to use ADB
• How to modify Smali

Static Analysis

• Check for the use of obfuscation, checks for noting if the mobile was rooted, if an emulator is being used and anti-tampering checks. Read this for more info.
• Sensitive applications (like bank apps) should check if the mobile is rooted and should actuate in consequence.
• Search for interesting strings (passwords, URLs, API, encryption, backdoors, tokens, Bluetooth uuids...).
  • Special attention to firebase APIs.
• Read the manifest:
  • Check if the application is in debug mode and try to "exploit" it
  • Check if the APK allows backups
  • Exported Activities
  • Content Providers
  • Exposed services
  • Broadcast Receivers
  • URL Schemes
• Is the application saving data insecurely internally or externally?
• Is there any password hard coded or saved in disk? Is the app using insecurely crypto algorithms?
• All the libraries compiled using the PIE flag?
• Don't forget that there is a bunch of static Android Analyzers that can help you a lot during this phase.
• android:exported mandatory on Android 12+ – misconfigured exported components can lead to external intent invocation.
• Review Network Security Config (networkSecurityConfig XML) for cleartextTrafficPermitted="true" or domain-specific overrides.
• Look for calls to Play Integrity / SafetyNet / DeviceCheck – determine whether custom attestation can be hooked/bypassed.
• Inspect App Links / Deep Links (android:autoVerify) for intent-redirection or open-redirect issues.
• Identify usage of WebView.addJavascriptInterface or loadData*() that may lead to RCE / XSS inside the app.
• Analyse cross-platform bundles (Flutter libapp.so, React-Native JS bundles, Capacitor/Ionic assets). Dedicated tooling:
  • flutter-packer, fluttersign, rn-differ
• Scan third-party native libraries for known CVEs (e.g., libwebp CVE-2023-4863, libpng, etc.).
• Evaluate SEMgrep Mobile rules, Pithus and the latest MobSF ≥ 3.9 AI-assisted scan results for additional findings.

Dynamic Analysis

• Prepare the environment (online, local VM or physical)
• Is there any unintended data leakage (logging, copy/paste, crash logs)?
• Confidential information being saved in SQLite dbs?
• Exploitable exposed Activities?
• Exploitable Content Providers?
• Exploitable exposed Services?
• Exploitable Broadcast Receivers?
• Is the application transmitting information in clear text/using weak algorithms? is a MitM possible?
• Inspect HTTP/HTTPS traffic
  • This one is really important, because if you can capture the HTTP traffic you can search for common Web vulnerabilities (Hacktricks has a lot of information about Web vulns).
• Check for possible Android Client Side Injections (probably some static code analysis will help here)
• Frida: Just Frida, use it to obtain interesting dynamic data from the application (maybe some passwords...)
• Test for Tapjacking / Animation-driven attacks (TapTrap 2025) even on Android 15+ (no overlay permission required).
• Attempt overlay / SYSTEM_ALERT_WINDOW clickjacking and Accessibility Service abuse for privilege escalation.
• Check if adb backup / bmgr backupnow can still dump app data (apps that forgot to disable allowBackup).
• Probe for Binder-level LPEs (e.g., CVE-2023-20963, CVE-2023-20928); use kernel fuzzers or PoCs if permitted.
• If Play Integrity / SafetyNet is enforced, try runtime hooks (Frida Gadget, MagiskIntegrityFix, Integrity-faker) or network-level replay.
• Instrument with modern tooling:
  • Objection > 2.0, Frida 17+, NowSecure-Tracer (2024)
  • Dynamic system-wide tracing with perfetto / simpleperf.

Some obfuscation/Deobfuscation information

• Read here