Android APK Checklist
Tip
Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Learn the Android basics
- Basics
- Dalvik & Smali
- Entry points
- Activities
- URL Schemes
- Content Providers
- Services
- Broadcast Receivers
- Intents
- Intent Filter
- Other components
- How to use ADB
- How to modify Smali
Static Analysis
- Check for the use of obfuscation, whether the app detects that the device is rooted, whether an emulator is being used, and any anti-tampering checks. Read this for more info.
- Sensitive applications (like banking apps) should check whether the device is rooted and act accordingly.
- Look for interesting strings (passwords, URLs, APIs, encryption, backdoors, tokens, Bluetooth uuids...).
- Pay special attention to firebase APIs.
- Read the manifest:
  - Check whether the application is in debug mode and try to "exploit" it
  - Check whether the APK allows backups
  - Exported Activities
    - Unity Runtime: exported UnityPlayerActivity/UnityPlayerGameActivity with a unityCLI extras bridge. Test -xrsdk-pre-init-library <abs-path> for pre-init dlopen() RCE. See Intent Injection → Unity Runtime.
  - Content Providers
  - Exposed services
  - Broadcast Receivers
  - URL Schemes
- Does the application store data insecurely internally or externally?
- Are there passwords hard-coded or saved on disk? Does the app use insecure crypto algorithms?
- Are all the libraries compiled using the PIE flag?
- Don't forget that there is a bunch of static Android Analyzers that can help you a lot during this stage.
- android:exported is mandatory on Android 12+ – misconfigured components can allow intent invocation from outside.
- Review the Network Security Config (networkSecurityConfig XML) for cleartextTrafficPermitted="true" or custom per-domain overrides.
- Look for any call to Play Integrity / SafetyNet / DeviceCheck – determine whether custom attestation can be hooked/bypassed.
- Examine App Links / Deep Links (android:autoVerify) for intent-redirection or open-redirect issues.
- Identify use of WebView.addJavascriptInterface or loadData*() that can lead to RCE / XSS inside the app.
- Analyse cross-platform bundles (Flutter libapp.so, React-Native JS bundles, Capacitor/Ionic assets). Dedicated tools: flutter-packer, fluttersign, rn-differ.
- Scan third-party native libraries for known CVEs (e.g., libwebp CVE-2023-4863, libpng, etc.).
- Evaluate AI scan results using Semgrep Mobile rules, Pithus and the latest MobSF ≥ 3.9 for further findings.
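As an added example (not HackTricks' own tooling), the following Python script triages a decoded AndroidManifest.xml (e.g. from apktool) and a network_security_config.xml for the manifest checks listed above: debuggable, allowBackup, components exported without a permission (including the implicit export via intent-filter on targetSdk < 31), and cleartextTrafficPermitted. The sample manifest and config are constructed for illustration.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # namespace of android:* attributes
COMPONENTS = ("activity", "activity-alias", "service", "receiver", "provider")

def audit_manifest(xml_text: str) -> list[str]:
    """Flag debuggable, allowBackup, and components exported without a permission."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    sdk = root.find("uses-sdk")
    target = int(sdk.get(A + "targetSdkVersion", "1")) if sdk is not None else 1
    findings = []
    if app.get(A + "debuggable") == "true":
        findings.append("application is debuggable")
    if app.get(A + "allowBackup", "true") == "true":  # attribute absent => defaults to true
        findings.append("allowBackup is enabled (explicitly or by default)")
    for comp in app:
        if comp.tag not in COMPONENTS:
            continue
        name, exported = comp.get(A + "name"), comp.get(A + "exported")
        if exported is None and comp.find("intent-filter") is not None:
            # targetSdk < 31: an intent-filter implicitly exports the component; API 31+ rejects the APK
            if target >= 31:
                findings.append(f"{comp.tag} {name}: intent-filter without android:exported (rejected on API 31+)")
                continue
            exported = "true"
        if exported == "true" and comp.get(A + "permission") is None:
            findings.append(f"{comp.tag} {name}: exported without a permission")
    return findings

def audit_network_config(xml_text: str) -> list[str]:
    """Flag cleartextTrafficPermitted="true" in base-config or domain-config overrides."""
    findings = []
    for cfg in ET.fromstring(xml_text):
        if cfg.get("cleartextTrafficPermitted") == "true":
            domains = [d.text for d in cfg.findall("domain")] or ["all domains"]
            findings.append(f"{cfg.tag} permits cleartext for {', '.join(domains)}")
    return findings

# Constructed sample inputs, not taken from any real app
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
  <uses-sdk android:targetSdkVersion="30"/>
  <application android:debuggable="true">
    <activity android:name=".MainActivity"><intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter></activity>
    <activity android:name=".Admin" android:exported="true" android:permission="com.example.ADMIN"/>
    <provider android:name=".Data" android:authorities="com.example.data" android:exported="true"/>
  </application></manifest>"""
SAMPLE_NSC = """<network-security-config><base-config cleartextTrafficPermitted="false"/>
  <domain-config cleartextTrafficPermitted="true"><domain includeSubdomains="true">legacy.example.com</domain></domain-config>
</network-security-config>"""
```

Run both functions over the samples to see the four manifest findings and the single per-domain cleartext override; point them at apktool output to triage a real APK.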
Dynamic Analysis
- Prepare the environment (online, local VM or physical)
- Is there any unintended data leakage (logging, copy/paste, crash logs)?
- Confidential information being saved in SQLite dbs?
- Exploitable exposed Activities?
- Exploitable Content Providers?
- Exploitable exposed Services?
- Exploitable Broadcast Receivers?
- Does the application transmit information in clear text/using weak algorithms? Is a MitM possible?
- Inspect HTTP/HTTPS traffic
  - This is very important, because once you manage to capture the HTTP traffic you can search for common Web vulnerabilities (HackTricks has a lot of information about Web vulns).
- Check for possible Android Client Side Injections (some static code analysis will probably help you here)
- Frida: Use Frida to obtain dynamic data from the application (maybe some passwords...)
- Test for Tapjacking / Animation-driven attacks (TapTrap 2025) even on Android 15+ (no overlay permission required).
- Test overlay / SYSTEM_ALERT_WINDOW clickjacking and Accessibility Service abuse for privilege escalation.
- Check whether adb backup / bmgr backupnow can still dump app data (apps that failed to disable allowBackup).
- Probe for Binder-level LPEs (e.g., CVE-2023-20963, CVE-2023-20928); use kernel fuzzers or PoCs if permitted.
- If Play Integrity / SafetyNet is enforced, try runtime hooks (Frida Gadget, MagiskIntegrityFix, Integrity-faker) or network-level replay.
- Combine with modern tools:
  - Objection > 2.0, Frida 17+, NowSecure-Tracer (2024)
  - Dynamic system-wide tracing with perfetto/simpleperf.
Some obfuscation/Deobfuscation information
References