mirror of
https://github.com/HackTricks-wiki/hacktricks.git
synced 2025-10-10 18:36:50 +00:00
Merge pull request #1249 from HackTricks-wiki/research_update_src_mobile-pentesting_android-checklist_20250806_162616
Research Update Enhanced src/mobile-pentesting/android-check...
This commit is contained in:
SirBroccoli
GitHub
commit
72a280a50b
@ -37,6 +37,15 @@
|
||||
- [ ] Is there any [password hard coded or saved in disk](android-app-pentesting/index.html#poorkeymanagementprocesses)? Is the app [using insecurely crypto algorithms](android-app-pentesting/index.html#useofinsecureandordeprecatedalgorithms)?
|
||||
- [ ] All the libraries compiled using the PIE flag?
|
||||
- [ ] Don't forget that there is a bunch of[ static Android Analyzers](android-app-pentesting/index.html#automatic-analysis) that can help you a lot during this phase.
|
||||
- [ ] `android:exported` **mandatory on Android 12+** – misconfigured exported components can lead to external intent invocation.
|
||||
- [ ] Review **Network Security Config** (`networkSecurityConfig` XML) for `cleartextTrafficPermitted="true"` or domain-specific overrides.
|
||||
- [ ] Look for calls to **Play Integrity / SafetyNet / DeviceCheck** – determine whether custom attestation can be hooked/bypassed.
|
||||
- [ ] Inspect **App Links / Deep Links** (`android:autoVerify`) for intent-redirection or open-redirect issues.
|
||||
- [ ] Identify usage of **WebView.addJavascriptInterface** or `loadData*()` that may lead to RCE / XSS inside the app.
|
||||
- [ ] Analyse cross-platform bundles (Flutter `libapp.so`, React-Native JS bundles, Capacitor/Ionic assets). Dedicated tooling:
|
||||
- `flutter-packer`, `fluttersign`, `rn-differ`
|
||||
- [ ] Scan third-party native libraries for known CVEs (e.g., **libwebp CVE-2023-4863**, **libpng**, etc.).
|
||||
- [ ] Evaluate **SEMgrep Mobile rules**, **Pithus** and the latest **MobSF ≥ 3.9** AI-assisted scan results for additional findings.
|
||||
|
||||
### [Dynamic Analysis](android-app-pentesting/index.html#dynamic-analysis)
|
||||
|
||||
@ -52,6 +61,14 @@
|
||||
- [ ] This one is really important, because if you can capture the HTTP traffic you can search for common Web vulnerabilities (Hacktricks has a lot of information about Web vulns).
|
||||
- [ ] Check for possible [Android Client Side Injections](android-app-pentesting/index.html#android-client-side-injections-and-others) (probably some static code analysis will help here)
|
||||
- [ ] [Frida](android-app-pentesting/index.html#frida): Just Frida, use it to obtain interesting dynamic data from the application (maybe some passwords...)
|
||||
- [ ] Test for **Tapjacking / Animation-driven attacks (TapTrap 2025)** even on Android 15+ (no overlay permission required).
|
||||
- [ ] Attempt **overlay / SYSTEM_ALERT_WINDOW clickjacking** and **Accessibility Service abuse** for privilege escalation.
|
||||
- [ ] Check if `adb backup` / `bmgr backupnow` can still dump app data (apps that forgot to disable `allowBackup`).
|
||||
- [ ] Probe for **Binder-level LPEs** (e.g., **CVE-2023-20963, CVE-2023-20928**); use kernel fuzzers or PoCs if permitted.
|
||||
- [ ] If Play Integrity / SafetyNet is enforced, try runtime hooks (`Frida Gadget`, `MagiskIntegrityFix`, `Integrity-faker`) or network-level replay.
|
||||
- [ ] Instrument with modern tooling:
|
||||
- **Objection > 2.0**, **Frida 17+**, **NowSecure-Tracer (2024)**
|
||||
- Dynamic system-wide tracing with `perfetto` / `simpleperf`.
|
||||
|
||||
### Some obfuscation/Deobfuscation information
|
||||
|
||||
@ -59,6 +76,3 @@
|
||||
|
||||
|
||||
{{#include ../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user