From 0f5849369be803516ad5df4473f562190b55382c Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Wed, 6 Aug 2025 16:29:50 +0000 Subject: [PATCH 1/3] Add content from: Research Update: Enhanced src/mobile-pentesting/android-chec... --- src/mobile-pentesting/android-checklist.md | 32 ++++++++++++++++++++-- 1 file changed, 29 insertions(+), 3 deletions(-) diff --git a/src/mobile-pentesting/android-checklist.md b/src/mobile-pentesting/android-checklist.md index f430aaa11..f3706dff8 100644 --- a/src/mobile-pentesting/android-checklist.md +++ b/src/mobile-pentesting/android-checklist.md 
@@ -38,6 +38,18 @@ - [ ] All the libraries compiled using the PIE flag? - [ ] Don't forget that there is a bunch of[ static Android Analyzers](android-app-pentesting/index.html#automatic-analysis) that can help you a lot during this phase. +#### 2023-2025 specific checks + +- [ ] `android:exported` **mandatory on Android 12+** – misconfigured exported components can lead to external intent invocation. +- [ ] Review **Network Security Config** (`networkSecurityConfig` XML) for `cleartextTrafficPermitted="true"` or domain-specific overrides. +- [ ] Look for calls to **Play Integrity / SafetyNet / DeviceCheck** – determine whether custom attestation can be hooked/bypassed. +- [ ] Inspect **App Links / Deep Links** (`android:autoVerify`) for intent-redirection or open-redirect issues. +- [ ] Identify usage of **WebView.addJavascriptInterface** or `loadData*()` that may lead to RCE / XSS inside the app. +- [ ] Analyse cross-platform bundles (Flutter `libapp.so`, React-Native JS bundles, Capacitor/Ionic assets). Dedicated tooling: + - `flutter-packer`, `fluttersign`, `rn-differ` +- [ ] Scan third-party native libraries for known CVEs (e.g., **libwebp CVE-2023-4863**, **libpng**, etc.). +- [ ] Evaluate **SEMgrep Mobile rules**, **Pithus** and the latest **MobSF ≥ 3.9** AI-assisted scan results for additional findings. + ### [Dynamic Analysis](android-app-pentesting/index.html#dynamic-analysis) - [ ] Prepare the environment ([online](android-app-pentesting/index.html#online-dynamic-analysis), [local VM or physical](android-app-pentesting/index.html#local-dynamic-analysis)) 
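Review bot: in hunk `@@ -38,6 +38,18 @@`, `DeviceCheck` on the Play Integrity / SafetyNet line is Apple's iOS attestation API, not an Android one; drop it or replace it with Android Key Attestation so the bullet matches the platform this checklist covers. The `android:exported` bullet also overstates the rule: the attribute is only mandatory for components that declare an `<intent-filter>` when the app targets API 31+, and omitting it on such a component fails the install rather than silently exporting it; suggest rewording to `android:exported must be declared on every component with an <intent-filter> when targeting API 31+ ; review every component set to true`. Finally, `flutter-packer`, `fluttersign`, `rn-differ` and the "MobSF ≥ 3.9 AI-assisted scan results" are named without any link, while every other tool on this page links to a section or project; add references or remove the names, and correct `SEMgrep` to `Semgrep`.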
@@ -53,12 +65,26 @@ - [ ] Check for possible [Android Client Side Injections](android-app-pentesting/index.html#android-client-side-injections-and-others) (probably some static code analysis will help here) - [ ] [Frida](android-app-pentesting/index.html#frida): Just Frida, use it to obtain interesting dynamic data from the application (maybe some passwords...) +#### 2023-2025 attack surface additions + +- [ ] Test for **Tapjacking / Animation-driven attacks (TapTrap 2025)** even on Android 15+ (no overlay permission required). +- [ ] Attempt **overlay / SYSTEM_ALERT_WINDOW clickjacking** and **Accessibility Service abuse** for privilege escalation. +- [ ] Check if `adb backup` / `bmgr backupnow` can still dump app data (apps that forgot to disable `allowBackup`). +- [ ] Probe for **Binder-level LPEs** (e.g., **CVE-2023-20963, CVE-2023-20928**); use kernel fuzzers or PoCs if permitted. +- [ ] If Play Integrity / SafetyNet is enforced, try runtime hooks (`Frida Gadget`, `MagiskIntegrityFix`, `Integrity-faker`) or network-level replay. +- [ ] Instrument with modern tooling: + - **Objection > 2.0**, **Frida 17+**, **NowSecure-Tracer (2024)** + - Dynamic system-wide tracing with `perfetto` / `simpleperf`. + ### Some obfuscation/Deobfuscation information - [ ] [Read here](android-app-pentesting/index.html#obfuscating-deobfuscating-code) + + +## References + +- [TapTrap: Animation-Driven Tapjacking on Android – USENIX Security 2025](https://www.usenix.org/conference/usenixsecurity25/presentation/beer) +- [NVD: CVE-2023-20963 – Android WorkSource parcel mismatch local privilege escalation](https://nvd.nist.gov/vuln/detail/CVE-2023-20963) {{#include ../banners/hacktricks-training.md}} - - - From ca8bc4e345939a57dd93583e521b1d43b2be2b87 Mon Sep 17 00:00:00 2001 From: SirBroccoli Date: Sun, 10 Aug 2025 14:35:53 +0200 Subject: [PATCH 2/3] Update android-checklist.md --- src/mobile-pentesting/android-checklist.md | 6 ------ 1 file changed, 6 deletions(-) 
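Review bot: on PATCH 1/3, hunk `@@ -53,12 +65,26 @@`, the `adb backup` / `bmgr backupnow` item is missing its scope: since Android 12, `adb backup` excludes app data for apps targeting API 31+ regardless of `allowBackup` unless the app is `android:debuggable`, so this check only catches apps with a lower targetSdkVersion or a debuggable build; state that condition so testers do not file a false positive. The Binder LPE line cites CVE-2023-20928 alongside CVE-2023-20963 but only the latter gets an entry in the new `## References` section; add the NVD link or drop the second CVE. `MagiskIntegrityFix`, `Integrity-faker` and `NowSecure-Tracer (2024)` are bare names with no link, unlike the rest of the page; link them or remove them.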
diff --git a/src/mobile-pentesting/android-checklist.md b/src/mobile-pentesting/android-checklist.md index f3706dff8..fae6a5381 100644 --- a/src/mobile-pentesting/android-checklist.md +++ b/src/mobile-pentesting/android-checklist.md @@ -37,9 +37,6 @@ - [ ] Is there any [password hard coded or saved in disk](android-app-pentesting/index.html#poorkeymanagementprocesses)? Is the app [using insecurely crypto algorithms](android-app-pentesting/index.html#useofinsecureandordeprecatedalgorithms)? - [ ] All the libraries compiled using the PIE flag? - [ ] Don't forget that there is a bunch of[ static Android Analyzers](android-app-pentesting/index.html#automatic-analysis) that can help you a lot during this phase. - -#### 2023-2025 specific checks - - [ ] `android:exported` **mandatory on Android 12+** – misconfigured exported components can lead to external intent invocation. - [ ] Review **Network Security Config** (`networkSecurityConfig` XML) for `cleartextTrafficPermitted="true"` or domain-specific overrides. - [ ] Look for calls to **Play Integrity / SafetyNet / DeviceCheck** – determine whether custom attestation can be hooked/bypassed. 
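Review bot: hunk `@@ -37,9 +37,6 @@` (PATCH 2/3) removes only the `#### 2023-2025 specific checks` heading and its surrounding blank lines, so the eight new bullets now continue the generic static-analysis list directly after the `static Android Analyzers` pointer, which reads as the closing item of that list. If the merge is intended, the commit message "Update android-checklist.md" should say so; if the heading was dropped because its title is date-bound, a neutral subheading such as `#### Additional static checks` keeps the grouping without the dates.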
@@ -64,9 +61,6 @@ - [ ] This one is really important, because if you can capture the HTTP traffic you can search for common Web vulnerabilities (Hacktricks has a lot of information about Web vulns). - [ ] Check for possible [Android Client Side Injections](android-app-pentesting/index.html#android-client-side-injections-and-others) (probably some static code analysis will help here) - [ ] [Frida](android-app-pentesting/index.html#frida): Just Frida, use it to obtain interesting dynamic data from the application (maybe some passwords...) - -#### 2023-2025 attack surface additions - - [ ] Test for **Tapjacking / Animation-driven attacks (TapTrap 2025)** even on Android 15+ (no overlay permission required). - [ ] Attempt **overlay / SYSTEM_ALERT_WINDOW clickjacking** and **Accessibility Service abuse** for privilege escalation. - [ ] Check if `adb backup` / `bmgr backupnow` can still dump app data (apps that forgot to disable `allowBackup`). From 5a63066cdb0bbf50cdc8bfec380629fd84ff6f0b Mon Sep 17 00:00:00 2001 From: SirBroccoli Date: Sun, 10 Aug 2025 14:36:11 +0200 Subject: [PATCH 3/3] Update android-checklist.md --- src/mobile-pentesting/android-checklist.md | 6 ------ 1 file changed, 6 deletions(-) diff --git a/src/mobile-pentesting/android-checklist.md b/src/mobile-pentesting/android-checklist.md index fae6a5381..0b4da25ef 100644 --- a/src/mobile-pentesting/android-checklist.md +++ b/src/mobile-pentesting/android-checklist.md @@ -75,10 +75,4 @@ - [ ] [Read here](android-app-pentesting/index.html#obfuscating-deobfuscating-code) - - -## References - -- [TapTrap: Animation-Driven Tapjacking on Android – USENIX Security 2025](https://www.usenix.org/conference/usenixsecurity25/presentation/beer) -- [NVD: CVE-2023-20963 – Android WorkSource parcel mismatch local privilege escalation](https://nvd.nist.gov/vuln/detail/CVE-2023-20963) {{#include ../banners/hacktricks-training.md}}
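Review bot: hunk `@@ -64,9 +61,6 @@` (PATCH 2/3) drops the `#### 2023-2025 attack surface additions` heading the same way, leaving the TapTrap, overlay, Binder LPE and Play Integrity bypass bullets appended straight after the Frida item. The Binder LPE and integrity-bypass items are OS-level steps that the original text gates with "if permitted"; without the heading they now read as routine app checks, so either restore a neutral subheading or keep a scope note on those two bullets.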
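Review bot: hunk `@@ -75,10 +75,4 @@` (PATCH 3/3) deletes the whole `## References` section while the TapTrap (USENIX Security 2025) and CVE-2023-20963 bullets added in PATCH 1/3 remain in the body, so those two claims now carry no citation; either keep the two reference entries or inline the USENIX and NVD URLs in the bullets themselves.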