# Android APK Checklist

{{#include ../banners/hacktricks-training.md}}

### [Learn Android fundamentals](android-app-pentesting/index.html#2-android-application-fundamentals)

- [ ] [Basics](android-app-pentesting/index.html#fundamentals-review)
- [ ] [Dalvik & Smali](android-app-pentesting/index.html#dalvik--smali)
- [ ] [Entry points](android-app-pentesting/index.html#application-entry-points)
- [ ] [Activities](android-app-pentesting/index.html#launcher-activity)
- [ ] [URL Schemes](android-app-pentesting/index.html#url-schemes)
- [ ] [Content Providers](android-app-pentesting/index.html#services)
- [ ] [Services](android-app-pentesting/index.html#services-1)
- [ ] [Broadcast Receivers](android-app-pentesting/index.html#broadcast-receivers)
- [ ] [Intents](android-app-pentesting/index.html#intents)
- [ ] [Intent Filter](android-app-pentesting/index.html#intent-filter)
- [ ] [Other components](android-app-pentesting/index.html#other-app-components)
- [ ] [How to use ADB](android-app-pentesting/index.html#adb-android-debug-bridge)
- [ ] [How to modify Smali](android-app-pentesting/index.html#smali)

### [Static Analysis](android-app-pentesting/index.html#static-analysis)

- [ ] Check for the use of [obfuscation](android-checklist.md#some-obfuscation-deobfuscation-information), root detection, emulator detection and anti-tampering checks. [Read this for more info](android-app-pentesting/index.html#other-checks).
- [ ] Sensitive applications (such as banking apps) should detect whether the device is rooted and react accordingly.
- [ ] Search for [interesting strings](android-app-pentesting/index.html#looking-for-interesting-info) (passwords, URLs, API endpoints and keys, encryption material, backdoors, tokens, Bluetooth UUIDs...).
- [ ] Pay special attention to [Firebase](android-app-pentesting/index.html#firebase) APIs.
- [ ] [Read the manifest:](android-app-pentesting/index.html#basic-understanding-of-the-application-manifest-xml)
  - [ ] Check whether the application is debuggable (`android:debuggable="true"`) and try to exploit it
  - [ ] Check whether the APK allows backups (`android:allowBackup`)
  - [ ] Exported Activities
  - [ ] Content Providers
  - [ ] Exposed Services
  - [ ] Broadcast Receivers
  - [ ] URL Schemes
- [ ] Does the application [store data insecurely, internally or externally](android-app-pentesting/index.html#insecure-data-storage)?
- [ ] Is there any [password hard-coded or saved on disk](android-app-pentesting/index.html#poorkeymanagementprocesses)? Does the app [use insecure or deprecated cryptographic algorithms](android-app-pentesting/index.html#useofinsecureandordeprecatedalgorithms)?
- [ ] Are all native libraries and bundled binaries compiled with the PIE flag?
- [ ] Don't forget that there are a number of [static Android analyzers](android-app-pentesting/index.html#automatic-analysis) that can help a lot during this phase.
- [ ] `android:exported` **is mandatory on Android 12+** for every component that declares an intent filter in an app targeting API 31+ (the install is rejected otherwise); a component that is exported without a permission can be invoked by any other app on the device.
- [ ] Review the **Network Security Config** (the XML referenced by `android:networkSecurityConfig`) for `cleartextTrafficPermitted="true"`, custom `domain-config` overrides and user-installed CA trust anchors.
- [ ] Look for **Play Integrity / SafetyNet** attestation calls and check whether the verdict can be hooked or bypassed.
- [ ] Review **App Links / Deep Links** (`android:autoVerify`) for intent redirection or open-redirect issues.
- [ ] Identify uses of **WebView.addJavascriptInterface** and of `loadData*()` / `loadUrl()` with attacker-influenced content: the former exposes Java objects to page JavaScript (arbitrary code execution through reflection when the app targets API < 17, otherwise any `@JavascriptInterface` method is callable by whatever page is loaded), the latter can lead to XSS inside the app.
- [ ] Analyse cross-platform bundles (Flutter `libapp.so`, React Native JS bundles, Capacitor/Ionic assets). Dedicated tooling: `flutter-packer`, `fluttersign`, `rn-differ`.
- [ ] Scan third-party native libraries for known CVEs (e.g. **libwebp CVE-2023-4863**, **libpng**, etc.).
- [ ] Run **Semgrep mobile rules**, **Pithus** and the latest **MobSF ≥ 3.9** (AI-assisted findings) for additional results.

### [Dynamic Analysis](android-app-pentesting/index.html#dynamic-analysis)

- [ ] Prepare the environment ([online](android-app-pentesting/index.html#online-dynamic-analysis), [local VM or physical device](android-app-pentesting/index.html#local-dynamic-analysis))
- [ ] Is there any [unintended data leakage](android-app-pentesting/index.html#unintended-data-leakage) (logging, copy/paste, crash logs)?
- [ ] [Sensitive information stored in SQLite databases](android-app-pentesting/index.html#sqlite-dbs)?
- [ ] [Exploitable exported Activities](android-app-pentesting/index.html#exploiting-exported-activities-authorisation-bypass)?
- [ ] [Exploitable Content Providers](android-app-pentesting/index.html#exploiting-content-providers-accessing-and-manipulating-sensitive-information)?
- [ ] [Exploitable exposed Services](android-app-pentesting/index.html#exploiting-services)?
- [ ] [Exploitable Broadcast Receivers](android-app-pentesting/index.html#exploiting-broadcast-receivers)?
- [ ] Does the application [transmit information in cleartext or with weak algorithms](android-app-pentesting/index.html#insufficient-transport-layer-protection)? Is a MitM possible?
- [ ] [Inspect HTTP/HTTPS traffic](android-app-pentesting/index.html#inspecting-http-traffic)
  - [ ] This is very important: once you can intercept the HTTP traffic you can look for common web vulnerabilities (HackTricks has a lot of information about web vulnerabilities).
- [ ] Check for possible [Android client-side injections](android-app-pentesting/index.html#android-client-side-injections-and-others) (static code analysis will probably help here)
- [ ] [Frida](android-app-pentesting/index.html#frida): just use it to obtain interesting dynamic data from the application (perhaps some passwords...)
- [ ] Test **Tapjacking / animation-driven attacks (TapTrap 2025)**, which work even on Android 15+ without the overlay permission.
- [ ] Test **overlay / SYSTEM_ALERT_WINDOW clickjacking** and **Accessibility Service abuse** for privilege escalation.
- [ ] Check whether `adb backup` / `bmgr backupnow` can still dump the app's data (apps that forgot to disable `allowBackup`).
- [ ] Explore **Binder-level LPEs** (e.g. **CVE-2023-20963, CVE-2023-20928**); use kernel fuzzers or PoCs if the engagement allows it.
- [ ] If Play Integrity / SafetyNet is enforced, try runtime hooks (`Frida Gadget`, `MagiskIntegrityFix`, `Integrity-faker`) or network-level replay of a previously valid verdict.
- [ ] Automate with current tooling:
  - **Objection > 2.0**, **Frida 17+**, **NowSecure-Tracer (2024)**
  - System-wide dynamic tracing with `perfetto` / `simpleperf`.

### Some obfuscation/Deobfuscation information

- [ ] [Read here](android-app-pentesting/index.html#obfuscating-deobfuscating-code)
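As an added worked example for the manifest items of the static-analysis checklist (debuggable, `allowBackup`, exported components, `android:exported` on Android 12+, Network Security Config) and for the exported-component probing of the dynamic-analysis checklist, this is not HackTricks' own code: a Python script that triages an apktool-decoded `AndroidManifest.xml` and `res/xml/network_security_config.xml` offline and emits the `adb` one-liners to poke each exported, permission-less component. Both XML documents embedded in the script are constructed samples; the package `com.example.target` and its components are hypothetical.

```python
"""Offline triage of apktool-decoded AndroidManifest.xml / network_security_config.xml (added example, constructed samples)."""
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # expanded "android:" attribute prefix
COMPONENTS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed sample manifest (hypothetical package, not a real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.target">
  <application android:debuggable="true" android:allowBackup="true"
               android:networkSecurityConfig="@xml/network_security_config">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".AdminActivity" android:exported="true"/>
    <activity android:name=".SettingsActivity" android:exported="true" android:permission="com.example.target.ADMIN"/>
    <provider android:name=".NotesProvider" android:exported="true" android:authorities="com.example.target.notes"/>
    <receiver android:name=".PushReceiver">
      <intent-filter><action android:name="com.example.target.PUSH"/></intent-filter>
    </receiver>
    <service android:name=".SyncService" android:exported="false"/>
  </application>
</manifest>"""

# Constructed sample res/xml/network_security_config.xml.
SAMPLE_NSC = """<network-security-config>
  <base-config cleartextTrafficPermitted="false"/>
  <domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="true">legacy.example.com</domain>
    <trust-anchors><certificates src="user"/></trust-anchors>
  </domain-config>
</network-security-config>"""


def _is_launcher(comp):
    """The launcher activity has to be exported, so it is not reported as a finding."""
    return any(a.get(A + "name") == "android.intent.action.MAIN" for a in comp.iter("action"))


def audit_manifest(xml_text):
    """Return (severity, message) findings for the manifest items in the checklist."""
    root = ET.fromstring(xml_text)
    pkg, app, findings = root.get("package", ""), root.find("application"), []
    if app.get(A + "debuggable") == "true":
        findings.append(("high", "android:debuggable=true: run-as and debugger attach are possible"))
    if app.get(A + "allowBackup", "true") == "true":  # the attribute defaults to true
        findings.append(("medium", "allowBackup not disabled: adb backup / bmgr may dump app data"))
    for comp in app:
        if comp.tag not in COMPONENTS or _is_launcher(comp):
            continue
        name, exported = comp.get(A + "name", "?"), comp.get(A + "exported")
        name = pkg + name if name.startswith(".") else name  # ".Foo" -> "pkg.Foo"
        if exported is None and comp.find("intent-filter") is not None:
            findings.append(("medium", f"{comp.tag} {name}: intent-filter but no android:exported "
                                       "(implicitly exported below API 31, install rejected on 12+)"))
        elif exported == "true" and comp.get(A + "permission") is None:
            findings.append(("high", f"{comp.tag} {name}: exported without a permission"))
    return findings


def audit_nsc(xml_text):
    """Return findings for cleartext traffic and user-CA trust anchors in the config."""
    findings = []
    for cfg in ET.fromstring(xml_text):  # base-config, domain-config, debug-overrides
        if cfg.get("cleartextTrafficPermitted") == "true":
            domains = [d.text for d in cfg.findall("domain")] or ["all domains"]
            findings.append(("medium", f"{cfg.tag}: cleartext permitted for {', '.join(domains)}"))
        if cfg.find("trust-anchors/certificates[@src='user']") is not None:
            findings.append(("info", f"{cfg.tag}: user-installed CAs trusted, a proxy CA works unhooked"))
    return findings


def probe_commands(xml_text):
    """adb one-liners to poke every exported, permission-less component during dynamic analysis."""
    root = ET.fromstring(xml_text)
    pkg, cmds = root.get("package", ""), []
    for comp in root.find("application"):
        if comp.get(A + "exported") != "true" or comp.get(A + "permission") or _is_launcher(comp):
            continue
        name = comp.get(A + "name", "")
        full = pkg + name if name.startswith(".") else name
        if comp.tag == "activity":
            cmds.append(f"adb shell am start -n {pkg}/{full}")
        elif comp.tag == "service":
            cmds.append(f"adb shell am startservice -n {pkg}/{full}")
        elif comp.tag == "provider":
            for authority in comp.get(A + "authorities", "").split(";"):
                cmds.append(f"adb shell content query --uri content://{authority}/")
    return cmds


if __name__ == "__main__":  # print the findings and probe commands for the constructed samples
    print(*audit_manifest(SAMPLE_MANIFEST), *audit_nsc(SAMPLE_NSC), *probe_commands(SAMPLE_MANIFEST), sep="\n")
```

Point the three functions at the real files from `apktool d target.apk` (the binary manifest inside the APK itself is not plain XML; use `aapt2 dump xmltree` if you do not want to decode). A receiver or service that the script flags still needs a manual look at what the component does with the incoming Intent before the finding is worth reporting; the `adb` lines only confirm that it can be reached without a permission.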
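For the "compiled with the PIE flag" item in the static-analysis checklist, an added example that is not HackTricks' own code: a Python script that walks every entry of an APK, sniffs for the ELF magic and reports whether each ELF image is `ET_DYN` (position independent). Shared objects under `lib/` are `ET_DYN` by construction, so in practice the check surfaces executables the app ships and spawns itself (typically under `assets/`), which must be PIE to run on Android 5.0+ at all. The APK and the ELF headers below are constructed in memory; no real app is involved, and the script reads the ELF header only (RELRO, stack canaries and NX are not covered).

```python
"""Report whether ELF images packaged in an APK are position independent (added example, constructed input)."""
import io
import struct
import zipfile

ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3  # e_type: fixed-address executable vs. PIE / shared object


def elf_type(data):
    """Return e_type (offset 16) of an ELF image, honouring its declared byte order (EI_DATA at offset 5)."""
    if data[:4] != ELF_MAGIC or len(data) < 18:
        raise ValueError("not an ELF image")
    order = "<" if data[5] == 1 else ">"
    return struct.unpack_from(order + "H", data, 16)[0]


def audit_elf_entries(apk_bytes):
    """Map every ELF entry in the APK (lib/*.so, assets/, ...) to True if it is PIE, False otherwise."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            with apk.open(info) as fh:
                head = fh.read(64)  # the ELF header is 52 (ELF32) or 64 (ELF64) bytes
            if head[:4] == ELF_MAGIC:
                results[info.filename] = elf_type(head) == ET_DYN
    return results


def fake_elf(e_type, elf_class=2, big_endian=False):
    """Constructed ELF header carrying only the fields elf_type() reads (test input, not a real binary)."""
    hdr = bytearray(64 if elf_class == 2 else 52)
    hdr[0:4] = ELF_MAGIC
    hdr[4] = elf_class               # EI_CLASS: 1 = ELF32, 2 = ELF64
    hdr[5] = 2 if big_endian else 1  # EI_DATA: 1 = little endian, 2 = big endian
    hdr[6] = 1                       # EI_VERSION
    struct.pack_into((">" if big_endian else "<") + "H", hdr, 16, e_type)
    return bytes(hdr)


def build_sample_apk():
    """Constructed APK: a PIE shared library, a non-PIE ELF32 helper binary in assets/, and a DEX file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("lib/arm64-v8a/libnative.so", fake_elf(ET_DYN))
        apk.writestr("assets/bin/helper", fake_elf(ET_EXEC, elf_class=1))
        apk.writestr("classes.dex", b"dex\n035\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for path, pie in audit_elf_entries(build_sample_apk()).items():
        print(f"{'PIE   ' if pie else 'NO-PIE'} {path}")
```

Against a real target, read the APK from disk (`audit_elf_entries(open("target.apk", "rb").read())`); an APK is an ordinary zip, so no decoding step is needed for this check.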