# Android APK Checklist

{{#include ../banners/hacktricks-training.md}}

### [Learn Android fundamentals](android-app-pentesting/index.html#2-android-application-fundamentals)

- [ ] [Basics](android-app-pentesting/index.html#fundamentals-review)
- [ ] [Dalvik & Smali](android-app-pentesting/index.html#dalvik--smali)
- [ ] [Entry points](android-app-pentesting/index.html#application-entry-points)
  - [ ] [Activities](android-app-pentesting/index.html#launcher-activity)
  - [ ] [URL Schemes](android-app-pentesting/index.html#url-schemes)
  - [ ] [Content Providers](android-app-pentesting/index.html#services)
  - [ ] [Services](android-app-pentesting/index.html#services-1)
  - [ ] [Broadcast Receivers](android-app-pentesting/index.html#broadcast-receivers)
  - [ ] [Intents](android-app-pentesting/index.html#intents)
  - [ ] [Intent Filter](android-app-pentesting/index.html#intent-filter)
  - [ ] [Other components](android-app-pentesting/index.html#other-app-components)
- [ ] [How to use ADB](android-app-pentesting/index.html#adb-android-debug-bridge)
- [ ] [How to modify Smali](android-app-pentesting/index.html#smali)

### [Static Analysis](android-app-pentesting/index.html#static-analysis)

- [ ] Check for the use of [obfuscation](android-checklist.md#some-obfuscation-deobfuscation-information), checks for whether the device is rooted or an emulator is being used, and anti-tampering checks. [Read this for more info](android-app-pentesting/index.html#other-checks).
- [ ] Sensitive applications (like bank apps) should check if the mobile is rooted and should act accordingly.
- [ ] Search for [interesting strings](android-app-pentesting/index.html#looking-for-interesting-info) (passwords, URLs, API, encryption, backdoors, tokens, Bluetooth UUIDs...).
- [ ] Pay special attention to [Firebase](android-app-pentesting/index.html#firebase) APIs.
- [ ] [Read the manifest:](android-app-pentesting/index.html#basic-understanding-of-the-application-manifest-xml)
  - [ ] Check if the application is in debug mode and try to "exploit" it
  - [ ] Check if the APK allows backups
  - [ ] Exported Activities
  - [ ] Content Providers
  - [ ] Exposed services
  - [ ] Broadcast Receivers
  - [ ] URL Schemes
- [ ] Is the application [saving data insecurely internally or externally](android-app-pentesting/index.html#insecure-data-storage)?
- [ ] Is there any [password hard-coded or saved on disk](android-app-pentesting/index.html#poorkeymanagementprocesses)? Is the app [using insecure crypto algorithms](android-app-pentesting/index.html#useofinsecureandordeprecatedalgorithms)?
- [ ] Are all the libraries compiled using the PIE flag?
- [ ] Don't forget that there is a bunch of [static Android Analyzers](android-app-pentesting/index.html#automatic-analysis) that can help you a lot during this phase.

### [Dynamic Analysis](android-app-pentesting/index.html#dynamic-analysis)

- [ ] Prepare the environment ([online](android-app-pentesting/index.html#online-dynamic-analysis), [local VM or physical](android-app-pentesting/index.html#local-dynamic-analysis))
- [ ] Is there any [unintended data leakage](android-app-pentesting/index.html#unintended-data-leakage) (logging, copy/paste, crash logs)?
- [ ] [Confidential information being saved in SQLite dbs](android-app-pentesting/index.html#sqlite-dbs)?
- [ ] [Exploitable exposed Activities](android-app-pentesting/index.html#exploiting-exported-activities-authorisation-bypass)?
- [ ] [Exploitable Content Providers](android-app-pentesting/index.html#exploiting-content-providers-accessing-and-manipulating-sensitive-information)?
- [ ] [Exploitable exposed Services](android-app-pentesting/index.html#exploiting-services)?
- [ ] [Exploitable Broadcast Receivers](android-app-pentesting/index.html#exploiting-broadcast-receivers)?
- [ ] Is the application [transmitting information in clear text/using weak algorithms](android-app-pentesting/index.html#insufficient-transport-layer-protection)? Is a MitM possible?
- [ ] [Inspect HTTP/HTTPS traffic](android-app-pentesting/index.html#inspecting-http-traffic)
  - [ ] This one is really important, because if you can capture the HTTP traffic you can search for common Web vulnerabilities (HackTricks has a lot of information about Web vulns).
- [ ] Check for possible [Android Client Side Injections](android-app-pentesting/index.html#android-client-side-injections-and-others) (probably some static code analysis will help here)
- [ ] [Frida](android-app-pentesting/index.html#frida): Just Frida, use it to obtain interesting dynamic data from the application (maybe some passwords...)

### Some obfuscation/Deobfuscation information

- [ ] [Read here](android-app-pentesting/index.html#obfuscating-deobfuscating-code)