# Android APK Checklist

{{#include ../banners/hacktricks-training.md}}


### [Leer Android beginsels](android-app-pentesting/index.html#2-android-application-fundamentals)

- [ ] [Basiese beginsels](android-app-pentesting/index.html#fundamentals-review)
- [ ] [Dalvik & Smali](android-app-pentesting/index.html#dalvik--smali)
- [ ] [Toegangspunte](android-app-pentesting/index.html#application-entry-points)
- [ ] [Aktiwiteite](android-app-pentesting/index.html#launcher-activity)
- [ ] [URL Skemas](android-app-pentesting/index.html#url-schemes)
- [ ] [Inhoud Verskaffers](android-app-pentesting/index.html#services)
- [ ] [Dienste](android-app-pentesting/index.html#services-1)
- [ ] [Uitzend Ontvangers](android-app-pentesting/index.html#broadcast-receivers)
- [ ] [Intensies](android-app-pentesting/index.html#intents)
- [ ] [Intent Filter](android-app-pentesting/index.html#intent-filter)
- [ ] [Ander komponente](android-app-pentesting/index.html#other-app-components)
- [ ] [Hoe om ADB te gebruik](android-app-pentesting/index.html#adb-android-debug-bridge)
- [ ] [Hoe om Smali te wysig](android-app-pentesting/index.html#smali)

### [Statiese Analise](android-app-pentesting/index.html#static-analysis)

- [ ] Kontroleer vir die gebruik van [obfuscation](android-checklist.md#some-obfuscation-deobfuscation-information), kontroleer of die mobiele toestel ge-root is, of 'n emulator gebruik word en anti-tampering kontrole. [Lees dit vir meer inligting](android-app-pentesting/index.html#other-checks).
- [ ] Sensitiewe toepassings (soos banktoepassings) moet kontroleer of die mobiele toestel ge-root is en moet gevolglik optree.
- [ ] Soek na [interessante stringe](android-app-pentesting/index.html#looking-for-interesting-info) (wagwoorde, URL's, API, versleuteling, agterdeure, tokens, Bluetooth uuids...).
- [ ] Spesiale aandag aan [firebase ](android-app-pentesting/index.html#firebase)APIs.
- [ ] [Lees die manifest:](android-app-pentesting/index.html#basic-understanding-of-the-application-manifest-xml)
- [ ] Kontroleer of die toepassing in debug-modus is en probeer om dit te "ontgin"
- [ ] Kontroleer of die APK rugsteun toelaat
- [ ] Geëksporteerde Aktiwiteite
- [ ] Inhoud Verskaffers
- [ ] Blootgestelde dienste
- [ ] Uitzend Ontvangers
- [ ] URL Skemas
- [ ] Is die toepassing s[aving data insecurely internally or externally](android-app-pentesting/index.html#insecure-data-storage)?
- [ ] Is daar enige [wagwoord hard gekodeer of op skyf gestoor](android-app-pentesting/index.html#poorkeymanagementprocesses)? Gebruik die app [insecurely crypto algorithms](android-app-pentesting/index.html#useofinsecureandordeprecatedalgorithms)?
- [ ] Alle biblioteke saamgekompileer met die PIE-vlag?
- [ ] Moet nie vergeet dat daar 'n klomp [statiese Android Analyzers](android-app-pentesting/index.html#automatic-analysis) is wat jou baie kan help tydens hierdie fase nie.

### [Dinamiese Analise](android-app-pentesting/index.html#dynamic-analysis)

- [ ] Berei die omgewing voor ([aanlyn](android-app-pentesting/index.html#online-dynamic-analysis), [lokale VM of fisies](android-app-pentesting/index.html#local-dynamic-analysis))
- [ ] Is daar enige [onbedoelde data lekkasie](android-app-pentesting/index.html#unintended-data-leakage) (logging, copy/paste, crash logs)?
- [ ] [Vertroulike inligting wat in SQLite dbs gestoor word](android-app-pentesting/index.html#sqlite-dbs)?
- [ ] [Eksploiteerbare geëksporteerde Aktiwiteite](android-app-pentesting/index.html#exploiting-exported-activities-authorisation-bypass)?
- [ ] [Eksploiteerbare Inhoud Verskaffers](android-app-pentesting/index.html#exploiting-content-providers-accessing-and-manipulating-sensitive-information)?
- [ ] [Eksploiteerbare blootgestelde Dienste](android-app-pentesting/index.html#exploiting-services)?
- [ ] [Eksploiteerbare Uitzend Ontvangers](android-app-pentesting/index.html#exploiting-broadcast-receivers)?
- [ ] Is die toepassing [inligting in duidelike teks oordra/gebruik swak algoritmes](android-app-pentesting/index.html#insufficient-transport-layer-protection)? Is 'n MitM moontlik?
- [ ] [Inspekteer HTTP/HTTPS verkeer](android-app-pentesting/index.html#inspecting-http-traffic)
- [ ] Hierdie een is regtig belangrik, want as jy die HTTP-verkeer kan vang, kan jy soek na algemene Web kwesbaarhede (Hacktricks het baie inligting oor Web kwesbaarhede).
- [ ] Kontroleer vir moontlike [Android Client Side Injections](android-app-pentesting/index.html#android-client-side-injections-and-others) (waarskynlik sal 'n bietjie statiese kode analise hier help)
- [ ] [Frida](android-app-pentesting/index.html#frida): Net Frida, gebruik dit om interessante dinamiese data van die toepassing te verkry (miskien 'n paar wagwoorde...)

### Sommige obfuscation/Deobfuscation inligting

- [ ] [Lees hier](android-app-pentesting/index.html#obfuscating-deobfuscating-code)


{{#include ../banners/hacktricks-training.md}}