# Android APK Checklist
{{#include ../banners/hacktricks-training.md}}
### [Learn Android fundamentals](android-app-pentesting/index.html#2-android-application-fundamentals)
- [ ] [Basics](android-app-pentesting/index.html#fundamentals-review)
- [ ] [Dalvik & Smali](android-app-pentesting/index.html#dalvik--smali)
- [ ] [Entry points](android-app-pentesting/index.html#application-entry-points)
- [ ] [Activities](android-app-pentesting/index.html#launcher-activity)
- [ ] [URL Schemes](android-app-pentesting/index.html#url-schemes)
- [ ] [Content Providers](android-app-pentesting/index.html#services)
- [ ] [Services](android-app-pentesting/index.html#services-1)
- [ ] [Broadcast Receivers](android-app-pentesting/index.html#broadcast-receivers)
- [ ] [Intents](android-app-pentesting/index.html#intents)
- [ ] [Intent Filter](android-app-pentesting/index.html#intent-filter)
- [ ] [Other components](android-app-pentesting/index.html#other-app-components)
- [ ] [How to use ADB](android-app-pentesting/index.html#adb-android-debug-bridge)
- [ ] [How to modify Smali](android-app-pentesting/index.html#smali)
### [Static Analysis](android-app-pentesting/index.html#static-analysis)
- [ ] Check for the use of [obfuscation](android-checklist.md#some-obfuscation-deobfuscation-information), and check whether the app detects a rooted device, an emulator, or tampering. [Read this for more info](android-app-pentesting/index.html#other-checks).
- [ ] Sensitive applications (such as banking apps) should check whether the device is rooted and act accordingly.
- [ ] Search for [interesting strings](android-app-pentesting/index.html#looking-for-interesting-info) (passwords, URLs, APIs, encryption, backdoors, tokens, Bluetooth UUIDs...).
- [ ] Pay special attention to [firebase](android-app-pentesting/index.html#firebase) APIs.
- [ ] [Read the manifest of the application:](android-app-pentesting/index.html#basic-understanding-of-the-application-manifest-xml)
- [ ] Check whether the application is in debug mode and try to "exploit" it
- [ ] Check whether the APK allows backups
- [ ] Exported Activities
- [ ] Content Providers
- [ ] Exposed Services
- [ ] Broadcast Receivers
- [ ] URL Schemes
- [ ] Is the application [saving data insecurely internally or externally](android-app-pentesting/index.html#insecure-data-storage)?
- [ ] Is there any [password hard-coded or saved on disk](android-app-pentesting/index.html#poorkeymanagementprocesses)? Is the app [using insecure crypto algorithms](android-app-pentesting/index.html#useofinsecureandordeprecatedalgorithms)?
- [ ] Were all the native libraries compiled with the PIE flag?
- [ ] Don't forget that there are a number of [static Android analyzers](android-app-pentesting/index.html#automatic-analysis) that can help you a lot during this phase.
- [ ] `android:exported` **is mandatory on Android 12+**; misconfigured components can allow external intent invocation.
- [ ] Review the **Network Security Config** (`networkSecurityConfig` XML) for `cleartextTrafficPermitted="true"` or custom domain overrides.
- [ ] Look for **Play Integrity / SafetyNet / DeviceCheck** calls and verify whether the standard attestation can be hooked/bypassed.
- [ ] Review **App Links / Deep Links** (`android:autoVerify`) for intent redirection or open redirect issues.
- [ ] Identify uses of **WebView.addJavascriptInterface** or `loadData*()` that could lead to in-app RCE / XSS.
- [ ] Analyze cross-platform bundles (Flutter `libapp.so`, React-Native JS bundles, Capacitor/Ionic assets). Dedicated tools:
  - `flutter-packer`, `fluttersign`, `rn-differ`
- [ ] Scan third-party native libraries for known CVEs (e.g., **libwebp CVE-2023-4863**, **libpng**, etc.).
- [ ] Evaluate **Semgrep Mobile rules**, **Pithus** and the latest AI-assisted **MobSF ≥ 3.9** findings for additional results.
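As an added example (not HackTricks' own code), the script below automates several of the manifest and Network Security Config items above: it parses a constructed `AndroidManifest.xml` and `network_security_config.xml` and reports `debuggable`, `allowBackup`, components exported without a permission, intent-filters lacking an explicit `android:exported`, and the scopes where cleartext traffic is permitted.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
COMPONENTS = ("activity", "service", "receiver", "provider")

# Constructed sample manifest (not from a real app) with several weak settings.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application android:debuggable="true" android:allowBackup="true">
    <activity android:name=".AdminActivity" android:exported="true"/>
    <service android:name=".SyncService" android:exported="true" android:permission="com.example.SYNC"/>
    <receiver android:name=".LegacyReceiver">
      <intent-filter><action android:name="com.example.PING"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed network_security_config.xml that re-enables cleartext for one domain.
SAMPLE_NSC = """<network-security-config>
  <base-config cleartextTrafficPermitted="false"/>
  <domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="true">legacy.example.com</domain>
  </domain-config>
</network-security-config>"""

def check_manifest(manifest_xml):
    # Findings for the debuggable / allowBackup / exported-component checklist items.
    findings = []
    app = ET.fromstring(manifest_xml).find("application")
    if app.get(NS + "debuggable") == "true":
        findings.append("application is debuggable")
    if app.get(NS + "allowBackup") != "false":
        findings.append("allowBackup not disabled (adb backup may dump app data)")
    for comp in (c for c in app if c.tag in COMPONENTS):
        name, exported = comp.get(NS + "name"), comp.get(NS + "exported")
        if exported is None and comp.find("intent-filter") is not None:
            # Implicitly exported before Android 12; on 12+ the install is rejected.
            findings.append(f"{comp.tag} {name}: intent-filter without android:exported")
        elif exported == "true" and comp.get(NS + "permission") is None:
            findings.append(f"{comp.tag} {name}: exported without a permission")
    return findings

def cleartext_scopes(nsc_xml):
    # Base config and domains where cleartextTrafficPermitted="true".
    scopes = []
    for cfg in ET.fromstring(nsc_xml):
        if cfg.get("cleartextTrafficPermitted") == "true":
            scopes.extend([cfg.tag] if cfg.tag == "base-config" else [d.text for d in cfg.findall("domain")])
    return scopes
```

Run it against a manifest decoded with apktool (binary AXML must be decoded first); a launcher activity will legitimately show up as exported without a permission, so triage that entry by hand.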
### [Dynamic Analysis](android-app-pentesting/index.html#dynamic-analysis)
- [ ] Prepare the environment ([online](android-app-pentesting/index.html#online-dynamic-analysis), [local VM or physical device](android-app-pentesting/index.html#local-dynamic-analysis))
- [ ] Is there any [unintended data leakage](android-app-pentesting/index.html#unintended-data-leakage) (logging, copy/paste, crash logs)?
- [ ] [Confidential information stored in SQLite databases](android-app-pentesting/index.html#sqlite-dbs)?
- [ ] [Exploitable exported Activities](android-app-pentesting/index.html#exploiting-exported-activities-authorisation-bypass)?
- [ ] [Exploitable Content Providers](android-app-pentesting/index.html#exploiting-content-providers-accessing-and-manipulating-sensitive-information)?
- [ ] [Exploitable exposed Services](android-app-pentesting/index.html#exploiting-services)?
- [ ] [Exploitable Broadcast Receivers](android-app-pentesting/index.html#exploiting-broadcast-receivers)?
- [ ] Is the application [transmitting information in clear text or using weak algorithms](android-app-pentesting/index.html#insufficient-transport-layer-protection)? Is a MitM possible?
- [ ] [Inspect HTTP/HTTPS traffic](android-app-pentesting/index.html#inspecting-http-traffic)
- [ ] This one is really important, because if you can capture the HTTP traffic you can search for common Web vulnerabilities (Hacktricks has a lot of information about Web vulnerabilities).
- [ ] Check for possible [Android Client Side Injections](android-app-pentesting/index.html#android-client-side-injections-and-others) (some static code analysis will probably help here)
- [ ] [Frida](android-app-pentesting/index.html#frida): just Frida, use it to obtain interesting dynamic data from the application (maybe some passwords...)
- [ ] Test **Tapjacking / animation-driven attacks (TapTrap 2025)** even on Android 15+ (no overlay permission required).
- [ ] Test **overlay / SYSTEM_ALERT_WINDOW clickjacking** and **Accessibility Service abuse** for privilege escalation.
- [ ] Check whether `adb backup` / `bmgr backupnow` can still dump app data (apps that forgot to disable `allowBackup`).
- [ ] Explore **Binder-level LPEs** (e.g., **CVE-2023-20963, CVE-2023-20928**); use kernel fuzzers or PoCs if permitted.
- [ ] If Play Integrity / SafetyNet is enforced, try runtime hooks (`Frida Gadget`, `MagiskIntegrityFix`, `Integrity-faker`) or network-level replay.
- [ ] Automate with modern tooling:
  - **Objection > 2.0**, **Frida 17+**, **NowSecure-Tracer (2024)**
  - Full-system dynamic tracing with `perfetto` / `simpleperf`.
### Some obfuscation/Deobfuscation information
- [ ] [Read here](android-app-pentesting/index.html#obfuscating-deobfuscating-code)
{{#include ../banners/hacktricks-training.md}}