
# Android APK Checklist
{{#include ../banners/hacktricks-training.md}}
### [Learn Android fundamentals](android-app-pentesting/index.html#2-android-application-fundamentals)
- [ ] [Basics](android-app-pentesting/index.html#fundamentals-review)
- [ ] [Dalvik & Smali](android-app-pentesting/index.html#dalvik--smali)
- [ ] [Entry points](android-app-pentesting/index.html#application-entry-points)
- [ ] [Activities](android-app-pentesting/index.html#launcher-activity)
- [ ] [URL Schemes](android-app-pentesting/index.html#url-schemes)
- [ ] [Content Providers](android-app-pentesting/index.html#services)
- [ ] [Services](android-app-pentesting/index.html#services-1)
- [ ] [Broadcast Receivers](android-app-pentesting/index.html#broadcast-receivers)
- [ ] [Intents](android-app-pentesting/index.html#intents)
- [ ] [Intent Filter](android-app-pentesting/index.html#intent-filter)
- [ ] [Other components](android-app-pentesting/index.html#other-app-components)
- [ ] [How to use ADB](android-app-pentesting/index.html#adb-android-debug-bridge)
- [ ] [How to modify Smali](android-app-pentesting/index.html#smali)
### [Static Analysis](android-app-pentesting/index.html#static-analysis)
- [ ] Check for the use of [obfuscation](android-checklist.md#some-obfuscation-deobfuscation-information), for checks that detect whether the device is rooted or an emulator is being used, and for anti-tampering checks. [Read this for more info](android-app-pentesting/index.html#other-checks).
- [ ] Sensitive applications (such as banking apps) should check whether the device is rooted and act accordingly.
- [ ] Search for [interesting strings](android-app-pentesting/index.html#looking-for-interesting-info) (passwords, URLs, APIs, encryption, backdoors, tokens, Bluetooth UUIDs...).
- [ ] Pay special attention to [Firebase](android-app-pentesting/index.html#firebase) APIs.
- [ ] [Read the manifest:](android-app-pentesting/index.html#basic-understanding-of-the-application-manifest-xml)
  - [ ] Check whether the application is in debug mode and try to "exploit" it
  - [ ] Check whether the APK allows backups
  - [ ] Exported Activities
  - [ ] Content Providers
  - [ ] Exposed Services
  - [ ] Broadcast Receivers
  - [ ] URL Schemes
- [ ] Is the application [saving data insecurely internally or externally](android-app-pentesting/index.html#insecure-data-storage)?
- [ ] Is there any [password hard-coded or stored on disk](android-app-pentesting/index.html#poorkeymanagementprocesses)? Does the app use [insecure crypto algorithms](android-app-pentesting/index.html#useofinsecureandordeprecatedalgorithms)?
- [ ] Are all libraries compiled with the PIE flag?
- [ ] Don't forget that there are plenty of [static Android analyzers](android-app-pentesting/index.html#automatic-analysis) that can help you a lot during this phase.
- [ ] `android:exported` is **mandatory on Android 12+**; misconfigured exported components can lead to external intent invocation.
- [ ] Review the **Network Security Config** (`networkSecurityConfig` XML) for `cleartextTrafficPermitted="true"` or domain-specific overrides.
- [ ] Look for calls to **Play Integrity / SafetyNet / DeviceCheck**; determine whether custom attestation can be hooked/bypassed.
- [ ] Examine **App Links / Deep Links** (`android:autoVerify`) for intent-redirection or open-redirect issues.
- [ ] Identify use of **WebView.addJavascriptInterface** or `loadData*()` that could lead to RCE / XSS inside the app.
- [ ] Analyse cross-platform bundles (Flutter `libapp.so`, React-Native JS bundles, Capacitor/Ionic assets). Dedicated tooling:
  - `flutter-packer`, `fluttersign`, `rn-differ`
- [ ] Scan third-party native libraries for known CVEs (e.g. **libwebp CVE-2023-4863**, **libpng**, etc.).
- [ ] Evaluate **Semgrep Mobile rules**, **Pithus** and the latest **MobSF ≥ 3.9** AI-assisted scan results for additional findings.
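
Several of the manifest and Network Security Config checks in this section can be scripted once the APK has been decoded (for example with apktool). The following Python is an added example, not part of HackTricks or of any tool named above: it parses a constructed sample `AndroidManifest.xml` and `network_security_config.xml` and reports the debuggable/`allowBackup`/cleartext settings, components exported without a permission, components that still rely on the pre-Android-12 implicit export through an intent-filter, and `autoVerify` App Links that deserve a redirect review. The sample XML, the function names and the finding strings are my own.

```python
"""Audit a decoded AndroidManifest.xml and network_security_config.xml for the
static-analysis checklist items above. Added example; sample inputs are constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")
LAUNCHER = "android.intent.category.LAUNCHER"


def android_attr(name):
    """Return the namespaced key ElementTree uses for an android:<name> attribute."""
    return "{%s}%s" % (ANDROID_NS, name)


# Constructed sample manifest (not from any real app), deliberately mixing
# safe and unsafe settings so every check below has something to report.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.demo">
  <application android:debuggable="true" android:allowBackup="true"
               android:usesCleartextTraffic="true"
               android:networkSecurityConfig="@xml/network_security_config">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".DeepLinkActivity" android:exported="true">
      <intent-filter android:autoVerify="true">
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="https" android:host="example.com"/>
      </intent-filter>
    </activity>
    <activity android:name=".AdminActivity">
      <intent-filter><action android:name="com.example.demo.ADMIN"/></intent-filter>
    </activity>
    <provider android:name=".DataProvider" android:authorities="com.example.demo.data"
              android:exported="true"/>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.demo.SYNC"/>
    <receiver android:name=".BootReceiver" android:exported="false"/>
  </application>
</manifest>
"""

# Constructed sample res/xml/network_security_config.xml (not from any real app).
SAMPLE_NSC = """
<network-security-config>
  <base-config cleartextTrafficPermitted="false"/>
  <domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="true">legacy.example.com</domain>
  </domain-config>
</network-security-config>
"""


def audit_manifest(xml_text):
    """Return a list of human-readable findings for the manifest checks above."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    findings = []
    if app.get(android_attr("debuggable")) == "true":
        findings.append("application is debuggable")
    # allowBackup defaults to true when the attribute is absent, so absence counts too.
    if app.get(android_attr("allowBackup"), "true") == "true":
        findings.append("allowBackup not disabled")
    if app.get(android_attr("usesCleartextTraffic")) == "true":
        findings.append("usesCleartextTraffic=true")
    for comp in app:
        if comp.tag not in COMPONENT_TAGS:
            continue
        name = comp.get(android_attr("name"))
        exported = comp.get(android_attr("exported"))
        has_filter = comp.find("intent-filter") is not None
        is_launcher = any(c.get(android_attr("name")) == LAUNCHER for c in comp.iter("category"))
        if exported is None and has_filter:
            # Implicitly exported before API 31; on targetSdk 31+ the attribute is mandatory.
            findings.append(f"{comp.tag} {name}: intent-filter without android:exported "
                            "(implicitly exported pre-API 31)")
        elif exported == "true" and comp.get(android_attr("permission")) is None and not is_launcher:
            findings.append(f"{comp.tag} {name}: exported without a permission")
        for flt in comp.findall("intent-filter"):
            if flt.get(android_attr("autoVerify")) == "true":
                hosts = [d.get(android_attr("host")) for d in flt.findall("data")
                         if d.get(android_attr("host"))]
                findings.append(f"{comp.tag} {name}: App Link autoVerify for "
                                f"{', '.join(hosts)}; review redirect handling")
    return findings


def audit_network_security_config(xml_text):
    """Return findings for cleartext permissions in a network_security_config.xml."""
    root = ET.fromstring(xml_text)
    findings = []
    base = root.find("base-config")
    if base is not None and base.get("cleartextTrafficPermitted") == "true":
        findings.append("base-config permits cleartext traffic")
    # domain-config elements may be nested, so walk the whole tree.
    for dc in root.iter("domain-config"):
        if dc.get("cleartextTrafficPermitted") == "true":
            domains = [d.text.strip() for d in dc.findall("domain")]
            findings.append("cleartext permitted for domains: " + ", ".join(domains))
    return findings


if __name__ == "__main__":
    for line in audit_manifest(SAMPLE_MANIFEST) + audit_network_security_config(SAMPLE_NSC):
        print("[!]", line)
```

Point the two functions at the real decoded files instead of the embedded samples to use this on an actual target; the launcher activity is skipped on purpose because it must be exported, and a component exported behind an `android:permission` is only reported if that permission itself turns out to be weak, which this script does not judge.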
### [Dynamic Analysis](android-app-pentesting/index.html#dynamic-analysis)
- [ ] Prepare the environment ([online](android-app-pentesting/index.html#online-dynamic-analysis), [local VM or physical](android-app-pentesting/index.html#local-dynamic-analysis))
- [ ] Is there any [unintended data leakage](android-app-pentesting/index.html#unintended-data-leakage) (logging, copy/paste, crash logs)?
- [ ] [Confidential information stored in SQLite DBs](android-app-pentesting/index.html#sqlite-dbs)?
- [ ] [Exploitable exported Activities](android-app-pentesting/index.html#exploiting-exported-activities-authorisation-bypass)?
- [ ] [Exploitable Content Providers](android-app-pentesting/index.html#exploiting-content-providers-accessing-and-manipulating-sensitive-information)?
- [ ] [Exploitable exposed Services](android-app-pentesting/index.html#exploiting-services)?
- [ ] [Exploitable Broadcast Receivers](android-app-pentesting/index.html#exploiting-broadcast-receivers)?
- [ ] Is the application [transmitting information in clear text or using weak algorithms](android-app-pentesting/index.html#insufficient-transport-layer-protection)? Is a MitM possible?
- [ ] [Inspect HTTP/HTTPS traffic](android-app-pentesting/index.html#inspecting-http-traffic)
  - [ ] This one is really important, because if you can capture the HTTP traffic you can search for common Web vulnerabilities (HackTricks has a lot of information about Web vulnerabilities).
- [ ] Check for possible [Android Client-Side Injections](android-app-pentesting/index.html#android-client-side-injections-and-others) (some static code analysis will probably help here)
- [ ] [Frida](android-app-pentesting/index.html#frida): Just Frida, use it to obtain interesting dynamic data from the application (maybe some passwords...)
- [ ] Test for **Tapjacking / animation-driven attacks (TapTrap 2025)** even on Android 15+ (no overlay permission required).
- [ ] Attempt **overlay / SYSTEM_ALERT_WINDOW clickjacking** and **Accessibility Service abuse** for privilege escalation.
- [ ] Check whether `adb backup` / `bmgr backupnow` can still dump app data (apps that forgot to disable `allowBackup`).
- [ ] Attempt **Binder-level LPEs** (e.g. **CVE-2023-20963, CVE-2023-20928**); use kernel fuzzers or PoCs if permitted.
- [ ] If Play Integrity / SafetyNet is enforced, try runtime hooks (`Frida Gadget`, `MagiskIntegrityFix`, `Integrity-faker`) or network-level replay.
- [ ] Instrument with modern tooling:
  - **Objection > 2.0**, **Frida 17+**, **NowSecure-Tracer (2024)**
  - Dynamic system-wide tracing with `perfetto` / `simpleperf`.
### Some obfuscation/Deobfuscation information
- [ ] [Read here](android-app-pentesting/index.html#obfuscating-deobfuscating-code)
{{#include ../banners/hacktricks-training.md}}