APK Pentesting Checklist

Resources:

• https://book.hacktricks.xyz/mobile-pentesting/android-checklist

• https://xmind.app/m/GkgaYH/

• https://mobexler.com/checklist.htm

APK Files and Information Gathering

• Get the application directly from the client.

• Download the app from the Play Store and pull it using ADB (rooted or non-rooted devices).

  • adb shell pm list packages -f | grep app_name

  • Find com.package_name

  • adb shell pm path com.package_name

  • adb pull /data/app/com.package_name..apk

• Check for application ecosystem:

  • React Native Application: com.facebook.com.react entry in AndroidManifest.xml

  • Flutter Application: io.flutter folder or flutter.embedding entry in AndroidManifest.xml

• Download APK from third-party sources (APKpure, apk-downloader, apkmirror, apk-dl, androidappsapk).

• Use PlaystoreDownloader for direct APK download from Play Store.

Installing on the Device

• Install from Play Store.

• If APK is on host system, use adb install application.apk.

• Monitor mobile device for permission pop-ups during installation.

Reverse Engineering and Analysis

• Convert .apk file to .zip file and extract.

• Read AndroidManifest.xml using Apktool:

  • Apktool d application.apk

  • cd application

  • Open AndroidManifest.xml in a text editor and analyze.

• Reverse engineering DEX bytecode:

  • Rename application.apk to application.zip and extract.

  • Use d2j-dex2jar -f classes.dex to get Java class files.

  • Use JD-GUI to read Java source code from class files.

Static Analysis (Manually and Automated)

• Analyze Java source code for hardcoded sensitive information.

• Use MobSF for static analysis.

• Check android:debuggable attribute in AndroidManifest.xml.

• Check for typos in custom permissions in AndroidManifest.xml.

• Test for exported activities:

  • Check intent-filters in AndroidManifest.xml.

  • Test execution control of non-exported activities via exported ones using adb.

• Test for exported broadcast receivers in AndroidManifest.xml.

Network Analysis

• Check for SSL pinning and its bypass:

  • Setup Burp proxy or similar.

  • Install certificates for root CA.

  • Capture app traffic.

  • Use Frida and Objection to bypass SSL pinning.

  • Test Frida server functionality with Frida-ps -Ua.

  • Disable SSL pinning with Objection.

Dynamic Analysis

• Analyze app logs using pidcat/logcat:

  • pidcat target-app-package-name

• Check if sensitive information is protected against screenshots:

  • adb shell /system/bin/screencap /sdcard/img.png

  • adb pull /sdcard/img.png

• Test for root detection mechanisms:

  • Install app on rooted device and check for alerts.

• Check shared preferences for persistent login information.

• Check keyboard cache:

  • /data/data/com.android.providers.userdictionary/databases/user_dict.db

  • Use SQLite browser to read user_dict.db.

• Test for vulnerable broadcast receivers:

  • Check for intents sent by broadcasts.

  • Analyze AndroidManifest.xml for exported broadcast receivers.

• Test for intent sniffing:

  • Search for sendBroadcast function in decompiled code.

• Test for deep linking vulnerabilities:

  • Analyze intent filters in AndroidManifest.xml.

• Test for WebView vulnerabilities:

  • Look for @JavascriptInterface, setJavaScriptEnabled, setWebViewClient in smali code.

  • Check for dangerous WebView settings like setAllowFileAccess(true).

• Test for local encryption issues:

  • Check for weak cryptographic algorithms.

  • Inspect app code for encryption configurations and keys.

• Check for storage issues from AndroidManifest.xml:

  • Look for uses-permission: android:name="android.permission.WRITE_EXTERNAL_STORAGE".

  • Check code for file permissions and storage APIs.

  • Inspect external storage for sensitive information.

• Check for secrets in res/values/strings.xml, build configs, and /data/misc/keystore/.

• Check for input validation issues:

  • Test login page for SQL injection.

  • Check URI schemes for input validation.

• Check for access control issues:

  • dentify exported components in AndroidManifest.xml.

  • Attempt to access sensitive information from outside the app using adb.