Android APK Checklist

Tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Learn Android fundamentals

Static Analysis

  • Check for obfuscation, root detection, emulator detection and anti-tampering checks. Read this for more info.
  • Sensitive applications (like banking apps) should detect a rooted device and act accordingly (e.g., refuse to run or limit functionality).
  • Search for interesting strings (passwords, URLs, API endpoints, encryption keys, backdoors, tokens, Bluetooth UUIDs…).
  • Read the manifest:
    • Check whether the application is debuggable (android:debuggable="true") and try to “exploit” it (a debugger can be attached and run-as works against a debuggable app).
    • Check whether backups are allowed (android:allowBackup, which defaults to true).
    • Exported Activities
      • Unity Runtime: an exported UnityPlayerActivity/UnityPlayerGameActivity exposes a Unity command-line bridge through intent extras. Test -xrsdk-pre-init-library <abs-path> for a pre-init dlopen() RCE. See Intent Injection → Unity Runtime.
    • Content Providers
    • Exposed services
    • Broadcast Receivers
    • URL Schemes
  • Is the application saving data insecurely, in internal or external storage?
  • Are there hard-coded passwords, or passwords saved on disk? Does the app use insecure crypto algorithms?
  • Are all the native libraries compiled with the PIE flag?
  • Don’t forget that there are plenty of static Android analysers that can help you a lot during this phase.
  • android:exported must be declared explicitly for components with intent filters when targeting Android 12+; a misconfigured exported component can be invoked by any other app.
  • Review the Network Security Config (networkSecurityConfig XML) for cleartextTrafficPermitted="true" or domain-specific overrides.
  • Look for calls to Play Integrity / SafetyNet / DeviceCheck – determine whether custom attestation can be hooked/bypassed.
  • Inspect App Links / Deep Links (android:autoVerify) for intent-redirection or open-redirect issues.
  • Identify usage of WebView.addJavascriptInterface or loadData*() that may lead to RCE / XSS inside the app (addJavascriptInterface gives full reflection-based RCE when targeting API < 17; on newer targets only methods annotated with @JavascriptInterface are reachable).
  • Analyse cross-platform bundles (Flutter libapp.so, React-Native JS bundles, Capacitor/Ionic assets). Dedicated tooling:
    • flutter-packer, fluttersign, rn-differ
  • Scan third-party native libraries for known CVEs (e.g., libwebp CVE-2023-4863, libpng, etc.).
  • Evaluate Semgrep mobile rules, Pithus and the latest MobSF (≥ 3.9, AI-assisted scan) results for additional findings.
  • Check OEM ROM add-ons (OxygenOS/ColorOS/MIUI/OneUI) for extra exported ContentProviders that bypass permissions; e.g., try content query --uri content://com.android.providers.telephony/ServiceNumberProvider without holding READ_SMS (OnePlus CVE-2025-10184).
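The manifest and Network Security Config items above, as an added example that is not HackTricks' or any project's own code: a script that parses a decoded AndroidManifest.xml and network_security_config.xml and reports debuggable/allowBackup, the components other apps can reach (explicitly exported, or implicitly exported through an intent-filter on pre-API-31 targets) without an android:permission, and which hosts may use cleartext or user-installed CAs. The package name, component names and domains are constructed samples, not a real app.

```python
"""Triage a decoded AndroidManifest.xml and network_security_config.xml.
Added example, not HackTricks tooling: feed it the files `apktool d app.apk`
produces; constructed samples are embedded so it runs offline."""
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # prefix of every android: attribute
COMPONENTS = ("activity", "activity-alias", "service", "receiver", "provider")

def triage_manifest(manifest_xml):
    """Flag debuggable/allowBackup and list components other apps can reach."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    out = {
        "package": root.get("package"),
        "debuggable": app.get(A + "debuggable") == "true",
        "allowBackup": app.get(A + "allowBackup") != "false",  # default is true
        "exported": [],             # android:exported="true"
        "implicitly_exported": [],  # intent-filter but no attribute: exported before API 31
    }
    for comp in app:
        if comp.tag not in COMPONENTS:
            continue
        entry = {"type": comp.tag, "name": comp.get(A + "name"),
                 "permission": comp.get(A + "permission")}
        exported = comp.get(A + "exported")
        if exported == "true":
            out["exported"].append(entry)
        elif exported is None and comp.find("intent-filter") is not None:
            # targetSdk 31+ refuses to install this; older targets export it silently
            out["implicitly_exported"].append(entry)
    return out

def unprotected(findings):
    """Reachable components with no android:permission: any app can invoke them."""
    return [c["name"] for c in findings["exported"] + findings["implicitly_exported"]
            if c["permission"] is None]

def _walk_domain_configs(node, inherited, out):
    # a nested <domain-config> inherits cleartextTrafficPermitted from its parent
    for dc in node.findall("domain-config"):
        flag = dc.get("cleartextTrafficPermitted")
        allowed = inherited if flag is None else flag == "true"
        if allowed:
            out.extend(d.text.strip() for d in dc.findall("domain"))
        _walk_domain_configs(dc, allowed, out)

def _trusts_user_cas(section):
    return section is not None and any(
        c.get("src") == "user" for c in section.iter("certificates"))

def triage_nsc(nsc_xml, target_sdk):
    """Hosts allowed to use cleartext, and whether user-installed CAs are trusted."""
    root = ET.fromstring(nsc_xml)
    base = root.find("base-config")
    base_cleartext = target_sdk < 28  # platform default when base-config is silent
    if base is not None and base.get("cleartextTrafficPermitted") is not None:
        base_cleartext = base.get("cleartextTrafficPermitted") == "true"
    domains = []
    _walk_domain_configs(root, base_cleartext, domains)
    return {
        "base_cleartext": base_cleartext,
        "cleartext_domains": domains,
        # user CAs in base/domain config: an intercepting proxy CA works on release builds
        "user_cas_release": _trusts_user_cas(base) or any(
            _trusts_user_cas(dc) for dc in root.iter("domain-config")),
        # debug-overrides only take effect when android:debuggable="true"
        "user_cas_debug": _trusts_user_cas(root.find("debug-overrides")),
    }

# Constructed samples (not from a real app) standing in for the decoded files.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bank">
  <application android:debuggable="true">
    <activity android:name=".MainActivity" android:exported="true"/>
    <activity android:name=".DeepLinkActivity">
      <intent-filter android:autoVerify="true">
        <action android:name="android.intent.action.VIEW"/>
        <data android:scheme="https" android:host="bank.example"/>
      </intent-filter>
    </activity>
    <provider android:name=".DataProvider" android:authorities="com.example.bank.data"
        android:exported="true"/>
    <service android:name=".SyncService" android:exported="true"
        android:permission="com.example.bank.SYNC"/>
    <receiver android:name=".InternalReceiver" android:exported="false"/>
  </application>
</manifest>"""

SAMPLE_NSC = """<network-security-config>
  <base-config cleartextTrafficPermitted="false">
    <trust-anchors><certificates src="system"/></trust-anchors>
  </base-config>
  <domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="true">legacy.bank.example</domain>
    <domain-config><domain>metrics.bank.example</domain></domain-config>
  </domain-config>
  <debug-overrides>
    <trust-anchors><certificates src="user"/></trust-anchors>
  </debug-overrides>
</network-security-config>"""

if __name__ == "__main__":
    m = triage_manifest(SAMPLE_MANIFEST)
    print(m["package"], "debuggable:", m["debuggable"], "allowBackup:", m["allowBackup"])
    print("unprotected components:", unprotected(m))
    print(triage_nsc(SAMPLE_NSC, target_sdk=30))
```

Run it against the AndroidManifest.xml and res/xml/network_security_config.xml that apktool writes. Pass the app's real targetSdkVersion to triage_nsc, because the platform default for cleartext traffic flips from allowed to blocked at targetSdk 28, so the same config means different things on different targets. Every name that unprotected() returns is a candidate for the exported-component tests in the dynamic section.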

Dynamic Analysis

  • Prepare the environment (online, local VM or physical device)
  • Is there any unintended data leakage (logging, copy/paste buffer, crash logs)?
  • Is confidential information saved in SQLite DBs?
  • Exploitable exposed Activities?
  • Exploitable Content Providers?
  • Exploitable exposed Services?
  • Exploitable Broadcast Receivers?
  • Is the application transmitting information in clear text or using weak algorithms? Is a MitM possible?
  • Inspect HTTP/HTTPS traffic
    • This one is really important: once you can capture the HTTP traffic you can search for common web vulnerabilities (HackTricks has a lot of information about web vulns).
  • Check for possible Android client-side injections (static code analysis will probably help here)
  • Frida: hook the app at runtime to extract interesting dynamic data (passwords, keys, decrypted payloads…)
  • Test for tapjacking / animation-driven attacks (TapTrap 2025), which work even on Android 15+ without the overlay permission.
  • Attempt overlay / SYSTEM_ALERT_WINDOW clickjacking and Accessibility Service abuse for privilege escalation.
  • Check whether adb backup / bmgr backupnow can still dump app data (apps that forgot to set allowBackup="false").
  • Probe for Binder-level LPEs (e.g., CVE-2023-20963, CVE-2023-20928); use kernel fuzzers or PoCs if in scope.
  • If Play Integrity / SafetyNet is enforced, try runtime hooks (Frida Gadget, MagiskIntegrityFix, Integrity-faker) or network-level replay. Recent Play Integrity Fix forks (≥17.x) embed playcurl; focus on ZygiskNext + PIF + ZygiskAssistant/TrickyStore combinations to regain DEVICE/STRONG verdicts.
  • Instrument with modern tooling:
    • Objection > 2.0, Frida 17+ (Android 16 support, ART offset fixes), NowSecure-Tracer (2024)
    • Dynamic system-wide tracing with perfetto / simpleperf.
  • For OEM telephony/provider bugs (e.g., OxygenOS CVE-2025-10184), attempt permission-less SMS read/send via the content CLI or an in-app ContentResolver, and test for blind SQLi in update() to exfiltrate rows.
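Covering the "interesting strings" item in the static list and the data-leakage / SQLite items above, as an added example that is not HackTricks' own tooling: a scanner for an app data directory pulled from a device. It checks shared_prefs and other files with secret signatures and secret-looking key names, and opens every SQLite database to flag secret-looking column names, signature hits and high-entropy cell values. The directory layout, the leaked JWT and the users table are constructed samples, not data from a real app.

```python
"""Scan app data pulled from a device for secrets (prefs, files, SQLite dbs).
Added example, not HackTricks tooling. The input is what `adb pull /data/data/<pkg>`
(rooted device) or an unpacked `adb backup` gives you; the same regexes apply to
res/values/strings.xml and assets of a decoded APK. A constructed directory is
generated by build_sample_app_dir() so the script runs offline."""
import math
import os
import re
import sqlite3
import tempfile

PATTERNS = {  # first-pass signatures; extend per target
    "jwt": re.compile(r"eyJ[\w-]{10,}\.[\w-]{10,}\.[\w-]{10,}"),
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "url_with_creds": re.compile(r"\w[\w+.-]*://[^\s/:@]+:[^\s/@]+@"),
}
SECRET_KEY = re.compile(r"pass(word|wd)?|secret|token|api[_-]?key|auth", re.I)
# <string name="k">v</string> (shared_prefs) or k=v / "k": "v" (properties, JSON)
PAIR = re.compile(r'name="([^"]+)"[^>]*>([^<]{8,})<|"?([\w.-]+)"?\s*[:=]\s*"?([^"\s,]{8,})')
SQLITE_MAGIC = b"SQLite format 3\x00"

def entropy(s):
    """Shannon entropy in bits per char; random base64/hex lands above ~3.5."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def scan_text(text, where):
    hits = [{"where": where, "kind": k, "value": m.group(0)[:48]}
            for k, rx in PATTERNS.items() for m in rx.finditer(text)]
    for m in PAIR.finditer(text):
        key, val = m.group(1) or m.group(3), m.group(2) or m.group(4)
        if SECRET_KEY.search(key):
            hits.append({"where": where, "kind": "named_secret", "value": f"{key}={val[:48]}"})
    return hits

def scan_sqlite(path):
    """Walk every table: flag secret-looking column names and scan each text cell."""
    hits = []
    con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        for (table,) in con.execute("SELECT name FROM sqlite_master WHERE type='table'"):
            cols = [r[1] for r in con.execute(f'PRAGMA table_info("{table}")')]
            hits += [{"where": f"{path}:{table}", "kind": "secret_column", "value": c}
                     for c in cols if SECRET_KEY.search(c)]
            for row in con.execute(f'SELECT * FROM "{table}"'):
                for col, val in zip(cols, row):
                    if isinstance(val, str):
                        hits += scan_text(val, f"{path}:{table}.{col}")
                        if len(val) >= 20 and " " not in val and entropy(val) > 3.5:
                            hits.append({"where": f"{path}:{table}.{col}",
                                         "kind": "high_entropy", "value": val[:48]})
    finally:
        con.close()
    return hits

def scan_app_data(root):
    """Recurse over a pulled /data/data/<pkg> tree; sniff SQLite by header, not extension."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                head = fh.read(16)
            if head == SQLITE_MAGIC:
                hits += scan_sqlite(path)
            else:
                with open(path, "r", errors="ignore") as fh:
                    hits += scan_text(fh.read(), path)
    return hits

def build_sample_app_dir():
    """Constructed /data/data/<pkg> layout with a leaked JWT and a plaintext password."""
    root = tempfile.mkdtemp(prefix="com.example.bank-")
    os.makedirs(os.path.join(root, "shared_prefs"))
    os.makedirs(os.path.join(root, "databases"))
    jwt = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0In0.c2lnbmF0dXJlX3BsYWNlaG9sZGVy"
    with open(os.path.join(root, "shared_prefs", "com.example.bank_preferences.xml"), "w") as fh:
        fh.write('<?xml version="1.0" encoding="utf-8"?>\n<map>\n'
                 f'  <string name="auth_token">{jwt}</string>\n'
                 '  <string name="theme">dark</string>\n</map>\n')
    con = sqlite3.connect(os.path.join(root, "databases", "app.db"))
    con.execute("CREATE TABLE users (id INTEGER, email TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES (1, 'alice@example.com', 'hunter2hunter2')")
    con.commit()
    con.close()
    return root

if __name__ == "__main__":
    for h in scan_app_data(build_sample_app_dir()):
        print(h["kind"], h["where"], h["value"])
```

Point scan_app_data() at the directory you pulled; databases are recognised by their header, so renamed or extension-less SQLite files are still opened. Treat high_entropy hits as leads rather than findings: hashes, device IDs and base64 blobs trip the threshold too, so confirm each one by locating where the app writes it.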

Some obfuscation/Deobfuscation information
