Android APK チェックリスト

Tip

AWSハッキングを学び、実践する:HackTricks Training AWS Red Team Expert (ARTE)
GCPハッキングを学び、実践する:HackTricks Training GCP Red Team Expert (GRTE) Azureハッキングを学び、実践する:HackTricks Training Azure Red Team Expert (AzRTE)

HackTricksをサポートする

Android の基本を学ぶ

Static Analysis

  • Check for the use of obfuscation, checks for noting if the mobile was rooted, if an emulator is being used and anti-tampering checks. Read this for more info.
  • 機微なアプリ(銀行アプリ等)は mobile が rooted かどうかを確認し、その結果に応じた対処を行うべきです。
  • 興味深い文字列を検索する(パスワード、URLs、API、暗号化、backdoors、tokens、Bluetooth uuids…)。詳しくは looking for interesting info を参照。
  • 特に firebase APIs に注意。
  • マニフェストを読む:
  • アプリが debug モードかどうかを確認し、可能なら「悪用」してみる。
  • APK が backups を許可しているか確認する。
  • Exported Activities を確認する。
  • Unity Runtime: exported UnityPlayerActivity/UnityPlayerGameActivity with a unity CLI extras bridge. Test -xrsdk-pre-init-library <abs-path> for pre-init dlopen() RCE. See Intent Injection → Unity Runtime.
  • Content Providers を確認する。
  • Exposed services を確認する。
  • Broadcast Receivers を確認する。
  • URL Schemes を確認する。
  • Is the application saving data insecurely internally or externally?
  • Is there any password hard coded or saved in disk? Is the app using insecurely crypto algorithms?
  • All the libraries compiled using the PIE flag?
  • 静的 Android アナライザが多数あることを忘れないでください(static Android Analyzers)。このフェーズで大いに役立ちます。
  • android:exported mandatory on Android 12+ – misconfigured exported components can lead to external intent invocation.
  • Review Network Security Config (networkSecurityConfig XML) for cleartextTrafficPermitted="true" or domain-specific overrides.
  • Look for calls to Play Integrity / SafetyNet / DeviceCheck – determine whether custom attestation can be hooked/bypassed.
  • Inspect App Links / Deep Links (android:autoVerify) for intent-redirection or open-redirect issues.
  • Identify usage of WebView.addJavascriptInterface or loadData*() that may lead to RCE / XSS inside the app.
  • Analyse cross-platform bundles (Flutter libapp.so, React-Native JS bundles, Capacitor/Ionic assets). Dedicated tooling:
  • flutter-packer, fluttersign, rn-differ
  • Scan third-party native libraries for known CVEs (e.g., libwebp CVE-2023-4863, libpng, etc.).
  • Evaluate SEMgrep Mobile rules, Pithus and the latest MobSF ≥ 3.9 AI-assisted scan results for additional findings.
  • Check OEM ROM add-ons (OxygenOS/ColorOS/MIUI/OneUI) for extra exported ContentProviders that bypass permissions; try content query --uri content://com.android.providers.telephony/ServiceNumberProvider without READ_SMS (e.g., OnePlus CVE-2025-10184).

Dynamic Analysis

  • Prepare the environment (online, local VM or physical)
  • Is there any unintended data leakage (logging, copy/paste, crash logs)?
  • Confidential information being saved in SQLite dbs?
  • Exploitable exposed Activities?
  • Exploitable Content Providers?
  • Exploitable exposed Services?
  • Exploitable Broadcast Receivers?
  • Is the application transmitting information in clear text/using weak algorithms? is a MitM possible?
  • Inspect HTTP/HTTPS traffic
  • これは非常に重要です。HTTP トラフィックをキャプチャできれば、Web の一般的な脆弱性を探せます(Hacktricks は Web 脆弱性に関する情報を多数保持しています)。
  • Check for possible Android Client Side Injections (probably some static code analysis will help here)
  • Frida: Just Frida, use it to obtain interesting dynamic data from the application (maybe some passwords…)
  • Test for Tapjacking / Animation-driven attacks (TapTrap 2025) even on Android 15+ (no overlay permission required).
  • Attempt overlay / SYSTEM_ALERT_WINDOW clickjacking and Accessibility Service abuse for privilege escalation.
  • Check if adb backup / bmgr backupnow can still dump app data (apps that forgot to disable allowBackup).
  • Probe for Binder-level LPEs (e.g., CVE-2023-20963, CVE-2023-20928); use kernel fuzzers or PoCs if permitted.
  • If Play Integrity / SafetyNet is enforced, try runtime hooks (Frida Gadget, MagiskIntegrityFix, Integrity-faker) or network-level replay. Recent Play Integrity Fix forks (≥17.x) embed playcurl—focus on ZygiskNext + PIF + ZygiskAssistant/TrickyStore combinations to regain DEVICE/STRONG verdicts.
  • Instrument with modern tooling:
  • Objection > 2.0, Frida 17+ (Android 16 support, ART offset fixes), NowSecure-Tracer (2024)
  • Dynamic system-wide tracing with perfetto / simpleperf.
  • For OEM telephony/provider bugs (e.g., OxygenOS CVE-2025-10184), attempt permission-less SMS read/send via the content CLI or in-app ContentResolver; test blind SQLi in update() to exfiltrate rows.

Some obfuscation/Deobfuscation information

参考

Tip

AWSハッキングを学び、実践する:HackTricks Training AWS Red Team Expert (ARTE)
GCPハッキングを学び、実践する:HackTricks Training GCP Red Team Expert (GRTE) Azureハッキングを学び、実践する:HackTricks Training Azure Red Team Expert (AzRTE)

HackTricksをサポートする