Android APK Checklist
Tip
Learn & practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking:
HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Learn Android fundamentals
- Basics
- Dalvik & Smali
- Entry points
- Activities
- URL Schemes
- Content Providers
- Services
- Broadcast Receivers
- Intents
- Intent Filter
- Other components
- How to use ADB
- How to modify Smali
Static Analysis
- Check for the use of obfuscation, and for root detection, emulator detection and anti-tampering checks. Read this for more info.
- Sensitive applications (e.g. banking) should check whether the device is rooted and act accordingly.
- Search for interesting strings (passwords, URLs, API, encryption, backdoors, tokens, Bluetooth uuids…).
- Pay special attention to Firebase APIs.
- Read the manifest:
- Check whether the application is debuggable (android:debuggable) and try to exploit it (run-as into its data directory, attach a JDWP debugger).
- Check whether the APK allows backups (android:allowBackup).
- Exported Activities
- Unity Runtime: exported UnityPlayerActivity/UnityPlayerGameActivity with a `unity` CLI extras bridge. Test `-xrsdk-pre-init-library <abs-path>` for pre-init `dlopen()` RCE. See Intent Injection → Unity Runtime.
- Content Providers
- Exposed services
- Broadcast Receivers
- URL Schemes
- Is the application saving data insecurely internally or externally?
- Is there any password hard coded or saved on disk? Is the app using insecure crypto algorithms?
- Are all the native libraries compiled with the PIE flag?
- Don't forget that there are a bunch of static Android analyzers that can help you a lot during this phase.
- android:exported is mandatory on Android 12+ for components that declare an intent filter; misconfigured exported components can be invoked by external intents.
- Review the Network Security Config (the networkSecurityConfig XML) for cleartextTrafficPermitted="true" or domain-specific overrides.
- Look for calls to Play Integrity / SafetyNet / DeviceCheck and determine whether the custom attestation can be hooked or bypassed.
- Review App Links / Deep Links (android:autoVerify) for intent-redirection or open-redirect issues.
- Identify use of WebView.addJavascriptInterface or loadData*(), which can lead to RCE / XSS inside the app.
- Analyze cross-platform bundles (Flutter libapp.so, React-Native JS bundles, Capacitor/Ionic assets). Dedicated tooling: flutter-packer, fluttersign, rn-differ.
- Scan third-party native libraries for known CVEs (e.g. libwebp CVE-2023-4863, libpng, etc.).
- Evaluate Semgrep Mobile rules, Pithus and the latest MobSF (≥ 3.9) AI-assisted scan results for additional findings.
- Check OEM ROM additions (OxygenOS/ColorOS/MIUI/OneUI) for extra exported ContentProviders that bypass permissions; try `content query --uri content://com.android.providers.telephony/ServiceNumberProvider` without READ_SMS (e.g. OnePlus CVE-2025-10184).
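The manifest and Network Security Config items above can be scripted against a decoded manifest (e.g. the output of `apktool d app.apk`). The Python triage script below is an added example written for this checklist; it is not HackTricks tooling or any of the analyzers named above. The manifest and NSC it parses are constructed inline so that each check fires: debuggable, allowBackup left on, a component with an intent filter but no android:exported on targetSdk 31+, an exported component without a permission, a provider that sets only readPermission (so insert/update/delete are unguarded), an autoVerify App Link plus a custom scheme, and an NSC domain override that permits cleartext and trusts user-installed CAs.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")


def a(attr):
    """ElementTree key for an android:<attr> attribute."""
    return "{%s}%s" % (ANDROID_NS, attr)


def triage_nsc(nsc_xml):
    """Findings from network_security_config.xml: cleartext allowances and user-CA trust.
    debug-overrides only applies to debuggable builds, but is still reported."""
    out = []
    for cfg in ET.fromstring(nsc_xml):
        if cfg.tag not in ("base-config", "domain-config", "debug-overrides"):
            continue
        scope = ", ".join(d.text for d in cfg.findall("domain")) or cfg.tag
        if cfg.get("cleartextTrafficPermitted") == "true":
            out.append("NSC: cleartext traffic permitted for " + scope)
        anchors = cfg.find("trust-anchors")
        if anchors is not None and any(c.get("src") == "user" for c in anchors.findall("certificates")):
            out.append("NSC: user-installed CAs trusted for " + scope + " (proxy MitM works without a pinning bypass)")
    return out


def triage_manifest(manifest_xml, nsc_xml=None):
    """Return checklist findings for a decoded AndroidManifest.xml (plus an optional NSC)."""
    findings = []
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    sdk = root.find("uses-sdk")
    target = int(sdk.get(a("targetSdkVersion"), "0")) if sdk is not None else 0

    if app.get(a("debuggable")) == "true":
        findings.append("application: android:debuggable=true (run-as into the data dir, JDWP attach)")
    if app.get(a("allowBackup"), "true") == "true":  # the attribute defaults to true
        findings.append("application: allowBackup not disabled (adb backup / bmgr may dump app data)")
    cleartext = app.get(a("usesCleartextTraffic"))
    if cleartext == "true" or (cleartext is None and target < 28 and app.get(a("networkSecurityConfig")) is None):
        findings.append("application: cleartext traffic allowed (explicit, or the pre-API-28 default)")

    for comp in app:
        if comp.tag not in COMPONENT_TAGS:
            continue
        label = "%s %s" % (comp.tag, comp.get(a("name")))
        filters = comp.findall("intent-filter")
        is_launcher = any(c.get(a("name")) == "android.intent.category.LAUNCHER"
                          for f in filters for c in f.findall("category"))
        exported = comp.get(a("exported"))
        if exported is None and filters:   # intent filters imply exported; Android 12+ rejects the install
            findings.append(label + (": android:exported missing although it has an intent-filter (mandatory on Android 12+)"
                                     if target >= 31 else ": implicitly exported via intent-filter"))
        elif exported == "true" and not is_launcher:
            if not (comp.get(a("permission")) or comp.get(a("readPermission")) or comp.get(a("writePermission"))):
                findings.append(label + ": exported without any permission")
        if comp.tag == "provider" and exported == "true" and comp.get(a("readPermission")) \
                and not (comp.get(a("writePermission")) or comp.get(a("permission"))):
            findings.append(label + ": readPermission set but writes (insert/update/delete) are unprotected")
        for f in filters:
            if f.get(a("autoVerify")) == "true":
                findings.append(label + ": verified App Link (test for open redirect / intent redirection)")
            for d in f.findall("data"):
                scheme = d.get(a("scheme"))
                if scheme and scheme not in ("http", "https"):
                    findings.append(label + ": custom URL scheme %s://" % scheme)

    if nsc_xml is not None:
        findings.extend(triage_nsc(nsc_xml))
    return findings


# Constructed sample inputs (not from any real app), one trigger per check.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.target">
  <uses-sdk android:targetSdkVersion="31"/>
  <application android:debuggable="true" android:allowBackup="true" android:networkSecurityConfig="@xml/nsc">
    <activity android:name=".MainActivity" android:exported="true"><intent-filter>
      <action android:name="android.intent.action.MAIN"/><category android:name="android.intent.category.LAUNCHER"/>
    </intent-filter></activity>
    <activity android:name=".DeepLinkActivity" android:exported="true"><intent-filter android:autoVerify="true">
      <action android:name="android.intent.action.VIEW"/>
      <data android:scheme="https" android:host="example.com"/><data android:scheme="myapp"/>
    </intent-filter></activity>
    <service android:name=".SyncService"><intent-filter><action android:name="com.example.SYNC"/></intent-filter></service>
    <provider android:name=".DataProvider" android:authorities="com.example.target.data"
              android:exported="true" android:readPermission="com.example.target.READ"/>
    <receiver android:name=".BootReceiver" android:exported="false"/>
  </application></manifest>"""

SAMPLE_NSC = """<network-security-config>
  <base-config cleartextTrafficPermitted="false"><trust-anchors><certificates src="system"/></trust-anchors></base-config>
  <domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="true">legacy.example.com</domain>
    <trust-anchors><certificates src="user"/></trust-anchors>
  </domain-config></network-security-config>"""
```

Against a real target, feed it the decoded files, e.g. `triage_manifest(open("app/AndroidManifest.xml").read(), open("app/res/xml/network_security_config.xml").read())`; the script expects text XML, not the binary manifest inside the APK, and the launcher activity is skipped on purpose because it must be exported. The provider check is the one people miss: with only readPermission set and neither writePermission nor permission, reads are guarded but insert/update/delete are open to any app.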
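For the PIE question (and the NX-stack and RELRO hardening that belong with it), here is an added Python example, not part of the original page: it reads only the ELF header and program headers, so it runs over every native file in an APK quickly. Shared libraries are always ET_DYN, so for lib/*.so the interesting signals are the stack and RELRO flags; the PIE bit matters for standalone executables the app ships under assets/ and runs. The ELF images and the APK in the block are constructed fixtures, not real binaries.

```python
import io
import struct
import zipfile

ET_EXEC, ET_DYN = 2, 3
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X = 0x1


def elf_hardening(data):
    """Read the ELF header and program headers of `data` and report PIE (ET_DYN),
    non-executable stack (PT_GNU_STACK without PF_X) and RELRO (PT_GNU_RELRO present).
    Handles ELF32/ELF64 in either byte order; nothing past the program headers is read."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = data[4] == 2
    end = "<" if data[5] == 1 else ">"
    fmt = end + ("16sHHIQQQIHHHHHH" if is64 else "16sHHIIIIIHHHHHH")
    hdr = struct.unpack(fmt, data[:struct.calcsize(fmt)])
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]

    nx_stack = False          # a missing PT_GNU_STACK is treated as unhardened
    relro = False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if is64:              # Elf64_Phdr starts with p_type, p_flags
            p_type, p_flags = struct.unpack(end + "II", data[off:off + 8])
        else:                 # Elf32_Phdr keeps p_flags at entry offset 24
            p_type = struct.unpack(end + "I", data[off:off + 4])[0]
            p_flags = struct.unpack(end + "I", data[off + 24:off + 28])[0]
        if p_type == PT_GNU_STACK:
            nx_stack = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = True
    return {"pie": e_type == ET_DYN, "nx_stack": nx_stack, "relro": relro}


def audit_apk_natives(apk):
    """Run elf_hardening() over every ELF under lib/ or assets/ in an APK.
    `apk` may be a path or a file-like object (an APK is a zip)."""
    report = {}
    with zipfile.ZipFile(apk) as z:
        for name in z.namelist():
            if name.startswith(("lib/", "assets/")):
                blob = z.read(name)
                if blob[:4] == b"\x7fELF":
                    report[name] = elf_hardening(blob)
    return report


def build_test_elf64(e_type, stack_flags, with_relro):
    """Constructed minimal ELF64/AArch64 image: a header plus one or two program
    headers and no code. Test fixture only, not a real library."""
    phdrs = [(PT_GNU_STACK, stack_flags)] + ([(PT_GNU_RELRO, 0x4)] if with_relro else [])
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # ELFCLASS64, LSB, v1, SYSV
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", e_ident, e_type, 0xB7, 1,
                       0, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    return ehdr + body


def build_test_apk():
    """Constructed in-memory APK with one hardened .so and one unhardened helper binary."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("lib/arm64-v8a/libhardened.so", build_test_elf64(ET_DYN, 0x6, True))   # RW stack, RELRO
        z.writestr("assets/bin/helper", build_test_elf64(ET_EXEC, 0x7, False))           # RWX stack, no PIE
        z.writestr("classes.dex", b"dex\n035\x00")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for name, props in audit_apk_natives(build_test_apk()).items():
        print(name, props)
```

The same three properties are what `readelf -h` (Type: DYN) and `readelf -lW` (GNU_STACK flags, GNU_RELRO segment) show; the script just avoids unpacking the APK and running readelf per file. It does not detect stack canaries or FORTIFY, which need the symbol table.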
Dynamic Analysis
- Prepare the environment (online, local VM or physical device)
- Is there any unintended data leakage (logging, copy/paste, crash logs)?
- Confidential information being saved in SQLite dbs?
- Exploitable exposed Activities?
- Exploitable Content Providers?
- Exploitable exposed Services?
- Exploitable Broadcast Receivers?
- Is the application transmitting information in clear text or using weak algorithms? Is a MitM possible?
- Inspect HTTP/HTTPS traffic
- This is really important: if you can intercept the HTTP traffic you can hunt for common web vulnerabilities (HackTricks has a lot of information about web vulns).
- Check for possible Android Client Side Injections (static code analysis will probably help here)
- Frida: Just Frida, use it to obtain interesting dynamic data from the application (maybe some passwords…)
- Test for Tapjacking / animation-driven attacks (TapTrap 2025) even on Android 15+ (no overlay permission required).
- Try overlay / SYSTEM_ALERT_WINDOW clickjacking and Accessibility Service abuse for privilege escalation.
- Check whether `adb backup` / `bmgr backupnow` can still dump app data (apps that forgot to disable allowBackup).
- Probe for Binder-level LPEs (e.g., CVE-2023-20963, CVE-2023-20928); use kernel fuzzers or PoCs if permitted.
- If Play Integrity / SafetyNet is enforced, try runtime hooks (Frida Gadget, MagiskIntegrityFix, Integrity-faker) or replay at the network level. Recent Play Integrity Fix forks (≥ 17.x) embed playcurl; focus on ZygiskNext + PIF + ZygiskAssistant/TrickyStore combinations to regain DEVICE/STRONG verdicts.
- Instrument with modern tooling:
  - Objection > 2.0, Frida 17+ (Android 16 support, ART offset fixes), NowSecure-Tracer (2024)
  - Dynamic system-wide tracing with perfetto/simpleperf.
- For OEM telephony/provider bugs (e.g. OxygenOS CVE-2025-10184), try permission-less SMS read/send via the `content` CLI or an in-app ContentResolver; test for blind SQLi in `update()` to exfiltrate rows.
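On the adb backup item: once `adb backup -f app.ab -noapk <pkg>` produces a file, the .ab format is an "ANDROID BACKUP" header (magic, format version, compressed flag, encryption algorithm, each newline-terminated) followed by a zlib-compressed tar of the app's data directory. The Python below is an added example, not HackTricks code, that strips the header and lists the files so you can inspect databases and shared preferences without extracting to disk. The sample backup it parses is constructed inline; encrypted backups (those with an algorithm other than none) are refused rather than guessed at, since they need the user's backup password.

```python
import io
import tarfile
import zlib


def ab_to_tar(ab_bytes):
    """Strip the 'ANDROID BACKUP' header from an adb backup (.ab) file and return the
    tar archive bytes. Refuses encrypted backups, which require the backup password
    (android-backup-extractor handles those)."""
    parts = ab_bytes.split(b"\n", 4)          # 4 header lines, then the payload
    if len(parts) < 5 or parts[0] != b"ANDROID BACKUP":
        raise ValueError("not an adb backup file")
    _version, compressed, encryption, payload = parts[1:]
    if encryption != b"none":
        raise ValueError("encrypted backup (%s); password required" % encryption.decode())
    return zlib.decompress(payload) if compressed == b"1" else payload


def list_backup(ab_bytes):
    """Return {path: content} for every regular file in the backup, e.g.
    apps/<pkg>/db/*.db, apps/<pkg>/sp/*.xml, apps/<pkg>/f/*."""
    tar = tarfile.open(fileobj=io.BytesIO(ab_to_tar(ab_bytes)), mode="r:")
    return {m.name: tar.extractfile(m).read() for m in tar.getmembers() if m.isfile()}


def build_test_backup(files, compressed=True):
    """Constructed unencrypted version-5 .ab file from a {path: bytes} dict. Test fixture
    standing in for the output of `adb backup -f app.ab -noapk <pkg>`."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tar:
        for path, content in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    payload = zlib.compress(buf.getvalue()) if compressed else buf.getvalue()
    return b"ANDROID BACKUP\n5\n%d\nnone\n" % (1 if compressed else 0) + payload


# Constructed contents mimicking what a backup of an app that left allowBackup on might hold.
SAMPLE_FILES = {
    "apps/com.example.target/db/app.db": b"SQLite format 3\x00session_token=abc123",
    "apps/com.example.target/sp/prefs.xml": b'<map><string name="pin">1234</string></map>',
}

if __name__ == "__main__":
    for path, content in list_backup(build_test_backup(SAMPLE_FILES)).items():
        print(path, len(content), "bytes")
```

If `adb backup` returns an empty .ab (header only, or a tar with just the apps/<pkg>/_manifest entry), the app has either disabled allowBackup or excluded everything through fullBackupContent / dataExtractionRules; on Android 12+ the `adb backup` path is additionally limited to debuggable apps, which is why `bmgr backupnow` against a local transport is worth trying as well.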
Some obfuscation/Deobfuscation information
References
- CVE-2025-59489: Arbitrary Code Execution in Unity Runtime (blog)
- Rapid7: CVE-2025-10184 OnePlus OxygenOS Telephony provider permission bypass
- TapTrap: animation-based tapjacking research (TU Wien)