https://developer.android.com/reference/android/Manifest.permission
https://developer.android.com/guide/topics/manifest/manifest-intro
Things to look for in AndroidManifest.xml
- Unnecessary permissions
- Activities with exported = true
- Content providers that are exported
- Hardcoded creds
- backup true
- debug true
Decompile using apktool
apktool d appname.apk # -f -r
or use jadx-gui
Gets a decoded folder:
- assets folder has images, special fonts
- kotlin: some source code is found depending on the app
- lib: to inject objects
- .so files might have keys
- original has AndroidManifest.xml
- smali - has app source code
- dex to jar - smali to human-readable form
Hardcoded strings
resources/strings.xml and xmls.xml
can be found in activity source code
Google API keys can cost people money
Search for keywords like
- id
- password
- api
- http
- https
- key
- clientid
- clientsecret
Look for URLs, buckets, keys, secrets
Use the search feature of jadx
Find locations of DBs
Start an exported activity
am start apppackagename/.activityname
Enumerating AWS Storage buckets
Cloud Enum Link: https://github.com/initstring/cloud_enum
AWS CLI: sudo apt-get install awscli
AWS CLI Documentation: https://aws.amazon.com/cli/
Enumeration of Firebase
Firebase Enum Github: https://github.com/Sambal0x/firebaseEnum
Find endpoints and try to access the url/.json endpoint
Some Firebase areas may be out in the open while some are protected
Automating static analysis
MobSF Github Repo: https://github.com/MobSF/Mobile-Security-Framework-MobSF
MobSF Dependencies: https://mobsf.github.io/docs/#/requirements
wkhtmltopdf to generate PDF Reports: https://wkhtmltopdf.org/downloads.html
What's a deeplink