[A]ndroid [A]pplication [P]entest [G]uide
  • AAPG
  • 1. MANUAL STATIC ANALYSIS
    • 1.1 Decompile APK
    • 1.2 Check certificate
    • 1.3 Analyze AndroidManifest.xml
    • 1.4 Source Code Analysis
  • 2. AUTOMATED STATIC ANALYSIS
  • 3. MANUAL DYNAMIC ANALYSIS
    • 3.1 Install application & use it
    • 3.2 Bypass detections
    • 3.3 Analyze local storage
    • 3.4 Attack surface
      • 3.4.1 Activities
      • 3.4.2 ContentProvider
      • 3.4.3 Services
    • 3.5 Log analysis
    • 3.6 More HOW and WHAT! (still work in progress)
  • 4. APK TAMPERING
    • 4.1 DIY - Simple Reverse Meterpreter (Non-Xamarin)
    • 4.2 Quick Proof-of-Concept (Meterpreter)
Powered by GitBook
On this page

Was this helpful?

  1. 3. MANUAL DYNAMIC ANALYSIS

3.1 Install application & use it

adb install path/to/app_name.apk

  • In case it does not work:

    • copy apk to phone and install it directly: adb push app_name.apk /sdcard/

    • download apk on phone and install it

------------------------------------------------------------
!!!!!INTERCEPT THE WHOLE TRAFFIC FROM THE BEGINNING ON!!!!!!
------------------------------------------------------------

  • Log in -> Browse around -> load content & so on ...

  • Look for:

    • File up/download

      • try to bypass fileupload/-filter (often there is only a client-side validation)

    • Activity behavior & functionality

    • ANYTHING which indicates a communication to a backend/api or might be stored locally

  • Check your proxy and look for suspicious behavior, requests, new/different endpoints & so on ...

Previous3. MANUAL DYNAMIC ANALYSISNext3.2 Bypass detections

Last updated 5 years ago

Was this helpful?