[A]ndroid [A]pplication [P]entest [G]uide

1.2 Check certificate

openssl pkcs7 -inform DER -in META-INF/*.RSA -noout -print_certs -text

or (optional)

jarsigner -verify -verbose -certs app_name.apk
  • jarsigner --> huge output (each file gets validated)

  • cert location:

    • unzip app_name.apk --> META-INF/*.RSA

    • jadx app_name.apk --> resources/META-INF/*.RSA

  • custom CAs may be defined in res/xml/network_security_config.xml (or a similarly named file)

    • cert-pinning info is also available there (i.e. expiration)

THINGS TO REPORT

  • CN=Android Debug (= debug cert -> publicly known private key)

  • Cert is already expired

  • The CA that issued the server certificate was unknown

  • Cert was self signed

  • The server configuration is missing an intermediate CA

  • No cert-pinning (public key pinning) enabled (if you are able to route traffic through a proxy)

  • Cleartext traffic is allowed (until Android 8.1):

    • <base-config cleartextTrafficPermitted="true">

    • <domain-config cleartextTrafficPermitted="true">

MORE DETAILS

  • Manifest permissions

  • SSL common problems

  • ssltest

Last updated 5 years ago