Android Analysis CheatSheet

Application permission

  • check permission in AndroidManifest.xml

Authentication

  • stateless or stateful

Insecure Data Storage

  • sensitive information in code
  • database
  • log
  • cookies
  • cache

Sensitive Data sent to third party

  • check third-party libraries in code
  • intercept request

scan content provider URI

dz > run app.provider.info -a com.iapps.ssc
dz > run scanner.provider.finduris -a com.iapps.ssc

Check Backup for Sensitive Data

  • android:allowBackup="true"
$> adb backup -apk -nosystem com.iapps.ssc
$> dd if=backup.ab bs=24 skip=1 | openssl zlib -d > backup.tar
$> java -jar abe.jar unpack backup.ab backup.tar

Auto Generate for sensitive Data

Check Memory for Sensitive Data

  • dynamic analysis dump memory

Testing the Device-Access-Security Policy

  • USB Debugging activation
  • Root Detection

Test Random Number

Local Authentication

Network API

Certificate Pinning

  • check value “android:networkSecurityConfig” in AndroidManifest.xml
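The manifest checks listed so far (permissions, android:allowBackup, android:networkSecurityConfig) plus exported components can be scripted against a decoded, plain-text AndroidManifest.xml. The following is an added example, not part of the original cheat sheet; the function name, the permission subset and the sample manifest are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
NS = "{http://schemas.android.com/apk/res/android}"

# Small subset of dangerous-level permissions (assumption: extend for real use)
DANGEROUS = {
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.ACCESS_FINE_LOCATION",
}

def audit_manifest(xml_text):
    """Return findings for a decoded (plain-text) AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    findings = []
    for perm in root.iter("uses-permission"):
        name = perm.get(NS + "name", "")
        if name in DANGEROUS:
            findings.append("dangerous permission requested: " + name)
    app = root.find("application")
    if app is None:
        return findings + ["no <application> element"]
    # allowBackup is treated as true when the attribute is absent
    if app.get(NS + "allowBackup", "true").lower() == "true":
        findings.append("allowBackup is true (explicitly or by default)")
    if app.get(NS + "networkSecurityConfig") is None:
        findings.append("no android:networkSecurityConfig attribute")
    # Explicitly exported components with no android:permission guard
    # (readPermission/writePermission on providers are not considered here)
    for tag in ("provider", "service", "receiver"):
        for comp in app.iter(tag):
            exported = comp.get(NS + "exported", "").lower() == "true"
            if exported and comp.get(NS + "permission") is None:
                findings.append("exported %s without permission: %s"
                                % (tag, comp.get(NS + "name")))
    return findings

# Constructed sample manifest; package and component names are placeholders
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application android:allowBackup="true">
    <provider android:name=".NotesProvider" android:exported="true"
        android:authorities="com.example.app.notes"/>
    <service android:name=".SyncService" android:exported="false"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE):
        print("[!]", finding)
```

The input must be the decoded text manifest, not the binary XML stored inside the APK.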

default network Config

  • Android API Permission

    • Normal (android.permission.INTERNET)
    • Dangerous (android.permission.RECORD_AUDIO)
    • Signature (android.permission.ACCESS_MOCK_LOCATION)
    • SignatureOrSystem (android.permission.ACCESS_DOWNLOAD_MANAGER)
      dz > run app.package.info -a com.kth.test
      dz > run app.provider.finduri com.kth.test
  • service info

dz > run app.service.info -a com.kth.test
dz > run app.broadcast.info -a com.kth.test
dz > run app.broadcast.sniff -a com.kth.test
  • Check Application Sign
apksigner verify --verbose Desktop/example.apk
jarsigner -verify -verbose -certs example.apk
  • Check Webview XSS
    • search code for setJavaScriptEnabled(true)
  • Static Analysis with MobSF
git clone https://github.com/MobSF/Mobile-Security-Framework-MobSF.git
cd Mobile-Security-Framework-MobSF
pip3 install virtualenv
virtualenv -p python3 venv
source venv/bin/activate
pip3 install -r requirements.txt