Android Security and Penetration Testing

3.

Static Analysis (SAST)

3.1.

Deconstructing the APK File

3.1.1.

Understanding the APK Structure

3.1.1.1.

AndroidManifest.xml

3.1.1.2.

3.1.1.3.

3.1.1.4.

3.1.1.5.

3.1.1.6.

3.1.1.7.

META-INF/ Folder

3.1.2.

Extracting APK Contents

3.1.2.1.

3.1.2.2.

3.1.2.3.

File System Analysis

3.2.

Decompiling and Disassembling

3.2.1.

Using APKTool for Disassembly

3.2.1.1.

Smali Code Analysis

3.2.1.2.

Resource Extraction

3.2.1.3.

Rebuilding APKs

3.2.2.

Converting DEX to JAR

3.2.2.1.

3.2.2.2.

Handling Multiple DEX Files

3.2.3.

Decompiling JAR to Java Source

3.2.3.1.

3.2.3.2.

3.2.3.3.

Handling Obfuscated Code

3.3.

Analyzing the Android Manifest

3.3.1.

Identifying App Components

3.3.1.1.

3.3.1.1.1.

Exported Activities

3.3.1.1.2.

3.3.1.2.

3.3.1.2.1.

Exported Services

3.3.1.2.2.

3.3.1.3.

Broadcast Receivers

3.3.1.3.1.

Exported Receivers

3.3.1.3.2.

3.3.1.4.

Content Providers

3.3.1.4.1.

Exported Providers

3.3.1.4.2.

3.3.2.

Reviewing Permissions

3.3.2.1.

Dangerous Permissions

3.3.2.2.

Unused Permissions

3.3.2.3.

Custom Permissions

3.3.3.

Checking for Exported Components

3.3.3.1.

Exported Attribute Analysis

3.3.3.2.

Security Risks of Exported Components

3.3.3.3.

Intent Filter Vulnerabilities

3.3.4.

Identifying Hardcoded API Keys and Secrets

3.3.4.1.

Manifest Inspection

3.3.4.2.

Resource File Analysis

3.3.4.3.

String Resource Examination

3.3.5.

Analyzing URL Schemes

3.3.5.1.

Custom Scheme Registration

3.3.5.2.

Intent Filter Analysis

3.3.5.3.

Deep Link Security

3.4.

Source Code and Resource Analysis

3.4.1.

Searching for Hardcoded Credentials and Sensitive Information

3.4.1.1.

3.4.1.2.

3.4.1.3.

3.4.1.4.

Database Credentials

3.4.2.

Identifying Insecure Cryptographic Implementations

3.4.2.1.

Weak Algorithms

3.4.2.2.

3.4.2.3.

Poor Key Management

3.4.2.4.

Insecure Random Number Generation

3.4.3.

Reviewing Native Libraries for Vulnerabilities

3.4.3.1.

Buffer Overflows

3.4.3.2.

Unsafe JNI Usage

3.4.3.3.

Memory Corruption Issues

3.4.4.

Checking for Debugging Code and Logs

3.4.4.1.

3.4.4.2.

Logging Sensitive Data

3.4.4.3.

Test Code in Production

3.4.5.

Analyzing WebView Usage

3.4.5.1.

JavaScript Enabled

3.4.5.2.

File Access Settings

3.4.5.3.

Mixed Content Handling

3.5.

Automated Static Analysis

3.5.1.

Using MobSF for Automated Scanning

3.5.1.1.

Upload and Analysis Process

3.5.1.2.

Configuration Options

3.5.2.

Interpreting Automated Analysis Reports

3.5.2.1.

Identifying False Positives

3.5.2.2.

Prioritizing Findings

3.5.2.3.

Understanding Severity Levels

3.5.3.

Custom Rule Development

3.5.3.1.

SAST Rule Creation

3.5.3.2.

Pattern Matching

3.5.4.

Integration with CI/CD Pipelines

Previous

2. Setting Up a Penetration Testing Environment

Go to top

Next

4. Dynamic Analysis (DAST)