*Jadx - decompiler gui
jadx-gui
* Jadx - decomp cli (with deobf)
jadx -d path/to/extract/ --deobf app_name.apk
* Apkx decompiler
apkx example.apk
* Apktool
apktool d app_name.apk
- Urls and secrets https://github.com/dwisiswant0/apkleaks
$ python apkleaks.py -f ~/path/to/file.apk- Analyze URLs in apk: https://github.com/shivsahni/APKEnum
$ python APKEnum.py -p ~/Downloads/app-debug.apk- Quick wins tool (go branch) https://github.com/mzfr/slicer
$ slicer -d path/to/extact/apk- Unpack apk and find interesting strings
$ apktool d app_name.apk
$ cd apk_folder
$ grep -EHirn "accesskey|admin|aes|api_key|apikey|checkClientTrusted|crypt|http:|https:|password|pinning|secret|SHA256|SharedPreferences|superuser|token|X509TrustManager|insert into"
$ grep -Phro "(https?://)[\w\.-/]+[\"'\`]" | sed 's#"##g' | anew | grep -v "w3\|android\|github\|http://schemas.android\|google\|http://goo.gl"- Regex FCM Server Keys for push notification services control
AAAA[A-Za-z0-9_-]{7}:[A-Za-z0-9_-]{140}
AIza[0-9A-Za-z_-]{35}
- FCM Google Server Keys Validation https://github.com/adarshshetty18/fcm_server_key
$ python3 fcmserverkey.py file.apk-
Facebook Static Analysis Tool https://github.com/facebook/mariana-trench/
-
Manifest.xml findings:
android:allowBackup = TRUE
android:debuggable = TRUE
andorid:exported= TRUE or not set (within <provider>-Tag) --> allows external app to access data
android.permission.WRITE_EXTERNAL_STORAGE / READ_EXTERNAL_STORAGE (ONLY IF sensitive data was stored/read externally)
- Use of permissions
e.g. the app opens website in external browser (not inApp), however requires "android.permission.INTERNET" --> false usage of permissions. (over-privileged)
"android:protectionLevel" was not set properly (<permission android:name="my_custom_permission_name" android:protectionLevel="signature"/>)
missing android:permission (permission tags limit exposure to other apps)
https://mobexler.com/checklist.htm#android
https://developer.android.com/studio/command-line/adb?hl=es-419
adb connect IP:PORT/ID
adb devices
adb shell
adb push
adb install
adb shell pm list packages # List all installed packages
adb shell pm path xx.package.name
adb shell
settings get secure android_id
adb shell sqlite3 /data/data/com.android.providers.settings/databases/settings.db "select value from secure where name = 'android_id'"
https://github.com/frida/frida/releases
adb root
adb push /root/Downloads/frida-server-12.7.24-android-arm /data/local/tmp/. # Linux
adb push C:\Users\username\Downloads\frida-server-12.8.11-android-arm /data/local/tmp/. # Windows
adb root
adb shell "chmod 755 /data/local/tmp/frida-server && /data/local/tmp/frida-server &"
frida-ps -U # Check frida running correctly
frida -U -f com.vendor.app.version -l PATH\fridaScript.js --no-pause
https://github.com/dineshshetty/FridaLoader
https://github.com/sensepost/objection/wiki/Patching-Android-Applications#patching---patching-an-apk
https://codeshare.frida.re/
https://github.com/dweinstein/awesome-frida
https://rehex.ninja/posts/frida-cheatsheet/
https://github.com/androidmalware/android_frida_scripts
- Objection https://github.com/sensepost/objection
objection --gadget com.vendor.app.xx explore
android sslpinning disable
- Android Backup files (*.ab files)
( printf "\x1f\x8b\x08\x00\x00\x00\x00\x00" ; tail -c +25 backup.ab ) | tar xfvz -
- Check Info Stored
find /data/app -type f -exec grep --color -Hsiran "FINDTHIS" {} \;
find /storage/sdcard0/Android/ -maxdepth 7 -exec ls -dl \{\} \;
/data/data/com.app/database/keyvalue.db
/data/data/com.app/database/sqlite
/data/app/
/data/user/0/
/storage/emulated/0/Android/data/
/storage/emulated/0/Android/obb/
/assets
/res/raw
/target/global/Constants.java
-
Check logs during app usage https://github.com/JakeWharton/pidcat
-
Download apks https://apkpure.com https://apps.evozi.com/apk-downloader/ https://apkcombo.com/