# Mobile

## Static Analysis

* jdgui <http://java-decompiler.github.io/>
* apktool <https://ibotpeaches.github.io/Apktool/>
* dex2jar <https://github.com/pxb1988/dex2jar>
* jadx <https://github.com/skylot/jadx>

## Dynamic Analysis

Set a proxy, install the certificate, and you are ready to go.

## System level certificate installation

* Export your Burp certificate: Proxy > Options > CA Certificate > Export in DER format
* Convert it to PEM `openssl x509 -inform der -in cacert.der -out burp.pem`
* Rename it to its old-style subject hash `mv burp.pem $(openssl x509 -inform PEM -subject_hash_old -in burp.pem | head -1)".0"`
* Remount `/system` as writable `adb shell "mount -o rw,remount /system"`
* Upload the certificate `adb push <generated.0> /system/etc/security/cacerts/`, for example `adb push 9a5ba575.0 /system/etc/security/cacerts/`
* Reboot the vm `adb reboot`
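
The steps above as one script, an added example that is not part of the original notes; the function names are illustrative, and it assumes `openssl` and `adb` are on the PATH and the target is a rooted test device or emulator. It accepts either a DER or a PEM export and checks that the file name matches the old-style subject hash before pushing.

```bash
#!/usr/bin/env bash
# Added example: function names are illustrative, not from the original notes.

# Convert a DER or PEM CA certificate to PEM, stored as <subject_hash_old>.0
# in directory $2 (default: current directory). Prints the new file name.
prepare_system_ca() {
    local src="$1" outdir="${2:-.}" tmp hash
    tmp=$(mktemp) || return 1
    # Burp exports DER; also accept PEM so re-running on burp.pem works.
    if ! openssl x509 -inform der -in "$src" -out "$tmp" 2>/dev/null &&
       ! openssl x509 -inform pem -in "$src" -out "$tmp" 2>/dev/null; then
        echo "error: $src is not a DER or PEM X.509 certificate" >&2
        rm -f "$tmp"
        return 1
    fi
    # Android's system store names each CA by the old-style subject hash.
    hash=$(openssl x509 -inform pem -subject_hash_old -noout -in "$tmp") ||
        { rm -f "$tmp"; return 1; }
    mv "$tmp" "$outdir/$hash.0" && chmod 644 "$outdir/$hash.0" && echo "$hash.0"
}

# Succeeds only if the file name equals <subject_hash_old>.0 for its content.
check_ca_name() {
    local file="$1" want
    want=$(openssl x509 -inform pem -subject_hash_old -noout -in "$file") || return 1
    [ "$(basename "$file")" = "$want.0" ]
}

# Remount, push and reboot, as in the steps above (rooted test device/emulator).
push_system_ca() {
    local file="$1"
    adb shell "mount -o rw,remount /system" &&
        adb push "$file" /system/etc/security/cacerts/ &&
        adb reboot
}

# Usage: ./install_ca.sh cacert.der
if [ $# -ge 1 ]; then
    name=$(prepare_system_ca "$1") && check_ca_name "$name" && push_system_ca "$name"
fi
```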

## Setting up proxy using ADB

Setting up a proxy

* `adb shell settings put global http_proxy <proxy ip>:<proxy port>`

Flushing the proxy setting

* `adb shell settings delete global http_proxy`

## Currently focused activity

```bash
vbox86p:/ # dumpsys window windows | grep -E 'mCurrentFocus|mFocusedApp'
  mCurrentFocus=Window{dbfa51e u0 com.mailchimp.mailchimp/com.mailchimp.android.mcm.ui.auth.onboarding.OnboardingActivity}
  mFocusedApp=AppWindowToken{f6705a0 token=Token{2e6bea3 ActivityRecord{4b7dd2 u0 com.mailchimp.mailchimp/com.mailchimp.android.mcm.ui.auth.onboarding.OnboardingActivity t10}}}
```

```
vbox86p:/ # dumpsys window displays | grep -E "mCurrentFocus"
  mCurrentFocus=Window{36941bb u0 com.block.juggle/org.cocos2dx.javascript.AppActivity}
```

## Focusing / Starting another activity

`am start -n com.mailchimp.mailchimp/com.mailchimp.android.mcm.ui.upload.FileUploadActivity`

## List activities of an APK

```bash
127|vbox86p:/ # dumpsys package | grep -Eo "^[[:space:]]+[0-9a-f]+[[:space:]]+com.mailchimp.mailchimp/[^[:space:]]+" | grep -oE "[^[:space:]]+$" | sort -u
com.mailchimp.mailchimp/androidx.work.impl.background.systemalarm.ConstraintProxy$BatteryChargingProxy
com.mailchimp.mailchimp/androidx.work.impl.background.systemalarm.ConstraintProxy$BatteryNotLowProxy
com.mailchimp.mailchimp/androidx.work.impl.background.systemalarm.ConstraintProxy$NetworkStateProxy
com.mailchimp.mailchimp/androidx.work.impl.background.systemalarm.ConstraintProxy$StorageNotLowProxy
com.mailchimp.mailchimp/androidx.work.impl.background.systemalarm.ConstraintProxyUpdateReceiver
com.mailchimp.mailchimp/androidx.work.impl.background.systemalarm.RescheduleReceiver
com.mailchimp.mailchimp/com.google.firebase.iid.FirebaseInstanceIdReceiver
com.mailchimp.mailchimp/com.google.firebase.messaging.FirebaseMessagingService
com.mailchimp.mailchimp/com.mailchimp.android.mcm.fcm.MCMFirebaseInstanceIDService
com.mailchimp.mailchimp/com.mailchimp.android.mcm.fcm.MCMFirebaseMessagingService
com.mailchimp.mailchimp/com.mailchimp.android.mcm.shortcut.ShortcutLauncherActivity
com.mailchimp.mailchimp/com.mailchimp.android.mcm.ui.auth.splash.SplashActivity
com.mailchimp.mailchimp/com.mailchimp.android.mcm.ui.upload.FileUploadActivity
com.mailchimp.mailchimp/com.mailchimp.android.mcm.widgets.addsubscribers.AddSubscriberWidgetConfigureActivity
com.mailchimp.mailchimp/com.mailchimp.android.mcm.widgets.addsubscribers.AddSubscriberWidgetProvider
com.mailchimp.mailchimp/com.mailchimp.android.mcm.widgets.recentcampaign.RecentCampaignWidgetConfigureActivity
com.mailchimp.mailchimp/com.mailchimp.android.mcm.widgets.recentcampaign.RecentCampaignWidgetProvider
com.mailchimp.mailchimp/io.branch.referral.InstallListener
```

```bash
morph3 ➜ /tmp/ λ aapt list -a $wd/../Downloads/mailchimp-marketing-crm-to-grow-your-business_5.47.0\(21380\).apk | sed -n '/ activity /{:loop n;s/^.*android:name.*="\([^"]\{1,\}\)".*/\1/;T loop;p;t}' | sort -u
com.google.android.gms.auth.api.signin.internal.SignInHubActivity
com.google.android.gms.common.api.GoogleApiActivity
com.google.android.libraries.places.widget.AutocompleteActivity
com.jakewharton.processphoenix.ProcessPhoenix
com.mailchimp.android.mcm.LocalApiKeyActivity
com.mailchimp.android.mcm.shortcut.ShortcutLauncherActivity
com.mailchimp.android.mcm.ui.NewTaskSingleFragmentActivity
com.mailchimp.android.mcm.ui.SingleFragmentActivity
com.mailchimp.android.mcm.ui.auth.onboarding.OnboardingActivity
com.mailchimp.android.mcm.ui.auth.splash.AsyncSplashActivity
com.mailchimp.android.mcm.ui.auth.splash.IntroActivity
com.mailchimp.android.mcm.ui.home.detail.ad.AdEditingActivity
com.mailchimp.android.mcm.ui.neapolitan.MobileNeapolitanActivity
com.mailchimp.android.mcm.ui.signup.SignUpActivity
com.mailchimp.android.mcm.ui.upload.FileUploadActivity
com.mailchimp.android.mcm.widgets.AccountVerificationForwardingActivity
com.mailchimp.android.mcm.widgets.addsubscribers.AddSubscriberWidgetConfigureActivity
com.mailchimp.android.mcm.widgets.recentcampaign.RecentCampaignWidgetConfigureActivity
com.yalantis.ucrop.UCropActivity
```

## Mobile Vulnerabilities & What to check

## OWASP Top 10

* M1 Improper Platform Usage
  * Misconfigurations in AndroidManifest.xml
* M2 Insecure Data Storage
  * The app stores data insecurely on external storage: SQL databases, XML files, log files, cookie stores, binary data, etc.
* M3 Insecure Communication
  * Clear text communication, communication without SSL
* M4 Insecure Authentication
  * Insecure 2FA implementations, 2FA bypass.
  * If you can access an API without authorization.
  * OTP bypass, client-side bypasses. For example, you can manipulate the response of the server and bypass the 2FA or OTP.
* M5 Insufficient Cryptography
  * Incorrect encryption, using encoding.
* M6 Insecure Authorization
  * IDORs
* M7 Client Code Quality
  * Client-side SQL injection, buffer overflows, XSS.
* M8 Code Tampering
  * For example, cracking a free application to a premium one.
* M9 Reverse Engineering
  * Sensitive information, strings, etc.
* M10 Extraneous Functionality
  * For example, a developer forgets an external functionality in the app.
  * Leftover backdoor, debug parameter etc.

