Mobile
Static Analysis
jdgui http://java-decompiler.github.io/
apktool https://ibotpeaches.github.io/Apktool/
dex2jar https://github.com/pxb1988/dex2jar
jadx https://github.com/skylot/jadx
Dynamic Analysis
Set a proxy, install the certificate, and you are ready to go.
System level certificate installation
Export your Burp certificate: Proxy > Options > CA Certificate > Export in DER format
Convert it to PEM
openssl x509 -inform der -in cacert.der -out burp.pem
Rename it with its checksum
mv burp.pem $(openssl x509 -inform PEM -subject_hash_old -in burp.pem | head -1)".0"
Mount a writeable system
adb shell "mount -o rw,remount /system"
Upload the certificate
adb push <generated.0> /system/etc/security/cacerts/
adb push 9a5ba575.0 /system/etc/security/cacerts/
Reboot the VM
adb reboot
Setting up proxy using ADB
Setting up a proxy
adb shell settings put global http_proxy <proxy ip>:<proxy port>
Flushing the proxy setting
adb shell settings delete global http_proxy
Currently focused activity
vbox86p:/ # dumpsys window windows | grep -E 'mCurrentFocus|mFocusedApp'
mCurrentFocus=Window{dbfa51e u0 com.mailchimp.mailchimp/com.mailchimp.android.mcm.ui.auth.onboarding.OnboardingActivity}
mFocusedApp=AppWindowToken{f6705a0 token=Token{2e6bea3 ActivityRecord{4b7dd2 u0 com.mailchimp.mailchimp/com.mailchimp.android.mcm.ui.auth.onboarding.OnboardingActivity t10}}}
vbox86p:/ # dumpsys window displays | grep -E "mCurrentFocus"
mCurrentFocus=Window{36941bb u0 com.block.juggle/org.cocos2dx.javascript.AppActivity}
Focusing / Starting another activity
am start -n com.mailchimp.mailchimp/com.mailchimp.android.mcm.ui.upload.FileUploadActivity
List activities of an APK
127|vbox86p:/ # dumpsys package | grep -Eo "^[[:space:]]+[0-9a-f]+[[:space:]]+com.mailchimp.mailchimp/[^[:space:]]+" | grep -oE "[^[:space:]]+$" | sort -u
com.mailchimp.mailchimp/androidx.work.impl.background.systemalarm.ConstraintProxy$BatteryChargingProxy
com.mailchimp.mailchimp/androidx.work.impl.background.systemalarm.ConstraintProxy$BatteryNotLowProxy
com.mailchimp.mailchimp/androidx.work.impl.background.systemalarm.ConstraintProxy$NetworkStateProxy
com.mailchimp.mailchimp/androidx.work.impl.background.systemalarm.ConstraintProxy$StorageNotLowProxy
com.mailchimp.mailchimp/androidx.work.impl.background.systemalarm.ConstraintProxyUpdateReceiver
com.mailchimp.mailchimp/androidx.work.impl.background.systemalarm.RescheduleReceiver
com.mailchimp.mailchimp/com.google.firebase.iid.FirebaseInstanceIdReceiver
com.mailchimp.mailchimp/com.google.firebase.messaging.FirebaseMessagingService
com.mailchimp.mailchimp/com.mailchimp.android.mcm.fcm.MCMFirebaseInstanceIDService
com.mailchimp.mailchimp/com.mailchimp.android.mcm.fcm.MCMFirebaseMessagingService
com.mailchimp.mailchimp/com.mailchimp.android.mcm.shortcut.ShortcutLauncherActivity
com.mailchimp.mailchimp/com.mailchimp.android.mcm.ui.auth.splash.SplashActivity
com.mailchimp.mailchimp/com.mailchimp.android.mcm.ui.upload.FileUploadActivity
com.mailchimp.mailchimp/com.mailchimp.android.mcm.widgets.addsubscribers.AddSubscriberWidgetConfigureActivity
com.mailchimp.mailchimp/com.mailchimp.android.mcm.widgets.addsubscribers.AddSubscriberWidgetProvider
com.mailchimp.mailchimp/com.mailchimp.android.mcm.widgets.recentcampaign.RecentCampaignWidgetConfigureActivity
com.mailchimp.mailchimp/com.mailchimp.android.mcm.widgets.recentcampaign.RecentCampaignWidgetProvider
com.mailchimp.mailchimp/io.branch.referral.InstallListener
morph3 ➜ /tmp/ λ aapt list -a $wd/../Downloads/mailchimp-marketing-crm-to-grow-your-business_5.47.0\(21380\).apk | sed -n '/ activity /{:loop n;s/^.*android:name.*="\([^"]\{1,\}\)".*/\1/;T loop;p;t}' | sort -u
com.google.android.gms.auth.api.signin.internal.SignInHubActivity
com.google.android.gms.common.api.GoogleApiActivity
com.google.android.libraries.places.widget.AutocompleteActivity
com.jakewharton.processphoenix.ProcessPhoenix
com.mailchimp.android.mcm.LocalApiKeyActivity
com.mailchimp.android.mcm.shortcut.ShortcutLauncherActivity
com.mailchimp.android.mcm.ui.NewTaskSingleFragmentActivity
com.mailchimp.android.mcm.ui.SingleFragmentActivity
com.mailchimp.android.mcm.ui.auth.onboarding.OnboardingActivity
com.mailchimp.android.mcm.ui.auth.splash.AsyncSplashActivity
com.mailchimp.android.mcm.ui.auth.splash.IntroActivity
com.mailchimp.android.mcm.ui.home.detail.ad.AdEditingActivity
com.mailchimp.android.mcm.ui.neapolitan.MobileNeapolitanActivity
com.mailchimp.android.mcm.ui.signup.SignUpActivity
com.mailchimp.android.mcm.ui.upload.FileUploadActivity
com.mailchimp.android.mcm.widgets.AccountVerificationForwardingActivity
com.mailchimp.android.mcm.widgets.addsubscribers.AddSubscriberWidgetConfigureActivity
com.mailchimp.android.mcm.widgets.recentcampaign.RecentCampaignWidgetConfigureActivity
com.yalantis.ucrop.UCropActivity
Mobile Vulnerabilities & What to check
OWASP Top 10
M1 Improper Platform Usage
Misconfigurations in AndroidManifest.xml
M2 Insecure Data Storage
If an app stores data insecurely on external storage: SQL databases, XML files, log files, cookie storage, binary data, etc.
M3 Insecure Communication
Cleartext communication, communication without SSL.
M4 Insecure Authentication
Insecure 2FA implementations, 2FA bypass.
If you can access an API without authorization.
OTP bypass, client-side bypasses. For example, you can manipulate the server's response and bypass the 2FA or OTP check.
M5 Insufficient Cryptography
Incorrect encryption, or using encoding in place of encryption.
M6 Insecure Authorization
IDORs
M7 Client Code Quality
Client-side SQL injection, buffer overflows, XSS.
M8 Code Tampering
For example, cracking a free application into a premium one.
M9 Reverse Engineering
Sensitive information, hardcoded strings, etc.
M10 Extraneous Functionality
For example, the developer leaves extraneous functionality in the app:
a leftover backdoor, a debug parameter, etc.
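The M1 manifest check above and the activity listing from the Dynamic Analysis section can also be done offline on the AndroidManifest.xml that apktool decodes. The following is an added example, not part of the original notes: it parses a constructed sample manifest (the com.example.app package and its activities are made up), expands short-form component names, applies the implicit-export rule for components that carry an intent-filter, and reports the debuggable/allowBackup flags and every exported component.

```python
import xml.etree.ElementTree as ET
ANDROID_NS = "http://schemas.android.com/apk/res/android"
# Constructed sample of a decoded AndroidManifest.xml (apktool output); not a real app's manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.app">
  <application android:debuggable="true" android:allowBackup="true">
    <activity android:name=".ui.MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".ui.FileUploadActivity" android:exported="true"/>
    <activity android:name=".ui.SettingsActivity" android:exported="false"/>
    <activity android:name=".ui.DeepLinkActivity">
      <intent-filter><action android:name="android.intent.action.VIEW"/><data android:scheme="exampleapp"/></intent-filter>
    </activity>
  </application>
</manifest>"""

def _attr(el, name):  # read an attribute from the android: namespace
    return el.get("{%s}%s" % (ANDROID_NS, name))

def list_components(manifest_xml):
    """Return (package, [(tag, qualified name, exported)]) for every app component."""
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package", "")
    comps = []
    for el in root.find("application"):
        if el.tag not in ("activity", "activity-alias", "service", "receiver", "provider"):
            continue
        name = _attr(el, "name") or ""
        if name.startswith("."):  # short form, relative to the package name
            name = pkg + name
        exported = _attr(el, "exported")
        if exported is None:
            # Unset: a component with an intent-filter is exported by default on targetSdk < 31 (providers simplified to "not exported")
            is_exported = el.tag != "provider" and el.find("intent-filter") is not None
        else:
            is_exported = exported == "true"
        comps.append((el.tag, name, is_exported))
    return pkg, comps

def manifest_findings(manifest_xml):
    """Application-level flags and exported components that deserve review (OWASP M1)."""
    app = ET.fromstring(manifest_xml).find("application")
    findings = ["android:%s=true" % flag for flag in ("debuggable", "allowBackup")
                if _attr(app, flag) == "true"]
    findings += ["exported %s: %s" % (t, n) for t, n, exp in list_components(manifest_xml)[1] if exp]
    return findings
```

Run it against the output of `apktool d app.apk` by reading the decoded AndroidManifest.xml into `manifest_findings`; every exported component it lists is an entry point reachable from other apps and should be reviewed for input validation.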