Static Analysis

AndroidManifest.xml

• AndroidManifest.xml of an example app:

<?xml version="1.0" encoding="utf-8" standalone="no"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    <!-- The package name, which is the unique identifier for the app in the Android ecosystem. -->
    package="com.example.app"

    <!-- The version of the Android SDK used to compile the app. -->
    android:compileSdkVersion="34"

    <!-- The codename for the compile SDK version (e.g., "14" for Android 14). -->
    android:compileSdkVersionCodename="14"

    <!-- The internal version code of the platform used to build the app. -->
    platformBuildVersionCode="34"

    <!-- The version name of the platform used to build the app, corresponding to the codename of the Android version. -->
    platformBuildVersionName="14">

    <!-- Permissions required by the app -->
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE" />

    <!-- Declaring minimum and target SDK versions -->
    <uses-sdk android:minSdkVersion="29" android:targetSdkVersion="34" />

    <!-- Declaring features required by the app -->
    <uses-feature android:name="android.hardware.camera" android:required="true" />
    <uses-feature android:name="android.hardware.location.gps" android:required="false" />

    <!-- Main application block -->
    <application
        android:allowBackup="true"
        android:icon="@mipmap/ic_launcher"
        android:label="@string/app_name"
        android:networkSecurityConfig="@xml/network_security_config"
        android:theme="@style/AppTheme">

        <!-- Main launcher activity -->
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>

        <!-- Another activity with an intent filter -->
        <activity android:name=".DeepLinkActivity"
            android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.VIEW" />
                <category android:name="android.intent.category.DEFAULT" />
                <category android:name="android.intent.category.BROWSABLE" />
                <data android:scheme="https" android:host="www.example.com" android:pathPrefix="/deeplink" />
            </intent-filter>
        </activity>

        <!-- Service example -->
        <service android:name=".MyService"
            android:enabled="true"
            android:exported="false">
        </service>

        <!-- Broadcast receiver example -->
        <receiver android:name=".MyBroadcastReceiver"
            android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED" />
            </intent-filter>
        </receiver>

        <!-- Content provider example -->
        <provider
            android:name=".MyContentProvider"
            android:authorities="com.example.app.provider"
            android:enabled="true"
            android:exported="true" />

        <!-- Meta-data example -->
        <meta-data
            android:name="com.google.android.geo.API_KEY"
            android:value="your_google_maps_api_key_here" />

    </application>
</manifest>

aapt utility

• Dump all permissions

aapt dump permissions app.apk

• Dump all strings

aapt dump strings app.apk

• Dump all intent-filters

NOTE: Make you sure file AndroidManifest.xml is in the same directory as you execute aapt when dump data from any AndroidManifest.xml.

aapt dump xmltree app.apk AndroidManifest.xml | grep -A 4 "intent-filter"

• Tip: Use grep command to find interesting strings like passwords, leaked tokens, URLs and endpoints, IP addresses, etc...

Getting the APK / APKS directly from the Google Play Store

1. Download the App from the Google Play Store

2. List the users present on the Android Device

adb shell 'pm list users'

1. List the path/s for the APK / APKs (i.e.: base.apk, split_config.arm64_v8a.apk, etc...)

adb shell 'pm list packages --user 0 | grep <package-name>'

1. Pull the APK / APKs from the Android Device through ADB shell with the following commands:

adb pull '/data/app/~PvKK31sTyxNMbIGXtM-sKQ==/com.example.app-35LyFLmPuDftQjAVCgCP0w==/base.apk'
adb pull '/data/app/~~PvKK31sTyxNMbIGXtM-sKQ==/com.example.app-35LyFLmPuDftQjAVCgCP0w==/split_config.arm64_v8a.apk'

Decompiling APK

Use tools like JADX or APKTool to decompile the APK and analyze the source code.

With APKtool (decompiled files)

apktool d app.apk -o app_output_directory

Decompiling without resources folder (faster method)

apktool d -r app.apk -o app_output_directory

Unzip APK (original files)

unzip app.apk -d app_output_directory

Structure of an APK package when you unzip it

File/Folder	Description
assets	Pictures / Sounds / Certificates / External files
lib	Libraries (check to see if emulator "x86" is supported)
META-INF	Code Signature (signing)
res	App Icon
AndroidManifest.xml	Configuration file in binary format (not readable by unzipping an app)
classes.dex	Dalvik Bytecode of all classes
resources.arsc	Compiled resources (Strings / Color etc.)

Differences between Unzip and Decompiled APKs

# Unzip / Apktool
- "assets / assets"
- "com / unknown"
- "lib / lib"
- "META-INF / original"
- "res / res"
- "resources.arsc / res/values"
- "classes.dex / smali"
- "AndroidManifest.xml / AndroidManifest.xml"

Useful ADB commands

- "adb devices": 
 - "Show connected devices"
- "adb root": 
 - "Get a root shell - Works only on certain images. Example: LineageOS."
- "adb reboot bootloader": 
 - "Reboot the device into the boot loader mode"
- "adb shell install -r": 
 - "Install a new package (overwrite existing one)"
- "adb push <local> <remote>": 
 - "Upload a file from the laptop to the phone"
- "adb pull <remote> <local>": 
 - "Download a file from the phone to the laptop"
- "adb shell dumpsys iphonesybinfo": 
 - "Get the IMEI"
- "adb get-serialno": 
 - "Serial number of the device"
- "adb shell pm list features": 
 - "List the features of the smartphone"
- "adb shell screencap -p \"/Path/To/Save/Image.png\"": 
 - "Take a screenshot"
- "adb shell screen record \"/Path/CaptureRecord.mp4\"": 
 - "Capture a video of the device screen"
- "adb shell am start -W -c android.intent.category.HOME -a android.intent.action.MAIN": 
 - "Simulating pressing the Home Button"
- "adb shell am start|startservice|broadcast <INTENT>": 
 - "Start an Intent / service / broadcast receiver"
- "adb logcat": 
 - "System log information"
- "adb bugreport": 
 - "Dump the whole device information like dumpstate, dumpsys and logcat output. Important to get the Bluetooth Low Energy log!"
- "adb backup": 
 - "Backup all applications that have the 'backup=true' in their Manifest.xml"
- "fastboot devices": 
 - "List available devices in fastboot mode"
- "adb shell pm reset-permissions -p your.app.package": 
 - "Resets all the permissions of an app"
- "adb shell pm path <package name>": 
 - "Shows the path to the APK which can be downloaded (see adb pull) even without root permissions."
- "adb input touch <x> <y>": 
 - "Perform a touch event at the given coordinates"

DEX Files

• Use dex2jar to convert .dex files in .jar files.

d2j-dex2jar classes.dex -o classes.jar

• Then analyze it with Jadx-gui

Using Nuclei to automate the proccess of finding endpoints and hidden information

1. Extract APK with APKtool

apktool d app.apk -o app_output_directory

1. Run Nuclei and find secrets keys and vulnerabilities

echo app_output_directory/ | nuclei -t /path/to/nuclei-templates/files/keys
echo app_output_directory/ | nuclei -t /path/to/nuclei-templates/files/android

1. Run Nuclei with official Project Discovery templates

echo app_output_directory/ | nuclei -tags android,permissions,misconfig,storage,exposure,aws,amazon,azure,firebase

Extract Activities exported as "True"

1. Extract APK with APKtool

apktool d app.apk -o app_output_directory

1. Extract with UNIX commands the Activities which are exported="true"

cat app_output_directory/AndroidManifest.xml | grep 'exported="true"' | grep activity

Finding Secrets in APKs with Trufflehog

1. Extract APK with APKtool

apktool d app.apk -o app_output_directory

1. Run Trufflehog

docker run --rm -it -v "$PWD:/pwd" trufflesecurity/trufflehog:latest filesystem /path/to/app_output_directory/

MobSF (Mobile Security Security Framework)

1. Quick installation:

docker pull opensecurity/mobile-security-framework-mobsf:latest
docker run -it --rm -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest

1. Upload the APK and then analyze the results

2. Use MobSF to scan the source code and identify insecure coding practices, hardcoded credentials, insecure data storage, etc.

3. After read the analysis, print a PDF Report and save it.

---