Static analysis

Jadx
We can decompile the APK's Dalvik bytecode back to Java source with jadx; the decoded resources (including a readable AndroidManifest.xml) land in the output directory alongside the sources.

Qark
https://github.com/linkedin/qark
MobSF
https://github.com/MobSF/Mobile-Security-Framework-MobSF

Online website
Docker install
docker pull opensecurity/mobile-security-framework-mobsf:latest
docker run -it --rm -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest
Grep process
For ease of static analysis (since there are many files), we can pick a few keywords and grep for them to see how many files are interesting enough to look at by hand.


A few things to look out for
╰─➤ cat resources/AndroidManifest.xml | grep -i backup
android:allowBackup="true"
╰─➤ cat resources/AndroidManifest.xml | grep -iE 'exported="true"'
android:exported="true"
╰─➤ cat resources/AndroidManifest.xml | grep -iE 'debuggable' --color
android:debuggable="true"
╰─➤ cat resources/AndroidManifest.xml | grep -i 'android.permission' --color
<uses-permission android:name="android.permission.INTERNET"/>
allowBackup=true
This is considered a security issue because anyone with physical access could back up your app via ADB and then pull the app's private data onto their PC. The backup includes:
Shared preferences.
Files in the directory returned by getFilesDir().
Files in the directory returned by getDatabasePath(String), which also includes databases created by SQLiteOpenHelper.
Files in directories created with getDir(String, int).
Files on external storage in the directory returned by getExternalFilesDir(String).
exported=true
An exported activity can be started from anywhere on the device: from a new app we write that calls the activity, or directly with adb (am start).
E.g.: a mobile app protects its login with an OTP (second factor), but the home screen/dashboard activity is exported=true. You can start the dashboard activity directly and bypass the OTP screen.
debuggable=true
This allows an attacker to attach a debugger to the running app (this is what the Dynamic Analysis section builds on).
uses-permission
This tells you which permissions the app requires to run, i.e. what it asks the end user for.
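The greps above can be turned into one structured check. The script below is an added example (not part of the original notes); it parses a constructed AndroidManifest.xml of the kind jadx writes to resources/AndroidManifest.xml and reports the four findings discussed here, plus components that have no explicit android:exported but carry an intent-filter, which a plain grep for exported="true" misses.

```python
# Added example: structured version of the manifest greps above.
# SAMPLE_MANIFEST is a constructed input, not taken from any real app.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")

SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:allowBackup="true" android:debuggable="true">
    <activity android:name=".LoginActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".DashboardActivity" android:exported="true"/>
    <activity android:name=".SettingsActivity" android:exported="false"/>
    <receiver android:name=".SyncReceiver">
      <intent-filter><action android:name="com.example.SYNC"/></intent-filter>
    </receiver>
  </application>
</manifest>
"""


def attr(elem, name):
    """Read an android:-namespaced attribute (None if absent)."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def audit_manifest(xml_text):
    root = ET.fromstring(xml_text)
    app = root.find("application")
    findings = {
        "allowBackup": attr(app, "allowBackup") == "true",
        "debuggable": attr(app, "debuggable") == "true",
        "permissions": [attr(p, "name") for p in root.iter("uses-permission")],
        "exported": [],             # explicit android:exported="true"
        "implicitly_exported": [],  # no android:exported but has an intent-filter
    }
    for tag in COMPONENT_TAGS:
        for comp in app.iter(tag):
            exported = attr(comp, "exported")
            has_filter = comp.find("intent-filter") is not None
            if exported == "true":
                findings["exported"].append(attr(comp, "name"))
            elif exported is None and has_filter:
                # Pre-targetSdk 31 such components default to exported.
                findings["implicitly_exported"].append(attr(comp, "name"))
    return findings


if __name__ == "__main__":
    for key, value in audit_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

Point it at a real decompiled manifest by reading the file into audit_manifest() instead of SAMPLE_MANIFEST; the output lists each finding under the same headings used above.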