search

Static analysis

CREDIT - TCM security

hashtag
Jadx

JADXwww.briskinfosec.comchevron-right

We can decompile code to JAVA using jadx.

hashtag
Qark

https://github.com/linkedin/qarkarrow-up-right

hashtag
MobSF

https://github.com/MobSF/Mobile-Security-Framework-MobSFarrow-up-right

hashtag
Online website

https://mobsf.live/mobsf.livechevron-right

hashtag
Docker install

hashtag
Grep process

For ease of static analysis (since there are many files), we can have few keywords and grep those words to see how many files are intresting to lookout for.

example
exmaple

hashtag
Few things too look out

hashtag
Allowbackup=true

This is considered a security issue because people could backup your app via ADB and then get private data of your app into their PC.

  1. Shared preference.

  2. directory returned by getFilesDir().

  3. getDataBase(path) also includes files created by SQLiteOpenHelper.

  4. files in directories created with getDir(Sring, int).

  5. files on external storage returned by getExternalFilesDir (String type).

hashtag
exported=true

We can basically export that activity from anywhere inside android, creating new app & calling the activity there or using adb to call that activity.

E.g: There's a mobile app that uses OTP (2AUTH) ... but the home screen/dashboard activity is exported=true. You can start the dashboard activity & can bypass the OTP screen.

Logoandroid:exported Β |Β  Security Β |Β  Android DevelopersAndroid Developerschevron-right

hashtag
debuggable=true

This allows attacker to hook their debugger in the app (similar work in Dynamic Analysis)

hashtag
uses-permission

This basically teslls what permission the app requires for running/app ask to end user.

PreviousPull & PatchNextHardcoded strings

Last updated