Static Analysis
Android
JADX-GUI
https://github.com/skylot/jadx - decompiles Android DEX and APK files to Java source code for static analysis (jadx-gui is the graphical front end, jadx the command-line tool; both also decode the binary AndroidManifest.xml and resources)
In Kali,
sudo apt-get install default-jdk jadx
Android Manifest
- minSdkVersion
  - the lowest API level the app installs on; a low minimum means the app can run on old platform versions with weaker security defaults
- Permissions
  - what data and hardware components the app needs (or has) access to
  - full list: https://developer.android.com/reference/android/Manifest.permission
- Activities
  - UI elements / different "screens" in the application
  - activities meant to be reachable from other apps are declared through intent-filters; an activity with an intent-filter and no android:exported attribute is exported by default (from targetSdkVersion 31 the attribute must be set explicitly on any component with an intent-filter)
  - android:exported="true" - the activity can be started from outside the application
- Content Providers
  - serve data to other applications, e.g. for sharing data with other apps
  - if exported, can be dangerous as it exposes the data to any app on the device (limited only by whatever readPermission/writePermission the provider declares)
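As an added example (not from the original notes and not part of the jadx project), a small Python script that applies the rules above to a decoded AndroidManifest.xml: it reads minSdkVersion, targetSdkVersion and the permission list and reports every component reachable from other apps, including the ones exported only implicitly through an intent-filter. The manifest below is constructed for the example, and `audit_manifest`, `is_exported` and the other names are this example's own; point it at the AndroidManifest.xml from a real jadx output directory to use it.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(name):
    """ElementTree key for an android:-namespaced attribute."""
    return "{%s}%s" % (ANDROID_NS, name)


# Constructed sample manifest (not from a real app). It covers the cases
# that matter: explicit exported="true"/"false", a component that is
# exported only because it has an intent-filter, and two content providers.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="30"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Notes">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".DeepLinkActivity" android:exported="true"/>
    <activity android:name=".AdminActivity" android:exported="false">
      <intent-filter>
        <action android:name="com.example.notes.ADMIN"/>
      </intent-filter>
    </activity>
    <activity android:name=".ShareReceiverActivity">
      <intent-filter>
        <action android:name="android.intent.action.SEND"/>
      </intent-filter>
    </activity>
    <provider android:name=".NotesProvider"
        android:authorities="com.example.notes.provider"
        android:exported="true"/>
    <provider android:name=".CacheProvider"
        android:authorities="com.example.notes.cache"/>
  </application>
</manifest>
"""

COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")


def is_exported(component, target_sdk):
    """Apply the platform's default rules; returns (exported, reason)."""
    explicit = component.get(android_attr("exported"))
    if explicit is not None:
        return explicit.lower() == "true", 'android:exported="%s"' % explicit
    if component.tag == "provider":
        # Providers default to exported only when targetSdkVersion <= 16.
        return target_sdk <= 16, "provider default for targetSdkVersion %d" % target_sdk
    if component.find("intent-filter") is not None:
        # No android:exported but an intent-filter: exported by default.
        # From targetSdkVersion 31 the attribute must be explicit, so there
        # this is a build error rather than a silent export.
        return True, "implicitly exported by <intent-filter>"
    return False, "no intent-filter and no android:exported"


def audit_manifest(xml_text):
    """Summarise the security-relevant parts of a decoded manifest."""
    root = ET.fromstring(xml_text)
    sdk = root.find("uses-sdk")
    min_sdk = int(sdk.get(android_attr("minSdkVersion"), "1")) if sdk is not None else 1
    target_sdk = int(sdk.get(android_attr("targetSdkVersion"), str(min_sdk))) if sdk is not None else min_sdk
    permissions = [p.get(android_attr("name")) for p in root.findall("uses-permission")]
    exported = []
    for component in root.find("application"):
        if component.tag not in COMPONENT_TAGS:
            continue
        flag, reason = is_exported(component, target_sdk)
        if flag:
            exported.append((component.tag, component.get(android_attr("name")), reason))
    return {
        "package": root.get("package"),
        "minSdkVersion": min_sdk,
        "targetSdkVersion": target_sdk,
        "permissions": permissions,
        "exported": exported,
    }


if __name__ == "__main__":
    report = audit_manifest(SAMPLE_MANIFEST)
    print("package", report["package"], "minSdk", report["minSdkVersion"],
          "targetSdk", report["targetSdkVersion"])
    for perm in report["permissions"]:
        print("permission:", perm)
    for tag, name, reason in report["exported"]:
        print("EXPORTED %-8s %-24s (%s)" % (tag, name, reason))
```

On the sample, MainActivity and ShareReceiverActivity show up as exported without any android:exported attribute, which is the case that is easy to miss when reading the manifest by eye; AdminActivity keeps its intent-filter but stays private because it is explicitly exported="false".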
Common Application Strings
- Look for hardcoded strings
  - in resources/strings.xml
  - in Activity source code
  - in
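An added example, not from the original notes: a Python scanner that runs a few endpoint and credential patterns over a strings.xml and over decompiled Activity source, the two places listed above. Both inputs are constructed for the example (the AWS access key is Amazon's documented example key, not a live credential), and the pattern set and function names are this example's own choices; extend `PATTERNS` with whatever the target's SDKs use.

```python
import re
import xml.etree.ElementTree as ET

# Constructed inputs: a strings.xml as jadx writes it under
# resources/res/values/ and one decompiled Activity source file.
STRINGS_XML = """<resources>
    <string name="app_name">Notes</string>
    <string name="api_base">https://api.example.com/v1/</string>
    <string name="aws_key">AKIAIOSFODNN7EXAMPLE</string>
    <string name="welcome">Welcome back</string>
</resources>"""

ACTIVITY_JAVA = """package com.example.notes;
public class SyncActivity extends Activity {
    private static final String API_KEY = "constructed_api_key_0123456789";
    private static final String DEBUG_HOST = "http://10.0.2.2:8080/debug";
    private String greeting = "Hello";
}"""

# Patterns worth a first pass; tune them per target.
PATTERNS = {
    "url": re.compile(r'''https?://[^\s"'<]+'''),
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}"),
    # NAME = "value" assignments whose name suggests a credential
    "assigned_secret": re.compile(r'(?i)(api[_-]?key|secret|token|password)\w*\s*=\s*"([^"]{8,})"'),
}


def scan_text(text, source):
    """Return (source, line, kind, match) for every pattern hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append((source, lineno, kind, match.group(0)))
    return findings


def scan_strings_xml(xml_text, source="res/values/strings.xml"):
    """Recast each <string> as name = "value" so the same patterns apply."""
    lines = ['%s = "%s"' % (elem.get("name"), elem.text or "")
             for elem in ET.fromstring(xml_text).iter("string")]
    return scan_text("\n".join(lines), source)


def scan_all():
    return scan_strings_xml(STRINGS_XML) + scan_text(ACTIVITY_JAVA, "SyncActivity.java")


if __name__ == "__main__":
    for source, lineno, kind, hit in scan_all():
        print("%-24s %3d %-16s %s" % (source, lineno, kind, hit))
```

Treat the hits as leads, not findings: an endpoint in strings.xml tells you where the dynamic-analysis proxy should be pointed, and a key in source is only a vulnerability once you have confirmed what it unlocks.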
Automated Static Analysis (MobSF)
iOS
Dynamic Analysis
Android
SSL Pinning
Used to ensure application traffic is not being intercepted.
- some mobile apps verify that the server certificate (or its public key) presented in the TLS handshake matches a certificate KNOWN to the app, instead of accepting anything the device trust store accepts
- a certificate imported into the phone as a root/user certificate therefore still might not be trusted by the application (on Android 7+, apps targeting API 24 or later also ignore user-installed CAs by default unless their network security config opts in)
- as a result, the TLS handshake to our proxy fails and the application shows a network error or crashes when we try to intercept its traffic
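The check a pinning app performs, as an added Python example (not code from the original notes or from any real app): `chain_matches_pins` accepts a certificate chain only if one certificate's SubjectPublicKeyInfo hashes to a pinned value, the same SHA-256/base64 pin format Android's network security config `<pin-set>` uses. The certificates here are constructed with a minimal DER encoder and placeholder key bits instead of real keys, which is enough to show the behaviour a tester runs into: a renewed certificate carrying the same key passes, while the interception proxy's certificate, which the device trust store accepts once the proxy CA is installed, is rejected because its key is not in the pin set. All function and constant names are this example's own.

```python
import base64
import hashlib

# --- minimal DER helpers, enough for the certificate skeleton used here ---

def der(tag, content):
    """Encode one DER TLV with a definite length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + content


def der_children(buf):
    """Split a DER blob into (tag, raw_tlv, value) triples."""
    out, pos = [], 0
    while pos < len(buf):
        start, tag, length = pos, buf[pos], buf[pos + 1]
        pos += 2
        if length & 0x80:
            n = length & 0x7F
            length = int.from_bytes(buf[pos:pos + n], "big")
            pos += n
        value = buf[pos:pos + length]
        pos += length
        out.append((tag, buf[start:pos], value))
    return out


def spki_der(cert_der):
    """Return the raw SubjectPublicKeyInfo TLV of an X.509 certificate."""
    (_, _, cert_body), = der_children(cert_der)      # Certificate SEQUENCE
    _, _, tbs = der_children(cert_body)[0]           # tbsCertificate
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:                         # optional [0] version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][1]


def spki_pin(cert_der):
    """Pin as Android's network security config encodes it: base64(sha256(SPKI))."""
    return base64.b64encode(hashlib.sha256(spki_der(cert_der)).digest()).decode()


def chain_matches_pins(chain_der, pin_set):
    """Accept the handshake only if some certificate in the chain carries a pinned key."""
    return any(spki_pin(cert) in pin_set for cert in chain_der)


# --- constructed certificates: valid DER structure, placeholder key bits ---

OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")   # 1.2.840.113549.1.1.11
OID_RSA = bytes.fromhex("2a864886f70d010101")          # 1.2.840.113549.1.1.1
OID_CN = bytes.fromhex("550403")                       # 2.5.4.3 commonName


def name(cn):
    return der(0x30, der(0x31, der(0x30, der(0x06, OID_CN) + der(0x0C, cn.encode()))))


def spki(key_bytes):
    # Placeholder BIT STRING instead of a real RSA key: the pin only hashes
    # the encoded structure, so the shape is what matters for this example.
    return der(0x30, der(0x30, der(0x06, OID_RSA) + der(0x05, b"")) + der(0x03, b"\x00" + key_bytes))


def fake_cert(serial, cn, key_bytes, not_before, not_after):
    alg = der(0x30, der(0x06, OID_SHA256_RSA) + der(0x05, b""))
    tbs = der(0x30,
              der(0xA0, der(0x02, b"\x02")) +                       # version v3
              der(0x02, bytes([serial])) +
              alg +
              name("Constructed Test CA") +
              der(0x30, der(0x17, not_before) + der(0x17, not_after)) +
              name(cn) +
              spki(key_bytes))
    return der(0x30, tbs + alg + der(0x03, b"\x00" * 9))           # dummy signature


SERVER_KEY = hashlib.sha256(b"constructed server key").digest()
PROXY_KEY = hashlib.sha256(b"constructed intercepting proxy key").digest()

ORIGINAL = fake_cert(1, "api.example.com", SERVER_KEY, b"240101000000Z", b"250101000000Z")
RENEWED = fake_cert(2, "api.example.com", SERVER_KEY, b"250101000000Z", b"260101000000Z")
PROXY = fake_cert(3, "api.example.com", PROXY_KEY, b"240601000000Z", b"250601000000Z")

# What the app ships with: the hash of the server's public key, not the certificate.
PIN_SET = {spki_pin(ORIGINAL)}

if __name__ == "__main__":
    for label, cert in (("original", ORIGINAL), ("renewed", RENEWED), ("proxy", PROXY)):
        print("%-8s sha256/%s accepted=%s" % (label, spki_pin(cert), chain_matches_pins([cert], PIN_SET)))
```

Pinning the SPKI rather than the whole certificate is why the renewed certificate still passes: the app survives routine certificate rotation as long as the key is kept. It is also why installing a proxy CA on the device changes nothing for this app; defeating the check means patching or hooking the pin comparison itself, which is the dynamic-analysis step.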