---
title: Auditing Android Applications
categories: [cheatsheets]
tags: [mobile]
---

# Auditing Android Source Code

## Things to check

* [ ] Check Activities & Permissions
* [ ] Check Intents & Intent Filters
* [ ] Check WebView + JavaScript combinations (`rg "JavascriptInterface"`)
* [ ] PendingIntents (e.g. for notifications) that are passed to another app. (1)
* [ ] Are all outgoing network connections secured? (HTTPS + Public Key Pinning) (`rg TrustManager`) (2)

## Malware Tricks

* Use native code (in `/lib/armeabi-v7a`) and call it with: `System.loadLibrary("name")`
* Start the web browser via the Intent `ACTION_VIEW` to bypass the Internet permission.
* Use Java Reflection to call methods by strings and obfuscate strings.
* Permission: `ACTION_NOTIFICATION_LISTENER_SETTINGS` lets an app get notified when a notification is posted (by any other app)
* Act as NotificationListener to get PendingIntents

## More Notes

(1) When you give a PendingIntent to another application, that application can perform the specified operation with the same permissions and identity as your app. Common mistake: specify a private activity in the pending intent. More @ MOBISEC ~ Set 11, Page 53

(2) No Public Key Pinning and no HSTS? -> SSL Stripping

(3) SSL pinning bypass using Frida: https://techblog.mediaservice.net/2018/11/universal-android-ssl-pinning-bypass-2/
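
The grep-style checks from the lists above, collected into one first-pass triage script. This is an added example, not part of the original cheatsheet: it uses plain `grep -rE` where the page uses `rg`, and the check labels, the `scan` and `make_sample` function names and the sample files are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: grep-based first pass over an Android source tree.
# Patterns come from the checklist; labels are made up for this sketch.
CHECKS='webview-js:JavascriptInterface|setJavaScriptEnabled
trust-manager:TrustManager
pending-intent:PendingIntent\.get(Activity|Service|Broadcast)
exported-component:android:exported="true"
intent-filter:<intent-filter
native-code:System\.loadLibrary
browser-intent:ACTION_VIEW
notification-listener:NotificationListener|ACTION_NOTIFICATION_LISTENER_SETTINGS'

# scan DIR: prints "label count" per check on stdout, matching lines on stderr.
scan() {
    dir=$1
    printf '%s\n' "$CHECKS" | while IFS= read -r entry; do
        label=${entry%%:*}      # text before the first ':'
        regex=${entry#*:}       # everything after it (may itself contain ':')
        hits=$(grep -rnE --include='*.java' --include='*.kt' --include='*.xml' \
                    -e "$regex" "$dir" 2>/dev/null || true)
        count=0
        if [ -n "$hits" ]; then
            count=$(printf '%s\n' "$hits" | wc -l | tr -d ' ')
            printf '%s\n' "$hits" | sed "s/^/  [$label] /" >&2
        fi
        printf '%s %s\n' "$label" "$count"
    done
}

# make_sample DIR: writes tiny constructed snippets to scan (not a real app).
make_sample() {
    mkdir -p "$1/src"
    cat > "$1/AndroidManifest.xml" <<'EOF'
<activity android:name=".Share" android:exported="true">
  <intent-filter><action android:name="android.intent.action.SEND"/></intent-filter>
</activity>
EOF
    cat > "$1/src/Main.java" <<'EOF'
webView.getSettings().setJavaScriptEnabled(true);
webView.addJavascriptInterface(new Bridge(), "bridge");
PendingIntent pi = PendingIntent.getActivity(ctx, 0, intent, 0);
System.loadLibrary("name");
EOF
}

# Usage: ./audit.sh path/to/app   (no argument: scan the constructed sample)
if [ "$#" -gt 0 ]; then
    scan "$1"
else
    tmp=$(mktemp -d) && make_sample "$tmp" && scan "$tmp"; rm -rf "$tmp"
fi
```

A non-zero count only marks a place to read by hand; a zero count does not prove the check passes, since reflection and string obfuscation hide names from text search.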