--- title: Auditing Android Applications date: 2021-01-13 categories: [cheatsheets] tags: [mobile] --- # Auditing Android Source Code ## Things to check * [ ] Check Activities & Permissions * [ ] Check Intents & Intent Filters * [ ] Check WebView + Javascript combinations (rg "JavascriptInterface") * [ ] PendingIntents (e.g. for notifications) that are passed to another app. (1) * [ ] Are all outgoing network connections secured? (Https + Public Key Pinning) (rg TrustManager) (2) ## Malware Tricks * Use Native Code (in /lib/armeabi-v7a) and call it with: System.loadLibrary('name') * Start the webbrowser via the Intent ACTION_VIEW to bypass Internet permission. * Use Java Reflection to call methods by strings and obfuscate strings. * Permission: ACTION_NOTIFICATION_LISTENER_SETTINGS lets an app get notified when a notification is posted (by any other app) * Act as NotificationListener to get Pending Intents ## More Notes (1) When giving a PendingIntent to another application, this app can perform the operation specified (with the same permissions & identity) Common Mistake: specifiy private activity in the pending intent More @ MOBISEC ~ Set 11, Page 53 (2) No Public Key Pinning and no HSTS? -> SSL Stripping (3) SSL pinning bypass using Frida: https://techblog.mediaservice.net/2018/11/universal-android-ssl-pinning-bypass-2/