android_audit.md 1.3 KB
title: Auditing Android Applications categories: [cheatsheets]
tags: [mobile]
Auditing Android Source Code
Things to check
- Check Activities & Permissions
- Check Intents & Intent Filters
- Check WebView + Javascript combinations (rg "JavascriptInterface")
- PendingIntents (e.g. for notifications) that are passed to another app. (1)
- Are all outgoing network connections secured? (Https + Public Key Pinning) (rg TrustManager) (2)
Malware Tricks
- Use Native Code (in /lib/armeabi-v7a) and call it with: System.loadLibrary('name')
- Start the webbrowser via the Intent ACTION_VIEW to bypass Internet permission.
- Use Java Reflection to call methods by strings and obfuscate strings.
- Permission: ACTION_NOTIFICATION_LISTENER_SETTINGS lets an app get notified when a notification is posted (by any other app)
- Act as NotificationListener to get Pending Intents
More Notes
(1) When giving a PendingIntent to another application, this app can perform the operation specified (with the same permissions & identity) Common Mistake: specifiy private activity in the pending intent More @ MOBISEC ~ Set 11, Page 53
(2) No Public Key Pinning and no HSTS? -> SSL Stripping
(3) SSL pinning bypass using Frida: https://techblog.mediaservice.net/2018/11/universal-android-ssl-pinning-bypass-2/