cheatsheets/checklists/mobile/android_audit.md

---

title: Auditing Android Applications date: 2021-01-13 categories: [cheatsheets]

tags: [mobile]

Auditing Android Source Code

Things to check

• Check Activities & Permissions
• Check Intents & Intent Filters
• Check WebView + Javascript combinations (rg "JavascriptInterface")
• PendingIntents (e.g. for notifications) that are passed to another app. (1)
• Are all outgoing network connections secured? (Https + Public Key Pinning) (rg TrustManager) (2)

Malware Tricks

• Use Native Code (in /lib/armeabi-v7a) and call it with: System.loadLibrary('name')
• Start the webbrowser via the Intent ACTION_VIEW to bypass Internet permission.
• Use Java Reflection to call methods by strings and obfuscate strings.
• Permission: ACTION_NOTIFICATION_LISTENER_SETTINGS lets an app get notified when a notification is posted (by any other app)
• Act as NotificationListener to get Pending Intents

More Notes

(1) When giving a PendingIntent to another application, this app can perform the operation specified (with the same permissions & identity) Common Mistake: specifiy private activity in the pending intent More @ MOBISEC ~ Set 11, Page 53

(2) No Public Key Pinning and no HSTS? -> SSL Stripping

(3) SSL pinning bypass using Frida: https://techblog.mediaservice.net/2018/11/universal-android-ssl-pinning-bypass-2/