Android Pentest Checklist

The document is a comprehensive checklist for conducting Android application penetration testing, covering various aspects such as decompiling APKs, traffic inspection, and identifying vulnerabilities like SQL injection and insecure data storage. It includes recommended tools and techniques for analyzing application security, including SSL/TLS weaknesses, sensitive information disclosure, and authentication flaws. The checklist emphasizes the importance of thorough testing and analysis to uncover potential security risks in mobile applications.

Uploaded by sasyareeth

Sr. No  Title

1   Decompile APK
2   Use AttackDefense resources for test cases
3   App installation
4   Traffic inspection
5   Sensitive information present in shared_prefs file
6   Recommended Tools
7   SSL/TLS Weak Encryption
8   Interacting with the activity manager via ADB
9   Extracting application resources via ADB
10  Inspecting the AndroidManifest.xml file
11  Analyze component list and their permissions
12  SSL Pinning bypass
13  Information disclosure via logcat
14  Inspecting network traffic
15  Passive intent sniffing via the activity manager, Attacking services, Attacking broadcast receivers, Exploiting debuggable applications
16  Enumerating vulnerable content providers, Extracting data from vulnerable content providers, Inserting data into content providers
17  Man-in-the-middle attacks
18  Intercept SSL Traffic
19  Reverse Engineering the Application Code
20  Tapjacking
21  Decompile dex files
22  Cross-compiling native executables
23  Exploitation of race condition vulnerabilities
24  Stack memory corruption exploitation
25  Automated native Android fuzzing
26  Inspeckage - Android Package Inspector
27  Check if application transmits data through AES encryption?
28  Hard-coded credentials in source code
29  Insecure version of Android OS Installation Allowed
30  Cryptographic Based Storage Strength
31  Poor key management process
32  Unrestricted Backup file
33  Unencrypted Database files
34  Insecure Shared Storage
35  Insecure Application Data Storage
36  Application Backgrounding (Screenshot)
37  Copy/Paste Buffer Caching
38  Remember Credentials Functionality (Persistent authentication)
39  Client Side Based Authentication Flaws
40  Client Side Authorization Breaches
41  Insufficient WebView hardening (XSS)
42  Content Providers: SQL Injection and Local File Inclusion
43  Injection (SQLite Injection, XML Injection)
44  Local File Inclusion through WebViews
45  Abusing Android Components through IPC intents ("exported" and "intent-filter")
46  Abusing URL schemes
47  Unauthorized Code Modification
48  Debug the application behavior through runtime analysis
49  Insecure Transport Layer Protocols
50  Disable certificate validation
51  Self-signed certificate
52  Exposing Device Specific Identifiers in Attacker Visible Elements
53  Excessive ports opened at Firewall
54  Default credentials on Application Server
55  Exposure of Webservices through WSDL document
56  Security Misconfiguration on Webserver
57  Input validation on API
58  Information Exposure through API response message
59  Bypassing business logic flaws
60  Session invalidation on Backend
61  Session Timeout Protection
62  Cookie Rotation
63  Token Creation
64  Scan APK for automated vulnerability testing
65  Information disclosure using logcat
66  Application downloads any assets from HTTP resource
67  Check if whole database structure is disclosed within source code
68  Information disclosure through Network Miner
69  Debugging Android apps using AndBug
70  Automated APK Native Analysis
71  APK editor
72  Runtime analysis using Appmon
73  WebView based vulnerabilities
74  Authentication Bypass
75  Memory Dump
76  Scanning APK file for URIs, endpoints & secrets
77  Extract URLs from apk
78  StaCoAn is a cross-platform tool which aids developers, bug bounty hunters and ethical hackers performing static code analysis on mobile applications.
Android App Pentest Checklist

Summary

1   Decompile the APK to find hardcoded secrets.
2   AttackDefense
3   App runs on an emulator/rooted device.
4   Configure Burp Suite with the mobile device.
5   Check for sensitive info such as app username and password, account number, credit card details etc. in the shared_prefs files on Android.

7   Identify the SSL/TLS encryption algorithms.

11  androidpermissions.com
12  Here are some bypasses and recommendations for SSL pinning implementation.

19  Disassembling and decompiling the application, obfuscation checking.

21  Disassembling and decompiling the application, obfuscation checking.

29  Identify "minSdkVersion" in apktool.yml; the value should be set above 17.
30  Identify insecure/deprecated cryptographic algorithms (RC4, MD5, SHA1) in the source code.
31  Identify hardcoded keys in the application; keys may also be intercepted via binary attacks.
32  Check the "android:allowBackup" attribute, which should be set to "false".
33  Check encryption on database files.
34  Identify sensitive data on shared storage, SD card storage encryption, shared preferences with MODE_WORLD_READABLE.
35  Identify sensitive data in application files (application log, cache files, cookies).
36  Identify application snapshot/screenshot on backgrounding.
37  Identify whether the copy/paste function is disabled for sensitive parts of the application on EditText/UITextField.
38  Identify the user's password or sessions stored on the device.
39  Perform binary attacks against the mobile app in order to bypass offline authentication.
40  Perform binary attacks against the mobile app and try to execute privileged functionality that should only be executable by a user of higher privilege.
41  Identify misconfiguration of "android.webkit.WebSettings" (JavaScript/file access/plugins), XSS through UIWebView.
    1. Analyze the apk and find HTML files.
    2. Identify which function or feature calls that HTML.
    3. Try an XSS payload against the same.
42  Identify SQLi and LFI on content provider components.
43  Identify SQLi and XMLi on the application.
44  Check LFI on the application (../ , ../../blah\0); WebView file access attack through setAllowFileAccess.
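Items 42 to 44 above name the two content provider entry points a tester hits through drozer: query() with attacker-controlled projection/selection, and openFile() with a traversal path. The following is an added example written for this page, not code from the checklist's author; it models a provider's query builder in Python over an in-memory SQLite table (constructed sample rows, hypothetical package names) so the injection and the hardened form can be run side by side. The vulnerable function splices the caller's projection and selection into SQL the way a provider that appends its own owner filter to a caller-supplied selection does; the hardened one only lets whitelisted identifiers into the SQL text and binds every value. resolve_provider_path is the corresponding hardened openFile() check.

```python
"""Content provider query() and openFile() as attack surface: the concatenating
version a tester exploits through drozer, next to the whitelisted/parameterized one."""
import os
import sqlite3


def setup_db():
    """Constructed sample data: two apps' rows behind one provider authority."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE notes (id INTEGER PRIMARY KEY, owner TEXT, title TEXT, body TEXT);
        INSERT INTO notes (owner, title, body) VALUES
          ('com.example.victim', 'todo', 'buy milk'),
          ('com.example.victim', 'bank', 'PIN 4821'),
          ('com.example.other', 'private', 'other app secret');
    """)
    return db


def query_vulnerable(db, caller, projection="*", selection="1=1"):
    """Mirrors a provider that splices the caller-supplied projection and selection
    straight into SQL after its own owner restriction (the classic drozer target)."""
    sql = f"SELECT {projection} FROM notes WHERE owner = '{caller}' AND ({selection})"
    return db.execute(sql).fetchall()


ALLOWED_COLUMNS = ("id", "title", "body")


def query_hardened(db, caller, columns=ALLOWED_COLUMNS, filters=None):
    """Only whitelisted identifiers reach the SQL text; every value is a bound parameter."""
    columns = list(columns)
    filters = dict(filters or {})
    if not set(columns) <= set(ALLOWED_COLUMNS) or not set(filters) <= set(ALLOWED_COLUMNS):
        raise ValueError("unknown column in projection or selection")
    sql = f"SELECT {', '.join(columns)} FROM notes WHERE owner = ?"
    params = [caller]
    for column, value in filters.items():
        sql += f" AND {column} = ?"      # column name comes from the whitelist, value is bound
        params.append(value)
    return db.execute(sql, params).fetchall()


def resolve_provider_path(base_dir, requested):
    """Hardened openFile(): reject NUL bytes and confine the resolved path to base_dir,
    so the '../' and '../../blah\\0' requests from the checklist are refused."""
    if "\0" in requested:
        raise ValueError("NUL byte in path")
    base = os.path.realpath(base_dir)
    full = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, full]) != base:
        raise ValueError("path escapes provider root")
    return full


if __name__ == "__main__":
    db = setup_db()
    print("legit:", query_vulnerable(db, "com.example.victim"))
    print("selection injection:", query_vulnerable(db, "com.example.victim", selection="1=1) OR (1=1"))
    print("schema via projection:", query_vulnerable(db, "com.example.victim", projection="* FROM sqlite_master --"))
    print("hardened:", query_hardened(db, "com.example.victim", filters={"title": "1=1) OR (1=1"}))
```

The selection payload `1=1) OR (1=1` closes the provider's own parenthesised restriction and disables the owner check; the projection payload `* FROM sqlite_master --` comments out everything after it and returns the schema, which is exactly what drozer's `--projection` and `--selection` options deliver against a real provider. The hardened query treats the same payloads as a literal title value (no rows) and as an unknown column (ValueError).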
45  Identify Android exported components.
46  For Android: identify URL schemes through the source code or the apk file.
47  Binary attack through run-time manipulation and code modification.
48  Identify the "android:debuggable" attribute; attach to the application using GDB/LLDB.
49  Observe the device's network traffic through a proxy to see whether SSL is implemented or not.
50  Lets the tester intercept SSL traffic without installing a certificate (an empty checkServerTrusted that rejects nobody).
51  Application accepts a certificate from any trusted CA (Burp Suite). Check setAllowsAnyHTTPSCertificate (iOS) and AllowAllHostnameVerifier (Android).
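Items 30, 41, 50 and 51 all come down to the same activity: grepping decompiled Java for the calls that disable certificate validation, open up a WebView, or pick a weak algorithm. The scanner below is an added example for this page, not the checklist's own code or tooling; it runs a set of regex rules over a constructed dictionary of hypothetical source files (jadx/JD-GUI output would be read from disk in practice) and reports file, line and rule. The patterns are deliberately multi-line so that the empty checkServerTrusted() body of item 50 is caught, and `Cipher.getInstance("AES")` is flagged because that transformation string resolves to ECB mode.

```python
"""Grep-style source review for TLS, crypto and WebView weaknesses in
decompiled Java (jadx / JD-GUI output)."""
import re

# Each rule: (finding name, compiled pattern). Patterns run over the whole file
# so multi-line bodies such as an empty checkServerTrusted() are caught.
RULES = [
    ("empty-checkServerTrusted",
     re.compile(r"checkServerTrusted\s*\([^)]*\)\s*(?:throws[^{]*)?\{\s*\}")),
    ("hostname-verifier-returns-true",
     re.compile(r"verify\s*\(\s*String[^)]*\)\s*\{\s*return\s+true\s*;\s*\}")),
    ("allow-all-hostname-verifier",
     re.compile(r"ALLOW_ALL_HOSTNAME_VERIFIER|AllowAllHostnameVerifier|NoopHostnameVerifier")),
    ("webview-javascript-enabled", re.compile(r"setJavaScriptEnabled\s*\(\s*true\s*\)")),
    ("webview-file-access",
     re.compile(r"setAllow(?:FileAccess|FileAccessFromFileURLs|UniversalAccessFromFileURLs)"
                r"\s*\(\s*true\s*\)")),
    ("webview-js-interface", re.compile(r"addJavascriptInterface\s*\(")),
    ("weak-hash", re.compile(r'MessageDigest\.getInstance\s*\(\s*"(?:MD5|SHA-?1)"')),
    # "AES" with no mode resolves to AES/ECB/PKCS5Padding on Android, so it is flagged too
    ("weak-cipher",
     re.compile(r'Cipher\.getInstance\s*\(\s*"(?:RC4|ARCFOUR|DES|DESede|AES|AES/ECB[^"]*)"')),
    ("world-readable-prefs", re.compile(r"MODE_WORLD_(?:READABLE|WRITEABLE)")),
]


def scan_sources(files):
    """files: {relative path: source text}. Returns sorted (path, line, rule) tuples."""
    findings = []
    for path, src in files.items():
        for rule, pattern in RULES:
            for m in pattern.finditer(src):
                line = src.count("\n", 0, m.start()) + 1
                findings.append((path, line, rule))
    return sorted(findings)


# Constructed sample sources (hypothetical app code), not taken from any real app.
SAMPLE_SOURCES = {
    "net/TrustAllManager.java": """
public class TrustAllManager implements X509TrustManager {
    public void checkClientTrusted(X509Certificate[] chain, String authType) {}
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
    }
    public X509Certificate[] getAcceptedIssuers() { return null; }
}
""",
    "net/Hostnames.java": """
HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
    public boolean verify(String hostname, SSLSession session) { return true; }
});
sf.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
""",
    "ui/WebActivity.java": """
WebSettings s = webView.getSettings();
s.setJavaScriptEnabled(true);
s.setAllowFileAccess(true);
s.setAllowUniversalAccessFromFileURLs(true);
webView.addJavascriptInterface(new Bridge(), "Android");
webView.loadUrl(getIntent().getStringExtra("url"));
""",
    "crypto/CryptoUtil.java": """
MessageDigest md = MessageDigest.getInstance("MD5");
Cipher c = Cipher.getInstance("AES");
Cipher rc4 = Cipher.getInstance("RC4");
Cipher ok = Cipher.getInstance("AES/GCM/NoPadding");
SharedPreferences p = getSharedPreferences("s", Context.MODE_WORLD_READABLE);
""",
}

if __name__ == "__main__":
    for path, line, rule in scan_sources(SAMPLE_SOURCES):
        print(f"{path}:{line}: {rule}")
```

Every hit still needs manual confirmation (a trust manager may be wired only into a debug build, a JavaScript interface may expose nothing sensitive), but the rules cover the questions the checklist asks and make the review repeatable across builds.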
52  Observe the device's network traffic through a proxy to see whether device information (UDID) is sent during transmission.
53  Identify open ports at the server-side URL/IP address.
54  Identify default credentials on the backend server (e.g. Tomcat application server using tomcat/tomcat, admin/tomcat).
55  Identify web service help pages (*.asmx) which show methods and structure.
56  Identify webserver configuration (e.g. error handling, HTTP response banner).
57  Check input validation on API/web services.
58  Identify sensitive information in API response messages/headers.
59  Identify missing function level access control; negative value testing.
60  Ensure that all session invalidation events are executed on the server side and not just in the mobile app.
61  The mobile app must have adequate timeout protection on the backend components.
62  Ensure that cookie reset is properly implemented during authentication state changes (Anonymous<->User, User A<->User B, Timeout).
63  Tokens should use a standard algorithm and be sufficiently long, complex, and pseudo-random so as to be resistant to guessing/anticipation attacks.
64  Scan the apk using the mentioned tools.
65  Connect via Facebook or Twitter and check whether their credentials are stored in logcat.
66  Check whether the application downloads any resource from an external website over HTTP.
67  Information disclosure.
68  Sniff packets in real time while using the application and check whether any sensitive packets are disclosed.
69  Debug the Android application using AndBug.
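Items 5, 13 and 65 (and the application-file checks in 34 and 35) all reduce to reading text the app left behind and deciding what in it is sensitive. The code below is an added example for this page, not the checklist's own tooling; it scans a constructed shared_prefs XML file and a constructed block of logcat threadtime output (both hypothetical, embedded inline) for sensitive preference names, key=value credentials in log messages, JWT-shaped tokens, and Luhn-valid card numbers. The Luhn check is what separates a real PAN from the other long digit runs (pids, timestamps, counters) that fill a logcat capture.

```python
"""Flag secrets that leak into shared_prefs XML and logcat output."""
import re
import xml.etree.ElementTree as ET

SENSITIVE_KEY = re.compile(r"(?i)(pass(?:word|wd)?|pin|secret|token|session|cookie|card|cvv|account)")
JWT = re.compile(r"\beyJ[A-Za-z0-9_-]{6,}\.[A-Za-z0-9_-]{2,}\.[A-Za-z0-9_-]*")
PAN_CANDIDATE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")          # 13 to 19 digits, optional separators
KEY_VALUE_IN_LOG = re.compile(r"(?i)\b(?:pass(?:word|wd)?|pin|secret|token|session|cookie|cvv)\s*[=:]\s*\S+")


def luhn_ok(digits):
    """Luhn checksum, used to tell card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def card_numbers(text):
    return [re.sub(r"[ -]", "", m.group()) for m in PAN_CANDIDATE.finditer(text)
            if luhn_ok(re.sub(r"[ -]", "", m.group()))]


def value_findings(text):
    reasons = []
    if JWT.search(text):
        reasons.append("jwt-value")
    if card_numbers(text):
        reasons.append("card-number-value")
    return reasons


def scan_shared_prefs(xml_text):
    """Return (preference name, reason) for <map> entries that look sensitive."""
    hits = []
    for entry in ET.fromstring(xml_text):
        name = entry.get("name", "")
        value = entry.text or entry.get("value") or ""   # <string> uses text, <boolean>/<int> use value=
        if SENSITIVE_KEY.search(name):
            hits.append((name, "sensitive-key"))
        for reason in value_findings(value):
            hits.append((name, reason))
    return hits


LOG_LINE = re.compile(r"^\S+ \S+\s+\d+\s+\d+ [VDIWEF] ([^:]+): (.*)$")   # logcat -v threadtime


def scan_logcat(text):
    """Return (line number, tag, reason) for log lines leaking credentials or card data.
    Only the message part is inspected, so timestamps and pids never become false PANs."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = LOG_LINE.match(line)
        if not m:
            continue
        tag, msg = m.group(1), m.group(2)
        if KEY_VALUE_IN_LOG.search(msg):
            hits.append((n, tag, "credential-in-log"))
        for reason in value_findings(msg):
            hits.append((n, tag, reason.replace("-value", "-in-log")))
    return hits


# Constructed samples (hypothetical app, fake credentials), not captured from a real device.
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="username">alice</string>
    <string name="password">Hunter2</string>
    <string name="state">eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.sig_here</string>
    <string name="pref_1">4111 1111 1111 1111</string>
    <boolean name="remember_me" value="true" />
    <int name="launch_count" value="7" />
</map>
"""

SAMPLE_LOGCAT = """\
03-14 10:22:01.123  4321  4321 D LoginActivity: POST /api/login user=alice password=Hunter2
03-14 10:22:01.456  4321  4380 I OkHttp: <-- 200 https://api.example-app.test/api/login (310ms)
03-14 10:22:01.460  4321  4380 D AuthStore: saved session eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.sig_here
03-14 10:22:05.001  4321  4321 D PayFragment: charging card 4111111111111111 exp 12/27
03-14 10:22:06.000  4321  4321 V Lifecycle: onResume MainActivity
"""

if __name__ == "__main__":
    print(scan_shared_prefs(SAMPLE_PREFS))
    print(scan_logcat(SAMPLE_LOGCAT))
```

On a device the inputs come from `adb shell cat /data/data/<package>/shared_prefs/*.xml` (root or a debuggable build) and `adb logcat -v threadtime`; the value-based rules matter because the `pref_1` entry and the AuthStore line would slip past a scan that only looks at key names.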

Preliminary Analysis
++ Parsing smali files for analysis via smalisca
++ Dump apk assets,libraries and resources
++ Extracting certificate data via openssl
++ Extract strings and app permissions via aapt
++ Identify methods and classes via ClassyShark
++ Scan for apk vulnerabilities via androbugs
++ Analyze apk for potential malicious behaviour via androwarn
++ Identify compilers, packers and obfuscators via APKiD
++ Extract execution paths, IP addresses, URL, URI, emails via regex
++ Domain SSL scan via pyssltest and testssl

* APK Manifest Analysis


++ Extract Intents
++ Extract exported activities
++ Extract receivers
++ Extract exported receivers
++ Extract Services
++ Extract exported services
++ Check if apk is debuggable
++ Check if apk allows backups
++ Check if apk allows sending of secret codes
++ Check if apk can receive binary SMS
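The manifest analysis list above (and items 10, 29, 32, 45 and 48 earlier) can be automated against the decoded AndroidManifest.xml that apktool writes. The following is an added example for this page, not the checklist's own tooling or the MARA framework's code; it parses a constructed manifest for a hypothetical package and applies the platform's own defaults: an explicit android:exported wins, a provider without it is exported only when targetSdkVersion is below 17, any other component with an intent-filter is exported (for targetSdkVersion 31 and above the attribute must be explicit or the install fails), allowBackup defaults to true, and cleartext HTTP is permitted by default only below targetSdkVersion 28. The secret-code and binary-SMS checks look for receivers on android.provider.Telephony.SECRET_CODE and android.intent.action.DATA_SMS_RECEIVED.

```python
"""Static review of a decoded AndroidManifest.xml (apktool output)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _attr(elem, name, default=None):
    value = elem.get(f"{{{ANDROID_NS}}}{name}") if elem is not None else None
    return default if value is None else value


def is_exported(component, kind, target_sdk):
    """Platform defaults: explicit android:exported wins; a provider is exported by default
    only below targetSdk 17; any other component with an <intent-filter> is exported."""
    explicit = _attr(component, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    if kind == "provider":
        return target_sdk < 17
    return component.find("intent-filter") is not None


def analyze_manifest(xml_text):
    root = ET.fromstring(xml_text)
    sdk = root.find("uses-sdk")
    min_sdk = int(_attr(sdk, "minSdkVersion", "1"))
    target_sdk = int(_attr(sdk, "targetSdkVersion", str(min_sdk)))
    app = root.find("application")
    report = {
        "package": root.get("package"), "min_sdk": min_sdk, "target_sdk": target_sdk,
        "debuggable": _attr(app, "debuggable", "false").lower() == "true",
        "allow_backup": _attr(app, "allowBackup", "true").lower() == "true",   # default true
        "cleartext_allowed": _attr(app, "usesCleartextTraffic",
                                   "true" if target_sdk < 28 else "false").lower() == "true",
        "permissions": [_attr(p, "name") for p in root.findall("uses-permission")],
        "exported": {}, "secret_code_receivers": [], "data_sms_receivers": [],
    }
    for kind in ("activity", "service", "receiver", "provider"):
        report["exported"][kind] = [_attr(c, "name") for c in app.findall(kind)
                                    if is_exported(c, kind, target_sdk)]
    for receiver in app.findall("receiver"):
        actions = {_attr(a, "name") for a in receiver.iter("action")}
        if "android.provider.Telephony.SECRET_CODE" in actions:
            report["secret_code_receivers"].append(_attr(receiver, "name"))
        if "android.intent.action.DATA_SMS_RECEIVED" in actions:
            report["data_sms_receivers"].append(_attr(receiver, "name"))
    return report


def findings(report):
    """Turn the report into the lines a tester would write up."""
    out = []
    if report["debuggable"]:
        out.append("android:debuggable=true (runtime debugging via jdwp)")
    if report["allow_backup"]:
        out.append("android:allowBackup not set to false (adb backup extracts app data)")
    if report["cleartext_allowed"]:
        out.append("cleartext HTTP permitted")
    out += [f"exported {kind}: {name}" for kind, names in report["exported"].items() for name in names]
    out += [f"secret-code receiver: {n}" for n in report["secret_code_receivers"]]
    out += [f"binary-SMS receiver: {n}" for n in report["data_sms_receivers"]]
    return out


# Constructed sample manifest for a hypothetical package, not a real app's.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.victim">
  <uses-sdk android:minSdkVersion="16" android:targetSdkVersion="30"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:debuggable="true" android:allowBackup="true">
    <activity android:name=".MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/></intent-filter>
    </activity>
    <activity android:name=".DeepLinkActivity" android:exported="true">
      <intent-filter><action android:name="android.intent.action.VIEW"/>
        <data android:scheme="victim"/></intent-filter>
    </activity>
    <activity android:name=".SettingsActivity" android:exported="false"/>
    <service android:name=".SyncService">
      <intent-filter><action android:name="com.example.victim.SYNC"/></intent-filter>
    </service>
    <receiver android:name=".SecretCodeReceiver">
      <intent-filter><action android:name="android.provider.Telephony.SECRET_CODE"/>
        <data android:scheme="android_secret_code" android:host="1234"/></intent-filter>
    </receiver>
    <receiver android:name=".SmsReceiver">
      <intent-filter><action android:name="android.intent.action.DATA_SMS_RECEIVED"/>
        <data android:scheme="sms" android:port="8901"/></intent-filter>
    </receiver>
    <provider android:name=".NotesProvider" android:authorities="com.example.victim.notes"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for line in findings(analyze_manifest(SAMPLE_MANIFEST)):
        print(line)
```

Run it on `apktool d app.apk` output with `analyze_manifest(open("app/AndroidManifest.xml").read())`; the exported list is the input for the drozer and `am start`/`am broadcast` work in items 8, 15 and 45, and the provider default explains the checklist's minSdkVersion-above-17 requirement.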

71  Runtime editing of the APK binary using the APK editor tool.
72  Appmon
73  Exploiting WebViews with Metasploit.
74  Bruteforce - A brute force attack is a trial-and-error method used to obtain information such as a user password or personal identification number (PIN).
    1. A brute force attack is a waste of time unless you reduce the outcomes (permutations and combinations).
    2. Try to think logically and reduce the outcomes.
    3. Try to brute force the OTP, verification code or any other secondary authentication value.
    4. The verification code should be checked on the server side and should be sent to the user's phone, but sometimes the app authenticates using the verification code on the client side, so you can find the code in the HTTP response, backup, logs etc.
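Step 4 above states the control that decides whether the brute force in step 3 is feasible: the code must be generated, kept and checked on the server. The following is an added example for this page, not code from the checklist's author; it is a minimal server-side OTP store (hypothetical API, injectable clock for testing) that compares in constant time, expires codes, and invalidates a code after a fixed number of failed guesses, together with the arithmetic for an attacker's chance of success and a simulated sequential brute force against it. With a 6-digit code and 5 attempts the attacker's success probability is 5 in a million per issued code; without the attempt limit the same loop would need at most a million requests.

```python
"""Server-side OTP verification with attempt limiting, and the arithmetic behind
why brute force only works when such limits are missing."""
import hmac
import secrets
import time

OTP_DIGITS = 6
MAX_ATTEMPTS = 5             # failed guesses tolerated per issued code
OTP_TTL_SECONDS = 300


class OtpStore:
    """Holds pending codes on the server; the code itself is never sent to the app."""

    def __init__(self, now=time.time):
        self._now = now                       # injectable clock for testing
        self._pending = {}                    # user -> [code, expires_at, failures]

    def issue(self, user):
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[user] = [code, self._now() + OTP_TTL_SECONDS, 0]
        return code                           # goes to the SMS gateway, never into the HTTP response

    def verify(self, user, guess):
        entry = self._pending.get(user)
        if entry is None:
            return "no-code"
        code, expires_at, _ = entry
        if self._now() > expires_at:
            del self._pending[user]
            return "expired"
        if hmac.compare_digest(code, guess):  # constant-time compare
            del self._pending[user]           # single use
            return "ok"
        entry[2] += 1
        if entry[2] >= MAX_ATTEMPTS:
            del self._pending[user]           # invalidate; the user must request a new code
            return "locked"
        return "wrong"


def brute_force_success_probability(digits=OTP_DIGITS, attempts=MAX_ATTEMPTS):
    """Chance that `attempts` distinct guesses hit one uniformly random code."""
    return min(1.0, attempts / 10 ** digits)


def simulate_brute_force(store, user):
    """Attacker walks the keyspace from 000000 upward until the server stops answering 'wrong'."""
    guesses = 0
    for candidate in range(10 ** OTP_DIGITS):
        guesses += 1
        outcome = store.verify(user, f"{candidate:0{OTP_DIGITS}d}")
        if outcome != "wrong":
            return outcome, guesses
    return "exhausted", guesses


if __name__ == "__main__":
    store = OtpStore()
    store.issue("alice")
    print("attacker result:", simulate_brute_force(store, "alice"))
    print("p(success) per code:", brute_force_success_probability())
```

When testing, the observable difference is the response after the fifth wrong guess: a correct implementation answers "locked" (or equivalent) and the real code no longer works, while a client-side check, or a server without the counter, keeps answering "wrong" all the way through the keyspace.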
75  https://github.com/Nightbringer21/fridump
76  https://github.com/dwisiswant0/apkleaks
77  apktool d app.apk -o uberApk; grep -Phro "(https?://)[\w\.-/]+[\"'\`]" uberApk/ | sed
78  https://github.com/vincentcox/StaCoAn
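Items 76 and 77 (and the "extract execution paths, IP addresses, URL, URI, emails via regex" step of item 70) are one pass of regular expressions over the decoded APK tree. The scanner below is an added example for this page, not the code of apkleaks, StaCoAn or the grep one-liner above; it walks a constructed in-memory tree of smali, strings.xml and a properties file for a hypothetical app (on disk you would fill the dictionary from `os.walk` over the apktool output directory) and collects URLs, IPv4 addresses, e-mail addresses, AWS and Google API key shapes, and named secrets from resource/config files, filtering out the XML namespace hosts that appear in every APK.

```python
"""Harvest URLs, IPs, e-mail addresses and obvious API keys from a decoded
APK tree (smali, resources, assets) in one pass."""
import re
from urllib.parse import urlparse

URL = re.compile(r"""https?://[\w.\-]+(?::\d+)?(?:/[^\s"'<>`]*)?""")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
AWS_KEY = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
GOOGLE_KEY = re.compile(r"\bAIza[0-9A-Za-z_\-]{35}(?![0-9A-Za-z_\-])")
XML_STRING = re.compile(r'<string name="([^"]+)">([^<]*)</string>')
PROP_LINE = re.compile(r"^\s*([\w.\-]+)\s*[=:]\s*(\S.*)$", re.M)
SECRET_NAME = re.compile(r"(?i)key|secret|pass|token|auth")
# hosts present in every APK because of XML namespaces, not because the app talks to them
NOISE_HOSTS = {"schemas.android.com", "www.w3.org", "schemas.xmlsoap.org"}


def valid_ipv4(s):
    return all(0 <= int(octet) <= 255 for octet in s.split("."))


def scan_tree(files):
    """files: {path: text}. Returns de-duplicated, sorted findings per category."""
    urls, ips, emails, aws, google, named = set(), set(), set(), set(), set(), set()
    for path, text in files.items():
        for u in URL.findall(text):
            if urlparse(u).hostname not in NOISE_HOSTS:
                urls.add(u)
        ips.update(ip for ip in IPV4.findall(text) if valid_ipv4(ip))
        emails.update(EMAIL.findall(text))
        aws.update(AWS_KEY.findall(text))
        google.update(GOOGLE_KEY.findall(text))
        if path.endswith("strings.xml"):
            pairs = XML_STRING.findall(text)
        elif path.endswith((".properties", ".env", ".cfg", ".ini")):
            pairs = PROP_LINE.findall(text)
        else:
            pairs = []
        named.update((path, name, value) for name, value in pairs if SECRET_NAME.search(name))
    return {
        "urls": sorted(urls), "ips": sorted(ips), "emails": sorted(emails),
        "aws_keys": sorted(aws), "google_api_keys": sorted(google),
        "named_secrets": sorted(named),
    }


# Constructed sample tree for a hypothetical app; the AWS key is Amazon's documented
# example key and the Google key is a made-up string of the right shape.
SAMPLE_TREE = {
    "smali/com/example/net/Api.smali": """
.field private static final BASE:Ljava/lang/String; = "https://api.example-app.test/v2/"
const-string v1, "http://10.0.2.2:8080/debug/dump"
const-string v2, "AKIAIOSFODNN7EXAMPLE"
""",
    "res/values/strings.xml": """<?xml version="1.0" encoding="utf-8"?>
<resources xmlns:tools="http://schemas.android.com/tools">
  <string name="app_name">Victim</string>
  <string name="google_api_key">AIzaSyA-fake0key0for0example0only000000</string>
  <string name="support_email">support@example-app.test</string>
  <string name="admin_password">Winter2019!</string>
</resources>
""",
    "assets/config.properties": """
db.host=192.168.1.50
db.user=appadmin
auth.token=eyJhbGciOiJIUzI1NiJ9.e30.abc
""",
}

if __name__ == "__main__":
    for category, items in scan_tree(SAMPLE_TREE).items():
        print(category, items)
```

The host filter is what keeps the output usable on a real APK, where `http://schemas.android.com/apk/res/android` otherwise appears in every layout file; the remaining URLs and IPs feed directly into items 53 to 58 on the server side.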
How to Test

1   Rename app.apk to app.zip, unzip it and use dex2jar to view the .java files. Use any Java decompiler (e.g. JD-GUI) to inspect the .java files for hardcoded secrets. Then use apktool to decompile the application, as the first step will not always give you the exact results. Use jadx as the Java decompiler: https://github.com/skylot/jadx. Use ClassyShark.
3   Check whether the app runs on an emulator or rooted device. If yes, it is a low-severity issue that the app does not detect whether the device is rooted or an emulator. See here for how to set up a faster Android emulator: http://nileshkapoor.blogspot.co.nz/2016/08/setting-up-faster-android-emulator.html
4   Connect the mobile device and laptop to the same network. Configure the network proxy settings on the mobile device and start the Burp listener on the laptop. Install the Burp certificate into the emulator or mobile device (the easiest way to send the Burp certificate to the device is by email).
5   In the rooted Android device/emulator, go to the path "data/data/com.<appname>" and look for the shared_prefs folder. Under this folder you can find the files with sensitive info. Check all the info and report anything sensitive stored by the app.
12  You can use Burp Suite's mobile assistant tool mentioned here: https://infosecninja.blogspot.co.nz/2017/05/working-with-burpsuite-mobile-assistant.html. Burp Suite's mobile assistant will also help you to bypass SSL pinning protection.

Tools (one entry per checklist row, in row order)

Genymotion, AXMLPrinter2.jar, Drozer, MobSF
keytool, openssl, jarsigner, testssl.sh, Qualys SSL Labs
adb
adb commands
adb commands
adb commands
drozer
Android SSL Trust Killer, SSLUnpinning
adb commands with logcat
wireshark, netcat, tcpdump
drozer
drozer, adb
ettercap, wireshark
burp (burp certificate)
dex2jar
Manual analysis of the source XML file
baksmali
ndk
adb, manual
manual
radamsa, manual
Inspeckage
Manual - source code review
strings, jdgui, IDA, Hopper
apktool, AndroidManifest.xml
jdgui, YSO, Qark, AndroBugs
jdgui, YSO, Qark, AndroBugs
apktool, AndroidManifest.xml
Android Backup Extractor
adb
adb, keychaindumper
adb, Manual, Root Browser
adb
Manual
Root Browser, text editor
adb, Drozer, Burp Suite
adb, Drozer, Burp Suite
jdgui, Burp Suite, Manual
Drozer
adb, Burp Suite
Drozer
apktool, AndroidManifest.xml
strings
apktool
adb jdwp, jdb, GDB, LLDB
Burp Suite
jdgui, YSO, Qark, AndroBugs
jdgui, YSO, Qark, AndroBugs
Burp Suite
Nmap
Web browser
Web browser
Web browser, Burp Suite
Burp Suite
Burp Suite
Burp Suite
Burp Suite
Burp Suite
Burp Suite
Burp Suite
MobSF, AndroBugs
logcat
logcat-color
Source code, manual
Application interface
Manual
Network Miner
AndBug
MARA
https://play.google.com/store/apps/details?id=com.gmail.heagoo.apkeditor&hl=en
https://www.youtube.com/playlist?list=PL0JQNIEvPbfpzJK8t-JaWq9nkRAA4pcKD
Metasploit Framework
Burp Suite
Manual
Manual
Manual
Manual
Manual
Outcome

- Find secrets such as passwords, encryption keys, admin user names, server IP address, internal server IP address, HTTP URLs etc.
- Also look out for the root detection logic, and check the certificate pinning logic as well as the emulator detection.
- Manual
- Check the manifest file for all permissions requested, exported activities and exported content providers.
- Manual
- Search for passwords, PIN, session cookie.
