Static Analysis
Last updated
Was this helpful?
Last updated
Was this helpful?
Check for :
Cryptography : Look for any use of encryption algorithms and verify that they are implemented correctly. Check for any hardcoded keys, weak encryption methods, or use of insecure cryptographic algorithms.
Code Obfuscation : Check for obfuscation techniques used to hide the code and make it difficult to understand. Obfuscation techniques make it harder for reverse engineering, but it can also hide any malicious code.
API Usage : Verify that the application does not use any insecure APIs or APIs with known vulnerabilities. Look for any APIs that allow unauthorized access or data leakage.
Reflection : Check for reflection, a feature that allows dynamic code execution. Verify that reflection is not used in a way that can allow an attacker to inject malicious code.
Dynamic Code Loading : Check for dynamic code loading, a feature that allows an application to load code at runtime. Verify that the application does not load code from untrusted sources or execute any code that is not verified.
Access Control : Verify that the application has implemented proper access control to sensitive functionality and data. Look for any hardcoded credentials or access tokens.
Hardcoded sensitive information : Check for any insecure storage of sensitive data such as passwords, user credentials, or personal information. Search for harcoded database(SQL queries), password, keys, sensitive information,URLs.
External Libraries : Verify that the application does not use any insecure third-party libraries or libraries with known vulnerabilities.
Integrity Checks : Look for any integrity checks that the application performs to ensure that the code has not been tampered with.
Native Code : If the application uses native code, verify that the native code is compiled securely and does not contain any vulnerabilities.
Web View related checks :
setJavaScriptEnabled(): This method enables or disables the use of JavaScript in a web view. If this method is set to true, the web view can execute JavaScript code, which can be used to manipulate the web page or to communicate with the native Android code. However, if the application does not properly validate the input data sent to the web view, it could allow an attacker to inject malicious JavaScript code.
setAllowFileAccess(): This method allows or denies access to local files in the device file system from the web view. If this method is set to true, the web view can access local files, which can be useful for displaying local HTML files or accessing data stored in the device file system. However, if the application does not properly validate the input data sent to the web view, it could allow an attacker to access or modify local files.
setAllowUniversalAccessFromFileURLs : if this option is set to true , it can allow attackers to load their files inside WebViews.
addJavascriptInterface(): This method allows JavaScript code in the web view to access the native Android code by exposing a Java object to JavaScript. This feature can be used to provide additional functionality or to interact with the native Android code. However, if the application does not properly validate the input data sent to the web view, it could allow an attacker to execute arbitrary Java code.
runtime.exec(): This method is used to execute shell commands on the device. If an attacker can inject malicious input data into a web view and exploit an application vulnerability, it could allow the attacker to execute arbitrary shell commands on the device.
onReceivedSslError : it tells the WebView to ignore SSL errors and proceed with the connection. Can be used by attackers to read or completely change the content being displayed to users.
SQLite related checks :
openOrCreateDatabase() : function, it's used by SQLCipher to store key to encrypt DB. SQLiteDatabase database = SQLiteDatabase. **openOrCreateDatabase** (databaseFile, "test123", null);
Proxified activities :
(((android:targetActivity)))=".someactivity"
TapJacking ;
filterTouchesWhenObscured to find if vulnerable to tapjacking or not.
Root Detection Implementation details
SSL Pinning Implementation details
Exported Preference Activities
Apps which enable backups
Apps which are debuggable
App Permissions.
Firebase Instance(s) / AWS
The Android Manifest is an XML file which contains important metadata about the Android app. This includes the package name, activity names, main activity (the entry point to the app), Android version support, hardware features support, permissions, and other configurations.
Check for :
Permissions: Check if the application requests any sensitive permissions like camera, microphone, location, SMS, or call logs. If the app is requesting unnecessary permissions, it could be a red flag for privacy violations or potential security risks.
Components: Android components like activities, services, receivers, and providers can be exploited by attackers to gain unauthorized access or to launch attacks. Check if any of the components are exposed to other applications or if they are exported with overly permissive access.
android:exported: The default value of the attribute is true. (should be set to false)
Intents: Intents are messages used by different Android components to communicate with each other. They can be used to launch activities, services, or broadcast messages. Check if the app is using any implicit intents that could be intercepted or manipulated by attackers.
Allow debugable: true β Without a rooted phone it is possible to extract the data or run an arbitrary code using application permission (Should be false). The default value is βfalseβ.
Allow backup: true β The default value of this attribute is true. This setting defines whether application data can be backed up and restored by a user who has enabled usb debugging.(Should be false)
Application information: Check if the application has any hard-coded credentials, sensitive information, or debugging features that could be exploited by attackers.
Malware signatures: Check if the application has any malware signatures that could indicate that the app is malicious or potentially harmful.
Target SDK version: Check if the app is targeting an older version of the Android SDK. If the app is not targeting the latest version, it could be vulnerable to known security vulnerabilities.
NOTE: All the permissions that the application requests should be reviewed to ensure that they donβt introduce a security risk.
This file stores the string resources for the application. Itβs a good place to look for hardcoded secrets and info leaks.
Look for these files to see what information is shipped along with the application. This is an easy source of secrets and info leaks.
Find permissions and dependencies used by an Android application.
Search in strings.xml for AWS key : <string name="aws_Identify_pool_ID">$key</string>
Extract data with this AWS key :
Enumerate permissions :
Get content :
Go to browser : https://xyz.firebaseio.com/.json
If "Permission Denied" : you cannot access it => well configured
Else, "null" or json data => db is public and you have at least read access
Check for writing privileges :
APKHunt is a comprehensive static code analysis tool for Android applications, based on OWASP's MASVS. It can be used to identify and address potential security vulnerabilities in application code.
How to :
Sensitive information, such as API keys, passwords, and other credentials, are directly coded into the app's source code instead of being stored securely in a separate configuration file or database.
Often hardcoded strings can be found in resources/strings.xml and also in activity source code.
Sensitive information, such as user credentials, personal information, and other sensitive data, is stored in an insecure manner. This information can be stored locally on the device or remotely on a server or in the cloud.
