- 0xduraki
The official Google Android security checklist is on the developer.android.com website: open the "Guides" tab in the sidebar, then the "Understand common security risks" menu.
Android Vulnerability Checklist
Manifest Exploration & Static Analysis
- AndroidManifest.xml contains: <interesting_info>, basically a blueprint of the application
- AndroidManifest.xml contains: android:allowBackup = TRUE
- AndroidManifest.xml contains: android:debuggable = TRUE
- AndroidManifest.xml contains: android:exported = TRUE (or not set), allowing external apps to access data
- AndroidManifest.xml contains: android:permission.READ|WRITE_EXTERNAL_STORAGE, only if sensitive data was stored/read externally, resulting in:
- inApp), however requires "android.permission.INTERNET" indicating incorrect usage of permissions (ie. over-privileged)
- android:protectionLevel was not set properly (ie. <permission android:name="my_custom_permission_name" android:protectionLevel="signature"/>)
- android:permission (permission tags limiting exposure to other apps)
- MODE_WORLD_READABLE / MODE_WORLD_WRITEABLE (other apps/users are able to read/write the file)
- resources.arsc/strings.xml
- res/xml/file_paths.xml
- BuildConfig files
- firebase.io / https://*.firebase.io/.json
- getString(R.string.<stringResourceLabel>)
- strings.xml file
- AndroidManifest.xml
- onCreate()
- content:// in decompiled source code
- android:exported="TRUE" flag
- http and https schemas, but custom schemas can be implemented by developers
- scheme://, host:// and parameters are validated
- autoVerify="true" is not present in AndroidManifest.xml
- addJavaScriptInterface(...) / setJavascriptEnabled(true)
- appschema://app/goto?file=[...]
- /data/data/<package_name>/
- adb backup com.example.app to backup the allowed app data
- logcat when user tries to log in
- logcat on other actions performed
- /sdcard/android/data/<com.example.app>/ directory
- MD5 or equivalent hashing algorithm that may be vulnerable to collisions
- java.util.Random function
- adb shell
- run-as command: run-as <com.example.app> in adb
- adb exec-out run-as com.example.app cat databases/AppName > AppNameDB-COPY
- appscheme://webview?url=https://google.com
- appscheme://webview?url=javascript:document.write(document.domain)
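As an added example (not part of this checklist or its author's tooling), a small static check that walks an AndroidManifest.xml and reports the manifest items above: the allowBackup and debuggable flags, custom permissions without a signature protectionLevel, exported components not guarded by android:permission, and http/https intent filters without autoVerify. The manifest text, package and component names are constructed for the demo.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

def a(attr):  # qualified name of an android:attr attribute
    return "{%s}%s" % (ANDROID_NS, attr)

# Constructed sample manifest for the demo (not a real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
  <permission android:name="com.example.app.MY_PERM" android:protectionLevel="normal"/>
  <application android:allowBackup="true" android:debuggable="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <data android:scheme="https" android:host="example.com"/>
      </intent-filter>
    </activity>
    <provider android:name=".DataProvider" android:authorities="com.example.app.p" android:exported="true"/>
    <service android:name=".SyncService" android:exported="true" android:permission="com.example.app.MY_PERM"/>
  </application>
</manifest>"""

def check_manifest(xml_text):
    """Return the manifest-level checklist findings for one AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    findings = []
    # Application-level flags: both must be off in a release build.
    for flag in ("allowBackup", "debuggable"):
        if app is not None and app.get(a(flag), "false") == "true":
            findings.append("android:%s=true" % flag)
    # Custom permissions should use protectionLevel="signature" (or stronger).
    for perm in root.findall("permission"):
        level = perm.get(a("protectionLevel"), "normal")
        if not level.startswith("signature"):
            findings.append("permission %s has protectionLevel=%s" % (perm.get(a("name")), level))
    for comp in (app.findall("*") if app is not None else []):
        if comp.tag not in ("activity", "service", "receiver", "provider"):
            continue
        name, exported = comp.get(a("name")), comp.get(a("exported"))
        # exported="true", or unset with an intent-filter (pre-Android-12 default), and no android:permission guard.
        if (exported == "true" or (exported is None and comp.find("intent-filter") is not None)) \
                and comp.get(a("permission")) is None:
            findings.append("%s %s exported without android:permission" % (comp.tag, name))
        # http/https filters without autoVerify are plain deep links, not verified App Links.
        for filt in comp.findall("intent-filter"):
            schemes = {d.get(a("scheme")) for d in filt.findall("data")}
            if schemes & {"http", "https"} and filt.get(a("autoVerify")) != "true":
                findings.append("%s %s handles http(s) links without autoVerify" % (comp.tag, name))
    return findings
```

Run it against a decompiled (apktool) manifest to get the static findings before moving on to the runtime checks with adb.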
Public Disclosures