
- 0xduraki

Official Google Android-related security checklists are available on the developer.android.com website: click the “Guides” tab in the sidebar, then the “Understand common security risks” menu.
Android Vulnerability Checklist
Manifest Exploration & Static Analysis
- AndroidManifest.xml contains: <interesting_info>, basically a blueprint of the application
- AndroidManifest.xml contains: android:allowBackup = TRUE
- AndroidManifest.xml contains: android:debuggable = TRUE
- AndroidManifest.xml contains: android:exported = TRUE (or not set), allowing external apps to access data
- AndroidManifest.xml contains: android:permission.READ|WRITE_EXTERNAL_STORAGE, only if sensitive data was stored/read externally, resulting in:
- inApp), however requires “android.permission.INTERNET” indicating incorrect usage of permissions (i.e. over-privileged)
- android:protectionLevel was not set properly (i.e. <permission android:name="my_custom_permission_name" android:protectionLevel="signature"/>)
- android:permission (permission tags limiting exposure to other apps)
- MODE_WORLD_READABLE / MODE_WORLD_WRITEABLE (other apps/users are able to read/write the file)
- resources.arsc/strings.xml
- res/xml/file_paths.xml
- BuildConfig files
- firebase.io/
- https://*.firebase.io/.json
- getString(R.string.<stringResourceLabel>))
- strings.xml file
- AndroidManifest.xml
- onCreate()
- content:// in decompiled source code
- android:exported="TRUE" flag
- http and https schemes, but custom schemes can be implemented by developers
- scheme://, host:// and parameters are validated
- autoVerify="true" is not present in AndroidManifest.xml
- addJavaScriptInterface(...) / setJavaScriptEnabled(true)
- appschema://app/goto?file=[...]
- /data/data/<package_name>/
- adb backup com.example.app to back up the allowed app data
- logcat when user tries to log in
- logcat on other actions performed
- /sdcard/android/data/<com.example.app>/ directory
- MD5 or equivalent hashing algorithm that may be vulnerable to collisions
- java.util.Random function
- adb shell
- run-as command: run-as <com.example.app> in adb
- adb exec-out run-as com.example.app cat databases/AppName > AppNameDB-COPY
- appscheme://webview?url=https://google.com
- appscheme://webview?url=javascript:document.write(document.domain)

Public Disclosures
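The AndroidManifest.xml checks from the "Manifest Exploration & Static Analysis" list (allowBackup, debuggable, exported components without android:permission, protectionLevel on custom permissions, autoVerify on http/https filters) can be run as one review pass. This is an added example, not code from the original checklist; it assumes the manifest has already been decoded to plain XML (for instance with apktool), the names audit_manifest and attr are hypothetical, and the sample manifest is constructed.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
COMPONENTS = ("activity", "activity-alias", "service", "receiver", "provider")

def attr(elem, name, default=None):
    return elem.get(ANDROID + name, default)

def audit_manifest(xml_text):
    """Return (check, detail) findings for a decoded AndroidManifest.xml."""
    root, findings = ET.fromstring(xml_text), []
    app = root.find("application")
    if app is not None:
        # allowBackup defaults to true when the attribute is absent.
        if attr(app, "allowBackup", "true").lower() == "true":
            findings.append(("allowBackup", "application data can be backed up"))
        if attr(app, "debuggable", "false").lower() == "true":
            findings.append(("debuggable", "application is debuggable"))
        for comp in (c for c in app if c.tag in COMPONENTS):
            exported = attr(comp, "exported")
            # Assumption: "not set" counts as exported only with an intent-filter
            # (the real platform default also depends on the target API level).
            implicit = exported is None and comp.find("intent-filter") is not None
            if ((exported or "").lower() == "true" or implicit) and attr(comp, "permission") is None:
                findings.append(("exported", attr(comp, "name", "?")))
            for flt in comp.findall("intent-filter"):
                # Simplified: any http/https <data> filter is expected to set autoVerify.
                schemes = {attr(d, "scheme") for d in flt.findall("data")}
                if schemes & {"http", "https"} and attr(flt, "autoVerify") != "true":
                    findings.append(("autoVerify", attr(comp, "name", "?")))
    for perm in root.findall("permission"):
        # protectionLevel defaults to "normal" when absent.
        if "signature" not in attr(perm, "protectionLevel", "normal"):
            findings.append(("protectionLevel", attr(perm, "name", "?")))
    return findings

# Constructed sample manifest (not from a real app).
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <permission android:name="com.example.app.MY_PERMISSION"/>
  <application android:allowBackup="true" android:debuggable="true">
    <activity android:name=".MainActivity" android:exported="true"/>
    <activity android:name=".LinkActivity">
      <intent-filter><data android:scheme="https" android:host="example.com"/></intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true" android:permission="com.example.app.MY_PERMISSION"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for check, detail in audit_manifest(SAMPLE):
        print(f"{check:16} {detail}")
```

Each finding is a prompt for manual review rather than a confirmed vulnerability: an exported component may be intentional, and a permission-protected one is only as strong as that permission's protectionLevel.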