Android APK Checklist

Static Analysis - Android Static Analysis

• [ ] Check for the use of obfuscation, checks for noting if the mobile was rooted, if an emulator is being used and anti-tampering checks.
  • [ ] Sensitive applications (like bank apps) should check if the mobile is rooted and should actuate in consequence.
• [ ] Search for interesting strings (passwords, URLs, API, encryption, backdoors, tokens, Bluetooth uuids...).
  • [ ] Special attention to cloud APIs (e.g. firebase)
• [ ] Read the manifest
  • [ ] Check if the application is in debug mode and try to "exploit" it
  • [ ] Check if the APK allows backups
  • [ ] Exported Activities
  • [ ] Content Providers
  • [ ] Exposed services
  • [ ] Broadcast Receivers
  • [ ] URL Schemes
• [ ] Is the application saving data insecurely internally or externally?
• [ ] Hard coded passwords cf.
• [ ] insecure crypto algorithms
• [ ] All the libraries compiled using the PIE flag
• [ ] Try automatic Static Android Analyzers

Dynamic Analysis - Android Dynamic Analysis

• [ ] unintended data leakage (logging, copy/paste, crash logs)
• [ ] Check local SQLite databases
• [ ] Exploitable exposed Activities
• [ ] Exploitable Content Providers
• [ ] Exploitable exposed Services
• [ ] Exploitable Broadcast Receivers
• [ ] Transmission of information in clear text or using weak algorithms
• [ ] Inspect HTTP/HTTPS traffic and search common web vulnerabilities
• [ ] Android Client Side Injections (probably some static code analysis will help here)