Android APK Checklist

{{#include ../banners/hacktricks-training.md}}

Learn Android fundamentals

• [ ] Basics
• [ ] Dalvik & Smali
• [ ] Entry points
• [ ] Activities
• [ ] URL Schemes
• [ ] Content Providers
• [ ] Services
• [ ] Broadcast Receivers
• [ ] Intents
• [ ] Intent Filter
• [ ] Other components
• [ ] How to use ADB
• [ ] How to modify Smali

Static Analysis

• [ ] Check for the use of obfuscation, checks for noting if the mobile was rooted, if an emulator is being used and anti-tampering checks. Read this for more info.
• [ ] Sensitive applications (like bank apps) should check if the mobile is rooted and should actuate in consequence.
• [ ] Search for interesting strings (passwords, URLs, API, encryption, backdoors, tokens, Bluetooth uuids...).
• [ ] Special attention to firebase APIs.
• [ ] Read the manifest:
• [ ] Check if the application is in debug mode and try to "exploit" it
• [ ] Check if the APK allows backups
• [ ] Exported Activities
  • [ ] Unity Runtime: exported UnityPlayerActivity/UnityPlayerGameActivity with a unity CLI extras bridge. Test -xrsdk-pre-init-library <abs-path> for pre-init dlopen() RCE. See Intent Injection → Unity Runtime.
• [ ] Content Providers
• [ ] Exposed services
• [ ] Broadcast Receivers
• [ ] URL Schemes
• [ ] Is the application saving data insecurely internally or externally?
• [ ] Is there any password hard coded or saved in disk? Is the app using insecurely crypto algorithms?
• [ ] All the libraries compiled using the PIE flag?
• [ ] Don't forget that there is a bunch of static Android Analyzers that can help you a lot during this phase.
• [ ] android:exported mandatory on Android 12+ – misconfigured exported components can lead to external intent invocation.
• [ ] Review Network Security Config (networkSecurityConfig XML) for cleartextTrafficPermitted="true" or domain-specific overrides.
• [ ] Look for calls to Play Integrity / SafetyNet / DeviceCheck – determine whether custom attestation can be hooked/bypassed.
• [ ] Inspect App Links / Deep Links (android:autoVerify) for intent-redirection or open-redirect issues.
• [ ] Identify usage of WebView.addJavascriptInterface or loadData*() that may lead to RCE / XSS inside the app.
• [ ] Analyse cross-platform bundles (Flutter libapp.so, React-Native JS bundles, Capacitor/Ionic assets). Dedicated tooling:
• flutter-packer, fluttersign, rn-differ
• [ ] Scan third-party native libraries for known CVEs (e.g., libwebp CVE-2023-4863, libpng, etc.).
• [ ] Evaluate SEMgrep Mobile rules, Pithus and the latest MobSF ≥ 3.9 AI-assisted scan results for additional findings.
• [ ] Check OEM ROM add-ons (OxygenOS/ColorOS/MIUI/OneUI) for extra exported ContentProviders that bypass permissions; try content query --uri content://com.android.providers.telephony/ServiceNumberProvider without READ_SMS (e.g., OnePlus CVE-2025-10184).

Dynamic Analysis

• [ ] Prepare the environment (online, local VM or physical)
• [ ] Is there any unintended data leakage (logging, copy/paste, crash logs)?
• [ ] Confidential information being saved in SQLite dbs?
• [ ] Exploitable exposed Activities?
• [ ] Exploitable Content Providers?
• [ ] Exploitable exposed Services?
• [ ] Exploitable Broadcast Receivers?
• [ ] Is the application transmitting information in clear text/using weak algorithms? is a MitM possible?
• [ ] Inspect HTTP/HTTPS traffic
• [ ] This one is really important, because if you can capture the HTTP traffic you can search for common Web vulnerabilities (Hacktricks has a lot of information about Web vulns).
• [ ] Check for possible Android Client Side Injections (probably some static code analysis will help here)
• [ ] Frida: Just Frida, use it to obtain interesting dynamic data from the application (maybe some passwords...)
• [ ] Test for Tapjacking / Animation-driven attacks (TapTrap 2025) even on Android 15+ (no overlay permission required).
• [ ] Attempt overlay / SYSTEM_ALERT_WINDOW clickjacking and Accessibility Service abuse for privilege escalation.
• [ ] Check if adb backup / bmgr backupnow can still dump app data (apps that forgot to disable allowBackup).
• [ ] Probe for Binder-level LPEs (e.g., CVE-2023-20963, CVE-2023-20928); use kernel fuzzers or PoCs if permitted.
• [ ] If Play Integrity / SafetyNet is enforced, try runtime hooks (Frida Gadget, MagiskIntegrityFix, Integrity-faker) or network-level replay. Recent Play Integrity Fix forks (≥17.x) embed playcurl—focus on ZygiskNext + PIF + ZygiskAssistant/TrickyStore combinations to regain DEVICE/STRONG verdicts.
• [ ] Instrument with modern tooling:
• Objection > 2.0, Frida 17+ (Android 16 support, ART offset fixes), NowSecure-Tracer (2024)
• Dynamic system-wide tracing with perfetto / simpleperf.
• [ ] For OEM telephony/provider bugs (e.g., OxygenOS CVE-2025-10184), attempt permission-less SMS read/send via the content CLI or in-app ContentResolver; test blind SQLi in update() to exfiltrate rows.

Some obfuscation/Deobfuscation information

• [ ] Read here

References

• CVE-2025-59489 – Arbitrary Code Execution in Unity Runtime (blog)
• Rapid7: CVE-2025-10184 OnePlus OxygenOS Telephony provider permission bypass
• TapTrap animation-based tapjacking research (TU Wien)

{{#include ../banners/hacktricks-training.md}}