Android Static Analysis
  • Upload the app to MobSF and analyse results.
  • Manually explore the decompiled code of the application with jadx-gui. Look into strings.xml, attrs.xml, xmls.xml, integers.xml and others.
  • Enumerate Storage Buckets.
  • Enumerate Firebase Databases.
  • Use the text search tool from jadx to search everywhere (Ctrl+Shift+F):
    • insecure urls: http://
    • other urls: https://
    • password
    • pass
    • ID
    • API
    • AWS
    • cloud
    • key
    • username
    • firebase
    • gcp
    • SQL
    • secret
    • client_id
    • clientid
    • coupon
    • sticky (to look for deprecated sticky broadcasts)
    • load (to find methods that load content into WebViews: loadUrl, loadData or loadDataWithBaseURL)
    • setResult (check the code, and whether the Activity is exported without permissions set)
  • Explore the source code of all Activities and Fragments.
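The keyword sweep above is normally done by hand in jadx; the script below is an added example (not part of this checklist or of jadx/MobSF) that runs the same search terms over a jadx export directory and groups hits by what they mean to a reviewer. The regex groupings, the text-file extension list, and the sample "export" it builds in a temp directory are all assumptions constructed for the example; the API names it greps for (sendStickyBroadcast, loadUrl, loadData, loadDataWithBaseURL, setResult) are the real Android methods the checklist's "sticky", "load" and "setResult" searches are aimed at.

```python
import re
import sys
import tempfile
from pathlib import Path

# File types that carry readable text in a jadx export (assumption).
TEXT_SUFFIXES = {".java", ".kt", ".xml", ".json", ".properties", ".txt", ".smali"}

# The checklist's search terms, grouped by what a hit means to a reviewer.
# Keyword groups are substring matches, like jadx's Ctrl+Shift+F, so expect
# noise; the API groups match the real Android method names.
PATTERNS = {
    "insecure_url": re.compile(r"http://[^\s\"'<>]+"),
    "url": re.compile(r"https://[^\s\"'<>]+"),
    "credential_keyword": re.compile(
        r"(?i)(password|pass|secret|api|aws|key|username|client_?id|\bid\b)"),
    "cloud_keyword": re.compile(r"(?i)(firebase|gcp|cloud)"),
    "sql": re.compile(r"(?i)\bsql\b"),
    "coupon": re.compile(r"(?i)coupon"),
    "sticky_broadcast": re.compile(r"\bsendSticky(Ordered)?Broadcast\b"),
    "webview_load": re.compile(r"\.(loadUrl|loadData|loadDataWithBaseURL)\("),
    "set_result": re.compile(r"\bsetResult\("),
}


def scan_file(path):
    """Return one finding dict per (line, category) hit in a single file."""
    findings = []
    try:
        text = path.read_text(encoding="utf-8", errors="replace")
    except OSError:
        return findings  # unreadable file: skip rather than abort the sweep
    for line_no, line in enumerate(text.splitlines(), start=1):
        for category, regex in PATTERNS.items():
            if regex.search(line):
                findings.append({
                    "file": str(path),
                    "line": line_no,
                    "category": category,
                    "snippet": line.strip()[:120],
                })
    return findings


def scan_tree(root):
    """Walk a decompiled-source tree and collect findings from text files."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in TEXT_SUFFIXES:
            findings.extend(scan_file(path))
    return findings


def summarize(findings):
    """Count findings per category so noisy keyword hits can be triaged first."""
    counts = {}
    for f in findings:
        counts[f["category"]] = counts.get(f["category"], 0) + 1
    return counts


def build_sample_tree():
    """Construct a tiny fake jadx export (sample data, not from a real app)."""
    root = Path(tempfile.mkdtemp(prefix="jadx_sample_"))
    res = root / "resources" / "res" / "values"
    res.mkdir(parents=True)
    (res / "strings.xml").write_text(
        '<resources>\n'
        '  <string name="api_base">http://api.example.invalid/v1</string>\n'
        '  <string name="firebase_url">https://example-app.firebaseio.invalid</string>\n'
        '  <string name="aws_key">AKIA_PLACEHOLDER_NOT_A_REAL_KEY</string>\n'
        '</resources>\n')
    src = root / "sources" / "com" / "example" / "app"
    src.mkdir(parents=True)
    (src / "MainActivity.java").write_text(
        'public class MainActivity extends Activity {\n'
        '    void open(WebView w, String u) { w.loadUrl(u); }\n'
        '    void done() { setResult(RESULT_OK, new Intent()); finish(); }\n'
        '    void announce(Intent i) { sendStickyBroadcast(i); }\n'
        '}\n')
    return root


if __name__ == "__main__":
    # Usage: python scan.py <jadx_export_dir>; with no argument, scan the sample.
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    results = scan_tree(target)
    for item in results:
        print(f'{item["category"]:18} {item["file"]}:{item["line"]}  {item["snippet"]}')
    print("summary:", summarize(results))
```

Run it against the `sources` and `resources` folders jadx writes out; the per-category summary shows which groups are worth reading line by line (a handful of webview_load or set_result hits point at specific Activities to review, while hundreds of credential_keyword hits are mostly framework noise to filter).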