Android Penetration Testing Part 8

A presentation at Android Penetration Testing Part 8 in March 2022 in India by Raja Nagori

Slide 1

Android Application Penetration Testing
Raja Nagori

Slide 2

Static Analysis

Slide 3

Android manifest file
• Extension is .xml
• You’ll get basic information about the application:
• SDK version
• Permissions
• Activities
• Content Providers
• Intents

Slide 4

• Doesn’t have any extension, unfortunately
• Defines which data and hardware components the app may need at runtime, for example:
• Camera permission
• Internet
• Access to external storage
• Bluetooth
• etc.

Slide 5

Activities
• These also don’t have any extension
• The UI elements of the application, i.e. the different screens in the application (take Gpay as an example)
• The first screen shows you the Gpay logo
• The second asks you for your fingerprint
• The third displays all the payments you made in the past

NOTE:
1. Here an INTENT moves you from one screen to the other.
2. If you see exported=“True”

Slide 6

Finding Hardcoded Strings
• Usually found in resources/strings.xml
• Threat vectors:
• Login bypass
• URLs exposed
• API keys exposed
• Firebase URLs
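The manifest and strings.xml checks from slides 3 to 6 (permissions, exported activities and content providers, hardcoded URLs, Firebase URLs and API keys) can be automated. The script below is an added example, not part of the slides; the manifest and strings.xml it scans are constructed samples that assume an app package com.example.pay, and the manifest is assumed to be already decoded from binary XML.

```python
import re
import xml.etree.ElementTree as ET
A = "{http://schemas.android.com/apk/res/android}"  # real Android XML namespace

# Constructed samples: a decoded AndroidManifest.xml and a res/values/strings.xml.
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application>
    <activity android:name=".SplashActivity" android:exported="true">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <activity android:name=".FingerprintActivity" android:exported="false"/>
    <activity android:name=".HistoryActivity">
      <intent-filter><action android:name="com.example.pay.SHOW_HISTORY"/></intent-filter>
    </activity>
    <provider android:name=".TxProvider" android:exported="true"/>
  </application>
</manifest>"""
STRINGS_XML = """<resources>
  <string name="api_base">https://api.example.com/v1</string>
  <string name="firebase_db">https://paydemo-12345.firebaseio.com</string>
  <string name="maps_key">AIzaSy0123456789abcdefghijklmnopqrstuvw</string>
</resources>"""

def manifest_findings(xml_text):
    root = ET.fromstring(xml_text)
    perms = [p.get(A + "name") for p in root.iter("uses-permission")]
    exported = []
    for comp in root.iter():
        if comp.tag not in ("activity", "provider", "service", "receiver"):
            continue
        flag = comp.get(A + "exported")
        # exported="true", or an intent-filter with no explicit flag (implicitly
        # exported when targetSdkVersion < 31), means other apps can reach it.
        if flag == "true" or (flag is None and comp.find("intent-filter") is not None):
            exported.append(comp.get(A + "name"))
    return {"permissions": perms, "exported": exported}
URL_RE = re.compile(r"https?://\S+")
KEY_RE = re.compile(r"^AIza[0-9A-Za-z_-]{35}$")  # shape of a Google API key
def string_findings(xml_text):
    out = []
    for s in ET.fromstring(xml_text).iter("string"):
        val = (s.text or "").strip()
        if URL_RE.search(val):
            out.append((s.get("name"), "firebase_url" if "firebaseio.com" in val else "url"))
        elif KEY_RE.match(val):
            out.append((s.get("name"), "api_key"))
    return out
```

Each exported component and each flagged string is a starting point for manual review, not a vulnerability by itself; a MAIN launcher activity is expected to be exported, while an exported content provider or a live API key deserves a closer look.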

Slide 7

See you in the next chapter of this series