Static Code Analysis

Reverse Engineering

Decode APK packages using apktools. The result will be a folder mirroring the structure of the original package containing all source files, configuration files and resources

java -jar apktools d <apk archive>
java -jar apktools d <apk archive> -s #do not disassemble .DEX files

Decode DEX packages using dex2jar to convert them into JAR archives and then use any Java decompiler such as JD-Gui to analyze the code

d2j-dex2jar.sh <dex file or apk archive> -o <output jar filename>

To retrieve the smali code from a DEX file use the java application provided here.

java -jar baksmali-<ver> <dex file>

Code Analysis

Hardcoded values

The Java code might include hardcoded credentials or values that can be exploited to bypass logins or modify the app behavior in unexpected ways

Unsafe Intent declaration

text

AIDL analysis

Describes an API offered by a service to an external application by defining the primitives expected by the server during an Inter-Process Communication (IPC).

Direct Binder class invocation

text

Permissions and Protection Levels

text

WebViews

WebViews are used to display applications designed with web technologies as opposed to native Java apps. These applications are vulnerable to the same exploits and misconfigurations that target standard web applications such as XSS, SQLi, File Inclusion and RCE.

• WebViewClient is used to display simple HTML code

• In WebViewClient popups will not work as such, XSS test payloads such as alert(1); will not be triggered

• The class maintains its own cookie jar completely separated from the parent's cookie jar

• Creating a WebViewClient requires to provide an URL to load using one of these methods loadUrl, loadData or loadDataWithBaseURL. Testers should ensure that the values provided to these methods are not provided by unsanitized user data

• Verify that Javascript is enabled by searching for the method setJavaScriptEnabled(true)

• WebViews can access content providers by requiring an URL crafted as follows content://<URL>. To verifiy if this option is enabled look for the method setAllowContentAccess(true)

• WebView can access local files by navigating to file://<PATH>. To verify if this option is enabled look for the method setAllowFileAccess(true). If this option is set to false the WebView is restricted to access only file:///android_asset and file:///android_res

• If the option setAllowUniversalAccessFromFileURLs is set to true (default in Adroid <= 4.0.3) then an attacker who controls a file inside the WebView is able to access any content in any other loaded domain

Applications with shared UID

Applications signed with the same UID can share the same resources. Applications that share UIDs have the following line in their manifest file: android.sharedUserId=<id>. Applications that share the same resources such as files and services can lead to security vulnerabilities when the access permissions are not correctly configured and enforced.

Certificates management