Welcome to the Android-App-Auditing wiki!

Initial setup

• enable developer mode + USB debugging on android device
• get adb (https://developer.android.com/studio/command-line/adb)

Get App

• install app
• download app from phone onto computer (adb)

  • pm list packages -f -3 | grep <application name> # find application

  • File Path: /data/app/com.smartsheet.android-2/base.apk

  • Download onto the computer: adb pull /data/app/com.smartsheet.android-2/base.apk

dynamic analysis

• setup burp proxy - use proxydroid android app

  • computer and phone need to be in the same network
  • Check computer Ip address if config - wlo1 inet addr
  • On Proxydroid Host, add the computer ip address
  • Enable invisible proxy on burp suite
  • HTTPS troubleshooting is the next step (if applicable)

• setup drozer (ignore for now)

• frida (ignore for now)

• gdb == debugger (ignore for now)

• adb (ignore for now)

static analysis

• disassemble app - get smali assembly with apktool
• decompile app - get java with jadx
  • jadx will create two folders: sources and resources
  • to decompile more than one dex file, use: for i in *.dex; do jadx -d pwd $(pwd)/$i; done
• Review
  • Manifest
  • services
  • broadcast receivers
  • activities
  • content providers

#Android Sandbox and General Permissions()

• https://www.youtube.com/watch?v=2uwhrfXCl4I