Before talking about mobile pentesting proper, we need to lay the foundations and distinguish between static analysis and dynamic analysis of an application. But first, the structure of an APK.
An APK is just a ZIP archive, so the first step in taking it apart is decompression: unpacking it gives us access to the innards of the binary (AndroidManifest.xml in binary XML form, classes.dex, resources.arsc, lib/ with native libraries, assets/ and the META-INF/ signature files). Plain unzip only extracts; apktool additionally decodes the binary manifest and resources into readable XML and disassembles the .dex files into .smali. Either of the following is enough:
unzip APP.apk -d output-unzip
apktool d APP.apk -o output-apktool
When it comes to decompiling the code, there are two routes. We can either produce .smali, the human-readable disassembly of the Dalvik bytecode (what apktool emits, via baksmali), or produce decompiled .java (jadx). The latter is not the original source code, only a reconstruction, but it makes the application's logic far easier to follow; smali is closer to what actually runs and is what you patch and rebuild with apktool when you need to modify the app.
Static vs Dynamic Analysis
Static analysis means inspecting the artefacts we just extracted (manifest, resources, smali or decompiled Java) without running the app. Things to look for:
- Keywords and code patterns known to be risky (weak or misused crypto, insecure WebView settings, world-readable files).
- Credentials and API keys.
- Identification of important functions: authentication, state changes, handling of PII.
- Debug functionality left in the build (the debuggable flag in the manifest, verbose logging) and comments left in the code.
- Dangerous functions: use of external storage, code execution (Runtime.exec, dynamic class loading), and whether the inputs reaching them are sanitised.
- Other hardcoded secrets: tokens, private keys, encryption keys.
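The unpacking step and the checklist above, as one triage script. This is an added example written for this page, not the author's tooling: it reads the APK as a ZIP to report what plain unzip exposes, then greps an apktool/jadx output tree for each checklist item in both the .java and the .smali spelling. The directory names output-apktool and output-jadx, the regex ruleset and the sample app are all this example's own assumptions; the sample APK, manifest, smali and Java are constructed inline so it runs offline, and the ruleset is a starting point rather than a complete one.

```python
"""Static triage of an APK and its decompiled output (added example; see the lead-in for what it assumes)."""
import os
import re
import tempfile
import zipfile

# One regex per checklist item, in both the jadx (.java) and apktool (.smali / decoded .xml) spelling.
PATTERNS = {
    "hardcoded_secret": re.compile(
        r"AKIA[0-9A-Z]{16}|AIza[0-9A-Za-z_\-]{35}|-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"
        r"|(?i:(?:api[_-]?key|secret|passw(?:or)?d|token)\s*[=:]\s*[\"'][^\"']{6,}[\"'])"),
    "manifest_flag": re.compile(r'android:(?:debuggable|allowBackup|usesCleartextTraffic)="true"'),
    "debug": re.compile(r"\bLog\.[dv]\(|Landroid/util/Log;->[dv]\(|BuildConfig\.DEBUG|setWebContentsDebuggingEnabled\(true\)"),
    "comment": re.compile(r"\b(?:TODO|FIXME|XXX|HACK)\b"),
    "external_storage": re.compile(
        r"getExternalStorage(?:Public)?Directory\(|getExternalFilesDirs?\(|MODE_WORLD_(?:READABLE|WRITEABLE)"
        r"|Landroid/os/Environment;->getExternal"),
    "code_execution": re.compile(
        r"Runtime\.getRuntime\(\)\.exec\(|\bProcessBuilder\(|DexClassLoader\(|Ljava/lang/Runtime;->exec\("),
    "webview_bridge": re.compile(
        r"addJavascriptInterface\(|setJavaScriptEnabled\(true\)|setAllowFileAccess\(true\)"),
    # Functions to read by hand: authentication and state changes (these method names are guesses).
    "auth_or_state_change": re.compile(
        r"(?i:\b(?:authenticat\w*|login|logout|checkPassword|isAdmin|setBalance|transfer\w*)\s*\()"),
}

def inspect_apk(apk_path):
    """Summarise the ZIP container, i.e. what the plain `unzip` step exposes."""
    with zipfile.ZipFile(apk_path) as z:
        names = z.namelist()
    return {
        "manifest": "AndroidManifest.xml" in names,  # binary XML until apktool decodes it
        "dex_files": sorted(n for n in names if re.fullmatch(r"classes\d*\.dex", n)),
        "native_abis": sorted({n.split("/")[1] for n in names if n.startswith("lib/") and n.count("/") >= 2}),
        # Only the v1 (JAR) signature shows up as entries; v2/v3 live in the APK Signing Block, so False != unsigned.
        "v1_signature": any(n.startswith("META-INF/") and n.endswith((".RSA", ".DSA", ".EC")) for n in names),
    }

def scan_sources(root):
    findings = []  # (path relative to root, line number, category, stripped line)
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith((".java", ".kt", ".smali", ".xml")):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    for lineno, line in enumerate(fh, 1):
                        findings.extend((os.path.relpath(path, root), lineno, cat, line.strip())
                                        for cat, rx in PATTERNS.items() if rx.search(line))
    return findings

SAMPLE_JAVA = """public class LoginActivity {
    // TODO remove before release
    private static final String API_KEY = "AKIAIOSFODNN7EXAMPLE";
    boolean authenticate(String user, String pass) {
        Log.d("Login", "user=" + user + " pass=" + pass);
        File f = new File(Environment.getExternalStorageDirectory(), "session.txt");
        Runtime.getRuntime().exec("chmod 777 " + f.getPath());
        webView.addJavascriptInterface(new Bridge(), "Android");
        return pass.equals("admin123");
    }
}
"""
SAMPLE_SMALI = """.class public Lcom/example/Util;
# TODO drop the shell helper before release
.method public static run(Ljava/lang/String;)V
    invoke-static {}, Ljava/lang/Runtime;->getRuntime()Ljava/lang/Runtime;
    move-result-object v0
    invoke-virtual {v0, p0}, Ljava/lang/Runtime;->exec(Ljava/lang/String;)Ljava/lang/Process;
    invoke-static {p0, p0}, Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/String;)I
    return-void
.end method
"""

def build_sample():
    """Constructed sample (not a real app): an APK-shaped zip plus fake apktool/jadx output."""
    work = tempfile.mkdtemp(prefix="apk-triage-")
    apk = os.path.join(work, "APP.apk")
    with zipfile.ZipFile(apk, "w") as z:
        for entry, data in {"AndroidManifest.xml": b"\x03\x00\x08\x00", "classes.dex": b"dex\n035\x00",
                            "classes2.dex": b"dex\n035\x00", "resources.arsc": b"\x02\x00\x0c\x00",
                            "lib/arm64-v8a/libnative.so": b"\x7fELF", "META-INF/CERT.RSA": b"\x30\x82"}.items():
            z.writestr(entry, data)
    tree = {
        os.path.join("output-apktool", "AndroidManifest.xml"):
            '<application android:debuggable="true" android:allowBackup="true">\n',
        os.path.join("output-apktool", "smali", "com", "example", "Util.smali"): SAMPLE_SMALI,
        os.path.join("output-jadx", "sources", "com", "example", "LoginActivity.java"): SAMPLE_JAVA,
    }
    for rel, content in tree.items():
        path = os.path.join(work, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return apk, work

if __name__ == "__main__":
    apk_path, tree = build_sample()
    print(inspect_apk(apk_path), *sorted(scan_sources(tree)), sep="\n")
```

On a real target, point scan_sources() at the directory holding your output-apktool and jadx trees; every hit is a place to start reading, not a finding in itself, so the auth_or_state_change and comment categories in particular need manual review. Note that the smali patterns match the Dalvik descriptor form (Ljava/lang/Runtime;->exec) while the Java patterns match jadx's reconstruction, which is why each category carries both spellings.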