文章介绍了Android渗透测试中的静态分析方法,包括提取APK文件、反编译代码、检查配置文件(如AndroidManifest.xml和strings.xml)以及使用工具(如jd-gui和mobsf)自动化分析。目标是通过检查Smali代码、配置文件等发现漏洞或不良编码实践。 2025-8-4 04:41:37 Author: infosecwriteups.com(查看原文) 阅读量:18 收藏
Hey There, Back again! 😄
If you’ve read my first post on Android Pentesting Fundamentals, welcome back! And if you aree new here, no worries feel free to start from here and hop back later.
Covered topics in the post — what is static analysis, multiple methods to extract an apk file, reverse engineering of an apk, what to check in manifest file, how to get smali file, what to check in strings.xml and smali file, jdax-gui, automating static analysis using mobsf.
This post is all about Static Analysis, reversing APKs, decompiling code, and finding vulnerabilities without running the app..
Just like before, these are my learning notes. If you are someone trying to make sense of Android pentesting, I hope this helps you too …😄
It’s all about checking an app’s code without running it on a device. We extract the Android APK and examine files like Smali code, native libraries, configuration files like Android Manifest, decompiled Java code, and more to find vulnerabilities or bad coding practices. For example — Insecure storage, Hardcoded sensitive information, Insecure permissions and more.
APK Extraction
Most android apps are installed via play stores which handles everything automatically but for static analysis will require the raw APK…
如有侵权请联系:admin#unsafe.sh