Android Hacking 31

Things I have learned from my overall experience in Android bug bounty hunting.


  1. Frida Code Share: the scripts shared there help bypass the protections of roughly 70 % of the apps on the Google Play Store.

  2. frida-ls-devices: lists all the devices connected to the PC.

  3. frida-ps -U: lists all running processes (apps) on the USB-connected device.

  4. frida-ps -Ua: lists only the apps (rather than every process) on the device Frida is attached to.

  5. adb shell ps -e: lists all background processes on the device.

  6. adb shell settings put global http_proxy 192.168.0.101:8899
    sets up the proxy: the IP is your system's local IP and the port is your Burp listener port.
    The setting applies globally, to every app on the device.

  7. adb shell settings put global http_proxy :0
    disables the proxy again.

  8. Jadx decompiler: when decompiling with jadx-gui, disable deobfuscation to see the code more precisely.

  9. Physical device: use a physical device rather than an emulator for testing.

  10. Magisk: use Magisk for rooting.

  11. Frida module for Magisk: use the Frida module for Magisk so that frida-server starts automatically when the device boots. No need to start it by hand again and again; it stays enabled around the clock.

  12. Assets: after decompiling, check the assets folder for GraphQL schemas.

  13. Slicer: a tool that gives an overview of AndroidManifest.xml to help exploit deep links and content providers.

  14. Old version APKs: if you want to find leaks, get older versions of the APK, decompile them and check them; you may find secrets.

  15. Subdomains, IPs: grep the decompiled APK for subdomains and internal domains (use gf by tomnomnom).

  16. https://bevigil.com/: this site scans APKs for secrets and API keys;
    you can upload a custom APK or give the package name.

  17. Endpoints: extract endpoints with gf or a custom regex, then brute-force them in Burp using Intruder.

  18. Download APKs from the CLI: https://github.com/89z/googleplay

  19. Get leaks from the CLI: https://github.com/dwisiswant0/apkleaks

  20. Toggle the proxy easily: https://play.google.com/store/apps/details?id=org.proxydroid&hl=en

  21. Connect to the phone wirelessly with adb: https://play.google.com/store/apps/details?id=com.ttxapps.wifiadb&hl=en_IN&gl=US

  22. Get APK info on the phone itself: the apkinfo app lets you see the manifest details and get an overview of the APK.

  23. APK Extractor: this app extracts installed APKs from the phone.

  24. adb pull /sdcard/path-to/extracted-apk-or-file: pulls content from the device to your PC.

  25. adb push file.txt /sdcard/path: pushes content from your PC to the phone.

  26. adb shell cat /proc/<pid-value>/maps: shows which .so files are loaded when you open the app. Get the PID with adb shell ps -e | grep packagename.

  27. VirusTotal: https://www.virustotal.com/gui/ Upload the APK to the site and go to the Details section. It gives an overview of the AndroidManifest.xml info, lists the URLs found in the APK and all the services, receivers and content providers. Try it, you will love it. It also checks for viruses.

  28. Download all the old versions of the APK: with this tool, https://github.com/m4ll0k/BBTz/blob/master/dapk.py, you can download every version of the APK.

  29. Decompile the APK using jadx (a command that runs without issues): jadx -d out thesecurityguy.apk --deobf-rewrite-cfg --no-res --export-gradle

  30. Query content providers from the adb shell: adb shell content query --uri content://com.example.MyApplication.Student..
    The authority in the URI comes from the provider entry in AndroidManifest.xml:
    <provider android:name="StudentsProvider"
        android:authorities="com.example.MyApplication.StudentsProvider"/>

  31. Check whether app link signatures are configured for the domain at https://<check_it_out>.com/.well-known/assetlinks.json.
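Added example for items 6 and 7 (this is my own script, not code from the original post): wrappers around the two settings put global http_proxy commands, with an offline check of the host:port argument before it is written to the device. A malformed value is applied device-wide and leaves every app without connectivity, so it is worth validating first. The function names and the proxy_status helper (which uses settings get) are my own choices.

```shell
#!/bin/sh
# Added example, not from the original post. Wraps the global-proxy commands
# from items 6 and 7 and validates the host:port value before applying it.

# Return 0 if $1 is an IPv4 address followed by :port (port 1-65535).
valid_proxy_spec() {
    spec=$1
    host=${spec%:*}     # everything before the last colon
    port=${spec##*:}    # everything after the last colon
    # A spec without a colon leaves host and port equal to the whole string.
    [ "$host:$port" = "$spec" ] || return 1
    case $port in ''|*[!0-9]*) return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    # Four dot-separated octets, each 0-255.
    oldifs=$IFS; IFS=.
    set -- $host
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Point the whole device at the intercepting proxy (item 6).
proxy_on() {
    valid_proxy_spec "$1" || { echo "bad proxy spec: $1" >&2; return 1; }
    adb shell settings put global http_proxy "$1"
}

# Disable the global proxy again (item 7).
proxy_off() {
    adb shell settings put global http_proxy :0
}

# Print the current value so you can confirm the change took effect.
proxy_status() {
    adb shell settings get global http_proxy
}

# Typical session (requires a connected device):
#   proxy_on 192.168.0.101:8899; proxy_status; ...; proxy_off
```

Because the setting is global, remember to run proxy_off when you are done; otherwise the phone keeps routing traffic to a Burp listener that is no longer there.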
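Added example for items 15 and 17 (my own script, not the post's and not gf itself): three grep-based extractors that pull absolute URLs, subdomains of a target domain, and API-looking paths out of a jadx output directory. The regexes, function names and the constructed sample source tree are all my own; real input is the sources directory that jadx -d out produces.

```shell
#!/bin/sh
# Added example, not from the original post. Recon helpers over a decompiled
# APK directory; the patterns below are a simplified stand-in for gf templates.

# Print each absolute URL found under directory $1 once.
extract_urls() {
    grep -rhoE 'https?://[A-Za-z0-9._~:/?#@!$&*+=%-]+' "$1" 2>/dev/null | sort -u
}

# Print each hostname under domain $2 (e.g. example.com) found under directory $1.
extract_subdomains() {
    dom=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for the regex
    grep -rhoE "([A-Za-z0-9-]+\.)+${dom}" "$1" 2>/dev/null | sort -u
}

# Print quoted string constants that look like API paths (/api/... or /v1/...).
extract_paths() {
    grep -rhoE '"/(api|v[0-9]+)/[A-Za-z0-9_./{}-]*"' "$1" 2>/dev/null \
        | tr -d '"' | sort -u
}

# Constructed jadx-style tree used to exercise the functions offline.
# Prints the path of the temporary directory it created.
make_sample_tree() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/sources/com/example/app"
    cat > "$tmp/sources/com/example/app/ApiClient.java" <<'EOF'
package com.example.app;
public class ApiClient {
    static final String BASE = "https://api.example.com/v2/";
    static final String STAGING = "https://staging-internal.example.com";
    static final String LOGIN = "/api/v1/login";
    static final String PROFILE = "/v2/users/{id}/profile";
}
EOF
    cat > "$tmp/sources/com/example/app/Config.java" <<'EOF'
package com.example.app;
public class Config {
    static final String CDN = "http://cdn.example.com/assets";
    static final String OTHER = "https://www.google.com/";
}
EOF
    printf '%s\n' "$tmp"
}

# Usage against real output:  extract_subdomains out/sources example.com
```

The subdomain list is the interesting one for item 15: names like staging-internal.example.com are exactly the internal hosts the tip is after, and the path list feeds Intruder for item 17.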
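Added example for item 26 (my own script, not code from the post): a parser for the /proc/<pid>/maps listing that prints each loaded .so once and separates the app's own native libraries (under /data/app/) from system ones, plus a wrapper that finds the PID the way the tip does (ps -e filtered by package name). The maps lines in sample_maps are constructed; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post. Turns a raw maps listing into
# the list of shared objects the process has loaded.

# Read a maps listing on stdin; print every .so path once.
# A maps line is: address perms offset dev inode [pathname], so the path is $6.
loaded_libs() {
    awk 'NF >= 6 && $6 ~ /\.so$/ { print $6 }' | sort -u
}

# Same, restricted to libraries shipped inside the app package.
app_libs() {
    loaded_libs | grep '^/data/app/'
}

# Dump the maps of package $1 on a connected rooted device (mirrors item 26).
app_maps() {
    pid=$(adb shell ps -e | tr -d '\r' | awk -v pkg="$1" '$NF == pkg { print $2; exit }')
    [ -n "$pid" ] || { echo "no running process for $1" >&2; return 1; }
    adb shell cat "/proc/$pid/maps"
}

# Constructed sample listing, shaped like real output, for offline use.
sample_maps() {
    cat <<'EOF'
12c00000-12d00000 rw-p 00000000 00:00 0                          [anon:dalvik-main space]
7b1a000000-7b1a02a000 r--p 00000000 fd:00 1337 /data/app/~~abc==/com.example.app-xyz==/lib/arm64/libnative.so
7b1a02a000-7b1a0a0000 r-xp 0002a000 fd:00 1337 /data/app/~~abc==/com.example.app-xyz==/lib/arm64/libnative.so
7b1b000000-7b1b010000 r--p 00000000 fd:01 42 /system/lib64/libc.so
7b1b010000-7b1b0c0000 r-xp 00010000 fd:01 42 /system/lib64/libc.so
7b1c000000-7b1c001000 r-xp 00000000 fd:00 99 /data/app/~~abc==/com.example.app-xyz==/base.apk
7fff000000-7fff021000 rw-p 00000000 00:00 0                          [stack]
EOF
}

# Usage against a device:  app_maps com.example.app | app_libs
```

Each library shows up several times in the raw listing (one mapping per segment), which is why the output is de-duplicated; the app_libs view is the quick way to see which native code the app itself ships and therefore which files to open in a disassembler next.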
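Added example for item 31 (my own script, not code from the post): fetch a domain's assetlinks.json and check whether it actually grants handle_all_urls to a specific package name and signing-certificate fingerprint, which is what makes a verified app link valid. The sample JSON, the package names and both fingerprints are constructed placeholders; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post. Checks the Digital Asset Links
# statement file behind verified app links.

# Fetch the statement file for domain $1 (needs curl and network access).
fetch_assetlinks() {
    curl -fsSL "https://$1/.well-known/assetlinks.json"
}

# Read assetlinks JSON on stdin. Succeed only if some statement grants
# delegate_permission/common.handle_all_urls to package_name $1 with a
# sha256_cert_fingerprint equal to $2 (compared case-insensitively).
assetlinks_grants() {
    pkg=$1
    fp=$2
    # Strip whitespace, then put each statement on its own line by splitting
    # on the "},{" that separates objects in the top-level array.
    tr -d '\n\r\t ' | sed 's/},{/}\
{/g' \
        | grep -F "\"package_name\":\"$pkg\"" \
        | grep -F 'delegate_permission/common.handle_all_urls' \
        | grep -qiF "$fp"
}

# Constructed sample file: the first statement grants app links to
# com.example.app, the second grants only credential sharing to another app.
sample_assetlinks() {
    cat <<'EOF'
[{
  "relation": ["delegate_permission/common.handle_all_urls"],
  "target": {
    "namespace": "android_app",
    "package_name": "com.example.app",
    "sha256_cert_fingerprints": [
      "AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99"
    ]
  }
},{
  "relation": ["delegate_permission/common.get_login_creds"],
  "target": {
    "namespace": "android_app",
    "package_name": "com.example.other",
    "sha256_cert_fingerprints": ["11:22:33:44:55:66:77:88:99:00:11:22:33:44:55:66:77:88:99:00:11:22:33:44:55:66:77:88:99:00:11:22"]
  }
}]
EOF
}

# Live usage:  fetch_assetlinks example.com | assetlinks_grants com.example.app "$FINGERPRINT"
```

The fingerprint to compare against is the SHA-256 of the certificate the installed APK is signed with, so a statement that names the right package but a different fingerprint (a debug build, an old key) still fails the check, which is the case worth noticing in a review.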

You can support me at https://www.buymeacoffee.com/ballx.