What is Dynamic Analysis?
Dynamic analysis refers to observing and interacting with an Android application while it's running on a real device or emulator. This helps identify runtime issues such as insecure API calls, data leakage, improper authentication, or unintended access to sensitive functionality.
Why is it Important?
- Static analysis alone may miss runtime issues
- It helps catch logic flaws, API abuse, or hidden features
- Essential for testing real-world behavior under different conditions
Setting Up Your Lab
You can choose between real devices or emulators. Here's a basic setup:
1. Required Tools
- Android Emulator (AVD or Genymotion)
- Frida - dynamic instrumentation toolkit
- Burp Suite - for intercepting HTTP(S) traffic
- adb - Android Debug Bridge
- APKTool / jadx - for reversing APKs
- Rooted Device or Emulator - for deeper analysis
Step-by-Step Guide
Step 1: Install the APK
adb install targetapp.apk
Step 2: Set Up Burp Proxy
- Configure Android Wi-Fi to use your host IP as a proxy (port 8080)
- Install Burp's CA certificate on the device (under User credentials)
Step 3: Observe API Traffic
Launch the app and monitor HTTP/HTTPS calls via Burp Suite. Look for:
- Insecure endpoints (HTTP instead of HTTPS)
- Hardcoded API keys in headers
- Sensitive data (tokens, credentials, PII) in responses
Step 4: Runtime Hooking with Frida
Use frida-trace or custom scripts to hook into app functions.
# Example: Hooking a Java method
frida -U -n com.target.app -l hook.js
Step 5: Monitor Logs and Intents
adb logcat | grep "your.package.name"
This reveals runtime logs, crash info, and debug messages.
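The grep in Step 5 only matches lines that contain the package name, so the example below (added here, not part of the original guide) parses `adb logcat -v threadtime` output, filters by the app's PID, and flags logged credentials, tokens and cleartext URLs. The rule set, PID 4211 and the sample lines are constructed assumptions.

```javascript
// Added example: flag secrets in `adb logcat -v threadtime` output.
// Rules and sample lines are constructed for illustration.
// threadtime layout: "MM-DD HH:MM:SS.mmm  PID  TID LEVEL TAG: message"
const LINE_RE =
  /^(\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})\s+(\d+)\s+(\d+)\s+([VDIWEF])\s+(.*?)\s*: (.*)$/;

const RULES = [
  { name: "credential-field",
    re: /\b(pass(word|wd)?|secret|api[_-]?key|token)\b\s*[=:]\s*\S+/i },
  { name: "bearer-token", re: /\bBearer\s+[A-Za-z0-9._~+\/-]{16,}=*/i },
  { name: "jwt", re: /\beyJ[\w-]{8,}\.[\w-]{8,}\.[\w-]{8,}/ },
  { name: "cleartext-url", re: /\bhttp:\/\/[^\s"']+/i },
];

// Keep a short prefix only, so the report does not re-leak the secret.
function redact(s) {
  return s.length <= 6 ? "*".repeat(s.length) : s.slice(0, 6) + "...(" + (s.length - 6) + " more)";
}

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null; // banners such as "--------- beginning of main"
  return { time: m[1], pid: Number(m[2]), level: m[4], tag: m[5], msg: m[6] };
}

// pid is optional; pass the app's PID to ignore other processes.
function scanLogcat(text, pid) {
  const findings = [];
  for (const raw of text.split(/\r?\n/)) {
    const e = parseLine(raw);
    if (!e || (pid !== undefined && e.pid !== pid)) continue;
    for (const rule of RULES) {
      const hit = rule.re.exec(e.msg);
      if (hit) findings.push({ rule: rule.name, time: e.time, tag: e.tag, match: redact(hit[0]) });
    }
  }
  return findings;
}

// Constructed sample capture (PID 4211 is the hypothetical target app).
const SAMPLE = [
  "--------- beginning of main",
  "03-14 10:15:02.101  4211  4211 D LoginManager: login ok, token=abc123def456ghi789",
  "03-14 10:15:02.150  4211  4240 I ApiClient: GET http://api.example.test/v1/profile",
  "03-14 10:15:02.300  4211  4240 D OkHttp: Authorization: Bearer AAAAbbbbCCCCddddEEEEffff",
  "03-14 10:15:02.420  1580  1602 W ActivityManager: password=otherProcessValue",
  "03-14 10:15:03.010  4211  4211 E AndroidRuntime: FATAL EXCEPTION: main",
].join("\n");
console.log(scanLogcat(SAMPLE, 4211));
```

Each finding is a line the app should not be writing in a production build; the report keeps only a six-character prefix of the matched text.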
Common Vulnerabilities Found via Dynamic Analysis
- Insecure data storage (e.g., SharedPreferences storing passwords)
- Improper certificate validation (MITM attacks possible)
- Debug or test functions left in production builds
- Hardcoded secrets accessed at runtime
- Abuse of exported components (Activities, Services, etc.)
Real-World Example
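// Hooking the login function to dump credentials
Java.perform(function () {
    // Resolve the app class that handles login
    var LoginManager = Java.use("com.target.app.LoginManager");
    // Replace the (String, String) overload with a logging wrapper
    LoginManager.authenticate.overload('java.lang.String', 'java.lang.String').implementation = function (u, p) {
        console.log("Username: " + u);
        console.log("Password: " + p);
        // Call the original implementation so the app behaves normally
        return this.authenticate(u, p);
    };
});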
This reveals real credentials sent during login attempts, useful in testing weak authentication logic.
Practical Tips
- Always test in a controlled, isolated environment
- Rooted emulators provide deeper access (Magisk + Xposed)
- Use snapshots to revert emulator to clean state
- Combine with static analysis to cross-check logic
- Logcat output is gold - don't ignore it!