📘 What is Static Analysis?

Static analysis is the process of analyzing an Android application's code, resources, and structure **without executing it**. It's often the first step in Android penetration testing and helps uncover security flaws such as hardcoded secrets, insecure permissions, and bad coding practices.

🤔 Why is Static Analysis Important?

🧪 Step-by-Step Static Analysis Process

Step 1: Get the APK

Obtain the APK file of the Android application:

  • Download from Google Play with a tool such as gplaycli, or from a third-party mirror such as APKPure (mirrors can serve repackaged builds, so confirm the signing certificate matches the Play release before trusting what you find)
  • Pull it from a device: root is not required, since adb can list an installed package's APK path (pm path) and adb pull copies it; apps shipped as split APKs need every split pulled

Step 2: Unpack the APK

Use apktool to decode the APK: it unpacks the archive, converts the binary AndroidManifest.xml and resources back into readable XML, and disassembles the DEX bytecode into smali:

apktool d target.apk -o output_folder

This gives access to AndroidManifest.xml, smali code, layouts, and more.

Step 3: Convert to Java Code (Optional)

Use dex2jar to convert the DEX bytecode into a JAR, then open the JAR in a Java decompiler:

d2j-dex2jar.sh target.apk
jd-gui target-dex2jar.jar

This yields decompiled Java that approximates the original source (identifiers are often obfuscated and some constructs decompile poorly, so fall back to the smali when the logic looks wrong). jadx is a common alternative that decompiles an APK straight to Java in one step.

Step 4: Analyze Key Files

  • AndroidManifest.xml: Check for exported components (and whether each one is guarded by a permission), the requested permissions, the debuggable flag, and the allowBackup, usesCleartextTraffic and networkSecurityConfig attributes on <application>
  • res/values/strings.xml: Look for API keys or other sensitive values; also search assets/ and the rest of res/, since secrets are not always kept in strings.xml
  • smali/ or Java code: Look for insecure API usage (permissive WebView settings, TrustManagers that accept any certificate, weak or home-grown crypto), sensitive data written to logs, and hardcoded credentials

Step 5: Use Static Analysis Tools

  • MobSF: All-in-one static and dynamic analyzer
  • QARK: Scans for known code-level vulnerabilities
  • AndroBugs: Detects misconfigurations and code issues

🧠 Real-World Example: API Key Leak

After unpacking an APK with apktool, you may find an entry like this in res/values/strings.xml:

<string name="api_key">AIzaSyBEXAMPLEKEY123456</string>

This is a hardcoded API key. Whether it is a real finding depends on what it unlocks: Google API keys of this form are designed to ship inside clients, so the question is whether the key is restricted (to the app's package name and signing certificate, and to the APIs it needs) or whether it grants unrestricted access to Firebase, Google Maps, or a proprietary backend. Confirm the impact by checking which services accept the key rather than assuming, and treat obfuscation as no protection: anything inside the APK is recoverable with exactly the steps above.
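The following script is an added example, not code from the original page: it automates the Step 4 checks and the API-key case above over a directory produced by apktool. It flags debuggable, allowBackup and usesCleartextTraffic on <application>, exported components that lack a permission guard (including the implicit export that a component with an intent-filter gets before API 31), and suspicious strings.xml entries, matched both by resource name and by the value format of known key types. The AndroidManifest.xml and strings.xml it ships with are constructed samples laid out like apktool output; the AWS value is the documented AKIAIOSFODNN7EXAMPLE placeholder and the Google value is the page's shortened sample key.

```python
"""Triage an apktool output dir for manifest misconfigs and hardcoded secrets (added example; samples are constructed)."""
import os
import re
import sys
import tempfile
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Resource names that usually hold credentials, plus value shapes of well-known key types.
SUSPICIOUS_NAME = re.compile(r"api[_-]?key|secret|token|passw(or)?d|private[_-]?key", re.I)
VALUE_PATTERNS = {
    # Real Google API keys are 39 chars; the page's shortened sample only trips the name check.
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
    "aws_access_key_id": re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b"),
    "pem_private_key": re.compile(r"-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

def analyze_manifest(path):
    """Return (issue, subject) tuples found in a decoded AndroidManifest.xml."""
    findings = []
    app = ET.parse(path).getroot().find("application")
    if app is None:
        return findings
    for flag in ("debuggable", "allowBackup", "usesCleartextTraffic"):
        if app.get(ANDROID_NS + flag) == "true":
            findings.append((flag, "application"))
    for tag in ("activity", "activity-alias", "service", "receiver", "provider"):
        for comp in app.findall(tag):
            exported = comp.get(ANDROID_NS + "exported")
            has_filter = comp.find("intent-filter") is not None
            # Pre-API-31 default: a component with an intent-filter is exported,
            # one without is private unless android:exported="true".
            if exported == "true" or (exported is None and has_filter):
                if comp.get(ANDROID_NS + "permission") is None:
                    findings.append(("exported-" + tag, comp.get(ANDROID_NS + "name")))
    return findings

def analyze_strings(path):
    """Return (reason, name, value) for suspicious entries in strings.xml."""
    findings = []
    for s in ET.parse(path).getroot().findall("string"):
        name, value = s.get("name", ""), (s.text or "").strip()
        for reason, pat in VALUE_PATTERNS.items():
            if pat.search(value):
                findings.append((reason, name, value))
                break
        else:
            if value and SUSPICIOUS_NAME.search(name):
                findings.append(("suspicious_name", name, value))
    return findings

def analyze_apktool_dir(out_dir):
    """Run both checks against a directory produced by apktool d."""
    return {
        "manifest": analyze_manifest(os.path.join(out_dir, "AndroidManifest.xml")),
        "strings": analyze_strings(os.path.join(out_dir, "res", "values", "strings.xml")),
    }

# Constructed sample mimicking apktool output; not a real application.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.demo">
  <application android:debuggable="true" android:allowBackup="true">
    <activity android:name=".DeepLinkActivity">
      <intent-filter><action android:name="android.intent.action.VIEW"/></intent-filter>
    </activity>
    <receiver android:name=".AdminReceiver" android:exported="true" android:permission="android.permission.BIND_DEVICE_ADMIN"/>
    <provider android:name=".DataProvider" android:authorities="com.example.demo.data" android:exported="true"/>
    <service android:name=".SyncService" android:exported="false"/>
  </application>
</manifest>
"""
SAMPLE_STRINGS = """<resources>
  <string name="app_name">Demo</string>
  <string name="api_key">AIzaSyBEXAMPLEKEY123456</string>
  <string name="aws_key">AKIAIOSFODNN7EXAMPLE</string>
</resources>
"""

def build_sample_dir():
    """Write the constructed sample into a temp dir laid out like apktool output."""
    d = tempfile.mkdtemp(prefix="apktool_demo_")
    os.makedirs(os.path.join(d, "res", "values"))
    with open(os.path.join(d, "AndroidManifest.xml"), "w") as f:
        f.write(SAMPLE_MANIFEST)
    with open(os.path.join(d, "res", "values", "strings.xml"), "w") as f:
        f.write(SAMPLE_STRINGS)
    return d

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_dir()
    for section, items in analyze_apktool_dir(target).items():
        print(f"[{section}]")
        for item in items:
            print("  ", *item)
```

Run it with the output_folder from Step 2 as the first argument to triage a real app, or with no argument to see it on the constructed sample. The receiver in the sample is exported but is deliberately not reported because it is guarded by android:permission; the provider and the deep-link activity are reported, the latter without any exported attribute at all, which is exactly the case reviewers miss when they only grep for exported="true". Output from a script like this is a worklist, not a verdict: each exported component still has to be read for what it actually does with untrusted input.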

💡 Pro Tips & Best Practices

🔗 Useful Tools & Resources