Static and dynamic testing of Android apps. A quick guide:
(thread)
(static analysis) 1. Decompile the app to understand how the code works. Use jadx.
(static analysis) 2. Analyze the app's resources for potential hardcoded credentials or sensitive information.
(static analysis) 3. Analyze the app's manifest (AndroidManifest.xml) for permission-related vulnerabilities.
(static analysis) 4. Analyze the app's storage via adb shell.
(dynamic analysis) 5. Use an emulator or a rooted physical device and run the app.
At the same time, use Frida for dynamic instrumentation and for monitoring the app's behavior.
(dynamic analysis) 6. Use Burp Suite to intercept/modify the app's traffic.
- usually after bypassing SSL pinning.
7. All of these steps can go into much more depth, but this gives you a starting point or a rough overview. You can find details on each via a search engine.
Like, retweet, and follow me @cristivlad25 for more posts like this.
#appsec #infosec #cybersecurity #pentesting #bugbounty