apktool

apktool decodes the APK into raw smali code, plus the decoded resources and AndroidManifest.xml.

C:\Users\secsh\Downloads\Android-InsecureBankv2>apktool d InsecureBankv2.apk -o InsecureBankv2_apktooled
I: Using Apktool 2.12.1 on InsecureBankv2.apk with 8 threads
I: Baksmaling classes.dex...
I: Loading resource table...
I: Decoding file-resources...
I: Loading resource table from file: C:\Users\secsh\AppData\Local\apktool\framework\1.apk
I: Decoding values */* XMLs...
I: Decoding AndroidManifest.xml with resources...
I: Copying original files...
I: Copying unknown files...

Below are some files that should be reviewed manually:

  • AndroidManifest.xml
  • exported Activity / Service
  • res/values/strings.xml
  • hardcoded secrets
  • smali/…/LoginActivity.smali
  • smali/…/RequestDispatcher.smali

C:\Users\secsh\Downloads\Android-InsecureBankv2\InsecureBankv2_apktooled>dir
 Volume in drive C has no label.
 Volume Serial Number is 2ACD-1208
 
 Directory of C:\Users\secsh\Downloads\Android-InsecureBankv2\InsecureBankv2_apktooled
 
02/08/2026  11:05 AM    <DIR>          .
02/08/2026  11:04 AM    <DIR>          ..
02/08/2026  11:05 AM             4,162 AndroidManifest.xml
02/08/2026  11:05 AM               257 apktool.yml
02/08/2026  11:05 AM    <DIR>          original
02/08/2026  11:05 AM    <DIR>          res
02/08/2026  11:04 AM    <DIR>          smali
               2 File(s)          4,419 bytes
               5 Dir(s)  108,264,226,816 bytes free

Find Hardcoded Strings

Hardcoded strings can be found in resource files such as res/values/strings.xml and other XML resources.

They also turn up in activity source code.

Threat vectors:

  • login bypass
  • url exposed
  • API keys exposed
  • Firebase URLs (firebase.io)

Search keywords:

  • api
  • password
  • username
  • firebase.io
  • SQL
  • key
  • ClientID
  • ClientSecret
  • http://
  • https://
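A small triage script for the keyword sweep above, added here as an example (it is not part of the original notes): it walks an apktool or jadx output tree and reports every line containing one of the listed keywords. The strings.xml and .smali contents built in demo() are constructed for the example, not taken from InsecureBankv2.

```python
import os
import re
import tempfile

# Keyword list from the notes above; matched case-insensitively.
KEYWORDS = ["api", "password", "username", "firebase.io", "SQL", "key",
            "ClientID", "ClientSecret", "http://", "https://"]
# File types worth reading in an apktool / jadx output tree.
TEXT_EXTS = {".xml", ".smali", ".java", ".json", ".properties", ".txt"}


def scan_decoded_apk(root, keywords=KEYWORDS):
    """Return (relative path, line number, matched keyword, stripped line)
    for every line under `root` that contains one of the keywords."""
    pattern = re.compile("|".join(re.escape(k) for k in keywords), re.IGNORECASE)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in TEXT_EXTS:
                continue
            path = os.path.join(dirpath, name)
            # errors="ignore": smali/resources may contain odd bytes.
            with open(path, encoding="utf-8", errors="ignore") as fh:
                for lineno, line in enumerate(fh, 1):
                    m = pattern.search(line)
                    if m:
                        hits.append((os.path.relpath(path, root), lineno,
                                     m.group(0), line.strip()))
    return hits


def demo():
    """Build a constructed mini apktool tree in a temp dir and scan it."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "res", "values"))
    os.makedirs(os.path.join(root, "smali", "com", "example"))
    with open(os.path.join(root, "res", "values", "strings.xml"), "w") as fh:
        fh.write('<resources>\n'
                 '    <string name="app_name">Demo</string>\n'
                 '    <string name="api_key">PLACEHOLDER_KEY</string>\n'  # constructed
                 '</resources>\n')
    with open(os.path.join(root, "smali", "com", "example", "Login.smali"), "w") as fh:
        fh.write('.class public Lcom/example/Login;\n'
                 '    const-string v0, "http://10.0.2.2:8888/login"\n')  # constructed
    return scan_decoded_apk(root)


if __name__ == "__main__":
    for relpath, lineno, keyword, line in demo():
        print(f"{relpath}:{lineno}: [{keyword}] {line}")
```

Point it at the InsecureBankv2_apktooled directory from the apktool step to get the real hit list; expect noise on short keywords such as "api" and "key".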

dex2jar → jadx gui

C:\Users\secsh\Downloads\Android_Pentests\dex-tools-v2.4\dex-tools-v2.4>d2j-dex2jar.bat -f InsecureBankv2.apk
dex2jar InsecureBankv2.apk -> .\InsecureBankv2-dex2jar.jar

C:\Users\secsh\Downloads\Android_Pentests\dex-tools-v2.4\dex-tools-v2.4>dir *jar
 Volume in drive C has no label.
 Volume Serial Number is 2ACD-1208

 Directory of C:\Users\secsh\Downloads\Android_Pentests\dex-tools-v2.4\dex-tools-v2.4

02/15/2026  03:39 PM         6,944,741 InsecureBankv2-dex2jar.jar
               1 File(s)      6,944,741 bytes
               0 Dir(s)  122,810,023,936 bytes free

Explore File System

Check shared_prefs and databases under /data/data/<package> on a rooted device or emulator:

generic_x86:/data/data/com.android.insecurebankv2 # ls -l
total 28
drwxrwx--x 2 u0_a77 u0_a77       4096 2026-02-15 16:36 app_textures
drwx------ 3 u0_a77 u0_a77       4096 2026-02-15 16:36 app_webview
drwxrws--x 3 u0_a77 u0_a77_cache 4096 2026-02-15 16:36 cache
drwxrws--x 2 u0_a77 u0_a77_cache 4096 2026-02-15 14:27 code_cache
drwxrwx--x 2 u0_a77 u0_a77       4096 2026-02-15 14:27 databases
drwxrwx--x 2 u0_a77 u0_a77       4096 2026-02-15 16:36 files
drwxrwx--x 2 u0_a77 u0_a77       4096 2026-02-15 16:36 shared_prefs
generic_x86:/data/data/com.android.insecurebankv2/databases # ls -l
total 20
-rw-rw---- 1 u0_a77 u0_a77 20480 2026-02-15 14:27 mydb
-rw-rw---- 1 u0_a77 u0_a77     0 2026-02-15 14:27 mydb-journal
generic_x86:/data/data/com.android.insecurebankv2/databases # sqlite3 mydb
SQLite version 3.18.2 2017-07-21 07:56:09
Enter ".help" for usage hints.
sqlite> .tables
android_metadata  names
sqlite> select * from android_metadata
   ...> ;
en_US

LogCat Info Leaks

Search logcat output for password, login, etc.