Static testing is a crucial phase in Android application security testing. It involves analyzing the application’s code, structure, and assets without executing it. This approach helps identify vulnerabilities, coding flaws, and insecure configurations early in the development lifecycle. In this blog, we’ll cover the steps to perform static testing on an Android application, the tools required, and best practices.

Prerequisites for Static Testing

Access to the APK File: Obtain the APK (Android Package Kit) file of the application to analyze its resources and code. For demonstration purposes, we will use the DIVA Android application, which you can download from here.
Basic Understanding of Android Architecture: Familiarize yourself with components like activities, services, broadcast receivers, and content providers.
Tools Setup:

  • Java Development Kit (JDK): Required for decompiling and analyzing Java-based code.
  • Android Studio: Useful for exploring code and resources.

Steps to Perform Static Testing

Step 1: Decompile the APK File
  • Use APKTool or JADX to decompile the APK and access its source code and resources.
    Command: apktool d DivaApplication.apk -o output_folder
Step 2: Inspect the Manifest File
  • Analyze the AndroidManifest.xml for:
    • Excessive permissions
    • Exported components
    • Insecure intents
    • Debuggable attribute enabled

Demo of Static Testing on DIVA Step-by-Step

  1. Use the JADX-GUI tool to decompile the APK file and review the AndroidManifest.xml file.
AndroidManifest

– The AndroidManifest.xml file is attached below. First, review the code yourself and try to find any vulnerability. Then, we will discuss each bug it contains and understand its impact.

<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    android:versionCode="1"
    android:versionName="1.0"
    package="jakhar.aseem.diva"
    platformBuildVersionCode="23"
    platformBuildVersionName="6.0-2166767">
    <uses-sdk
        android:minSdkVersion="15"
        android:targetSdkVersion="23"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <application
        android:theme="@style/AppTheme"
        android:label="@string/app_name"
        android:icon="@mipmap/ic_launcher"
        android:debuggable="true"
        android:allowBackup="true"
        android:supportsRtl="true">
        <activity
            android:theme="@style/AppTheme.NoActionBar"
            android:label="@string/app_name"
            android:name="jakhar.aseem.diva.MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <activity
            android:label="@string/d1"
            android:name="jakhar.aseem.diva.LogActivity"/>
        <activity
            android:label="@string/d2"
            android:name="jakhar.aseem.diva.HardcodeActivity"/>
        <activity
            android:label="@string/d3"
            android:name="jakhar.aseem.diva.InsecureDataStorage1Activity"/>
        <activity
            android:label="@string/d4"
            android:name="jakhar.aseem.diva.InsecureDataStorage2Activity"/>
        <activity
            android:label="@string/d5"
            android:name="jakhar.aseem.diva.InsecureDataStorage3Activity"/>
        <activity
            android:label="@string/d6"
            android:name="jakhar.aseem.diva.InsecureDataStorage4Activity"/>
        <activity
            android:label="@string/d7"
            android:name="jakhar.aseem.diva.SQLInjectionActivity"/>
        <activity
            android:label="@string/d8"
            android:name="jakhar.aseem.diva.InputValidation2URISchemeActivity"/>
        <activity
            android:label="@string/d9"
            android:name="jakhar.aseem.diva.AccessControl1Activity"/>
        <activity
            android:label="@string/apic_label"
            android:name="jakhar.aseem.diva.APICredsActivity">
            <intent-filter>
                <action android:name="jakhar.aseem.diva.action.VIEW_CREDS"/>
                <category android:name="android.intent.category.DEFAULT"/>
            </intent-filter>
        </activity>
        <activity
            android:label="@string/d10"
            android:name="jakhar.aseem.diva.AccessControl2Activity"/>
        <activity
            android:label="@string/apic2_label"
            android:name="jakhar.aseem.diva.APICreds2Activity">
            <intent-filter>
                <action android:name="jakhar.aseem.diva.action.VIEW_CREDS2"/>
                <category android:name="android.intent.category.DEFAULT"/>
            </intent-filter>
        </activity>
        <provider
            android:name="jakhar.aseem.diva.NotesProvider"
            android:enabled="true"
            android:exported="true"
            android:authorities="jakhar.aseem.diva.provider.notesprovider"/>
        <activity
            android:label="@string/d11"
            android:name="jakhar.aseem.diva.AccessControl3Activity"/>
        <activity
            android:label="@string/d12"
            android:name="jakhar.aseem.diva.Hardcode2Activity"/>
        <activity
            android:label="@string/pnotes"
            android:name="jakhar.aseem.diva.AccessControl3NotesActivity"/>
        <activity
            android:label="@string/d13"
            android:name="jakhar.aseem.diva.InputValidation3Activity"/>
    </application>
</manifest>
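The Step 2 checklist (excessive permissions, exported components, debuggable attribute) can be applied mechanically to a decompiled manifest. The script below is an added example, not part of the original post or the DIVA project: it parses a constructed subset of the manifest shown above and reports the application flags, storage permissions, and components that are exported either explicitly or implicitly through an intent-filter.

```python
# Added example (not from the original post): a small checker for the manifest
# findings listed under Step 2. The sample manifest below is a constructed
# subset of the DIVA manifest above; the namespace URI is Android's real one.
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample modeled on the DIVA manifest shown above
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="jakhar.aseem.diva">
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:debuggable="true" android:allowBackup="true">
    <activity android:name="jakhar.aseem.diva.MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <activity android:name="jakhar.aseem.diva.APICredsActivity">
      <intent-filter><action android:name="jakhar.aseem.diva.action.VIEW_CREDS"/></intent-filter>
    </activity>
    <provider android:name="jakhar.aseem.diva.NotesProvider" android:exported="true"/>
    <activity android:name="jakhar.aseem.diva.LogActivity"/>
  </application>
</manifest>"""


def audit_manifest(xml_text):
    """Return a list of finding strings for the Step 2 manifest checks."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    findings = []
    # Application-level flags that should be off in a release build
    for flag in ("debuggable", "allowBackup"):
        if app.get(ANDROID + flag) == "true":
            findings.append(f'application android:{flag}="true"')
    # Permissions worth reviewing: external storage is world-readable on older Android
    for perm in root.findall("uses-permission"):
        name = perm.get(ANDROID + "name", "")
        if name.endswith("_EXTERNAL_STORAGE"):
            findings.append(f"external storage permission: {name}")
    # A component is exported when android:exported="true"; for activities,
    # services and receivers an intent-filter also exports it by default when
    # android:exported is absent (apps targeting API < 31). The launcher
    # activity is expected to show up here; every other hit needs review.
    for tag in ("activity", "service", "receiver", "provider"):
        for comp in app.findall(tag):
            exported = comp.get(ANDROID + "exported")
            has_filter = comp.find("intent-filter") is not None
            if exported == "true" or (exported is None and has_filter):
                how = "explicit" if exported == "true" else "implicit via intent-filter"
                findings.append(f"exported {tag}: {comp.get(ANDROID + 'name')} ({how})")
    return findings
```

Run against the real decompiled AndroidManifest.xml by reading the file into audit_manifest; each finding maps to one of the Step 2 bullets and should be verified by hand before it is reported.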

Raghav Rajput

With a strong academic background, including an MCA and CEH certification, I bring over two years of hands-on experience in cybersecurity. In my role, I focus on Android, iOS, and web penetration testing, consistently applying advanced skills to safeguard digital landscapes. Outside of work, I enjoy the intellectual challenge of chess and find relaxation in listening to music, which balances my passion for cybersecurity with personal growth and creativity.

Categorized in:

Android Testing, Cyber Security,

Last Update: December 27, 2024