Merge pull request #2007 from HackTricks-wiki/update_PulseAPK_Core__GUI_workflow_for_APK_decompilation__20260315_124922

PulseAPK Core GUI workflow for APK decompilation, Smali rule...

Author: carlospolop

src/mobile-pentesting/android-app-pentesting/smali-changes.md

@@ -293,8 +293,49 @@ Notes:
 - Make sure the correct ABI variant of the library exists under lib/<abi>/ (e.g., arm64-v8a/armeabi-v7a) to avoid UnsatisfiedLinkError.
 - Loading very early (class static initializer) guarantees the native logger can observe subsequent JNI activity.
 
-## References
+## Smali Static Analysis / Rule-Based Hunting
+
+After decompiling with `apktool`, you can **scan Smali line-by-line** with regex rules to quickly spot anti-analysis logic (root/emulator checks) and likely hardcoded secrets. This is a **fast triage** technique: treat hits as leads that you must verify in surrounding Smali or reconstructed Java/Kotlin.
+
+Key ideas:
+- **Library filtering**: suppress or tag findings under common third-party namespaces so you focus on app-owned code paths.
+- **Context hints**: require suspicious strings to appear near the APIs that consume them (within the same method, within N lines).
+- **Confidence**: use simple levels (high/medium) to rank leads and reduce false positives.
+
+Example library prefixes to suppress by default:
+```text
+Landroidx/
+Lkotlin/
+Lkotlinx/
+Lcom/google/
+Lcom/squareup/
+Lokhttp3/
+Lokio/
+Lretrofit2/
+```
+
+Example detection rules (regex + context heuristics):
+```json
+{
+  "category": "root_check",
+  "regex_patterns": [
+    "(?i)invoke-static .*Runtime;->getRuntime\\(\\).*->exec\\(.*\\"(su|magisk|busybox)\\"",
+    "(?i)const-string [vp0-9, ]+\\"(/system/xbin/su|/system/bin/su|/sbin/su)\\""
+  ],
+  "context_hint": "Only report when the same method also calls File;->exists/canExecute or Runtime;->exec."
+}
+```
+
+Additional heuristics that work well in practice:
+- **Root package/path checks**: require nearby `PackageManager;->getPackageInfo` or `File;->exists` calls for strings like `com.topjohnwu.magisk` or `/data/local/tmp`.
+- **Emulator checks**: pair suspicious literals (e.g., `ro.kernel.qemu`, `generic`, `goldfish`) with nearby `Build.*` getters and string comparisons (`->equals`, `->contains`, `->startsWith`).
+- **Hardcoded secrets**: flag `const-string` only when a nearby `.field` or `move-result` identifier includes keywords like `password`, `token`, `api_key`. Explicitly ignore UI-only markers such as `AutofillType`, `InputType`, `EditorInfo`.
 
+Rule-driven scanners like PulseAPK Core implement this model to quickly surface anti-analysis logic and potential secrets in Smali.
+
+## References
+- [PulseAPK Core](https://github.com/deemoun/PulseAPK-Core)
+- [PulseAPK Smali Detection Rules](https://github.com/deemoun/PulseAPK-Core/blob/main/APK_ANALYSIS_RULES.md)
 - SoTap: Lightweight in-app JNI (.so) behavior logger – [github.com/RezaArbabBot/SoTap](https://github.com/RezaArbabBot/SoTap)
 - Android Developers: [apksigner](https://developer.android.com/tools/apksigner) and [zipalign](https://developer.android.com/tools/zipalign)
 - apk.sh: [github.com/ax/apk.sh](https://github.com/ax/apk.sh)