Commit f05c13f

Author: HackTricks News Bot (committed)
Add content from: Research Update: Enhanced src/mobile-pentesting/android-chec...
1 parent 8a70915 commit f05c13f

1 file changed

Lines changed: 7 additions & 3 deletions

File tree

src/mobile-pentesting/android-checklist.md

@@ -47,6 +47,7 @@
4747
- `flutter-packer`, `fluttersign`, `rn-differ`
4848
- [ ] Scan third-party native libraries for known CVEs (e.g., **libwebp CVE-2023-4863**, **libpng**, etc.).
4949
- [ ] Evaluate **SEMgrep Mobile rules**, **Pithus** and the latest **MobSF ≥ 3.9** AI-assisted scan results for additional findings.
50+
- [ ] Check OEM ROM add-ons (OxygenOS/ColorOS/MIUI/OneUI) for extra **exported ContentProviders** that bypass permissions; try `content query --uri content://com.android.providers.telephony/ServiceNumberProvider` without `READ_SMS` (e.g., OnePlus CVE-2025-10184).
5051

5152
### [Dynamic Analysis](android-app-pentesting/index.html#dynamic-analysis)
5253

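Review bot: the `content query` probe added at new line 50 is a runtime step but lands in the static-analysis list, and the same CVE-2025-10184 probe is added again at new line 74 under Dynamic Analysis, so the two entries overlap. Suggest keeping line 50 as the static check (review the OEM package manifest for `<provider>` entries with `android:exported="true"` and no `readPermission`/`writePermission`) and leaving the `content query` command to the dynamic entry. Also, `content query` from `adb shell` runs as the shell uid, whose permission set is not that of a third-party app, so a successful query from adb does not by itself show that an unprivileged app can read the provider; the entry should say to confirm from a test app with no declared permissions via `ContentResolver.query()`.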
@@ -66,10 +67,11 @@
6667
- [ ] Attempt **overlay / SYSTEM_ALERT_WINDOW clickjacking** and **Accessibility Service abuse** for privilege escalation.
6768
- [ ] Check if `adb backup` / `bmgr backupnow` can still dump app data (apps that forgot to disable `allowBackup`).
6869
- [ ] Probe for **Binder-level LPEs** (e.g., **CVE-2023-20963, CVE-2023-20928**); use kernel fuzzers or PoCs if permitted.
69-
- [ ] If Play Integrity / SafetyNet is enforced, try runtime hooks (`Frida Gadget`, `MagiskIntegrityFix`, `Integrity-faker`) or network-level replay.
70+
- [ ] If Play Integrity / SafetyNet is enforced, try runtime hooks (`Frida Gadget`, `MagiskIntegrityFix`, `Integrity-faker`) or network-level replay. Recent Play Integrity Fix forks (≥17.x) embed `playcurl`—focus on ZygiskNext + PIF + ZygiskAssistant/TrickyStore combinations to regain DEVICE/STRONG verdicts.
7071
- [ ] Instrument with modern tooling:
71-
- **Objection > 2.0**, **Frida 17+**, **NowSecure-Tracer (2024)**
72+
- **Objection > 2.0**, **Frida 17+ (Android 16 support, ART offset fixes)**, **NowSecure-Tracer (2024)**
7273
- Dynamic system-wide tracing with `perfetto` / `simpleperf`.
74+
- [ ] For OEM telephony/provider bugs (e.g., OxygenOS CVE-2025-10184), attempt **permission-less SMS read/send** via the `content` CLI or in-app `ContentResolver`; test blind SQLi in `update()` to exfiltrate rows.
7375

7476
### Some obfuscation/Deobfuscation information
7577

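Review bot: new line 74 repeats the CVE-2025-10184 provider check already added at new line 50; keep one entry, and this dynamic one is the better home for the `content` CLI / `ContentResolver` steps. Within line 74, "SMS read/send" goes beyond what the cited Rapid7 reference title describes (a telephony provider permission bypass); keep "send" only if the reference actually supports it. The Play Integrity sentence at new line 70 asserts a version ("Recent Play Integrity Fix forks (≥17.x) embed `playcurl`") and promises DEVICE/STRONG verdicts with no reference added in this commit; either cite the PIF/TrickyStore sources or drop the version number, and qualify the STRONG claim, since that verdict depends on hardware-backed attestation rather than on a hook alone.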
@@ -79,5 +81,7 @@
7981
## References
8082

8183
- [CVE-2025-59489 – Arbitrary Code Execution in Unity Runtime (blog)](https://flatt.tech/research/posts/arbitrary-code-execution-in-unity-runtime/)
84+
- [Rapid7: CVE-2025-10184 OnePlus OxygenOS Telephony provider permission bypass](https://www.rapid7.com/blog/post/cve-2025-10184-oneplus-oxygenos-telephony-provider-permission-bypass-not-fixed/)
85+
- [TapTrap animation-based tapjacking research (TU Wien)](https://www.tomsguide.com/computing/online-security/this-new-android-attack-could-trick-you-into-compromising-your-own-phone-everything-you-need-to-know)
8286

83-
{{#include ../banners/hacktricks-training.md}}
87+
{{#include ../banners/hacktricks-training.md}}
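Review bot: the TapTrap entry at new line 85 credits TU Wien research but links a Tom's Guide news article; cite the primary source (the paper or the authors' project page) and, if the news link stays, label it as coverage. Nothing else in this commit adds a TapTrap or animation-based tapjacking item to the checklist body (the overlay/clickjacking line at 66/67 is unchanged), so the reference is orphaned; add a checklist entry that uses it or drop it. The `83-`/`87+` pair re-adds the `{{#include ../banners/hacktricks-training.md}}` line unchanged, which usually means a trailing-newline or whitespace difference; worth confirming nothing else changed on that line.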
