Fixme.ch:OldWiki/Android Lab

= Goals =
 * Extract all application packages from the Market
 * http://code.google.com/p/android-market-api/
 * http://cyrket.com
 * Run batch tests (fuzzing, targeted attacks) on an application subset

= TODO =
 * Create a FIXME Google account (something less obvious than fixme@gmail.com :D)

= Harvest APK =
 * Intercept traffic http://www.floyd.ch/?p=244
 * Download from TPB

= Attack surfaces =

Misc

 * Browser app:// scheme

Bind to service

 * Extract all apps that define a private (non-exported) service via AIDL
 * Decompile apk and resources
 * Modify AndroidManifest.xml so the Service is exported
 * Save the Service interface file (.aidl)
 * Repackage application and resource
 * Create a 3rd party app accessing the service methods

Broadcast Intents

 * Extract AndroidManifest.xml data to find interesting Intent Filters
 * Create an application implementing all possible filters (type, data, categories)
 * Eavesdrop on broadcast intents, handle them before the intended receiver, replay them (DoS)
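Both the "Bind to service" and "Broadcast Intents" items start from the same question: which components does a manifest actually expose to other apps? The script below is an added example (not from the original wiki page) that answers it for an AndroidManifest.xml decoded with apktool, applying the export rules and flagging exported components that no android:permission protects; the sample manifest and the ch.fixme.sample names are constructed.

```python
# Added example (not from the original page): given an AndroidManifest.xml decoded
# with apktool, list the components other apps can reach and flag the ones that no
# android:permission protects. The sample manifest below is constructed.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENTS = ("activity", "service", "receiver", "provider")

def _attr(elem, name):
    """Read an android:-namespaced attribute."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))

def is_exported(elem):
    """Explicit android:exported wins; otherwise a component that declares an
    <intent-filter> is exported by default (the pre-API 31 rule)."""
    explicit = _attr(elem, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return elem.find("intent-filter") is not None

def exported_components(manifest_xml):
    """Return [(kind, name, permission, actions)] for each exported component."""
    root = ET.fromstring(manifest_xml)
    result = []
    for elem in root.find("application"):
        if elem.tag in COMPONENTS and is_exported(elem):
            actions = [_attr(a, "name") for a in elem.iter("action")]
            result.append((elem.tag, _attr(elem, "name"), _attr(elem, "permission"), actions))
    return result

def unprotected(components):
    """Exported components without android:permission: review these first."""
    return [c for c in components if c[2] is None]

SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="ch.fixme.sample">
  <application>
    <activity android:name=".Login" android:exported="false"/>
    <service android:name=".SyncService" android:exported="true" android:permission="ch.fixme.SYNC"/>
    <service android:name=".BillingService">
      <intent-filter><action android:name="ch.fixme.sample.BILL"/></intent-filter>
    </service>
    <receiver android:name=".SmsReceiver">
      <intent-filter><action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    for kind, name, perm, actions in exported_components(SAMPLE_MANIFEST):
        print(kind, name, ", ".join(actions) or "-", "" if perm else "<-- no permission")
```

Run it over every decoded manifest from the harvested APK set to get the candidate list for the two sections above; a service or receiver that shows up as unprotected is the one whose exposure the app's developer should restrict with android:exported="false" or a signature-level permission.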

= Other =

Unlock screen

 * Button mashing
 * Back button
 * Car dock
 * Gmail null password

To test

 * Install an app from another app without a permission prompt ???
 * Download apps with a transparent proxy (burp, iptables)
 * When stuck at a login screen (for example), invoke the other activities directly..
 * test classes
 * 2nd factor auth: mTAN
 * MITM study on smartphones http://www.globalthreatcenter.com/wp-content/uploads/2009/11/MIMT-Whitepaper031.pdf
 * reverse shell with app:// scheme (no perm) http://www.defcon.org/images/defcon-18/dc-18-presentations/Lineberry/DEFCON-18-Lineberry-Not-The-Permissions-You-Are-Looking-For.pdf
 * https://www.owasp.org/index.php/Projects/OWASP_GoatDroid_Project
 * Permission leak: [[File:Android_Woodpecker.pdf]]