• Extract all application packages from the Market
  • http://code.google.com/p/android-market-api/
  • http://cyrket.com
• Run batch tests (fuzzing, targeted attack) on a application subset

• Create a FIXME google account (something less obvious than fixme@gmail.com :D)

• Intercept traffic http://www.floyd.ch/?p=244
• Download on TPB

Misc

• Browser app:// scheme

Bind to service

• Extract all apps with a private service using AIDL
• Decompile apk and resources
• Modify AndroidManifest.xml so the Service is exported
• Save the Service interface file (.aidl)
• Repackage application and resource
• Create a 3rd party app accessing the service methods

Broadcast Intents

• Extract AndroidManifest.xml data to find interesting Intent Filters
• Create an application implementing all possible filters (type, data, categories)
• Eavesdrop broadcasted intent, handle them before the supposed activity, replay (DoS)

Unlock screen

• mashing button
• Back button
• Car dock
• gmail null password

To test

• Install app from an other app without perm prompt ???
• Download apps with a transparent proxy (burp, iptables)
• When login screen (ie.) invoke other activities directly..
• test classes
• 2nd factor auth: mTAN
• MITM study on smartphones http://www.globalthreatcenter.com/wp-content/uploads/2009/11/MIMT-Whitepaper031.pdf
• reverse shell with app:// scheme (no perm) http://www.defcon.org/images/defcon-18/dc-18-presentations/Lineberry/DEFCON-18-Lineberry-Not-The-Permissions-You-Are-Looking-For.pdf
• https://www.owasp.org/index.php/Projects/OWASP_GoatDroid_Project
• Permission leak: File:Android Woodpecker.pdf