Changes
= Goals =
* Extract all application packages from the Market
** http://code.google.com/p/android-market-api/
** http://cyrket.com
* Run batch tests (fuzzing, targeted attack) on a application subset
= TODO =
* Create a FIXME google account (something less obvious than fixme@gmail.com :D)
= Harvest APK =
* Intercept traffic http://www.floyd.ch/?p=244
* Download on TPB
= Attack surfaces =
== Misc ==
* Browser app:// scheme
== Bind to service ==
* Extract all apps with a private service using AIDL
* Decompile apk and resources
* Modify AndroidManifest.xml so the Service is exported
* Save the Service interface file (.aidl)
* Repackage application and resource
* Create a 3rd party app accessing the service methods
== Broadcast Intents ==
* Extract AndroidManifest.xml data to find interesting Intent Filters
* Create an application implementing all possible filters (type, data, categories)
* Eavesdrop broadcasted intent, handle them before the supposed activity, replay (DoS)
= Other =
== Unlock screen ==
* mashing button
* Back button
* Car dock
* gmail null password
== To test ==
* Install app from an other app without perm prompt ???
* Download apps with a transparent proxy (burp, iptables)
* When login screen (ie.) invoke other activities directly..
* test classes
* 2nd factor auth: mTAN
* MITM study on smartphones http://www.globalthreatcenter.com/wp-content/uploads/2009/11/MIMT-Whitepaper031.pdf
* reverse shell with app:// scheme (no perm) http://www.defcon.org/images/defcon-18/dc-18-presentations/Lineberry/DEFCON-18-Lineberry-Not-The-Permissions-You-Are-Looking-For.pdf
* https://www.owasp.org/index.php/Projects/OWASP_GoatDroid_Project
* Permission leak: [[File:Android_Woodpecker.pdf]]
* Extract all application packages from the Market
** http://code.google.com/p/android-market-api/
** http://cyrket.com
* Run batch tests (fuzzing, targeted attack) on a application subset
= TODO =
* Create a FIXME google account (something less obvious than fixme@gmail.com :D)
= Harvest APK =
* Intercept traffic http://www.floyd.ch/?p=244
* Download on TPB
= Attack surfaces =
== Misc ==
* Browser app:// scheme
== Bind to service ==
* Extract all apps with a private service using AIDL
* Decompile apk and resources
* Modify AndroidManifest.xml so the Service is exported
* Save the Service interface file (.aidl)
* Repackage application and resource
* Create a 3rd party app accessing the service methods
== Broadcast Intents ==
* Extract AndroidManifest.xml data to find interesting Intent Filters
* Create an application implementing all possible filters (type, data, categories)
* Eavesdrop broadcasted intent, handle them before the supposed activity, replay (DoS)
= Other =
== Unlock screen ==
* mashing button
* Back button
* Car dock
* gmail null password
== To test ==
* Install app from an other app without perm prompt ???
* Download apps with a transparent proxy (burp, iptables)
* When login screen (ie.) invoke other activities directly..
* test classes
* 2nd factor auth: mTAN
* MITM study on smartphones http://www.globalthreatcenter.com/wp-content/uploads/2009/11/MIMT-Whitepaper031.pdf
* reverse shell with app:// scheme (no perm) http://www.defcon.org/images/defcon-18/dc-18-presentations/Lineberry/DEFCON-18-Lineberry-Not-The-Permissions-You-Are-Looking-For.pdf
* https://www.owasp.org/index.php/Projects/OWASP_GoatDroid_Project
* Permission leak: [[File:Android_Woodpecker.pdf]]
Anonymous user
