This is a comprehensive mind map covering various aspects of Android app penetration testing. The categories are structured to provide an in-depth look into the tools, methodologies, and best practices.
- Linux Basics
- Programming Basics (Java Recommended)
- Virtualization Basics
- Optional: App Dev Background (Not required, but good to have)
- Application
- Application Framework
- Libraries & ART
- Linux Kernel
- AndroidManifest.xml
- classes.dex
- res
- META-INF
  - MANIFEST.MF
  - CERT.SF
  - CERT.RSA
- Kali/Parrot VM (Attacker)
- Genymotion / Android Studio AVD (Attacker)
- Activity
- Content Provider
- Content Resolver
- Broadcast Receiver
- Intent
  - Explicit
  - Implicit
- Intent Filter
- Intent Resolution
- Services
- adb
- MobSF
- apktool
- jadx / jadx-gui
- zipalign
- Optional (but good to know):
- frida
- objection
- qark
- drozer
- Recon
- Static Analysis
- Dynamic Analysis
- Reporting
- M1: Weak Server Side Controls
- M2: Insecure Data Storage
- M3: Insufficient Transport Layer Protection
- M4: Unintended Data Leakage
- M5: Poor Authorization & Authentication
- M6: Broken Cryptography
- M7: Client Side Injection
- M8: Security Decision via Untrusted Input
- M9: Improper Session Handling
- M10: Lack of Binary Protection
- DIVA
- Insecure Bank v2
- Injured Android
This mind map provides a structured approach for performing Android app penetration testing. Follow the steps from setting up your environment to understanding OWASP vulnerabilities and practicing with real-world labs.