
@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

This post is a complete, hands-on guide to Android reconnaissance for bug bounty hunters, focusing on extracting authentic APKs, decompiling them, and statically mapping the entire attack surface before doing any dynamic testing.


Why Android recon is critical
Most hunters install an app, open Burp, and click around the UI, effectively testing blind. This only covers what the interface exposes and ignores hidden APIs, debug components, hardcoded credentials, a...

🔧 Technical Details

Reliable APK acquisition and integrity checking
For accurate recon, always work with genuine production builds. Use APKeep (https://github.com/EFForg/apkeep) to pull APKs from Google Play (optionally authenticated via an oauth_token that starts with oauth2_4/) or APKPure mirrors, and use ADB (adb shell pm path, adb pull) to extract on‑device or split APKs from /data/app/. Always verify authenticity with apksigner verify --print-certs target.apk and compare the signing certificate to the official Play signature before analysing or reporting any issues.


Using APKTool and resources to enumerate components and hidden endpoints
Decompile APKs with APKTool (apktool d target.apk -o target_unpacked) to obtain AndroidManifest.xml, res/, smali/, lib/, and assets/. From the...

🤖 Agent Actions

Summary:

  • Added a new “Android APK Recon & Static Attack Surface Mapping” subsection to src/mobile-pentesting/android-app-pentesting/README.md, detailing a full workflow for obtaining authentic APKs (APKeep, ADB pulls, split handling), verifying signatures, decompiling with APKTool/jadx, harvesting endpoints, and statically identifying secrets, weak auth logic, insecure storage, and ICC/WebView attack surfaces prior to dynamic testing.
  • Linked supporting tools and existing HackTricks pages to show how to operationalize findings, and highlighted how to build a prioritized attack target list from the recon process.
  • Updated the references section with the source blog and APKeep documentation used for the additions.

Tests: Not run (not applicable).


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
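
The certificate comparison described under "Reliable APK acquisition and integrity checking", as an added example that is not part of this PR or of the source blog post. The helper names, the sample output and the sample digest are constructed, and the parser assumes the `Signer #N certificate SHA-256 digest:` lines that `apksigner verify --print-certs` prints.

```shell
#!/usr/bin/env bash
# Added example: pin-check the signer digests printed by
# `apksigner verify --print-certs`. Helper names are hypothetical.

# Constructed sample output and digest (not from a real app).
SAMPLE_DIGEST=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
SAMPLE_OUTPUT="Signer #1 certificate DN: CN=Example Vendor, O=Example
Signer #1 certificate SHA-256 digest: $SAMPLE_DIGEST
Signer #1 certificate SHA-1 digest: 0123456789abcdef0123456789abcdef01234567"

# Strip colons/whitespace and lowercase, so "AB:CD:.." and "abcd.." compare equal.
normalize_digest() {
    printf '%s' "$1" | tr -d ': \t\r\n' | tr 'A-F' 'a-f'
}

# Read apksigner output on stdin, print one SHA-256 digest per signer.
extract_signer_digests() {
    sed -n 's/^Signer #[0-9][0-9]* certificate SHA-256 digest: *\([0-9A-Fa-f]*\).*$/\1/p'
}

# check_signers PINNED < apksigner-output
# 0 = every signer matches, 1 = mismatch, 2 = malformed pin, 3 = no signer found
check_signers() {
    local pinned digests d
    pinned=$(normalize_digest "$1")
    case "$pinned" in ''|*[!0-9a-f]*) return 2 ;; esac
    [ "${#pinned}" -eq 64 ] || return 2
    digests=$(extract_signer_digests)
    [ -n "$digests" ] || return 3          # fail closed on unparsed output
    for d in $digests; do
        [ "$(normalize_digest "$d")" = "$pinned" ] || return 1
    done
    return 0
}

# verify_apk APK PINNED: run apksigner itself, then pin-check its output.
verify_apk() {
    local out
    out=$(apksigner verify --print-certs "$1") || return 4   # signature invalid
    printf '%s\n' "$out" | check_signers "$2"
}

if printf '%s\n' "$SAMPLE_OUTPUT" | check_signers "$SAMPLE_DIGEST"; then
    echo "sample: signer matches pinned certificate"
fi
```

The pinned value can be pasted in the colon-separated uppercase form that certificate fingerprints are often published in; `normalize_digest` makes both spellings compare equal.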

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://www.yeswehack.com/learn-bug-bounty/android-recon-bug-bounty-guide

Content Categories: Based on the analysis, this content was categorized under "📱 Mobile Pentesting -> Android Applications Pentesting (new subsection like "Android APK Recon & Static Attack Surface Mapping")".

Repository Maintenance:

  • MD Files Formatting: 913 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
