In the previous chapter, we covered server-side attacks associated with Android applications. This chapter covers various client-side attacks from a static application security testing (SAST) perspective. In the next chapter, we will cover the same client-side attacks from a dynamic application security testing (DAST) perspective and will also look at some automated tools. To successfully execute most of the attacks covered in this chapter, an attacker needs to convince the victim to install a malicious application on their phone. An attacker who has physical access to the device can also exploit the apps.
The following are some of the major topics that we will discuss in this chapter:
Attacking application components
Activities
Services
Broadcast receivers
Content providers
Leaking content providers
SQL injection in content providers
Automated static analysis using QARK