We can decompile code to JAVA using jadx.
Copy docker pull opensecurity/mobile-security-framework-mobsf:latest
docker run -it --rm -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest
For ease of static analysis (since there are many files), we can have few keywords and grep those words to see how many files are intresting to lookout for.
Copy ╰─➤ cat resources/AndroidManifest.xml | grep -i backup
android:allowBackup = "true"
╰─➤ cat resources/AndroidManifest.xml | grep -iE 'exported="true"' 1 ↵
android:exported = "true"
╰─➤ cat resources/AndroidManifest.xml | grep -iE 'debuggable' --color 1 ↵
android:debuggable = "true"
╰─➤ cat resources/AndroidManifest.xml | grep -i 'android.permission' --color
< uses-permission android:name= "android.permission.INTERNET" / >