- Download the APK.
- Drag and drop the APK onto an Android emulator such as genymotion, or use
adb install
to install the APK onto an Android device.
- List all Android activities within the application
- Find and extract the usernames and passwords of the applications users.
- Find and extract the administrator's username and password.
- Examine the devices application memory for sensitive information (using a tool such as fridump) and report anything interesting you find.
- Find the secret admin interface and catalog the steps to access it.
- Summarize your findings, their CVSS severity, and the steps to reproduce them in a report using the word processor of your choice.