Module 5 — Dynamic Analysis Fundamentals

This module introduces dynamic analysis for Android applications. Unlike static analysis (where we review APKs, manifests, and code without execution), dynamic analysis focuses on observing the app while it runs on a device or emulator. This provides insights into runtime behavior, network communications, storage use, cryptographic operations, and potential vulnerabilities.

The purpose here is to create a solid foundation before moving into advanced runtime instrumentation (e.g., Frida, Objection).

5.0 Learning Objectives

After completing this module, you will be able to:

Set up an Android device or emulator for safe, repeatable dynamic analysis.
Capture, inspect, and manipulate network traffic from apps.
Monitor logs, processes, and file activity in real time.
Identify common runtime misconfigurations (e.g., missing TLS, exposed logs).
Build repeatable test cases that generate useful evidence for reports.

5.1 Why Dynamic Analysis Matters

Static ≠ complete: Many protections (like runtime checks or encryption) only appear at execution.
Dynamic ≠ intrusive: With the right setup, you can passively observe behavior without tampering.
Bridges gap: Combines what you saw in static analysis (hardcoded endpoints, permissions) with what actually happens at runtime.

Typical findings:

Endpoints discovered only when features are triggered.
Sensitive data written into system logs.
Plaintext credentials in transit.
Weak certificate validation (or no TLS at all).

5.2 Lab Setup for Dynamic Analysis

Dynamic analysis requires a controlled, instrumented environment:

Recommended environment:

Real device (preferred): Gives closest-to-production behavior. Rooting optional but useful.
Emulator (Android Studio AVD or Genymotion): Easier to snapshot and reset, but some protections detect emulators.

Tools to install:

adb (Android Debug Bridge) → core interface.
Burp Suite / OWASP ZAP → intercept and modify network traffic.
Wireshark / tcpdump → low-level packet capture.
Logcat → view system and application logs.
strace/ltrace (if rooted) → system call tracing.
sqlite3 → database inspection (if app uses local storage).

5.3 Basic Workflow

Dynamic analysis proceeds in structured stages:

Launch app in controlled environment (device/emulator with proxy configured).
Monitor logs (adb logcat) while using the app.
Generate interactions: log in, navigate menus, trigger features.
Capture traffic with Burp or tcpdump.
Inspect storage: check /data/data/<package> (if rooted).
Document anomalies: insecure traffic, sensitive logs, unencrypted storage.

5.4 Logging & Monitoring

adb logcat

adb logcat *:W

Shows warnings and errors. Adjust filters to target the app:

adb logcat | grep com.target.app

Things to look for:

API keys or tokens accidentally logged.
Debug messages exposing backend structure.
Exceptions leaking stack traces.

5.5 Network Interception

Proxy configuration

Configure device/emulator Wi-Fi → manual proxy → point to Burp/ZAP.
Install custom CA certificate in device user store.
For apps using certificate pinning, interception may fail (we’ll handle that in advanced modules).

Capturing traffic

tcpdump -i any -s 0 -w capture.pcap

Then open capture.pcap in Wireshark.

What to check:

Endpoints: enumerate all contacted domains/paths.
Protocols: HTTP, HTTPS, gRPC, WebSocket.
Sensitive data: credentials, tokens, PII.
TLS configuration: weak ciphersuites, missing SNI.

5.6 File System & Storage Checks

If you have root or emulator access:

adb shell
cd /data/data/com.target.app/
ls -R

Check for:

Unencrypted SQLite DBs (credentials, tokens, PII).
SharedPreferences XML with secrets.
Log files storing API responses.
Cache files with sensitive temporary data.

5.7 Runtime Behavior Checks

Process monitoring

adb shell ps | grep com.target.app

Permissions at runtime

adb shell dumpsys package com.target.app

Confirms declared vs granted permissions.

System call tracing (rooted)

strace -p <pid>

Shows file/network operations the app performs in real time.

5.8 Evidence Collection & Documentation

For every dynamic finding:

Screenshot or log excerpt.
Describe what triggered it (steps to reproduce).
Record exact data observed (e.g., plaintext password in log).
Assess severity:
- High: plaintext credentials over HTTP.
- Medium: PII stored in unencrypted SQLite DB.
- Low: debug logs with generic info.

All evidence should be timestamped and traceable to a specific device/emulator instance.

5.9 Deliverables of Dynamic Analysis

Traffic map: all observed endpoints, protocols, and authentication flows.
Log review: sensitive info leaks, error messages, debugging info.
Storage review: insecure databases, files, or preferences.
Runtime anomalies: crashes, unusual system calls, unsafe inter-app communication.

5.10 Safe Lab Exercises

Exercise A — Logcat hunting

Run a vulnerable test APK.
Trigger login.
Use adb logcat to capture and find hardcoded credentials printed in logs.

Exercise B — Network capture

Route app traffic through Burp.
Log into app.
Export session from Burp → verify if tokens or credentials travel in plaintext.

Exercise C — Storage inspection

On emulator, extract /data/data/com.vulnapp/shared_prefs/.
Inspect XML files → identify sensitive values stored unencrypted.

5.11 Common Mistakes to Avoid

Forgetting to restore device proxy settings → may block internet for other apps.
Misinterpreting encrypted blobs as plaintext (always validate with crypto review).
Over-relying on emulator findings (real devices may behave differently).
Ignoring TLS handshake errors in Burp (could mean certificate pinning).

5.12 Key Takeaways

Dynamic analysis complements static analysis by showing real-world runtime behavior.
Focus on logs, network, storage, and process activity.
Document everything with reproducible steps and artifacts.
Certificate pinning and advanced anti-analysis techniques will require more advanced modules.