From 3dab1d1b7a259bc271050d04f265e76ce9c90ca1 Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Sun, 15 Mar 2026 12:52:05 +0000 Subject: [PATCH] Add content from: PulseAPK Core: GUI workflow for APK decompilation, Smali rul... --- .../android-app-pentesting/smali-changes.md | 45 ++++++++++++++++++- 1 file changed, 43 insertions(+), 2 deletions(-) diff --git a/src/mobile-pentesting/android-app-pentesting/smali-changes.md b/src/mobile-pentesting/android-app-pentesting/smali-changes.md index 176d03fb024..1e3d7a9db2f 100644 --- a/src/mobile-pentesting/android-app-pentesting/smali-changes.md +++ b/src/mobile-pentesting/android-app-pentesting/smali-changes.md 
@@ -220,8 +220,49 @@ Notes: - Make sure the correct ABI variant of the library exists under lib// (e.g., arm64-v8a/armeabi-v7a) to avoid UnsatisfiedLinkError. - Loading very early (class static initializer) guarantees the native logger can observe subsequent JNI activity. -## References +## Smali Static Analysis / Rule-Based Hunting + +After decompiling with `apktool`, you can **scan Smali line-by-line** with regex rules to quickly spot anti-analysis logic (root/emulator checks) and likely hardcoded secrets. This is a **fast triage** technique: treat hits as leads that you must verify in surrounding Smali or reconstructed Java/Kotlin. + +Key ideas: +- **Library filtering**: suppress or tag findings under common third-party namespaces so you focus on app-owned code paths. +- **Context hints**: require suspicious strings to appear near the APIs that consume them (within the same method, within N lines). +- **Confidence**: use simple levels (high/medium) to rank leads and reduce false positives. + +Example library prefixes to suppress by default: +```text +Landroidx/ +Lkotlin/ +Lkotlinx/ +Lcom/google/ +Lcom/squareup/ +Lokhttp3/ +Lokio/ +Lretrofit2/ +``` + +Example detection rules (regex + context heuristics): +```json +{ + "category": "root_check", + "regex_patterns": [ + "(?i)invoke-static .*Runtime;->getRuntime\\(\\).*->exec\\(.*\\"(su|magisk|busybox)\\"", + "(?i)const-string [vp0-9, ]+\\"(/system/xbin/su|/system/bin/su|/sbin/su)\\"" + ], + "context_hint": "Only report when the same method also calls File;->exists/canExecute or Runtime;->exec." +} +``` +Additional heuristics that work well in practice: +- **Root package/path checks**: require nearby `PackageManager;->getPackageInfo` or `File;->exists` calls for strings like `com.topjohnwu.magisk` or `/data/local/tmp`. +- **Emulator checks**: pair suspicious literals (e.g., `ro.kernel.qemu`, `generic`, `goldfish`) with nearby `Build.*` getters and string comparisons (`->equals`, `->contains`, `->startsWith`). 
+- **Hardcoded secrets**: flag `const-string` only when a nearby `.field` or `move-result` identifier includes keywords like `password`, `token`, `api_key`. Explicitly ignore UI-only markers such as `AutofillType`, `InputType`, `EditorInfo`. + +Rule-driven scanners like PulseAPK Core implement this model to quickly surface anti-analysis logic and potential secrets in Smali. + +## References +- [PulseAPK Core](https://github.com/deemoun/PulseAPK-Core) +- [PulseAPK Smali Detection Rules](https://github.com/deemoun/PulseAPK-Core/blob/main/APK_ANALYSIS_RULES.md) - SoTap: Lightweight in-app JNI (.so) behavior logger – [github.com/RezaArbabBot/SoTap](https://github.com/RezaArbabBot/SoTap) -{{#include ../../banners/hacktricks-training.md}} \ No newline at end of file +{{#include ../../banners/hacktricks-training.md}}
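Review bot: the first `regex_patterns` entry in the `root_check` rule will not match real apktool output, because Smali emits one instruction per line: `Runtime;->getRuntime()` is an `invoke-static`, the `"su"`/`"magisk"`/`"busybox"` literal sits in its own `const-string` instruction, and `->exec(` is an `invoke-virtual` on the returned object, so no single line contains all three pieces the pattern requires. Since the section explicitly describes scanning "line-by-line", consider splitting it into a `const-string` pattern for the `(su|magisk|busybox)` literals and moving the `Runtime;->exec` requirement into `context_hint` (same method, within N lines), which is the approach the second pattern and the path-based bullets already take. Two smaller points: the emulator-check bullet refers to "`Build.*` getters", but in Smali those values are read with `sget-object Landroid/os/Build;->FINGERPRINT:Ljava/lang/String;` (and the other static fields), so the nearby-call heuristic should look for `sget-object Landroid/os/Build;->`; and `generic` on its own is a very common literal, so it should probably only count when paired with such a `Build` read rather than listed alongside `ro.kernel.qemu` and `goldfish` as an equal signal.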