
Introduction

This guide covers Android application penetration testing. Where possible, I have included procedures for Android versions up to 15. I use rooted Pixel devices during any penetration testing engagements, as well as Corellium virtual devices as needed.

Version: 8.5.1 - September 2025

Android Security

With each major Android release, Google updates the developer security guide. This guide describes the overall implementation of security features - both hardware and software - for the latest release. To fully understand the security features of Android, it is recommended that you read through the security guide.

The latest guide is located at: https://developer.android.com/topic/security/best-practices

OWASP Mobile Top 10 (2024)

Official Link

M1: Improper Credential Usage

M2: Inadequate Supply Chain Security

M3: Insecure Authentication/Authorization

M4: Insufficient Input/Output Validation

M5: Insecure Communication

M6: Inadequate Privacy Controls

M7: Insufficient Binary Protections

M8: Security Misconfiguration

M9: Insecure Data Storage

M10: Insufficient Cryptography

OWASP Mobile Testing Guide

Official Link

OWASP produces a very good mobile application penetration testing guide. It covers both Android & iOS, and is frequently updated. For a more complete set of testing procedures, I highly recommend that you use the OWASP guide during any testing engagements!

Android Mobile Application Testing:

a. Static Analysis:

  • Obtain the application's APK file from the Google Play Store or the developer.
  • Utilize static analysis tools like APKTool, JADX, or commercial tools to decompile the APK and review the application's code and resources.
  • Look for sensitive data stored in code or resources, similar to the iOS testing process.
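As an added example (not part of the original guide), the helper below performs the static-analysis review step over apktool output: it parses a decoded AndroidManifest.xml for misconfigurations (debuggable, backup allowed, cleartext traffic, exported components without a permission guard) and scans res/values/strings.xml for hard-coded secrets. The package name, component names, key and URL in the samples are constructed, not from any real application.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample of an apktool-decoded manifest (hypothetical package).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.demo">
  <application android:debuggable="true" android:allowBackup="true" android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity" android:exported="true"/>
    <service android:name=".SyncService" android:exported="true"/>
    <receiver android:name=".BootReceiver" android:exported="true" android:permission="com.example.demo.BOOT"/>
  </application>
</manifest>"""

# Constructed sample of res/values/strings.xml with a test key and a plain-HTTP URL.
SAMPLE_STRINGS = """<resources>
  <string name="app_name">Demo</string>
  <string name="api_key">AKIAEXAMPLEKEY000000</string>
  <string name="backend">http://api.example.test/v1</string>
</resources>"""

# Patterns for secrets and insecure endpoints commonly left in resources.
SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "cleartext_url": re.compile(r'\bhttp://[^\s"<]+'),
}


def scan_manifest(xml_text):
    """Return (component_or_application, issue) findings from a decoded manifest."""
    app = ET.fromstring(xml_text).find("application")
    findings = []
    for attr in ("debuggable", "allowBackup", "usesCleartextTraffic"):
        if app.get(ANDROID_NS + attr) == "true":
            findings.append(("application", attr + "=true"))
    # Exported components without android:permission are flagged for manual review;
    # a launcher activity is legitimately exported, but every other case needs a look.
    for comp in app:
        exported = comp.get(ANDROID_NS + "exported") == "true"
        guarded = comp.get(ANDROID_NS + "permission") is not None
        if exported and not guarded:
            findings.append((comp.get(ANDROID_NS + "name"), "exported without permission"))
    return findings


def scan_strings(xml_text):
    """Return (resource_name, pattern_name) for string resources matching a secret pattern."""
    hits = []
    for s in ET.fromstring(xml_text).iter("string"):
        for label, pat in SECRET_PATTERNS.items():
            if s.text and pat.search(s.text):
                hits.append((s.get("name"), label))
    return hits
```

Point both functions at the real apktool output directory (`AndroidManifest.xml` and `res/values/strings.xml`) instead of the constructed samples when reviewing an actual APK.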

b. Dynamic Analysis:

  • Run the application on an Android device or emulator using tools like Android Studio, ADB, or Frida.
  • Monitor network traffic to identify insecure communication and data leakage.
  • Test for runtime vulnerabilities, such as insecure data storage, memory leaks, or unintended data exposure.

c. Root Detection and Emulator Detection:

  • Test the application's response to rooted devices and emulators, as they may pose additional security risks.
  • Analyze the effectiveness of any root and emulator detection mechanisms implemented by the app.

d. Secure Communication:

  • Evaluate the implementation of secure communication protocols and check for certificate pinning.

e. Authentication and Authorization:

  • Test the strength of user authentication mechanisms, including password policies and the use of multi-factor authentication (if applicable).
  • Check for authorization issues to ensure that users can access only their appropriate data.

f. Data Storage:

  • Assess the security of local data storage, ensuring sensitive data is encrypted and adequately protected.

g. Code Review:

  • Conduct a manual code review, paying close attention to security-critical components.
  • Look for common vulnerabilities like insecure data storage, input validation issues, and potential backdoors.

h. Business Logic Flaws:

  • Analyze the application's business logic to identify any potential vulnerabilities or logic flaws that could lead to security breaches.

i. Obfuscation and Tampering:

  • Check if the application uses obfuscation techniques to protect sensitive code and data from reverse engineering.
  • Test the app's resistance to tampering and modification.

j. Third-party Libraries:

  • Review third-party libraries used in the application to ensure they are up-to-date and free of known vulnerabilities.

k. Code Injection and Reverse Engineering:

  • Attempt code injection and reverse engineering techniques to uncover potential security weaknesses.