Comprehensive Android App Pentesting Checklist

By Het Mehta | Published: 2025-04-04 | Last Updated: 3/27/2026

Introduction

This checklist provides a structured approach to Android application penetration testing, covering key phases from reconnaissance to detailed analysis. It heavily references the essential OWASP MAS resources:

• MASVS (Mobile Application Security Verification Standard)
• MASTG (Mobile Security Testing Guide)
• MASWE (Mobile Application Security Weakness Enumeration)

Testing Environment Setup

Ensure you have the necessary tools and environment:

• Device/Emulator: Rooted physical device or Emulator (Android Studio AVD, Genymotion).
• Proxy: Burp Suite Pro or OWASP ZAP.
• Instrumentation: Frida & Objection (pip install frida-tools objection).
• ADB: Android Debug Bridge (SDK Platform Tools).
• Decompilers: Jadx-GUI (primary), apktool, dex2jar (secondary/legacy).
• Analysis Tools: MobSF (≥ 3.9), Drozer, Semgrep (with android security rules), Ghidra/IDA Pro (optional for native).
• Utilities: Root File Explorer, SQLite Browser, APKiD (packer/obfuscator detection).

Phase 1: Information Gathering & Reconnaissance

• Identify Application Details:
  • Obtain APK (from device via adb pull, or tools like APKPure/APKMirror for non-Play installs).
  • Note app name, version, package name, developer, store description.
  • Identify backend tech/APIs (initial scan).
  • Check if app is a cross-platform build (React Native, Flutter, Xamarin, Cordova/Ionic) — affects decompilation approach.
  • Tools: App Stores, adb, apktool, APKiD.
• Map Attack Surface:
  • Identify entry points (UI, Intents, Deep Links, Custom URL Schemes, APIs, Files).
  • Identify backend servers/endpoints.
  • Tools: Manual Exploration, Burp/ZAP, MobSF.

Phase 2: Static Analysis (SAST) 🔬

• Decompile/Unpack APK:
  • Use Jadx-GUI (primary), apktool d (for resources/smali), dex2jar (legacy fallback).
  • Run MobSF automated static scan for a quick security posture overview.
  • Run Semgrep with android security rules for automated pattern detection.
  • Tools: jadx-gui, apktool, MobSF, Semgrep, APKiD.
• Verify APK Signing Scheme:
  • Check APK signing scheme version — v1 only is vulnerable to the Janus attack (CVE-2017-13156); apps should use v2 or v3.
  • Test anti-tampering: recompile with apktool, sign with a test key, install — if the app runs normally without complaint, tamper detection is absent or bypassable.

  # Check signing scheme
  apksigner verify --print-certs --verbose app.apk

  • Tools: apksigner, apktool.
• Analyze AndroidManifest.xml:
  • Check android:debuggable="true".
  • Check android:allowBackup="true".
  • Review permissions (<uses-permission>) — are they excessive or dangerous (e.g., BIND_ACCESSIBILITY_SERVICE, SYSTEM_ALERT_WINDOW)?
  • Identify exported components (Activities, Services, Receivers, Providers). On Android 12+ (API 31), android:exported is mandatory for components with intent-filters — flag any misconfigurations.
  • Check android:minSdkVersion — a low minimum SDK may expose users to older platform vulnerabilities.
  • Check network_security_config.xml — look for cleartextTrafficPermitted="true" or domain-specific overrides.
  • Identify deep link / App Link intent filters (android:scheme, android:host) and check for android:autoVerify="true".
  • Tools: Text Editor, Jadx-GUI, MobSF.
• Analyze Resources (res/) & Code:
  • Hardcoded Secrets: Search code & resources (strings.xml) for keys, passwords, tokens. Use keywords like "API_KEY", "SECRET", "password", "token", "Bearer".
  • Insecure Data Storage: Check for unencrypted storage in SharedPreferences, SQLite, files, logs.
  • Weak Crypto: Hardcoded keys, weak algorithms (DES, 3DES, MD5, SHA1), static IVs, ECB mode. Prefer AES-GCM or AES-CCM.
  • Insecure Comms: HTTP use, bad SSL/TLS handling, missing/bypassable certificate pinning.
  • Insecure WebView: JS enabled without care, bad addJavascriptInterface (all public methods exposed pre-API 17), bad URL loading, file:// URIs, setAllowUniversalAccessFromFileURLs.
  • Insecure IPC: Trusting Intent data without validation, sensitive broadcasts, provider issues (SQLi, Path Traversal).
  • Deep Link / App Link validation: Check that deep link parameters are validated and sanitized; look for open-redirect or arbitrary component access via unvalidated URI parameters.
  • Screenshot / Screen Recording prevention: Check that sensitive screens (e.g., login, payment) use FLAG_SECURE to prevent screenshots and appearance in the recent apps list.
  • Clipboard leakage: Check if sensitive fields (passwords, card numbers) allow clipboard copy — these should be disabled or use InputType.TYPE_TEXT_FLAG_NO_SUGGESTIONS.
  • Vulnerable Libraries: Check library versions against CVEs (e.g., libwebp CVE-2023-4863). Use MobSF or manual review of build.gradle.
  • Anti-Analysis: Note root detection, emulator detection, anti-debugging, Play Integrity / SafetyNet checks, and app integrity/tamper detection code.
  • Cross-platform bundles: For React Native, inspect the JS bundle (assets/index.android.bundle); for Flutter, analyze libapp.so with dedicated tools (e.g., reFlutter).
  • Tools: Jadx-GUI, MobSF, Semgrep, grep/rg, Manual Review.
• Analyze Native Libraries (lib/):
  • Check native code (.so) for hardcoded secrets, insecure functions (strcpy, sprintf), and known CVEs.
  • Tools: Ghidra, IDA Pro, strings, nm.

Phase 3: Dynamic Analysis (DAST)

• Setup Runtime & Bypass Controls:
  • Install app, configure proxy, install CA cert (for Android 7+ use Network Security Config or Magisk trust-user-certs module).
  • Start Frida server on device.
  • Bypass root detection (objection ... android root disable or custom Frida scripts).
  • Bypass SSL Pinning (objection ... android sslpinning disable). Verify traffic interception in Burp/ZAP.
  • Bypass Play Integrity / SafetyNet attestation if enforced (Frida hooks, MagiskIntegrityFix / integrity-faker). Note: SafetyNet is deprecated — apps should now use the Play Integrity API.
  • Tools: adb, Burp/ZAP, Frida, Objection, Magisk modules.
• Analyze Data Storage (Runtime):
  • Check SharedPreferences (run-as ... cat shared_prefs/...).
  • Check SQLite DBs (run-as ... cp ..., pull, view in SQLite Browser / run-as ... sqlite3 ...).
  • Check Internal/External Storage (run-as ... ls/cat files/..., browse /sdcard/...).
  • Check logs for sensitive data (adb logcat).
  • Check clipboard contents for sensitive data leakage after interacting with sensitive fields.
  • Verify app data is not accessible via adb backup (if allowBackup is true).
  • Tools: adb, SQLite Browser, File Explorer, Frida (hooking).
• Analyze IPC Endpoints (Runtime):
  • Activities: Launch via adb shell am start -n ..., fuzz extras (-e key val, --ez isAdmin true).
  • Services: Start/bind via adb shell am startservice/bindservice ..., fuzz extras.
  • Receivers: Send broadcasts via adb shell am broadcast -a ..., fuzz extras.
  • Providers: Use Drozer (run app.provider.info/query/update), test SQLi (--selection "' OR '1'='1"), Path Traversal (content://.../../../../../etc/hosts).
  • Deep Links / Custom Schemes: Enumerate all URL schemes from the manifest. Test each with malformed, malicious, and boundary-value URI parameters. Check for open redirect, arbitrary WebView URL load, and auth bypass via deep link.
  • Tools: adb, Drozer, Frida.
  • Payload Concepts: Fuzz intent extras (--ez isAdmin true), Provider SQLi (' UNION SELECT...), Provider Path (content://.../../../../../etc/hosts), Deep link open redirect (myapp://webview?url=https://evil.com).

  # Launch an exported activity with an extra
  adb shell am start -n com.victim.app/.SecretActivity -e user_id 1337
  
  # Trigger a deep link
  adb shell am start -a android.intent.action.VIEW \
    -d "myapp://reset?token=INJECT&redirect=https://evil.com" \
    com.victim.app

• Analyze WebView (Runtime):
  • Test for XSS if content is user-controllable.
  • Test JS Interface abuse (find via Frida/Objection, call via javascript:...).
  • Check URL loading logic (try file://, javascript: URIs, content:// URIs).
  • Check if setAllowUniversalAccessFromFileURLs or setAllowFileAccessFromFileURLs is enabled — allows cross-origin file reads.
  • Tools: Burp/ZAP, Frida/Objection.
  • Payload Concepts: XSS (<img src="x" onerror="alert('1337')">), JS Interface (javascript:AndroidInterface.stealData()).

  // Calling exposed Java method from WebView JS context
  javascript:prompt(AndroidBridge.getApiKey())
  
  // File read via setAllowUniversalAccessFromFileURLs
  // Load attacker page -> XHR to file:///data/data/com.victim.app/shared_prefs/creds.xml

• Tapjacking & Overlay Attacks:
  • Identify exported activities handling sensitive actions — check if they are vulnerable to tapjacking (a malicious overlay intercepts user taps).
  • Verify android:filterTouchesWhenObscured="true" is set on sensitive UI elements in layout files.
  • Note: Android 12+ (API 31/32) auto-blocks most tapjacking on overlays from untrusted sources, but devices with lower minSdkVersion may still be at risk.
  • Tools: Tapjacking-ExportedActivity PoC, manual PoC app.
• Runtime Manipulation & Memory Analysis:
  • Hook methods with Frida/Objection to inspect/modify behavior (bypass checks, alter return values).
  • Dump memory (Fridump) and search for secrets, keys, tokens in memory.
  • Tools: Frida, Objection, Fridump.

Phase 4: Network & Backend API Analysis ☁️

• Intercept & Analyze Traffic:
  • Proxy all traffic (handle pinning). Check for any plain HTTP usage.
  • Analyze TLS configuration (weak ciphers, outdated TLS versions, certificate validation issues).
  • Check for sensitive data leakage to third-party SDKs/analytics (ad networks, crash reporters, etc.).
  • Tools: Burp Suite, OWASP ZAP.
• Analyze API Endpoints (Apply OWASP API Security Top 10):
  • AuthN/AuthZ: Test login, session management, token expiry, BOLA/IDOR (change IDs), BFLA (access restricted functions).
  • Input Validation: Test for SQLi, NoSQLi, Command Injection, XXE, SSRF, XSS on all inputs.
  • Other Checks: Insecure Deserialization, Information Disclosure (verbose errors, stack traces), Rate Limiting, Mass Assignment.
  • Tools: Burp Suite (Repeater, Intruder, Scanner), ZAP, Postman, sqlmap, SecLists.
  • Payload Concepts: Standard web payloads adapted to mobile API context.

  # Testing for IDOR/BOLA
  GET /api/v1/users/123/profile HTTP/1.1  --> Change 123 to another user's ID
  Host: api.victim.com
  Authorization: Bearer <valid_token_for_user_123>
  ...

Phase 5: Reporting

• Document Findings:
  • Detail each vulnerability (Description, PoC, Impact).
  • Include evidence (screenshots, logs, traffic captures).
  • Assign severity (e.g., CVSS v3.1 or CVSS v4.0).
  • Map findings to MASVS / MASTG controls where applicable.
• Provide Remediation Recommendations.
• Structure Report: Executive Summary, Methodology, Findings, Conclusion.

Conclusion

This checklist provides a solid foundation. Remember to adapt your testing based on the specific application and stay updated with OWASP MAS resources (MASVS, MASTG, MASWE) and new techniques. The mobile threat landscape evolves quickly — particularly around Play Integrity bypass, overlay/accessibility abuse, and cross-platform framework-specific attack surfaces.