Comprehensive Android App Pentesting Checklist 🔥

By Het Mehta | Published: 2025-04-04 | Last Updated: 5/7/2025

Introduction

This checklist provides a structured approach to Android application penetration testing, covering key phases from reconnaissance to detailed analysis. It heavily references the essential MASVS (Mobile Application Security Verification Standard) and MASTG (Mobile Security Testing Guide).

• MASVS (Mobile Application Security Verification Standard)
• MASTG (Mobile Security Testing Guide)

🧪 Testing Environment Setup

Ensure you have the necessary tools and environment:

• Device/Emulator: Rooted physical device or Emulator (Android Studio, Genymotion).
• Proxy: Burp Suite Pro or OWASP ZAP.
• Instrumentation: Frida & Objection (`pip install frida-tools objection`).
• ADB: Android Debug Bridge (SDK Platform Tools).
• Decompilers: Jadx-GUI, apktool, dex2jar.
• Analysis Tools: MobSF, Drozer, Ghidra/IDA Pro (optional).
• Utilities: Root File Explorer, SQLite Browser.

Phase 1: Information Gathering & Reconnaissance

• Identify Application Details:
  • Obtain APK.
  • Note app name, version, developer, store description.
  • Identify backend tech/APIs (initial scan).
  • Tools: App Stores, `adb`, `apktool`.
• Map Attack Surface:
  • Identify entry points (UI, Intents, Deep Links, APIs, Files).
  • Identify backend servers/endpoints.
  • Tools: Manual Exploration, Burp/ZAP, MobSF.

Phase 2: Static Analysis (SAST) 🔬

• Decompile/Unpack APK:
  • Use Jadx-GUI (primary), `apktool d`, `dex2jar`.
  • Tools: `jadx-gui`, `apktool`, `dex2jar`.
• Analyze AndroidManifest.xml:
  • Check android:debuggable="true".
  • Check android:allowBackup="true".
  • Review permissions (<uses-permission>) - Are they excessive?
  • Identify exported components (Activities, Services, Receivers, Providers).
  • Check network_security_config.xml.
  • Tools: Text Editor, Jadx-GUI, MobSF.
• Analyze Resources (res/) & Code:
  • Hardcoded Secrets: Search code & resources (`strings.xml`) for keys, passwords, tokens. Use keywords like "API_KEY", "SECRET".
  • Insecure Data Storage: Check for unencrypted storage in SharedPreferences, SQLite, files, logs.
  • Weak Crypto: Hardcoded keys, weak algorithms (DES, MD5), static IVs, ECB mode.
  • Insecure Comms: HTTP use, bad SSL/TLS handling, missing/bypassable pinning.
  • Insecure WebView: JS enabled without care, bad addJavascriptInterface, bad URL loading, file:// URIs.
  • Insecure IPC: Trusting Intent data, sensitive broadcasts, provider issues (SQLi, Path Traversal).
  • Vulnerable Libraries: Check library versions against CVEs.
  • Anti-Analysis: Note root detection, anti-debugging code.
  • Tools: Jadx-GUI, MobSF, `grep`/`rg`, Manual Review.
• Analyze Native Libraries (lib/):
  • Check native code (.so) for secrets/flaws.
  • Tools: Ghidra, IDA Pro, `strings`.

Phase 3: Dynamic Analysis (DAST) 🏃

• Setup Runtime & Bypass Controls:
  • Install app, configure proxy, install CA cert.
  • Start Frida server.
  • Bypass root detection (`objection ... android root disable`).
  • Bypass SSL Pinning (`objection ... android sslpinning disable`). Verify traffic interception.
  • Tools: `adb`, Burp/ZAP, Frida, Objection.
• Analyze Data Storage (Runtime):
  • Check SharedPreferences (`run-as ... cat shared_prefs/...`).
  • Check SQLite DBs (`run-as ... cp ...`, pull, view / `run-as ... sqlite3 ...`).
  • Check Internal/External Storage (`run-as ... ls/cat files/...`, browse `/sdcard/...`).
  • Check logs for sensitive data (`adb logcat`).
  • Tools: `adb`, SQLite Browser, File Explorer, Frida (hooking).
• Analyze IPC Endpoints (Runtime):
  • Activities: Launch via `adb shell am start -n ...`, fuzz extras (`-e key val`).
  • Services: Start/bind via `adb shell am startservice/bindservice ...`, fuzz extras.
  • Receivers: Send broadcasts via `adb shell am broadcast -a ...`, fuzz extras.
  • Providers: Use Drozer (`run app.provider.info/query/update`), test SQLi (`--selection "' OR '1'='1"`), Path Traversal.
  • Tools: `adb`, Drozer, Frida.
  • Payload Concepts: Fuzz intent extras (`--ez isAdmin true`), Provider SQLi (`' UNION SELECT...`), Provider Path (`content://.../../../../../etc/hosts`).

  # Example: Launching an exported activity with an extra
  adb shell am start -n com.victim.app/.SecretActivity -e user_id 1337

• Analyze WebView (Runtime):
  • Test for XSS if content is controllable.
  • Test JS Interface abuse (find via Frida/Objection, call via `javascript:...`).
  • Check URL loading logic (try `file://`, `javascript:` URIs).
  • Tools: Burp/ZAP, Frida/Objection.
  • Payload Concepts: XSS (<img src="x" onerror="alert('1337')">), JS Interface (javascript:AndroidInterface.stealData()).

  // Example: Calling exposed Java method from WebView JS context
  javascript:prompt(AndroidBridge.getApiKey())

• Runtime Manipulation & Memory Analysis:
  • Hook methods with Frida/Objection to inspect/modify behavior (bypass checks).
  • Dump memory (`Fridump`) and search for secrets.
  • Tools: Frida, Objection, Fridump.

Phase 4: Network & Backend API Analysis ☁️

• Intercept & Analyze Traffic:
  • Proxy all traffic (handle pinning). Check for HTTP.
  • Analyze TLS configuration (weak ciphers, cert issues).
  • Tools: Burp Suite, OWASP ZAP.
• Analyze API Endpoints (Apply OWASP API Security Top 10):
  • AuthN/AuthZ: Test login, session management, BOLA/IDOR (change IDs), BFLA (access restricted functions).
  • Input Validation: Test for SQLi, NoSQLi, Command Injection, XXE, SSRF, XSS on all inputs.
  • Other Checks: Insecure Deserialization, Information Disclosure, Rate Limiting, Mass Assignment.
  • Tools: Burp Suite (Repeater, Intruder, Scanner), ZAP, Postman, `sqlmap`, SecLists.
  • Payload Concepts: Standard web payloads adapted to API context.

  # Example: Testing for IDOR/BOLA
  GET /api/v1/users/123/profile HTTP/1.1  --> Change 123 to another user's ID
  Host: api.victim.com
  Authorization: Bearer 
  ...

Phase 5: Reporting 📝

• Document Findings:
  • Detail each vulnerability (Description, PoC, Impact).
  • Include evidence (screenshots, logs).
  • Assign severity (e.g., CVSS).
• Provide Remediation Recommendations.
• Structure Report: Executive Summary, Methodology, Findings, Conclusion.

Conclusion

This checklist provides a solid foundation. Remember to adapt your testing based on the specific application and stay updated with OWASP resources and new techniques.