Android Pentesting

Mobile Testing

Android testing combines static review, dynamic instrumentation, traffic analysis, local storage inspection, and platform control validation. Use a dedicated lab device or emulator, test accounts, and a signed scope before handling client application data.

Use a Dedicated Lab Device

Do not test client applications from a personal phone. Use a resettable emulator or enrolled test device, isolate proxy certificates and tooling, and avoid capturing production user data unless the RoE explicitly authorizes it.

Assessment Flow

Static Review

  • Manifest permissions, exported components, deep links, backup flags.
  • Hardcoded secrets, API URLs, keys, debug code, and environment toggles.
  • Cryptography, certificate pinning configuration, and storage APIs.
  • Third-party SDKs and dependency risk.

Dynamic Review

  • Authenticated workflows through an intercepting proxy.
  • Runtime control behavior on rooted and non-rooted test profiles.
  • Local storage changes before and after sensitive actions.
  • Session timeout, token refresh, and offline behavior.

APK Collection and Static Analysis

android-static-analysis.sh

```bash
# Identify and pull an APK from a test device; hash the evidence copy on arrival
mkdir -p ./evidence ./work
adb shell pm list packages | grep target
adb shell pm path com.example.target
adb pull /data/app/<PACKAGE_PATH>/base.apk ./evidence/base.apk
sha256sum ./evidence/base.apk > ./evidence/base.apk.sha256

# Decode resources and inspect source-like output
apktool d ./evidence/base.apk -o ./work/app_decoded
jadx -d ./work/app_source ./evidence/base.apk

# Common static checks (manifest flags, then case-insensitive secret patterns)
rg -n "android:exported|allowBackup|debuggable|usesCleartextTraffic" ./work/app_decoded
rg -n -i "api[_-]?key|secret|token|password|client[_-]?secret|http://" ./work/app_source
```
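The rg pattern above only locates the manifest flags; deciding which hits matter still needs the surrounding element. The following is an added example, not code from the original page or from any tool it lists: it reads the AndroidManifest.xml that apktool decodes and reports debuggable, cleartext and backup settings plus components that are exported (explicitly, or implicitly via an intent-filter) without an android:permission. The sample manifest embedded below is constructed for the example and belongs to no real app.

```python
# Flag the AndroidManifest.xml settings named in the static checks above,
# reading the manifest text that apktool's decode step produces.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENTS = ("activity", "activity-alias", "service", "receiver", "provider")

def _attr(elem, name):
    """Read an android:* attribute; None when absent."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")

def review_manifest(xml_text):
    """Return (check, detail) tuples for the risky settings found."""
    app = ET.fromstring(xml_text).find("application")
    if app is None:
        return []
    findings = []
    for flag in ("debuggable", "usesCleartextTraffic"):
        if _attr(app, flag) == "true":
            findings.append((flag, f'{flag}="true" on <application>'))
    backup = _attr(app, "allowBackup")
    if backup != "false":
        findings.append(("allowBackup", f"not explicitly false (value: {backup})"))
    # A component is reachable from other apps when android:exported="true",
    # or when it has an intent-filter and no exported attribute (implicit
    # export on older targetSdk levels). Flag those lacking a permission.
    for comp in app:
        if comp.tag not in COMPONENTS:
            continue
        exported = _attr(comp, "exported")
        implicit = exported is None and comp.find("intent-filter") is not None
        if (exported == "true" or implicit) and _attr(comp, "permission") is None:
            name = _attr(comp, "name")
            findings.append(("exported", f"{comp.tag} {name} exported without android:permission"))
    return findings

# Constructed sample manifest (not from any real app) that trips each check.
SAMPLE_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.target">
  <application android:allowBackup="true" android:debuggable="true">
    <activity android:name=".DeepLinkActivity" android:exported="true">
      <intent-filter><action android:name="android.intent.action.VIEW"/></intent-filter>
    </activity>
    <receiver android:name=".SyncReceiver">
      <intent-filter><action android:name="com.example.SYNC"/></intent-filter>
    </receiver>
    <service android:name=".AdminService" android:exported="true"
             android:permission="com.example.permission.ADMIN"/>
  </application>
</manifest>"""
```

Run `review_manifest(open("./work/app_decoded/AndroidManifest.xml").read())` against a decoded app; the permission-protected AdminService in the sample is deliberately not reported, while the receiver with only an intent-filter is.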

Dynamic Testing Checkpoints

| Area | What to Validate | Evidence |
|---|---|---|
| Transport | TLS, certificate validation, proxy behavior, no cleartext fallback. | Proxy history, network security config, screenshots. |
| Authentication | Token lifetime, logout invalidation, MFA/step-up behavior. | Request IDs, token metadata, server responses. |
| Local Storage | Secrets in SharedPreferences, SQLite, files, logs, clipboard, backups. | Redacted file paths, hashes, sanitized snippets. |
| Runtime Controls | Root/debug/instrumentation detection and fail-safe behavior. | Control matrix and user-visible behavior. |

Evidence Notes Template

android-evidence-note.yaml

```yaml
finding_area: local-storage
app_id: com.example.target
app_version: 4.2.1
test_account: mobile-test-user-01
device_profile: android-14-emulator-rooted
artifact:
  type: sqlite-database
  path: /data/data/com.example.target/databases/session.db
  hash_sha256: <SHA256>
observation: access token persisted after logout
risk: token replay if device backup or local compromise occurs
recommended_fix: clear tokens on logout, store secrets in Android Keystore, enforce server-side token revocation
retest: repeat logout flow and confirm token is removed and rejected by API
```

Android Tools

MobSF

Analysis

Automated mobile static and dynamic analysis platform for Android and iOS.

Installation

```bash
docker run -it --rm -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest
```

apktool

Reverse Engineering

Decode Android resources and rebuild test APKs in lab environments.

Installation

```bash
brew install apktool
```

jadx

Decompiler

Decompiler that turns Dex bytecode into Java-like source (including for Kotlin-built apps) for source review.

Installation

```bash
brew install jadx
```

Frida

Instrumentation

Dynamic instrumentation toolkit for authorized runtime testing.

Installation

```bash
pip install frida-tools
```