This checklist guides you through a structured Android application penetration test. Work through each section in order — fundamentals first, then static, then dynamic analysis.

Learn Android Fundamentals

Before testing, ensure you understand Android’s core concepts:
  • Basics — Android security model, sandboxing, UIDs, permissions
  • Dalvik & Smali — DEX bytecode, the human-readable Smali representation
  • Application Entry Points — the components through which other apps, the browser and the system can hand the app an Intent or data:
  • Activities (Launcher and exported)
  • URL Schemes / Deep Links
  • Content Providers
  • Services
  • Broadcast Receivers
  • Intents and Intent Filters
  • How to use ADB (Android Debug Bridge)
  • How to decompile, modify, and recompile Smali code
  • How to extract APKs from a device

Static Analysis Checklist

Static analysis examines the APK without running it. Always start here before dynamic testing.

General Checks

  • Check for obfuscation and anti-tampering / emulator-detection controls
  • Does the app detect a rooted device and respond to it (banking/financial apps in particular should)? Note how the check is implemented, since it will need bypassing during dynamic analysis
  • Search for interesting strings: passwords, URLs, API keys, encryption keys, Bluetooth UUIDs, hardcoded tokens, backdoor credentials
  • Pay special attention to Firebase URLs — check for unauthenticated access to Realtime Database endpoints (the REST API answers on the database URL with /.json appended)

Manifest (AndroidManifest.xml) Review

  • Is the app debuggable (android:debuggable="true")? If so, exploit it: run-as <package> gives a shell with the app's UID even on a non-rooted device, and jdb or Frida can attach to the process
  • Does the APK allow backups (android:allowBackup="true", which is also the default when the attribute is omitted)?
  • List all exported Activities — can they be invoked without authentication?
    • Unity Runtime: exported UnityPlayerActivity with a unity CLI extras bridge; test -xrsdk-pre-init-library <abs-path> for pre-init dlopen() RCE
  • List Content Providers — are any exported without a protecting android:permission?
  • List exposed Services and Broadcast Receivers
  • Check registered URL Schemes for input validation issues
  • Resolve android:exported correctly: on targetSdk 31+ (Android 12) every component with an intent-filter must declare it explicitly, while on older targets a component with an intent-filter is exported by default, so a missing attribute there is a finding rather than a safe default
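
The manifest checks above can be automated against a decoded manifest. The script below is an added example written for this checklist, not code from the page or from any tool it names: it applies the platform's exported rules (explicit attribute, intent-filter default below targetSdk 31, the provider default), flags components reachable without a permission, and prints the first adb command to throw at each. It assumes the manifest was already decoded to plain XML (for example with apktool); the sample manifest and package name com.example.demo are constructed.

```python
"""Enumerate the intent-reachable attack surface from a decoded AndroidManifest.xml.
Added example for this checklist (not code from the page or any project). It assumes the
manifest was decoded to plain XML (e.g. apktool d app.apk); the sample below is constructed."""
import xml.etree.ElementTree as ET

ANDROID = "http://schemas.android.com/apk/res/android"
COMPONENTS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed sample manifest mixing implicit and explicit android:exported settings.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.demo">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="30"/>
  <application android:debuggable="true">
    <activity android:name=".MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/></intent-filter>
    </activity>
    <activity android:name=".DeepLinkActivity">
      <intent-filter android:autoVerify="true"><action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="demo" android:host="open"/></intent-filter>
    </activity>
    <activity android:name=".AdminActivity" android:exported="true"/>
    <activity android:name=".InternalActivity" android:exported="false"/>
    <provider android:name=".NotesProvider" android:authorities="com.example.demo.notes" android:exported="true"/>
    <provider android:name=".GuardedProvider" android:authorities="com.example.demo.guarded"
              android:exported="true" android:permission="com.example.demo.READ_NOTES"/>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <service android:name=".SyncService"/>
  </application>
</manifest>"""

def attr(elem, name):
    return elem.get("{%s}%s" % (ANDROID, name))

def is_exported(comp, min_sdk, target_sdk):
    """Resolve android:exported the way the platform does when the attribute is omitted."""
    explicit = attr(comp, "exported")
    if explicit is not None:
        return explicit == "true"
    if comp.tag == "provider":  # documented default: exported unless minSdk and targetSdk are both >= 17
        return min_sdk < 17 or target_sdk < 17
    if target_sdk >= 31:  # API 31+: must be explicit when an intent-filter exists, otherwise the install fails
        return False
    return comp.find("intent-filter") is not None  # pre-31: an intent-filter implies exported

def adb_probe(pkg, c):
    """First adb command to try against a component during dynamic testing."""
    target = "%s/%s" % (pkg, c["name"])
    if c["kind"] in ("activity", "activity-alias"):
        if c["schemes"]:
            return 'adb shell am start -a android.intent.action.VIEW -d "%s://host/path"' % c["schemes"][0]
        return "adb shell am start -n " + target
    if c["kind"] == "service":
        return "adb shell am startservice -n " + target
    if c["kind"] == "receiver":
        action = c["actions"][0] if c["actions"] else "android.intent.action.MAIN"
        return "adb shell am broadcast -n %s -a %s" % (target, action)
    return "adb shell content query --uri content://" + c["authority"]

def attack_surface(xml_text):
    """Return package-level flags plus one entry per declared component."""
    root = ET.fromstring(xml_text)
    pkg, sdk, app = root.get("package"), root.find("uses-sdk"), root.find("application")
    min_sdk = int(attr(sdk, "minSdkVersion") or 1) if sdk is not None else 1
    target_sdk = int(attr(sdk, "targetSdkVersion") or min_sdk) if sdk is not None else min_sdk
    report = {"package": pkg, "target_sdk": target_sdk,
              "debuggable": attr(app, "debuggable") == "true",
              "allow_backup": attr(app, "allowBackup") != "false",  # platform default is true
              "components": []}
    for comp in app:
        if comp.tag not in COMPONENTS:
            continue
        name = attr(comp, "name")
        entry = {"kind": comp.tag, "name": pkg + name if name.startswith(".") else name,
                 "exported": is_exported(comp, min_sdk, target_sdk), "permission": attr(comp, "permission"),
                 "actions": [attr(x, "name") for x in comp.iter("action")],
                 "schemes": sorted({attr(d, "scheme") for d in comp.iter("data") if attr(d, "scheme")}),
                 "authority": (attr(comp, "authorities") or "").split(";")[0]}
        entry["open"] = entry["exported"] and entry["permission"] is None  # any app on the device can reach it
        entry["probe"] = adb_probe(pkg, entry)
        report["components"].append(entry)
    return report

if __name__ == "__main__":
    r = attack_surface(SAMPLE_MANIFEST)
    print("debuggable=%s allowBackup=%s targetSdk=%d" % (r["debuggable"], r["allow_backup"], r["target_sdk"]))
    for c in r["components"]:
        if c["exported"]:
            print("OPEN" if c["open"] else "PERM", c["kind"], c["name"], "->", c["probe"])
```

Re-run it with the targetSdk bumped to 31 and BootReceiver drops out of the exported list: the same manifest is reachable on one target level and not on another, which is why the check must read uses-sdk rather than just grep for intent-filters.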

Network & Transport Security

  • Review the Network Security Config (the XML file referenced by android:networkSecurityConfig) for cleartextTrafficPermitted="true", trust-anchors that include user-installed CAs, expired or single-pin pin-sets, debug-overrides, and domain-specific overrides
  • Check for calls to Play Integrity or the deprecated SafetyNet Attestation API — can the attestation check be hooked or its verdict spoofed?
  • Inspect App Links / Deep Links (android:autoVerify) for intent-redirection or open-redirect issues
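
The Network Security Config review can be scripted as well. This is an added example for the checklist, not code from the page or any project: it parses a decoded config and reports the settings a tester cares about (explicit cleartext, the below-28 cleartext default, trusted user CAs, pins that are not 32-byte hashes, a lone pin with no backup, an expired pin-set, and debug-overrides that only bite when the app is debuggable). The sample config is constructed and the pin in it is a placeholder, not a real SPKI hash.

```python
"""Audit a decoded Network Security Config for settings that weaken transport security.
Added example for this checklist (not code from the page or any project). It assumes the
config was decoded from res/xml/; the sample config is constructed and the pin is a placeholder."""
import base64
import datetime as dt
import xml.etree.ElementTree as ET

PLACEHOLDER_PIN = base64.b64encode(b"A" * 32).decode()  # right length, not a real certificate hash

SAMPLE_NSC = """<network-security-config>
  <base-config cleartextTrafficPermitted="true">
    <trust-anchors>
      <certificates src="system"/>
      <certificates src="user"/>
    </trust-anchors>
  </base-config>
  <domain-config cleartextTrafficPermitted="false">
    <domain includeSubdomains="true">api.example.com</domain>
    <pin-set expiration="2024-01-01">
      <pin digest="SHA-256">%s</pin>
    </pin-set>
  </domain-config>
  <debug-overrides>
    <trust-anchors><certificates src="user"/></trust-anchors>
  </debug-overrides>
</network-security-config>""" % PLACEHOLDER_PIN


def check_nsc(xml_text, debuggable=False, target_sdk=28, today=None):
    """Return (severity, scope, message) findings; `today` may be an ISO date string."""
    today = dt.date.fromisoformat(today) if isinstance(today, str) else (today or dt.date.today())
    root = ET.fromstring(xml_text)
    findings = []
    base = root.find("base-config")
    if (base is None or base.get("cleartextTrafficPermitted") is None) and target_sdk < 28:
        # Android 9 flipped the default; older targets allow http:// unless the config says otherwise.
        findings.append(("MED", "base-config", "no explicit cleartext setting: permitted by default below targetSdk 28"))
    for cfg in root.findall("base-config") + root.findall("domain-config"):
        scope = cfg.tag if cfg.tag == "base-config" else "domain-config " + ",".join(
            d.text.strip() for d in cfg.findall("domain"))
        if cfg.get("cleartextTrafficPermitted") == "true":
            findings.append(("HIGH", scope, "cleartext (http://) traffic explicitly permitted"))
        if any(c.get("src") == "user" for c in cfg.iter("certificates")):
            findings.append(("HIGH", scope, "user-installed CAs trusted: a Burp CA added in Settings is enough to MITM"))
        for pinset in cfg.findall("pin-set"):
            pins = [p.text.strip() for p in pinset.findall("pin")]
            for p in pins:
                if len(base64.b64decode(p)) != 32:
                    findings.append(("MED", scope, "pin is not a 32-byte SHA-256 SPKI hash: " + p))
            if len(pins) < 2:
                findings.append(("LOW", scope, "single pin with no backup pin: key rotation will break the app"))
            exp = pinset.get("expiration")
            if exp and dt.date.fromisoformat(exp) < today:
                # The platform stops enforcing the pin-set after its expiration date.
                findings.append(("HIGH", scope, "pin-set expired on %s: pins are no longer enforced" % exp))
    if root.find("debug-overrides") is not None:
        findings.append(("HIGH" if debuggable else "INFO", "debug-overrides",
                         'debug-overrides present; only honoured while android:debuggable="true"'))
    return findings


if __name__ == "__main__":
    for sev, scope, msg in check_nsc(SAMPLE_NSC, debuggable=True):
        print("[%s] %s: %s" % (sev, scope, msg))
```

Pass the debuggable flag from the manifest review: the same debug-overrides block is informational in a release build and a full MITM path in a debuggable one.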

Code Review

  • Identify WebView configurations that may lead to RCE/XSS: addJavascriptInterface (below API 17 every public method of the bridged object is reachable via reflection, which is RCE; on 17+ only @JavascriptInterface methods are exposed, so review what they do), setJavaScriptEnabled, setAllowFileAccess / setAllowUniversalAccessFromFileURLs, and loadUrl / loadData*() fed with attacker-controlled content
  • Analyse cross-platform bundles (Flutter libapp.so, React Native JS bundles, Capacitor/Ionic assets); tools for cross-platform bundle analysis: flutter-packer, fluttersign, rn-differ
  • Scan third-party native libraries for known CVEs (e.g., libwebp CVE-2023-4863, libpng)
  • Run automated scanners: MobSF ≥ 3.9, Semgrep Mobile rules, Pithus
  • Check that all native libraries are compiled with the PIE flag (and note missing stack canaries, NX or RELRO while you are there)
  • Check OEM ROM add-ons (OxygenOS / ColorOS / MIUI / OneUI) for extra exported ContentProviders that bypass permissions

Crypto & Key Management

  • Are passwords or secrets hardcoded in source?
  • Is the app using deprecated/insecure algorithms (RC4, DES, MD4, MD5, SHA1) or ECB mode?
  • Is SSL pinning implemented? Statically search for pinning code (OkHttp CertificatePinner, TrustKit, a custom X509TrustManager or HostnameVerifier, <pin-set> in the Network Security Config); Retrofit itself does not pin, the OkHttp client behind it does. Use Objection or Frida scripts to bypass at runtime.
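
The string search from the general checks, the Firebase URL check and the crypto and pinning greps above are all one pass over the decompiled tree. The scanner below is an added example written for this checklist, not code from the page or any tool it mentions; it runs the usual patterns over jadx-style sources, derives the Firebase REST probe URL from any Realtime Database host it finds, and separately spots a checkServerTrusted with an empty body (a trust-all manager). The sample files are constructed and every key, URL and password in them is fake.

```python
"""One-pass scan of decompiled sources for secrets, Firebase endpoints, weak crypto and pinning code.
Added example for this checklist, not code from the page or any tool it names. The sample
tree below is constructed and every key, URL and password in it is fake."""
import re

PATTERNS = {  # category: (severity, regex)
    "aws_access_key":   ("HIGH", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    "google_api_key":   ("MED",  re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b")),
    "firebase_db":      ("MED",  re.compile(r"https://[a-z0-9-]+\.(?:firebaseio\.com|firebasedatabase\.app)")),
    "jwt":              ("HIGH", re.compile(r"\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}")),
    "hardcoded_secret": ("HIGH", re.compile(r'(?i)(?:password|passwd|secret|api_?key|token)\s*[=:]\s*"[^"]{6,}"')),
    "weak_hash":        ("MED",  re.compile(r'MessageDigest\.getInstance\(\s*"(?:MD[245]|SHA-?1)"')),
    "weak_cipher":      ("HIGH", re.compile(r'Cipher\.getInstance\(\s*"(?:RC4|ARCFOUR|DES|DESede)(?:/[^"]*)?"')),
    "ecb_mode":         ("HIGH", re.compile(r'Cipher\.getInstance\(\s*"[^"]*/ECB/')),
    "ssl_pinning":      ("INFO", re.compile(r"CertificatePinner|TrustKit|X509TrustManager|checkServerTrusted")),
    "bluetooth_uuid":   ("INFO", re.compile(r'UUID\.fromString\(\s*"[0-9a-fA-F-]{36}"')),
}

# Constructed sample tree: what jadx might emit for a careless app. Keys are padded with 'A's.
SAMPLE_TREE = {
    "com/example/demo/Config.java": "\n".join([
        "public final class Config {",
        '    static final String DB = "https://demo-app-12345.firebaseio.com";',
        '    static final String AWS_KEY = "AKIA' + "A" * 16 + '";',
        '    static final String API_KEY = "AIza' + "A" * 35 + '";',
        '    static final String password = "changeme123";',
        "}"]),
    "com/example/demo/Crypto.java": "\n".join([
        "class Crypto {",
        '    Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");',
        '    MessageDigest md = MessageDigest.getInstance("MD5");',
        '    Cipher legacy = Cipher.getInstance("RC4");',
        "}"]),
    "com/example/demo/net/Pinning.java": "\n".join([
        "class Pinning implements X509TrustManager {",
        "    public void checkServerTrusted(X509Certificate[] c, String a) { }",
        "}"]),
}


def scan_tree(tree):
    """tree: {path: source text}. Returns findings sorted by severity, path, line."""
    order = {"HIGH": 0, "MED": 1, "INFO": 2}
    findings = []
    for path, text in tree.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for cat, (sev, rx) in PATTERNS.items():
                for m in rx.finditer(line):
                    findings.append({"severity": sev, "category": cat, "path": path,
                                     "line": lineno, "match": m.group(0)})
    return sorted(findings, key=lambda f: (order[f["severity"]], f["path"], f["line"]))


def firebase_probe_urls(findings):
    """Realtime Database REST endpoints to request unauthenticated (the /.json form)."""
    return sorted({f["match"].rstrip("/") + "/.json" for f in findings if f["category"] == "firebase_db"})


def empty_trust_manager(tree):
    """Files whose checkServerTrusted has an empty body, i.e. accepts any certificate."""
    rx = re.compile(r"checkServerTrusted\s*\([^)]*\)\s*(?:throws[^{]*)?\{\s*\}")
    return sorted(p for p, t in tree.items() if rx.search(t))


if __name__ == "__main__":
    fs = scan_tree(SAMPLE_TREE)
    for f in fs:
        print("[%s] %-17s %s:%d  %s" % (f["severity"], f["category"], f["path"], f["line"], f["match"]))
    print("Firebase probes:", firebase_probe_urls(fs))
    print("Trust-all managers:", empty_trust_manager(SAMPLE_TREE))
```

Point it at the jadx output directory by building the tree from os.walk; the Smali from apktool works too, since the string literals and class names survive either way. Expect noise from the generic secret pattern and triage it by hand.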

Dynamic Analysis Checklist

A rooted device or rooted emulator is strongly recommended for dynamic analysis. Tools like Magisk/Zygisk on Pixel devices provide the best experience.

Environment Setup

  • Prepare environment: rooted device/emulator, Burp CA cert installed, Drozer, Frida
  • For online testing: use Appetize.io for APK execution with ADB access
  • For local emulators: Android Studio AVD (x86 with ARM library support) or Genymotion
  • Magisk/Zygisk quick notes:
    • Patch boot.img with the Magisk app and flash it via fastboot
    • Enable Zygisk + DenyList for root hiding
    • Use scrcpy for screen mirroring

Data Leakage

  • Check for unintended data leakage in logs — use pidcat or adb logcat
  • Check Copy/Paste buffer — does the app allow copying sensitive data to clipboard?
  • Check crash logs — do they expose sensitive information?
  • Check SQLite databases at /data/data/<package>/databases/ for plaintext sensitive data
  • Verify that adb backup / bmgr backupnow cannot dump app data (for apps targeting API 31+ adb backup excludes app data by default, so check the target SDK before relying on the result)
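
The log and crash-log checks above come down to reading a lot of logcat, so a filter helps. The script below is an added example for this checklist, not code from the page or from pidcat: it parses logcat's default threadtime format, keeps only the app's PID the way pidcat does, and flags JWTs, bearer tokens, credential assignments, e-mail addresses and card numbers, using a Luhn check so that record IDs and timestamps do not show up as cards. The sample lines and every value in them are constructed.

```python
"""Scan logcat output for data an app should never log: tokens, credentials, PII, card numbers.
Added example for this checklist (not code from the page or from pidcat). Assumes the default
`adb logcat -v threadtime` format; the sample lines below are constructed and every value is fake."""
import re

# threadtime format: "MM-DD HH:MM:SS.mmm  PID  TID LEVEL TAG     : message"
LINE_RX = re.compile(r"^(\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+(\d+)\s+(\d+)\s+([VDIWEF])\s+(.*?)\s*:\s(.*)$")

SENSITIVE = {
    "jwt":          re.compile(r"\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}"),
    "bearer_token": re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._~+/=-]{16,}"),
    "credential":   re.compile(r"(?i)\b(?:password|passwd|pin|otp)\s*[=:]\s*\S+"),
    "email":        re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "card_number":  re.compile(r"\b(?:\d[ -]?){13,19}\b"),
}


def luhn_ok(digits):
    """Luhn checksum; keeps 16-digit IDs and timestamps out of the card findings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan_logcat(text, pid=None):
    """Return findings for lines from `pid` (all processes when None)."""
    findings = []
    for raw in text.splitlines():
        m = LINE_RX.match(raw)
        if not m:
            continue
        ts, line_pid, _tid, level, tag, msg = m.groups()
        if pid is not None and int(line_pid) != pid:
            continue
        for kind, rx in SENSITIVE.items():
            for hit in rx.finditer(msg):
                value = hit.group(0)
                if kind == "card_number":
                    digits = re.sub(r"\D", "", value)
                    if not luhn_ok(digits):
                        continue
                    value = digits[:6] + "*" * (len(digits) - 10) + digits[-4:]  # do not re-leak it in the report
                findings.append({"time": ts, "pid": int(line_pid), "level": level,
                                 "tag": tag, "kind": kind, "value": value})
    return findings


# Constructed sample: the target app at PID 4242 plus an unrelated process at 1001.
SAMPLE_LOGCAT = "\n".join([
    "06-01 12:00:01.100  4242  4242 D LoginActivity: POST /login password=hunter22 user=alice@example.com",
    "06-01 12:00:01.250  4242  4301 I OkHttp  : Authorization: Bearer "
    "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2lnbmF0dXJlX3BsYWNlaG9sZGVy",
    "06-01 12:00:02.000  4242  4242 V Checkout: charging card 4111 1111 1111 1111 exp 12/29",
    "06-01 12:00:02.010  4242  4242 D Sync    : record id 1234567890123456 updated",
    "06-01 12:00:03.000  1001  1001 W OtherApp: token=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJib2IifQ.b3RoZXJfYXBwX3NpZ25hdHVyZQ",
])

if __name__ == "__main__":
    for f in scan_logcat(SAMPLE_LOGCAT, pid=4242):
        print("%s %s/%s %-12s %s" % (f["time"], f["level"], f["tag"], f["kind"], f["value"]))
```

Feed it `adb logcat -v threadtime -d` and the PID from `adb shell pidof <package>`; the 16-digit record id on the Sync line is deliberately Luhn-invalid and is dropped, while the test card number is masked before it is reported.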

Component Exploitation

  • Test exported Activities for authorization bypass:
    adb shell am start -n com.example.demo/com.example.test.MainActivity
    
  • Test Content Providers for SQL injection and path traversal
  • Test exported Services for information disclosure or privilege escalation
  • Test Broadcast Receivers for manipulation
  • Test deep links / URL schemes:
    adb shell am start -a android.intent.action.VIEW -d "scheme://hostname/path?param=value"
    

Traffic Interception

  • Intercept HTTP/HTTPS traffic with Burp Suite
  • Test for MitM susceptibility — weak cipher suites, improper certificate validation
  • Bypass SSL Pinning using:
    • Objection: objection --gadget com.package.app explore --startup-command "android sslpinning disable"
    • Frida scripts / apk-mitm
    • MobSF dynamic analysis
  • Test for Tapjacking / TapTrap animation-based attacks (works on Android 15+, no overlay permission needed)
  • Test overlay / SYSTEM_ALERT_WINDOW clickjacking and Accessibility Service abuse

Frida Instrumentation

  • Use Frida to hook methods, extract runtime values, and bypass checks:
    frida-ps -Uai
    frida -U -f com.example.app -l bypass.js
    (Frida 16+ resumes the spawned process automatically and takes --pause to keep it suspended; the --no-pause flag belongs to older releases.)
    
  • Dump memory with Fridump3 (the dump files land in ./dump by default):
    python3 fridump3.py -u "<AppName>"
    strings dump/* | grep -E "^[a-z]+ [a-z]+ [a-z]+"
    
  • Bypass fingerprint/biometric authentication:
    frida --codeshare krapgras/android-biometric-bypass-update-android-11 -U -f <app.package>
    
  • Instrument with modern tooling: Objection > 2.0, Frida 17+ (Android 16 support)
  • For Play Integrity bypass, try: Frida Gadget, MagiskIntegrityFix, ZygiskNext + PIF combinations

Binder / LPE Testing

  • Probe for Binder-level LPEs (CVE-2023-20963, CVE-2023-20928) if scope permits
  • For OEM telephony bugs (e.g., OxygenOS CVE-2025-10184): attempt permission-less SMS read/send via content CLI or ContentResolver

Obfuscation & Deobfuscation

ProGuard

Open-source tool that shrinks, optimizes, and obfuscates Java bytecode. It shipped with the Android SDK and ran during release builds; since Android Gradle Plugin 3.4 the default shrinker is R8, which consumes the same ProGuard rules files and produces the same kind of renamed classes (a, b, c). Either way, obfuscated code has to be navigated by behaviour (strings, API calls, control flow) rather than by name.

DexGuard

Commercial obfuscator with stronger protections. Step-by-step deobfuscation guide available at blog.lexfo.fr/dexguard.html.
