Android applications are widely used across banking, healthcare, e-commerce, government services, fintech, social media, and enterprise platforms. Because Android apps process sensitive user data such as authentication tokens, personal information, payment details, and business data, mobile application security testing has become a critical part of modern cybersecurity assessments.
An Android VAPT (Vulnerability Assessment and Penetration Testing) helps identify security weaknesses in Android applications before attackers exploit them. A proper Android security assessment includes both static analysis and dynamic analysis to evaluate how securely the application handles data, communication, authentication, storage, APIs, and runtime protections.
In this guide, we will cover a practical Android VAPT checklist that can help security researchers, penetration testers, bug bounty hunters, and cybersecurity students perform structured Android application security testing.
What is Android VAPT?
Android VAPT is the process of assessing an Android application for vulnerabilities, insecure configurations, coding flaws, weak encryption, exposed secrets, authentication bypasses, insecure APIs, and runtime security weaknesses.
The objective is to identify:
- Sensitive data exposure
- Insecure local storage
- API vulnerabilities
- Authentication flaws
- Hardcoded secrets
- Weak encryption
- Root detection bypasses
- SSL pinning weaknesses
- Reverse engineering risks
- Business logic issues
Android security testing usually includes:
- Static Analysis
- Dynamic Analysis
- API Testing
- Backend Validation
- Runtime Manipulation
- Reverse Engineering
Android VAPT Methodology
A standard Android penetration testing process generally follows these phases:
- Application Information Gathering
- APK Extraction and Decompilation
- Static Analysis
- Dynamic Analysis
- API Security Testing
- Runtime Security Validation
- Authentication and Session Testing
- Data Storage Testing
- Network Traffic Analysis
- Reporting and Remediation
Android Static Analysis Checklist
Static analysis focuses on analyzing the APK without running the application.
This phase helps identify:
- Hardcoded secrets
- Insecure permissions
- Exposed activities
- Weak configurations
- Sensitive strings
- Source code weaknesses
1. APK Information Gathering
Before testing, collect:
- Package name
- Version details
- Target SDK
- Minimum SDK
- Permissions
- Exported components
Useful Tools:
- APKTool
- jadx
- MobSF
- aapt
Example:
aapt dump badging app.apkCheck for:
- Dangerous permissions
- Debuggable mode
- Backup enabled
- Cleartext traffic allowed
2. AndroidManifest.xml Review
The AndroidManifest.xml file is one of the most important files during Android VAPT.
Review for:
- Exported activities
- Exported services
- Exported broadcast receivers
- Exported content providers
- Backup configurations
- Debug flags
- Intent filters
Common Misconfigurations:
android:debuggable="true"android:allowBackup="true"- Exported activities without protection
Example Risk:
<application android:allowBackup="true">This may allow attackers to extract application data through ADB backup.
3. Permission Analysis
Review all requested permissions carefully.
Dangerous permissions include:
- READ_SMS
- READ_CONTACTS
- RECORD_AUDIO
- ACCESS_FINE_LOCATION
- CAMERA
- READ_EXTERNAL_STORAGE
Check whether permissions are actually required for business functionality.
Excessive permissions increase attack surface.
4. Hardcoded Secrets and API Keys
One of the most common Android security issues is hardcoded sensitive information.
Check for:
- API keys
- Access tokens
- JWT secrets
- Firebase keys
- AWS credentials
- Encryption keys
- URLs and endpoints
Useful Commands:
strings app.apkUsing jadx:
jadx-gui app.apkCommon Findings:
- Firebase configurations
- Internal API URLs
- Third-party secrets
- Test credentials
5. Shared Preferences Analysis
Applications often store sensitive data insecurely in SharedPreferences.
Check for:
- Plaintext passwords
- Session tokens
- User information
- API tokens
Location:
/data/data/package_name/shared_prefs/Sensitive data should never be stored in plaintext.
6. SQLite Database Review
Android apps frequently use SQLite databases.
Check for:
- Stored credentials
- PII data
- Cached tokens
- Business-sensitive data
Database Location:
/data/data/package_name/databases/Improperly secured databases can lead to data exposure.
7. Source Code Review
During decompilation, review:
- Authentication logic
- Root detection
- SSL pinning implementation
- API requests
- WebView configurations
- Encryption methods
Check for:
- Weak cryptography
- Deprecated algorithms
- Hardcoded logic
- Hidden admin functions
8. WebView Security Testing
Improper WebView implementation can introduce major vulnerabilities.
Check for:
- JavaScript enabled unnecessarily
- File access enabled
- Insecure URL loading
- JavaScript bridges
Risky Example:
webView.getSettings().setJavaScriptEnabled(true);Improper WebView configuration may lead to:
- XSS
- Local file access
- Remote code execution
Android Dynamic Analysis Checklist
Dynamic testing focuses on analyzing the application during runtime.
This phase validates:
- Runtime protections
- API behavior
- Authentication controls
- SSL pinning
- Session handling
- Data leakage
9. Setting Up Dynamic Testing Environment
Common environments:
- Rooted Android device
- Android Emulator
- Genymotion
- Android Studio Emulator
Common Tools:
- Burp Suite
- Frida
- Objection
- Drozer
- MobSF
- adb
Official Android Documentation:
Android Developers Security Guide
10. SSL Pinning Validation
Many apps implement SSL pinning to prevent interception.
During testing:
- Configure Burp Suite proxy
- Install CA certificate
- Check whether traffic is blocked
If SSL pinning exists:
- Attempt bypass using Frida
- Validate implementation strength
Common Tools:
- Frida
- Objection
Example:
objection exploreThen:
android sslpinning disableImproper SSL pinning can expose sensitive communication.
11. Authentication Testing
Authentication testing is one of the most critical parts of Android VAPT.
Validate:
- Login flow
- Token handling
- Session expiration
- MFA bypass
- Account lockout
- Password reset logic
Check for:
- Weak JWT validation
- Token reuse
- Insecure refresh tokens
- Missing logout invalidation
12. API Security Testing
Most Android apps rely heavily on backend APIs.
Test APIs for:
- IDOR vulnerabilities
- Broken authentication
- Authorization bypass
- Rate limiting
- Injection attacks
- Sensitive data exposure
Common API Tools:
- Burp Suite
- Postman
- Insomnia
Check whether APIs trust only client-side validation.
13. Runtime Manipulation Testing
Runtime manipulation helps identify insecure trust assumptions.
Common checks:
- Root detection bypass
- Emulator detection bypass
- SSL bypass
- Runtime hooking
- Function manipulation
Tools:
- Frida
- Objection
- Xposed Framework
14. Insecure Local Storage Testing
During runtime, verify:
- Clipboard leakage
- Screenshot protections
- Cached files
- Temporary files
- Downloaded sensitive documents
Common Locations:
/sdcard/
/data/data/package_name/cache/15. Root Detection Validation
Applications handling sensitive financial or enterprise data should implement root detection.
Check:
- Whether root is detected
- Whether detection can be bypassed
- Whether sensitive operations continue after bypass
16. Clipboard Leakage Testing
Sensitive data copied into clipboard may be accessed by other applications.
Check whether:
- OTPs
- Passwords
- Tokens
- Account numbers
are exposed via clipboard.
17. Screen Security Validation
Sensitive screens should prevent screenshots.
Check for:
FLAG_SECUREWithout this protection:
- Banking details
- Payment screens
- Authentication pages
may be captured.
18. Logging and Debug Information
Review runtime logs using:
adb logcatCheck for:
- Credentials
- Tokens
- API responses
- Sensitive logs
- Stack traces
Applications should avoid logging sensitive information.
19. Reverse Engineering Resistance
Check whether the application implements:
- Code obfuscation
- Anti-tampering
- Root detection
- Anti-debugging
- Runtime integrity checks
Common tools:
- ProGuard
- R8
- DexGuard
Common Android VAPT Findings
| Vulnerability | Risk |
|---|---|
| Hardcoded API Keys | Unauthorized access |
| Exported Activities | Privilege escalation |
| Insecure Storage | Data exposure |
| SSL Pinning Bypass | MITM attacks |
| Weak Authentication | Account compromise |
| Debuggable APK | Reverse engineering |
| Weak Root Detection | Runtime manipulation |
| IDOR in APIs | Unauthorized data access |
Android VAPT Reporting Best Practices
A professional Android VAPT report should include:
- Application overview
- Testing methodology
- Static analysis findings
- Dynamic analysis findings
- API testing observations
- Risk severity
- Screenshots and PoC
- Remediation recommendations
Each finding should clearly explain:
- Description
- Root cause
- Business impact
- Technical impact
- Mitigation steps
Recommended Android Security Tools
| Tool | Purpose |
|---|---|
| APKTool | APK reverse engineering |
| jadx | Source code review |
| MobSF | Automated analysis |
| Burp Suite | API interception |
| Frida | Runtime instrumentation |
| Objection | Mobile exploitation |
| adb | Android debugging |
| Drozer | Android attack framework |
Official Resources:
Internal PentestHint Resources
Explore more mobile security and VAPT content:
Conclusion
Android application security testing is no longer optional for organizations handling sensitive user data. Modern Android apps rely heavily on APIs, local storage, runtime protections, and third-party integrations, making them attractive targets for attackers.
A proper Android VAPT should include both static analysis and dynamic analysis to identify vulnerabilities that may not be visible through automated scanners alone.
Whether you are a penetration tester, bug bounty hunter, mobile security researcher, or cybersecurity student, understanding Android VAPT methodology is essential for securing modern mobile applications against real-world attacks.
