Android Penetration Testing Checklist

The document provides a 12-step checklist for conducting an Android penetration test, covering tasks like pre-engagement preparation, reconnaissance, static and dynamic analysis, local storage analysis, authentication testing, input validation testing, inter-process communication testing, third-party component testing, reverse engineering, network and API testing, and post-testing activities.

Uploaded by

dileep y

1. Pre-Engagement Preparation

Define scope and objectives of the penetration test
Gather information about the target application
Obtain necessary permissions and legal approvals
Set up testing environment (emulators, physical devices, tools)

2. Reconnaissance

Identify application entry points (activities, services, content providers, broadcast receivers)
Collect app metadata (package name, version, permissions)
Decompile APK to analyze source code and resources
Identify third-party libraries and frameworks used

3. Static Analysis

Analyze manifest file for misconfigurations and insecure components
Review source code for hardcoded credentials and sensitive information
Check for usage of insecure cryptographic algorithms
Assess file permissions and data storage practices
Analyze web views and JavaScript interfaces

4. Dynamic Analysis

Intercept and analyze network traffic (HTTP/HTTPS)
Test for SSL/TLS implementation and certificate validation
Monitor app behavior using tools like Frida, Xposed
Check for unintended data leakage (logs, cache, clipboard)
Test for runtime vulnerabilities (code injection, debugging)

5. Local Storage Analysis

Analyze local storage for sensitive data (SQLite databases, SharedPreferences, internal storage)
Test encryption of stored data
Check for insecure file storage permissions

6. Authentication and Authorization

Test login mechanisms and password policies
Check for session management issues (token expiration, session fixation)
Test for insecure direct object references (IDOR)
Assess role-based access controls (RBAC)

7. Input Validation and Injection Attacks

Test for SQL injection vulnerabilities
Check for command injection and code injection vulnerabilities
Assess input validation on user inputs (forms, search fields)
Test for Cross-Site Scripting (XSS) vulnerabilities

8. Inter-Process Communication (IPC)

Test for insecure implementation of intents
Check for exposed components (activities, services)
Test content providers for SQL injection and unauthorized access
Assess broadcast receivers for security issues

9. Third-Party Components

Analyze the security of integrated third-party SDKs and APIs
Check for known vulnerabilities in third-party libraries
Test for secure implementation of third-party services (OAuth, SSO)

10. Reverse Engineering and Tampering

Test app obfuscation techniques (ProGuard, R8)
Analyze binary protection mechanisms (anti-tampering, anti-debugging)
Attempt to modify and repackage the APK
Check for root detection and emulator detection mechanisms

11. Network and API Testing

Test backend APIs for authentication and authorization issues
Check API endpoints for input validation and injection flaws
Assess the security of data transmission (encryption, data integrity)
Test for rate limiting and denial-of-service (DoS) protections

12. Post-Testing Activities

Document all findings with detailed descriptions and remediation steps
Provide risk ratings for identified vulnerabilities
Discuss findings with development team and stakeholders
Retest to verify remediation of vulnerabilities

Recommended Tools

Static Analysis: ApkTool, JADX, MobSF
Dynamic Analysis: Burp Suite, OWASP ZAP, Frida, Xposed
Network Traffic Analysis: Wireshark, mitmproxy, Charles Proxy
Local Storage Analysis: SQLite Database Browser, adb
Reverse Engineering: Ghidra, Hopper, IDA Pro

This checklist provides a comprehensive guide for conducting an Android penetration test,
covering all essential areas and tools needed to ensure a thorough security assessment.
