Android App Penetration Testing Checklist with 154 Test cases [Free Excel File]
With 2.9 million apps, the Android Play Store is the most widely adopted mobile operating system.
With its vast opportunities, Android also draws the attention of malicious hackers who continuously seek to exploit weaknesses in mobile applications. Because of security concerns, Google has banned many apps from the Play Store.
Building a secure Android app requires thorough mobile application penetration testing. To help you navigate this task, we have developed an Android pen testing checklist that provides step-by-step guidance.
What is Android Application Penetration Testing?
Android application penetration testing, also known as Android pen testing, identifies vulnerabilities in Android applications. It systematically evaluates the application’s components, functionalities, and underlying infrastructure to uncover potential weaknesses attackers could exploit.
The primary goal of pen testing is to simulate real-world attack scenarios and provide valuable insights to enhance the application’s security.
This includes analysing the application’s code, network communication, data storage, authentication mechanisms, authorization controls, and adherence to secure coding practices.
Why is Android Pentesting Necessary?
Pentesting Android apps is crucial for several reasons:
- Identify Vulnerabilities: Android apps can be susceptible to various security vulnerabilities, such as insecure data storage, improper input validation, insecure communication, or inadequate authentication mechanisms. Pen testing helps to identify these vulnerabilities and weaknesses in the application’s code and configurations.
- Protect User Data: Mobile apps often handle sensitive user information, including personal data, financial details, and login credentials. Pen testing helps ensure that appropriate security measures are in place to protect user data from unauthorized access, data breaches, or misuse.
- Mitigate Risks: By conducting Android pen testing, developers and organizations can identify and understand the potential risks and threats their Android apps may face. This knowledge allows them to proactively address and mitigate these risks before attackers can exploit them.
- Enhance Application Security: Pen testing helps improve the overall security posture of an Android app. Developers can implement security patches, fixes, and updates by identifying vulnerabilities and weaknesses to enhance the app’s resilience against attacks.
- Compliance and Regulations: Many industries and regions have specific security compliance requirements and regulations that must be followed. Mobile app penetration testing can help organizations meet these requirements and demonstrate due diligence in ensuring the security and privacy of user data.
Steps in Android Application Penetration Testing
An Android application security testing checklist is like a detailed guidebook, showing you the important steps to make sure your mobile apps are safe from cyber threats. This detailed checklist breaks down the testing process into key steps, helping you find and fix any issues to boost your app’s security.
1. Reconnaissance and Information Gathering
The first phase in pen testing the Android app involves gathering information about the target application. This includes understanding the app’s functionality, intended user base, underlying technologies, and potential external dependencies. APK decompilers, network sniffers, and online research techniques help collect valuable information to build a solid testing foundation.
2. Threat Modeling and Risk Assessment
Based on the gathered information, the tester identifies and prioritizes potential threats and risks in this phase. This involves considering the app’s attack surface, threat vectors, potential impact, and the likelihood of exploitation. Testers can create a focused and efficient testing strategy by understanding the application’s critical assets and potential vulnerabilities.
3. Analysis / Assessment
During the analysis and assessment phase, pen-testers employ various techniques to examine the mobile application’s security thoroughly. Some assessment techniques commonly used include:
- Static Analysis: Static analysis involves examining the Android application’s code and resources without executing it. Testers use static analysis tools to identify security vulnerabilities, such as insecure data storage, improper input validation, or code injection vulnerabilities. This phase helps uncover issues in the codebase and adherence to secure coding practices.
- Dynamic Analysis: Dynamic analysis involves executing the application to observe its behaviour in runtime. Testers use tools and techniques to analyse network traffic, API interactions, session management, and input validation. This helps identify runtime vulnerabilities, logic flaws, insecure data transmission, and weaknesses in authentication and authorization mechanisms.
- Architecture Analysis: Pentesters assess the application’s architecture to understand its overall design and identify any security vulnerabilities from architectural flaws. This analysis focuses on aspects such as the interaction between different components, data flows, trust boundaries, and potential points of compromise.
- Reverse Engineering: Reverse engineering involves dissecting the application to understand its inner workings, even if the source code is unavailable. Pentesters analyze the application’s binaries, protocols, and dependencies to uncover potential vulnerabilities, hidden features, or weak security mechanisms.
- Analysis of File System: Pentesters examine the application’s file system to identify sensitive data stored insecurely. This analysis may involve looking for hardcoded credentials, sensitive configuration files, temporary files containing sensitive information, or any other files that attackers could target.
- Inter-application Communication: This technique focuses on analyzing how different applications within a system communicate with each other. Pentesters assess the security of inter-application communication mechanisms, such as APIs, shared resources, or network protocols, to identify potential vulnerabilities or weaknesses that attackers could exploit.
The exploitation phase focuses on exploiting the identified vulnerabilities to determine their impact and potential for unauthorized access or data compromise. Pen testers conduct targeted attacks to gain unauthorized access, escalate privileges, or manipulate the application’s behaviour. They also test for common attack vectors like SQL injection, cross-site scripting (XSS), or insecure direct object references.
After completing the testing process, testers compile a detailed report that includes identified vulnerabilities, their severity, and recommended remediation steps. The report serves as a roadmap for developers and stakeholders to understand the security weaknesses and prioritize fixes to enhance the application’s security posture.
Top Android Pen Testing Use Cases to Test for
1. Insufficient Authentication / Authorization
Insufficient authentication and authorization can lead to unauthorized access and misuse of sensitive functionality or data in an Android app. Here are some top use cases for Android application penetration testing to test for these vulnerabilities:
- Weak Password Policies: Test the app’s authentication mechanism by attempting to create accounts with weak passwords, such as simple or common passwords, and check if the app enforces strong password policies.
- Brute-Force and Dictionary Attacks: Perform brute-force or dictionary-based attacks to test if the app’s authentication mechanism can withstand repeated login attempts with incorrect credentials.
- Session Management: Test the app’s session management to ensure that session tokens or cookies are properly generated, invalidated, and protected against session hijacking or fixation attacks.
- Privilege Escalation: Test if it’s possible to elevate privileges or bypass authorization controls by manipulating input parameters, changing user roles, or tampering with authorization tokens.
- Access Control Testing: Verify if the app properly enforces access controls for different user roles or permissions—test scenarios where a user attempts to access restricted functionality or sensitive data without authorization.
- API Authorization: Test the app’s API endpoints to ensure proper authorization checks are performed before accessing sensitive data or performing privileged operations. Verify that APIs reject unauthorized requests.
Here is a detailed blog on authorization, rate limiting, and 12 ways to protect your APIs
- Account Lockout Mechanisms: Test if the app implements account lockout mechanisms to prevent brute-force attacks. Check if the app locks user accounts after a certain number of failed login attempts.
- Remember Me Functionality: Test the “Remember Me” or persistent login feature to ensure that it does not compromise the security of user accounts by providing unauthorized access to the app.
2. Insecure Data Storage
- Internal Storage: Pen-test Android apps to identify if they securely store sensitive data locally. Android includes measures to safeguard files created on internal storage, ensuring that they are accessible exclusively by the app. However, developers may unknowingly undermine this protection by implementing modes such as MODE_WORLD_READABLE and MODE_WORLD_WRITABLE, inadvertently allowing unauthorized access by other apps, including malicious ones.
When performing static analysis, pay close attention to code sections that involve such modes. These modes can introduce security vulnerabilities, allowing unauthorized access to files. Additionally, during dynamic analysis, it is essential to validate the permissions of files created by the application to ensure that they adhere to the required security restrictions.
- External Storage: Pentesting Android apps should involve evaluating the security of sensitive data stored on external storage. Verify that files created on external storage, such as SD Cards, are not globally readable or writable, as this would pose a security risk.
Also, check if the app properly handles data from external storage by performing input validation to mitigate potential vulnerabilities. We strongly advise against storing sensitive information on external storage due to its susceptibility to removal and modification by users and other applications.
Additionally, we caution against storing executable or class files on external storage before dynamic loading and recommend cryptographically verifying such files to prevent the execution of malicious code. By conducting these assessments, pen testers ensure that the app follows best practices and safeguards sensitive data when using external storage.
3. Sensitive Data Exposure
- Data Storage Review: Android provides a convenient way for applications to save XML files in the directory /data/data/<packagename>/shared_prefs/. However, it is essential to note that sensitive information may sometimes be found in clear text within this folder, posing a security risk. Assess if encryption mechanisms, like Android Keystore System or secure storage libraries, are used appropriately to protect stored data. Discover the impacts of excessive data exposure here.
- Logging Mechanisms: Examine the app’s logging mechanisms to identify if sensitive information, such as passwords, API keys, or user credentials, is being logged in plaintext. Check for improper logging practices that might leak sensitive data to log files.
- Error Handling: Analyze how the app handles errors and exceptions. Ensure that error messages and stack traces do not reveal sensitive information that could aid an attacker in exploiting vulnerabilities.
- Code Review: Perform a thorough code review to identify any instances where sensitive data is handled without proper security measures, such as missing input validation or insecure data handling practices.
4. Broken Cryptography
- Insufficient Transport Layer Protection: While pen testing Android apps, assessing the implementation of algorithms used for various purposes is essential. Developers should avoid using insecure and deprecated algorithms, such as RC4, MD4, MD5, and SHA1, for tasks like authorization checks, data storage, and data transmission. Instead, secure and modern algorithms should be employed to ensure the confidentiality and integrity of sensitive information. When storing passwords, it is recommended to use salted hashes resistant to brute-force attacks.
- Weak Handshake Negotiation: Examining the handshake negotiation process is important. Weak handshake negotiation occurs when an insecure cipher suite is used between the application and server during the SSL/TLS handshake. This weak cipher suite choice exposes the connection to potential MITM attacks, allowing attackers to decrypt the communication easily.
- Poor Key Management Processes : In some cases, developers may store sensitive data in local storage and encrypt it using a hardcoded or predictable key embedded in the code. This inherently insecure approach can enable attackers to extract confidential information by analyzing the code through reverse engineering methods.
5. SSL Pinning
SSL Pinning involves validating the server’s SSL/TLS certificate against a pre-configured or “pinned” certificate within the mobile app. This process helps mitigate the risk of Man-in-the-Middle (MITM) attacks by ensuring that the app only communicates with trusted servers.
Assess the SSL pinning during mobile app penetration testing to validate its implementation and effectiveness.
Check whether the application accepts a certificate from any trusted CA or not. E.g. Check AllowAllHostnameVerifier(Android)
6. Common Web Vulnerabilities
It is crucial to be aware of common web application vulnerabilities and exercise caution when assessing the security of an Android application.
- SQL Injection: Take extra precautions when dealing with dynamic queries or Content-Providers. Ensure that parameterized queries are used to prevent SQL Injection attacks.
- Local File Inclusion: Confirm that File System Access is disabled for any WebViews. By default, WebView settings should have file access disabled (webview.getSettings().setAllowFileAccess(false);).
- Persistent Cookies: Be mindful of the persistence of cookies even after a session has ended with the Android application. Ensure that cookies are adequately revoked or cleared and take precautions to prevent cookies from being saved to disk.
Android application penetration testing involves going beyond the surface-level discovery of vulnerabilities. It encompasses an active phase where the pen-testers exploit the identified weaknesses to uncover other vulnerabilities potentially.
Empower your Android app’s protection against vulnerabilities using our ultimate mobile security testing checklist. Level up your security game and build user trust!