Overview

Android applications are often vulnerable because of insecure coding practices, improper local storage, and missing or misused encryption. For an ethical hacker or security tester, recognizing these flaws is the first step toward securing the mobile ecosystem. This guide covers the most common vulnerabilities found in Android apps, with practical testing tips for each.

⚠️ Most Common Android Vulnerabilities

1. Insecure Data Storage

Storing sensitive data (tokens, passwords, PII) in plaintext in SharedPreferences, internal files, or SQLite databases is a major risk. The app's private directory is protected from other apps only by Linux file permissions, so anything that bypasses those permissions reads the data directly.

  • Attackers with root access, or malware running as root, can copy the app's private directory; on devices where android:allowBackup is left enabled, `adb backup` can pull it as well.
  • Encrypt the data at rest with AES-GCM under a key generated inside the Android Keystore (hardware-backed where the device supports it). The key material never leaves the Keystore, so a copied database or preferences file is useless without the device.

2. Improper WebView Usage

Enabling JavaScript in a WebView turns every page it loads into code running inside the app's process. If that content is attacker-controlled (loaded over HTTP, from an untrusted URL, or injected through XSS in a trusted page), the script can reach whatever the WebView exposes: local files if file access is on, and every method published with addJavascriptInterface(). On Android versions below 4.2 (API 17) any public method of the bridged object was reachable through reflection, which gave remote code execution; from API 17 only methods annotated with @JavascriptInterface are exposed, but they still run with the app's full privileges.

// Bad practice: JavaScript on, and a bridge object handed to whatever page the WebView happens to load
webView.getSettings().setJavaScriptEnabled(true);
webView.addJavascriptInterface(new Object(), "Android");   // pre-API-17: window.Android.getClass() -> reflection -> Runtime.exec()

Keep JavaScript off unless the page needs it, load only content you control over HTTPS, restrict navigation to that origin with a WebViewClient, disable file and content access, and add a JS bridge only if unavoidable, with the fewest @JavascriptInterface methods possible, each treating its arguments as untrusted input.
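As an added example (not from the original page), here is a WebView configured the way the advice above describes: one allowed HTTPS origin enforced by a WebViewClient, file and content access off, and a bridge that exposes a single annotated method which validates its input and marshals to the UI thread. The host name `app.example.com`, the class names and the `showMessage` method are assumptions for the example; `shouldOverrideUrlLoading(WebView, WebResourceRequest)` needs API 24 or higher.

```java
import android.content.Context;
import android.net.Uri;
import android.os.Handler;
import android.os.Looper;
import android.webkit.JavascriptInterface;
import android.webkit.WebResourceRequest;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import android.widget.Toast;

/** WebView locked down to one HTTPS origin, with a minimal, annotated JS bridge. */
final class HardenedWebView {
    private static final String TRUSTED_HOST = "app.example.com";   // assumed: the only origin this WebView may show

    static void configure(WebView webView) {
        WebSettings s = webView.getSettings();
        s.setJavaScriptEnabled(true);                 // only because the trusted page needs it; leave false otherwise
        s.setAllowFileAccess(false);                  // no file:// loads (default was true before API 30)
        s.setAllowContentAccess(false);               // no content:// loads from other providers
        s.setAllowFileAccessFromFileURLs(false);      // a file:// page must not read other local files
        s.setAllowUniversalAccessFromFileURLs(false);
        s.setJavaScriptCanOpenWindowsAutomatically(false);

        webView.setWebViewClient(new WebViewClient() {
            // Returning true cancels the navigation: anything off-origin, and any javascript:/file: URL, is dropped.
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                return !isTrusted(request.getUrl());
            }
        });

        // One object with one annotated method: nothing else is reachable from JS on API 17+.
        webView.addJavascriptInterface(new Bridge(webView.getContext()), "Android");
    }

    static boolean isTrusted(Uri uri) {
        return uri != null
            && "https".equalsIgnoreCase(uri.getScheme())
            && TRUSTED_HOST.equalsIgnoreCase(uri.getHost());
    }

    /** Initial loads do not pass through shouldOverrideUrlLoading, so check them here too. */
    static void load(WebView webView, String url) {
        if (!isTrusted(Uri.parse(url))) throw new IllegalArgumentException("refusing to load untrusted URL");
        webView.loadUrl(url);
    }

    static final class Bridge {
        private final Context app;
        private final Handler main = new Handler(Looper.getMainLooper());

        Bridge(Context ctx) { app = ctx.getApplicationContext(); }

        /** Bridge methods run on a background thread and receive attacker-influenced strings: validate, then hop to the UI thread. */
        @JavascriptInterface
        public void showMessage(String message) {
            if (message == null || message.length() > 200) return;
            main.post(() -> Toast.makeText(app, message, Toast.LENGTH_SHORT).show());
        }
    }
}
```

Two things this does not cover, which a tester should still probe: subresource loads (scripts, iframes, XHR) are not routed through `shouldOverrideUrlLoading`, so off-origin content referenced by the trusted page is still fetched, and any script that gets onto the trusted origin (XSS) can call the bridge. That is why the bridge is kept to harmless, validated operations.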

3. Hardcoded Secrets

API keys, tokens, credentials, and encryption keys embedded in the APK, whether as Java constants, BuildConfig fields, entries in res/values/strings.xml, files under assets/, or strings in native libraries, are easily extracted with reverse-engineering tools such as apktool or JADX, or with plain `strings`. ProGuard/R8 obfuscation renames classes and methods but leaves string literals intact.

String apiKey = "AIzaSyD1234EXAMPLESECRETKEY";   // compiled into classes.dex as a plain string constant: one JADX search away
  • The client cannot keep a secret. Store third-party keys server-side, have the app authenticate the user to your own backend and receive a short-lived session token, and let the backend call the third-party API. Anything the app fetches dynamically is still visible to whoever controls the device, so the goal is to make what the app holds per-user and revocable, not to hide a shared key better.

4. Insecure Communication

Sending traffic over plain HTTP, or over HTTPS with a custom trust manager that accepts every certificate (or a HostnameVerifier that accepts every host), lets anyone on the network path impersonate the server and read or modify the traffic (MITM).

// Vulnerable trust manager example: checkServerTrusted never throws, so ANY certificate,
// including a proxy's self-signed one, is accepted and the connection is silently MITM-able.
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

TrustManager[] trustAllCerts = new TrustManager[] {
   new X509TrustManager() {
       public void checkClientTrusted(X509Certificate[] chain, String authType) {}
       public void checkServerTrusted(X509Certificate[] chain, String authType) {}   // must validate the chain or throw CertificateException
       public X509Certificate[] getAcceptedIssuers() { return null; }
   }
};
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(null, trustAllCerts, new java.security.SecureRandom());   // every connection made with this context trusts everything
  • Keep the platform's default trust manager, forbid cleartext with a Network Security Config (cleartextTrafficPermitted="false", already the default when targeting API 28+), and add certificate pinning, either with OkHttp's CertificatePinner or a <pin-set> in the Network Security Config. Always ship a backup pin so that rotating the server key does not lock users out. Testing check: route the app through Burp Suite with the Burp CA installed on the device; an app that still connects is not pinning, and an app with a trust-all manager connects even without the CA installed.
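The client below is an added example, not the page's own code, and serves both the hardcoded-secrets and the insecure-communication sections: it pins the backend's public key with OkHttp's CertificatePinner on top of normal chain validation, and it calls the app's own backend with a per-user bearer token rather than calling a third-party API with an embedded key. The host `api.example.com`, the `/v1/weather` endpoint and the two `sha256/...` pin values are placeholders and must be replaced; the openssl pipeline in the comment produces the real pin for a given server.

```java
import java.io.IOException;
import java.util.concurrent.TimeUnit;
import okhttp3.CertificatePinner;
import okhttp3.HttpUrl;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;

/** Talks only to our own backend, over TLS, with public-key pinning. */
final class SecureApi {
    private static final String HOST = "api.example.com";   // assumed backend host
    // Placeholder pins (assumed): base64 SHA-256 of the server's SubjectPublicKeyInfo. Generate real ones with
    //   openssl s_client -connect api.example.com:443 </dev/null | openssl x509 -pubkey -noout \
    //     | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64
    private static final String PIN_CURRENT = "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
    private static final String PIN_BACKUP  = "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=";

    static OkHttpClient buildClient() {
        CertificatePinner pinner = new CertificatePinner.Builder()
                .add(HOST, PIN_CURRENT)
                .add(HOST, PIN_BACKUP)      // pin of a pre-generated spare key, so rotating the live key does not brick the app
                .build();
        return new OkHttpClient.Builder()
                .certificatePinner(pinner)  // the default trust manager stays in place: chain must be valid AND match a pin
                .connectTimeout(10, TimeUnit.SECONDS)
                .readTimeout(20, TimeUnit.SECONDS)
                .build();
    }

    /** The third-party API key never ships in the APK: the backend holds it and calls the vendor on the user's behalf. */
    static String fetchWeather(OkHttpClient client, String sessionToken, String city) throws IOException {
        HttpUrl url = new HttpUrl.Builder()
                .scheme("https")
                .host(HOST)
                .addPathSegments("v1/weather")
                .addQueryParameter("city", city)   // encoded by HttpUrl, no string concatenation
                .build();
        Request request = new Request.Builder()
                .url(url)
                .header("Authorization", "Bearer " + sessionToken)   // short-lived, per-user, revocable
                .build();
        try (Response response = client.newCall(request).execute()) {
            if (!response.isSuccessful()) throw new IOException("backend returned HTTP " + response.code());
            return response.body().string();
        }
    }
}
```

With this client in place a Burp proxy, even with its CA installed, fails the handshake with an SSLPeerUnverifiedException listing the pins that were expected. Getting past it requires runtime instrumentation (hooking CertificatePinner with Frida), which is why pinning is defence in depth on the device and not a substitute for keeping secrets on the server.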

5. Improper Component Export

Activities, Services, BroadcastReceivers, and ContentProviders become reachable from other apps when they are exported in AndroidManifest.xml. A component is exported when it sets android:exported="true" or, for apps targeting Android 11 or lower, whenever it declares an <intent-filter> and leaves android:exported unset; apps targeting Android 12 (API 31) or higher must set the attribute explicitly on any component with an intent-filter. Any app on the device can then start the activity, bind or start the service, or send the broadcast with an explicit Intent, skipping whatever login or authorization screen was supposed to come first.

<!-- Any installed app can start this activity directly with an explicit Intent -->
<activity android:name=".AdminPanel"
    android:exported="true" />

Mark components android:exported="false" unless another app genuinely needs them. For components that must be exported, declare a custom permission with android:protectionLevel="signature" and require it through android:permission on the component, and treat every Intent extra as untrusted input. Testing check: `adb shell am start -n <package>/.AdminPanel` from the adb shell; if the screen opens, the component is hijackable by any app on the device.
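A tester does not have to read the decoded manifest by hand: the added example below (not from the original page) enumerates a target package's exported components through PackageManager, exactly as the system sees them after defaults are applied, and flags those reachable without any permission. It assumes the tester installs a small app of their own on the device; on Android 11 and later that app needs the QUERY_ALL_PACKAGES permission or a matching <queries> element to see other packages.

```java
import android.content.Context;
import android.content.pm.ActivityInfo;
import android.content.pm.ComponentInfo;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.ProviderInfo;
import android.content.pm.ServiceInfo;
import java.util.ArrayList;
import java.util.List;

/** Lists the exported attack surface of an installed package, as resolved by the system. */
final class ExportedComponentAudit {

    /** Returns one line per exported component; lines ending in "NO permission" are open to every app. */
    static List<String> audit(Context ctx, String targetPackage) throws PackageManager.NameNotFoundException {
        PackageManager pm = ctx.getPackageManager();
        PackageInfo info = pm.getPackageInfo(targetPackage,
                PackageManager.GET_ACTIVITIES | PackageManager.GET_SERVICES
                | PackageManager.GET_RECEIVERS | PackageManager.GET_PROVIDERS);
        List<String> findings = new ArrayList<>();
        collect(findings, "activity", info.activities);
        collect(findings, "service", info.services);
        collect(findings, "receiver", info.receivers);   // receivers are also ActivityInfo objects
        collect(findings, "provider", info.providers);
        return findings;
    }

    private static void collect(List<String> out, String kind, ComponentInfo[] components) {
        if (components == null) return;
        for (ComponentInfo c : components) {
            if (!c.exported) continue;   // 'exported' already reflects the intent-filter default for the target SDK
            String permission = requiredPermission(c);
            out.add(kind + " " + c.name
                    + (permission == null ? "  <-- exported with NO permission" : "  (requires " + permission + ")"));
        }
    }

    /** The permission a caller must hold; null means anyone can reach the component. */
    private static String requiredPermission(ComponentInfo c) {
        if (c instanceof ActivityInfo) return ((ActivityInfo) c).permission;
        if (c instanceof ServiceInfo) return ((ServiceInfo) c).permission;
        if (c instanceof ProviderInfo) {
            ProviderInfo p = (ProviderInfo) c;
            return p.readPermission != null ? p.readPermission : p.writePermission;
        }
        return null;
    }
}
```

The same information is available without writing code via `adb shell dumpsys package <package>`, but having it as a list makes it easy to feed every "NO permission" activity straight into `am start -n` and every receiver into `am broadcast` to confirm exploitability.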

🔬 How to Test These Vulnerabilities

Reverse Engineering

apktool decodes the resources and the binary AndroidManifest.xml back to readable XML and disassembles the Dalvik bytecode to smali, which is the place to check exported components and strings.xml; JADX decompiles the same bytecode to Java, which makes hardcoded secrets, trust-all managers, WebView settings and insecure storage calls easy to search for.

# Decompile APK
apktool d vulnerableApp.apk      # writes vulnerableApp/ with decoded AndroidManifest.xml, res/ and smali/
jadx-gui vulnerableApp.apk       # decompiled Java in a searchable GUI; jadx -d out vulnerableApp.apk for the CLI

Static Analysis

Look for the following red flags in source code:

Dynamic Analysis

Use Frida to hook functions at runtime (for example, to log what the app writes to SharedPreferences, or to bypass certificate pinning), Burp Suite to intercept the app's HTTP(S) traffic with the proxy CA installed on the device, and MobSF to automate static and dynamic analysis in one pass.

🌐 Real-World Examples

💡 Tips for Developers

📚 Resources & Tools