What is Android Application Security Testing?
Android application testing involves assessing the security of mobile apps built for the Android platform. This includes analyzing the app's code, behavior, network communication, data storage, and interaction with the Android OS. The objective is to identify vulnerabilities before attackers do.
🔍 Key Phases of Android Testing
1. Static Analysis (SAST)
Examining the app without executing it. This involves reverse engineering the APK file to analyze code, permissions, hardcoded secrets, and insecure configurations.
2. Dynamic Analysis (DAST)
Running the app in a controlled environment to observe runtime behavior, monitor logs, intercept traffic, and trigger vulnerabilities.
3. Reverse Engineering
Decoding and understanding compiled Android apps to reveal logic flaws or hidden functionality.
4. Exploitation
Actively attempting to exploit discovered vulnerabilities such as insecure storage, activity hijacking, insecure API calls, or insecure communication.
🧰 Essential Tools
- APKTool – Decode and rebuild APKs
- MobSF (Mobile Security Framework) – Automated analysis tool for static and dynamic testing
- Burp Suite – Intercept and manipulate HTTP/S traffic
- Frida – Dynamic instrumentation toolkit
- Jadx – Decompile APKs into readable Java source
- ADB (Android Debug Bridge) – Interact with Android device/emulator shell
⚙️ Step-by-Step Android App Testing Workflow
Step 1: Extract APK
Use `adb pull` with the path printed by `pm path` (the path below is illustrative; on current Android versions the install directory carries a random suffix), or download the APK from the Play Store or third-party sources.
```shell
adb shell pm list packages
adb shell pm path com.target.app
adb pull /data/app/com.target.app-1/base.apk
```
Step 2: Decompile APK
Use APKTool or jadx to analyze resources and source code.
```shell
apktool d base.apk -o decoded_app
jadx -d source_code base.apk
```
Step 3: Analyze Manifest
Inspect `AndroidManifest.xml` for exported components, permissions, and misconfigurations (e.g., `android:debuggable="true"`).
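A small manifest triage script, added here as an illustration (it is not code from the article or from any of the tools it lists). `find_manifest_issues()` takes the text of the decoded manifest, for example `decoded_app/AndroidManifest.xml` as written by apktool, and reports the `application` flags and exported components that Step 3 tells you to look for. `SAMPLE_MANIFEST`, the package name and the component names are constructed for the demo.

```python
"""Added illustration (not code from the article): triage a decoded
AndroidManifest.xml for the misconfigurations Step 3 describes.

SAMPLE_MANIFEST is a constructed example; package and component names
are made up. For real use, pass the text of decoded_app/AndroidManifest.xml.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")
APP_FLAGS = ("debuggable", "allowBackup", "usesCleartextTraffic")

SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fitness">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:debuggable="true"
               android:allowBackup="true"
               android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".AdminPanelActivity" android:exported="true"/>
    <activity android:name=".DeepLinkActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <data android:scheme="fitness"/>
      </intent-filter>
    </activity>
    <receiver android:name=".SyncReceiver" android:exported="true"
              android:permission="com.example.fitness.SYNC"/>
    <provider android:name=".UserProvider"
              android:authorities="com.example.fitness.users"
              android:exported="false"/>
  </application>
</manifest>
"""


def _attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def is_exported(component):
    """True if other apps can reach the component.

    An explicit android:exported attribute wins. Without one, a component
    that declares an <intent-filter> is exported by default (the pre-API-31
    rule; API 31+ requires the attribute to be explicit in that case).
    """
    explicit = _attr(component, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return component.find("intent-filter") is not None


def _is_launcher(component):
    """The launcher activity must be exported, so it is not reported."""
    for cat in component.iter("category"):
        if _attr(cat, "name") == "android.intent.category.LAUNCHER":
            return True
    return False


def find_manifest_issues(manifest_xml):
    """Return a sorted list of human-readable findings for one manifest."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    findings = []
    if app is None:
        return findings
    for flag in APP_FLAGS:
        if (_attr(app, flag) or "").lower() == "true":
            findings.append("application: android:%s=true" % flag)
    for tag in COMPONENT_TAGS:
        for comp in app.iter(tag):
            if not is_exported(comp) or _is_launcher(comp):
                continue
            if _attr(comp, "permission"):
                continue  # exported, but callers must hold a permission
            findings.append("%s %s exported without a permission"
                            % (tag, _attr(comp, "name")))
    return sorted(findings)


if __name__ == "__main__":
    for finding in find_manifest_issues(SAMPLE_MANIFEST):
        print(finding)
```

The implicit-export rule in `is_exported()` is the part that is easy to miss when reading a manifest by eye: `.DeepLinkActivity` has no `android:exported` attribute at all, yet its intent filter makes it reachable from other apps on older targets.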
Step 4: Inspect Code
Look for hardcoded secrets, API keys, and insecure function calls like `WebView.loadUrl()`.
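A grep-style source scanner for Step 4, added here as an illustration (not code from the article or from jadx). `scan_source()` flags lines in one decompiled file that match the patterns the step names (hardcoded keys, cleartext URLs, risky `WebView` and storage calls), and `scan_tree()` walks a jadx output directory such as `source_code/`. `SAMPLE_JAVA` and the key inside it are constructed placeholders, and every hit is a lead for manual review rather than a confirmed bug.

```python
"""Added illustration (not code from the article): pattern-based triage of
decompiled source for the Step 4 findings.

SAMPLE_JAVA is constructed; the API key in it is a made-up placeholder.
"""
import os
import re

# (rule name, pattern). A hit means "look here", not "vulnerable".
RULES = [
    ("hardcoded-secret",
     re.compile(r'(?i)\b(api[_-]?key|secret|password|token)\s*=\s*"[^"]{8,}"')),
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("cleartext-http-url", re.compile(r'"http://')),
    ("webview-javascript-enabled", re.compile(r"setJavaScriptEnabled\(\s*true\s*\)")),
    ("webview-js-interface", re.compile(r"\baddJavascriptInterface\(")),
    ("webview-loadurl", re.compile(r"\bloadUrl\(")),
    ("world-readable-prefs", re.compile(r"MODE_WORLD_(READABLE|WRITEABLE)")),
]

SAMPLE_JAVA = """\
public class ApiClient {
    private static final String API_KEY = "CONSTRUCTED_EXAMPLE_KEY_0001";
    private static final String BASE_URL = "http://api.example.com/v1/";

    public void showHelp(WebView view, String url) {
        view.getSettings().setJavaScriptEnabled(true);
        view.addJavascriptInterface(new Bridge(), "Android");
        view.loadUrl(url);
    }

    public void save(Context ctx, String password) {
        SharedPreferences prefs =
            ctx.getSharedPreferences("auth", Context.MODE_WORLD_READABLE);
        prefs.edit().putString("password", password).apply();
    }
}
"""


def scan_source(text):
    """Return (line_number, rule_name, stripped_line) for every rule hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append((lineno, name, line.strip()))
    return findings


def scan_tree(root_dir, extensions=(".java", ".kt", ".xml")):
    """Scan every source file under root_dir (e.g. jadx's source_code/)."""
    results = {}
    for dirpath, _dirs, files in os.walk(root_dir):
        for fname in files:
            if not fname.endswith(extensions):
                continue
            path = os.path.join(dirpath, fname)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_source(fh.read())
            if hits:
                results[path] = hits
    return results


if __name__ == "__main__":
    for lineno, rule, line in scan_source(SAMPLE_JAVA):
        print("%4d  %-28s %s" % (lineno, rule, line))
```

Line 14 of the sample (`putString("password", password)`) is deliberately not matched by `hardcoded-secret`: the value comes from a variable, so the real finding there is the world-readable preference file on the line above it, which the storage rule catches.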
Step 5: Setup Emulator + Proxy
Run the app on an emulator or real device. Configure Burp Suite for traffic interception, and install Burp's CA certificate on the device so HTTPS traffic can be decrypted. Note that on the stock Android emulator 127.0.0.1 is the emulator itself; Burp running on the host is reachable at 10.0.2.2 (for a physical device, use the host's LAN address).
```shell
adb shell settings put global http_proxy 127.0.0.1:8080
```
Step 6: Dynamic Testing with Frida
Hook into runtime functions and bypass root detection, SSL pinning, or other checks.
```shell
frida -U -n com.target.app -l ssl_bypass.js
```
🌐 Real-World Example
While analyzing a fitness app:
- Discovered `SharedPreferences` storing credentials in plaintext
- Found exposed `Activity` components with `exported="true"` and no permission checks
- Intercepted insecure HTTP requests using Burp Suite, leaking session tokens
💡 Practical Tips
- Use rooted emulators or Genymotion for easier testing
- Check for insecure permissions and exported components
- Analyze network calls – look for lack of HTTPS, bad token handling
- Pay attention to native libraries and JNI bindings
- Use automation tools (like MobSF) to save time, but always validate manually