
Android App Security: The 2025 Penetration Testing Checklist

December 12, 2024 | 9 min read | ElevenDown Research Team

Android applications handle sensitive user data—from banking credentials to health records. Yet most apps ship with critical vulnerabilities that could be caught with a structured penetration testing approach. Here’s the checklist our team uses on every engagement.

1. Data Storage

Check for sensitive data stored in SharedPreferences, SQLite databases, internal/external storage, and application logs. Credentials, tokens, and PII should never be stored in plaintext. Verify that backup rules (android:allowBackup) don’t leak data.

2. Network Security

Verify SSL/TLS implementation, certificate pinning, and Network Security Config. Test for cleartext traffic, improper certificate validation, and man-in-the-middle vulnerabilities. Check if the app trusts user-installed CA certificates in production builds.
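An added example, not code from this article or from ElevenDown: a Python checker that reads a decoded APK's `res/xml/network_security_config.xml` and reports the settings this section calls out: cleartext permitted, user-installed CAs trusted outside `debug-overrides`, pins that can be overridden, and pin sets whose `expiration` has passed (Android stops enforcing an expired pin set without any error). Both XML documents are constructed samples, the function and constant names are this example's own, and the audit date is fixed so the result is reproducible. When `cleartextTrafficPermitted` is absent the platform default depends on targetSdk (permitted below API 28), which the checker cannot know, so it reports only explicit settings; treating `debug-overrides` as inactive is only correct once you have confirmed `android:debuggable` is off in the manifest.

```python
import xml.etree.ElementTree as ET
from datetime import date

AUDIT_DATE = date(2025, 1, 15)  # fixed so the sample output is reproducible

# Constructed sample of a weak network_security_config.xml (not from any real app).
WEAK_CONFIG = """
<network-security-config>
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system"/>
            <certificates src="user"/>
        </trust-anchors>
    </base-config>
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>
        <pin-set expiration="2024-06-30">
            <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
        </pin-set>
    </domain-config>
    <debug-overrides>
        <trust-anchors>
            <certificates src="user"/>
        </trust-anchors>
    </debug-overrides>
</network-security-config>
"""

# The corrected form: no cleartext, system CAs only, unexpired pins with a backup pin,
# and user CAs confined to debug-overrides (which only apply to debuggable builds).
HARDENED_CONFIG = """
<network-security-config>
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system"/>
        </trust-anchors>
    </base-config>
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>
        <pin-set expiration="2026-06-30">
            <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
            <pin digest="SHA-256">BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=</pin>
        </pin-set>
    </domain-config>
    <debug-overrides>
        <trust-anchors>
            <certificates src="user"/>
        </trust-anchors>
    </debug-overrides>
</network-security-config>
"""


def audit_network_security_config(xml_text, today=None):
    """Return a list of findings for one network_security_config.xml document."""
    today = today or date.today()
    root = ET.fromstring(xml_text.strip())
    findings = []
    # debug-overrides are ignored on non-debuggable builds, so they are skipped here.
    sections = root.findall("base-config") + list(root.iter("domain-config"))
    for cfg in sections:
        if cfg.tag == "base-config":
            scope = "all domains"
        else:
            scope = ", ".join(d.text.strip() for d in cfg.findall("domain"))
        if cfg.get("cleartextTrafficPermitted") == "true":
            findings.append(f"cleartext HTTP permitted for {scope}")
        for cert in cfg.findall("trust-anchors/certificates"):
            if cert.get("src") == "user":
                findings.append(f"user-installed CA certificates trusted for {scope}")
            if cert.get("overridePins") == "true":
                findings.append(f"certificates from src={cert.get('src')!r} may override pins for {scope}")
        for pin_set in cfg.findall("pin-set"):
            expiration = pin_set.get("expiration")
            if expiration and date.fromisoformat(expiration) < today:
                findings.append(f"pin-set for {scope} expired on {expiration}: pinning is no longer enforced")
            elif len(pin_set.findall("pin")) < 2:
                findings.append(f"pin-set for {scope} has no backup pin: a key rotation breaks connectivity")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{label}]")
        for finding in audit_network_security_config(cfg, today=AUDIT_DATE) or ["no findings"]:
            print("  -", finding)
```

Run it against the file apktool extracts to `res/xml/`; the manifest's `android:networkSecurityConfig` attribute names which file applies. A build with no such file falls back to platform defaults, which is itself worth recording in the report.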

3. Authentication & Session Management

Test biometric authentication bypass, token storage security, session timeout behavior, and whether the app properly invalidates sessions on logout. Check for hardcoded API keys and credentials in the APK.

4. Reverse Engineering & Tampering

Decompile the APK with jadx or apktool and look for hardcoded secrets, API endpoints, and business logic exposed in the code. Test root detection and integrity checking mechanisms for bypass potential.

Common find: Over 60% of Android apps we test contain at least one hardcoded API key or secret in the decompiled source code.
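An added example for the hardcoded-secret checks in sections 3 and 4 (not code from this article or from ElevenDown): a scanner that walks a jadx or apktool output tree and reports credential-looking strings. The AWS access key and Google API key patterns are the public formats of those identifiers; the generic assignment pattern is a heuristic, so it is reported with the value's Shannon entropy to help triage. Reported values are masked so the finding itself does not spread the secret. The sample files, paths and contents are constructed for this example; `load_tree` is the only part that touches a real directory.

```python
import math
import os
import re

# Constructed sample of decompiled sources (paths and contents invented here).
SAMPLE_SOURCES = {
    "com/example/bank/net/ApiClient.java": """
package com.example.bank.net;
public class ApiClient {
    private static final String BASE_URL = "https://api.example.com/v1/";
    private static final String API_KEY = "AIzaSyA-EXAMPLE-EXAMPLE-EXAMPLE-EXAMPLE";
    private static final String AWS_KEY = "AKIAEXAMPLEEXAMPLE01";
    private static final String DEBUG_PASSWORD = "changeme123";
    private static final String EMPTY_TOKEN = "";
}
""",
    "com/example/bank/BuildConfig.java": """
public final class BuildConfig {
    public static final boolean DEBUG = false;
    public static final String VERSION_NAME = "4.2.0";
}
""",
}

# Vendor key formats are high confidence on their own; the generic assignment
# pattern is a heuristic and is tried last.
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("google_api_key", re.compile(r"\bAIza[0-9A-Za-z_-]{35}")),
    ("private_key_block", re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----")),
    ("generic_credential", re.compile(
        r'(?i)\b\w*(?:api[_-]?key|secret|token|passw(?:or)?d)\w*\s*=\s*"([^"]{8,})"')),
]


def shannon_entropy(value):
    """Bits per character; random keys usually sit well above 3.5."""
    n = len(value)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n)
                for c in (value.count(ch) for ch in set(value)))


def mask(value):
    """Keep a recognisable prefix and hide the rest."""
    return value[:4] + "*" * max(len(value) - 4, 0)


def scan_sources(sources):
    """sources: {relative path: text}. Returns one finding per matching line."""
    findings = []
    for path, text in sources.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for kind, rx in PATTERNS:
                m = rx.search(line)
                if not m:
                    continue
                value = m.group(1) if m.groups() else m.group(0)
                entropy = shannon_entropy(value)
                if kind == "generic_credential":
                    confidence = "medium" if entropy >= 3.5 else "low"
                else:
                    confidence = "high"
                findings.append({"file": path, "line": lineno, "kind": kind,
                                 "value": mask(value), "entropy": round(entropy, 2),
                                 "confidence": confidence})
                break  # one finding per line; specific formats win
    return findings


def load_tree(root_dir, suffixes=(".java", ".kt", ".smali", ".xml", ".properties")):
    """Read a jadx/apktool output directory into the {path: text} shape above."""
    sources = {}
    for dirpath, _, files in os.walk(root_dir):
        for name in files:
            if name.endswith(suffixes):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    sources[os.path.relpath(full, root_dir)] = fh.read()
    return sources


if __name__ == "__main__":
    for f in scan_sources(SAMPLE_SOURCES):
        print(f"{f['file']}:{f['line']} {f['kind']} ({f['confidence']}, H={f['entropy']}) {f['value']}")
```

Low-entropy generic hits such as `changeme123` are still worth a look: a hardcoded default password is a finding even when it is not random. Extend `PATTERNS` with the formats of the services the app actually uses rather than trying to cover every vendor.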

5. Inter-Process Communication

Review exported Activities, Services, Content Providers, and Broadcast Receivers. Improperly exported components can be exploited by malicious apps on the same device to access sensitive functionality or data without authorization.
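An added example covering the manifest checks from sections 1 (`android:allowBackup`) and 5 (exported components); it is not code from this article or from ElevenDown. It parses the `AndroidManifest.xml` that apktool decodes and reports backups left enabled, `android:debuggable`, app-wide cleartext, and every activity, service, receiver or provider that other apps can reach without holding a permission. Components are treated as implicitly exported when they declare an intent-filter without `android:exported` (the pre-targetSdk-31 default; targetSdk 31 and later refuse to install such a manifest) and providers as exported by default (the pre-API-17 behaviour). Both manifests are constructed samples and the function names are this example's own.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
COMPONENTS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed sample manifest (not from any real app): backups on, debuggable,
# and components reachable by any app on the device.
WEAK_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.bank">
  <application android:allowBackup="true" android:debuggable="true">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".TransferActivity" android:exported="true"/>
    <service android:name=".SyncService" android:exported="true" android:permission="com.example.bank.permission.SYNC"/>
    <provider android:name=".AccountProvider" android:exported="true" android:authorities="com.example.bank.accounts"/>
    <receiver android:name=".OtpReceiver">
      <intent-filter><action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Same app with backups off, debugging off, and each component either private
# or gated behind a permission (BROADCAST_SMS limits the receiver to the system).
HARDENED_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.bank">
  <application android:allowBackup="false">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".TransferActivity" android:exported="false"/>
    <service android:name=".SyncService" android:exported="true" android:permission="com.example.bank.permission.SYNC"/>
    <provider android:name=".AccountProvider" android:exported="false" android:authorities="com.example.bank.accounts"/>
    <receiver android:name=".OtpReceiver" android:exported="true" android:permission="android.permission.BROADCAST_SMS">
      <intent-filter><action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter>
    </receiver>
  </application>
</manifest>
"""


def _attr(el, name):
    return el.get(ANDROID + name)


def _is_launcher(el):
    return any(_attr(c, "name") == "android.intent.category.LAUNCHER"
               for c in el.iter("category"))


def audit_manifest(xml_text):
    """Return a list of findings for a decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text.strip())
    app = root.find("application")
    findings = []
    if app is None:
        return findings
    if _attr(app, "allowBackup") != "false":
        findings.append("allowBackup is not false (default true): app data is included "
                        "in device backups unless backup rules exclude it")
    if _attr(app, "debuggable") == "true":
        findings.append("debuggable=true: a debugger can attach to the process")
    if _attr(app, "usesCleartextTraffic") == "true":
        findings.append("usesCleartextTraffic=true: plain HTTP allowed app-wide")
    for el in app:
        if el.tag not in COMPONENTS:
            continue
        exported = _attr(el, "exported")
        has_filter = el.find("intent-filter") is not None
        if exported == "true":
            how = "explicitly exported"
        elif exported is None and (has_filter or el.tag == "provider"):
            how = "implicitly exported"  # intent-filter default pre-targetSdk 31; providers pre-API 17
        else:
            continue
        if _is_launcher(el):
            continue  # the launcher activity has to be exported
        if any(_attr(el, g) for g in ("permission", "readPermission", "writePermission")):
            continue  # only apps holding the permission can reach it
        findings.append(f"{el.tag} {_attr(el, 'name')} is {how} and not protected by a permission")
    return findings


if __name__ == "__main__":
    for label, manifest in (("weak", WEAK_MANIFEST), ("hardened", HARDENED_MANIFEST)):
        print(f"[{label}]")
        for f in audit_manifest(manifest) or ["no findings"]:
            print("  -", f)
```

A permission attribute is only as strong as its `protectionLevel`: a custom permission declared as `normal` is granted to any app that requests it, so follow each flagged-then-dismissed component back to its `<permission>` declaration before closing the item.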

6. WebView Security

If the app uses WebView, test for JavaScript injection, insecure WebView settings (setJavaScriptEnabled, addJavascriptInterface), file access vulnerabilities, and URL scheme hijacking.
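An added example (not code from this article or from ElevenDown) that turns the WebView checks above into a small linter over decompiled Activity source. Rather than flagging single calls, it records which properties a WebView setup has (JavaScript on, a `addJavascriptInterface` bridge, file access, URL taken from the Intent, `onReceivedSslError` overridden to `proceed()`) and reports the combinations that create a risk, with a weak and a corrected version of the same screen as constructed samples. The absence of a call does not prove a safe default on older targets (`setAllowFileAccess` defaulted to true before API 30), which is why the hardened sample sets each option explicitly.

```python
import re

# Constructed sample of a decompiled Activity (not from any real app).
WEAK_ACTIVITY = """
public class HelpActivity extends Activity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView wv = findViewById(R.id.web);
        WebSettings s = wv.getSettings();
        s.setJavaScriptEnabled(true);
        s.setAllowFileAccess(true);
        s.setAllowUniversalAccessFromFileURLs(true);
        wv.addJavascriptInterface(new NativeBridge(this), "Android");
        wv.setWebViewClient(new WebViewClient() {
            @Override
            public void onReceivedSslError(WebView v, SslErrorHandler h, SslError e) {
                h.proceed();
            }
        });
        wv.loadUrl(getIntent().getStringExtra("url"));
    }
}
"""

# The same screen with a fixed origin, no bridge, no file access and default TLS handling.
HARDENED_ACTIVITY = """
public class HelpActivity extends Activity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView wv = findViewById(R.id.web);
        WebSettings s = wv.getSettings();
        s.setJavaScriptEnabled(true);
        s.setAllowFileAccess(false);
        s.setAllowContentAccess(false);
        s.setAllowUniversalAccessFromFileURLs(false);
        wv.setWebViewClient(new WebViewClient());
        wv.loadUrl("https://help.example.com/");
    }
}
"""

# Each pattern records one property of the WebView setup; findings come from
# combinations, because none of these calls is a problem in isolation.
PROPERTIES = {
    "js_enabled": re.compile(r"setJavaScriptEnabled\(\s*true\s*\)"),
    "js_bridge": re.compile(r"addJavascriptInterface\("),
    "file_access": re.compile(r"setAllowFileAccess\(\s*true\s*\)"),
    "file_url_access": re.compile(r"setAllow(?:Universal|File)AccessFromFileURLs\(\s*true\s*\)"),
    "ssl_errors_ignored": re.compile(r"onReceivedSslError\s*\([^)]*\)[^}]*\.proceed\(\)"),
    "dynamic_url": re.compile(r'loadUrl\(\s*[^\s")]'),  # argument is not a string literal
    "intent_input": re.compile(r"getIntent\(\)"),
    "remote_debugging": re.compile(r"setWebContentsDebuggingEnabled\(\s*true\s*\)"),
}


def audit_webview(source):
    """Return findings for one source file that configures a WebView."""
    props = {name for name, rx in PROPERTIES.items() if rx.search(source)}
    findings = []
    if {"js_enabled", "js_bridge"} <= props:
        findings.append("JavaScript bridge: every page this WebView loads can call the "
                        "@JavascriptInterface methods of the injected object")
    if {"js_enabled", "file_url_access"} <= props:
        findings.append("file URL access with JavaScript: a loaded file:// page may read other local files")
    if {"dynamic_url", "intent_input"} <= props:
        findings.append("loadUrl() argument comes from the Intent: if the activity is exported, "
                        "other apps decide what this WebView loads")
    if {"dynamic_url", "file_access"} <= props:
        findings.append("file access enabled while the URL is not fixed: file:// paths inside "
                        "the app sandbox are loadable")
    if "ssl_errors_ignored" in props:
        findings.append("onReceivedSslError() calls proceed(): TLS certificate errors are ignored")
    if "remote_debugging" in props:
        findings.append("setWebContentsDebuggingEnabled(true): page contents inspectable over adb")
    return findings


if __name__ == "__main__":
    for label, src in (("weak", WEAK_ACTIVITY), ("hardened", HARDENED_ACTIVITY)):
        print(f"[{label}]")
        for f in audit_webview(src) or ["no findings"]:
            print("  -", f)
```

The Intent-derived URL finding is only as serious as the manifest says: cross-check it against whether `HelpActivity` is exported, since an unexported activity still loads only what the app itself hands it.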
