
Delve into a comprehensive checklist, your ultimate companion for Android app penetration testing. Identify vulnerabilities in network, data, storage, and permissions effortlessly. Boost security skills with essential tools and user-friendly guides. Elevate Android security seamlessly!


Android App Pentesting Checklist

Welcome to the "Android App Penetration Testing Checklist" Repository!

Explore the ultimate companion for Android app penetration testing, meticulously crafted to identify vulnerabilities in network, data, storage, and permissions effortlessly. This repository merges a comprehensive checklist of tasks and cutting-edge techniques, providing security professionals with a robust framework for a thorough security assessment of Android applications.

The checklist covers a range of topics, including:

Static analysis: reviewing the app's source code and resources for potential vulnerabilities

Dynamic analysis: analyzing the app's behavior and interactions with the device and network during runtime

Network analysis: analyzing the app's communication with servers and other external resources over the network

Permission analysis: reviewing the app's requested permissions and assessing whether they are appropriate and secure

Cryptographic analysis: reviewing the app's use of cryptography and ensuring that it is implemented securely

Data storage analysis: analyzing the app's handling of sensitive data, including how it is stored and transmitted

This checklist is intended as a starting point for penetration testers and bug bounty hunters to identify common security issues in Android applications. It is not a comprehensive guide to all possible security issues and should be used in conjunction with other resources and best practices.

Android Applications Penetration Testing Checklist (v1-beta)

C01 SSL Pinning (Discovered / Undiscovered)
An SSL pinning vulnerability in an Android app occurs when the app does not properly verify the server's SSL certificate or public key during the SSL/TLS handshake, allowing a man-in-the-middle attacker to intercept and decrypt the app's communication.
1. Missing SSL pinning
2. Check whether the pinning can be bypassed using Frida/Objection
3. Check whether code manipulation is possible
C02 Root Detection (Discovered / Undiscovered)
A root detection vulnerability in an Android app occurs when the app does not properly detect and block rooted devices, allowing users to potentially gain unauthorized access to the app's data or functionality.
1. Missing root detection
2. Check whether it can be bypassed using Frida/Objection
3. Check whether the internal logic flow can be modified
C03 Emulator Detection (Discovered / Undiscovered)
An emulator detection vulnerability in an Android app occurs when the app does not properly detect and block emulators, allowing users to potentially bypass security controls or access unauthorized functionality.
1. Missing emulator detection
2. Check whether it can be bypassed using Frida
C04 Sensitive data in ADB Logcat Logs (Discovered / Undiscovered)
A sensitive data in Logcat vulnerability in an Android app occurs when the app writes sensitive data, such as passwords or personal information, to the system log, which can be read with Android Debug Bridge (ADB), potentially exposing the data to attackers or unauthorized users.
1. Check Logcat logs for sensitive information/data
2. Check whether it can be bypassed using Frida/Objection
3. Check for any unencrypted request/data in Logcat logs
C05 Sensitive data/info stored in Local Storage (Discovered / Undiscovered)
A sensitive data in local storage vulnerability in an Android app occurs when the app stores sensitive data, such as passwords or personal information, in unencrypted or unsecured local storage on the device, potentially exposing the data to attackers or unauthorized users.
1. Check whether sensitive information/data is stored in Shared Preferences
2. Check whether any information/data is stored in temporary files
3. Check whether sensitive information/data stored in the local storage database is protected with strong encryption
4. Check whether any information/data is stored in any other files
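As an added example for checks C04 and C05 (this is not code from the checklist repository), a small Python scanner that runs over a pulled logcat excerpt and a SharedPreferences XML file and flags cleartext http URLs, bearer tokens and JWTs, key=value credentials, Luhn-valid card numbers and credential-looking preference keys. The log lines and the preference file are constructed for the demo; adapt KEY_WORDS and PATTERNS to the app under test.

```python
"""Scan logcat output (C04) and a pulled SharedPreferences XML file (C05)
for secrets that should never sit in the clear. Samples are constructed."""
import re
import xml.etree.ElementTree as ET

# Key names that usually hold credentials, shared by both scanners.
KEY_WORDS = r"pass(?:word|wd)?|pin|otp|token|secret|api[_-]?key|session|auth"
SENSITIVE_KEY = re.compile(KEY_WORDS, re.I)
PATTERNS = {
    "cleartext http URL": re.compile(r"\bhttp://[^\s\"']+"),
    "bearer token": re.compile(r"Bearer\s+[A-Za-z0-9._-]{16,}"),
    "JWT": re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+"),
    "key=value secret": re.compile(r"\b(?:%s)\s*[=:]\s*\S+" % KEY_WORDS, re.I),
    "payment card number": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
}


def luhn_ok(candidate):
    """Luhn check so that timestamps and PIDs are not reported as card numbers."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan_logcat(lines):
    """Return (line_no, label, matched_text) for every hit in the log lines."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        for label, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                if label == "payment card number" and not luhn_ok(match.group(0)):
                    continue
                findings.append((line_no, label, match.group(0)))
    return findings


def scan_shared_prefs(xml_text):
    """Return (key, value) pairs whose key name suggests a credential."""
    hits = []
    for entry in ET.fromstring(xml_text):
        key = entry.get("name", "")
        if SENSITIVE_KEY.search(key):
            value = entry.text if entry.tag == "string" else entry.get("value")
            hits.append((key, value))
    return hits


# Constructed logcat excerpt from a fictional banking app.
LOGCAT = """\
03-11 10:02:11.101  4321  4321 D LoginActivity: login attempt user=alice password=Sup3rSecret!
03-11 10:02:11.240  4321  4340 I OkHttp: --> POST http://api.example.test/v1/login
03-11 10:02:11.512  4321  4340 I OkHttp: Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2lnbmF0dXJl
03-11 10:02:12.003  4321  4321 D Wallet: card added 4111 1111 1111 1111
03-11 10:02:12.020  4321  4321 V Lifecycle: onResume DashboardActivity
"""

# Constructed /data/data/<pkg>/shared_prefs/session.xml as pulled with adb.
SHARED_PREFS = """<map>
    <string name="username">alice</string>
    <string name="password">Sup3rSecret!</string>
    <string name="auth_token">eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2lnbmF0dXJl</string>
    <boolean name="biometrics_enabled" value="true" />
    <int name="launch_count" value="7" />
</map>"""

if __name__ == "__main__":
    for hit in scan_logcat(LOGCAT.splitlines()):
        print("logcat line %d: %s -> %s" % hit)
    for key, value in scan_shared_prefs(SHARED_PREFS):
        print("shared_prefs: %s = %s" % (key, value))
```

On a real device, feed it `adb logcat -d` output and the files pulled from the app's shared_prefs directory (root or a debuggable build is needed for the latter).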
C06 Sensitive data/info in Application Memory (Discovered / Undiscovered)
A sensitive data in application memory vulnerability in an Android app occurs when the app holds sensitive data, such as passwords or personal information, in memory in an unencrypted or unsecured manner, potentially exposing the data to attackers or unauthorized users who have access to the device's memory.
1. Check whether any sensitive information/data is temporarily held in application memory (use fridump.py: https://github.com/Nightbringer21/fridump/blob/master/fridump.py)
C07 Weak Signer Certificate (Discovered / Undiscovered)
A weak signer certificate vulnerability in an Android app occurs when the app is signed with a weak or compromised certificate, potentially allowing attackers to modify the app or gain unauthorized access to the app's functionality.
1. Check whether the app is signed with a weak algorithm such as "SHA1withRSA"
2. Check for the Janus vulnerability
3. Check whether the application is signed with a debug certificate
C08 Vulnerable Android Activities (Discovered / Undiscovered)
Android activities are components of an Android app that represent a screen or part of the app's user interface. A vulnerable Android activity is one that contains weaknesses, such as insecure coding practices or the use of third-party libraries with known vulnerabilities, that could be exploited by attackers to gain unauthorized access to the app's data or functionality.
1. Check for protected activities that can be reached directly from ADB, bypassing the authentication activity (authentication bypass). Example: an application has a login screen and launches a second activity only after a successful login, so every user has to authenticate first. If that second activity is exported, it can be launched directly from ADB, bypassing the login.
2. Check whether exported activities are set to false where they need not be reachable, and check whether any activity can be launched by other applications
3. Check whether any of the application's activities can be hijacked through ADB or other tools
4. Check whether any of the application's activities cause a denial of service or an app crash
C09 WebView (Discovered / Undiscovered)
Android WebView is a component of an Android app that allows the app to display web content within the app's user interface. It can contain vulnerabilities, such as insecure coding practices, improper validation, etc.
1. Check for cross-site scripting vulnerabilities in activity WebViews
2. Check for Local File Inclusion (LFI) vulnerabilities in activity WebViews
3. Check whether JavaScript is insecurely enabled for the WebView
C10 Intent Filters (Discovered / Undiscovered)
Intent redirection involves an embedded intent, which can be an implicit or explicit Intent used to move from one Android component to another. The vulnerability occurs when the developer does not filter the intent data before acting on it. It is similar to an open redirect in web security.
1. Check for intent spoofing or intent sniffing vulnerabilities (these can occur when the developer does not filter the intent data before acting on it)
C11 Broadcast Receivers (Discovered / Undiscovered)
An Android Broadcast Receiver is a component of an Android app that allows the app to receive and respond to system-wide broadcasts, such as the receipt of a text message or the disconnection of a charger. A misconfigured receiver can be exploited.
1. Check the manifest file for each receiver tag: if the exported attribute is true and no permission is set, it can be exploited.
C12 Content Provider (Discovered / Undiscovered)
Content providers in Android are used to share data between applications. They use standard insert, update, delete, and query methods to access data and are assigned a special URI starting with "content://". If proper security controls are not implemented, they can lead to information leakage. An example of a content provider is the built-in SMS application, which can be accessed by other apps using a specific URI and the READ_SMS permission. There may be cases where content providers are not implemented for sharing data or where access is restricted to apps with proper permissions.
1. If security controls are not properly implemented, content providers can lead to SQL injection.
2. If security controls are not properly implemented, content providers can lead to path traversal.
3. If security controls are not properly implemented in content providers, they may expose internal data.
C13 Source Code Obfuscation (Discovered / Undiscovered)
Source code obfuscation in Android is the process of making the source code of an Android app difficult to understand or reverse engineer, typically to protect intellectual property or prevent unauthorized modifications.
1. Check whether code obfuscation (ProGuard) is implemented
2. If code obfuscation is implemented only partially, check that the main sensitive code is properly obfuscated
C14 Sensitive Information/Auth-Keys Hardcoded (Discovered / Undiscovered)
A hardcoded information vulnerability is the practice of storing sensitive data, such as passwords or security keys, directly in the source code of an application, potentially exposing the data to attackers or unauthorized users who have access to the source code.
1. Check the source code for any hardcoded API keys/tokens, auth keys, passwords, credentials, etc. (this task can be automated with tools like MobSF)
C15 Insecure Coding Practice (Discovered / Undiscovered)
Insecure coding practice refers to the use of coding techniques or practices that do not adequately protect an application or system from security vulnerabilities or threats, such as using weak passwords or failing to properly validate user input. Insecure coding practices can make an application or system more susceptible to attacks or data breaches. To prevent insecure coding practices, developers should follow best practices for secure coding and regularly review and test their code for vulnerabilities.
1. Check for use of insecure random number generator functions (e.g. generating guessable OTPs)
2. Check for use of insecure functions or insecure function/object calls
3. Check for use of weak cryptography or easily reversible "encryption" (like MD5 hashing or Base64 encoding)
4. Check for any other insecure coding weakness
C16 Insecure Deeplinks (Discovered / Undiscovered)
Insecure deeplinks in Android can allow attackers to access sensitive data or functionality within an app. Developers can prevent this by validating and securing deeplinks and implementing appropriate security controls.
1. Check for any explicit deeplink that uses a PendingIntent to reach a specific location within the application
2. Check for any implicit deeplink that refers to a specific destination in the app when the deeplink is invoked
C17 Missing Integrity Checks (Discovered / Undiscovered)
Integrity checks in Android refer to the process of verifying the authenticity or integrity of an app's code, to ensure that it has not been tampered with or modified by an unauthorized party. This can help protect against attacks that aim to inject malicious code or modify the app's functionality, such as man-in-the-middle attacks or repackaging attacks.
1. Decompile the application, modify its code, recompile and re-sign it, and check whether it still functions properly.
C18 Insecure Android Permissions (Discovered / Undiscovered)
Android applications declare a number of permissions and flags in the "AndroidManifest.xml" file. If these are not properly restricted or validated, they can be exploited.
1. Check whether the clear-text traffic option is enabled in the "AndroidManifest.xml" file
2. Check whether the debug mode option is enabled in the "AndroidManifest.xml" file
3. Check whether the backup mode option is enabled in the "AndroidManifest.xml" file
4. Check for any other unnecessary permissions in the "AndroidManifest.xml" file
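As an added example covering checks C08, C11, C12 and C18 together (this is not code from the checklist repository), a Python script that reads a decoded AndroidManifest.xml, reports the debuggable, allowBackup and usesCleartextTraffic flags, and lists every activity, service, receiver or provider that is exported without a guarding permission. The manifest at the bottom is constructed for the demo; the launcher activity is skipped on purpose since it must be exported.

```python
"""Audit an AndroidManifest.xml for checklist items C08, C11, C12 and C18."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
MAIN_ACTION = "android.intent.action.MAIN"


def attr(name):
    """Namespaced key for an android:<name> attribute."""
    return "{%s}%s" % (ANDROID_NS, name)


def is_launcher(component):
    """An activity with a MAIN action is meant to be exported; skip it."""
    return any(action.get(attr("name")) == MAIN_ACTION
               for f in component.findall("intent-filter")
               for action in f.findall("action"))


def effective_exported(component, tag):
    """Explicit android:exported wins. Without it, activities, services and
    receivers are exported exactly when they declare an intent-filter.
    Providers default to exported below targetSdkVersion 17, which the
    manifest alone does not reveal, so None means 'unknown, flag it'."""
    value = component.get(attr("exported"))
    if value is not None:
        return value.lower() == "true"
    if tag == "provider":
        return None
    return component.find("intent-filter") is not None


def audit_manifest(xml_text):
    """Return a list of human-readable findings for the manifest text."""
    app = ET.fromstring(xml_text).find("application")
    findings = []
    if app is None:
        return findings
    # C18: application-wide flags; the second value is the platform default
    for flag, default, note in (("debuggable", "false", "is true"),
                                ("allowBackup", "true", "is not disabled"),
                                ("usesCleartextTraffic", "false", "is true")):
        if app.get(attr(flag), default).lower() == "true":
            findings.append("C18: android:%s %s" % (flag, note))
    # C08/C11/C12: components other apps can reach without holding a permission
    for tag, check in (("activity", "C08"), ("service", "C08"),
                       ("receiver", "C11"), ("provider", "C12")):
        for comp in app.findall(tag):
            name = comp.get(attr("name"))
            if tag == "activity" and is_launcher(comp):
                continue
            exported = effective_exported(comp, tag)
            if exported is None:
                findings.append("%s: provider %s has no explicit android:exported"
                                " (exported by default below targetSdkVersion 17)"
                                % (check, name))
            elif exported and not any(comp.get(attr(k)) for k in
                                      ("permission", "readPermission",
                                       "writePermission")):
                findings.append("%s: exported %s %s has no permission"
                                % (check, tag, name))
    return findings


# Constructed sample: a deliberately weak manifest used only for this demo.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application android:debuggable="true" android:usesCleartextTraffic="true">
    <activity android:name=".LoginActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <activity android:name=".DashboardActivity" android:exported="true"/>
    <activity android:name=".SettingsActivity" android:exported="false"/>
    <receiver android:name=".SmsReceiver" android:exported="true"/>
    <receiver android:name=".SecureReceiver" android:exported="true"
              android:permission="com.example.bank.permission.INTERNAL"/>
    <provider android:name=".DataProvider" android:exported="true"
              android:authorities="com.example.bank.data"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print("\n".join(audit_manifest(SAMPLE_MANIFEST)))
```

Run it against the AndroidManifest.xml that apktool decodes from the APK; a binary manifest straight out of the APK must be decoded first.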
C19 Background Screen Caching (Discovered / Undiscovered)
Screen caching is a mobile vulnerability caused by a performance/usability feature present in mobile operating systems.
1. Check whether screenshots are taken when the application is sent to the background
C20 Insecure Firebase Database (Discovered / Undiscovered)
Firebase Database is a cloud-based real-time database service that allows developers to store and sync data across multiple devices and platforms.
1. Append ".json" to the end of the Firebase instance URL to see whether "read" permission is enabled
2. Also try replacing "firebaseio.com" with "appspot.com", with "/.json" appended at the end; this may allow access to the appspot instance. (Check for CORS in Firebase)
C21 Android Lock/Biometric Authentication Bypass (Discovered / Undiscovered)
Some applications use the Android Screen Lock/Biometric Authentication to validate the user before providing a specific service or before launching the application's main interface.
1. If the application uses Android Lock/Biometric Authentication, check whether it can be bypassed at runtime by hooking or by code-level modification
C22 Key-Checks in Dynamic Analysis (Discovered / Undiscovered)
1. Check all test cases that are applicable to the API (use a comprehensive API checklist)
2. Check for broken access control and authentication (mainly on the server side)
3. Check for server-side injections and security misconfigurations
4. Check for sensitive data exposure
5. Fuzzing
C- Some Other Checks (Discovered / Undiscovered)
N/A
1. Check that the application does not reuse the same cryptographic key for multiple purposes
2. Check whether any sensitive data or information is exposed through the user interface or leaks into screenshots
3. Check whether the keyboard cache is disabled for the application
4. Check that the application does not allow users to copy/paste secret data (like passwords, credit card info, etc.)
5. Check whether sensitive data is masked when switching apps
6. Check that third-party keyboard applications are disabled for sensitive fields

NB: This list does not follow the OWASP vulnerability indexing order.

Important Tools

Tools Installation/Setup

Prerequisites

Hardware requirements

  • Windows/Linux (preferably Kali Linux)
  • USB cable
  • An Android device with the bootloader unlocked
    • How to unlock the bootloader? (Link)
  • A pen-drive and OTG cable, or an SD card

Software/Tools prerequisites

Before you start testing Android apps, make sure to install the necessary tools on both your computer (Linux/Windows) and the Android device itself.

1. Java (JDK) (Link)
  • Download Java JDK version 17 or later for your system (Download Link)
  • Install the JDK on your system
2. Python/Python3 (Link)

Python3 installation for Debian- or Ubuntu-based Linux distributions:

sudo apt-get update
sudo apt-get -y install python3 python3-pip

Python installation for Windows:

  • Download the Windows installer of Python from the official website (Link)
  • Double click the installer
  • Check the 'Add python.exe to PATH' checkbox
  • Click on 'Customize installation'
  • Check the 'pip' checkbox
  • Check the 'Python test suite' checkbox
  • Check the 'py launcher' checkbox
  • Check the 'for all users (requires admin privileges)' checkbox
  • Click Next to install Python
3. Genymotion (Link)
  • Create a free account on the Genymotion website
  • Follow the official instructions to install Genymotion on Linux (Instruction)
  • Follow the official instructions to install Genymotion on Windows (Instruction)
4. Docker (Link)

Docker installation for Debian- or Ubuntu-based Linux distributions:

sudo apt-get update
sudo apt-get -y install docker.io
# starting the service needs root as well
sudo systemctl start docker

NB: If you are using a Linux distribution that is not Debian- or Ubuntu-based, read these instructions to install Docker for your operating system.

Docker installation for Windows:

  • Download Docker Desktop (Link)
  • Double click to install
5. Android Debug Bridge (adb) (Link)

adb installation for Debian- or Ubuntu-based Linux distributions:

sudo apt install adb
wget -c https://dl.google.com/android/repository/platform-tools-latest-linux.zip
unzip platform-tools-latest-linux.zip
cd platform-tools

Give executable permission:

chmod +x ./adb
chmod +x ./fastboot

Check that adb works:

./adb version

adb installation for Windows:

  • Download adb-setup.zip
  • Extract the downloaded zip
  • Double click adb-setup-1.4.3.exe
  • In the CMD window, answer Y to all options
  • Install the Google USB driver (the driver installer runs automatically once the fastboot setup is complete)
6. Magisk (Link)

Pre-requirement:

  • An Android device with the bootloader unlocked
  • USB cable
  • A pen-drive and OTG cable, or an SD card

Magisk installation for unlocked bootloader devices:

  • Install a custom recovery
    We need to install a custom recovery before installing Magisk

    • Download a custom recovery for your Android device, such as TWRP / OrangeFox / PitchBlack, to your desktop.

    • Rename the downloaded recovery (.img) file to "recovery.img" (without quotes)

    • Enable USB debugging on your Android device

    • Run this command to check whether your device is connected with proper access

      adb devices

      Allow the USB debugging authorization prompt on the Android device

      The output will list your device's serial number followed by the state "device".
      N.B: If the state shown next to your device serial is "unauthorized", follow the steps below. Allow USB debugging authorization on your Android device when prompted, and check the "Always allow from this computer" checkbox. Select 'File Transfer' as the USB mode.

      adb kill-server
      adb start-server
      adb devices
    • Run this command to reboot into fastboot mode

      adb reboot bootloader
    • Run this command to check whether your device is properly connected in fastboot mode

      fastboot devices
    • Flash the recovery image

      fastboot flash recovery recovery.img
    • Boot into the recovery from fastboot:

      fastboot boot recovery.img
  • Install Magisk

    • Download the Magisk APK, version 24 or later, to your desktop (Link)
    • Copy the APK file to your pen-drive or SD card
    • Connect the pen-drive or insert the SD card
    • Reboot into recovery once
    • Flash Magisk.apk from the recovery (e.g. TWRP)
    • Reboot your device
    • Open Magisk Manager from the app menu
    • Follow the on-screen instructions to complete the Magisk setup

Mobile Security Framework (MobSF)

Pre-requirement:

Assuming your Docker engine is up and running, let's continue with the MobSF installation.

Install MobSF:

docker pull opensecurity/mobile-security-framework-mobsf

Run MobSF:

docker run -it --rm --name mobsf -p 8000:8000 opensecurity/mobile-security-framework-mobsf

Congratulations, MobSF is installed and running. Navigate to localhost:8000 in your preferred web browser.

Drozer (on desktop)

Pre-requirement:

Assuming your Docker engine is up and running, let's continue with the Drozer installation on your desktop.

Install Drozer:

docker pull fsecurelabs/drozer

Run Drozer:

docker run -it --rm --name drozer fsecurelabs/drozer

Congratulations, Drozer is installed on your desktop. Now we need to install the Drozer Agent APK (agent-debug.apk) on the Android device.

APKLeaks

Pre-requirement:

Assuming your Docker engine is up and running, let's continue with the APKLeaks installation.

Install APKLeaks:

docker pull dwisiswant0/apkleaks:latest

Run APKLeaks:

docker run -it --rm -v /tmp:/tmp dwisiswant0/apkleaks:latest -f /tmp/file.apk

Apktool

Pre-requirement:

Assuming you have installed the Java JDK, let's continue with the Apktool installation on your desktop.

Install Apktool (Linux):

# Download the apktool wrapper script
wget https://raw.githubusercontent.com/iBotPeaches/Apktool/master/scripts/linux/apktool -O apktool
# Give executable permission to the wrapper script and install it (needs root)
chmod +x apktool && sudo cp apktool /usr/local/bin/apktool
  • Check the latest release of apktool on their Bitbucket repository (Link)
# Download the latest apktool jar (2.9.1 at the time of writing)
wget https://bitbucket.org/iBotPeaches/apktool/downloads/apktool_2.9.1.jar -O apktool.jar
# Give executable permission to the jar and install it next to the wrapper script
chmod +x apktool.jar && sudo cp apktool.jar /usr/local/bin/apktool.jar

Install Apktool (Windows):

  • Open the link in your browser, right-click and save the file as 'apktool.bat' (Link)
  • Download the latest version of apktool (Link)
  • Move both apktool.jar and apktool.bat to your Windows directory (usually C:\Windows)

Run Apktool:

apktool

APKToolGUI

Pre-requirement:

Assuming you have installed the Java JDK, let's continue with the APKToolGUI installation on your desktop.

Install APKToolGUI (Windows):

  • Download the latest release of APKToolGUI from the APKToolGUI GitHub repository (Link)
  • Extract the zip file and rename the extracted folder to APKToolGUI

Run APKToolGUI (Windows):

  • Double click APKToolGUI.exe inside the extracted APKToolGUI folder

N.B: Please note that APKToolGUI is currently only available for Windows OS.

JADX

Pre-requirement:

Assuming you have installed the Java JDK, let's continue with the JADX installation on your desktop.

Install JADX (Linux):

  • Download the latest release of JADX from the JADX GitHub repository (Link)
  • Extract the zip file and rename the extracted folder to JADX
cd ./JADX/bin
# Give executable permission to the jadx and jadx-gui scripts
chmod +x jadx jadx-gui

Run JADX (Linux):

# run jadx cli
./jadx
# run jadx gui
./jadx-gui

Install JADX (Windows):

  • Download the latest release of JADX from the JADX GitHub repository (Link)
  • Extract the zip file and rename the extracted folder to JADX

Run JADX (Windows):

  • Navigate to the bin folder inside the JADX folder
  • Double click jadx.bat to run the jadx CLI
  • Double click jadx-gui.bat to run the jadx GUI

Objection

Pre-requirement:

Assuming Python/Python3 is installed, let's continue with the Objection installation on your desktop.

Install Objection (Linux):

pip3 install objection

Install Objection (Windows):

pip install objection

Burp Suite

Pre-requirement:

Assuming you have installed the Java JDK, let's continue with the Burp Suite installation on your desktop.

  • Go to the Burp Suite official website, pick either Burp Suite Professional or Burp Suite Community, and download the JAR file (Link)

Run Burp Suite:

java "--add-opens=java.desktop/javax.swing=ALL-UNNAMED" "--add-opens=java.base/java.lang=ALL-UNNAMED" "--add-opens=java.base/jdk.internal.org.objectweb.asm=ALL-UNNAMED" "--add-opens=java.base/jdk.internal.org.objectweb.asm.tree=ALL-UNNAMED" "--add-opens=java.base/jdk.internal.org.objectweb.asm.Opcodes=ALL-UNNAMED" "-noverify" "-jar" .\burpsuite.jar

Postman

  • Go to the Postman official website and download the tar.gz file for Linux or the exe for Windows (Link)

Install Postman (Linux):

# Install dependencies
sudo apt-get -y install libgconf-2-4 openssl
# Extract the archive
tar zxf /path/to/downloaded/archive/Postman-linux-xXX-X.XX.X.tar.gz
# Move Postman to the apps directory (created if it does not exist yet)
sudo mkdir -p /opt/apps && sudo mv Postman /opt/apps/
# Create a shortcut on PATH
sudo ln -s /opt/apps/Postman/Postman /usr/local/bin/postman

Run Postman (Linux):

postman

Install & Run Postman (Windows):

  • Double click the downloaded installer

Radare2

Install Radare2 (Linux):

sudo apt-get -y install radare2

Install Radare2 (Windows):

  • Download radare2-x.x.x-wxx.zip from the official releases (Link)
  • Extract the zip to your preferred location

Run Radare2 (Linux):

radare2 -h

Run Radare2 (Windows):

.\radare2\bin\r2.bat

DB Browser for SQLite

Install DB Browser on Debian-based Linux distros:

sudo apt-get install sqlitebrowser

Install DB Browser on Ubuntu and Ubuntu-based Linux distros:

# Add PPA to repo list
sudo add-apt-repository -y ppa:linuxgndu/sqlitebrowser
# Update the repo list
sudo apt-get update
# Install sqlitebrowser
sudo apt-get install sqlitebrowser

Install DB Browser on Windows:

  • Download the Windows installer (Link)
  • Double click the installer and install DB Browser

Run DB Browser (Linux):

sqlitebrowser

Frida Tools

Pre-requirement:

Assuming Python/Python3 is installed, let's continue with the Frida Tools installation on your desktop.

Install Frida Tools (Linux):

pip3 install frida
pip3 install frida-tools

Install Frida Tools (Windows):

pip install frida
pip install frida-tools

Frida Server (Magisk-Frida)

Pre-requirement:

Assuming Magisk is installed on your Android device, let's continue with the Frida Server installation.

  • Download the latest MagiskFrida zip (Link)

  • Place the zip on your Android device

  • Open the Magisk Manager app, go to the Modules section and click 'Install from storage'

  • Select the downloaded zip

  • Reboot the device

Always Trust User Certs & Burp-cert Magisk Modules

Pre-requirement:

Assuming Magisk is installed on your Android device, let's continue with the installation of the Always Trust User Certs and Burp-cert Magisk modules.

  • Download the Always Trust User Certs Magisk module zip (Link)

  • Download the Burp-cert Magisk module zip (Link)

  • Place the zips on your Android device

  • Open the Magisk Manager app, go to the Modules section and click 'Install from storage'

  • Select the downloaded zips one by one

  • Reboot the device

Fridump

Pre-requirement:

Assuming Python/Python3 and Frida are installed on your desktop and Frida Server is installed on your Android device, let's continue with the Fridump installation.

Install Fridump (Linux):

git clone https://github.com/Nightbringer21/fridump.git

Run Fridump (Linux):

  • Open a terminal and navigate to the fridump folder
python3 fridump.py -h

Install Fridump (Windows):

  • Download the Fridump zip (Link)
  • Rename fridump-master.zip to fridump.zip
  • Extract fridump.zip

Run Fridump (Windows):

  • Open PowerShell and navigate to the fridump folder
python fridump.py -h

Important Links

Intentionally Vulnerable Applications For Practice

  • Damn Insecure and Vulnerable App for Android (DIVA) (Link)
  • InsecureBankv2 (Link)
  • VyAPI (Link), hybrid (Cloud + Android)
  • Damn Vulnerable Hybrid Mobile App (DVHMA) (Link)
  • What a Terrible Failure (WaTF Bank) (Link)
  • Vuldroid (Link)
  • Oversecured Vulnerable Android App (OVAA) (Link), raw code (Gradle)


I tried my best to enrich this checklist. Please feel free to share your key findings and knowledge. Thank you🙏