Updated: Nov 16, 2021
Penetration testing an Android application covers two areas. The first is the application's network-facing operation, which is tested much like a web application: by capturing the outbound and inbound network traffic and targeting the APIs or web services used by the application. The second is the client application itself and how it operates on the device.
Android applications are either installed via the Google Play store, deployed via a Mobile Device Management (MDM) solution, or 'sideloaded' onto an Android device with software such as ADB (Android Debug Bridge). The applications themselves are binary packages containing all of the compiled code and assets necessary to run the application.
Android pen-testing methodology
One of the most overlooked aspects of Android applications is that it is possible to decompile the binary application package into readable or semi-readable source code. Doing so allows a potential attacker to examine how the application works at a base level and can reveal hardcoded secrets, sensitive information, or pave the way to be able to reverse engineer how a method or function works to identify potential security weaknesses.
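Because anything shipped in the package can be read back out, a development team can run the same kind of check on its own release build before publishing. The sketch below is an added example, not code from the original post: it scans every entry of an APK (a ZIP archive) for a few illustrative secret patterns. The rule set, the function names and the sample package contents are all assumptions constructed for the demonstration.

```python
import io
import re
import zipfile

# Illustrative rules (assumptions, not an exhaustive set): a well-known key
# prefix, a PEM private-key header, and a generic "name": "value" assignment.
RULES = {
    "aws_access_key_id": re.compile(rb"AKIA[0-9A-Z]{16}"),
    "pem_private_key": re.compile(rb"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "assigned_secret": re.compile(
        rb"(?i)(?:api[_-]?key|secret|password|token)\"?\s*[:=]\s*\"([^\"\s]{8,})\""),
}


def redact(value: bytes) -> str:
    """Keep only the first four characters so reports do not leak the secret."""
    return value[:4].decode("ascii", "replace") + "***"


def scan_apk(apk_bytes: bytes) -> list[tuple[str, str, str]]:
    """Return (entry, rule, redacted match) for every hit in the package."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for entry in sorted(apk.namelist()):
            data = apk.read(entry)
            for rule, pattern in RULES.items():
                for match in pattern.finditer(data):
                    # Use the captured value when the rule has one.
                    value = match.group(match.lastindex or 0)
                    findings.append((entry, rule, redact(value)))
    return findings


def build_sample_apk() -> bytes:
    """Constructed stand-in for a release APK; every value here is fake."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        # String constants survive compilation into classes.dex as plain bytes.
        apk.writestr("classes.dex", b"dex\n035\x00\x14AKIAEXAMPLEEXAMPLE00\x00")
        apk.writestr("assets/config.json", b'{"api_key": "constructed-value-1234"}')
        apk.writestr("res/raw/notes.txt", b"nothing sensitive here")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, rule, preview in scan_apk(build_sample_apk()):
        print(f"{entry}: {rule} ({preview})")
```

Byte-level matching like this does not see strings stored as UTF-16 in compiled resources, so treat a clean result as a minimum bar rather than proof that nothing sensitive ships in the package.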
Android pen-testing checklist
Embedded devices or IoT products are prime candidates for mobile application testing as any security weaknesses can impact a large range of consumers.
Corporate mobile applications that are used internally and deployed via an MDM solution should be tested regularly to ensure that any sensitive data cannot be compromised by malicious end-users, and public-facing applications available online or through the Google Play store should also be regularly tested.
The OWASP Mobile Security Testing Guide is an excellent resource for both red and blue teams, providing extensive information on the types of attacks available along with recommendations on how to best secure the application during development. Google also offer great guidance on insecure Android API functionality and recommend alternative methods of integrating features.