Android Penetration Testing -Part 1

A Beginner’s Step-by-Step Guide

part 1

🔹 Introduction

Android apps handle our personal and financial data every day. If an app isn’t secure, attackers can steal that data. Android penetration testing is the process of finding security flaws before hackers do.

This Part 1 guide is designed for absolute beginners. You’ll learn the basics step by step.

This work has been prepared in collaboration with Shaid Hussain, whose insights contributed significantly to the research of this article

🔹 1. Setting Up Your Lab

You’ll need:

• A rooted Android device (preferred) or Genymotion/Android Studio emulator.

Install these tools on your PC:

• ADB = Android Debug Bridge
• Apktool = unpack APKs
• Jadx = view source code
• MobSF = automated analysis
• Burp Suite = capture app traffic

🔹 2. Getting an APK

Ways to get an APK:

• Download from APKPure or APKMirror.
• Or pull from your device:

adb shell pm list packages 
adb shell pm path com.target.app 
adb pull /data/app/com.target.app/base.apk

🔹 3. Static Analysis (Look Inside the APK)

Decompile the APK:

apktool d app.apk
jadx-gui app.apk

Now you can explore AndroidManifest.xml and the source code.

🔍 Check for:

• android:allowBackup="true" → anyone can back up app data.
• android:debuggable="true" → debug mode enabled.
• Hardcoded API keys, tokens, or passwords:

grep -EHirn "api_key|token|password" ./decompiled_app/

🛠 Use Apkleaks for automatic secret discovery:

python apkleaks.py -f app.apk

🔹 4. Dynamic Analysis (Run & Observe the App)

Connect device:

adb devices
adb shell

Capture traffic with Burp Suite:

• Add Burp certificate to your device.
• Route traffic via Burp proxy.
• Look for HTTP requests or sensitive data being sent.

🔹 5. Quick Wins for Beginners

• Use MobSF: Upload APK → Get instant report.
• Look for hardcoded keys in source code.
• Check app permissions in AndroidManifest.xml.
• Test if sensitive data is stored on external storage (/sdcard/Android/data/).