← all writeups
Mobile

Android App Pentesting: From APK to Real Findings

Jan 16, 2026 · 8 min · by Abhishek Bhaskar (Abhi HackZ)

A mobile app ships its entire client to the attacker. Unlike a web front-end you can only observe, an APK sits on a device you fully control — decompile it, hook it, tamper with it, watch every request it makes. That inversion is the whole reason mobile testing is productive: the client is not a black box, it's evidence. This is the methodology I use to take an Android app from a downloaded APK to a report full of proven findings, framed around the OWASP Mobile Application Security Verification Standard (MASVS).

Setup and static teardown

Everything starts by pulling the app apart before it ever runs.

Dynamic analysis on a controlled device

Static tells you what could happen; dynamic proves what does. I run the app on a rooted device or emulator I control and instrument it.

The findings that recur

Across engagements the same high-value issues show up again and again:

Insecure data storage. The big one. Apps cache sensitive data — tokens, PII, full API responses, sometimes credentials — in shared preferences, SQLite databases, or files on external storage, frequently unencrypted. Anything on external storage or in a world-readable location is exposed to other apps and to anyone with device access. I always inventory exactly what the app writes to disk and in what form.

Weak or misused cryptography. Hardcoded keys (an encryption key baked into the APK protects nothing), deprecated algorithms, ECB mode, static IVs, and home-rolled crypto. The pattern is usually "crypto was used, but in a way that doesn't actually provide the guarantee they think."

Exported components and IPC. Exported activities that can be launched with crafted intents to bypass a login screen; content providers that leak data to other apps; broadcast receivers that act on unauthenticated intents. Each exported component is an interface an attacker's app can call directly.

Insufficient transport security. Cleartext traffic, accepting invalid certificates, or falling back to HTTP. Anything sensitive crossing the network unencrypted is interceptable on a hostile network.

Trusting the client. Business logic, price calculations, feature gating or "premium" checks enforced in the app rather than on the server. Because the attacker owns the client, any rule enforced only there is already broken — the same business-logic principle as on the web, sharpened by the fact that the client is fully attacker-controlled.

Mapping to MASVS

I structure the whole assessment against MASVS so findings map to a recognised standard rather than an ad-hoc list:

Each finding cites the MASVS control it violates, which makes the report actionable for developers and easy to re-test.

Fix guidance I give

The through-line: a mobile app hands the attacker the client, so the client cannot be trusted with anything that matters. Security has to live on the server; the app is just the most convenient window into it.

Shipping an Android or iOS app and want it assessed to MASVS with proven findings and fix guidance per issue? That's a service I offerget in touch.

Abhishek Bhaskar (Abhi HackZ)
Security Analyst & VAPT Engineer
Book a free 30-min security scoping call →