Android App Penetration Testing
Android-specific security assessment covering APK decompilation, exported component exploitation, runtime manipulation, and certificate pinning bypass. CREST-accredited. Fixed-price quotes from £4,000. Reports mapped to OWASP MASVS for QSA and audit acceptance.
Why automated scanners miss Android vulnerabilities.
Mobile SAST tools scan for known patterns. They cannot bypass root detection, hook runtime methods with Frida, or test whether your exported Activities validate Intent extras. That requires a human with a rooted device.
Why Android Apps Fail Security Testing
Findings from Precursor's Android assessments and industry research. These are the failure modes that automated scanners are architecturally incapable of detecting.
Cryptographic Weaknesses
Of Android apps use weak encryption modes, hardcoded keys, or custom cryptographic implementations that fail MASVS-CRYPTO requirements.
Assessment Duration
A standard Android app assessment completes in 3-5 testing days with the full technical report delivered within five business days.
OWASP MASVS Coverage
Every finding maps to one of the seven MASVS control categories: STORAGE, CRYPTO, AUTH, NETWORK, PLATFORM, CODE, and RESILIENCE.
Android Vulnerabilities Scanners Cannot Find.
Anonymised examples from recent Android application penetration testing engagements. These are the vulnerabilities that automated SAST tools are architecturally incapable of detecting.
Hardcoded AWS Keys in Production APK
JADX decompilation revealed hardcoded AWS access key ID and secret key in a BuildConfig constant. The credentials had S3 read/write permissions across three production buckets containing user-uploaded documents.
Root Detection Bypass via Magisk + Frida
The application used a custom root detection library that checked for common Magisk paths and su binaries. A single Frida script hooked the detection method and returned false, bypassing all checks in under 10 seconds.
Unencrypted SQLite Database with Session Tokens
User session tokens, email addresses, and hashed passwords were stored in an unencrypted SQLite database in the application sandbox. The data persisted after logout and was accessible on rooted devices via adb.
Exported Activity Accepts Arbitrary Intent Extras
An exported Activity accepted user-controlled Intent extras without validation. A malicious app on the same device could inject parameters that triggered privileged functionality including payment confirmation screens.
Certificate Pinning Not Implemented on Auth Endpoints
The application did not enforce certificate pinning on any API endpoint. An attacker on the same network could intercept all API traffic including authentication tokens using a proxy certificate.
Verbose Logging Active in Production Build
The production build retained debug-level logging that wrote API request bodies, authentication tokens, and user PII to the device system log, accessible to any app with READ_LOGS permission.
When Do Organisations Commission This Test?
Android app penetration testing is typically triggered by one of these six scenarios. If any apply, you are in the right place.
Pre-Launch Security Gate
New Android app or major release approaching Google Play submission and your stakeholders require independent security sign-off before go-live.
Compliance Audit Finding
Your ISO 27001, PCI DSS, or Cyber Essentials Plus audit has identified Android application testing as a control gap.
Enterprise Client Mandate
A client, partner, or enterprise buyer has requested evidence of third-party Android application security testing before contract award or renewal.
Failed Previous Test
A prior vendor delivered an automated scan report dressed as a penetration test. No PoC exploits, no MASVS mapping, no code-level remediation. Your auditor rejected it.
Cyber Insurance Renewal
Your cyber insurance renewal requires evidence of penetration testing activity against Android applications that process sensitive customer data.
DevSecOps Release Gate
You need Android security testing that integrates with your release cycle. Pre-release APK builds, staging environments, and rapid turnaround for CI/CD pipelines.
Android-Specific Testing Methodology
Manual testing using JADX, Frida, Drozer, and Objection: platform-specific tools that identify vulnerabilities automated scanners miss. Every finding is mapped to its OWASP MASVS control.
APK Decompilation & Source Review
JADX and apktool recover decompiled source code and smali bytecode. We review the AndroidManifest.xml for misconfigured android:exported flags, and the decompiled code for hardcoded secrets, API keys, encryption logic, and insecure dependency usage.
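As an added illustration of the manifest review described above (example code written for this page, not Precursor's own tooling), the following Python script parses a decompiled AndroidManifest.xml (a constructed sample) and lists the components another app on the device can reach without holding a permission: those with android:exported="true", and, for apps targeting API 30 or lower, those that declare an intent-filter without an explicit android:exported attribute.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a decompiled AndroidManifest.xml (apktool output style).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <uses-sdk android:targetSdkVersion="30"/>
  <application>
    <activity android:name=".PaymentConfirmActivity" android:exported="true"/>
    <activity android:name=".DeepLinkActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <data android:scheme="exampleapp"/>
      </intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.app.SYNC"/>
    <receiver android:name=".BootReceiver" android:exported="false"/>
    <provider android:name=".DocProvider" android:exported="true"
              android:authorities="com.example.app.docs"/>
  </application>
</manifest>
"""

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")

def _android_attr(elem, name):
    """Read an attribute from the android: namespace, or None if absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))

def find_exposed_components(manifest_xml):
    """Return (tag, name, reason) for each component another app can reach
    without a permission: explicitly exported ones, plus components with an
    intent-filter but no android:exported attribute (exported by default
    when targetSdkVersion is 30 or lower)."""
    findings = []
    for comp in ET.fromstring(manifest_xml).find("application"):
        if comp.tag not in COMPONENT_TAGS:
            continue
        exported = _android_attr(comp, "exported")
        if exported == "true":
            reason = 'android:exported="true"'
        elif exported is None and comp.find("intent-filter") is not None:
            reason = "implicitly exported via intent-filter"
        else:
            continue
        # Exported but guarded by android:permission is not open to every app.
        if _android_attr(comp, "permission") is None:
            findings.append((comp.tag, _android_attr(comp, "name"), reason))
    return findings
```

Each reported component is a candidate for the Drozer and intent-injection testing described in the IPC section; the permission-guarded service is deliberately excluded because a caller must hold com.example.app.SYNC to reach it.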
Root Detection & Certificate Pinning Bypass
Frida and Objection hook runtime functions to bypass root detection and certificate pinning controls. We prove that client-side security controls are circumventable by an attacker with device access, satisfying the mandatory MASVS-RESILIENCE requirement.
IPC & Exported Component Testing
Drozer enumerates all exported Activities, Services, Broadcast Receivers, and Content Providers. We test each for unauthorised access, intent injection, and data leakage. Covers all MASVS-PLATFORM controls for inter-process communication.
Insecure Data Storage
Manual review of SharedPreferences, SQLite databases, external storage, and Android KeyStore implementation for unencrypted PII, session tokens, and cryptographic key material. Maps to MASVS-STORAGE controls.
Deep Link & WebView Analysis
We verify whether malicious deep link URIs can trigger authenticated actions without user consent, steal OAuth tokens, or exploit WebView JavascriptInterface bindings. Covers intent handling and URL scheme validation to prevent cross-app exploitation.
Network & API Interception
Burp Suite with a custom Android proxy configuration intercepts all traffic between the app and its backend APIs. We test for broken authentication, insecure direct object references, and data leakage. See also our dedicated API security testing service.
OWASP MASVS Compliance Mapping
The OWASP Mobile Application Security Verification Standard (MASVS) defines the security requirements for Android and iOS applications. Our assessment covers all seven MASVS control categories at both L1 (standard security) and L2 (defence-in-depth) levels. Every finding references the specific MASVS control it violates, producing evidence accepted by PCI DSS QSAs, ISO 27001 auditors, and enterprise supplier assurance programmes.
MASVS-STORAGE: Sensitive data storage on the device and in backups. SharedPreferences, SQLite, external storage, and KeyStore validation.
MASVS-CRYPTO: Cryptographic algorithm selection, key management, and custom crypto implementation review.
MASVS-AUTH: Authentication and session management controls, biometric API security, and token handling.
MASVS-NETWORK: TLS configuration, certificate pinning implementation, and hostname verification.
MASVS-PLATFORM: IPC security, intent handling, deep link validation, WebView configuration, and clipboard exposure.
MASVS-CODE: Binary protection, obfuscation effectiveness, third-party library vulnerabilities, and debug flag removal.
MASVS-RESILIENCE: Root detection, tamper detection, certificate pinning bypass resistance, and anti-debugging controls.
For mobile application security testing covering both Android and iOS, see our mobile application penetration testing service page. For iOS-specific assessments, see our iOS application security assessment.
The Assessment Process
Four phases from binary analysis to remediation-ready report.
Static Analysis
JADX and apktool decompile the APK. We review all source code, the AndroidManifest.xml, resource files, and third-party dependencies for configuration weaknesses and hardcoded secrets.
Dynamic Instrumentation
Frida and Objection hook into the running process to intercept data flows, bypass root detection, bypass certificate pinning, and manipulate runtime logic without modifying the APK.
Network & API Analysis
Burp Suite with a custom Android proxy configuration intercepts all traffic between the app and its backend APIs. We test for broken authentication, insecure direct object references, and data leakage.
Report & Retest
We deliver a technical report with PoC exploits, code-level remediation guidance, and full OWASP MASVS control mapping. One free retest is included to verify remediation and issue a compliance attestation letter.
What You Get
Every Android application penetration test includes the following deliverables, formatted for both technical teams and non-technical stakeholders.
Reports are delivered via our real-time penetration testing portal with role-based access. Also available in PDF and DOCX formats. Assessment window re-testing included at no additional cost.
Close the Loop After the Test.
A penetration test is a point-in-time assessment. After your Android app goes live, our Managed Detection and Response service monitors for API abuse, credential compromise, and anomalous mobile authentication patterns in real time. The same firm that found the vulnerabilities helps you detect when someone tries to exploit them.
Scope a Combined Engagement
Full Mobile Testing
iOS and Android tested under a single engagement with shared backend API coverage.
API Security Testing
Dedicated API assessment covering unlinked endpoints, auth flows, and OWASP API Top 10.
24/7 SOC Monitoring
Continuous monitoring for credential compromise, API abuse, and mobile-backend threats.
iOS Assessment
IPA binary analysis, Objective-C runtime hooking, jailbreak detection bypass, and Keychain audit.
Frequently Asked Questions
Common questions about this service, methodologies, and deliverables.
How much does Android application penetration testing cost?
Android application penetration testing typically costs between £4,000 and £10,000 depending on app complexity. Standard Android app assessments average £4,000 to £6,000 including APK decompilation, IPC testing, and OWASP MASVS verification. Complex apps with multiple backend integrations typically cost £6,000 to £10,000. We provide fixed quotes after app review and confirm pricing within one business day.
Do you need access to our source code?
No. We can test the compiled APK only (black box), which replicates what an external attacker can access. Access to source code (white box) allows for more thorough static analysis and logic flaw identification. We recommend grey box as the default for most Android app assessments: testing the APK with partial documentation such as API specifications, providing the thoroughness of white box testing without requiring full source code disclosure.
Can you test apps obfuscated with ProGuard or R8?
Yes. While ProGuard and R8 make static analysis more time-intensive, dynamic analysis using Frida and Objection allows us to interact with the running process directly, bypassing obfuscation to identify runtime behaviour, intercept data flows, and hook security-critical functions.
What is OWASP MASVS and which levels do you cover?
The OWASP Mobile Application Security Verification Standard (MASVS) is the industry-standard framework for Android and iOS app security requirements. It defines two verification levels: MASVS-L1 (standard security baseline required for most commercial apps) and MASVS-L2 (defence-in-depth controls required for apps handling sensitive data such as banking, healthcare, or payment card processing). Our Android application assessment covers all seven MASVS control categories: STORAGE, CRYPTO, AUTH, NETWORK, PLATFORM, CODE, and RESILIENCE. Every finding in our report is mapped to the specific MASVS control it violates, ensuring your report is accepted by QSAs, ISO 27001 auditors, and enterprise supplier assurance programmes.
Which tools do you use?
Our Android assessments use a combination of static and dynamic analysis tools. For static analysis we use JADX and apktool to decompile the APK and review deobfuscated source code and the AndroidManifest.xml. For dynamic analysis and runtime manipulation we use Frida and Objection for function hooking, Drozer for IPC component enumeration, and Burp Suite with a custom Android proxy configuration for network traffic interception. Root detection and certificate pinning bypasses are performed using Magisk and Frida scripts. All findings are validated manually. We do not submit automated scan output as penetration test results.
How long does an assessment take?
A standard Android application assessment takes 3 to 5 days of testing time depending on app complexity and the number of backend API integrations. Following testing, we deliver a full technical report within five business days. For urgent assessments (where a launch date or contract deadline is at risk) we offer expedited scheduling. Contact us to discuss your timeline requirements and we will confirm availability and delivery dates before engagement.
What is the difference between black box, white box, and grey box testing?
In a black box assessment we test the compiled APK only, with no access to source code, replicating what an external attacker can access. In a white box assessment we receive the source code alongside the APK, enabling more thorough static analysis and logic flaw identification. Grey box sits between the two: we test the APK with partial documentation (API specifications, architecture diagrams) but without full source code access. We recommend grey box as the default for most Android app assessments, as it provides the thoroughness of white box testing without requiring full source code disclosure. All three engagement types are available and we scope the appropriate approach based on your compliance requirements and internal risk tolerance.
Is retesting included?
Yes. Free retesting within the assessment window is included. The retest focuses specifically on the vulnerabilities raised in the initial report. We issue a retest attestation letter confirming remediation status, which can be used as evidence for compliance audits or client assurance requests.