Android Penetration Testing Tutorial

Android App Development Security Issues to Avoid

Table of Contents

  • Insecure Password Storage
  • Insecure Password Storage
  • Hidden Buttons
  • Hidden buttons
  • Test your knowledge with a quick quiz!
  • Bugs during Development
  • Developers bug
  • Insecure Authentication
  • lnsecure login
  • Debug Mode Enabled
  • Debug Mode Enabled
  • Backup Mode Enabled
  • Backup Mode Enabled
  • Test your knowledge with a quick quiz!
  • Insecure Authentication (Advanced)
  • Insecure Login Advance
  • It’s Quiz Time!

Insecure Password Storage

Every Android app must store the passwords in a secure manner so that hackers can’t access them even if the database or app is hacked. The right frameworks and coding languages should be stored, keeping security a priority. 

It is crucial if the attackers find the store password hashes, they can launch brute force hashes offline. 

Insecure Password Storage

Learn about Insecure Password Storage in a detailed video:

Hidden Buttons

Many mobile apps have hidden buttons that were once created for a purpose but then put to the rest. However, the buttons still exist there with their functionalities. Hackers can find the hidden buttons and exploit them for malicious purposes. 

Hidden buttons

Learn about Hidden buttons in a detailed video:


Test your knowledge with a quick quiz!

__________ that were once created for a purpose but then put to the rest.

Select the correct answer

Bugs during Development

When an Android is developed, the developers write the code but there are always some errors and bugs that remain during the life cycle. That is where the role of QA teams comes into play. They test the complete app to find and fix the bugs.

However, some bugs are difficult to detect. In case hackers discover those bugs, they can exploit them to compromise the app. 

Developers bug

Learn about Developers bug in a detailed video:

Insecure Authentication

When there are poor authentication mechanisms in the app, the users can’t be identified. There will be a failure in logging and auditing the user activity. As a result, the app can’t detect malicious users and sources of attacks. Eventually, it will lead to data theft, unauthorized access to sensitive data, etc. 

lnsecure login

Learn about lnsecure login in a detailed video:


Debug Mode Enabled

Debug mode is usually enabled when the app is in the development phase. However, if it is still enabled after the production, it will bring security risks. 

Hackers can use APKTOOL to find the AndroidManifest.xml file and check whether the app is debuggable or not. If the file can be found, it means the app can be debugged and exploited. Hackers can inject malicious code into the app and use it for their benefit.

Debug Mode Enabled

Learn about Debug Mode Enabled in a detailed video:

Backup Mode Enabled

Android apps have android:allowBackup attribute to determine if the data on the app can be backed up and restored. If the backup mode is enabled, hackers can check it and take the backup of the data through adb on their device. 

In case the backup flag is found true, even sensitive data like banking details, passwords, etc. can be stolen.

Backup Mode Enabled

Learn about Backup Mode Enabled in a detailed video:

Test your knowledge with a quick quiz!

Hackers can check data and take backup through ___ on their device.

Select the correct answer

Insecure Authentication (Advanced)

OWASP lists insecure authentication among the top five most exploited vulnerabilities in mobile apps. Hackers can bypass the login page without validation by exploiting insecure authentication schemes. This is usually done by submitting requests to the backend server without interacting with the app. 

An Android app faces insecure authentication when:

  • It executes backend API service requests without an access token. 

  • It saves the passwords on a local device.

  • Weak password policies are in place that can be guessed by hackers.

  • Features like TouchID are in use. 

One of the main reasons leading to insecure authentication is when the sensitive data is stored on a local device or external storage. Files stored on external storage can be read and modified by hackers. 

They locate the authentication file of the app, check the code that contains credentials, and find access to the app. 

Insecure Login Advance

Learn about Insecure Login Advance in a detailed video:

It’s Quiz Time!

Did you find this article helpful?