
How can I check if an Android application running on a non-rooted device is "secure" without knowing its source?

I would look for:

  1. Plain text in web requests (Wireshark and emulator)

  2. SQL injection (in EditTexts...)

  3. Doing things that aren't always expected (e.g. fast clicking to check for race conditions)

Question: What else could be interesting for auditing Android apps?

Kiril
    not sure if it can help, but see [monkey](http://developer.android.com/tools/help/monkey.html). – bigstones Sep 12 '13 at 13:52
  • @bigstones Thank you! But I think the Monkey is better suited for automating testing scenarios. What I am looking for are test cases. – Kiril Sep 12 '13 at 13:54
  • Please define secure. Many apps are just a GUI for data stored on server. The server should then require secure API connections from the app, screen for SQL injections etc. – Petter Nordlander Oct 19 '13 at 18:54
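The SQL-injection test case from item 2 of the question, as an added example that is not part of the original post: Python's stdlib sqlite3 drives the same SQLite engine that Android apps reach through SQLiteDatabase, so the two query patterns below behave exactly like their Android counterparts, rawQuery with string concatenation versus rawQuery with a bound "?" parameter. The notes table, its rows and the probe strings are constructed here for illustration, and the black-box check at the end is the kind of test you can run without the source: a lone quote that produces a SQL error, or a tautology that returns more rows than a benign value, means the EditText content reached the SQL parser.

```python
"""Added example (not from the question): the SQL-injection test case from
item 2, run against SQLite, the engine behind Android's SQLiteDatabase.
The notes table, its rows and the probe inputs are constructed here."""
import sqlite3

# Probe inputs an auditor would type into the app's EditText.
BENIGN_INPUT = "alice"
INJECTION_INPUT = "alice' OR '1'='1"   # turns WHERE owner = 'alice' into a tautology


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for an app's local database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, owner TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO notes (owner, body) VALUES (?, ?)",
        [("alice", "alice's shopping list"), ("bob", "bob's private note")],
    )
    conn.commit()
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, owner: str) -> list:
    """String concatenation, the Python twin of
    db.rawQuery("SELECT body FROM notes WHERE owner = '" + input + "'", null).
    EditText content becomes part of the SQL statement."""
    sql = "SELECT body FROM notes WHERE owner = '" + owner + "'"
    return [row[0] for row in conn.execute(sql)]


def safe_lookup(conn: sqlite3.Connection, owner: str) -> list:
    """Bound parameter, the Python twin of
    db.rawQuery("SELECT body FROM notes WHERE owner = ?", new String[]{input}).
    The input is handed to the engine as data and never parsed as SQL."""
    return [row[0] for row in conn.execute("SELECT body FROM notes WHERE owner = ?", (owner,))]


def is_injectable(conn, lookup) -> bool:
    """Black-box check usable without source: a lone quote raising a SQL error,
    or the tautology probe returning more rows than the benign input, both
    mean the input reached the SQL parser."""
    try:
        lookup(conn, "'")
    except sqlite3.OperationalError:
        return True
    return len(lookup(conn, INJECTION_INPUT)) > len(lookup(conn, BENIGN_INPUT))


def run_audit() -> dict:
    """Run both query styles against both probes and the black-box check."""
    conn = make_db()
    return {
        "vulnerable_benign": vulnerable_lookup(conn, BENIGN_INPUT),
        "vulnerable_injected": vulnerable_lookup(conn, INJECTION_INPUT),
        "safe_benign": safe_lookup(conn, BENIGN_INPUT),
        "safe_injected": safe_lookup(conn, INJECTION_INPUT),
        "vulnerable_flagged": is_injectable(conn, vulnerable_lookup),
        "safe_flagged": is_injectable(conn, safe_lookup),
    }


if __name__ == "__main__":
    for name, value in run_audit().items():
        print(f"{name}: {value}")
```

The vulnerable lookup returns bob's note to a user who typed the tautology into the EditText; the parameterized lookup returns nothing for that input because it looks for an owner literally named `alice' OR '1'='1`. On a real app you cannot read the result list directly, so watch for the observable side effects instead: an error dialog or crash on the lone quote, or a screen that suddenly shows more records than it should.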

1 Answer


One thing you might want to do is use a packet capture application to find out what the app is doing with the network. Is everything encrypted? What could a man-in-the-middle do?

http://mobile.tutsplus.com/tutorials/android/analyzing-android-network-traffic/

  • Thanks for the link! Unfortunately it uses root to install tcpdump. But it would be good to have a rooted phone for such testing scenarios. – Kiril Oct 19 '13 at 13:53
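An added example that is not from the answer or the linked tutorial: once you have a capture (tcpdump on a rooted device, Wireshark on the host with the app in an emulator, or the emulator's own -tcpdump option), the next step is to answer "is everything encrypted?" stream by stream. The Python below takes the client's first payload of each TCP stream, classifies it as a TLS ClientHello or a cleartext HTTP request, and lists the credentials and session identifiers a man-in-the-middle would read off the latter. The three payloads are constructed stand-ins; 10.0.2.15 is the emulator's default guest address and 192.0.2.10 is a documentation-range placeholder, not a real host.

```python
"""Added example (not from the answer): triage of captured TCP stream payloads
from an Android app, answering "is everything encrypted, and what would a
man-in-the-middle see?". All payloads below are constructed samples."""
import re
from base64 import b64decode
from urllib.parse import parse_qsl, urlsplit

# Parameter and header names worth flagging when they travel in the clear.
SENSITIVE_KEY = re.compile(r"pass|pwd|token|session|secret|auth|key", re.I)

# Constructed samples: first client->server payload of three TCP streams.
# 10.0.2.15 is the emulator's default guest IP; 192.0.2.10 is a placeholder.
SAMPLE_STREAMS = {
    # TLS record header (0x16 handshake, version 3.1, length 0x40) + ClientHello (0x01)
    "10.0.2.15:41002 -> 192.0.2.10:443": bytes.fromhex("160301004001") + b"\x00" * 40,
    # Cleartext login over plain HTTP with Basic auth and a form-encoded password
    "10.0.2.15:41003 -> 192.0.2.10:80": (
        b"POST /login HTTP/1.1\r\n"
        b"Host: api.example.test\r\n"
        b"Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n"
        b"Content-Type: application/x-www-form-urlencoded\r\n"
        b"Content-Length: 32\r\n\r\n"
        b"user=alice&password=hunter2&tok=1"
    ),
    # Session identifier leaked in a query string
    "10.0.2.15:41004 -> 192.0.2.10:80": (
        b"GET /feed?session=abc123 HTTP/1.1\r\nHost: api.example.test\r\n\r\n"
    ),
}


def is_tls_client_hello(payload: bytes) -> bool:
    """TLS record: content type 0x16 (handshake), major version 3, followed by
    a handshake header whose type 0x01 is ClientHello."""
    return (len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03
            and payload[2] <= 0x04 and payload[5] == 0x01)


def parse_http_request(payload: bytes):
    """Return (method, target, headers, body) for an HTTP/1.x request, else None."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    m = re.match(r"^([A-Z]+) (\S+) HTTP/1\.[01]$", lines[0])
    if not m:
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return m.group(1), m.group(2), headers, body.decode("latin-1")


def find_cleartext_secrets(payload: bytes) -> list:
    """List credentials and identifiers a passive observer reads off this request."""
    parsed = parse_http_request(payload)
    if parsed is None:
        return []
    _, target, headers, body = parsed
    findings = []
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        try:  # Basic auth is only base64, so the username is readable directly
            user = b64decode(auth[6:], validate=True).decode("latin-1").split(":", 1)[0]
            findings.append(f"HTTP Basic credentials for user '{user}'")
        except ValueError:  # binascii.Error and UnicodeDecodeError both subclass it
            findings.append("HTTP Basic header (undecodable)")
    if "cookie" in headers:
        findings.append("Cookie header: " + headers["cookie"])
    for k, v in parse_qsl(urlsplit(target).query):
        if SENSITIVE_KEY.search(k):
            findings.append(f"query parameter {k}={v}")
    if "x-www-form-urlencoded" in headers.get("content-type", ""):
        for k, v in parse_qsl(body):
            if SENSITIVE_KEY.search(k):
                findings.append(f"form field {k}={v}")
    return findings


def triage(streams: dict) -> dict:
    """Classify each stream's first payload and attach its cleartext findings."""
    report = {}
    for name, payload in streams.items():
        if is_tls_client_hello(payload):
            report[name] = {"status": "tls", "findings": []}
        elif parse_http_request(payload) is not None:
            report[name] = {"status": "cleartext-http",
                            "findings": find_cleartext_secrets(payload)}
        else:
            report[name] = {"status": "unknown", "findings": []}
    return report


if __name__ == "__main__":
    for name, result in triage(SAMPLE_STREAMS).items():
        print(name, result["status"], *result["findings"], sep="\n  ")
```

A "tls" verdict only tells you the bytes are encrypted, not that the app checked the server certificate; that second question is what an active man-in-the-middle test (a proxy with its own CA) answers, and a "cleartext-http" stream with findings is already a confirmed leak without any proxy at all.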