Android security testing or android vapt helps you to find security loopholes/vulnerabilities in android(mobile) applications. The companies are coming up with different applications for different operations. Therefore, security testing or VAPT should be done  in order to protect and secure those applications from hackers or threat actors.

The testing involves de-compiling, static and dynamic analysis and testing the android application from security perspective to find the vulnerabilities inside it. The testing involves - insecure data storage, client side injection, hardcoding issues, authentication and access control issues, etc. This could be done with the help of android vapt tools like : burp suite, drozer, adb, apktool, logcat, Mobsf, dex2jar, android studio or genymotion, frida, sdk platform tool, etc. 

OWASP Top 10 Mobile Risks 2016 : 

• M1: Improper Platform Usage

• M2: Insecure Data Storage

• M3: Insecure Communication

• M4: Insecure Authentication

• M5: Insufficient Cryptography

• M6: Insecure Authorization

• M7: Client Code Quality

• M8: Code Tampering

• M9: Reverse Engineering

• M10: Extraneous Functionality

To learn and practice android penetration testing or vapt one has to know about some basic details like:

1. Android basics and it’s architecture

2. Components of android application

3. Lab setup for android penetration testing

4. OWASP Top 10 Mobile Risks

5. Android VAPT tools like : adb, drozer, apktool, dex2jar, etc.

6. Setting up vulnerable android applications like : DIVA, InjuredAndroid, InscureShop, AndroidInsecureBank v2, Damn-Vulnerable-Ban, etc.