I have audited hundreds of Android apps over the years. The same security mistakes show up again and again — and most developers have no idea they are shipping them.
Here are 7 checks you should run on your own APK before every release.
1. Check Your Permissions
Open your AndroidManifest.xml and ask: does my app actually need every permission listed?
Red flags:
- READ_CONTACTS on a calculator app
- ACCESS_FINE_LOCATION when you only need coarse
- CAMERA or RECORD_AUDIO that you added for a feature you removed
- READ_PHONE_STATE — this gives access to IMEI and device ID
How to check:

```sh
aapt dump permissions your-app.apk
```

Or decompile with apktool:

```sh
apktool d your-app.apk -o output/
grep uses-permission output/AndroidManifest.xml
```
Remove every permission you do not actively use. Fewer permissions = more user trust = more installs.
2. Find Hardcoded Secrets
This is the number one vulnerability I find. API keys, Firebase credentials, AWS tokens — sitting right there in the code.
How to check:

```sh
jadx -d output/ your-app.apk
grep -r AIza output/
grep -r AKIA output/
grep -r sk_live output/
grep -r firebase output/
```
The fix: Move all secrets server-side. Your app should call YOUR backend, which holds the actual API keys. Never ship secrets in client code — APKs are trivially easy to decompile.
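The greps above are a good first pass but noisy; a bare `grep -r firebase` matches every Firebase class name. As an added example (not from the article), here is a small Python scanner over a jadx output tree that anchors each prefix to the key format's known length; the sample tree, the planted keys and the pattern set are constructed for illustration.

```python
import re
from pathlib import Path
from tempfile import TemporaryDirectory

# Tightened forms of the prefixes grepped for above. Fixed lengths cut the noise a bare
# `grep -r firebase` produces; the set is illustrative, not exhaustive.
SECRET_PATTERNS = {
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "stripe_live_secret": re.compile(r"\bsk_live_[0-9A-Za-z]{16,}\b"),
    "firebase_db_url": re.compile(r"https://[a-z0-9-]+\.firebaseio\.com"),
}
SOURCE_SUFFIXES = {".java", ".kt", ".xml", ".json", ".properties"}


def scan_tree(root):
    """Return (relative path, pattern name, matched text) for every hit under root."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix not in SOURCE_SUFFIXES:
            continue
        text = path.read_text(errors="ignore")
        for name, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(text):
                findings.append((str(path.relative_to(root)), name, match.group(0)))
    return findings


def demo():
    """Constructed decompiled tree: three planted fake secrets plus one decoy file."""
    with TemporaryDirectory() as tmp:
        java = Path(tmp, "sources", "com", "example")
        res = Path(tmp, "resources", "res", "values")
        java.mkdir(parents=True)
        res.mkdir(parents=True)
        (java / "Config.java").write_text(
            "class Config {\n"
            '  static final String MAPS_KEY = "AIza' + "A" * 35 + '";\n'
            '  static final String AWS_KEY = "AKIAABCDEFGHIJKLMNOP";\n'
            "}\n")
        # Decoy: a Firebase class reference with no credential in it; must not be reported.
        (java / "Analytics.java").write_text("class Analytics extends FirebaseAnalyticsWrapper {}\n")
        (res / "strings.xml").write_text(
            '<resources><string name="pay">sk_live_' + "x" * 24 + "</string></resources>\n")
        return scan_tree(tmp)


if __name__ == "__main__":
    for path, name, value in demo():
        print(f"{path}: {name} -> {value[:8]}...")
```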
3. Check What SDKs Are Tracking Your Users
Third-party SDKs often collect data you do not know about. Ad networks, analytics, crash reporters — they all phone home.
How to check with Exodus (open source):

```sh
pip install exodus-core
exodus-analyze your-app.apk
```
This lists every known tracker in your APK. You might be surprised to find trackers from SDKs you integrated for a completely different purpose.
You can also check any app without downloading it at Exodus Privacy or use our free scanner which runs Exodus plus 9 more tools.
4. Verify SSL/TLS Configuration
Your app talks to a server. Is that connection actually secure?
Common mistakes:
- Trusting all certificates (bypassing SSL verification)
- Not implementing certificate pinning
- Using HTTP somewhere in your codebase
- usesCleartextTraffic set to true in manifest
How to check:

```sh
grep usesCleartextTraffic output/AndroidManifest.xml
grep -rn TrustAllCerts output/
grep -rn ALLOW_ALL output/
```
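The permission review in check 1 and the cleartext check here both come down to reading the decoded manifest, so as an added example (not from the article) here is one Python audit that does both on an apktool-decoded AndroidManifest.xml: it flags the red-flag permissions listed above, `usesCleartextTraffic="true"`, and a missing `networkSecurityConfig` (the attribute that declares your cleartext and pinning policy). The red-flag list and the sample manifest are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# The permissions the article calls out, with its reasoning. Illustrative list:
# extend it with whatever your own app must justify.
RED_FLAG_PERMISSIONS = {
    "android.permission.READ_CONTACTS": "contacts access: justify or remove",
    "android.permission.ACCESS_FINE_LOCATION": "precise location: is coarse enough?",
    "android.permission.CAMERA": "camera: still used by a shipped feature?",
    "android.permission.RECORD_AUDIO": "microphone: still used by a shipped feature?",
    "android.permission.READ_PHONE_STATE": "exposes IMEI / device identifiers",
}


def audit_manifest(xml_text):
    """Return a list of finding strings for an apktool-decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    findings = []
    for node in root.iter("uses-permission"):
        name = node.get(ANDROID + "name", "")
        if name in RED_FLAG_PERMISSIONS:
            findings.append(f"permission {name}: {RED_FLAG_PERMISSIONS[name]}")
    app = root.find("application")
    if app is not None:
        if app.get(ANDROID + "usesCleartextTraffic") == "true":
            findings.append("usesCleartextTraffic=true: plain HTTP allowed app-wide")
        if app.get(ANDROID + "networkSecurityConfig") is None:
            findings.append("no networkSecurityConfig: no pinning or cleartext policy declared")
    return findings


# Constructed sample: a "calculator" that trips most of the checks above.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.calculator">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <application android:label="Calculator" android:usesCleartextTraffic="true">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""

if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST):
        print("-", finding)
```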
5. Check Data Storage
Where does your app store sensitive data locally?
Danger zones:
- SharedPreferences with tokens or passwords — easily readable on rooted devices
- SQLite databases without encryption
- Files on external storage (world-readable)
- Logging sensitive data to logcat
Best practices:
- Use Android Keystore for cryptographic keys
- Use EncryptedSharedPreferences from Jetpack Security
- Never store passwords — store tokens with expiry
- Disable logging in release builds
6. Inspect WebView Security
If your app uses WebViews, they are a common attack vector.
Check for:

```sh
grep -rn setJavaScriptEnabled output/sources/
grep -rn addJavascriptInterface output/sources/
grep -rn setAllowFileAccess output/sources/
```

- addJavascriptInterface can expose Java methods to JavaScript — very dangerous if loading external URLs
- setAllowFileAccess lets JavaScript read local files
Rule: If your WebView loads external URLs, lock it down. If it only loads your own bundled HTML, it is lower risk.
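The rule above turns on two facts per file: which risky settings are enabled and whether the WebView loads anything other than bundled assets. As an added example (not from the article), this Python heuristic applies that rule to one decompiled Java file; the regexes, the risk levels and the two sample files are constructed for illustration, and a variable passed to `loadUrl` is treated as untrusted because its value cannot be known statically.

```python
import re

# Per-file regexes for the calls the greps above look for (heuristic, not a parser).
SETTINGS = {
    "setJavaScriptEnabled(true)": re.compile(r"setJavaScriptEnabled\(\s*true\s*\)"),
    "addJavascriptInterface": re.compile(r"addJavascriptInterface\("),
    "setAllowFileAccess(true)": re.compile(r"setAllowFileAccess\(\s*true\s*\)"),
}
# Captures the string literal passed to loadUrl, or matches a non-literal argument.
LOAD_CALL = re.compile(r'loadUrl\(\s*("([^"]*)"|[^)]*)\)')


def assess_webview(src):
    """Return (risk, enabled settings) for one decompiled Java file that may use a WebView."""
    if "WebView" not in src:
        return "none", []
    enabled = [name for name, rx in SETTINGS.items() if rx.search(src)]
    untrusted = False
    for call in LOAD_CALL.finditer(src):
        literal = call.group(2)
        # Only a bundled asset literal counts as trusted content; a remote URL or a
        # variable (possibly from an Intent extra or deep link) counts as untrusted.
        if literal is None or not literal.startswith("file:///android_asset/"):
            untrusted = True
    exposes = "addJavascriptInterface" in enabled or "setAllowFileAccess(true)" in enabled
    if untrusted and exposes:
        return "high", enabled      # external content can reach Java methods or local files
    if untrusted and enabled:
        return "medium", enabled    # JS on external content, but nothing extra exposed
    return ("low" if enabled else "none"), enabled


# Constructed samples: the first mirrors the dangerous pattern, the second the bundled-HTML case.
HIGH_RISK = """
WebView wv = findViewById(R.id.web);
wv.getSettings().setJavaScriptEnabled(true);
wv.addJavascriptInterface(new Bridge(this), "Android");
wv.loadUrl(getIntent().getStringExtra("url"));
"""
LOW_RISK = """
WebView help = new WebView(this);
help.getSettings().setJavaScriptEnabled(true);
help.loadUrl("file:///android_asset/help.html");
"""

if __name__ == "__main__":
    for label, sample in (("high", HIGH_RISK), ("low", LOW_RISK)):
        print(label, assess_webview(sample))
```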
7. Run an Automated Security Scan
Manual checks catch the obvious stuff. Automated tools find the rest.
Free open-source tools you should know:
| Tool | What It Does | Install |
|---|---|---|
| jadx | Decompiles APK to readable Java source | brew install jadx |
| apktool | Decodes resources and manifest | brew install apktool |
| androguard | Python APK analysis library | pip install androguard |
| dex2jar | Converts DEX to JAR for analysis | GitHub releases |
| APKiD | Detects packers, obfuscators, anti-debug | pip install apkid |
| quark-engine | Android malware scoring system | pip install quark-engine |
| Exodus CLI | Tracker and permission detection | pip install exodus-core |
| semgrep | Pattern-based static analysis | brew install semgrep |
| dependency-check | Known CVE detection in libraries | OWASP project |
| MobSF | Full mobile security framework | Docker setup |
Setting all of these up individually takes time. Our App Security Scanner orchestrates 10 of these tools in parallel — upload an APK and get results from all of them in one report. Basic scans are free.
Quick Pre-Release Security Checklist
- [ ] All permissions are justified and documented
- [ ] No hardcoded API keys, tokens, or secrets
- [ ] Tracker/SDK audit done — know what phones home
- [ ] SSL pinning implemented for critical endpoints
- [ ] No cleartext traffic allowed
- [ ] Sensitive data uses EncryptedSharedPreferences
- [ ] WebViews locked down
- [ ] Logging disabled in release builds
- [ ] ProGuard/R8 obfuscation enabled
- [ ] Data Safety section in Play Console is accurate
Most apps ship with at least 2-3 of these issues. The good news is they are all fixable in an afternoon.
Spend an hour running through this list before your next release. Your users deserve it.
Have questions about a specific vulnerability? Drop your scenario in the comments — happy to help figure out the fix.