How can I check if an Android application running on a not rooted device is "secure" without knowing its source?
I would look for:

- Plain text in web requests (Wireshark and emulator)
- SQL injection (in EditTexts…)
- Doing stuff that isn't always expected (i.e. fast clicking to check for race conditions)
Question: What else could be interesting for auditing Android apps?
Best Answer
One thing you might want to do is use a packet capture application to find out what the app is doing with the network. Is everything encrypted? What could a man-in-the-middle do?
http://mobile.tutsplus.com/tutorials/android/analyzing-android-network-traffic/
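The check the answer describes (capture the app's traffic, then ask "is everything encrypted?") can be automated once the capture is on disk. The script below is an added example, not code from the question, the answer or the linked tutorial. It reads a libpcap-format file containing Ethernet/IPv4/TCP frames (the format Wireshark and tcpdump write for an emulator's network interface), pulls out each TCP payload, and classifies it as a TLS record, a plaintext HTTP message, or something else; every plaintext HTTP request is reported along with any credential-looking field names it carries. The capture used here is constructed in memory with `build_pcap` so the script runs offline; the hostnames and the 203.0.113.x address are placeholders.

```python
"""Audit a pcap of an Android app's traffic for unencrypted HTTP requests.

Added example (not from the original Q&A). Assumes a libpcap file whose
frames are Ethernet/IPv4/TCP; the sample capture below is constructed.
"""
import struct

PCAP_MAGIC = 0xA1B2C3D4          # little-endian libpcap magic
LINKTYPE_ETHERNET = 1
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"DELETE ", b"HEAD ", b"OPTIONS ", b"PATCH ")
TLS_VERSIONS = (b"\x03\x00", b"\x03\x01", b"\x03\x02", b"\x03\x03")
SENSITIVE_KEYS = (b"password", b"passwd", b"token", b"secret", b"session")


def build_pcap(segments):
    """Build a minimal pcap from (src_port, dst_port, payload) tuples.

    Only used to construct sample input; checksums are left as zero because
    the parser never validates them.
    """
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, (sport, dport, payload) in enumerate(segments):
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                         0, 0, 64, 6, 0,
                         bytes([10, 0, 2, 15]),        # emulator's default address
                         bytes([203, 0, 113, 5]))      # placeholder server (TEST-NET-3)
        frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out


def iter_tcp_payloads(pcap):
    """Yield (src_port, dst_port, payload) for every non-empty TCP segment."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian libpcap file")
    off = 24                                  # skip the global header
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from("<IIII", pcap, off)
        off += 16
        frame = pcap[off:off + incl_len]
        off += incl_len
        if frame[12:14] != b"\x08\x00":       # EtherType: IPv4 only
            continue
        ip = frame[14:]
        if ip[9] != 6:                        # IP protocol: TCP only
            continue
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack_from("!H", ip, 2)[0]
        tcp = ip[ihl:total_len]
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        payload = tcp[(tcp[12] >> 4) * 4:]
        if payload:
            yield sport, dport, payload


def classify(payload):
    """'tls' for a TLS record header, 'http' for plaintext HTTP, else 'other'."""
    if payload[:1] == b"\x16" and payload[1:3] in TLS_VERSIONS:
        return "tls"
    if payload.startswith(HTTP_METHODS) or payload.startswith(b"HTTP/1."):
        return "http"
    return "other"


def audit_capture(pcap):
    """Count segment types and list every plaintext HTTP message found."""
    counts = {"http": 0, "tls": 0, "other": 0}
    plaintext = []
    for _sport, dport, payload in iter_tcp_payloads(pcap):
        kind = classify(payload)
        counts[kind] += 1
        if kind == "http":
            lower = payload.lower()
            plaintext.append({
                "dst_port": dport,
                "first_line": payload.split(b"\r\n", 1)[0].decode(errors="replace"),
                "sensitive": [k.decode() for k in SENSITIVE_KEYS if k in lower],
            })
    return {"counts": counts, "plaintext": plaintext}


# Constructed sample: a login POST in the clear, one TLS ClientHello, one plain GET.
SAMPLE_CAPTURE = build_pcap([
    (40001, 80, b"POST /api/login HTTP/1.1\r\nHost: api.example.test\r\n"
                b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                b"user=alice&password=hunter2"),
    (40002, 443, b"\x16\x03\x01\x00\x2e\x01\x00\x00\x2a\x03\x03" + b"\x00" * 32),
    (40003, 80, b"GET /config.json HTTP/1.1\r\nHost: cdn.example.test\r\n\r\n"),
])

if __name__ == "__main__":
    report = audit_capture(SAMPLE_CAPTURE)
    print("segments:", report["counts"])
    for hit in report["plaintext"]:
        print(f"plaintext -> port {hit['dst_port']}: {hit['first_line']}"
              + (f"  (contains: {', '.join(hit['sensitive'])})" if hit["sensitive"] else ""))
```

To run it against a real capture, replace `SAMPLE_CAPTURE` with the bytes of a file saved from Wireshark or tcpdump. Any hit in `plaintext` is a request a man-in-the-middle on the same Wi-Fi could read or alter; a hit whose `sensitive` list is non-empty is a credential or session identifier travelling unencrypted. Note that the TLS check only confirms a TLS handshake is present, not that the app validates the server certificate, so a capture through an intercepting proxy with a self-signed certificate is still a separate test.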