In today’s mobile app ecosystem, applications frequently incorporate dynamic code loading, embedded web content, and third-party libraries — increasing the risk of executing untrusted or malicious code. Execution of Untrusted Code Testing is a critical security assessment process that evaluates whether an application securely controls its runtime behavior, protecting against code injection, unauthorized execution, and memory-based attacks.

Android Code Execution & Memory Vulnerability Tests:

WebView Security
We assess WebView configurations to ensure malicious web content cannot execute harmful JavaScript or access app internals — a crucial part of Android RCE testing.

Exposing External Java Interfaces in the WebView DOM
This test identifies whether sensitive Java interfaces are exposed to WebViews’ JavaScript environment, a common risk exploited in mobile app takeovers.

JavaScript Execution Risks in WebViews
We check for unsafe JavaScript execution permissions in WebViews, preventing attackers from injecting or executing malicious scripts within your app.

Code Signing
Our experts verify the integrity of your app’s code signing implementation, ensuring no unauthorized or tampered code can run within the production environment.

Loading Dynamic DEX onto Dalvik
This test identifies risks associated with dynamically loading external DEX (Dalvik Executable) files at runtime, a frequent target in Android dynamic code injection attacks.

Abusing Dynamic Code Execution Decisions
We analyze runtime decision points within the application that control code execution paths, ensuring these cannot be influenced by attackers to load untrusted code.

Stack Based Buffer Overflows
Through mobile memory vulnerability assessments, we detect stack overflow vulnerabilities that could allow attackers to overwrite control data and hijack execution.

Heap Based Buffer Overflows
As with stack overflows, we assess for heap memory vulnerabilities that could enable data corruption, privilege escalation, or unauthorized code execution.

Object Lifetime Vulnerabilities (Use-After-Free, Double Frees)
Our testing identifies flaws in object memory management, such as use-after-free or double free issues, which can lead to memory corruption or unexpected behavior.

Format String Vulnerabilities
We check for improper use of formatting functions that could allow attackers to read sensitive memory or alter program flow — a critical check in mobile memory vulnerability assessments.

NDK Exposed Code Secrets
This test looks for sensitive information, such as encryption keys or hidden logic, exposed within Native Development Kit (NDK) binaries, to reduce the risk of reverse engineering.

Integer Overflows
We identify arithmetic operations whose results exceed the maximum limit of a data type, which can lead to logic errors, memory corruption, or unauthorized access.

Integer Underflows
Similarly, we detect operations where numeric values drop below the minimum supported value, which attackers might exploit to bypass security checks or cause unpredictable behavior.