Information Gathering, or mobile application reconnaissance, is the crucial first phase in any mobile app security assessment. This stage focuses on identifying publicly accessible, exposed, or easily retrievable information that attackers could leverage to plan and execute targeted attacks.
Tests Performed in Information Gathering Assessments:
Reverse Engineering the Application Code
We decompile and analyze the application’s compiled binaries (APK or IPA files) to identify hardcoded credentials, API keys, encryption routines, or proprietary logic. This Android reverse engineering assessment reveals hidden information that attackers could extract through static analysis.
Testing for Common Libraries and Fingerprinting
This test identifies third-party libraries and SDKs embedded within the app, along with version details and known vulnerabilities. We also perform application fingerprinting security testing to map technologies and frameworks in use — enabling risk analysis based on public exploits or misconfigurations.
Enumeration of Application Known Controllers
We analyze the app’s code and runtime behavior to enumerate backend API endpoints, Activities, Services, and other controllers. This test checks that components are not exposed to unauthorized callers and helps anticipate attack vectors targeting backend systems or privileged actions.
Information Disclosure by Logcat
We verify whether sensitive data or technical details are being logged to Android’s Logcat system. This includes user data, internal error messages, debugging information, and application state changes — all of which could aid attackers during exploitation.
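One way to automate the Logcat check described above, as an added example that is not code from the original page. It assumes a capture taken with `adb logcat -d -v threadtime`; the rule set, the function names and the sample lines are constructed for illustration.

```python
import re

# logcat -v threadtime: "MM-DD HH:MM:SS.mmm  PID  TID L Tag: message"
LINE_RE = re.compile(r"^\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}\s+(\d+)\s+\d+\s+([VDIWEF])\s+(.*?)\s*: (.*)$")

# Assumed starting rule set; extend it for the data the app actually handles.
RULES = {
    "bearer_token": re.compile(r"\bBearer\s+[A-Za-z0-9._~+/=-]{16,}"),
    "credential": re.compile(r'(?i)\b(?:password|passwd|secret|api[_-]?key|token)\b"?\s*[=:]\s*"?[^\s",}]+'),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "card_number": re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),
    "exception": re.compile(r"\b(?:[a-z_]\w*\.)+[A-Z]\w*(?:Exception|Error)\b"),
}

def luhn_ok(candidate):
    """Luhn checksum, used to discard digit runs that are not card numbers."""
    digits = [int(c) for c in candidate if c.isdigit()][::-1]
    total = sum(d if i % 2 == 0 else (d * 2 - 9 if d > 4 else d * 2) for i, d in enumerate(digits))
    return total % 10 == 0

def redact(value):
    return value[:4] + "*" * max(len(value) - 4, 0)  # the report must not repeat the leak

def scan_logcat(lines, pids=None):
    """Return one finding per rule hit; pids limits the scan to the app's process IDs."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # buffer headers such as "--------- beginning of main"
        pid, level, tag, message = m.groups()
        if pids is not None and int(pid) not in pids:
            continue
        for rule, pattern in RULES.items():
            for hit in pattern.finditer(message):
                if rule == "card_number" and not luhn_ok(hit.group()):
                    continue
                findings.append({"line": lineno, "level": level, "tag": tag,
                                 "rule": rule, "match": redact(hit.group())})
    return findings

# Constructed sample capture (not from a real app).
SAMPLE = """--------- beginning of main
01-12 10:15:02.123  4321  4321 D AuthRepo: login ok user=alice@example.com password=Hunter2!x
01-12 10:15:02.480  4321  4377 D OkHttp  : Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.c2FtcGxl.c2ln
01-12 10:15:03.001  4321  4321 I Checkout: charging card 4111 1111 1111 1111 order 1234567890123
01-12 10:15:03.250  4321  4321 E Sync    : java.net.SocketTimeoutException: timeout
01-12 10:15:03.300   999   999 I OtherApp: token=not-our-process
""".splitlines()
```

Calling `scan_logcat(SAMPLE, pids={4321})` reports five findings for the app's own process; the 13-digit order number is dropped because it fails the Luhn check.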
