To perform a pentest on an android application there are three important things that should be done by the pentester.
Pentesting Android Apps
1. Set up the pentest environment
You would require an environment where the target application needs to be installed. In most of the scenarios, pentesters use emulated devices such as Genymotion as it allows you create android devices with multiple OS flavors and it has various versions. These emulated devices are rooted in nature so the coverage for the client side analysis would be the maximum.
Note: Please first confirm with the client that they do want the Pentest to be performed on rooted device.
2. Utilize a methodology
Generally, you should follow OWASP Top 10, one of the main methodologies for performing an Android pentest, as it is one of the most widely accepted standards which covers a broad range of vulnerabilities. It is always recommended to perform the pentest using a hybrid approach i.e. doing it manually and then summing it up using automated tools.
3. Leverage an arsenal of tools
The most important thing for a pentester is to know the tools at his disposal and utilize them to the maximum to get the best results. Tools are helpful and beneficial to use when pentesting but it still takes a pentester to analyze the data and explore a vulnerabilities business impact.
Here is a list of tools that can be used for Android pentesting
Xposed Framework (contains multiple tools which can be leveraged for android security assessment)
Appie (android security framework)
Happy Hacking :-)