Sensitive applications (like bank apps) should check if the mobile is rooted and should actuate in consequence.
Check if the application is in debug mode and try to "exploit" it
Check if the APK allows backups
Is the application saving data insecurely internally or externally?
All the libraries compiled using the PIE flag?
Don't forget that there is a bunch of static Android Analyzers that can help you a lot during this phase.
Is there any unintended data leakage (logging, copy/paste, crash logs)?
Is the application transmitting information in clear text/using weak algorithms? is a MitM possible?
This one is really important, because if you can capture the HTTP traffic you can search for common Web vulnerabilities (Hacktricks has a lot of information about Web vulns).
Check for possible Android Client Side Injections (probably some static code analysis will help here)
Frida: Just Frida, use it to obtain interesting dynamic data from the application (maybe some passwords...)
If you want to know about my latest modifications/additions or you have any suggestion for HackTricks or PEASS, join the 💬 PEASS & HackTricks telegram group here, or follow me on Twitter 🐦@carlospolopm. If you want to share some tricks with the community you can also submit pull requests to https://github.com/carlospolop/hacktricks that will be reflected in this book. Don't forget to give ⭐ on the github to motivate me to continue developing this book.