APP Shields Online

Security Check

Anti-reverse engineering

Source code obfuscation

Check whether the source code is obfuscated.
Decompilers and binary inspection tools such as IDA Pro, Hopper and otool give an attacker insight into the inner workings of the application. That insight can be used to find and exploit latent vulnerabilities in the application, and it reveals information about back-end servers, cryptographic constants and ciphers, and intellectual property. Obfuscation raises the cost of this analysis; it does not prevent it, so it must not be the only protection for secrets or business logic.

Tamper-proof verification

Check whether the app's integrity can be easily forged.
If the source code or binary image can be modified and repackaged without detection, authentication and authorization checks can be bypassed, paid services used without charge, and billing information manipulated. Beyond that, a repackaged copy of the app carrying malicious code that steals private information can be distributed as a phishing app.
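The integrity check above, as an added example that is not part of the APP Shields tool or page: a minimal APK is built in memory with a v1 (JAR-style) META-INF/MANIFEST.MF, one entry is then replaced or added without re-signing, and the digest check reports the change. Everything here is constructed (entry names, contents, the manifest writer); a real APK from Android 7 onward is also covered by an APK Signing Block (scheme v2/v3) that this code does not parse, and the manifest digests alone do not prove who signed the app, only that the listed entries are unchanged.

```python
import base64
import hashlib
import io
import zipfile

# Constructed sample entries for an in-memory "APK". A real APK has far more
# entries; this only models the parts the v1 (JAR) manifest digests cover.
SAMPLE_ENTRIES = {
    "AndroidManifest.xml": b"<manifest package='com.example.demo'/>",
    "classes.dex": b"dex\n035\x00" + bytes(64),
    "res/layout/main.xml": b"<LinearLayout/>",
}


def _digest(data: bytes) -> str:
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def build_manifest_mf(entries: dict) -> bytes:
    """Write a META-INF/MANIFEST.MF with one SHA-256-Digest section per entry.
    (Real manifests wrap lines longer than 72 bytes; the names here are short.)"""
    lines = ["Manifest-Version: 1.0", "Created-By: example", ""]
    for name, data in sorted(entries.items()):
        lines += [f"Name: {name}", f"SHA-256-Digest: {_digest(data)}", ""]
    return "\r\n".join(lines).encode()


def build_apk(entries: dict) -> bytes:
    """Pack the entries plus their manifest into a ZIP, as a v1 signer would."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", build_manifest_mf(entries))
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def parse_manifest_mf(raw: bytes) -> dict:
    """Map entry name -> expected base64 SHA-256 digest."""
    expected, name = {}, None
    for line in raw.decode().splitlines():
        if line.startswith("Name: "):
            name = line[len("Name: "):]
        elif line.startswith("SHA-256-Digest: ") and name:
            expected[name] = line[len("SHA-256-Digest: "):]
        elif not line:
            name = None
    return expected


def verify_digests(apk_bytes: bytes) -> list:
    """Return the entries whose contents no longer match MANIFEST.MF.

    Entries missing from the manifest are reported too: an attacker can add
    files (for example a second dex) without touching any existing digest.
    """
    problems = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        expected = parse_manifest_mf(zf.read("META-INF/MANIFEST.MF"))
        for info in zf.infolist():
            if info.filename.startswith("META-INF/"):
                continue
            if info.filename not in expected:
                problems.append(f"{info.filename}: not covered by MANIFEST.MF")
            elif expected[info.filename] != _digest(zf.read(info)):
                problems.append(f"{info.filename}: digest mismatch")
    return problems


def repack(apk_bytes: bytes, name: str, new_data: bytes) -> bytes:
    """Replace (or add) one entry and rebuild the ZIP without re-signing,
    which is exactly what a tamperer does."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        present = False
        for info in src.infolist():
            present = present or info.filename == name
            dst.writestr(info.filename, new_data if info.filename == name else src.read(info))
        if not present:
            dst.writestr(name, new_data)
    return out.getvalue()


if __name__ == "__main__":
    apk = build_apk(SAMPLE_ENTRIES)
    print("original:", verify_digests(apk) or "ok")
    patched = repack(apk, "classes.dex", b"dex\n035\x00" + b"\x90" * 64)
    print("repacked:", verify_digests(patched))
```

The point for the app itself is the mirror image: a release build should verify at runtime that it is still signed by the expected certificate (comparing the signing certificate's hash against a pinned value), because the digest check shown here is trivially "repaired" by re-signing with the attacker's own key.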

Security of stored data

Issues about the database

Check whether the app uses a database and whether the data in it is encrypted.
Data stored in an app-private database can be copied to a PC from a rooted device. Sensitive data (e.g. passwords, encryption keys, credentials) must therefore be encrypted before it is written to the database, with the key held outside the database (for example in the Android Keystore) rather than next to the data it protects.

Issues about Shared Preferences

Check whether the app uses Shared Preferences and whether the data in them is encrypted.
Shared Preferences are plain XML files in the app's private directory and can be copied to a PC from a rooted device. Sensitive data (e.g. passwords, encryption keys, credentials) must therefore be encrypted before it is stored in Shared Preferences.

Encryption of data in external storage

Check whether data written to external storage is encrypted.
Data on external storage is readable by other apps and by anyone who connects the device to a PC; no root is needed. Sensitive data (e.g. passwords, encryption keys, credentials) must therefore be encrypted before it is written to external storage, and preferably not written there at all.
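How the three storage checks above can be automated once the files have been pulled from a rooted device, as an added example that is not part of the page or the tool: a scan of a Shared Preferences XML file and of a SQLite database that flags sensitively named keys or columns whose values do not look like ciphertext. The sample preferences file, the `accounts` table, the key-name pattern and the entropy threshold are all constructed assumptions; the heuristic screens for obvious plaintext (short or low-entropy values under names like `password`, `token`, `api_key`) and will miss a long random token stored as-is.

```python
import base64
import math
import re
import sqlite3
import xml.etree.ElementTree as ET

SENSITIVE_KEY = re.compile(
    r"pass(word|wd)?|pwd|secret|token|api[_-]?key|credential|private[_-]?key", re.I)
BASE64_CHARS = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is the maximum for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_ciphertext(value: str) -> bool:
    """Heuristic: base64 of at least 16 bytes whose bytes are high-entropy.

    Plaintext passwords fail the charset or length test and repetitive values
    fail the entropy test. A long random API token stored as-is would pass,
    so this screens for the obvious cases; it does not prove encryption.
    """
    if len(value) < 24 or len(value) % 4 or not BASE64_CHARS.match(value):
        return False
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:
        return False
    return len(raw) >= 16 and shannon_entropy(raw) >= 3.5


def scan_pairs(source: str, pairs) -> list:
    return [f"{source}: '{key}' stored in plaintext"
            for key, value in pairs
            if key and SENSITIVE_KEY.search(key) and not looks_like_ciphertext(str(value))]


def scan_shared_prefs(xml_text: str) -> list:
    """Parse a shared_prefs/*.xml pulled from the device and scan it.
    <string> entries carry the value as text; other types use a value attribute."""
    root = ET.fromstring(xml_text)
    pairs = [(el.get("name"), el.text if el.text is not None else el.get("value", ""))
             for el in root]
    return scan_pairs("shared_prefs", pairs)


def scan_sqlite(conn: sqlite3.Connection) -> list:
    """Scan every table, treating column names as keys and cell values as values."""
    findings = []
    tables = [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        cols = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
        for row in conn.execute(f'SELECT * FROM "{table}"'):
            findings += scan_pairs(f"db.{table}", zip(cols, row))
    return findings


# Constructed stand-in for a ciphertext: 32 distinct bytes, base64-encoded.
FAKE_CIPHERTEXT = base64.b64encode(bytes(range(32))).decode()

# Constructed sample of /data/data/com.example.demo/shared_prefs/session.xml
SAMPLE_PREFS = f"""<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="username">alice</string>
    <string name="password">hunter2</string>
    <string name="session_token">{FAKE_CIPHERTEXT}</string>
    <boolean name="remember_me" value="true" />
</map>"""


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory copy of what an app database might hold."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER, login TEXT, password TEXT, api_key TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?, ?)", [
        (1, "alice", "hunter2", FAKE_CIPHERTEXT),
        (2, "bob", FAKE_CIPHERTEXT, "plain-api-key-1234"),
    ])
    return conn


if __name__ == "__main__":
    for finding in scan_shared_prefs(SAMPLE_PREFS) + scan_sqlite(build_sample_db()):
        print(finding)
```

A hit on a sensitively named key is worth confirming by hand: the name-based filter is what keeps the noise down, so a credential stored under an innocuous key (`s1`, `cfg`) will not be reported, and on an engagement the whole file is still worth reading.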

Security of resources

Sensitive data exposed in resources

Check whether resources are stored unencrypted.
Resource files (e.g. images, video) can be extracted simply by unzipping the APK. Business information, intellectual property and other important data shipped as resources should therefore be encrypted.

Secure coding

Hard-coding of sensitive data

Check whether important information is visible in the code.
Important information (URLs, passwords, encryption keys) hard-coded as string constants is found in minutes by decompiling the APK. Such data should not be embedded in the code; the options are to move it into a resource or to protect it with a string-encryption API. Note that a resource is just as easy to extract as a string constant, and an encrypted string ships with its decryption key inside the same APK, so both only raise the effort for an attacker. Secrets that must stay secret belong on the server side.
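A scanner for the check above, written for this page as an added example (it is not the tool's own logic): it runs over decompiled Java source and over a decoded `res/values/strings.xml` and reports URLs, assignments to credential-like names, key-sized hex or base64 literals, and sensitively named resource strings. Both input samples are constructed, and the name list and length thresholds are assumptions to be tuned per target. The second sample is there to make the point that moving a secret into a resource does not hide it.

```python
import re

SENSITIVE_NAME = r"\w*(?:password|passwd|secret|api_?key|token)\w*"

# Each pattern's first capture group is what gets reported.
PATTERNS = {
    "url": re.compile(r'"(https?://[^"\s]+)"'),
    "credential assignment": re.compile(
        rf'(?i)\b({SENSITIVE_NAME})\s*=\s*"[^"]{{4,}}"'),
    "key-like literal": re.compile(r'"([A-Fa-f0-9]{32,}|[A-Za-z0-9+/]{40,}={0,2})"'),
    "sensitive resource string": re.compile(
        rf'(?i)<string name="({SENSITIVE_NAME})"'),
}

# Constructed sample of what decompiled output of a config class looks like.
SAMPLE_DECOMPILED = """public class Config {
    private static final String API_BASE = "https://api.example.com/v1";
    private static final String ADMIN_PASSWORD = "Sup3rSecret!";
    private static final byte[] AES_KEY = hexToBytes("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff");
    private static final String APP_NAME = "Demo";
}"""

# Constructed sample of a decoded res/values/strings.xml.
SAMPLE_STRINGS_XML = """<resources>
    <string name="app_name">Demo</string>
    <string name="backend_api_key">c2VjcmV0LWtleS0xMjM0</string>
</resources>"""


def scan_source(text: str) -> list:
    """Return (line number, finding kind, matched text) for every hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append((lineno, kind, m.group(1)))
    return findings


if __name__ == "__main__":
    for source, text in (("Config.java", SAMPLE_DECOMPILED), ("strings.xml", SAMPLE_STRINGS_XML)):
        for lineno, kind, hit in scan_source(text):
            print(f"{source}:{lineno}: {kind}: {hit}")
```

On a real target the same function is run over every file apktool or jadx produces; the URL hits are the starting list for the back-end assessment, and each credential hit should be checked for whether it is actually used (dead constants left from development are common but still leak).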

Debug information left in the build

Check whether the app still contains debugging artifacts such as a debuggable flag, debug symbols or logging calls.
Log output and debug information, useful during development, give an attacker clues when reverse engineering the app, and logging of request or response bodies can leak credentials directly through logcat. A release build should be non-debuggable and should not log sensitive values.

Encrypted communication

Check whether the communication channel is protected by SSL/TLS.
Credentials and other sensitive data must be sent over an encrypted channel; otherwise the plaintext traffic can be read with a packet sniffer. Encryption alone is not enough: the app must also validate the server certificate and hostname, since a trust-all TrustManager or hostname verifier lets an attacker on the network terminate the TLS connection themselves.

Unprivileged access to local data

Check the access control on Content Providers and Shared Preferences.
On Android, if a ContentProvider is exported without a protecting permission, or a Shared Preferences file is created world-readable, an unprivileged app can read the target app's local data without difficulty.

App permission control

Check the permissions the app requests.
If the app is granted unnecessary or excessive permissions, an attacker who compromises the app inherits them, so a single vulnerability turns into data leakage, tampering or worse with a reach beyond what the app's function requires.

Access control of Activity, Service

Check whether Activities and Services can be started without any privilege.
Activities and Services implement screens and background work and are normally intended for internal use only. If they are exported without protection, a malicious app can start them with crafted intents to trigger unintended behaviour or a malfunction, or reach device-administration settings through them. Such components should be made non-exported, protected with a permission, or reachable only indirectly through a protected component.

Sensitive data in Broadcast message

Check whether sensitive data is broadcast, and whether any Receiver accepts broadcasts from any sender.
If a broadcast is not addressed to a specific target (an explicit intent or a permission-restricted send), or a Receiver's protection level is low, an attacker's app can inject crafted messages that the Receiver processes, causing a malfunction, and any app on the device can sniff the contents of the broadcast.
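A manifest audit covering the debuggable flag, cleartext traffic, unprotected exported components (Activities, Services, Receivers, Providers) and high-risk permissions from the checks above, written for this page as an added example rather than the tool's own implementation. It assumes the binary AndroidManifest.xml has already been decoded to text (apktool or `aapt2 dump xmltree`), and the sample manifest and the high-risk permission shortlist are constructed; the shortlist is a reviewer's pick, not Android's full dangerous-permission list. The default-export rules applied are the platform's: a component with an intent-filter and no android:exported is exported below targetSdk 31 (explicit since Android 12), and a provider without android:exported is exported below targetSdk 17. The sender side of the broadcast check (an implicit sendBroadcast carrying data) is not visible in the manifest and needs a pass over the decompiled code.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")

# Reviewer's shortlist (assumption): permissions that always deserve a "why?".
HIGH_RISK_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.REQUEST_INSTALL_PACKAGES",
}


def attr(el, name):
    return el.get(f"{{{ANDROID_NS}}}{name}")


def is_launcher(comp) -> bool:
    """The MAIN/LAUNCHER activity is exported on purpose; do not report it."""
    for f in comp.findall("intent-filter"):
        actions = {attr(x, "name") for x in f.findall("action")}
        categories = {attr(x, "name") for x in f.findall("category")}
        if "android.intent.action.MAIN" in actions and "android.intent.category.LAUNCHER" in categories:
            return True
    return False


def is_exported(comp, target_sdk: int) -> bool:
    """Apply the platform defaults when android:exported is not declared."""
    exported = attr(comp, "exported")
    if exported is not None:
        return exported == "true"
    if comp.tag == "provider":
        return target_sdk < 17
    return comp.find("intent-filter") is not None and target_sdk < 31


def audit_manifest(xml_text: str) -> list:
    root = ET.fromstring(xml_text)
    findings = []
    sdk = root.find("uses-sdk")
    target_sdk = int(attr(sdk, "targetSdkVersion") or 1) if sdk is not None else 1
    app = root.find("application")
    if app is not None:
        if attr(app, "debuggable") == "true":
            findings.append("application: android:debuggable=true")
        if attr(app, "usesCleartextTraffic") == "true":
            findings.append("application: android:usesCleartextTraffic=true")
        for comp in app:  # direct children only: components, meta-data, etc.
            if comp.tag in COMPONENT_TAGS and is_exported(comp, target_sdk) \
                    and not attr(comp, "permission") and not is_launcher(comp):
                findings.append(f"{comp.tag} {attr(comp, 'name')}: exported without android:permission")
    for up in root.findall("uses-permission"):
        name = attr(up, "name")
        if name in HIGH_RISK_PERMISSIONS:
            findings.append(f"uses-permission {name}: high-risk, confirm it is needed")
    return findings


# Constructed sample manifest with one of each problem.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="30"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:debuggable="true" android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".AdminActivity" android:exported="true"/>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.demo.SYNC"/>
    <receiver android:name=".OtpReceiver">
      <intent-filter><action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter>
    </receiver>
    <provider android:name=".DataProvider" android:authorities="com.example.demo.data"
              android:exported="true"/>
  </application>
</manifest>"""


if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST):
        print(finding)
```

`.SyncService` is exported but not reported because it declares `android:permission`; that is the fix the page recommends for components that must stay reachable from outside, and `android:exported="false"` is the fix for everything else. An exported receiver for `SMS_RECEIVED` is legitimate only because the system sends that broadcast; pair it with the `android.permission.BROADCAST_SMS` sender permission so that other apps cannot spoof it.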