Hey Azher,
Any app-level security tests are going to be fine: injection, CSRF, XSS, etc., will be fine to test, since we don't monitor or prevent this in any way. It's up to app developers to safeguard from these app-level vulnerabilities.
However, when it comes to DOS, be aware that our infrastructure does actively prevent these, as you can read in the Security Whitepaper:
All traffic is routed through custom GFE (Google Front End) servers to detect and stop malicious requests and Distributed Denial of Service (DDoS) attacks.
Conducting a (D)DOS attack, whether "real" or a "test" (they're ultimately identical in terms of network packets), will have the result of potentially rousing the infrastructure security systems from slumber, and might result in black-listing the IPs you used as your launchpad for the (D)DOS.
Additionally, note that attempting to break out of the security sandbox is of course in violation of the Terms of Service, and you'll want to take a look at that as well before proceeding.
Do you have any further questions related to security and pen-testing?
-- Nick