Mobile Application Penetration Testing Checklist 2016

The OWASP column maps each test to its category in the OWASP Mobile Top 10 (2014 list): M1 Weak Server Side Controls, M2 Insecure Data Storage, M3 Insufficient Transport Layer Protection, M4 Unintended Data Leakage, M5 Poor Authorization and Authentication, M6 Broken Cryptography, M7 Client Side Injection, M8 Security Decisions Via Untrusted Inputs, M9 Improper Session Handling, M10 Lack of Binary Protections.

Client Side – Static and Dynamic analysis

| Test Name | Description | Tool | OWASP | Applicable Platform | Result |
|---|---|---|---|---|---|
| Reverse engineering the application code | Disassemble and decompile the application; check whether the code is obfuscated | apktool, dex2jar, Clutch, class-dump | M10 | All | Issue |
| Hard-coded credentials in source code | Identify sensitive information (credentials, API keys) in the source code | strings, jd-gui, IDA, Hopper | M2 | All | Issue |
| Insecure version of Android OS installation allowed | Identify minSdkVersion in apktool.yml (sdkInfo); the value should be 17 or higher | apktool | M5 | Android | Issue |
| Cryptographic-based storage strength | Identify insecure or deprecated cryptographic algorithms (RC4, MD5, SHA-1) in the source code | jd-gui, YSO, Qark, AndroBugs | M6 | Android | Issue |
| Poor key management process | Identify hard-coded keys in the application; keys may also be recovered through binary attacks | jd-gui, YSO, Qark, AndroBugs | M6 | Android | Issue |
| Use of custom encryption protocols | Identify home-grown encryption schemes or protocols used instead of vetted standard ones | jd-gui, YSO, Qark, AndroBugs | M6 | Android | Issue |
| Unrestricted backup file | Check the android:allowBackup attribute, which should be set to "false" (otherwise adb backup can extract application data) | apktool | M2 | Android | Issue |
| Unencrypted database files | Check whether database files (e.g. SQLite) are encrypted | adb, idb, iFunbox | M2 | All | Issue |
| Insecure shared storage | Identify sensitive data on shared storage: SD card storage encryption, shared preferences created with MODE_WORLD_READABLE | adb, keychaindumper | M2 | All | Issue |
| Insecure application data storage | Identify sensitive data in application files (application log, cache files, cookies) | adb, idb, iFunbox, BinaryCookieReader | M2 | All | Issue |
| Information disclosure through Logcat/Apple System Log (ASL) | Identify sensitive information written to the application log | CatLog, idb, Snoop-it | M4 | All | Issue |
| Application backgrounding (screenshot) | Identify whether the snapshot taken when the application is backgrounded exposes sensitive screen content | adb, iFunbox | M4 | All | Issue |
| URL caching (HTTP request and response) in Cache.db | Identify HTTP requests and responses cached in Cache.db | idb, iFunbox | M4 | iOS | Issue |
| Keyboard press caching | Identify keyboard cache files located in /var/mobile/Library/Keyboard | idb, iFunbox | M4 | iOS | Issue |
| Copy/paste buffer caching | Check whether copy/paste is disabled for sensitive fields of the application (EditText/UITextField) | idb, iFunbox | M4 | All | Issue |
| Remember credentials functionality (persistent authentication) | Identify user passwords or sessions stored on the device | idb, iFunbox | M5 | All | Issue |
| Client-side authentication flaws | Perform binary attacks against the mobile app in order to bypass offline authentication | adb, Drozer, Cycript, Snoop-it, Burp Suite | M5 | All | Issue |
| Client-side authorization breaches | Perform binary attacks against the mobile app and try to execute privileged functionality that should only be available to a user of higher privilege | adb, Drozer, Cycript, Snoop-it, Burp Suite | M5 | All | Issue |
| Insufficient WebView hardening (XSS) | Identify misconfiguration of android.webkit.WebSettings (JavaScript, file access, plugins); XSS through UIWebView | jd-gui, Burp Suite | M7 | All | Issue |
| Content providers: SQL injection and local file inclusion | Identify SQLi and LFI in content provider components | Drozer | M7 | Android | Issue |
| Injection (SQLite injection, XML injection) | Identify SQLi and XMLi in the application | adb, iFunbox, Burp Suite | M7 | All | Issue |
| Local file inclusion through NSFileManager or WebViews | Check for LFI in the application (../, ../../blah\0); WebView file-access attacks through setAllowFileAccess | iDevice, Drozer | M7 | All | Issue |
| Abusing Android components through IPC intents ("exported" and "intent-filter") | Identify exported Android components (android:exported="true", or an intent-filter with android:exported unset) | apktool | M8 | Android | Issue |
| Abusing URL schemes | iOS: identify URL schemes through Info.plist, and Clutch + strings to obtain the URL scheme structures. Android: identify URL schemes through the source code or the APK file | iFunbox, Clutch, strings | M8 | All | Issue |
| Unauthorized code modification | Binary attack through run-time manipulation and code modification | apktool, Frida, Cycript, Snoop-it | M10 | All | Issue |
| Debug the application behaviour through runtime analysis | Identify the android:debuggable attribute; attach GDB/LLDB to the application | adb jdwp, jdb, GDB, LLDB | M10 | All | Issue |
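The manifest items in the table above (minSdkVersion, android:allowBackup, android:debuggable, exported components) can be checked mechanically from the directory apktool produces. The script below is an added example, not code from the page or from apktool: it reads apktool.yml for sdkInfo.minSdkVersion and the decoded AndroidManifest.xml for the other three attributes, and applies the platform's default-export rules (a component with an intent-filter and no explicit android:exported is exported; a provider with no explicit value is exported when minSdkVersion is below 17). The manifest and apktool.yml embedded in it are constructed samples so it runs offline; check_apk_dir() takes a real apktool output directory.

```python
"""Static manifest checks against an apktool output directory.

Added example; not from the original page or from apktool. The embedded
AndroidManifest.xml and apktool.yml are constructed samples.
"""
import os
import re
import tempfile
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
MIN_SDK_REQUIRED = 17  # threshold the checklist uses
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed sample of a decoded manifest carrying several checklist findings.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bank">
  <application android:label="Bank" android:allowBackup="true" android:debuggable="true">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".TransferActivity" android:exported="true"/>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.bank.SYNC"/>
    <provider android:name=".AccountProvider"
              android:authorities="com.example.bank.accounts" android:exported="true"/>
    <receiver android:name=".BootReceiver"/>
  </application>
</manifest>
"""

# Constructed sample of the apktool.yml header written next to the manifest.
SAMPLE_APKTOOL_YML = """version: 2.2.0
apkFileName: bank.apk
sdkInfo:
  minSdkVersion: '14'
  targetSdkVersion: '23'
"""


def _attr(elem, name):
    """Read an android:-namespaced attribute."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def min_sdk_from_apktool_yml(text):
    """Pull sdkInfo.minSdkVersion out of apktool.yml without a YAML library."""
    m = re.search(r"^\s*minSdkVersion:\s*'?(\d+)'?", text, re.MULTILINE)
    return int(m.group(1)) if m else None


def check_manifest(xml_text, min_sdk=None):
    """Return (check, target) findings for the checklist's manifest items."""
    findings = []
    app = ET.fromstring(xml_text).find("application")
    if app is None:
        return findings
    # allowBackup defaults to true, so only an explicit "false" passes.
    if (_attr(app, "allowBackup") or "true").lower() != "false":
        findings.append(("allowBackup", "application"))
    if (_attr(app, "debuggable") or "false").lower() == "true":
        findings.append(("debuggable", "application"))
    for comp in app:
        if comp.tag not in COMPONENT_TAGS:
            continue
        actions = {_attr(a, "name") for f in comp.findall("intent-filter")
                   for a in f.findall("action")}
        if "android.intent.action.MAIN" in actions:
            continue  # the launcher entry point is expected to be exported
        exported = _attr(comp, "exported")
        if exported == "true":
            is_exported = True
        elif exported is None and comp.tag == "provider":
            # Providers with no explicit android:exported are exported when
            # minSdkVersion/targetSdkVersion is 16 or lower.
            is_exported = min_sdk is not None and min_sdk < 17
        elif exported is None:
            # Other components are exported by default once they declare an
            # intent-filter (the rule before API 31).
            is_exported = comp.find("intent-filter") is not None
        else:
            is_exported = False
        if is_exported and _attr(comp, "permission") is None:
            findings.append(("exported-without-permission", _attr(comp, "name")))
    return findings


def check_apk_dir(path):
    """Run every check against an apktool output directory."""
    with open(os.path.join(path, "apktool.yml")) as f:
        min_sdk = min_sdk_from_apktool_yml(f.read())
    with open(os.path.join(path, "AndroidManifest.xml")) as f:
        findings = check_manifest(f.read(), min_sdk)
    if min_sdk is not None and min_sdk < MIN_SDK_REQUIRED:
        findings.insert(0, ("minSdkVersion", str(min_sdk)))
    return findings


def write_sample_dir():
    """Write the constructed samples to a temp dir shaped like apktool output."""
    d = tempfile.mkdtemp(prefix="apktool_sample_")
    with open(os.path.join(d, "apktool.yml"), "w") as f:
        f.write(SAMPLE_APKTOOL_YML)
    with open(os.path.join(d, "AndroidManifest.xml"), "w") as f:
        f.write(SAMPLE_MANIFEST)
    return d


if __name__ == "__main__":
    for check, target in check_apk_dir(write_sample_dir()):
        print("%-28s %s" % (check, target))
```

On the sample it reports minSdkVersion 14, allowBackup, debuggable, and two exported components without a guarding permission (TransferActivity and AccountProvider); SyncService is exported but protected by android:permission, and the launcher activity is skipped on purpose. Run it against `apktool d app.apk` output to get the same five checks on a real target; exported components still need to be exercised with Drozer, since a permission attribute proves nothing about what the component does with its input.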
Communication Channel

| Test Name | Description | Tool | OWASP | Applicable Platform | Result |
|---|---|---|---|---|---|
| Insecure transport layer protocols | Observe the device's network traffic through a proxy to determine whether SSL/TLS is used at all | Burp Suite | M3 | All | Issue |
| SSL/TLS weak encryption | Identify weak SSL/TLS protocol versions and cipher suites offered by the backend | testssl.sh, Qualys SSL Labs | M3 | All | Issue |
| Disabled certificate validation | The tester can intercept SSL traffic without installing a certificate on the device; look for a custom TrustManager whose checkServerTrusted body is empty (accepts any chain) | jd-gui, YSO, Qark, AndroBugs | M3 | All | Issue |
| Self-signed certificate / no certificate pinning | The application accepts a self-signed certificate, or, with the Burp Suite CA installed on the device, any certificate from a trusted CA. Check setAllowsAnyHTTPSCertificate:forHost: (iOS) and AllowAllHostnameVerifier / ALLOW_ALL_HOSTNAME_VERIFIER (Android) | jd-gui, YSO, Qark, AndroBugs | M3 | All | Issue |
| Exposing device-specific identifiers in attacker-visible elements | Observe the device's network traffic through a proxy to determine whether device identifiers (e.g. UDID) are sent | Burp Suite | M4 | All | Issue |
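The crypto rows in the client-side table (RC4/MD5/SHA-1, hard-coded keys) and the certificate-validation rows above are all found the same way: by searching decompiled source for a handful of API patterns. The scanner below is an added example, not code from the page or from Qark/AndroBugs/YSO (which do this more thoroughly); it runs over text from jd-gui/dex2jar on Android or strings/Hopper output on iOS. The Java and Objective-C snippets inside it are constructed samples, not decompiled from any real app. Note that the fix for every TLS hit is to delete the custom TrustManager/HostnameVerifier or delegate override rather than patch it, and to pin the server certificate if the threat model calls for it.

```python
"""Pattern scan over decompiled source for weak crypto and TLS bypasses.

Added example; not from the original page or from any scanner named there.
The sample source strings are constructed.
"""
import re

# (rule id, regex). \s crosses line breaks, so a method body that opens on
# one line and closes on the next still matches.
RULES = [
    ("weak-cipher",
     r'Cipher\.getInstance\(\s*"(?:RC4|ARCFOUR|DES|DESede|Blowfish|[A-Za-z0-9]+/ECB|AES")'),
    ("weak-hash",
     r'MessageDigest\.getInstance\(\s*"(?:MD2|MD5|SHA-?1)"'),
    ("hardcoded-key",
     r'(?:SecretKeySpec|IvParameterSpec)\(\s*"[^"]+"\.getBytes'),
    ("trust-all-certs",
     r'checkServerTrusted\s*\([^)]*\)\s*(?:throws[^{]*)?\{\s*\}'),
    ("hostname-verifier-disabled",
     r'ALLOW_ALL_HOSTNAME_VERIFIER|AllowAllHostnameVerifier'
     r'|verify\s*\([^)]*\)\s*\{\s*return\s+true\s*;\s*\}'),
    ("ios-any-cert",
     r'setAllowsAnyHTTPSCertificate|continueWithoutCredentialForAuthenticationChallenge'
     r'|kCFStreamSSLValidatesCertificateChain'),
]
COMPILED = [(rid, re.compile(rx, re.MULTILINE)) for rid, rx in RULES]

SAMPLE_JAVA = """// constructed sample in the shape of jd-gui output, not a real app
public class NoSSL implements X509TrustManager {
    public void checkServerTrusted(X509Certificate[] chain, String authType) {
    }
    public void checkClientTrusted(X509Certificate[] chain, String authType) {}
    public X509Certificate[] getAcceptedIssuers() { return null; }
}
HostnameVerifier hv = SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER;
Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
MessageDigest md = MessageDigest.getInstance("MD5");
SecretKeySpec key = new SecretKeySpec("0123456789abcdef".getBytes(), "AES");
Cipher ok = Cipher.getInstance("AES/GCM/NoPadding");
"""

SAMPLE_OBJC = """// constructed sample: private API that disables certificate checks
[NSURLRequest setAllowsAnyHTTPSCertificate:YES forHost:[url host]];
"""


def scan_source(text):
    """Return [(rule id, line number)] sorted by line, one entry per match."""
    hits = []
    for rid, rx in COMPILED:
        for m in rx.finditer(text):
            line = text.count("\n", 0, m.start()) + 1
            hits.append((rid, line))
    return sorted(hits, key=lambda h: h[1])


def scan_file(path):
    """Scan one decompiled source file; returns (path, rule, line) tuples."""
    with open(path, encoding="utf-8", errors="replace") as f:
        return [(path, rid, line) for rid, line in scan_source(f.read())]


if __name__ == "__main__":
    for name, src in (("sample.java", SAMPLE_JAVA), ("sample.m", SAMPLE_OBJC)):
        for rid, line in scan_source(src):
            print("%s:%d: %s" % (name, line, rid))
```

A bare "AES" transformation is flagged on purpose: without an explicit mode the JCE default is ECB. Expect false positives from the hostname-verifier rule on unrelated verify() methods, and expect to miss reflection-based or obfuscated call sites; the scan narrows where to read, it does not replace reading.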
Server Side – Webservices and API

| Test Name | Description | Tool | OWASP | Applicable Platform | Result |
|---|---|---|---|---|---|
| Excessive open ports at the firewall | Identify open ports on the server-side URL/IP address | Nmap | M1 | All | Issue |
| Default credentials on the application server | Identify default credentials on the backend server (e.g. Tomcat with tomcat/tomcat or admin/tomcat) | Web browser | M1 | All | Issue |
| Exposure of web services through WSDL documents | Identify web service description pages (WSDL, *.asmx help pages) that reveal available methods and message structure | Web browser | M1 | All | Issue |
| Security misconfiguration on the web server | Identify web server configuration weaknesses (e.g. verbose error handling, HTTP response banners) | Web browser, Burp Suite | M1 | All | Issue |
| Input validation on the API | Check input validation on API/web service parameters | Burp Suite | M1 | All | Issue |
| Information exposure through API response messages | Identify sensitive information in API response bodies and headers | Burp Suite | M1 | All | Issue |
| Business logic flaws | Identify missing function-level access control; negative value testing | Burp Suite | M5 | All | Issue |
| Session invalidation on the backend | Ensure that all session invalidation events are executed on the server side and not just in the mobile app | Burp Suite | M9 | All | Issue |
| Session timeout protection | The mobile app must have adequate timeout protection on the backend components | Burp Suite | M9 | All | Issue |
| Cookie rotation | Ensure that session cookies are reset on every authentication state change (anonymous to user, user A to user B, timeout) | Burp Suite | M9 | All | Issue |
| Token creation | Session tokens should be generated by a standard algorithm and be sufficiently long, complex and pseudo-random so as to resist guessing and prediction attacks | Burp Suite | M9 | All | Issue |
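The "Token creation" row asks whether captured session tokens are long and unpredictable, which is what Burp Sequencer estimates from a large sample. The script below is an added example, not from the page, of the cheap checks a tester can run on a handful of tokens before reaching for Sequencer: bits implied by the alphabet and length, per-position Shannon entropy across the samples, a counter test on trailing digits, and a shared-prefix test. The three token sets are constructed (an incrementing counter, short alphanumeric tokens, and SHA-256 prefixes standing in for CSPRNG output); in practice the input is tokens captured with Burp Suite across many logins, and the entropy figure is only a lower bound until the sample is large.

```python
"""Heuristic session-token strength checks.

Added example; not from the original page. Token sets are constructed.
"""
import hashlib
import math
import os
import re
import string
from collections import Counter

WEAK_SEQUENTIAL = ["session%d" % i for i in range(1001, 1009)]
WEAK_SHORT = ["aB3xK9qZ", "Q7mLp2Rv", "zT5hW8cN", "e1Yk4JsD", "M6uFb0Gi", "r9Xn3Ht5"]
# Deterministic stand-in for 32-hex-char CSPRNG tokens (constructed, not real).
STRONG = [hashlib.sha256(b"sample-token-%d" % i).hexdigest()[:32] for i in range(16)]


def alphabet_bits(tokens):
    """Bits per character implied by the smallest standard alphabet that
    covers every character seen across the samples."""
    chars = set("".join(tokens))
    if chars <= set(string.digits):
        return math.log2(10)
    if chars <= set(string.hexdigits):
        return 4.0
    if chars <= set(string.ascii_letters + string.digits):
        return math.log2(62)
    if chars <= set(string.ascii_letters + string.digits + "+/=-_."):
        return 6.0
    return math.log2(95)  # full printable ASCII


def positional_entropy_bits(tokens):
    """Sum over character positions of the Shannon entropy observed across
    the samples. Each position can show at most log2(len(tokens)) bits, so
    this is a lower bound that needs many samples to approach the truth."""
    n = len(tokens)
    total = 0.0
    for i in range(min(len(t) for t in tokens)):
        counts = Counter(t[i] for t in tokens)
        total -= sum(c / n * math.log2(c / n) for c in counts.values())
    return total


def is_sequential(tokens):
    """True when every token ends in digits forming an arithmetic progression."""
    tails = [re.search(r"(\d+)$", t) for t in tokens]
    if len(tokens) < 3 or not all(tails):
        return False
    vals = sorted(int(m.group(1)) for m in tails)
    diffs = {b - a for a, b in zip(vals, vals[1:])}
    return len(diffs) == 1 and diffs.pop() > 0


def assess(tokens, min_bits=64):
    """Measurements plus the list of issues the checklist row cares about."""
    min_len = min(len(t) for t in tokens)
    theoretical = alphabet_bits(tokens) * min_len
    observed = positional_entropy_bits(tokens)
    # Most entropy this many samples could ever reveal.
    cap = min(theoretical, min_len * math.log2(len(tokens)))
    prefix = os.path.commonprefix(tokens)
    issues = []
    if theoretical < min_bits:
        issues.append("short")
    if is_sequential(tokens):
        issues.append("sequential")
    if len(prefix) >= max(1, min_len // 2):
        issues.append("shared-prefix")
    if observed < 0.5 * cap:
        issues.append("low-entropy")
    return {"theoretical_bits": theoretical, "observed_bits": observed,
            "common_prefix": prefix, "issues": issues}


if __name__ == "__main__":
    for name, toks in (("sequential", WEAK_SEQUENTIAL), ("short", WEAK_SHORT),
                       ("strong", STRONG)):
        r = assess(toks)
        print("%-10s theoretical=%.1f observed=%.1f issues=%s"
              % (name, r["theoretical_bits"], r["observed_bits"], r["issues"]))
```

The counter set fails three ways at once (sequential, a ten-character shared prefix, and 3 observed bits out of 33 observable), the eight-character set passes the entropy tests but is flagged as short because 62^8 is under 2^48, and the 128-bit hex set passes everything. A clean result here is necessary, not sufficient: a token can be long and random yet still be accepted after logout, which the two session rows above cover.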