| Penetration testing checklist based on OWASP Top 10 Mobile 2016 | ||
| M1. Improper Platform Usage | Test Name | Result |
| M1-01 | Misuse of App permissions | Issue |
| M1-02 | Insecure version of OS Installation Allowed | Issue |
| M1-03 | Abusing Android Components through IPC intents ("exported" and "intent-filter") | Issue |
| M1-04 | Misuse of Keychain , Touch ID and other security related controls | Issue |
| M1-05 | Minimum Device Security Requirements absent | Issue |
| M1-06 | Excessive port opened at Firewall | Issue |
| M1-07 | Default credentials on Application Server | Issue |
| M1-08 | Weak password policy Implementation | Issue |
| M1-09 | Exposure of Webservices through WSDL document | Issue |
| M1-10 | Security Misconfiguration on Server API | Issue |
| M1-11 | Security Patching on Server API | Issue |
| M1-12 | Input validation on API | Issue |
| M1-13 | Information Exposure through API response message | Issue |
| M1-14 | Control of interaction frequency on API (Replay Attack) | Issue |
| M2. Insecure Data Storage | Test Name | Result |
| M2-01 | Unrestricted Backup file | Issue |
| M2-02 | Unencrypted Database files | Issue |
| M2-03 | Insecure Shared Storage | Issue |
| M2-04 | Insecure Application Data Storage | Issue |
| M2-05 | Information Disclosure through Logcat/Apple System Log (ASL) | Issue |
| M2-06 | Application Backgrounding (Screenshot) | Issue |
| M2-07 | Copy/Paste Buffer Caching | Issue |
| M2-08 | Keyboard Press Caching | Issue |
| M3. Insecure Communication | Test Name | Result |
| M3-01 | Insecure Transport Layer Protocols | Issue |
| M3-02 | Use of Insecure and Deprecated algorithms | Issue |
| M3-03 | Use of Disabling certificate validation | Issue |
| M3-04 | SSL pinning Implementation | Issue |
| M3-05 | End-to-end encryption | Issue |
| M4. Insecure Authentication | Test Name | Result |
| M4-01 | Remember Credentials Functionality (Persistent authentication) | Issue |
| M4-02 | Client Side Based Authentication Flaws | Issue |
| M4-03 | Session invalidation on Backend | Issue |
| M4-04 | Session Timeout Protection | Issue |
| M4-05 | Cookie Rotation | Issue |
| M4-06 | Multiple concurrent logins | Issue |
| M4-07 | Exposing Device Specific Identifiers in Attacker Visible Elements | Issue |
| M5. Insufficient Cryptography | Test Name | Result |
| M5-01 | Cryptographic Based Storage Strength | Issue |
| M5-02 | Poor key management process | Issue |
| M5-03 | Use of custom encryption protocols | Issue |
| M5-04 | Token/Session Creation and handling | Issue |
| M6. Insecure Authorization | Test Name | Result |
| M6-01 | Client Side Authorization Breaches | Issue |
| M6-02 | Insecure Direct Object references | Issue |
| M6-03 | Missing function level access control | Issue |
| M6-04 | Bypassing business logic flaws | Issue |
| M7 Client Code Quality | Test Name | Result |
| M7-01 | Content Providers: SQL Injection and Local File Inclusion | Issue |
| M7-02 | Broadcast Receiver | Issue |
| M7-03 | Service component | Issue |
| M7-04 | Insufficient WebView hardening | Issue |
| M7-05 | Injection (SQLite Injection, XML Injection) | Issue |
| M7-06 | Local File Inclusion through NSFileManager or Webviews | |
| M7-07 | Abusing URL schemes or Deeplinks | |
| M7-08 | Sensitive Information Masking | Issue |
| M8. Code Tampering | Test Name | Result |
| M8-01 | Unauthorized Code Modification | Issue |
| M8-02 | Runtime Manipulation | Issue |
| M8-03 | Rooted or Jail-broken device checking | Issue |
| M9. Reverse Engineering | Test Name | Result |
| M9-01 | Reverse Engineering the Application Code (Code Obfuscating Checking) | Issue |
| M9-02 | Information leakage/Hardcoded credential in the binaries | Issue |
| M10. Extraneous Functionality | Test Name | Result |
| M10-01 | Debuggable Application | Issue |
| M10-02 | Passwords/ Connection String disclosure | Issue |
| M10-03 | Hidden and Unscrutinised functionalities | Issue |
| Penetration testing checklist based on OWASP Top 10 Mobile 2016 | ||||||
| Static analysis | Test Name | Description | Tool | Applicable Platform | OWASP | Result |
|
Reverse Engineering the Application Code (Code Obfuscating Checking) |
Disassembling and Decompiling the application | apktool, dex2jar, Clutch, Classdump | All | M9 | Issue | |
| Information leakage/Hardcoded credential in the binaries | Identify sensitive information through binary/source code | string, jdgui, IDA, Hopper | All | M9 | Issue | |
| Unauthorized Code Modification | Static code modification, Binary patching, Bypass check sum mechanism | apktool, Hopper | All | M8 | Issue | |
| Misuse of App permissions | Identify excessive App permissions | apktool, MobSF | Android | M1 | Issue | |
| Insecure version of OS Installation Allowed | Identify "minSdkVersion" on apktool.yml, the value be set over than 17. For iOS, identify minOS using idb. | apktool, idb | All | M1 | Issue | |
|
Abusing Android Components through IPC intents ("exported" and "intent-filter") |
Identify android exported components | MobSF Androidmanifest.xml |
Android | M1 | Issue | |
| Unrestricted Backup file | Check "android:allowBackup" attribute which should be set to "false" | apktool Androidmanifest.xml |
Android | M2 | Issue | |
| Cryptographic Based Storage Strength | Identify insecure/deprecated cryptographic algorithms (RC4, MD5, SHA1) on sourcecode | jdgui, MobSF, Qark, Hopper, iFunbox | All | M5 | Issue | |
| Poor key management process | Identify hardcoded key in application or Keys may be intercepted via Binary attacks | jdgui, MobSF, Qark, Hopper, iFunbox | All | M5 | Issue | |
| Use of custom encryption protocols | Identify implementing their own protocol | jdgui, MobSF, Qark, Hopper, iFunbox | All | M5 | Issue | |
| Debuggable Application | Identify "android:debuggable" attribute | adb, MobSF | Android | M10 | Issue | |
|
Dynamic and Runtime analysis |
Test Name | Description | Tool | Applicable Platform | OWASP | Result |
|
Misuse of Keychain , Touch ID and other security related controls |
Identify misuse of Data protection API on Keychain, Misuse of TouchID (Retrieve credentials from Local Storage, Local Authen) |
iDevice | iOS | M1 | Issue | |
| Minimum Device Security Requirements absent | Ensure that app cannot execute when the PIN or Pattern lock is not enabled. | Device | All | M1 | Issue | |
| Unencrypted Database files | Check encryption on database files | adb, idb, iFunbox | All | M2 | Issue | |
| Insecure Shared Storage |
Identify Sensitive Data on Shared Storage, SD card storage encryption, Shared preferences MODE_WORLD_READABLE |
adb | Android | M2 | Issue | |
| Insecure Application Data Storage | Identify Sensitive Data in application files (application log, Cache file, Cookie) | adb, idb, iFunbox,BinaryCookieReader | All | M2 | Issue | |
| Information Disclosure through Logcat/Apple System Log (ASL) | Identify sensitive information through application log | adb logcat, idb, libimobiledevice | All | M2 | Issue | |
| Application Backgrounding (Screenshot) | Identify application snapshot/screenshot backgrounding | Device, iFunbox | All | M2 | Issue | |
| Copy/Paste Buffer Caching | Identify disabling Copy/Paste function for sensitive part of the application on EditText/UITextField | idb, iFunbox | All | M2 | Issue | |
| Keyboard Press Caching | Identify keyboard cache file located in: /var/mobile/Library/Keyboard /data/data/com.android.providers.userdictionary/databases/user_dict.db |
Device, idb, iFunbox | All | M2 | Issue | |
| Unrestricted Backup file | For Android, Check "android:allowBackup" attribute which should be set to "false" For iOS, Use iTune to backup application folder in order to check sensitive info from backup folder |
apktool,iPhone Backup Extractor | All | M2 | Issue | |
| Remember Credentials Functionality (Persistent authentication) | Identify user's password or sessions on the device | adb, idb, iFunbox | All | M4 | Issue | |
| Client Side Based Authentication Flaws | Perform binary attacks against the mobile app in order to bypass offline authentication | adb, Drozer, Cycript, Snoop-it, Burpsuite | All | M4 | Issue | |
| Client Side Authorization Breaches |
Perform binary attacks against the mobile app and try to execute privileged functionality that should only be executable with a user of higher privilege |
adb, Drozer, Cycript, Snoop-it, Burpsuite | All | M6 | Issue | |
| Content Providers: SQL Injection and Local File Inclusion | Identify SQLi and LFI on Content provider component | Drozer | Android | M7 | Issue | |
| Broadcast Receiver | Identify intent-filter on broadcast and receiver component in order to directly access and sniff the information | Drozer | Android | M7 | Issue | |
| Service component | Invoke Service component directly | Drozer | Android | M7 | Issue | |
| Insufficient WebView hardening | Identify misconfiguration on "android.webkit.WebSettings" (Javascript/File access/Plugins), XSS through UIWebview |
jdgui, iDevice | All | M7 | Issue | |
| Injection (SQLite Injection, XML Injection) | Identify SQLi and XMLi on application | adb, iDevice, Burpsuite | All | M7 | Issue | |
| Local File Inclusion through Webviews | Check LFI on application(../ , ../../blah\0) Webviews FileAccess attack through setAllowFileAccess | jdgui, iDevice | All | M7 | Issue | |
| Abusing URL schemes or Deeplinks | For iOS: Identify URL schemes through info.plist and Clutch+Strings to obtain URL scheme structures For Android: Identify URL schemes through source code or manifest file |
apktool, jdgui, Clutch, Strings | All | M7 | Issue | |
| Sensitive Information Masking | Identify sensitive information masking (Creditcard no. on UI and HTTPs traffic) | Device, Burpsuite | All | M7 | Issue | |
| Runtime Manipulation | Run-time manipulation, Method swizzling | Frida, Cycript, Snoop-it | All | M8 | Issue | |
| Rooted or Jail-broken device checking |
Detect root/jb detection code in the reverse engineered app file.If found, delete/ change the access control of the file containing the code and restart the app. Or Install tools like hidemyroot and run the apps |
tsProtector, RootCloak2 | All | M8 | Issue | |
| Passwords/ Connection String disclosure | Identify sensitive information (Credential) between mobile and API | jdgui, Burpsuite | All | M10 | Issue | |
| Hidden and Unscrutinised functionalities | Identify extraneous functionality (Hidden back-end URL) | jdgui, Burpsuite | All | M10 | Issue | |
| Communication Channel | Test Name | Description | Tool | Applicable Platform | OWASP | Result |
| Insecure Transport Layer Protocols | Observe the device's network traffic through a proxy that SSL is implemented or not | Burpsuite | All | M3 | Issue | |
| Use of Insecure and Deprecated algorithms | Identify SSL/TLS Encryption Algorithms | testssl.sh, Qualys SSL Labs | All | M3 | Issue | |
| Use of Disabling certificate validation | Allow tester to intercept SSL traffic without Certificate installation (checkServerTrusted with nobody) | jdgui, MobSF, Qark | All | M3 | Issue | |
| SSL pinning Implementation |
Check whether application accepts a certificate from any trusted CA (Burpsuite) or not. E.g. Check setAllowsAnyHTTPSCertificate(iOS) and AllowAllHostnameVerifier(Android) |
jdgui, MobSF, Qark | All | M3 | Issue | |
| End-to-end encryption | Identify end-to-end encryption on application layer | Burpsuite | All | M3 | Issue | |
|
Server Side - Webservices and API |
Test Name | Description | Tool | Applicable Platform | OWASP | Result |
| Excessive port opened at Firewall | Identify opened port at Server-side URL/IP Address | Nmap | All | M1 | Issue | |
| Default credentials on Application Server | Identify default credentials on Backend server (e.g. Tomcat Application server using tomcat/tomcat, admin/tomcat) | Web Browser | All | M1 | Issue | |
| Weak password policy Implementation | Identify weak password policy implementation both mobile and server side (e.g. Bypass password complexity checking on UI) | Burpsuite | All | M1 | Issue | |
| Exposure of Webservices through WSDL document | Identify webservices help pages (*.asmx) which show methods and structure | Web Browser | All | M1 | Issue | |
| Security Misconfiguration on Server API | Identify webserver configuration (e.g. Error handling, HTTP response banner) | Web Browser, Burpsuite | All | M1 | Issue | |
| Security Patching on Server API | Identify vulnerability on server API | Nessus | All | M1 | Issue | |
| Input validation on API | Check input validation (e.g. SQL Injection, XXE) on API/Webservices | Burpsuite | All | M1 | Issue | |
| Information Exposure through API response message | Identify sensitive information on API response message/header | Burpsuite | All | M1 | Issue | |
| Control of interaction frequency on API (Replay Attack) | Conduct simultaneous attack on API (e.g. OTP, email sending) | Burpsuite (Intruder) | All | M1 | Issue | |
| Session invalidation on Backend | Ensure that all session invalidation events are executed on the server side and not just on the mobile app | Burpsuite | All | M4 | Issue | |
| Session Timeout Protection | Mobile app must have adequate timeout protection on the backend components | Burpsuite | All | M4 | Issue | |
| Cookie Rotation | Ensure that reset cookies is properly implemented during authentication state changes (Anonymous<->User, User A<->User B, Timeout) |
Burpsuite | All | M4 | Issue | |
| Multiple concurrent logins | Simultaneously login from multiple device with the same credential | Burpsuite | All | M4 | Issue | |
| Exposing Device Specific Identifiers in Attacker Visible Elements | Observe the device's network traffic through a proxy that Device's information (UDID) is sent during the transmission or not. | Burpsuite | All | M4 | Issue | |
| Token/Session Creation and handling | They should be standard algorithm, sufficiently long, complex, and pseudo-random so as to be resistant to guessing/anticipation attacks. | Burpsuite | All | M5 | Issue | |
| Insecure Direct Object references | Directly access unauthorised object/var through HTTPs traffic | Burpsuite | All | M6 | Issue | |
| Missing function level access control | Directly access unauthorised function through HTTPs traffic | Burpsuite | All | M6 | Issue | |
| Bypassing business logic flaws | Bypass business logic data validation, Circumvention of Work Flows | Burpsuite | All | M6 | Issue | |