Penetration testing checklist based on OWASP Top 10 Mobile 2016
M1. Improper Platform Usage | Test Name | Result |
M1-01 | Misuse of App permissions | Issue |
M1-02 | Insecure version of OS Installation Allowed | Issue |
M1-03 | Abusing Android Components through IPC intents ("exported" and "intent-filter") | Issue |
M1-04 | Misuse of Keychain , Touch ID and other security related controls | Issue |
M1-05 | Minimum Device Security Requirements absent | Issue |
M1-06 | Excessive port opened at Firewall | Issue |
M1-07 | Default credentials on Application Server | Issue |
M1-08 | Weak password policy Implementation | Issue |
M1-09 | Exposure of Webservices through WSDL document | Issue |
M1-10 | Security Misconfiguration on Server API | Issue |
M1-11 | Security Patching on Server API | Issue |
M1-12 | Input validation on API | Issue |
M1-13 | Information Exposure through API response message | Issue |
M1-14 | Control of interaction frequency on API (Replay Attack) | Issue |
M2. Insecure Data Storage | Test Name | Result |
M2-01 | Unrestricted Backup file | Issue |
M2-02 | Unencrypted Database files | Issue |
M2-03 | Insecure Shared Storage | Issue |
M2-04 | Insecure Application Data Storage | Issue |
M2-05 | Information Disclosure through Logcat/Apple System Log (ASL) | Issue |
M2-06 | Application Backgrounding (Screenshot) | Issue |
M2-07 | Copy/Paste Buffer Caching | Issue |
M2-08 | Keyboard Press Caching | Issue |
M3. Insecure Communication | Test Name | Result |
M3-01 | Insecure Transport Layer Protocols | Issue |
M3-02 | Use of Insecure and Deprecated algorithms | Issue |
M3-03 | Disabled certificate validation | Issue |
M3-04 | SSL pinning Implementation | Issue |
M3-05 | End-to-end encryption | Issue |
M4. Insecure Authentication | Test Name | Result |
M4-01 | Remember Credentials Functionality (Persistent authentication) | Issue |
M4-02 | Client Side Based Authentication Flaws | Issue |
M4-03 | Session invalidation on Backend | Issue |
M4-04 | Session Timeout Protection | Issue |
M4-05 | Cookie Rotation | Issue |
M4-06 | Multiple concurrent logins | Issue |
M4-07 | Exposing Device Specific Identifiers in Attacker Visible Elements | Issue |
M5. Insufficient Cryptography | Test Name | Result |
M5-01 | Cryptographic Based Storage Strength | Issue |
M5-02 | Poor key management process | Issue |
M5-03 | Use of custom encryption protocols | Issue |
M5-04 | Token/Session Creation and handling | Issue |
M6. Insecure Authorization | Test Name | Result |
M6-01 | Client Side Authorization Breaches | Issue |
M6-02 | Insecure Direct Object references | Issue |
M6-03 | Missing function level access control | Issue |
M6-04 | Bypassing business logic flaws | Issue |
M7. Client Code Quality | Test Name | Result |
M7-01 | Content Providers: SQL Injection and Local File Inclusion | Issue |
M7-02 | Broadcast Receiver | Issue |
M7-03 | Service component | Issue |
M7-04 | Insufficient WebView hardening | Issue |
M7-05 | Injection (SQLite Injection, XML Injection) | Issue |
M7-06 | Local File Inclusion through NSFileManager or Webviews | |
M7-07 | Abusing URL schemes or Deeplinks | |
M7-08 | Sensitive Information Masking | Issue |
M8. Code Tampering | Test Name | Result |
M8-01 | Unauthorized Code Modification | Issue |
M8-02 | Runtime Manipulation | Issue |
M8-03 | Rooted or Jail-broken device checking | Issue |
M9. Reverse Engineering | Test Name | Result |
M9-01 | Reverse Engineering the Application Code (Code Obfuscating Checking) | Issue |
M9-02 | Information leakage/Hardcoded credential in the binaries | Issue |
M10. Extraneous Functionality | Test Name | Result |
M10-01 | Debuggable Application | Issue |
M10-02 | Passwords/ Connection String disclosure | Issue |
M10-03 | Hidden and Unscrutinised functionalities | Issue |
Penetration testing checklist based on OWASP Top 10 Mobile 2016 (test procedures)
Static analysis | Test Name | Description | Tool | Applicable Platform | OWASP | Result |
Reverse Engineering the Application Code (Code Obfuscating Checking) | Disassembling and Decompiling the application | apktool, dex2jar, Clutch, Classdump | All | M9 | Issue | |
Information leakage/Hardcoded credential in the binaries | Identify sensitive information through binary/source code | string, jdgui, IDA, Hopper | All | M9 | Issue | |
Unauthorized Code Modification | Static code modification, Binary patching, Bypass check sum mechanism | apktool, Hopper | All | M8 | Issue | |
Misuse of App permissions | Identify excessive App permissions | apktool, MobSF | Android | M1 | Issue | |
Insecure version of OS Installation Allowed | Check "minSdkVersion" in apktool.yml (mirrored from the manifest's uses-sdk element); this checklist expects a value of at least 17, since lower values let the app install on older OS releases with known, unpatched weaknesses. For iOS, identify the minimum OS version (MinimumOSVersion in Info.plist) using idb. | apktool, idb | All | M1 | Issue |
Abusing Android Components through IPC intents ("exported" and "intent-filter") | Identify exported Android components in AndroidManifest.xml: android:exported="true", or a declared intent-filter with no exported attribute, and no protecting android:permission | MobSF, AndroidManifest.xml | Android | M1 | Issue |
Unrestricted Backup file | Check the "android:allowBackup" attribute of <application>, which should be explicitly set to "false" (the default is true) | apktool, AndroidManifest.xml | Android | M2 | Issue |
Cryptographic Based Storage Strength | Identify insecure/deprecated cryptographic algorithms (RC4, MD5, SHA1) in the source code | jdgui, MobSF, Qark, Hopper, iFunbox | All | M5 | Issue |
Poor key management process | Identify hardcoded keys in the application, or keys that can be recovered from the binary by reverse engineering | jdgui, MobSF, Qark, Hopper, iFunbox | All | M5 | Issue |
Use of custom encryption protocols | Identify home-grown encryption protocols or primitives used in place of standard, reviewed ones | jdgui, MobSF, Qark, Hopper, iFunbox | All | M5 | Issue |
Debuggable Application | Check whether the "android:debuggable" attribute of <application> is set to true | adb, MobSF | Android | M10 | Issue |
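The static manifest checks above (excessive permissions, minSdkVersion, exported components, allowBackup, debuggable) can be scripted against the AndroidManifest.xml that apktool decodes. The following is an added example written for this page, not a tool from the checklist's author or from MobSF/apktool; the manifest it parses is constructed for the example, and the high-risk permission list and the baseline of 17 are assumptions that a tester would tune per engagement.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
MIN_SDK_BASELINE = 17  # assumption: the minSdkVersion baseline this checklist uses

# Constructed list of permissions that need explicit justification in a review;
# not an authoritative OWASP or Google classification.
HIGH_RISK_PERMISSIONS = {
    "android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS", "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO", "android.permission.CAMERA",
    "android.permission.WRITE_EXTERNAL_STORAGE", "android.permission.SYSTEM_ALERT_WINDOW",
}


def attr(name):
    """Qualified attribute name in the android: namespace."""
    return "{%s}%s" % (ANDROID_NS, name)


def audit_manifest(manifest_xml, min_sdk_baseline=MIN_SDK_BASELINE):
    """Return (checklist id, message) findings for a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    findings = []

    # M1-01: permissions that need justification
    for perm in root.findall("uses-permission"):
        name = perm.get(attr("name"), "")
        if name in HIGH_RISK_PERMISSIONS:
            findings.append(("M1-01", "high-risk permission requested: %s" % name))

    # M1-02: minSdkVersion below the baseline (apktool copies it into apktool.yml too)
    min_sdk = None
    sdk = root.find("uses-sdk")
    if sdk is not None and sdk.get(attr("minSdkVersion")):
        min_sdk = int(sdk.get(attr("minSdkVersion")))
        if min_sdk < min_sdk_baseline:
            findings.append(("M1-02", "minSdkVersion=%d is below the baseline %d"
                             % (min_sdk, min_sdk_baseline)))
    else:
        findings.append(("M1-02", "minSdkVersion not declared; check apktool.yml or build.gradle"))

    app = root.find("application")
    if app is None:
        return findings

    # M2-01: allowBackup defaults to true when absent, so only an explicit "false" passes
    if app.get(attr("allowBackup"), "true").lower() != "false":
        findings.append(("M2-01", "android:allowBackup is not set to false (defaults to true)"))

    # M10-01: debuggable build
    if app.get(attr("debuggable"), "false").lower() == "true":
        findings.append(("M10-01", 'android:debuggable="true"'))

    # M1-03: components reachable from other apps without a protecting permission.
    # Launcher activities are expected to be exported and are left for manual triage.
    for tag in ("activity", "service", "receiver", "provider"):
        for comp in app.findall(tag):
            name = comp.get(attr("name"), "?")
            exported = comp.get(attr("exported"))
            if exported is not None:
                is_exported = exported.lower() == "true"
            elif tag == "provider":
                # providers defaulted to exported before API 17; unknown minSdk is treated as exported
                is_exported = min_sdk is None or min_sdk < 17
            else:
                # other components are implicitly exported when they declare an intent-filter
                is_exported = comp.find("intent-filter") is not None
            protected = any(comp.get(attr(p)) for p in ("permission", "readPermission", "writePermission"))
            if is_exported and not protected:
                findings.append(("M1-03", "%s %s is exported without a permission" % (tag, name)))
    return findings


# Constructed sample manifest with one finding of each kind.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.bank">
  <uses-sdk android:minSdkVersion="15" android:targetSdkVersion="28"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:debuggable="true">
    <activity android:name=".MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <activity android:name=".TransferActivity" android:exported="true"/>
    <service android:name=".SyncService" android:exported="true" android:permission="com.example.bank.SYNC"/>
    <provider android:name=".AccountProvider" android:authorities="com.example.bank.accounts"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for code, message in audit_manifest(SAMPLE_MANIFEST):
        print(code, message)
```

Run it against `apktool d app.apk` output by reading the decoded AndroidManifest.xml into `audit_manifest`; the SyncService in the sample is exported but guarded by a permission, so it is correctly not reported, while the provider is reported because minSdkVersion 15 makes it exported by default.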
Dynamic and Runtime analysis | Test Name | Description | Tool | Applicable Platform | OWASP | Result |
Misuse of Keychain, Touch ID and other security related controls | Identify misuse of the Data Protection API and Keychain (e.g. credentials retrievable from local storage instead of the Keychain) and of Touch ID / Local Authentication (e.g. a boolean success check that can be bypassed at runtime) | iDevice | iOS | M1 | Issue |
Minimum Device Security Requirements absent | Ensure that the app refuses to run when no PIN or pattern lock is set on the device | Device | All | M1 | Issue |
Unencrypted Database files | Check encryption on database files | adb, idb, iFunbox | All | M2 | Issue | |
Insecure Shared Storage | Identify sensitive data on shared/external storage (SD card, unencrypted) and SharedPreferences created with MODE_WORLD_READABLE or MODE_WORLD_WRITEABLE | adb | Android | M2 | Issue |
Insecure Application Data Storage | Identify Sensitive Data in application files (application log, Cache file, Cookie) | adb, idb, iFunbox,BinaryCookieReader | All | M2 | Issue | |
Information Disclosure through Logcat/Apple System Log (ASL) | Identify sensitive information through application log | adb logcat, idb, libimobiledevice | All | M2 | Issue | |
Application Backgrounding (Screenshot) | Identify application snapshot/screenshot backgrounding | Device, iFunbox | All | M2 | Issue | |
Copy/Paste Buffer Caching | Check that copy/paste is disabled for sensitive fields (EditText / UITextField) so that secrets do not land in the clipboard | idb, iFunbox | All | M2 | Issue |
Keyboard Press Caching | Check the keyboard cache for sensitive input: iOS /var/mobile/Library/Keyboard (dynamic-text.dat), Android /data/data/com.android.providers.userdictionary/databases/user_dict.db. Sensitive fields should disable autocorrect/suggestions | Device, idb, iFunbox | All | M2 | Issue |
Unrestricted Backup file | For Android, check that the "android:allowBackup" attribute is set to "false". For iOS, back up the device with iTunes and inspect the application folder in the backup for sensitive information | apktool, iPhone Backup Extractor | All | M2 | Issue |
Remember Credentials Functionality (Persistent authentication) | Identify user's password or sessions on the device | adb, idb, iFunbox | All | M4 | Issue | |
Client Side Based Authentication Flaws | Perform binary attacks against the mobile app in order to bypass offline authentication | adb, Drozer, Cycript, Snoop-it, Burpsuite | All | M4 | Issue | |
Client Side Authorization Breaches | Perform binary attacks against the mobile app and try to execute privileged functionality that should only be executable with a user of higher privilege | adb, Drozer, Cycript, Snoop-it, Burpsuite | All | M6 | Issue | |
Content Providers: SQL Injection and Local File Inclusion | Identify SQLi and LFI on Content provider component | Drozer | Android | M7 | Issue | |
Broadcast Receiver | Identify exported broadcast receivers and their intent-filters; send crafted broadcasts to them directly, and sniff broadcasts the app sends without a receiver permission | Drozer | Android | M7 | Issue |
Service component | Invoke Service component directly | Drozer | Android | M7 | Issue | |
Insufficient WebView hardening | Identify misconfiguration of "android.webkit.WebSettings" (JavaScript, file access, plugins, JavaScript interfaces) and XSS through UIWebView | jdgui, iDevice | All | M7 | Issue |
Injection (SQLite Injection, XML Injection) | Identify SQLi and XMLi on application | adb, iDevice, Burpsuite | All | M7 | Issue | |
Local File Inclusion through Webviews | Check for local file inclusion via path traversal (../ , ../../blah\0) and WebView file access enabled through setAllowFileAccess | jdgui, iDevice | All | M7 | Issue |
Abusing URL schemes or Deeplinks | For iOS: identify URL schemes through Info.plist, and use Clutch plus strings on the decrypted binary to recover the URL scheme structure. For Android: identify URL schemes through the source code or the manifest (intent-filters with data elements) | apktool, jdgui, Clutch, Strings | All | M7 | Issue |
Sensitive Information Masking | Check that sensitive information is masked (e.g. credit card numbers on the UI and in HTTPS traffic) | Device, Burpsuite | All | M7 | Issue |
Runtime Manipulation | Run-time manipulation, Method swizzling | Frida, Cycript, Snoop-it | All | M8 | Issue | |
Rooted or Jail-broken device checking | Locate root/jailbreak detection code in the reverse-engineered app. If found, patch it out or alter access to the file it checks and restart the app, or hide root/jailbreak with tools such as RootCloak or tsProtector and run the app | tsProtector, RootCloak2 | All | M8 | Issue |
Passwords/ Connection String disclosure | Identify sensitive information (Credential) between mobile and API | jdgui, Burpsuite | All | M10 | Issue | |
Hidden and Unscrutinised functionalities | Identify extraneous functionality (Hidden back-end URL) | jdgui, Burpsuite | All | M10 | Issue | |
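Several dynamic items reduce to the same question: does sensitive data (credentials, bearer tokens, card numbers, device identifiers) show up in logcat/ASL output, in application files, in the UI, or in API responses, and is it masked where it must be shown? The following detector is an added example written for this page, not a tool from the checklist; the logcat lines it scans are constructed, and the regular expressions are heuristics that a tester would extend. The card-number check uses the Luhn algorithm so that random digit runs are not reported, and a fully masked number (first six and last four digits only) is not reported either.

```python
import re

# Heuristic patterns; categories map to checklist items M2-05, M7-08, M10-02 and M1-13.
PATTERNS = [
    ("credential", re.compile(r"(?i)\b(?:password|passwd|pwd|pin)\b\s*[=:]\s*\S+")),
    ("token", re.compile(r"(?i)\b(?:authorization|bearer|api[_-]?key|access[_-]?token|secret)\b\s*[=:]\s*\S+")),
    ("jwt", re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")),
    ("device-id", re.compile(r"\b[0-9a-f]{40}\b")),  # UDID-shaped 40-hex value
]
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digit runs with optional separators


def luhn_valid(digits):
    """Luhn checksum over a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_lines(lines):
    """Return (line number, category, matched text) for every sensitive value found."""
    findings = []
    for n, line in enumerate(lines, 1):
        for category, rx in PATTERNS:
            for m in rx.finditer(line):
                findings.append((n, category, m.group(0)))
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                findings.append((n, "pan", m.group(0)))
    return findings


def mask_pan(pan):
    """Masking the app should apply before logging or displaying a card number."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


# Constructed logcat excerpt; only line 4 shows a correctly masked number.
SAMPLE_LOGCAT = [
    "D/LoginActivity( 1234): password=Summer2016! user=alice",
    "I/ApiClient( 1234): POST /v1/auth Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2ln",
    "V/CardForm( 1234): card=4111 1111 1111 1111 exp=12/20",
    "V/CardForm( 1234): display=4111 11** **** 1111",
    "D/Device( 1234): udid=0123456789abcdef0123456789abcdef01234567",
    "I/Network( 1234): GET /v1/accounts 200 OK",
]

if __name__ == "__main__":
    for line_no, category, text in scan_lines(SAMPLE_LOGCAT):
        print("line %d [%s] %s" % (line_no, category, text))
```

Feed it `adb logcat -d` output, `idevicesyslog` output, or decoded HTTP bodies saved from the proxy; a hit on a card number that is not in `mask_pan` form is the M7-08 finding, and a hit on a credential or token in a log is the M2-05 finding.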
Communication Channel | Test Name | Description | Tool | Applicable Platform | OWASP | Result |
Insecure Transport Layer Protocols | Route the device's traffic through an intercepting proxy and check whether every connection, not only login, uses TLS; cleartext HTTP or plaintext socket traffic is a finding | Burpsuite | All | M3 | Issue |
Use of Insecure and Deprecated algorithms | Identify the SSL/TLS protocol versions and cipher suites offered by the backend (e.g. SSLv3, RC4) | testssl.sh, Qualys SSL Labs | All | M3 | Issue |
Disabled certificate validation | Check whether the app disables certificate validation, which lets a tester intercept TLS traffic without installing the proxy CA certificate (e.g. an X509TrustManager whose checkServerTrusted body is empty, or a HostnameVerifier that always returns true) | jdgui, MobSF, Qark | All | M3 | Issue |
SSL pinning Implementation | With the proxy CA installed as trusted on the device, check whether the app accepts a certificate from any trusted CA (i.e. Burp can intercept) instead of only its pinned certificate or public key. Note that setAllowsAnyHTTPSCertificate (iOS) and AllowAllHostnameVerifier (Android) disable validation entirely and belong to the previous item | jdgui, MobSF, Qark, Burpsuite | All | M3 | Issue |
End-to-end encryption | Identify end-to-end encryption on application layer | Burpsuite | All | M3 | Issue | |
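The source-level checks in this table (weak algorithm names and hardcoded keys under M5, WebView settings and file access under M7, and the TLS validation bypasses under M3) are all string patterns over decompiled Java or Objective-C. The scanner below is an added example written for this page, not a feature of jd-gui, MobSF or Qark; the decompiled snippet it scans is constructed, and the rules are heuristics (a hit is a lead to confirm in the proxy, not a verdict).

```python
import re

# (checklist id, description, pattern); heuristics over decompiled Java/Objective-C text.
RULES = [
    ("M3-03", "X509TrustManager.checkServerTrusted with empty body",
     re.compile(r"checkServerTrusted\s*\([^)]*\)[^{;]*\{\s*\}")),
    ("M3-03", "HostnameVerifier.verify always returns true",
     re.compile(r"\bverify\s*\([^)]*\)\s*\{\s*return\s+true\s*;\s*\}")),
    ("M3-03", "validation-disabling API",
     re.compile(r"ALLOW_ALL_HOSTNAME_VERIFIER|AllowAllHostnameVerifier|setAllowsAnyHTTPSCertificate")),
    ("M5-01", "weak or deprecated algorithm name",
     re.compile(r"\"(?:RC4|MD5|SHA-?1|DES|AES/ECB)\b[^\"]*\"")),
    ("M5-02", "key material in a string constant",
     re.compile(r"\b(?:KEY|SECRET|IV|PASSWORD)\w*\s*=\s*\"[^\"]+\"|SecretKeySpec\s*\(\s*\"")),
    ("M7-04", "permissive WebView setting",
     re.compile(r"\b(?:setJavaScriptEnabled|setAllowFileAccess|setAllow\w*FileURLs)\s*\(\s*true\s*\)"
                r"|\baddJavascriptInterface\s*\(|\bsetPluginState\s*\(")),
]


def scan_source(text):
    """Return (checklist id, description, line number, snippet) for each rule hit, in file order."""
    findings = []
    for code, desc, rx in RULES:
        for m in rx.finditer(text):
            line_no = text.count("\n", 0, m.start()) + 1
            findings.append((code, desc, line_no, " ".join(m.group(0).split())))
    findings.sort(key=lambda f: f[2])
    return findings


# Constructed decompiled class carrying one weakness per rule family.
SAMPLE_SOURCE = r'''
public class ApiClient {
    private static final String KEY = "0123456789abcdef";
    private static final TrustManager[] TRUST_ALL = new TrustManager[] { new X509TrustManager() {
        public void checkClientTrusted(X509Certificate[] c, String a) { }
        public void checkServerTrusted(X509Certificate[] c, String a) { }
        public X509Certificate[] getAcceptedIssuers() { return null; }
    } };
    HostnameVerifier hv = new HostnameVerifier() {
        public boolean verify(String h, SSLSession s) { return true; }
    };
    Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
    SecretKeySpec spec = new SecretKeySpec(KEY.getBytes(), "AES");
    MessageDigest md = MessageDigest.getInstance("MD5");
    void setup(WebView w) {
        w.getSettings().setJavaScriptEnabled(true);
        w.getSettings().setAllowFileAccess(true);
        w.addJavascriptInterface(new Bridge(), "bridge");
    }
}
'''

if __name__ == "__main__":
    for code, desc, line_no, snippet in scan_source(SAMPLE_SOURCE):
        print("%s line %d: %s (%s)" % (code, line_no, desc, snippet))
```

Point it at the jd-gui or apktool output tree by reading each .java or .smali file into `scan_source`; the empty `checkServerTrusted` and the always-true `verify` are the two signatures that make the proxy work without a trusted CA, which is the test described in the "Disabled certificate validation" row.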
Server Side - Webservices and API | Test Name | Description | Tool | Applicable Platform | OWASP | Result |
Excessive port opened at Firewall | Identify open ports on the backend server (URL/IP address); every service other than the API endpoint should be justified | Nmap | All | M1 | Issue |
Default credentials on Application Server | Identify default credentials on the backend server (e.g. the Tomcat manager application using tomcat/tomcat or admin/tomcat) | Web Browser | All | M1 | Issue |
Weak password policy Implementation | Identify weak password policy implementation on both the mobile and server side (e.g. password complexity enforced only in the UI and bypassable in the API request) | Burpsuite | All | M1 | Issue |
Exposure of Webservices through WSDL document | Identify exposed service descriptions (WSDL, e.g. *.asmx?WSDL) and help pages that list the available methods and message structure | Web Browser | All | M1 | Issue |
Security Misconfiguration on Server API | Identify web server misconfiguration (e.g. verbose error handling, server version banner in HTTP response headers) | Web Browser, Burpsuite | All | M1 | Issue |
Security Patching on Server API | Identify missing patches and known vulnerabilities on the server hosting the API | Nessus | All | M1 | Issue |
Input validation on API | Check input validation (e.g. SQL Injection, XXE) on API/Webservices | Burpsuite | All | M1 | Issue | |
Information Exposure through API response message | Identify sensitive information on API response message/header | Burpsuite | All | M1 | Issue | |
Control of interaction frequency on API (Replay Attack) | Replay and flood requests to sensitive API calls (e.g. OTP verification, email sending) with Burp Intruder to check rate limiting and the one-time use of codes or nonces | Burpsuite (Intruder) | All | M1 | Issue |
Session invalidation on Backend | Ensure that all session invalidation events (logout, password change) are executed on the server side and not just in the mobile app; a token captured before logout must be rejected afterwards | Burpsuite | All | M4 | Issue |
Session Timeout Protection | Verify that sessions expire on the backend after a period of inactivity, not only in the mobile app's UI | Burpsuite | All | M4 | Issue |
Cookie Rotation | Ensure that session identifiers/cookies are reissued on every authentication state change (Anonymous<->User, User A<->User B, Timeout) | Burpsuite | All | M4 | Issue |
Multiple concurrent logins | Log in simultaneously from multiple devices with the same credentials and check whether the backend allows, limits or at least detects it | Burpsuite | All | M4 | Issue |
Exposing Device Specific Identifiers in Attacker Visible Elements | Route the device's traffic through a proxy and check whether device-specific identifiers (e.g. the UDID) are sent to the backend | Burpsuite | All | M4 | Issue |
Token/Session Creation and handling | Session tokens should be generated with a standard algorithm and be sufficiently long, complex and pseudo-random to resist guessing/prediction; compare many captured tokens for length, character set and predictability | Burpsuite | All | M5 | Issue |
Insecure Direct Object references | Directly access objects/identifiers belonging to another user by modifying parameters in the HTTPS traffic | Burpsuite | All | M6 | Issue |
Missing function level access control | Directly access privileged functions through the HTTPS traffic with a lower-privileged session | Burpsuite | All | M6 | Issue |
Bypassing business logic flaws | Bypass business logic data validation and circumvent workflows (e.g. skipping or reordering steps) | Burpsuite | All | M6 | Issue |
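The M4/M5 server-side rows (session invalidation on the backend, timeout, cookie rotation, concurrent logins, token generation) and the M1 replay-attack row describe what the backend must do; the tester's job is to confirm each property with the proxy. The store below is an added example written for this page, not code from the checklist or from any framework, showing a backend that passes those checks: opaque 256-bit tokens from the OS CSPRNG, rotation on every authentication state change, server-side invalidation, idle timeout, a cap on concurrent logins, and single-use, attempt-limited OTP codes. The clock is injected (an assumption for this example) so that the timeout can be exercised without sleeping.

```python
import secrets
import time


class ManualClock:
    """Injectable clock so timeout behaviour can be exercised deterministically."""
    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class SessionStore:
    """Backend session store: opaque random tokens, rotation on auth state change,
    server-side invalidation, idle timeout and a cap on concurrent logins per user."""
    TOKEN_BYTES = 32  # 256 bits of entropy; token_urlsafe yields 43 characters

    def __init__(self, idle_timeout=900, max_sessions_per_user=1, clock=time.time):
        self._sessions = {}  # token -> {"user": str or None, "last_seen": float}
        self.idle_timeout, self.max_sessions, self._clock = idle_timeout, max_sessions_per_user, clock

    def _new_token(self):
        return secrets.token_urlsafe(self.TOKEN_BYTES)

    def create_anonymous(self):
        token = self._new_token()
        self._sessions[token] = {"user": None, "last_seen": self._clock()}
        return token

    def login(self, old_token, user):
        self._sessions.pop(old_token, None)  # rotate: the pre-auth token is destroyed, not upgraded
        active = sorted((t for t, s in self._sessions.items() if s["user"] == user),
                        key=lambda t: self._sessions[t]["last_seen"])
        while len(active) >= self.max_sessions:  # evict the oldest sessions beyond the cap
            self._sessions.pop(active.pop(0))
        token = self._new_token()
        self._sessions[token] = {"user": user, "last_seen": self._clock()}
        return token

    def logout(self, token):
        return self._sessions.pop(token, None) is not None  # invalidated here, not only on the device

    def resolve(self, token):
        """User for a live token; None when unknown, anonymous or idle-expired."""
        s = self._sessions.get(token)
        if s is None:
            return None
        now = self._clock()
        if now - s["last_seen"] > self.idle_timeout:
            del self._sessions[token]
            return None
        s["last_seen"] = now
        return s["user"]


class OtpVerifier:
    """One-time codes: single use, short lifetime, bounded attempts (replay and brute-force control)."""
    def __init__(self, ttl=300, max_attempts=5, clock=time.time):
        self._codes = {}  # user -> [code, issued_at, attempts]
        self.ttl, self.max_attempts, self._clock = ttl, max_attempts, clock

    def issue(self, user):
        code = "%06d" % secrets.randbelow(10 ** 6)
        self._codes[user] = [code, self._clock(), 0]
        return code

    def verify(self, user, submitted):
        entry = self._codes.get(user)
        if entry is None:
            return False
        code, issued, attempts = entry
        if self._clock() - issued > self.ttl or attempts >= self.max_attempts:
            del self._codes[user]  # expired or locked: the code is burned
            return False
        entry[2] += 1
        if secrets.compare_digest(code, submitted):
            del self._codes[user]  # single use: replaying the same code fails
            return True
        return False


def demo():
    """Walk through the checklist's M4/M5/M1-14 properties; every value should be True."""
    clock = ManualClock(1_000_000.0)
    store = SessionStore(idle_timeout=900, max_sessions_per_user=1, clock=clock)
    r = {}
    anon = store.create_anonymous()
    t1 = store.login(anon, "alice")
    r["pre_auth_token_rotated"] = t1 != anon and store.resolve(anon) is None
    r["token_length_ok"] = len(t1) >= 43
    t2 = store.login(store.create_anonymous(), "alice")  # second device, same credentials
    r["concurrent_login_evicted_first"] = store.resolve(t1) is None and store.resolve(t2) == "alice"
    clock.advance(901)
    r["idle_timeout_enforced"] = store.resolve(t2) is None
    t3 = store.login(store.create_anonymous(), "alice")
    r["logout_invalidates_server_side"] = store.logout(t3) and store.resolve(t3) is None
    otp = OtpVerifier(ttl=300, max_attempts=5, clock=clock)
    code = otp.issue("alice")
    r["otp_replay_rejected"] = otp.verify("alice", code) and not otp.verify("alice", code)
    code2 = otp.issue("alice")
    wrong = "000000" if code2 != "000000" else "000001"
    for _ in range(5):
        otp.verify("alice", wrong)
    r["otp_brute_force_locked"] = not otp.verify("alice", code2)
    return r
```

Each key in `demo()` corresponds to one row of the checklist: a backend that fails any of them (the old token still resolving after login or logout, a session surviving the idle window, or an OTP accepted twice) produces the Issue the tester records with the proxy.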