0x01 Client Side - Static and Dynamic analysis
| Test Name | Description | Tool | OWASP | Applicable Platform | Result |
| Reverse Engineering the Application Code | Disassembling and Decompiling the application, Obfuscation checking | apktool, dex2jar, Clutch, Classdump | M10 | All | Issue |
| Hard-coded credentials on sourcecode | Identify sensitive information on sourecode | string, jdgui, IDA, Hopper | M2 | All | Issue |
| Insecure version of Android OS Installation Allowed | Identify "minSdkVersion" on apktool.yml, the value be set over than 17 | apktool Androidmanifest.xml | M5 | Android | Issue |
| Cryptographic Based Storage Strength | Identify insecure/deprecated cryptographic algorithms (RC4, MD5, SHA1) on sourcecode | jdgui, YSO, Qark, AndroBugs | M6 | Android | Issue |
| Poor key management process | Identify hardcoded key in application or Keys may be intercepted via Binary attacks | jdgui, YSO, Qark, AndroBugs | M6 | Android | Issue |
| Use of custom encryption protocols | Identify implementing their own protocol | jdgui, YSO, Qark, AndroBugs | M6 | Android | Issue |
| Unrestricted Backup file | Check "android:allowBackup" attribute which should be set to "false" | apktool Androidmanifest.xml | M2 | Android | Issue |
| Unencrypted Database files | Check encryption on database files | adb, idb, iFunbox | M2 | All | Issue |
| Insecure Shared Storage | Identify Sensitive Data on Shared Storage, SD card storage encryption, Shared preferences MODE_WORLD_READABLE | adb, keychaindumper | M2 | All | Issue |
| Insecure Application Data Storage | Identify Sensitive Data in application files (application log, Cache file, Cookie) | adb, idb, iFunbox,BinaryCookieReader | M2 | All | Issue |
| Information Disclosure through Logcat/Apple System Log (ASL) | Identify sensitive information through application log | CatLog, idb, Snoop-it | M4 | All | Issue |
| Application Backgrounding (Screenshot) | Identify application snapshot/screenshot backgrounding | adb, iFunbox | M4 | All | Issue |
| URL Caching (HTTP Request and Response) on cache.db | Identify HTTP caching which is stored in Cache.db | idb, iFunbox | M4 | iOS | Issue |
| Keyboard Press Caching | Identify keyboard cache file located in: /var/mobile/Library/Keyboard | idb, iFunbox | M4 | iOS | Issue |
| Copy/Paste Buffer Caching | Identify disabling Copy/Paste function for sensitive part of the application on EditText/UITextField | idb, iFunbox | M4 | All | Issue |
| Remember Credentials Functionality (Persistent authentication) | Identify user's password or sessions on the device | idb, iFunbox | M5 | All | Issue |
| Client Side Based Authentication Flaws | Perform binary attacks against the mobile app in order to bypass offline authentication | adb, Drozer, Cycript, Snoop-it, Burpsuite | M5 | All | Issue |
| Client Side Authorization Breaches | Perform binary attacks against the mobile app and try to execute privileged functionality that should only be executable with a user of higher privilege | adb, Drozer, Cycript, Snoop-it, Burpsuite | M5 | All | Issue |
| Insufficient WebView hardening (XSS) | Identify misconfiguration on "android.webkit.WebSettings" (Javascript/File access/Plugins), XSS through UIWebview | jdgui, Burpsuite | M7 | All | Issue |
| Content Providers: SQL Injection and Local File Inclusion | Identify SQLi and LFI on Content provider component | Drozer | M7 | Android | Issue |
| Injection (SQLite Injection, XML Injection) | Identify SQLi and XMLi on application | adb, iFunbox, Burpsuite | M7 | All | Issue |
| Local File Inclusion through NSFileManager or Webviews | Check LFI on application(../ , ../../blah\0) Webviews FileAccess attack through setAllowFileAccess | iDevice, Drozer | M7 | All | Issue |
| Abusing Android Components through IPC intents ("exported" and "intent-filter") | Identify android exported components | apktool Androidmanifest.xml | M8 | Android | Issue |
| Abusing iOS URL schemes | Identify URL schemes through info.plist and Clutch+Strings to obtain URL scheme structures | iFunbox, Clutch, Strings | M8 | iOS | Issue |
| Unauthorized Code Modification | Binary attack through run-time manipulation and code modification | apktool, Frida, cycript, snoop-it | M10 | All | Issue |
| Debug the application behavior through runtime analysis | Identify "android:debuggable" attribute Using GDB/LLDB attach to application | adb jdwp, jdb, GDB, LLDB | M10 | All | Issue |
0x02 Communication Channel
| Test Name | Description | Tool | OWASP | Applicable Platform | Result |
| Insecure Transport Layer Protocols | Observe the device's network traffic through a proxy that SSL is implemented or not | Burpsuite | M3 | All | Issue |
| SSL/TLS Weak Encryption | Identify SSL/TLS Encryption Algorithms | testssl.sh, Qualys SSL Labs | M3 | All | Issue |
| Disable certificate validation | Allow tester to intercept SSL traffic without Certificate installation (checkServerTrusted with nobody) | jdgui, YSO, Qark, AndroBugs | M3 | All | Issue |
| Self-signed certificate | Application accepts a certificate from any trusted CA (Burpsuite). Check setAllowsAnyHTTPSCertificate(iOS) and AllowAllHostnameVerifier(Android) | jdgui, YSO, Qark, AndroBugs | M3 | All | Issue |
| Exposing Device Specific Identifiers in Attacker Visible Elements | Observe the device's network traffic through a proxy that Device's information (UDID) is sent during the transmission or not. | Burpsuite | M4 | All | Issue |
0x03 Server Side - Webservices and API
| Test Name | Description | Tool | OWASP | Applicable Platform | Result |
| Excessive port opened at Firewall | Identify opened port at Server-side URL/IP Address | Nmap | M1 | All | Issue |
| Default credentials on Application Server | Identify default credentials on Backend server (e.g. Tomcat Application server using tomcat/tomcat, admin/tomcat) | Web Browser | M1 | All | Issue |
| Exposure of Webservices through WSDL document | Identify webservices help pages (*.asmx) which show methods and structure | Web Browser | M1 | All | Issue |
| Security Misconfiguration on Webserver | Identify webserver configuration (e.g. Error handling, HTTP response banner) | Web Browser, Burpsuite | M1 | All | Issue |
| Input validation on API | Check input validation on API/Webservices | Burpsuite | M1 | All | Issue |
| Bypassing business logic flaws | Identify Missing Function Level Access Control, Negative value testing | Burpsuite | M5 | All | Issue |
| Session invalidation on Backend | Ensure that all session invalidation events are executed on the server side and not just on the mobile app | Burpsuite | M9 | All | Issue |
| Session Timeout Protection | Mobile app must have adequate timeout protection on the backend components | Burpsuite | M9 | All | Issue |
| Cookie Rotation | Ensure that reset cookies is properly implemented during authentication state changes (Anonymous<->User, User A<->User B, Timeout) | Burpsuite | M9 | All | Issue |
| Token Creation | They should be standard algorithm, sufficiently long, complex, and pseudo-random so as to be resistant to guessing/anticipation attacks. | Burpsuite | M9 | All | Issue |
欢迎大家分享更好的思路,热切期待^^_^^
905
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
