OWASP Mobile Checklist Final 2016

By OWASP Mobile Team

Each check lists the applicable platform, a "Compliant?" column to be filled in as Yes/No/NA during the assessment, and its classification (Static Checks, Dynamic Checks, or Static + Dynamic Checks).

CLIENT SIDE CHECKS

| Sr. | Vulnerability Name | Applicable Platform | Compliant? Yes/No/NA | Classification |
|---|---|---|---|---|
| 1 | Application is Vulnerable to Reverse Engineering Attack/Lack of Code | All | | Static Checks |
| 2 | Account Lockout not Implemented | All | | Dynamic Checks |
| 3 | Application is Vulnerable to XSS | All | | Static + Dynamic Checks |
| 4 | Authentication bypassed | All | | Dynamic Checks |
| 5 | Hard coded sensitive information in Application Code (including Crypt | All | | Static Checks |
| 6 | Malicious File Upload | All | | Dynamic Checks |
| 7 | Session Fixation | All | | Dynamic Checks |
| 8 | Application does not Verify MSISDN | WAP | | Unknown |
| 9 | Privilege Escalation | All | | Dynamic Checks |
| 10 | SQL Injection | All | | Static + Dynamic Checks |
| 11 | Attacker can bypass Second Level Authentication | All | | Dynamic Checks |
| 12 | Application is vulnerable to LDAP Injection | All | | Dynamic Checks |
| 13 | Application is vulnerable to OS Command Injection | All | | Dynamic Checks |
| 14 | iOS snapshot/backgrounding Vulnerability | iOS | | Dynamic Checks |
| 15 | Debug is set to TRUE | Android | | Static Checks |
| 16 | Application makes use of Weak Cryptography | All | | Static Checks |
| 17 | Cleartext information under SSL Tunnel | All | | Dynamic Checks |
| 18 | Client Side Validation can be bypassed | All | | Dynamic Checks |
| 19 | Invalid SSL Certificate | All | | Static Checks |
| 20 | Sensitive Information is sent as Clear Text over network/Lack of Data | All | | Dynamic Checks |
| 21 | CAPTCHA is not implemented on Public Pages/Login Pages | All | | Dynamic Checks |
| 22 | Improper or NO implementation of Change Password Page | All | | Dynamic Checks |
| 23 | Application does not have Logout Functionality | All | | Dynamic Checks |
| 24 | Sensitive information in Application Log Files | All | | Dynamic Checks |
| 25 | Sensitive information sent as a querystring parameter | All | | Dynamic Checks |
| 26 | URL Modification | All | | Dynamic Checks |
| 27 | Sensitive information in Memory Dump | All | | Dynamic Checks |
| 28 | Weak Password Policy | All | | Dynamic Checks |
| 29 | Autocomplete is not set to OFF | All | | Static Checks |
| 30 | Application is accessible on Rooted or Jail Broken Device | All | | Dynamic Checks |
| 31 | Back-and-Refresh attack | All | | Dynamic Checks |
| 32 | Directory Browsing | All | | Static + Dynamic Checks |
| 33 | Usage of Persistent Cookies | All | | Dynamic Checks |
| 34 | Open URL Redirects are possible | All | | Dynamic Checks |
| 35 | Improper exception Handling: In code | All | | Static Checks |
| 36 | Insecure Application Permissions | All | | Static Checks |
| 37 | Application build contains Obsolete Files | All | | Static Checks |
| 38 | Certificate Chain is not Validated | All | | Static + Dynamic Checks |
| 39 | Last Login information is not displayed | All | | Dynamic Checks |
| 40 | Private IP Disclosure | All | | Static Checks |
| 41 | UI Impersonation through RMS file modification [1] | JAVA | | Dynamic Checks |
| 42 | UI Impersonation through JAR file modification | Android | | Dynamic Checks |
| 43 | Operation on a resource after expiration or release | All | | Dynamic Checks |
| 44 | No Certificate Pinning | All | | Dynamic Checks |
| 45 | Cached Cookies or information not cleaned after application removal/ | All | | Dynamic Checks |
| 46 | ASLR Not Used | iOS | | Static Checks |
| 47 | Insecure permissions on Unix domain sockets | Android | | Static Checks |
| 48 | Insecure use of network sockets | Android | | Static Checks |
| 49 | Clipboard is not disabled | All | | Dynamic Checks |
| 50 | Cache smashing protection is not enabled | iOS | | Static Checks |
| 51 | Android Backup Vulnerability | Android | | Static Checks |
| 52 | Unencrypted Credentials in Databases (sqlite db) | All | | Dynamic Checks |
| 53 | Store sensitive information outside App Sandbox (on SDCard) | All | | Dynamic Checks |
| 54 | Allow Global File Permission on App Data | Android | | Dynamic Checks |
| 55 | Store Encryption Key Locally/Store Sensitive Data in ClearText | All | | Dynamic Checks |
| 56 | Bypass Certificate Pinning | All | | Dynamic Checks |
| 57 | Third-party Data Transit on Unencrypted Channel | All | | Dynamic Checks |
| 58 | Failure to Implement Trusted Issuers | Android | | Static Checks |
| 59 | Allow All Hostname Verifier | Android | | Static Checks |
| 60 | Ignore SSL Certificate Error | All | | Static Checks |
| 61 | Weak Custom Hostname Verifier | Android | | Static Checks |
| 62 | App/Web Caches Sensitive Data Leak | All | | Dynamic Checks |
| 63 | Leaking Content Provider | Android | | Dynamic Checks |
| 64 | Redundancy Permission Granted | Android | | Static Checks |
| 65 | Use Spoof-able Values for Authenticating User (IMEI, UDID) | All | | Dynamic Checks |
| 66 | Use of Insecure and/or Deprecated Algorithms | All | | Static Checks |
| 67 | Local File Inclusion (might be through XSS Vulnerability) | All | | Static + Dynamic Checks |
| 68 | Activity Hijacking | Android | | Static Checks |
| 69 | Service Hijacking | Android | | Static Checks |
| 70 | Broadcast Thief | Android | | Static Checks |
| 71 | Malicious Broadcast Injection | Android | | Static Checks |
| 72 | Malicious Activity/Service Launch | Android | | Static Checks |
| 73 | Using Device Identifier as Session | All | | Dynamic Checks |
| 74 | Symbols Remnant | iOS | | Static Checks |
| 75 | Lack of Check-sum Controls/Altered Detection | Android | | Dynamic Checks |

SERVER SIDE CHECKS

| Sr. | Vulnerability Name | Applicable Platform | Compliant? Yes/No/NA | Classification |
|---|---|---|---|---|
| 76 | Cleartext password in Response | All | | Dynamic Checks |
| 77 | Direct Reference to internal resource without authentication | All | | Dynamic Checks |
| 78 | Application has NO or improper Session Management/Failure to Invali | All | | Dynamic Checks |
| 79 | Cross Domain Scripting Vulnerability | All | | Dynamic Checks |
| 80 | Cross Origin Resource Sharing | All | | Dynamic Checks |
| 81 | Improper Input Validation - Server Side | All | | Dynamic Checks |
| 82 | Detailed Error page shows internal sensitive information | All | | Dynamic Checks |
| 83 | Application allows HTTP Methods besides GET and POST | All | | Dynamic Checks |
| 84 | Cross Site Request Forgery (CSRF)/SSRF | All | | Dynamic Checks |
| 85 | Cacheable HTTPS Responses | All | | Dynamic Checks |
| 86 | Path Attribute not set on a Cookie | All | | Dynamic Checks |
| 87 | HttpOnly Attribute not set for a cookie | All | | Dynamic Checks |
| 88 | Secure Attribute not set for a cookie | All | | Dynamic Checks |
| 89 | Application is Vulnerable to Clickjacking/Tapjacking attack | All | | Dynamic Checks |
| 90 | Server/OS fingerprinting is possible | All | | Dynamic Checks |
| 91 | Lack of Adequate Timeout Protection | All | | Dynamic Checks |