Section index (partial, as it survives in the source sheet; the remaining sections M1, M2, M7, M8 and M9 use the same numbering):
M3. Insecure Communication: M3-01 to M3-05
M4. Insecure Authentication: M4-01 to M4-07
M5. Insufficient Cryptography: M5-01 to M5-04
M6. Insecure Authorization: M6-01 to M6-04
M10. Extraneous Functionality: M10-01 to M10-03
Penetration testing checklist based on OWASP Top 10 Mobile 2016

Columns of the source sheet: Test Name, Description, Tool, Applicable Platform, OWASP category, Result. Tests are grouped below by OWASP category.

M1. Improper Platform Usage
M1-01 Misuse of App permissions
M1-02 Insecure version of OS Installation Allowed
M1-03 Abusing Android Components through IPC intents ("exported" and "intent-filter")
M1-04 Misuse of Keychain, Touch ID and other security related controls
M1-05 Minimum Device Security Requirements absent
M1-06 Excessive port opened at Firewall
M1-07 Default credentials on Application Server
M1-08 Weak password policy Implementation
M1-09 Exposure of Webservices through WSDL document
M1-10 Security Misconfiguration on Server API
M1-11 Security Patching on Server API
M1-12 Input validation on API
M1-13 Information Exposure through API response message
M1-14 Control of interaction frequency on API (Replay Attack)
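The M1-14 row is the one tester's note most often mis-scoped: "replay" of an OTP endpoint is rarely a cryptographic replay, it is resubmitting a code that was already consumed, or firing the send/verify calls faster than the backend expected. The following added example is not code from the checklist's authors; it is a server-side guard written to show what the backend needs for this row to pass: per-account rate limiting on code requests, a hard attempt budget per code, consumption on first success so a reused code is refused, and a CSPRNG for the code itself. The limits, the account name "alice" and the clock injection are assumptions made for the example.

```python
import secrets
import time
from collections import deque

# Policy values are assumptions for this example, not figures from the checklist.
SEND_WINDOW = 10 * 60          # per-account window for code requests
MAX_SENDS_PER_WINDOW = 3       # "simultaneous" SMS/email requests beyond this are refused
CODE_TTL = 5 * 60              # a code stays valid for five minutes
MAX_VERIFY_ATTEMPTS = 5        # wrong guesses before the code is invalidated


class OtpGuard:
    """Server-side issuance and verification of one-time codes with rate
    limiting on sending and a fixed attempt budget per code."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sends = {}     # account -> deque of send timestamps
        self._codes = {}     # account -> {"code", "expires", "attempts"}

    def request_code(self, account):
        now = self._clock()
        q = self._sends.setdefault(account, deque())
        while q and now - q[0] >= SEND_WINDOW:
            q.popleft()                       # drop sends outside the window
        if len(q) >= MAX_SENDS_PER_WINDOW:
            return ("rate_limited", None)
        q.append(now)
        code = "%06d" % secrets.randbelow(10 ** 6)   # CSPRNG, not random.randint
        # A new request replaces any outstanding code, so an older one cannot be reused.
        self._codes[account] = {"code": code, "expires": now + CODE_TTL, "attempts": 0}
        return ("sent", code)     # the code is returned only so the example can verify it

    def verify(self, account, code):
        now = self._clock()
        entry = self._codes.get(account)
        if entry is None:
            return "no_active_code"           # also the answer for an already-used code
        if now >= entry["expires"]:
            del self._codes[account]
            return "expired"
        entry["attempts"] += 1               # charged before comparing: every try costs budget
        if entry["attempts"] > MAX_VERIFY_ATTEMPTS:
            del self._codes[account]
            return "locked"
        if secrets.compare_digest(entry["code"], code):
            del self._codes[account]          # consumed on first success
            return "ok"
        return "wrong"


def demo():
    """Drive the guard with a controllable clock; every value should be True."""
    now = [1_700_000_000.0]
    guard = OtpGuard(clock=lambda: now[0])
    r = {}
    sends = [guard.request_code("alice")[0] for _ in range(4)]
    r["fourth_send_rate_limited"] = sends == ["sent", "sent", "sent", "rate_limited"]
    now[0] += SEND_WINDOW
    status, code = guard.request_code("alice")
    r["send_allowed_after_window"] = status == "sent"
    r["first_use_ok"] = guard.verify("alice", code) == "ok"
    r["reused_code_rejected"] = guard.verify("alice", code) == "no_active_code"
    status, code = guard.request_code("alice")
    wrong = "000000" if code != "000000" else "111111"
    attempts = [guard.verify("alice", wrong) for _ in range(MAX_VERIFY_ATTEMPTS + 1)]
    r["brute_force_locked"] = (attempts[-1] == "locked"
                               and attempts[:-1] == ["wrong"] * MAX_VERIFY_ATTEMPTS)
    r["real_code_useless_after_lock"] = guard.verify("alice", code) == "no_active_code"
    return r


if __name__ == "__main__":
    for name, ok in demo().items():
        print("PASS" if ok else "FAIL", name)
```

When testing against a real backend, the Burp Intruder run from the checklist's Tool column should produce the equivalent of "rate_limited" and "locked" responses; a backend that keeps answering "wrong" for the sixth and later guesses, or that accepts the same code twice, fails this row.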
M2. Insecure Data Storage
M2-01 Unrestricted Backup file
M2-02 Unencrypted Database files
M2-03 Insecure Shared Storage
M2-04 Insecure Application Data Storage
M2-05 Information Disclosure through Logcat/Apple System Log (ASL)
M2-06 Application Backgrounding (Screenshot)
M2-07 Copy/Paste Buffer Caching
M2-08 Keyboard Press Caching
M3. Insecure Communication
M3-01 Insecure Transport Layer Protocols
M3-02 Use of Insecure and Deprecated algorithms
M3-03 Disabled certificate validation
M3-04 SSL pinning Implementation
M3-05 End-to-end encryption
M4. Insecure Authentication
M4-01 Remember Credentials Functionality (Persistent authentication)
M4-02 Client Side Based Authentication Flaws
M4-03 Session invalidation on Backend
M4-04 Session Timeout Protection
M4-05 Cookie Rotation
M4-06 Multiple concurrent logins
M4-07 Exposing Device Specific Identifiers in Attacker Visible Elements
M5. Insufficient Cryptography
M5-01 Cryptographic Based Storage Strength
M5-02 Poor key management process
M5-03 Use of custom encryption protocols
M5-04 Token/Session Creation and handling
M6. Insecure Authorization
M6-01 Client Side Authorization Breaches
M6-02 Insecure Direct Object References
M6-03 Missing function level access control
M6-04 Business logic bypass
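Several rows in M4, M5 and M6 (M4-03 session invalidation on the backend, M4-04 session timeout, M4-05 cookie rotation, M4-06 concurrent logins, M5-04 token creation, M6-02 insecure direct object references) test one property: the backend, not the mobile app, decides what a session is allowed to do. The added example below is not code from the checklist's authors; it is a minimal server-side session store written to show that property end to end. The idle timeout of 15 minutes follows the sheet's "around 10-15 minutes" note for M4-04; the one-session-per-user limit, the account table and the user names are assumptions made for the example.

```python
import secrets
import time

# Policy values are assumptions for this example; the checklist itself only
# says the session timeout should be around 10-15 minutes.
IDLE_TIMEOUT = 15 * 60
MAX_SESSIONS_PER_USER = 1

# Constructed sample data: account id -> owning user.
ACCOUNTS = {"acc-1001": "alice", "acc-2002": "bob"}


class SessionStore:
    """Server-side session store. The mobile client only holds an opaque
    token; validity, timeout, rotation and revocation are decided here."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}          # token -> {"user": str, "last_seen": float}

    def login(self, user):
        """M4-05/M4-06: mint a fresh token on every login and evict the oldest
        sessions of the same user beyond the concurrency limit."""
        active = sorted((s["last_seen"], t) for t, s in self._sessions.items()
                        if s["user"] == user)
        while len(active) >= MAX_SESSIONS_PER_USER:
            _, oldest = active.pop(0)
            del self._sessions[oldest]
        token = secrets.token_urlsafe(32)   # M5-04: 256 bits from the OS CSPRNG
        self._sessions[token] = {"user": user, "last_seen": self._clock()}
        return token

    def resolve(self, token):
        """Return the user bound to a token, or None if unknown or idle-expired (M4-04)."""
        sess = self._sessions.get(token)
        if sess is None:
            return None
        now = self._clock()
        if now - sess["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[token]       # purge, do not merely reject
            return None
        sess["last_seen"] = now
        return sess["user"]

    def logout(self, token):
        """M4-03: logout removes the server-side record, so a replayed token fails."""
        return self._sessions.pop(token, None) is not None


def read_account(store, token, account_id):
    """M6-02: ownership is checked against the user bound to the session, never
    against a user id supplied by the client. Returns an HTTP-like status."""
    user = store.resolve(token)
    if user is None:
        return 401
    if ACCOUNTS.get(account_id) != user:
        return 403
    return 200


def demo():
    """Exercise the store with a controllable clock; every value should be True."""
    now = [1_700_000_000.0]
    store = SessionStore(clock=lambda: now[0])
    r = {}
    t1 = store.login("alice")
    t2 = store.login("alice")
    r["tokens_differ"] = t1 != t2
    r["old_session_revoked_by_new_login"] = store.resolve(t1) is None
    r["own_account_readable"] = read_account(store, t2, "acc-1001") == 200
    r["other_users_account_forbidden"] = read_account(store, t2, "acc-2002") == 403
    now[0] += 10 * 60
    r["still_valid_within_idle_timeout"] = store.resolve(t2) == "alice"
    now[0] += 16 * 60
    r["expired_after_idle_timeout"] = store.resolve(t2) is None
    t3 = store.login("alice")
    store.logout(t3)
    r["token_dead_after_server_logout"] = read_account(store, t3, "acc-1001") == 401
    return r


if __name__ == "__main__":
    for name, ok in demo().items():
        print("PASS" if ok else "FAIL", name)
```

The tester's view of the same checks: log out in the app, then replay the old token from Burp (must fail); wait past the timeout and replay (must fail); log in twice and replay the first token (must fail); change the account id in an authenticated request to one belonging to another user (must return a 403-class response).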
M7. Client Code Quality
M7-01 Content Providers: SQL Injection and Local File Inclusion
M7-02 Broadcast Receiver
M7-03 Service component
M7-04 Insufficient WebView hardening
M7-05 Injection (SQLite Injection, XML Injection)
M7-06 Local File Inclusion through NSFileManager or WebViews
M7-07 Abusing URL schemes or Deeplinks
M7-08 Sensitive Information Masking
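For M7-01 and M7-05 the usual defect is a content provider or DAO that splices a caller-supplied selection string into SQL. The added example below is not code from the checklist's authors; it uses Python's sqlite3 module to reproduce that pattern beside a hardened query, so the injection can be demonstrated offline against a constructed table. The table, the rows, the user names and the allow-list of filterable columns are assumptions made for the example; on Android the equivalent hardening is a fixed owner clause bound with "?" placeholders and an allow-list (or strict projection map) for whatever the caller may filter on.

```python
import sqlite3

# Columns a caller may filter on (assumption for the example). Everything else,
# including the owner column, is decided server-side.
ALLOWED_FILTER_COLUMNS = {"body"}


def setup_db():
    """In-memory table with constructed sample rows for two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, owner TEXT, body TEXT)")
    conn.executemany("INSERT INTO notes (owner, body) VALUES (?, ?)", [
        ("alice", "alice's grocery list"),
        ("bob", "bob's card PIN 4321"),
    ])
    return conn


def query_vulnerable(conn, caller, selection):
    """The M7-01 pattern: a ContentProvider.query()-style selection string is
    concatenated into SQL, so the caller controls the WHERE clause."""
    sql = "SELECT owner, body FROM notes WHERE owner = '%s'" % caller
    if selection:
        sql += " AND " + selection
    return conn.execute(sql).fetchall()


def query_hardened(conn, caller, filters):
    """Owner clause is fixed and bound; caller filters are restricted to an
    allow-list of columns and always passed as parameters."""
    clauses = ["owner = ?"]
    args = [caller]
    for column, value in filters.items():
        if column not in ALLOWED_FILTER_COLUMNS:
            raise ValueError("filter on column %r is not permitted" % column)
        clauses.append("%s = ?" % column)      # column name comes from the allow-list
        args.append(value)                      # value is data, never SQL
    sql = "SELECT owner, body FROM notes WHERE " + " AND ".join(clauses)
    return conn.execute(sql, args).fetchall()


def demo():
    """Run the injection against both queries and report what a tester would observe."""
    conn = setup_db()
    payload = "1=1 OR owner = 'bob'"     # AND binds tighter than OR, so the OR escapes the owner check
    leaked = query_vulnerable(conn, "alice", payload)
    own = query_hardened(conn, "alice", {"body": "alice's grocery list"})
    try:
        query_hardened(conn, "alice", {"owner": "bob"})
        cross_owner_rejected = False
    except ValueError:
        cross_owner_rejected = True
    quoted = query_hardened(conn, "alice", {"body": "x' OR 1=1 --"})
    return {
        "vulnerable_rows": len(leaked),
        "vulnerable_leaks_bob": any(owner == "bob" for owner, _ in leaked),
        "hardened_rows": len(own),
        "cross_owner_filter_rejected": cross_owner_rejected,
        "quoted_value_treated_as_data": quoted == [],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The same payload is what you would pass as the selection argument through Drozer's provider query against an exported content provider; a provider that returns rows for other owners, or a SQL error mentioning the concatenated text, fails M7-01.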
M8. Code Tampering
M8-01 Unauthorized Code Modification
M8-02 Runtime Manipulation
M8-03 Rooted or Jail-broken device checking
M9. Reverse Engineering
M9-01 Reverse Engineering the Application Code (Code Obfuscation Checking)
M9-02 Information leakage/Hardcoded credential in the binaries
M10. Extraneous Functionality
M10-01 Debuggable Application
M10-02 Passwords/Connection String disclosure
M10-03 Hidden and unscrutinised functionality
Result column: in this copy of the sheet every row's Result cell reads "Issue" (the template's default value; it is not a finding against any particular app).
Description and Tool columns (for the rows where the source preserves them; tool names as listed in the sheet)

M9-02 Information leakage/Hardcoded credential in the binaries: Identify sensitive information through binary/source code. Tool: strings, jd-gui, IDA, Hopper.
M9-01 Reverse Engineering the Application Code (Code Obfuscation Checking): Tool: MobSF.
M1-03 Abusing Android Components through IPC intents: Identify Android exported components (AndroidManifest.xml).
M1-05 Minimum Device Security Requirements absent: Ensure that the app cannot execute when the PIN or pattern lock is not enabled. Tool: Device.
M2-02 Unencrypted Database files: Check encryption on database files. Tool: adb, idb, iFunbox.
M2-03 Insecure Shared Storage: Identify sensitive data on shared storage; SD card storage encryption; Shared Preferences opened with MODE_WORLD_READABLE. Tool: adb.
M2-04 Insecure Application Data Storage: Identify sensitive data in application files (application log, cache file, cookie). Tool: adb, idb, iFunbox, BinaryCookieReader.
M2-05 Information Disclosure through Logcat/ASL: Identify sensitive information in the application log. Tool: adb logcat, idb, libimobiledevice.
M2-06 Application Backgrounding (Screenshot): Identify the application snapshot/screenshot taken on backgrounding. Tool: Device, iFunbox.
M2-07 Copy/Paste Buffer Caching: Identify whether copy/paste is disabled for the sensitive parts of the application (EditText/UITextField). Tool: idb, iFunbox.
M2-08 Keyboard Press Caching: Identify the keyboard cache file, located in /var/mobile/Library/Keyboard on iOS and in /data/data/com.android.providers.userdictionary/databases/user_dict.db on Android. Tool: Device, idb, iFunbox.
M2-01 Unrestricted Backup file: For Android, check the "android:allowBackup" attribute, which should be set to "false". For iOS, use iTunes to back up the application folder and check the backup folder for sensitive info. Tool: apktool, iPhone Backup Extractor.
M4-02 Client Side Based Authentication Flaws: Perform binary attacks against the mobile app in order to bypass offline authentication. Tool: adb, Drozer, Cycript, Snoop-it, Burp Suite.
M6-01 Client Side Authorization Breaches: Perform binary attacks against the mobile app and try to execute privileged functionality that should only be executable by a user of higher privilege. Tool: adb, Drozer, Cycript, Snoop-it, Burp Suite.
M1-06 Excessive port opened at Firewall: Identify open ports at the server-side URL/IP address. Tool: Nmap.
M1-07 Default credentials on Application Server: Identify default credentials on the backend server (e.g. a Tomcat application server using tomcat/tomcat or admin/tomcat). Tool: Web browser.
M1-14 Control of interaction frequency on API (Replay Attack): Conduct simultaneous requests against the API (e.g. OTP, email sending). Tool: Burp Suite (Intruder).
M4-03 Session invalidation on Backend: Ensure that all session invalidation events are executed on the server side and not just in the mobile app. Tool: Burp Suite.
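Four of the descriptions above are answered by reading the decoded AndroidManifest.xml (apktool output): exported components (M1-03), dangerous permissions (M1-01), android:allowBackup (M2-01) and android:debuggable (M10-01). The added example below is not code from the checklist's authors; it is a small Python audit that applies those checks to a manifest, using the platform rule that a component without an explicit android:exported attribute is exported when it declares an intent-filter. The manifest is constructed for the example and the set of permissions flagged as sensitive is an assumption; the MAIN-action launcher activity is skipped because it is exported by design.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def a(name):
    """Qualified attribute name in the android: namespace."""
    return "{%s}%s" % (ANDROID_NS, name)


# Permissions treated as high impact for the M1-01 check (assumption for this example).
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO",
}

IPC_COMPONENTS = ("activity", "service", "receiver", "provider")


def is_exported(component):
    """Explicit android:exported wins; otherwise a component with an
    <intent-filter> is exported. Providers without the attribute are treated
    as exported (the pre-API-17 default) to err on the side of reporting."""
    explicit = component.get(a("exported"))
    if explicit is not None:
        return explicit.lower() == "true"
    if component.tag == "provider":
        return True
    return component.find("intent-filter") is not None


def is_launcher(component):
    return any(act.get(a("name")) == "android.intent.action.MAIN"
               for act in component.iter("action"))


def audit_manifest(xml_text):
    """Return a list of (checklist_id, finding) tuples for a decoded manifest."""
    root = ET.fromstring(xml_text)
    findings = []
    for perm in root.findall("uses-permission"):            # M1-01
        name = perm.get(a("name"), "")
        if name in SENSITIVE_PERMISSIONS:
            findings.append(("M1-01", "requests sensitive permission %s" % name))
    app = root.find("application")
    if app is None:
        return findings
    if app.get(a("allowBackup"), "true").lower() == "true":   # M2-01: absent means true
        findings.append(("M2-01", "android:allowBackup is not false"))
    if app.get(a("debuggable"), "false").lower() == "true":   # M10-01
        findings.append(("M10-01", "android:debuggable is true"))
    for comp in app:                                          # M1-03
        if comp.tag not in IPC_COMPONENTS or is_launcher(comp):
            continue
        if is_exported(comp) and comp.get(a("permission")) is None:
            findings.append(("M1-03", "%s %s is exported without a permission"
                             % (comp.tag, comp.get(a("name")))))
    return findings


# Constructed sample manifest; not taken from any real application.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.bank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:debuggable="true">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".TransferActivity" android:exported="true"/>
    <service android:name=".SyncService" android:exported="false"/>
    <receiver android:name=".OtpReceiver">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <provider android:name=".AccountsProvider"
              android:authorities="com.example.bank.accounts"
              android:exported="true"
              android:permission="com.example.bank.READ_ACCOUNTS"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for check, message in audit_manifest(SAMPLE_MANIFEST):
        print(check, message)
```

Each M1-03 hit is the starting point for the IPC tests in M7: an exported receiver is driven with adb shell am broadcast, an exported activity with am start, and an exported provider with Drozer's content query; a component that is exported but guarded by a signature-level permission (the provider above) is not reported.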
Applicable Platform column (as preserved in the source, grouped by OWASP category; the source marks each row Android, iOS or All)
M1: rows are marked Android, iOS (the Keychain/Touch ID row) or All; the server-side rows (firewall, application server, API) are marked All.
M2: the Android-specific storage rows are marked Android; the rest are All.
M3, M4, M5, M8, M9: All.
M6: the preserved entry is All.
M7: Content Providers, Broadcast Receiver and Service component are Android; the remaining rows are All.
M10: the preserved entry (Debuggable Application) is Android.

Additional Description text preserved for M4-04 Session Timeout Protection: the session should time out after around 10-15 minutes.