Penetration testing checklist based on OWASP Top 10 Mobile 2016

Summary of test cases (ID | Test Name | Result)

M1. Improper Platform Usage

ID | Test Name | Result
M1-01 | Misuse of App permissions | Issue
M1-02 | Insecure version of OS Installation Allowed | Issue
M1-03 | Abusing Android Components through IPC intents ("exported" and "intent-filter") | Issue
M1-04 | Misuse of Keychain, Touch ID and other security related controls | Issue
M1-05 | Minimum Device Security Requirements absent | Issue
M1-06 | Excessive port opened at Firewall | Issue
M1-07 | Default credentials on Application Server | Issue
M1-08 | Weak password policy Implementation | Issue
M1-09 | Exposure of Webservices through WSDL document | Issue
M1-10 | Security Misconfiguration on Server API | Issue
M1-11 | Security Patching on Server API | Issue
M1-12 | Input validation on API | Issue
M1-13 | Information Exposure through API response message | Issue
M1-14 | Control of interaction frequency on API (Replay Attack) | Issue

M2. Insecure Data Storage

ID | Test Name | Result
M2-01 | Unrestricted Backup file | Issue
M2-02 | Unencrypted Database files | Issue
M2-03 | Insecure Shared Storage | Issue
M2-04 | Insecure Application Data Storage | Issue
M2-05 | Information Disclosure through Logcat/Apple System Log (ASL) | Issue
M2-06 | Application Backgrounding (Screenshot) | Issue
M2-07 | Copy/Paste Buffer Caching | Issue
M2-08 | Keyboard Press Caching | Issue

M3. Insecure Communication

ID | Test Name | Result
M3-01 | Insecure Transport Layer Protocols | Issue
M3-02 | Use of Insecure and Deprecated algorithms | Issue
M3-03 | Use of Disabling certificate validation | Issue
M3-04 | SSL pinning Implementation | Issue
M3-05 | End-to-end encryption | Issue

M4. Insecure Authentication

ID | Test Name | Result
M4-01 | Remember Credentials Functionality (Persistent authentication) | Issue
M4-02 | Client Side Based Authentication Flaws | Issue
M4-03 | Session invalidation on Backend | Issue
M4-04 | Session Timeout Protection | Issue
M4-05 | Cookie Rotation | Issue
M4-06 | Multiple concurrent logins | Issue
M4-07 | Exposing Device Specific Identifiers in Attacker Visible Elements | Issue

M5. Insufficient Cryptography

ID | Test Name | Result
M5-01 | Cryptographic Based Storage Strength | Issue
M5-02 | Poor key management process | Issue
M5-03 | Use of custom encryption protocols | Issue
M5-04 | Token/Session Creation and handling | Issue

M6. Insecure Authorization

ID | Test Name | Result
M6-01 | Client Side Authorization Breaches | Issue
M6-02 | Insecure Direct Object references | Issue
M6-03 | Missing function level access control | Issue
M6-04 | Bypassing business logic flaws | Issue

M7. Client Code Quality

ID | Test Name | Result
M7-01 | Content Providers: SQL Injection and Local File Inclusion | Issue
M7-02 | Broadcast Receiver | Issue
M7-03 | Service component | Issue
M7-04 | Insufficient WebView hardening | Issue
M7-05 | Injection (SQLite Injection, XML Injection) | Issue
M7-06 | Local File Inclusion through NSFileManager or Webviews | Issue
M7-07 | Abusing URL schemes or Deeplinks | Issue
M7-08 | Sensitive Information Masking | Issue

M8. Code Tampering

ID | Test Name | Result
M8-01 | Unauthorized Code Modification | Issue
M8-02 | Runtime Manipulation | Issue
M8-03 | Rooted or Jail-broken device checking | Issue

M9. Reverse Engineering

ID | Test Name | Result
M9-01 | Reverse Engineering the Application Code (Code Obfuscation Checking) | Issue
M9-02 | Information leakage/Hardcoded credential in the binaries | Issue

M10. Extraneous Functionality

ID | Test Name | Result
M10-01 | Debuggable Application | Issue
M10-02 | Passwords/Connection String disclosure | Issue
M10-03 | Hidden and Unscrutinised functionalities | Issue
Test cases by test phase (Test Name | Description | Tool | Applicable Platform | OWASP | Result)

Static analysis

Test Name | Description | Tool | Applicable Platform | OWASP | Result
Reverse Engineering the Application Code (Code Obfuscation Checking) | Disassemble and decompile the application | apktool, dex2jar, Clutch, Classdump | All | M9 | Issue
Information leakage/Hardcoded credential in the binaries | Identify sensitive information in the binary/source code | strings, jdgui, IDA, Hopper | All | M9 | Issue
Unauthorized Code Modification | Static code modification, binary patching, bypassing the checksum mechanism | apktool, Hopper | All | M8 | Issue
Misuse of App permissions | Identify excessive app permissions | apktool, MobSF | Android | M1 | Issue
Insecure version of OS Installation Allowed | Identify "minSdkVersion" in apktool.yml; the value should be set higher than 17. For iOS, identify the minimum OS version using idb. | apktool, idb | All | M1 | Issue
Abusing Android Components through IPC intents ("exported" and "intent-filter") | Identify exported Android components in AndroidManifest.xml | MobSF | Android | M1 | Issue
Unrestricted Backup file | Check the "android:allowBackup" attribute in AndroidManifest.xml, which should be set to "false" | apktool | Android | M2 | Issue
Cryptographic Based Storage Strength | Identify insecure/deprecated cryptographic algorithms (RC4, MD5, SHA1) in the source code | jdgui, MobSF, Qark, Hopper, iFunbox | All | M5 | Issue
Poor key management process | Identify hardcoded keys in the application, or keys that may be intercepted via binary attacks | jdgui, MobSF, Qark, Hopper, iFunbox | All | M5 | Issue
Use of custom encryption protocols | Identify implementation of the application's own (custom) protocol | jdgui, MobSF, Qark, Hopper, iFunbox | All | M5 | Issue
Debuggable Application | Identify the "android:debuggable" attribute | adb, MobSF | Android | M10 | Issue

Dynamic and Runtime analysis

Test Name | Description | Tool | Applicable Platform | OWASP | Result
Misuse of Keychain, Touch ID and other security related controls | Identify misuse of the Data Protection API on the Keychain and misuse of Touch ID (retrieve credentials from local storage, local authentication) | iDevice | iOS | M1 | Issue
Minimum Device Security Requirements absent | Ensure that the app cannot execute when the PIN or pattern lock is not enabled | Device | All | M1 | Issue
Unencrypted Database files | Check encryption of database files | adb, idb, iFunbox | All | M2 | Issue
Insecure Shared Storage | Identify sensitive data on shared storage, SD card storage encryption, shared preferences with MODE_WORLD_READABLE | adb | Android | M2 | Issue
Insecure Application Data Storage | Identify sensitive data in application files (application log, cache file, cookie) | adb, idb, iFunbox, BinaryCookieReader | All | M2 | Issue
Information Disclosure through Logcat/Apple System Log (ASL) | Identify sensitive information in the application log | adb logcat, idb, libimobiledevice | All | M2 | Issue
Application Backgrounding (Screenshot) | Identify application snapshots/screenshots taken on backgrounding | Device, iFunbox | All | M2 | Issue
Copy/Paste Buffer Caching | Identify whether the copy/paste function is disabled for sensitive parts of the application (EditText/UITextField) | idb, iFunbox | All | M2 | Issue
Keyboard Press Caching | Identify the keyboard cache file located in /var/mobile/Library/Keyboard (iOS) or /data/data/com.android.providers.userdictionary/databases/user_dict.db (Android) | Device, idb, iFunbox | All | M2 | Issue
Unrestricted Backup file | For Android, check the "android:allowBackup" attribute, which should be set to "false". For iOS, use iTunes to back up the application folder in order to check for sensitive info in the backup folder. | apktool, iPhone Backup Extractor | All | M2 | Issue
Remember Credentials Functionality (Persistent authentication) | Identify the user's password or sessions stored on the device | adb, idb, iFunbox | All | M4 | Issue
Client Side Based Authentication Flaws | Perform binary attacks against the mobile app in order to bypass offline authentication | adb, Drozer, Cycript, Snoop-it, Burpsuite | All | M4 | Issue
Client Side Authorization Breaches | Perform binary attacks against the mobile app and try to execute privileged functionality that should only be executable by a user of higher privilege | adb, Drozer, Cycript, Snoop-it, Burpsuite | All | M6 | Issue
Content Providers: SQL Injection and Local File Inclusion | Identify SQLi and LFI in the Content Provider component | Drozer | Android | M7 | Issue
Broadcast Receiver | Identify intent-filters on broadcast and receiver components in order to directly access and sniff the information | Drozer | Android | M7 | Issue
Service component | Invoke the Service component directly | Drozer | Android | M7 | Issue
Insufficient WebView hardening | Identify misconfiguration of "android.webkit.WebSettings" (JavaScript/file access/plugins); XSS through UIWebView | jdgui, iDevice | All | M7 | Issue
Injection (SQLite Injection, XML Injection) | Identify SQLi and XMLi in the application | adb, iDevice, Burpsuite | All | M7 | Issue
Local File Inclusion through Webviews | Check LFI in the application (../ , ../../blah\0); WebView file access attack through setAllowFileAccess | jdgui, iDevice | All | M7 | Issue
Abusing URL schemes or Deeplinks | For iOS: identify URL schemes through Info.plist, and use Clutch + strings to obtain URL scheme structures. For Android: identify URL schemes through the source code or manifest file. | apktool, jdgui, Clutch, strings | All | M7 | Issue
Sensitive Information Masking | Identify masking of sensitive information (credit card number on the UI and in HTTPS traffic) | Device, Burpsuite | All | M7 | Issue
Runtime Manipulation | Run-time manipulation, method swizzling | Frida, Cycript, Snoop-it | All | M8 | Issue
Rooted or Jail-broken device checking | Detect root/jailbreak detection code in the reverse-engineered app file. If found, delete or change the access control of the file containing the code and restart the app, or install tools like hidemyroot and run the app. | tsProtector, RootCloak2 | All | M8 | Issue
Passwords/Connection String disclosure | Identify sensitive information (credentials) exchanged between the mobile app and the API | jdgui, Burpsuite | All | M10 | Issue
Hidden and Unscrutinised functionalities | Identify extraneous functionality (hidden back-end URLs) | jdgui, Burpsuite | All | M10 | Issue

Communication Channel

Test Name | Description | Tool | Applicable Platform | OWASP | Result
Insecure Transport Layer Protocols | Observe the device's network traffic through a proxy to determine whether SSL is implemented or not | Burpsuite | All | M3 | Issue
Use of Insecure and Deprecated algorithms | Identify the SSL/TLS encryption algorithms in use | testssl.sh, Qualys SSL Labs | All | M3 | Issue
Use of Disabling certificate validation | The tester is able to intercept SSL traffic without installing a certificate (checkServerTrusted with an empty body) | jdgui, MobSF, Qark | All | M3 | Issue
SSL pinning Implementation | Check whether the application accepts a certificate from any trusted CA (Burpsuite) or not, e.g. check setAllowsAnyHTTPSCertificate (iOS) and AllowAllHostnameVerifier (Android) | jdgui, MobSF, Qark | All | M3 | Issue
End-to-end encryption | Identify end-to-end encryption at the application layer | Burpsuite | All | M3 | Issue

Server Side - Webservices and API

Test Name | Description | Tool | Applicable Platform | OWASP | Result
Excessive port opened at Firewall | Identify open ports on the server-side URL/IP address | Nmap | All | M1 | Issue
Default credentials on Application Server | Identify default credentials on the backend server (e.g. Tomcat application server using tomcat/tomcat, admin/tomcat) | Web Browser | All | M1 | Issue
Weak password policy Implementation | Identify weak password policy implementation on both the mobile and server side (e.g. bypass password complexity checking on the UI) | Burpsuite | All | M1 | Issue
Exposure of Webservices through WSDL document | Identify web service help pages (*.asmx) which show methods and structure | Web Browser | All | M1 | Issue
Security Misconfiguration on Server API | Identify web server configuration (e.g. error handling, HTTP response banner) | Web Browser, Burpsuite | All | M1 | Issue
Security Patching on Server API | Identify vulnerabilities in the server API | Nessus | All | M1 | Issue
Input validation on API | Check input validation (e.g. SQL Injection, XXE) on the API/web services | Burpsuite | All | M1 | Issue
Information Exposure through API response message | Identify sensitive information in API response messages/headers | Burpsuite | All | M1 | Issue
Control of interaction frequency on API (Replay Attack) | Conduct simultaneous requests against the API (e.g. OTP, email sending) | Burpsuite (Intruder) | All | M1 | Issue
Session invalidation on Backend | Ensure that all session invalidation events are executed on the server side and not just in the mobile app | Burpsuite | All | M4 | Issue
Session Timeout Protection | The mobile app must have adequate timeout protection on the backend components | Burpsuite | All | M4 | Issue (around 10-15 minutes)
Cookie Rotation | Ensure that cookie reset is properly implemented during authentication state changes (Anonymous <-> User, User A <-> User B, Timeout) | Burpsuite | All | M4 | Issue
Multiple concurrent logins | Log in simultaneously from multiple devices with the same credentials | Burpsuite | All | M4 | Issue
Exposing Device Specific Identifiers in Attacker Visible Elements | Observe the device's network traffic through a proxy to determine whether device information (UDID) is sent during transmission or not | Burpsuite | All | M4 | Issue
Token/Session Creation and handling | Tokens should use a standard algorithm and be sufficiently long, complex and pseudo-random so as to be resistant to guessing/anticipation attacks | Burpsuite | All | M5 | Issue
Insecure Direct Object references | Directly access unauthorised objects/variables through HTTPS traffic | Burpsuite | All | M6 | Issue (1. /cgi-bin/ 2. /img/)
Missing function level access control | Directly access unauthorised functions through HTTPS traffic | Burpsuite | All | M6 | Issue
Bypassing business logic flaws | Bypass business logic data validation; circumvention of workflows | Burpsuite | All | M6 | Issue