Mobile app security test checklist. For each item: the requirement, the steps to verify it, and the expected result.

1. Masking of sensitive information against automatic snapshots

   Requirement: The application should mask any sensitive information on screen so that it cannot be leaked via the automatic snapshots taken by the device (iOS captures an image of the app's screen when the app moves to the background).

   Steps to verify:
   1. Launch the app (client-server app or standalone).
   2. Work through the app screens that show custom images/screens with sensitive content.
   3. Connect the device. Launch Xcode, open the Organizer window and select the 'Applications' entry on the left for the connected device.
   4. Save the application data to the Desktop by clicking the app icon in the tray and dragging it to the Desktop. The folder is saved with a name such as: com.spoonjuice.nightstandhd 2011-05-30
   5. Open the app's saved data folder and inspect Documents > Caches > Images and Library > Caches.

   Expected result: Any images/screenshots saved in these locations are encrypted and cannot be opened and viewed.

2. Encryption of saved documents

   Requirement: Information contained in the saved documents should be encrypted, so that sensitive information such as account numbers and email ids cannot be read from them. As a best practice, sensitive data should never be stored on the client at all.

   Steps to verify:
   1. Open the app's saved data folder and inspect Documents > Caches and Library > Caches.
   2. Try to open the cache files with SQLiteManager.

   Expected result: The cache files are encrypted (SQLiteManager cannot read them).

3. No sensitive information in the application's plist

   Requirement: The application's plist files should not store sensitive information. Such data should be saved in the keychain instead, which limits access from one app to another app's data.

   Steps to verify:
   1. Open the app's saved data folder.
   2. Open the plist files present in Library > Preferences, or anywhere else in the folder.

   Expected result: No sensitive information such as login credentials or other confidential data is stored in the plist.

4. Secured client/server communication

   Requirement: Secured client/server communication should be established every time it is required, i.e. the data sent over the network must be properly encrypted.

   Steps to verify:
   1. Install the client-server application to be tested in the iPhone simulator (Little Snitch only sees traffic leaving the Mac).
   2. Download Little Snitch for Mac.
   3. Install it and restart the Mac.
   4. Launch the iPhone simulator, launch the application under test and let it connect to the internet. Observe the dialog Little Snitch prompts for network access permission.

   Expected result: The Little Snitch dialog (see the annotated area in the snapshot example) shows https if the app is using a secured network connection.

5. Registration/profile/details/info screens: submitting a mobile number/email id

   Steps to verify:
   1. Visit the Sign Up/Registration screen of the app.
   2. Enter the details, including the mobile number/email id.
   3. Submit.

   Expected result: A confirmation email/code is sent to the email id/mobile number, and the details are accepted only after confirmation.

6. Privacy settings

   Steps to verify: View the profile details/settings screen in the app.

   Expected result: Options are available to show private details to All / Friends / Selected.

7. "Remember Me" (or "Keep me signed in")

   Steps to verify:
   1. Sign in to the app with the 'Remember Me' or 'Keep me signed in' option checked.
   2. Sign out of the app.

   Expected result: The password is cleared on signing out.

8. Auto sign out

   Steps to verify: Sign in to a client-server app and leave it idle for a defined duration, say 15 or 30 minutes.

   Expected result: The current user is signed out.

9. Forgot username/password

   Steps to verify:
   1. Select the Forgot password or Forgot username option.
   2. Submit the appropriate username or email id, answering the predefined security question etc.

   Expected result: The login details are sent to the respective email id, or an option to reset the password is sent to the email id.

10. Change email id/password/phone number

   Steps to verify:
   1. Sign in.
   2. Navigate to the Settings screen.
   3. Submit the new email id/password/phone number.

   Expected result: A confirmation link/code is sent to the new email id/mobile number.

11. Blocking users in a social app

   Requirement: If the app is social, options should be present to block/unblock users.

   Steps to verify:
   1. Sign in to the social app.
   2. Search for a friend or any person on the network.

   Expected result: A block/unblock option is available while viewing them, or it is present in the privacy settings.

12. Support from the developer

   Steps to verify: View the Info screen, Settings screen, Credits screen, Home screen or any reference screen in the app.

   Expected result: There is information on how to contact the development/support team about any concerns with the app.

13. Deleting all user-saved data

   Steps to verify: Try to delete the user-saved data such as tasks/todo/contacts etc. all at once.

   Expected result: Passcode should be prompted on attempting to delete the data which is

14. Length of the username/password

   Steps to verify:
   1. Type the username/password in the respective fields on the sign-in screen and attempt to sign in.
   2. Type a password on the Change-Password screen and save it.

   Expected result: The permitted length of the password is decided based on the strength of the network, the type of encryption etc., and may vary from app to app.

15. Information disclosure in app screens

   Steps to verify:
   1. Launch the app.
   2. Go through each and every screen/page of the app and observe the content of every screen.

   Expected result: The app does not reveal any confidential information about the app itself, or about the developer or the products used to build it.
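For items 1 to 3 (snapshots, cache files and plists) the same inspection can be done offline on the saved container folder with a script. This is an added example and not part of the original checklist; it runs against a constructed sample container whose folder layout, file names and preference keys are assumptions rather than anything taken from a real app:

```python
"""Offline audit of an app data container copied from the Xcode Organizer.

Added example (not from the original checklist): walks the saved container
folder and flags what items 1-3 look for. The folder layout and key names in
the constructed sample are assumptions, not taken from any real app.
"""
import os
import plistlib
import re
import sqlite3
import tempfile

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_MAGIC = b"\xff\xd8\xff"
SQLITE_MAGIC = b"SQLite format 3\x00"
# heuristic key names for data that belongs in the keychain, never in a plist
SENSITIVE_KEY = re.compile(r"pass|pwd|pin|secret|token|credential", re.I)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def _files(root):
    """Yield (absolute path, container-relative path with '/' separators)."""
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            yield path, os.path.relpath(path, root).replace(os.sep, "/")


def _head(path, n=16):
    with open(path, "rb") as fh:
        return fh.read(n)


def find_plain_images(container):
    """Snapshots/images any viewer can open, i.e. not encrypted at rest."""
    return sorted(rel for path, rel in _files(container)
                  if _head(path).startswith((PNG_MAGIC, JPEG_MAGIC)))


def find_readable_sqlite(container):
    """Caches that open with no key, mapped to the e-mail ids they expose.
    An encrypted database has no 'SQLite format 3' header and is skipped."""
    found = {}
    for path, rel in _files(container):
        if not _head(path).startswith(SQLITE_MAGIC):
            continue
        con = sqlite3.connect(path)
        exposed = set()
        for (table,) in con.execute("SELECT name FROM sqlite_master WHERE type='table'"):
            for row in con.execute('SELECT * FROM "%s"' % table.replace('"', '""')):
                for cell in row:
                    if isinstance(cell, str):
                        exposed.update(EMAIL_RE.findall(cell))
        con.close()
        found[rel] = sorted(exposed)
    return found


def _flatten(obj, prefix=""):
    """Walk nested dicts/lists, yielding ('outer/inner/key', leaf value)."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from _flatten(v, prefix + str(k) + "/")
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from _flatten(v, prefix + str(i) + "/")
    else:
        yield prefix.rstrip("/"), obj


def find_sensitive_plist_keys(container):
    """(file, key path, value) for credential-like keys in XML or binary plists."""
    hits = []
    for path, rel in _files(container):
        if not rel.endswith(".plist"):
            continue
        with open(path, "rb") as fh:
            try:
                data = plistlib.load(fh)
            except Exception:  # not a plist after all
                continue
        hits += [(rel, key, repr(val)) for key, val in _flatten(data) if SENSITIVE_KEY.search(key)]
    return sorted(hits)


def audit(container):
    return {"plain_images": find_plain_images(container),
            "readable_sqlite": find_readable_sqlite(container),
            "plist_secrets": find_sensitive_plist_keys(container)}


def build_sample_container(root):
    """Constructed sample of a leaky container (assumed layout and names)."""
    snaps = os.path.join(root, "Library", "Caches", "Snapshots")
    prefs = os.path.join(root, "Library", "Preferences")
    docs = os.path.join(root, "Documents")
    for d in (snaps, prefs, docs):
        os.makedirs(d, exist_ok=True)
    with open(os.path.join(snaps, "snapshot-1.png"), "wb") as fh:  # background snapshot, plain PNG
        fh.write(PNG_MAGIC + bytes(32))
    con = sqlite3.connect(os.path.join(root, "Library", "Caches", "Cache.db"))  # unencrypted cache
    con.execute("CREATE TABLE contacts (name TEXT, email TEXT)")
    con.execute("INSERT INTO contacts VALUES (?, ?)", ("Alice", "alice@example.com"))
    con.commit()
    con.close()
    with open(os.path.join(prefs, "com.example.app.plist"), "wb") as fh:  # credentials in a plist
        plistlib.dump({"username": "alice", "password": "hunter2", "SessionTimeout": 900},
                      fh, fmt=plistlib.FMT_BINARY)
    with open(os.path.join(docs, "notes.enc"), "wb") as fh:  # ciphertext, no known header: passes
        fh.write(bytes(range(32, 96)))


def run_sample_audit():
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_container(tmp)
        return audit(tmp)


if __name__ == "__main__":
    for check, result in run_sample_audit().items():
        print(check, result)
```

Point `audit()` at the folder saved from the Organizer instead of the sample. A file that shows up in none of the three lists is not proof that it is encrypted, only that it is not trivially readable; anything with an unfamiliar header still deserves a look by hand.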
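For item 4, a Little Snitch prompt shows that a connection was opened, and port 443 on its own does not prove that what went over it was encrypted. The added example below, which is not from the original checklist, classifies a connection by the first bytes the client sends (a TLS ClientHello versus a plaintext HTTP request) and extracts the server name either way. The captured streams are constructed here and the host names are assumptions:

```python
"""Classify the first bytes of each connection the app opens.

Added example (not from the original checklist): judges a connection by its
content rather than its port. Sample streams below are constructed; the host
names are assumptions.
"""
import struct

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ", b"OPTIONS ", b"PATCH ")


def sni_from_client_hello(rec):
    """server_name from a TLS ClientHello record, or None if absent/malformed."""
    try:
        if rec[0] != 0x16 or rec[5] != 0x01:            # handshake record, ClientHello
            return None
        p = 9 + 2 + 32                                  # skip client_version and random
        p += 1 + rec[p]                                 # session_id
        p += 2 + struct.unpack_from("!H", rec, p)[0]    # cipher_suites
        p += 1 + rec[p]                                 # compression_methods
        end = p + 2 + struct.unpack_from("!H", rec, p)[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack_from("!HH", rec, p)
            p += 4
            if etype == 0:                              # server_name extension
                name_len = struct.unpack_from("!H", rec, p + 3)[0]
                return rec[p + 5:p + 5 + name_len].decode("ascii")
            p += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        pass
    return None


def classify_stream(first_bytes):
    """Returns (protocol, host, verdict) for the client's opening bytes."""
    if (len(first_bytes) >= 3 and first_bytes[0] == 0x16
            and first_bytes[1] == 0x03 and first_bytes[2] <= 0x04):
        return "tls", sni_from_client_hello(first_bytes), "PASS"
    if first_bytes.startswith(HTTP_METHODS):
        host = None
        for line in first_bytes.split(b"\r\n")[1:]:
            if line.lower().startswith(b"host:"):
                host = line[5:].strip().decode("ascii", "replace")
                break
        return "http", host, "FAIL"                     # everything readable on the wire
    return "unknown", None, "REVIEW"                    # custom protocol: inspect by hand


def build_client_hello(server_name):
    """Constructed minimal ClientHello carrying only an SNI extension (sample input)."""
    name = server_name.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + bytes(32)                     # client_version, random
            + b"\x00"                                   # empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"        # one cipher suite
            + b"\x01\x00"                               # null compression only
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


# constructed samples: what the first packets of the app's connections might hold
SAMPLE_STREAMS = {
    "login-port-443": b"POST /api/login HTTP/1.1\r\nHost: api.example.com\r\n"
                      b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                      b"user=alice&password=hunter2",
    "login-tls": build_client_hello("api.example.com"),
    "push-binary": b"\x00\x2a\x7f\x01",
}


def audit_samples():
    return {label: classify_stream(data) for label, data in SAMPLE_STREAMS.items()}


if __name__ == "__main__":
    for label, (proto, host, verdict) in audit_samples().items():
        print(f"{label:16} {proto:8} {host or '-':20} {verdict}")
```

Feed `classify_stream()` the first segment of each client-to-server stream from a packet capture taken on the Mac while the simulator runs. A PASS only shows that TLS was used; whether the app actually validates the server certificate is a separate test, done with an interception proxy.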
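Items 7 and 8 test behaviour that is enforced on the server side. The added example below (not from the original checklist; the timeout values are an assumed policy) shows a session store that signs an idle user out, revokes the session on explicit sign-out, and implements 'Remember Me' as a separate revocable token so that the password itself never has to be kept on the client:

```python
"""Server-side session rules behind the 'Remember Me' and 'Auto sign out' items.

Added example (not from the original checklist). Timeout values are an assumed
policy. A fake clock stands in for time.time() so the scenarios run instantly.
"""
import secrets
import time

IDLE_TIMEOUT = 15 * 60          # assumed: sign the user out after 15 minutes idle
ABSOLUTE_TIMEOUT = 12 * 3600    # assumed: force re-authentication every 12 hours
REMEMBER_TIMEOUT = 30 * 86400   # assumed: a 'remember me' token lives 30 days


class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}     # session token -> [user, created, last_seen]
        self._remember = {}     # remember token -> [user, issued]

    def sign_in(self, user, remember=False):
        """Returns (session token, remember token or None). The password is not kept."""
        now = self._clock()
        token = secrets.token_urlsafe(32)
        self._sessions[token] = [user, now, now]
        remember_token = None
        if remember:
            remember_token = secrets.token_urlsafe(32)
            self._remember[remember_token] = [user, now]
        return token, remember_token

    def user_for(self, token):
        """Call on every request: returns the user, or None once the session is stale."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, created, last_seen = entry
        now = self._clock()
        if now - last_seen > IDLE_TIMEOUT or now - created > ABSOLUTE_TIMEOUT:
            del self._sessions[token]       # the 'Auto sign out' item
            return None
        entry[2] = now                      # activity resets the idle timer
        return user

    def resume(self, remember_token):
        """Opens a fresh session from a valid 'remember me' token, else None."""
        entry = self._remember.get(remember_token)
        if entry is None or self._clock() - entry[1] > REMEMBER_TIMEOUT:
            self._remember.pop(remember_token, None)
            return None
        return self.sign_in(entry[0])[0]

    def sign_out(self, token, remember_token=None):
        """Explicit sign-out revokes both tokens, so nothing usable stays on the client."""
        self._sessions.pop(token, None)
        self._remember.pop(remember_token, None)


class FakeClock:
    """Deterministic clock so the timeouts can be exercised without waiting."""
    def __init__(self, start=1_700_000_000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def walk_through():
    """Runs the checklist scenarios; returns a dict of observations."""
    clock = FakeClock()
    store = SessionStore(clock)
    token, remember = store.sign_in("alice", remember=True)
    out = {}
    clock.advance(10 * 60)
    out["active_after_10_min"] = store.user_for(token)            # 'alice': still within idle limit
    clock.advance(16 * 60)
    out["after_16_min_idle"] = store.user_for(token)              # None: auto signed out
    out["resumed_user"] = store.user_for(store.resume(remember))  # 'alice': remember token still valid
    token2, _ = store.sign_in("alice")
    store.sign_out(token2, remember)
    out["after_sign_out"] = store.user_for(token2)                # None: session revoked
    out["resume_after_sign_out"] = store.resume(remember)         # None: remember token revoked too
    return out


if __name__ == "__main__":
    for name, value in walk_through().items():
        print(f"{name:24} {value!r}")
```

When testing item 8, sign in, leave the app idle past the limit and then perform an action that needs the server: the request is what should fail, regardless of what the client still shows on screen.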