Penetration testing checklist based on OWASP Top 10 Mobile

M1. Weak Server Side

Control
M1-01
M1-02
M1-03
M1-04
M1-05

M2. Insecure Data

Storage
M2-01
M2-02
M2-03
M2-04
M2-05

M3. Insufficient
Transport Layer
Protection
M3-01
M3-02
M3-03
M3-04

M4. Unintended Data

Leakage
M4-01
M4-02
M4-03
M4-04
M4-05
M4-06

M5. Poor
Authorization and
Authentication
M5-01
M5-02
M5-03
M5-04
M5-05

M6. Broken
Cryptography
M6-01
M6-02
M6-03

M7. Client Side

Injection
M7-01
 M7-02
M7-03
M7-04

M8. Security
Decisions Via
Untrusted Inputs
M8-01
M8-02

M9. Improper
Session Handling
M9-01
M9-02
M9-03
M9-04

M10. Lack of Binary

Protections
M10-01
M10-02
M10-03
Penetration testing checklist based on OWASP Top 10 Mobile

Test Name Result

Excessive port opened at Firewall Issue
Default credentials on Application Server Issue
Exposure of Webservices through WSDL document Issue
Security Misconfiguration on Webserver Issue
Input validation on API Issue

Test Name Result

Unrestricted Backup file Issue
Unencrypted Database files Issue
Hard-coded credentials Issue
Insecure Shared Storage Issue
Insecure Application Data Storage Issue

Test Name Result

Insecure Transport Layer Protocols Issue

SSL/TLS Weak Encryption Issue
Disable certificate validation Issue
Self-signed certificate Issue

Test Name Result

Information Disclosure through Logcat/Apple System Log (ASL) Issue
Exposing Device Specific Identifiers in Attacker Visible Elements Issue
Application Backgrounding (Screenshot) Issue
URL Caching (HTTP Request and Response) Issue
Keyboard Press Caching Issue
Copy/Paste Buffer Caching Issue

Test Name Result

Bypassing business logic flaws Issue

Remember Credentials Functionality (Persistent authentication) Issue
Client Side Based Authentication Flaws Issue
Client Side Authorization Breaches Issue
Insecure version of Android OS Installation Allowed Issue

Test Name Result

Cryptographic Based Storage Strength Issue
Poor key management process Issue
Use of custom encryption protocols Issue

Test Name Result

Insufficient WebView hardening (XSS) Issue
Content Providers: SQL Injection and Local File Inclusion Issue
Injection (SQLite Injection, XML Injection) Issue
Local File Inclusion through NSFileManager or Webviews Issue

Test Name Result

Abusing Android Components through IPC intents ("exported" and "intent-filter") Issue
Abusing iOS URL schemes Issue

Test Name Result

Session invalidation on Backend Issue
Session Timeout Protection Issue
Cookie Rotation Issue
Token Creation Issue

Test Name Result

Reverse Engineering the Application Code Issue
Unauthorized Code Modification Issue
Debug the application behavior through runtime analysis Issue
 Penetration testing checklist based on OWASP T

Test Name

Reverse Engineering the Application Code

Hard-coded credentials on sourcecode
Insecure version of Android OS Installation Allowed

Cryptographic Based Storage Strength

Poor key management process

Use of custom encryption protocols
Unrestricted Backup file
Unencrypted Database files
Insecure Shared Storage
Client Side - Static and Dynamic analysis

Insecure Application Data Storage

Information Disclosure through Logcat/Apple System
Log (ASL)
Application Backgrounding (Screenshot)
URL Caching (HTTP Request and Response) on
cache.db
Keyboard Press Caching

Copy/Paste Buffer Caching

Remember Credentials Functionality (Persistent
authentication)
Client Side Based Authentication Flaws

Client Side Authorization Breaches

Insufficient WebView hardening (XSS)

Content Providers: SQL Injection and Local File
Inclusion
Injection (SQLite Injection, XML Injection)
Local File Inclusion through NSFileManager or
Webviews
Abusing Android Components through IPC intents
("exported" and "intent-filter")
Abusing iOS URL schemes

Unauthorized Code Modification

Debug the application behavior through runtime
analysis
Communication Channel Test Name

Insecure Transport Layer Protocols

SSL/TLS Weak Encryption
Disable certificate validation

Self-signed certificate

Exposing Device Specific Identifiers in Attacker Visible

Elements

Test Name
Excessive port opened at Firewall
Default credentials on Application Server
Server Side - Webservices and API

Exposure of Webservices through WSDL document

Security Misconfiguration on Webserver

Input validation on API
Bypassing business logic flaws

Session invalidation on Backend

Session Timeout Protection

Cookie Rotation

Token Creation
Penetration testing checklist based on OWASP Top 10 Mobile

Description Tool OWASP

Disassembling and Decompiling the application, Obfuscation apktool, dex2jar, Clutch,
M10
checking Classdump
Identify sensitive information on sourecode string, jdgui, IDA, Hopper M2
Identify "minSdkVersion" on apktool.yml, the value be set over apktool
M5
than 17 Androidmanifest.xml
Identify insecure/deprecated cryptographic algorithms (RC4, MD5,
jdgui, YSO, Qark, AndroBugs M6
SHA1) on sourcecode
Identify hardcoded key in application or Keys may be intercepted
jdgui, YSO, Qark, AndroBugs M6
via Binary attacks
Identify implementing their own protocol jdgui, YSO, Qark, AndroBugs M6
Check "android:allowBackup" attribute which should be set to apktool
M2
"false" Androidmanifest.xml
Check encryption on database files adb, idb, iFunbox M2
Identify Sensitive Data on Shared Storage, SD card storage
adb, keychaindumper M2
encryption, Shared preferences MODE_WORLD_READABLE
Identify Sensitive Data in application files (application log, Cache adb, idb,
M2
file, Cookie) iFunbox,BinaryCookieReader
Identify sensitive information through application log CatLog, idb, Snoop-it M4
Identify application snapshot/screenshot backgrounding adb, iFunbox M4
Identify HTTP caching which is stored in Cache.db idb, iFunbox M4
Identify keyboard cache file located in:
idb, iFunbox M4
/var/mobile/Library/Keyboard
Identify disabling Copy/Paste function for sensitive part of the
idb, iFunbox M4
application on EditText/UITextField
Identify user's password or sessions on the device idb, iFunbox M5

Perform binary attacks against the mobile app in order to bypass adb, Drozer, Cycript, Snoop-it,
M5
offline authentication Burpsuite
Perform binary attacks against the mobile app and try to execute
adb, Drozer, Cycript, Snoop-it,
privileged functionality that should only be executable with a user M5
Burpsuite
of higher privilege
Identify misconfiguration on "android.webkit.WebSettings"
jdgui, Burpsuite M7
(Javascript/File access/Plugins), XSS through UIWebview
Identify SQLi and LFI on Content provider component Drozer M7
Identify SQLi and XMLi on application adb, iFunbox, Burpsuite M7
Check LFI on application(../ , ../../blah\0) Webviews FileAccess
iDevice, Drozer M7
attack through setAllowFileAccess
apktool
Identify android exported components M8
Androidmanifest.xml
Identify URL schemes through info.plist and Clutch+Strings to
iFunbox, Clutch, Strings M8
obtain URL scheme structures
Binary attack through run-time manipulation and code modification apktool, Frida, cycript, snoop-it M10
Identify "android:debuggable" attribute
adb jdwp, jdb, GDB, LLDB M10
Using GDB/LLDB attach to application
 Description Tool OWASP
Observe the device's network traffic through a proxy that SSL is
Burpsuite M3
implemented or not
Identify SSL/TLS Encryption Algorithms testssl.sh, Qualys SSL Labs M3
Allow tester to intercept SSL traffic without Certificate installation
jdgui, YSO, Qark, AndroBugs M3
(checkServerTrusted with nobody)

Application accepts a certificate from any trusted CA (Burpsuite).

Check setAllowsAnyHTTPSCertificate(iOS) and jdgui, YSO, Qark, AndroBugs M3
AllowAllHostnameVerifier(Android)

Observe the device's network traffic through a proxy that Device's

Burpsuite M4
information (UDID) is sent during the transmission or not.

Description Tool OWASP

Identify opened port at Server-side URL/IP Address Nmap M1
Identify default credentials on Backend server (e.g. Tomcat
Web Browser M1
Application server using tomcat/tomcat, admin/tomcat)
Identify webservices help pages (*.asmx) which show methods
Web Browser M1
and structure
Identify webserver configuration (e.g. Error handling, HTTP
Web Browser, Burpsuite M1
response banner)
Check input validation on API/Webservices Burpsuite M1
Identify Missing Function Level Access Control, Negative value
Burpsuite M5
testing
Ensure that all session invalidation events are executed on the
Burpsuite M9
server side and not just on the mobile app
Mobile app must have adequate timeout protection on the
Burpsuite M9
backend components
Ensure that reset cookies is properly implemented during
authentication state changes Burpsuite M9
(Anonymous<->User, User A<->User B, Timeout)
They should be standard algorithm, sufficiently long, complex, and
pseudo-random so as to be resistant to guessing/anticipation Burpsuite M9
attacks.
Applicable
Result
Platform
All Issue
All Issue
Android Issue

Android Issue

Android Issue
Android Issue
Android Issue
All Issue
All Issue

All Issue

All Issue
All Issue
iOS Issue

iOS Issue

All Issue

All Issue

All Issue

All Issue

All Issue

Android Issue
All Issue
All Issue

Android Issue

iOS Issue

All Issue

All Issue
Applicable
Result
Platform
All Issue
All Issue
All Issue

All Issue

All Issue

Applicable
Result
Platform
All Issue
All Issue

All Issue

All Issue
All Issue
All Issue

All Issue

All Issue

All Issue

All Issue