The Ultimate Mobile Application Security Audit & Penetration Testing (VAPT) Checklist
With ever-advancing mobile technology, mobile application security has become an important topic that every major enterprise must consider and understand. Corporations nowadays leverage mobile applications to distribute relevant, critical data to their workforce, partners, or customers. Creating an app for your services can go a long way in increasing your internet presence. But what if your mobile app is insecure? It can turn your efforts into a fiasco, to say the least. Therefore it is important to do a proper mobile app security audit before releasing it to the public. A careful mobile app security audit can go a long way in protecting your customers' data.
The checklist covers eight areas:
- Architecture, Design & Threat Modeling
- Data Storage and Privacy
- Cryptography
- Authentication & Session Management
- Network Communication
- Platform Interaction
- Code Quality & Build Settings
- Resiliency Against Reverse Engineering
This document guides mobile app developers and customers who run their business via mobile apps on how to attain the maximum level of protection for their mobile app framework and the sensitive data stored within, by conducting an effective security audit. A vulnerability assessment & penetration testing checklist for Android/iOS mobile apps ensures that you don't miss any crucial area of your app services and that they are configured correctly with the highest level of security.
Know more: getastra.com/mobile-app-vapt 1
Mobile Application Security Requirements - Android & iOS
# Detailed Verification Requirements for Architecture, Design & Threat Modeling
1 Check that all app components are identified and known to be needed. (Testing for insecure configuration of Instant Apps)
2 Check that security controls are never enforced only on the client side, but on the respective remote endpoints. (Implemented authentication verification)
3 Check that a high-level architecture for the mobile app and all connected remote services has been defined, and that security has been addressed in that architecture.
4 Make sure the data considered sensitive in the context of the mobile app is clearly identified.
5 Check that all app components are defined in terms of the business functions and/or security functions they provide. (Environmental information)
6 Check that a threat model for the mobile app and the associated remote services has been produced that identifies potential threats and countermeasures.
7 Check that all security controls have a centralized implementation.
8 Check that there is an explicit policy for how cryptographic keys (if any) are managed, and that the lifecycle of cryptographic keys is enforced.
9 Ensure a mechanism for enforcing updates of the mobile app exists. (Testing enforced updating)
10 Check that security is addressed within all parts of the software development lifecycle, with SAST, DAST and manual validation checkpoints between phases.
11 Check that a responsible disclosure policy is in place and effectively applied.
12 Make sure the app complies with privacy laws and regulations.
Mobile Application Security Requirements - Android & iOS 2
# Detailed Verification Requirements for Data Storage and Privacy
1 System credential storage facilities need to be used to store sensitive data, such as PII, user credentials or cryptographic keys. (Testing local sensitive data)
2 No sensitive data should be stored outside of the app container or system credential storage facilities.
3 Make sure no sensitive data is written to application logs.
4 Make sure no sensitive data is shared with third parties unless it is a necessary part of the architecture.
5 Make sure the keyboard cache is disabled on text inputs that process sensitive data.
6 Make sure no sensitive data is exposed via IPC mechanisms. (Determining whether sensitive stored data has been exposed via IPC)
7 No sensitive data, such as passwords or PINs, is exposed through the user interface. (Check for sensitive data exposure through the app UI)
8 Make sure no sensitive data is included in backups generated by the mobile operating system.
9 Make sure your app removes sensitive data from views when moved to the background.
10 Make sure the app does not hold sensitive data in memory longer than necessary, and that memory is cleared explicitly after use.
11 Make sure the app enforces a minimum device-access-security policy, such as requiring the user to set a device passcode.
12 Make sure no sensitive data is stored locally on the mobile device. Instead, data is retrieved from a remote endpoint when needed and only kept in memory.
13 If sensitive data still has to be stored locally, it should be encrypted using a key derived from hardware-backed storage that requires authentication.
14 Make sure the app's local storage is wiped after an excessive number of failed authentication attempts.
# Detailed Verification Requirements for Cryptography
1 Make sure the app does not rely on symmetric cryptography with hardcoded
keys as a sole method of encryption. (Testing Key Management)
2 Check if the app uses proven implementations of cryptographic primitives to
avoid common configuration issues.
3 Make sure the app uses cryptographic primitives that are appropriate for the
particular use-case, configured with parameters that adhere to industry best
practices.
4 Make sure the app does not use cryptographic protocols or algorithms that are
widely considered deprecated for security purposes.
5 Make sure the app doesn't re-use the same cryptographic key for multiple
purposes.
6 Make sure that all random values are generated using a sufficiently secure random number generator.
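As an added example that is not part of the original checklist, the following Python script (standard library only) is the kind of quick static check a tester runs over sources decompiled with JadX or a similar tool to find the crypto misuse the items above describe: hardcoded keys, ECB mode (including the bare "AES" transformation, which defaults to ECB), fixed IVs, deprecated algorithms and predictable randomness. The finding identifiers and the Java sample it scans are constructed for this example; a real scan runs over the decompiled tree and still needs manual review of each hit.

```python
"""Static crypto-misuse scan for decompiled Java/Kotlin sources (added example)."""
import re

# Rule table: (finding id, pattern, why it matters). The ids are this example's own naming.
RULES = [
    ("WEAK-ALGO",
     re.compile(r'getInstance\s*\(\s*"(?:DES|DESede|RC4|ARCFOUR|MD5|SHA-?1)(?:/[^"]*)?"'),
     "algorithm is deprecated for security use (checklist item 4)"),
    ("ECB-MODE",
     re.compile(r'Cipher\.getInstance\s*\(\s*"(?:AES|DES|DESede)(?:/ECB/[^"]*)?"\s*\)'),
     "ECB mode, also the default when no mode is given, leaks plaintext structure (item 3)"),
    ("STATIC-IV",
     re.compile(r'IvParameterSpec\s*\(\s*(?:new\s+byte\s*\[\s*\d+\s*\]|"[^"]*"\s*\.getBytes)'),
     "fixed or all-zero IV; CBC and GCM need a fresh random IV per message (item 3)"),
    ("WEAK-RNG",
     re.compile(r'\bnew\s+(?:java\.util\.)?Random\s*\(|\bMath\.random\s*\('),
     "java.util.Random is predictable; use SecureRandom (item 6)"),
]
REASONS = {fid: why for fid, _rx, why in RULES}
REASONS["HARDCODED-KEY"] = "key material is a compile-time constant, recoverable from the APK (item 1)"

# A string literal, or a static final String constant, fed into SecretKeySpec is a hardcoded key.
CONST_RE = re.compile(r'static\s+final\s+String\s+(\w+)\s*=\s*"[^"]*"')
KEYSPEC_RE = re.compile(r'SecretKeySpec\s*\(\s*(?:"[^"]*"|(\w+))\s*\.getBytes')
BYTEKEY_RE = re.compile(r'SecretKeySpec\s*\(\s*new\s+byte\s*\[\s*\]\s*\{')


def scan_source(text):
    """Return (line number, finding id, source line) for every rule hit, in file order."""
    constants = set(CONST_RE.findall(text))
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for fid, rx, _why in RULES:
            if rx.search(line):
                findings.append((no, fid, line.strip()))
        m = KEYSPEC_RE.search(line)
        if (m and (m.group(1) is None or m.group(1) in constants)) or BYTEKEY_RE.search(line):
            findings.append((no, "HARDCODED-KEY", line.strip()))
    return findings


# Constructed sample, not taken from any real app: four weak methods and one sound one.
SAMPLE_SOURCE = """\
package com.example.vault;
public class Vault {
    private static final String KEY = "0123456789abcdef";
    public byte[] encrypt(byte[] data) throws Exception {
        SecretKeySpec key = new SecretKeySpec(KEY.getBytes(), "AES");
        Cipher c = Cipher.getInstance("AES");
        c.init(Cipher.ENCRYPT_MODE, key);
        return c.doFinal(data);
    }
    public byte[] encryptCbc(byte[] data, SecretKey key) throws Exception {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(new byte[16]));
        return c.doFinal(data);
    }
    public String hash(String s) throws Exception {
        return toHex(MessageDigest.getInstance("MD5").digest(s.getBytes()));
    }
    public String nonce() { return Long.toString(new Random().nextLong()); }
    public byte[] encryptGcm(byte[] data, SecretKey key) throws Exception {
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        return c.doFinal(data);
    }
}
"""

if __name__ == "__main__":
    for no, fid, line in scan_source(SAMPLE_SOURCE):
        print("line %d %-14s %s\n    %s" % (no, fid, REASONS[fid], line))
```

The last method in the sample (AES-GCM with a fresh 96-bit IV from SecureRandom and a key passed in rather than embedded) produces no finding and is the shape the checklist asks for; a key that is passed in but ultimately derived from a constant elsewhere still needs the manual key-management review of item 1.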
# Detailed Verification Requirements for Authentication & Session Management
1 Make sure that, if the app provides users access to a remote service, some form of authentication, such as username/password authentication, is performed at the remote endpoint.
2 Check that, if stateful session management is used, the remote endpoint uses randomly generated session identifiers to authenticate client requests without sending the user's credentials.
3 Check that, if stateless token-based authentication is used, the server provides a token that has been signed using a secure algorithm.
4 Make sure the remote endpoint terminates the existing session when the user logs out.
5 Make sure a password policy exists and is enforced at the remote endpoint.
6 Make sure the remote endpoint implements a mechanism to protect against the submission of credentials an excessive number of times.
7 Make sure sessions are invalidated at the remote endpoint after a predefined period of inactivity and that access tokens expire. (Session timeout)
8 Check that biometric authentication, if any, is not event-bound (i.e. using an API that simply returns "true" or "false"). Instead, it is based on unlocking the keychain/keystore.
9 Make sure a second factor of authentication exists at the remote endpoint and that the 2FA requirement is consistently enforced.
10 Make sure sensitive transactions require step-up authentication.
11 Make sure the app informs the user of all sensitive activities with their account. Users are able to view a list of devices, view contextual information (IP address, location, etc.), and block specific devices.
12 Make sure authorization models are defined and enforced at the remote endpoint.
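As an added example that is not part of the original checklist, the following Python (standard library only) shows what the signed-token and token-expiry items above demand of the remote endpoint: the server pins the algorithm instead of trusting the token header, compares the HMAC in constant time, and refuses anything without a valid expiry. The secret, subject and timestamps are constructed values, and the two attacker helpers (alg=none forgery and claim tampering) exist only to show what the verifier has to stop.

```python
"""Server-side verification of a stateless HS256 session token (added example, stdlib only)."""
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret; a real server loads this from its secret store, never from the app.
SECRET = b"constructed-demo-secret-do-not-ship"


class TokenError(Exception):
    """Raised for any reason a token must be refused; callers treat every case the same."""


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj):
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())


def issue_token(secret, subject, ttl_seconds, now=None):
    """Mint a token carrying the subject, issue time and a hard expiry (checklist item 7)."""
    now = int(time.time()) if now is None else now
    signing_input = _segment({"alg": "HS256", "typ": "JWT"}) + "." + _segment(
        {"sub": subject, "iat": now, "exp": now + ttl_seconds})
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(secret, token, now=None):
    """Return the claims if, and only if, the token is ours, intact and unexpired."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        sig = _b64url_decode(sig_b64)
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:
        raise TokenError("undecodable token")
    # The server decides the algorithm; a header saying "none" (or anything else) is refused.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(secret, (header_b64 + "." + payload_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time; length mismatch is just False
        raise TokenError("bad signature")
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise TokenError("expired or missing exp")
    return claims


def forge_alg_none(token, **new_claims):
    """Attacker's move: keep the claims, edit them, drop the signature and declare alg=none."""
    _, payload_b64, _ = token.split(".")
    claims = json.loads(_b64url_decode(payload_b64))
    claims.update(new_claims)
    return _segment({"alg": "none", "typ": "JWT"}) + "." + _segment(claims) + "."


def tamper_claims(token, **new_claims):
    """Attacker's move: rewrite the claims but keep the original signature."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(payload_b64))
    claims.update(new_claims)
    return header_b64 + "." + _segment(claims) + "." + sig_b64


def is_rejected(secret, token, now=None):
    """True when verify_token refuses the token (convenience for checks and tests)."""
    try:
        verify_token(secret, token, now)
    except TokenError:
        return True
    return False


# Constructed fixture: a 15-minute token for "alice" minted at a fixed clock value.
DEMO_NOW = 1_700_000_000
DEMO_TOKEN = issue_token(SECRET, "alice", 900, now=DEMO_NOW)

if __name__ == "__main__":
    print("valid:", verify_token(SECRET, DEMO_TOKEN, now=DEMO_NOW + 60))
    print("expired rejected:", is_rejected(SECRET, DEMO_TOKEN, now=DEMO_NOW + 900))
    print("alg=none rejected:", is_rejected(SECRET, forge_alg_none(DEMO_TOKEN, sub="admin")))
    print("tampered rejected:", is_rejected(SECRET, tamper_claims(DEMO_TOKEN, sub="admin")))
```

During a test, the two forgery helpers are exactly what you replay against the real endpoint: if either token is accepted, item 3 fails regardless of how the token was originally signed.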
# Detailed Verification Requirements for Network Communication
1 Check that data is encrypted on the network using TLS and that the secure channel is used consistently throughout the app.
2 Make sure the TLS settings are in line with current best practices, or as close as
possible if the mobile operating system does not support the recommended
standards.
3 Make sure the app verifies the X.509 certificate of the remote endpoint when
the secure channel is established. Only certificates signed by a trusted CA are
accepted.
4 Make sure the app either uses its own certificate store, or pins the endpoint
certificate or public key, and subsequently does not establish connections with
endpoints that offer a different certificate or key, even if signed by a trusted CA.
5 Make sure the app doesn't rely on a single insecure communication channel
(email or SMS) for critical operations, such as enrollments and account
recovery.
6 Make sure that the app only depends on up-to-date connectivity and security
libraries.
# Detailed Verification Requirements for Platform Interaction
1 Make sure the app only requests the minimum set of permissions necessary. (Fragment injection is a separate Android check: an exported PreferenceActivity subclass must validate the fragment class name in isValidFragment(), otherwise intent extras can load arbitrary fragments.)
2 Make sure the app does not export sensitive functionality via custom URL
schemes, unless these mechanisms are properly protected.
3 Make sure JavaScript is disabled in WebViews unless explicitly required.
4 Check if the app does not export sensitive functionality through IPC facilities,
unless these mechanisms are properly protected.
5 If native methods of the app are exposed to a WebView, verify that the
WebView only renders JavaScript contained within the app package.
6 Make sure the object deserialization, if any, is implemented using safe
serialization APIs.
7 Make sure the app protects itself against screen overlay attacks. (Android only)
8 A WebView's cache, storage, and loaded resources (JavaScript, etc.) should be
cleared before the WebView is destroyed.
9 Make sure all the inputs from external sources and the user are validated and if
necessary sanitized. This includes data received via the UI, IPC mechanisms
such as intents, custom URLs, and network sources.
10 Check if the WebViews are configured to allow only the minimum set of
protocol handlers required (ideally, only https is supported). Potentially
dangerous handlers, such as file, tel and app-id, are disabled.
11 Verify that the app prevents usage of custom third-party keyboards
whenever sensitive data is entered.
# Detailed Verification Requirements for Code Quality & Build Settings
1 Make sure the app is signed and provisioned with a valid certificate, of
which the private key is properly protected.
2 Check if the app has been built in release mode, with settings appropriate for a
release build (e.g. non-debuggable).
3 Make sure the debugging symbols are removed from native binaries.
4 Check if the debugging code and developer assistance code (e.g. test code,
backdoors, hidden settings) are removed. The app does not log verbose errors
or debugging messages.
5 Check that all third-party components used by the mobile app, such as libraries and frameworks, are identified and checked for known vulnerabilities.
6 Check that the app catches and handles possible exceptions.
7 Check that the error handling logic in security controls denies access by default.
8 Make sure that in unmanaged code, memory is allocated, freed and used securely.
9 Make sure that free security features offered by the toolchain, such as byte-code minification, stack protection, PIE support and automatic reference counting, are activated.
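As an added example that is not part of the original checklist, the following Python script (standard library only) audits a decoded AndroidManifest.xml for several items that span the sections above: IPC components exported without a permission (Platform Interaction), inclusion of app data in OS backups (Data Storage), cleartext traffic (Network Communication) and a debuggable, non-release build (Code Quality). Both manifests it reads are constructed samples; on a real engagement you feed it the manifest from the apktool output directory. The exported-by-intent-filter heuristic is an assumption that matches the pre-Android 12 default and is noted in the code.

```python
"""Audit a decoded AndroidManifest.xml for checklist items (added example, stdlib only)."""
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")
# Permissions that need a written justification in the report (subset of the "dangerous" group).
SENSITIVE_PERMS = {
    "android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS", "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG", "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO", "android.permission.CAMERA",
}


def _is_exported(comp):
    explicit = comp.get(ANDROID + "exported")
    if explicit is not None:
        return explicit == "true"
    # Assumption: with no explicit flag, a component that declares an intent-filter is reachable
    # from other apps (the pre-Android 12 default; targetSdk 31+ makes the flag mandatory).
    return comp.find("intent-filter") is not None


def _is_launcher(comp):
    return any(a.get(ANDROID + "name") == "android.intent.action.MAIN" for a in comp.iter("action"))


def audit_manifest(xml_text):
    """Return (check id, detail) pairs; an empty list means every check here passed."""
    root = ET.fromstring(xml_text)
    findings = []
    app = root.find("application")
    if app is not None:
        if app.get(ANDROID + "debuggable") == "true":
            findings.append(("DEBUGGABLE", "application is debuggable; not a release build"))
        if app.get(ANDROID + "allowBackup", "true") != "false":
            findings.append(("BACKUP", "allowBackup is not false; app data lands in adb/cloud backups"))
        if app.get(ANDROID + "usesCleartextTraffic") == "true":
            findings.append(("CLEARTEXT", "cleartext HTTP is explicitly permitted"))
        for tag in COMPONENT_TAGS:
            for comp in app.findall(tag):
                if (_is_exported(comp) and not _is_launcher(comp)
                        and comp.get(ANDROID + "permission") is None):
                    findings.append(("EXPORTED", "%s %s is exported without a permission"
                                     % (tag, comp.get(ANDROID + "name"))))
    for perm in root.findall("uses-permission"):
        name = perm.get(ANDROID + "name")
        if name in SENSITIVE_PERMS:
            findings.append(("PERMISSION", "%s requested; confirm it is necessary" % name))
    return findings


# Constructed sample manifests (not from any real app): a weak one and its hardened form.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.vault">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <application android:label="Vault" android:debuggable="true" android:usesCleartextTraffic="true">
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <activity android:name=".DeepLinkActivity">
            <intent-filter>
                <action android:name="android.intent.action.VIEW"/>
                <data android:scheme="vault"/>
            </intent-filter>
        </activity>
        <service android:name=".SyncService" android:exported="true"
                 android:permission="com.example.vault.SYNC"/>
        <provider android:name=".NotesProvider" android:authorities="com.example.vault.notes"
                  android:exported="true"/>
    </application>
</manifest>
"""

HARDENED_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.vault">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Vault" android:allowBackup="false">
        <activity android:name=".MainActivity" android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <provider android:name=".NotesProvider" android:authorities="com.example.vault.notes"
                  android:exported="false"/>
    </application>
</manifest>
"""

if __name__ == "__main__":
    for check, detail in audit_manifest(SAMPLE_MANIFEST):
        print("%-10s %s" % (check, detail))
    print("hardened manifest findings:", audit_manifest(HARDENED_MANIFEST))
```

The launcher activity is skipped on purpose (it must be exported), and a deep-link activity flagged as EXPORTED is not automatically a bug: it becomes one when the handler trusts the incoming URI without the input validation the Platform Interaction section asks for, which is what the Drozer or adb follow-up test establishes.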
Android App Penetration Tests & Attacks Checklist
Information Gathering
Reverse Engineering the Application Code
Testing for Common Libraries and Fingerprinting
Enumeration of Application Known Controllers
Information Disclosure by Logcat
Application Local Storage Flaws
Hidden Secrets in the Code
Cryptographic Based Storage Strength
Content Providers Access Permissions
Content Providers SQL Injection
Privacy and Metadata Leaks
Storing Sensitive Data on Shared Storage (exposed to all applications without any restrictions)
Privacy Breaches
Exposing Device Specific Identifiers in Attacker Visible Elements
Exposure of Private User Data to Attacker Visible Components
Tracking Application Installations in Insecure Means
Android / iOS App Penetration Tests & Attacks Checklist 8
IPC Security
User Proprietary Data in Logcat
Technically Valuable Data in Logcat
Exposed Components and Cross Application Authorization
Permissions & Digital Signature Data Sharing Issues
Clipboard Separation
Public Intents and Unauthenticated Data Sources
Public Intents and Authorization Flaws
Code Puzzling and Abusing Application State
Race Conditions, Deadlocks and Concurrency Threats
In-Device Denial of Service Attacks
UI Security
Tap Jacking
Client Side based Authorization Decisions
Business Logic Testing
Bypassing Business Logic
Android SandBox Security
Shared User Resources & Excessive Permissions
Disclosure of Privileged Data to Public Resources
Execution of Untrusted Code
WebView Security
Exposing External Java Interfaces in WebViews DOM
JavaScript Execution Risks at WebViews
Code Signing
Loading Dynamic DEX onto Dalvik
Abusing Dynamic Code Execution Decisions
Stack Based Buffer Overflows
Heap Based Buffer Overflows
Object Lifetime Vulnerabilities (Use-after-free, double frees)
Format Strings Vulnerabilities
NDK Exposed Code Secrets
Integer Overflows
Integer Underflows
Transport Layer Security
Insecure Transport Layer Protocols
TLS Authenticity Flaws
TLS Weak Encryption
Bypassing TLS Certificate Pinning
TLS Known Issues – CRIME, BREACH, BEAST, Lucky13, RC4, etc.
Disabled Certificate Validation
Authentication Flaws
Using Insecure Authentication Vectors (IMEI, MAC, etc.)
Cross Application Authentication
Local Authentication Bypass Threats
Client Side Based Authentication Flaws
Client Side Authorization Breaches
iOS App Penetration Tests & Attacks Checklist
Information Gathering
Testing for Common Libraries and Fingerprinting
Enumeration of Application Known Controllers
Information Disclosure by Apple System Log (ASL)
Privacy Breaches
Exposing Device Specific Identifiers in Attacker Visible Elements
Exposure of Private User Data to Attacker Visible Components
Tracking Application Installations in Insecure Means
Application Local Storage Flaws
Hidden Secrets in the Code
Storing Sensitive Data on Shared Storage
Storing Sensitive Data in application Cache files
Cryptographic Based Storage Strength
Privacy and Metadata Leaks
IPC Security
User Proprietary Data in ASL
Technically Valuable Data in ASL
Exposed Components and Cross Application Authorization
Permissions & Digital Signature Data Sharing Issues
Clipboard Separation
Code Puzzling and Abusing Application State
Race Conditions, Deadlocks and Concurrency Threats
In-Device Denial of Service Attacks
UI Security
Tap Jacking
Client Side based Authorization Decisions
Business Logic Testing
Bypassing business logic
Bypassing controllers hierarchy
Execution of Untrusted Code
WebView Security
Exposing Native Bridges (JavaScript message handlers) to the WebView DOM
JavaScript Execution Risks at WebViews
Code Signing
Abusing Dynamic Code Execution Decisions
Stack Based Buffer Overflows
Heap Based Buffer Overflows
Object Lifetime Vulnerabilities (Use-after-free, double frees)
Format Strings Vulnerabilities
Integer Overflows
Integer Underflows
Authentication Flaws
Using Insecure Authentication Vectors (IMEI, MAC, etc.)
Cross Application Authentication
Local Authentication Bypass Threats
Client Side Based Authentication Flaws
Client Side Authorization Breaches
Transport Layer Security
Insecure Transport Layer Protocols
TLS Authenticity Flaws
TLS Weak Encryption
Bypassing TLS Certificate Pinning
TLS Known Issues – CRIME, BREACH, BEAST, Lucky13, RC4, etc.
Disabled Certificate Validation
Application Sandbox Security
Shared User Resources
Excessive Permissions
Disclosure of Privileged Data to Public Resources
Keychain Resources
Misuse of keychain storage
Developer Group Keychain usage
Mobile App Penetration Testing Tools
For Android App Pen-testing

Reverse Engineering and Static Analysis
1. APK Tool
2. Bytecode Viewer
3. JadX
4. APK Studio
5. Qark
6. AndroBugs
7. Android Backup Extractor

Dynamic and Runtime Analysis
1. Cydia Substrate
2. Xposed framework
3. Inspeckage
4. Frida
5. Fridump
6. AndBug
7. Drozer

Network Analysis and Server Side Testing
1. Tcpdump
2. Wireshark
3. Canape
4. Mallory
5. Burp Suite
6. OWASP ZAP
7. ProxyDroid

Bypassing Root Detection and SSL Pinning
1. Magisk
2. Xposed Module: Just Trust Me
3. Xposed Module: SSLUnpinning
4. Cydia Substrate Modules
5. Android-ssl-bypass
6. Frida CodeShare

Security Libraries
1. PublicKey Pinning
2. Android Pinning
3. ProGuard
4. SQLCipher
5. RootBeer
6. Secure Preferences
7. Trusted Intents
Mobile App Penetration Testing Tools 15
For iOS App Pen-testing

Access Filesystem on iDevice
1. FileZilla
2. Cyberduck
3. iTunnel
4. iProxy
5. iFunbox

Reverse Engineering and Static Analysis
1. otool
2. Clutch
3. Fridpa
4. Frida-iOS-Dump
5. bagbak
6. HopperApp
7. XReSign

Dynamic and Runtime Analysis
1. Cycript
2. iNalyzer
3. Passionfruit
4. Introspy-iOS
5. keychaindumper
6. BinaryCookieReader
7. Apple Configurator 2

Network Analysis and Server Side Testing
1. Canape
2. Mallory
3. Burp Suite
4. OWASP ZAP
5. Charles Proxy

Bypassing Jailbreak Detection and SSL Pinning
1. SSL Kill Switch 2
2. iOS TrustMe
3. tsProtector
4. JailProtect
5. Shadow
6. Frida CodeShare

Security Libraries
1. PublicKey Pinning
2. SwiftShield
3. IOSSecuritySuite
4. OWASP iMAS
Looking for a professional Security Audit & VAPT for your Android / iOS App? Astra Security can help.

Security audits are based on industry-leading practices such as OWASP, OSSTMM, WASC, CREST, NIST etc.

Astra Security's vulnerability management dashboard comes with a bird's-eye view for management, keeping you always on top of the security assessment status.

Video PoCs, Selenium scripts and collaboration with the security team enable your developers to fix the vulnerabilities in record time. With Astra Security, VAPT takes 40% less time than with other solutions.

Contact us to get a free demo or schedule a call:
- hello@getastra.com
- www.getastra.com
- fb.com/getAstra
- @getastra
- linkedin.com/company/getastra
References:
1. https://github.com/tanprathan/MobileApp-Pentest-Cheatsheet