| Client Side – Static and Dynamic analysis | Test Name | Description | Tool | OWASP | Applicable Platform | Result |
| Reverse Engineering the Application Code | Disassembling and Decompiling the application, Obfuscation checking | apktool, dex2jar, Clutch, Classdump | M10 | All | Issue | |
| Hard-coded credentials on sourcecode | Identify sensitive information on sourecode | string, jdgui, IDA, Hopper | M2 | All | Issue | |
| Insecure version of Android OS Installation Allowed | Identify “minSdkVersion” on apktool.yml, the value be set over than 17 | apktool Androidmanifest.xml |
M5 | Android | Issue | |
| Cryptographic Based Storage Strength | Identify insecure/deprecated cryptographic algorithms (RC4, MD5, SHA1) on sourcecode | jdgui, YSO, Qark, AndroBugs | M6 | Android | Issue | |
| Poor key management process | Identify hardcoded key in application or Keys may be intercepted via Binary attacks | jdgui, YSO, Qark, AndroBugs | M6 | Android | Issue | |
| Use of custom encryption protocols | Identify implementing their own protocol | jdgui, YSO, Qark, AndroBugs | M6 | Android | Issue | |
| Unrestricted Backup file | Check “android:allowBackup” attribute which should be set to “false” | apktool Androidmanifest.xml |
M2 | Android | Issue | |
| Unencrypted Database files | Check encryption on database files | adb, idb, iFunbox | M2 | All | Issue | |
| Insecure Shared Storage | Identify Sensitive Data on Shared Storage, SD card storage encryption, Shared preferences MODE_WORLD_READABLE | adb, keychaindumper | M2 | All | Issue | |
| Insecure Application Data Storage | Identify Sensitive Data in application files (application log, Cache file, Cookie) | adb, idb, iFunbox,BinaryCookieReader | M2 | All | Issue | |
| Information Disclosure through Logcat/Apple System Log (ASL) | Identify sensitive information through application log | CatLog, idb, Snoop-it | M4 | All | Issue | |
| Application Backgrounding (Screenshot) | Identify application snapshot/screenshot backgrounding | adb, iFunbox | M4 | All | Issue | |
| URL Caching (HTTP Request and Response) on cache.db | Identify HTTP caching which is stored in Cache.db | idb, iFunbox | M4 | iOS | Issue | |
| Keyboard Press Caching | Identify keyboard cache file located in: /var/mobile/Library/Keyboard | idb, iFunbox | M4 | iOS | Issue | |
| Copy/Paste Buffer Caching | Identify disabling Copy/Paste function for sensitive part of the application on EditText/UITextField | idb, iFunbox | M4 | All | Issue | |
| Remember Credentials Functionality (Persistent authentication) | Identify user’s password or sessions on the device | idb, iFunbox | M5 | All | Issue | |
| Client Side Based Authentication Flaws | Perform binary attacks against the mobile app in order to bypass offline authentication | adb, Drozer, Cycript, Snoop-it, Burpsuite | M5 | All | Issue | |
| Client Side Authorization Breaches | Perform binary attacks against the mobile app and try to execute privileged functionality that should only be executable with a user of higher privilege | adb, Drozer, Cycript, Snoop-it, Burpsuite | M5 | All | Issue | |
| Insufficient WebView hardening (XSS) | Identify misconfiguration on “android.webkit.WebSettings” (Javascript/File access/Plugins), XSS through UIWebview |
jdgui, Burpsuite | M7 | All | Issue | |
| Content Providers: SQL Injection and Local File Inclusion | Identify SQLi and LFI on Content provider component | Drozer | M7 | Android | Issue | |
| Injection (SQLite Injection, XML Injection) | Identify SQLi and XMLi on application | adb, iFunbox, Burpsuite | M7 | All | Issue | |
| Local File Inclusion through NSFileManager or Webviews | Check LFI on application(../ , ../../blah\0) Webviews FileAccess attack through setAllowFileAccess | iDevice, Drozer | M7 | All | Issue | |
| Abusing Android Components through IPC intents (“exported” and “intent-filter”) | Identify android exported components | apktool Androidmanifest.xml |
M8 | Android | Issue | |
| Abusing URL schemes | For iOS: Identify URL schemes through info.plist and Clutch+Strings to obtain URL scheme structures For Android: Identify URL schemes through source code or apk file |
iFunbox, Clutch, Strings | M8 | All | Issue | |
| Unauthorized Code Modification | Binary attack through run-time manipulation and code modification | apktool, Frida, cycript, snoop-it | M10 | All | Issue | |
| Debug the application behavior through runtime analysis | Identify “android:debuggable” attribute Using GDB/LLDB attach to application |
adb jdwp, jdb, GDB, LLDB | M10 | All | Issue | |
| Communication Channel | Test Name | Description | Tool | OWASP | Applicable Platform | Result |
| Insecure Transport Layer Protocols | Observe the device’s network traffic through a proxy that SSL is implemented or not | Burpsuite | M3 | All | Issue | |
| SSL/TLS Weak Encryption | Identify SSL/TLS Encryption Algorithms | testssl.sh, Qualys SSL Labs | M3 | All | Issue | |
| Disable certificate validation | Allow tester to intercept SSL traffic without Certificate installation (checkServerTrusted with nobody) | jdgui, YSO, Qark, AndroBugs | M3 | All | Issue | |
| Self-signed certificate | Application accepts a certificate from any trusted CA (Burpsuite). Check setAllowsAnyHTTPSCertificate(iOS) and AllowAllHostnameVerifier(Android) |
jdgui, YSO, Qark, AndroBugs | M3 | All | Issue | |
| Exposing Device Specific Identifiers in Attacker Visible Elements | Observe the device’s network traffic through a proxy that Device’s information (UDID) is sent during the transmission or not. | Burpsuite | M4 | All | Issue | |
| Server Side – Webservices and API | Test Name | Description | Tool | OWASP | Applicable Platform | Result |
| Excessive port opened at Firewall | Identify opened port at Server-side URL/IP Address | Nmap | M1 | All | Issue | |
| Default credentials on Application Server | Identify default credentials on Backend server (e.g. Tomcat Application server using tomcat/tomcat, admin/tomcat) | Web Browser | M1 | All | Issue | |
| Exposure of Webservices through WSDL document | Identify webservices help pages (*.asmx) which show methods and structure | Web Browser | M1 | All | Issue | |
| Security Misconfiguration on Webserver | Identify webserver configuration (e.g. Error handling, HTTP response banner) | Web Browser, Burpsuite | M1 | All | Issue | |
| Input validation on API | Check input validation on API/Webservices | Burpsuite | M1 | All | Issue | |
| Information Exposure through API response message | Identify sensitive information on API response message/header | Burpsuite | M1 | All | Issue | |
| Bypassing business logic flaws | Identify Missing Function Level Access Control, Negative value testing | Burpsuite | M5 | All | Issue | |
| Session invalidation on Backend | Ensure that all session invalidation events are executed on the server side and not just on the mobile app | Burpsuite | M9 | All | Issue | |
| Session Timeout Protection | Mobile app must have adequate timeout protection on the backend components | Burpsuite | M9 | All | Issue | |
| Cookie Rotation | Ensure that reset cookies is properly implemented during authentication state changes (Anonymous<->User, User A<->User B, Timeout) |
Burpsuite | M9 | All | Issue | |
| Token Creation | They should be standard algorithm, sufficiently long, complex, and pseudo-random so as to be resistant to guessing/anticipation attacks. | Burpsuite | M9 | All | Issue |
- How Machine Learning Enhances Cloud Security – A Comprehensive Guide
- The Role of Social Engineering in Penetration Testing
- A Beginner’s Guide to Digital Forensics and Cyber Investigations
- Blue Teaming – Tools and Strategies for Cyber Resilience
- Top 9 Best Practices for Securing Cloud Environments
- Top 10 Python Libraries for Visualizing Data
- Top 10 Emerging Threats in Cloud Security You Need To Know
- CTEM – A Strategic Approach to Mitigating Cyber Risks
- AI in Penetration Testing – Revolutionizing Security Assessments
- Protecting Your Organization from AI-Enhanced Social Engineering Attacks
