Penetration testing checklist based on OWASP Top 10 Mobile

Source: Internet | Published: Weibo user data | Editor: 程序博客网 | Time: 2024/06/06 03:39

0x01 Client Side - Static and Dynamic analysis

| Test Name | Description | Tool | OWASP | Applicable Platform | Result |
|---|---|---|---|---|---|
| Reverse Engineering the Application Code | Disassemble and decompile the application; check for obfuscation | apktool, dex2jar, Clutch, Classdump | M10 | All | Issue |
| Hard-coded credentials in source code | Identify sensitive information in the source code | strings, jdgui, IDA, Hopper | M2 | All | Issue |
| Insecure version of Android OS installation allowed | Identify "minSdkVersion" in apktool.yml; the value should be set above 17 | apktool, AndroidManifest.xml | M5 | Android | Issue |
| Cryptographic-based storage strength | Identify insecure/deprecated cryptographic algorithms (RC4, MD5, SHA1) in the source code | jdgui, YSO, Qark, AndroBugs | M6 | Android | Issue |
| Poor key management process | Identify hard-coded keys in the application, or keys that may be intercepted via binary attacks | jdgui, YSO, Qark, AndroBugs | M6 | Android | Issue |
| Use of custom encryption protocols | Identify applications implementing their own protocol | jdgui, YSO, Qark, AndroBugs | M6 | Android | Issue |
| Unrestricted backup file | Check the "android:allowBackup" attribute, which should be set to "false" | apktool, AndroidManifest.xml | M2 | Android | Issue |
| Unencrypted database files | Check encryption of database files | adb, idb, iFunbox | M2 | All | Issue |
| Insecure shared storage | Identify sensitive data in shared storage, SD card storage encryption, shared preferences with MODE_WORLD_READABLE | adb, keychaindumper | M2 | All | Issue |
| Insecure application data storage | Identify sensitive data in application files (application log, cache file, cookies) | adb, idb, iFunbox, BinaryCookieReader | M2 | All | Issue |
| Information disclosure through Logcat/Apple System Log (ASL) | Identify sensitive information in the application log | CatLog, idb, Snoop-it | M4 | All | Issue |
| Application backgrounding (screenshot) | Identify the application snapshot/screenshot taken on backgrounding | adb, iFunbox | M4 | All | Issue |
| URL caching (HTTP request and response) in Cache.db | Identify HTTP caching stored in Cache.db | idb, iFunbox | M4 | iOS | Issue |
| Keyboard press caching | Identify the keyboard cache file located in /var/mobile/Library/Keyboard | idb, iFunbox | M4 | iOS | Issue |
| Copy/paste buffer caching | Check whether copy/paste is disabled for sensitive parts of the application (EditText/UITextField) | idb, iFunbox | M4 | All | Issue |
| Remember credentials functionality (persistent authentication) | Identify the user's password or sessions stored on the device | idb, iFunbox | M5 | All | Issue |
| Client-side authentication flaws | Perform binary attacks against the mobile app in order to bypass offline authentication | adb, Drozer, Cycript, Snoop-it, Burpsuite | M5 | All | Issue |
| Client-side authorization breaches | Perform binary attacks against the mobile app and try to execute privileged functionality that should only be executable by a user of higher privilege | adb, Drozer, Cycript, Snoop-it, Burpsuite | M5 | All | Issue |
| Insufficient WebView hardening (XSS) | Identify misconfiguration of "android.webkit.WebSettings" (JavaScript/file access/plugins); XSS through UIWebView | jdgui, Burpsuite | M7 | All | Issue |
| Content providers: SQL injection and local file inclusion | Identify SQLi and LFI in content provider components | Drozer | M7 | Android | Issue |
| Injection (SQLite injection, XML injection) | Identify SQLi and XMLi in the application | adb, iFunbox, Burpsuite | M7 | All | Issue |
| Local file inclusion through NSFileManager or WebViews | Check for LFI in the application (../ , ../../blah\0); WebView file access attack through setAllowFileAccess | iDevice, Drozer | M7 | All | Issue |
| Abusing Android components through IPC intents ("exported" and "intent-filter") | Identify exported Android components | apktool, AndroidManifest.xml | M8 | Android | Issue |
| Abusing iOS URL schemes | Identify URL schemes through Info.plist, and Clutch+strings to obtain URL scheme structures | iFunbox, Clutch, strings | M8 | iOS | Issue |
| Unauthorized code modification | Binary attack through run-time manipulation and code modification | apktool, Frida, Cycript, Snoop-it | M10 | All | Issue |
| Debug the application behaviour through runtime analysis | Identify the "android:debuggable" attribute; attach to the application using GDB/LLDB | adb jdwp, jdb, GDB, LLDB | M10 | All | Issue |
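Several rows in the table above are static checks on the manifest (minSdkVersion, android:allowBackup, android:debuggable, exported components) that can be scripted once apktool has decoded the APK. The following is an added example and is not part of the original post or of any tool it names; the manifest it parses is constructed for illustration, the threshold of 17 follows the table's own minSdkVersion row, and the exported-component check goes beyond the row by applying the platform's default-export rules (a component with an intent-filter is exported unless android:exported is set; providers default to exported when minSdkVersion or targetSdkVersion is 16 or lower) rather than only looking for android:exported="true".

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest (not from any real app) with the typical findings:
# minSdkVersion below the threshold, backup and debugging left enabled,
# an exported provider, and one service that is correctly not exported.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.checklist">
  <uses-sdk android:minSdkVersion="15" android:targetSdkVersion="28"/>
  <application android:allowBackup="true" android:debuggable="true">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".DeepLinkActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <data android:scheme="myapp"/>
      </intent-filter>
    </activity>
    <provider android:name=".DataProvider"
        android:authorities="com.example.checklist.provider"
        android:exported="true"/>
    <service android:name=".SyncService" android:exported="false"/>
  </application>
</manifest>
"""

# The same manifest after remediation (constructed): minSdkVersion raised,
# backup disabled, debuggable removed, provider no longer exported.
HARDENED_MANIFEST = (
    SAMPLE_MANIFEST
    .replace('android:minSdkVersion="15"', 'android:minSdkVersion="21"')
    .replace('android:allowBackup="true" android:debuggable="true"',
             'android:allowBackup="false"')
    .replace('android:exported="true"/>', 'android:exported="false"/>')
)

COMPONENTS = ("activity", "service", "receiver", "provider")


def attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def sdk_level(sdk_elem, name):
    value = attr(sdk_elem, name) if sdk_elem is not None else None
    return int(value) if value is not None else None


def audit_manifest(xml_text, min_sdk_threshold=17):
    """Return a list of (check, detail) findings for a decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    findings = []

    sdk = root.find("uses-sdk")
    min_sdk = sdk_level(sdk, "minSdkVersion")
    target_sdk = sdk_level(sdk, "targetSdkVersion")
    if min_sdk is None or min_sdk < min_sdk_threshold:
        findings.append(("minSdkVersion",
                         f"minSdkVersion={min_sdk}, below threshold {min_sdk_threshold}"))

    app = root.find("application")
    if attr(app, "allowBackup") != "false":
        findings.append(("allowBackup", "android:allowBackup is not explicitly false"))
    if attr(app, "debuggable") == "true":
        findings.append(("debuggable", "android:debuggable=true in a release manifest"))

    for comp in app:
        if comp.tag not in COMPONENTS:
            continue
        explicit = attr(comp, "exported")
        if explicit is not None:
            exported = explicit == "true"
        elif comp.find("intent-filter") is not None:
            exported = True  # implicit export via intent-filter
        elif comp.tag == "provider":
            # Providers were exported by default on API 16 and below.
            exported = any(v is not None and v <= 16 for v in (min_sdk, target_sdk))
        else:
            exported = False
        if exported:
            findings.append(("exported",
                             f"{comp.tag} {attr(comp, 'name')} is reachable by other apps"))
    return findings


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_MANIFEST), ("hardened", HARDENED_MANIFEST)):
        print(f"== {label} ==")
        for check, detail in audit_manifest(text):
            print(f"[{check}] {detail}")
```

Every exported component is reported, including the launcher activity, because the table's row asks for the full list; deciding which of them are intended entry points and which need testing with Drozer is the reviewer's job. Running the script on the hardened manifest leaves only the two activities that legitimately carry intent-filters.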

0x02 Communication Channel

| Test Name | Description | Tool | OWASP | Applicable Platform | Result |
|---|---|---|---|---|---|
| Insecure transport layer protocols | Observe the device's network traffic through a proxy to determine whether SSL is implemented or not | Burpsuite | M3 | All | Issue |
| SSL/TLS weak encryption | Identify the SSL/TLS encryption algorithms in use | testssl.sh, Qualys SSL Labs | M3 | All | Issue |
| Disabled certificate validation | Allows the tester to intercept SSL traffic without installing a certificate (checkServerTrusted with an empty body) | jdgui, YSO, Qark, AndroBugs | M3 | All | Issue |
| Self-signed certificate | The application accepts a certificate from any trusted CA (Burpsuite). Check setAllowsAnyHTTPSCertificate (iOS) and AllowAllHostnameVerifier (Android) | jdgui, YSO, Qark, AndroBugs | M3 | All | Issue |
| Exposing device-specific identifiers in attacker-visible elements | Observe the device's network traffic through a proxy to determine whether device information (UDID) is sent during transmission | Burpsuite | M4 | All | Issue |

0x03 Server Side - Webservices and API

| Test Name | Description | Tool | OWASP | Applicable Platform | Result |
|---|---|---|---|---|---|
| Excessive ports opened at the firewall | Identify open ports at the server-side URL/IP address | Nmap | M1 | All | Issue |
| Default credentials on the application server | Identify default credentials on the backend server (e.g. Tomcat application server using tomcat/tomcat, admin/tomcat) | Web browser | M1 | All | Issue |
| Exposure of web services through the WSDL document | Identify web service help pages (*.asmx) which show methods and structure | Web browser | M1 | All | Issue |
| Security misconfiguration on the web server | Identify web server configuration (e.g. error handling, HTTP response banner) | Web browser, Burpsuite | M1 | All | Issue |
| Input validation on the API | Check input validation on the API/web services | Burpsuite | M1 | All | Issue |
| Bypassing business logic flaws | Identify missing function-level access control; negative value testing | Burpsuite | M5 | All | Issue |
| Session invalidation on the backend | Ensure that all session invalidation events are executed on the server side and not just in the mobile app | Burpsuite | M9 | All | Issue |
| Session timeout protection | The mobile app must have adequate timeout protection on the backend components | Burpsuite | M9 | All | Issue |
| Cookie rotation | Ensure that cookie reset is properly implemented during authentication state changes (Anonymous<->User, User A<->User B, Timeout) | Burpsuite | M9 | All | Issue |
| Token creation | Tokens should use a standard algorithm and be sufficiently long, complex, and pseudo-random so as to be resistant to guessing/anticipation attacks | Burpsuite | M9 | All | Issue |



Everyone is welcome to share better approaches; I look forward to them ^^_^^

