Mobile Application PenTest

Information Gathering

  • Identify the product information, such as the library and framework in use

  • The libraries and frameworks in use are the current version with the latest patches applied

  • Outdated components or known vulnerabilities (CVEs) in the identified product

  • Access to the default URL or admin page of the identified product

  • Any hardcoded secrets (API Key, Credentials)

Application Analysis

  • Standard Error Handling

  • Cached sensitive data

  • Any sensitive or unnecessary data sent in plain text

  • allowBackup flag disabled

  • DEBUG flag disabled
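As an added example (not part of the original checklist), a small Python check for the two manifest flags above, run on constructed AndroidManifest.xml samples; it uses the real attribute names android:allowBackup and android:debuggable and treats an absent attribute as the Android default.

```python
# Added example: audit an AndroidManifest.xml for the allowBackup and debuggable
# flags from the checklist above. Both sample manifests below are constructed.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest with both flags left in their insecure state.
WEAK_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.placeholder">
    <application android:allowBackup="true"
                 android:debuggable="true"
                 android:label="Placeholder" />
</manifest>"""

# Constructed manifest with both flags explicitly disabled.
HARDENED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.placeholder">
    <application android:allowBackup="false"
                 android:debuggable="false"
                 android:label="Placeholder" />
</manifest>"""


def check_manifest(manifest_xml: str) -> dict:
    """Return {finding: True if the issue is present} for the two flags."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        raise ValueError("manifest has no <application> element")

    def flag(name: str, default: str) -> bool:
        # A missing attribute means Android applies its default value,
        # so a silent omission is reported just like an explicit setting.
        return app.get(f"{{{ANDROID_NS}}}{name}", default).strip().lower() == "true"

    return {
        # allowBackup defaults to true: omitting it still leaves backups enabled.
        "allowBackup_enabled": flag("allowBackup", "true"),
        # debuggable defaults to false, but a release build must never set it.
        "debuggable_enabled": flag("debuggable", "false"),
    }


if __name__ == "__main__":
    for label, manifest in (("weak", WEAK_MANIFEST), ("hardened", HARDENED_MANIFEST)):
        for finding, present in check_manifest(manifest).items():
            print(f"[{label}] {finding}: {'ISSUE' if present else 'ok'}")
```

On a real target, feed it the manifest decoded from the APK (for example via apktool) rather than the constructed samples.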

Data Storage

  • Saved sensitive data in plain text

  • Log files securely stored with protection

  • Logging any sensitive data locally

Backend API Server

  • Refer to Web Application PenTest – Service API

Others

  • Improper platform usage, such as permissions, TouchID, keychain

  • Insecure communication, such as SSL Cert, Cert Pinning

  • Insecure authentication & authorization

  • Insufficient cryptography

  • Reverse engineering
