Mobile Application PenTest

Information Gathering

  • Identify the product information, such as the libraries and frameworks in use
  • Check that those libraries and frameworks are the up-to-date version with the latest patches applied
  • Check for outdated components or known vulnerabilities (CVEs) in the identified products
  • Check access to the default URL or admin page of the identified product
  • Check for any hardcoded secrets (API keys, credentials)

Application Analysis

  • Standard Error Handling
  • Cached sensitive data
  • Any sensitive or unnecessary data sent in plain text
  • ALLOWBACKUP flag disabled
  • DEBUG flag disabled
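As an added example (not part of the original checklist), the two manifest flags above can be verified mechanically. The script below parses an AndroidManifest.xml and reports android:allowBackup and android:debuggable; the two manifests it contains are constructed samples, one weak and one hardened.

```python
# Added example: check AndroidManifest.xml for allowBackup and debuggable.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest with both flags set insecurely.
WEAK_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.app">
  <application android:allowBackup="true"
               android:debuggable="true"
               android:label="Example" />
</manifest>
"""

# Constructed hardened counterpart: backup disabled, debugging off.
HARDENED_MANIFEST = WEAK_MANIFEST.replace(
    'android:allowBackup="true"', 'android:allowBackup="false"'
).replace('android:debuggable="true"', 'android:debuggable="false"')


def check_manifest_flags(manifest_xml: str) -> dict:
    """Map each checked flag to a finding string, or None when it is fine.

    android:allowBackup defaults to true when the attribute is absent, so a
    missing attribute is reported too. android:debuggable defaults to false,
    so only an explicit "true" is flagged.
    """
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    findings = {"allowBackup": None, "debuggable": None}
    if app is None:
        findings["allowBackup"] = "no <application> element found"
        return findings
    allow_backup = app.get(f"{{{ANDROID_NS}}}allowBackup")
    if allow_backup is None:
        findings["allowBackup"] = 'attribute missing (defaults to true); set android:allowBackup="false"'
    elif allow_backup.lower() == "true":
        findings["allowBackup"] = 'android:allowBackup="true"; app data is included in device backups'
    debuggable = app.get(f"{{{ANDROID_NS}}}debuggable")
    if debuggable is not None and debuggable.lower() == "true":
        findings["debuggable"] = 'android:debuggable="true"; a release build must not be debuggable'
    return findings


if __name__ == "__main__":
    for name, manifest in (("weak", WEAK_MANIFEST), ("hardened", HARDENED_MANIFEST)):
        print(name, check_manifest_flags(manifest))
```

The same check applies to a manifest decoded from an APK (for example with apktool); the script only needs the decoded XML text.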

Data Storage

  • Saved sensitive data in plain text
  • Log files securely stored with protection
  • Logging any sensitive data locally

Backend API Server

  • Reference to the Web Application PenTest – Service API

Others

  • Improper platform usage, such as permissions, TouchID, keychain
  • Insecure communication, such as SSL certificates, certificate pinning
  • Insecure authentication & authorization
  • Insufficient cryptography
  • Reverse engineering