Mobile Application PenTest
Information Gathering
Identify the product information, such as the library and framework in use
Those used libraries and framework is the up-to-date version & applied the latest patches
Outdated components or known vulnerability (CVE) found in the identified product
Access to the default URL or admin page of the identified product
Any hardcoded secrets (API Key, Credentials)
Application Analysis
Standard Error Handling
Cached sensitive data
Any sensitive or unnecessary data send in plain text
ALLOWBACKUP flag disabled
DEBUG flag disabled
Data Storage
Saved sensitive data in plain text
Log files securely stored with protection
Logging any sensitive data locally
Backend API Server
Reference to the Web Application PenTest – Service API
Others
Improper platform usage, such as permission, toucjID, keychain
Insecure communication, such as SSL Cert, Cert Pinning
Insecure authentication & authorization
insufficient cryptography
Reverse engineering
Last updated