> For the complete documentation index, see [llms.txt](https://calvin-lai.gitbook.io/calvin-lai-security/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://calvin-lai.gitbook.io/calvin-lai-security/penetration-testing/mobile-penetration-test/checklist.md).

# Checklist

## **Information Gathering**

* Identify the product information, such as the library and framework in use
* Those used libraries and framework is the up-to-date version & applied the latest patches
* Outdated components or known vulnerability (CVE) found in the identified product
* Access to the default URL or admin page of the identified product
* Any hardcoded secrets (API Key, Credentials)

## **Application Analysis**

* Standard Error Handling
* Cached sensitive data
* Any sensitive or unnecessary data send in plain text
* ALLOWBACKUP flag disabled
* DEBUG flag disabled

## **Data Storage**

* Saved sensitive data in plain text
* Log files securely stored with protection
* Logging any sensitive data locally

## **Backend API Server**

* Reference to the Web Application PenTest – [Service API](/calvin-lai-security/penetration-testing/web-application-pentest.md#web-service-api)&#x20;

## Others

* Improper platform usage, such as permission, toucjID, keychain
* Insecure communication, such as SSL Cert, Cert Pinning
* Insecure authentication & authorization&#x20;
* insufficient cryptography
* Reverse engineering
