# Checklist

## **Information Gathering**

* Identify the product information, such as the library and framework in use
* The libraries and frameworks in use are the latest versions and have the latest patches applied
* Outdated components or known vulnerabilities (CVEs) in the identified product
* Default URL or admin page of the identified product is accessible
* Any hardcoded secrets (API keys, credentials)

## **Application Analysis**

* Standard Error Handling
* Cached sensitive data
* Any sensitive or unnecessary data sent in plain text
* ALLOWBACKUP flag (`android:allowBackup` in the manifest) disabled
* DEBUG flag (`android:debuggable` in the manifest) disabled
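The three manifest-level items above (plain-text traffic, ALLOWBACKUP, DEBUG) can be checked mechanically once the APK's manifest has been decoded. The script below is an added example and not part of the original checklist; it parses a constructed `AndroidManifest.xml`, applies the platform defaults for each attribute (`allowBackup` defaults to true, `debuggable` to false, `usesCleartextTraffic` to true below targetSdk 28 and false from 28 on) and reports any flag left in its weak state. The weak and hardened manifests embedded in it are constructed samples, and `com.example.placeholder` is a placeholder package name.

```python
"""Check a decoded AndroidManifest.xml for the Application Analysis flags.

Added example for this checklist; the manifests below are constructed samples.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample: every flag set the weak way (what a debug build often ships with).
WEAK_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.placeholder">
    <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="26" />
    <application
        android:allowBackup="true"
        android:debuggable="true"
        android:usesCleartextTraffic="true">
    </application>
</manifest>
"""

# The same constructed manifest with the settings a release build should carry.
HARDENED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.placeholder">
    <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="33" />
    <application
        android:allowBackup="false"
        android:debuggable="false"
        android:usesCleartextTraffic="false">
    </application>
</manifest>
"""


def _attr(elem, name):
    """Read an attribute from the android: namespace (None when absent)."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def _as_bool(value, default):
    """Manifest booleans are the strings 'true'/'false'; absent means the platform default."""
    if value is None:
        return default
    return value.strip().lower() == "true"


def check_manifest(xml_text):
    """Return a list of findings; an empty list means all three flags are safe."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    if app is None:
        return ["no <application> element found"]

    uses_sdk = root.find("uses-sdk")
    target_sdk = 0
    if uses_sdk is not None:
        target_sdk = int(_attr(uses_sdk, "targetSdkVersion") or 0)

    findings = []
    # allowBackup defaults to true, so an absent attribute is also a finding.
    if _as_bool(_attr(app, "allowBackup"), default=True):
        findings.append("allowBackup is enabled (explicitly or by default): app data is included in device backups")
    # debuggable defaults to false; a release build must never set it to true.
    if _as_bool(_attr(app, "debuggable"), default=False):
        findings.append("debuggable is true: a debugger can be attached to the build")
    # usesCleartextTraffic defaults to true below targetSdk 28 and to false from 28 on.
    if _as_bool(_attr(app, "usesCleartextTraffic"), default=(target_sdk < 28)):
        findings.append("cleartext (HTTP) traffic is permitted")
    return findings


if __name__ == "__main__":
    for label, manifest in (("weak", WEAK_MANIFEST), ("hardened", HARDENED_MANIFEST)):
        print(f"[{label}] {check_manifest(manifest) or 'no findings'}")
```

The defaults matter more than the explicit values: a manifest that never mentions `allowBackup` still ships with backups enabled, and an app targeting an old SDK level still permits HTTP unless it opts out, which is why the check reads `targetSdkVersion` before deciding.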

## **Data Storage**

* Sensitive data saved in plain text
* Log files stored securely with access protection
* Any sensitive data logged locally

## **Backend API Server**

* Refer to the Web Application PenTest – [Service API](https://calvin-lai.gitbook.io/calvin-lai-security/web-application-pentest#web-service-api)

## **Others**

* Improper platform usage, such as permissions, Touch ID, keychain
* Insecure communication, such as SSL certificate validation, certificate pinning
* Insecure authentication & authorization
* Insufficient cryptography
* Reverse engineering
