# Checklist

## **Information Gathering**

* Identify the product information, such as the library and framework in use
* The libraries and frameworks in use are current versions with the latest patches applied
* Outdated components or known vulnerabilities (CVEs) in the identified product
* Access to the default URL or admin page of the identified product
* Any hardcoded secrets (API Key, Credentials)

## **Application Analysis**

* Standard Error Handling
* Cached sensitive data
* Any sensitive or unnecessary data sent in plain text
* ALLOWBACKUP flag disabled
* DEBUG flag disabled
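The last three items can be read straight from the app's manifest. The script below is an added example (not part of the original checklist) that parses a decoded `AndroidManifest.xml`, such as the one apktool writes out, and reports the `allowBackup`, `debuggable` and `usesCleartextTraffic` attributes on `<application>`; the third is the manifest-level switch for sending data in plain text. The sample manifests are constructed, and the package name is a placeholder.

```python
"""Report the Android manifest flags from the 'Application Analysis' checklist.

Added example. Input is a decoded AndroidManifest.xml (e.g. from apktool),
not a binary manifest straight out of the APK.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
FLAGS = ("allowBackup", "debuggable", "usesCleartextTraffic")

# Constructed sample: every flag set to the weak value.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder">
    <uses-sdk android:targetSdkVersion="27"/>
    <application android:allowBackup="true"
                 android:debuggable="true"
                 android:usesCleartextTraffic="true">
    </application>
</manifest>
"""

# Constructed sample: every flag explicitly set to the safe value.
HARDENED_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder">
    <uses-sdk android:targetSdkVersion="33"/>
    <application android:allowBackup="false"
                 android:debuggable="false"
                 android:usesCleartextTraffic="false">
    </application>
</manifest>
"""

# Constructed sample: nothing set, so the platform defaults apply.
MINIMAL_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder">
    <application/>
</manifest>
"""


def android_attr(element, name):
    """Return the android:-namespaced attribute, or None when absent."""
    return element.get("{%s}%s" % (ANDROID_NS, name))


def target_sdk(xml_text):
    """Return targetSdkVersion as an int, or None if the manifest does not declare it.

    Needed alongside the flags: the default for usesCleartextTraffic depends on it.
    """
    root = ET.fromstring(xml_text)
    sdk = root.find("uses-sdk")
    if sdk is None:
        return None
    value = android_attr(sdk, "targetSdkVersion")
    return int(value) if value is not None else None


def check_manifest(xml_text):
    """Map each checklist flag to 'PASS' (false), 'FAIL' (true) or 'UNSET' (absent)."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    if app is None:
        raise ValueError("manifest has no <application> element")
    results = {}
    for flag in FLAGS:
        value = android_attr(app, flag)
        if value is None:
            # Absent means the platform default applies; record it with the
            # targetSdkVersion rather than guessing the default here.
            results[flag] = "UNSET"
        elif value.strip().lower() == "true":
            results[flag] = "FAIL"
        else:
            results[flag] = "PASS"
    return results


if __name__ == "__main__":
    for label, manifest in (("sample", SAMPLE_MANIFEST),
                            ("hardened", HARDENED_MANIFEST),
                            ("minimal", MINIMAL_MANIFEST)):
        print(label, "targetSdk=%s" % target_sdk(manifest), check_manifest(manifest))
```

An `UNSET` result is not a pass: `allowBackup` defaults to enabled when omitted, and the cleartext default depends on the target SDK level, so record both and confirm the effective behaviour on a device.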

## **Data Storage**

* Saved sensitive data in plain text
* Log files securely stored with protection
* Logging any sensitive data locally
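The hardcoded-secrets item under Information Gathering and the plaintext-storage and logging items above are all the same check run over different inputs: decompiled sources, files pulled from the app's data directory, and logcat output. The scanner below is an added example (not part of the original checklist) that runs a small set of regular expressions over such text and reports each hit with the secret itself redacted, so the finding can go into a report without reproducing the value. All sample files are constructed; the AWS-style key is the placeholder value AWS publishes in its own documentation, and the hostnames use the reserved `.invalid` TLD.

```python
"""Scan decompiled sources, app data files and logs for plaintext secrets.

Added example. The patterns are deliberately simple and will need tuning
per app; the point is the workflow: one pass, one finding per match, value
redacted in the excerpt.
"""
import re

# Each pattern captures the sensitive value in a group named 'secret'.
PATTERNS = {
    "generic api key": re.compile(
        r"(?i)(?:api[_-]?key|secret[_-]?key|access[_-]?token)\b\s*[:=]\s*[\"']?"
        r"(?P<secret>[A-Za-z0-9_\-]{16,})"),
    "password assignment": re.compile(
        r"(?i)(?:password|passwd|pwd)\b\s*[:=]\s*[\"'](?P<secret>[^\"']{4,})[\"']"),
    "aws access key id": re.compile(r"\b(?P<secret>AKIA[0-9A-Z]{16})\b"),
    "private key block": re.compile(
        r"(?P<secret>-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----)"),
    "preference value": re.compile(
        r"(?i)<string name=\"[^\"]*(?:password|token|secret|key)[^\"]*\">"
        r"(?P<secret>[^<]+)</string>"),
    "authorization header in log": re.compile(
        r"(?i)authorization:\s*(?P<secret>(?:bearer|basic)\s+\S+)"),
}

# Constructed sample inputs: a decompiled class, a shared_prefs file pulled
# from /data/data, a bundled key, a logcat capture and one clean resource file.
SAMPLE_FILES = {
    "sources/com/example/Config.java": (
        "public final class Config {\n"
        "    static final String BASE_URL = \"https://api.example.invalid/v1\";\n"
        "    static final String API_KEY = \"EXAMPLE_KEY_0123456789abcdef\";\n"
        "    static final String DB_PASSWORD = \"s3cret-placeholder\";\n"
        "    static final String AWS_KEY_ID = \"AKIAIOSFODNN7EXAMPLE\";\n"
        "}\n"),
    "shared_prefs/session.xml": (
        "<?xml version=\"1.0\" encoding=\"utf-8\" standalone=\"yes\" ?>\n"
        "<map>\n"
        "    <string name=\"username\">alice</string>\n"
        "    <string name=\"auth_token\">placeholder-token-value-0001</string>\n"
        "</map>\n"),
    "assets/client.key": (
        "-----BEGIN PRIVATE KEY-----\n"
        "placeholder-base64-body\n"
        "-----END PRIVATE KEY-----\n"),
    "logcat.txt": (
        "10-01 12:00:00.000  1234  1234 D HttpClient: --> GET https://api.example.invalid/v1/me\n"
        "10-01 12:00:00.001  1234  1234 D HttpClient: Authorization: Bearer placeholder.jwt.value\n"
        "10-01 12:00:00.002  1234  1234 D HttpClient: <-- 200 OK\n"),
    "res/values/strings.xml": (
        "<resources>\n"
        "    <string name=\"app_name\">Sample</string>\n"
        "</resources>\n"),
}


def redact(line, match):
    """Replace only the captured secret so the key name and context stay readable."""
    return line[:match.start("secret")] + "[REDACTED]" + line[match.end("secret"):]


def scan_text(path, text):
    """Return one finding dict per pattern match, line by line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append({
                    "path": path,
                    "line": line_no,
                    "kind": kind,
                    "excerpt": redact(line, match).strip(),
                })
    return findings


def scan_files(files):
    """Scan a {path: contents} mapping and return all findings sorted by path and line."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return sorted(findings, key=lambda f: (f["path"], f["line"]))


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print("%s:%d [%s] %s" % (f["path"], f["line"], f["kind"], f["excerpt"]))
```

On a real engagement the same function is pointed at the apktool or jadx output directory, the app's pulled data directory and a saved logcat, which is why paths rather than file handles are the unit of reporting.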

## **Backend API Server**

* Reference to the Web Application PenTest – [Service API](/calvin-lai-security/penetration-testing/web-application-pentest.md#web-service-api)

## Others

* Improper platform usage, such as permissions, TouchID, keychain
* Insecure communication, such as SSL certificates, certificate pinning
* Insecure authentication & authorization
* Insufficient cryptography
* Reverse engineering

