Android Checklist – Android Penetration Testing

Mobile platforms provide many different services, from authentication to secure data storage to secure network communications. Failing to use some part of the platform correctly could therefore expose data or allow connections to untrusted hosts. With part 12, we summarized the  .

| Test Name | Description |
| --- | --- |
| Cryptographic Based Storage Strength | Identify insecure/deprecated cryptographic algorithms (RC4, MD5, SHA1) in source code |
| Poor key management process | Identify hardcoded keys in the application, or keys that may be intercepted via binary attacks |
| Use of custom encryption protocols | Identify applications implementing their own protocol |

 


M6 – Insecure Authorization – Android Checklist

| Test Name | Description |
| --- | --- |
| Remember Credentials Functionality (Persistent authentication) | Identify user’s password or sessions on the device |
| Client Side Based Authentication Flaws | Perform binary attacks against the mobile app in order to bypass offline authentication |
| Client Side Authorization Breaches | Perform binary attacks against the mobile app and try to execute privileged functionality that should only be executable by a user of higher privilege |
| Bypassing business logic flaws | Identify Missing Function Level Access Control, Negative value testing |
| User Propriety Data in Logcat; Technical Valuable Data in Logcat | Check for adb logcat |
| Code Puzzling and Abusing Application State | Bypass efficient authentication enforcement mechanisms and impersonate legitimate users. Elevate the privileges of a malicious user account, in an environment that would otherwise be considered foolproof (privilege escalation). Manipulate server-side values in indirect methods that cannot be predicted or detected. |
| Public Intents | Check defined Explicit and Implicit intents. |
| Permissions & Digital Signature; Clipboard Separation | Check if it is possible to remove signatures in a digital signature field. Check whether unwanted permissions defined in the Android manifest are exploitable. |
| Race Conditions, Deadlocks and Concurrency Threats | Race Conditions: Check if there are Running more than one thread inside the same application does not by itself. Deadlocks: Check if concurrent modules are stuck waiting for each other to do something. Concurrency Threats: Check how threads in the system collaborate to complete the jobs they are given. |
| Device Denial of Service attacks | DoS tools like LOIC and Packet Generator with user-friendly interfaces from verified sources like ’s Play store. |

 

M7 – Client Code Quality – Android Checklist

| Test Name | Description |
| --- | --- |
| Insufficient WebView hardening (XSS) | Identify misconfiguration on “android.webkit.WebSettings” (Javascript/File access/Plugins), XSS through UIWebview |
| Content Providers: SQL Injection and Local File Inclusion | Identify SQLi and LFI on Content provider component |
| Injection (SQLite Injection, XML Injection) | Identify SQLi and XMLi on application |
| Local File Inclusion through NSFileManager or Webviews | Check LFI on application (../ , ../../blah |
