Virginia Finance

May 15 2018

Mobile app security testing tools

#mobile #app #security #testing #tools


#

But we are damn sure that the number of vulnerabilities on mobile apps, especially android apps are far more than listed here. And also I couldn’t find a comprehensive checklist for either android or iOS penetration testing anywhere in the internet. If anyone have such a list with mobile application vulnerabilities and their testing methodologies please share here. Anything like a link to any such sources are also entertained.

asked Nov 25 ’14 at 6:54

AppSec has a nice list :

  • Reverse Engineering the Application Code
  • Testing for Common Libraries and Fingerprinting
  • Enumeration of Application Known Controllers
  • Information Disclosure by Logcat
  • Hidden Secrets in the Code
  • Storing Sensitive Data on Shared Storage (exposed to all applications without any restrictions)
  • Cryptographic Based Storage Strength
  • Content Providers Access Permissions
  • Content Providers SQL Injection
  • Privacy and Metadata Leaks
  • User Propriety Data in Logcat
  • Technical Valuable Data in Logcat
  • Exposed Components and Cross Application Authorization
  • Permissions Digital Signature Data Sharing Issues
  • Clipboard Separation
  • Public Intents and Unauthenticated Data Sources
  • Public Intents and Authorization Flaws
  • Code Puzzling and Abusing Application State
  • Race Conditions, Deadlocks and Concurrency Threats
  • In Device Denial of Service attacks
  • Exposing Device Specific Identifiers in Attacker Visible Elements
  • Exposure of Private User Data to Attacker Visible Components
  • Tracking Application Installations in Insecure Means
  • Tap Jacking
  • Client Side based Authorization Decisions
  • Bypassing business logic
  • WebView Security
  • Exposing External Java Interfaces in WebViews DOM
  • JavaScript Execution Risks at WebViews
  • Code Signing
  • Loading Dynamic DEX onto Dalvik
  • Abusing Dynamic Code Execution Decisions
  • Stack Based Buffer Overflows
  • Heap Based Buffer Overflows
  • Object Lifetime Vulnerabilities (Use-after-free, double free’s)
  • Format Strings Vulnerabilities
  • NDK Exposed Code Secrets
  • Integer Overflows
  • Integer Underflows
  • Insecure Transport Layer Protocols
  • TLS Authenticity Flaws
  • TLS Weak Encryption
  • Bypassing TLS Certificate Pinning
  • TLS Known Issues – CRIME, BREACH, BEAST, Lucky13, RC4, etc…
  • Disable certificate validation
  • Using Insecure Authentication Vectors (IMEI, MAC, etc..)
  • Cross Application Authentication
  • Local Authentication Bypass Threats
  • Client Side Based Authentication Flaws
  • Client Side Authorization Breaches
  • Shared User Resources
  • Excessive Permissions
  • Disclosure of Privileged Data to Public Resources

answered Feb 6 ’15 at 17:26


Written by admin


Leave a Reply

Your email address will not be published. Required fields are marked *