28 Sep 2016
Mobile app penetration testing

The lack of security standards in app marketplaces makes it hard to manage security controls at the application level. Having a strong security checklist in place improves not only app security but also the ecosystem around the development process. Robust security standards and well-defined guidelines also set a platform apart from the others.

This checklist can help you become a leading marketplace when it comes to application security.

1. SSL implementation check

Checking the SSL implementation is key for many apps. It protects the app from MITM attacks and secures the communication between the mobile app and the server.

2. Sensitive information management at client side

An application shouldn't store sensitive information such as encryption keys, usernames and passwords in shared preferences, files or any other local storage or memory. If an application does store sensitive information in a database, encrypting the database with the SQLCipher library is advised. The handling of sensitive information should be checked when the app is uploaded to the marketplace.

3. Code obfuscation

Strong code obfuscation standards should be in place. Applications should encrypt or obfuscate their code to hinder reverse engineering.

4. Obsolete cryptographic libraries identification

Apps must always use current cryptographic algorithms that are considered safe and recommended. App developers should avoid writing their own implementation of cryptography.

5. Validation checks at both client side and server side

Sometimes developers perform validation only on the client side. This leaves the server susceptible to MITM attacks. Check all possible input validation scenarios.

6. Input sanitisation

Sanitise all user inputs to strip malicious characters. Apps should use whitelisting to define the set of allowable characters.

7. Encode and decode

Apps should always use a standard encoding for user input sent from the client side and implement the matching decoding mechanism on the server side for the data the client sends. All encoding and decoding standards should be tested.

8. Implement checksums and tokens

A good practice for developers is to implement checksums for the data passed from the client to the server, so that its integrity can be verified. Implement tokens to protect the app from CSRF attacks.

9. Secure response headers

Pay attention to the implementation of secure response headers.

10. Authorisation testing

Test authorisation at every level. Server-side resources should be properly configured based on the user roles in the application.

11. Session management

Sessions need to be handled properly to avoid session-based attacks. Developers should generate random session identifiers and ensure sessions are terminated after a set period of time or after a period of inactivity. Check that sessions expire after logout; otherwise the previous session can be reused for account takeover.

12. Protect the OS components

Check that components in the Android application are declared with android:exported="false" wherever other applications are not meant to interact with those components of your app.

13. Implementing password policy

Most mobile applications still use weak password policies. Enforcing a minimum password length of 8 and requiring at least one numeric, one uppercase, one lowercase and one special character will improve security at the human level.

14. Implement Captcha

To stop brute-force attacks, apps should implement reCAPTCHA from Google.
