Mobile Security Checklist-V1

Application Name
Pass / Fail / Not Applicable

Vulnerabilities: Android & iOS; Android (P2 system)

Verdict options: No Vulnerability Found / Vulnerability Found / Vulnerability not applicable to Application

Vulnerability Name
System credential storage facilities need to be used to store sensitive data, such as PII, user credentials or cryptographic keys.
No sensitive data should be stored outside of the app container or system credential storage facilities.
No sensitive data is written to application logs.
No sensitive data is shared with third parties unless it is a necessary part of the architecture.
The keyboard cache is disabled on text inputs that process sensitive data.
No sensitive data is exposed via IPC mechanisms.
No sensitive data, such as passwords or PINs, is exposed through the user interface.
No sensitive data is included in backups generated by the mobile operating system.
The app removes sensitive data from views when moved to the background.
The app does not hold sensitive data in memory longer than necessary, and memory is cleared explicitly after use.
The app enforces a minimum device-access-security policy, such as requiring the user to set a device passcode.
Verdict
Vulnerability Found
No Vulnerability Found
No Vulnerability Found
No Vulnerability Found
No Vulnerability Found
No Vulnerability Found
No Vulnerability Found
No Vulnerability Found
No Vulnerability Found
No Vulnerability Found
No Vulnerability Found
Results

Application Name
Vulnerabilities: Android and iOS

Vulnerability Name
The app does not rely on symmetric cryptography with hardcoded keys as a sole method of encryption.
The app uses proven implementations of cryptographic primitives.
The app uses cryptographic primitives that are appropriate for the particular use-case, configured with parameters that adhere to industry best practices.
The app does not use cryptographic protocols or algorithms that are widely considered deprecated for security purposes.
The app doesn't re-use the same cryptographic key for multiple purposes.
All random values are generated using a sufficiently secure random number generator.
Verdict
No Vulnerability Found
No Vulnerability Found
No Vulnerability Found
No Vulnerability Found
No Vulnerability Found
No Vulnerability Found

Application Name
Vulnerabilities: Android and iOS; Android only; File Upload

Vulnerability Name
The app only requests the minimum set of permissions necessary.
Sensitive Data Is Exposed via IPC Mechanisms
The app does not export sensitive functionality through IPC facilities, unless these mechanisms are properly protected.
WebViews are configured to allow only the minimum set of protocol handlers required (ideally, only https is supported). Potentially dangerous handlers, such as file, tel and app-id, are disabled.
Sensitive Data Disclosure Through the User Interface
Sensitive Information in Auto-Generated Screenshots
Remote File Inclusion
Virus File Upload
Unrestricted File Upload
Allowed file size is more than expected
Disk Flooding
Pixel Flooding
Directory / File Traversal
Verdict
No Vulnerability Found
No Vulnerability Found
No Vulnerability Found
No Vulnerability Found
No Vulnerability Found
No Vulnerability Found
No Vulnerability Found
No Vulnerability Found
No Vulnerability Found
No Vulnerability Found
No Vulnerability Found

Application Name
Vulnerabilities: Session ID Vulnerabilities; JWT Token Vulnerability; OAuth

Vulnerability Name
Session Fixation
Session Hijacking
Session Timeout
Session Not Invalidated After Logout
Server Does Not Validate the Session ID
Cookie Contains Sensitive Information
JWT Token Discloses Sensitive Information
Server Does Not Validate the JWT Token
NONE Algorithm Attack
Expired JWT Tokens Are Accepted by Server
Lack of JWT Signature Validation
Authentication Bypass via OAuth Implicit Flow
Forced OAuth Profile Linking
OAuth Account Hijacking via redirect_uri
Stealing OAuth Access Tokens via an Open Redirect
OAuth 2.0 Authorization Code Can Be Used More Than Once
Verdict
No Vulnerability Found
No Vulnerability Found
No Vulnerability Found
No Vulnerability Found
No Vulnerability Found
No Vulnerability Found
No Vulnerability Found
No Vulnerability Found
No Vulnerability Found
No Vulnerability Found
No Vulnerability Found
No Vulnerability Found
No Vulnerability Found
No Vulnerability Found
No Vulnerability Found
No Vulnerability Found

Application Name
Vulnerabilities
Security Misconfiguration
Sensitive Data Exposure
XML External Entity
Insecure Deserialization
Server Side Request Forgery
HTTP Request Smuggling
Web Cache Poisoning
Business Logic Vulnerabilities
HTTP Host Header Attacks
Open URL Redirect
Parameter Tampering
HTTP Parameter Pollution
Host Header Redirection
Host Header Cache Poisoning
Host Header Reset Poisoning
HTTP Response Splitting
TLS 1.0 & 1.1 Protocol Detection
TLS Not Enforced Properly
Weak Encryption
HTTP Verbs Enabled (PUT & DELETE)
Cross Site Tracing
Infrastructure Admin Interfaces
Application Admin Interfaces
Database Exposure to External Network
Improper Error Handling
Application Buffer Overflows
Captcha Bypass
Directory Indexing Disabled
Insecure Configurations of Protocol
Restrict Device Access - User Agent
CGI Remote Code Execution
Shellshock Vulnerability (CGI)
Clickjacking
Race Condition
Sub-domain Takeover
Content Security Policy Bypasses
P2 system

Vulnerability Name
Default Credentials
Disclosure of Sensitive Information
Default Server Files Exposed Publicly
Web Server Banner Grabbing
Unencrypted Credentials Sent over HTTP Protocol
XML External Entity
Insecure Deserialization
Server Side Request Forgery
HTTP Request Smuggling
Web Cache Poisoning
Business Logic Vulnerabilities
HTTP Host Header Attacks
Open URL Redirect
Verdict
No Vulnerability Found
No Vulnerability Found
No Vulnerability Found
No Vulnerability Found
No Vulnerability Found
No Vulnerability Found
No Vulnerability Found
No Vulnerability Found
No Vulnerability Found
No Vulnerability Found
No Vulnerability Found
No Vulnerability Found