Mobile Security Checklist - V1
Results: Pass | Fail | Not Applicable

Vulnerabilities (Android; P2 system)
Legend: Pass = No Vulnerability Found; Fail = Vulnerability Found; Not Applicable = Vulnerability not applicable to Application
Vulnerability Name
- System credential storage facilities need to be used to store sensitive data, such as PII, user credentials or cryptographic keys.
- No sensitive data should be stored outside of the app container or system credential storage facilities.
- No sensitive data is written to application logs.
- No sensitive data is shared with third parties unless it is a necessary part of the architecture.
- The keyboard cache is disabled on text inputs that process sensitive data.
- No sensitive data is exposed via IPC mechanisms.
- No sensitive data, such as passwords or PINs, is exposed through the user interface.
- No sensitive data is included in backups generated by the mobile operating system.
- The app removes sensitive data from views when moved to the background.
- The app does not hold sensitive data in memory longer than necessary, and memory is cleared explicitly after use.
Verdict column (11 rows): 1 x Vulnerability Found, 10 x No Vulnerability Found
Results
Application Name | Pass | Fail | Not Applicable

Vulnerabilities
Vulnerability Name
- The app does not rely on symmetric cryptography with hardcoded keys as a sole method of encryption.
- The app uses cryptographic primitives that are appropriate for the particular use-case, configured with parameters that adhere to industry best practices.
- The app does not use cryptographic protocols or algorithms that are widely considered deprecated for security purposes.
- The app doesn't re-use the same cryptographic key for multiple purposes.
Verdict column (6 rows): 6 x No Vulnerability Found
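The three cryptography checks above (no hardcoded key as the sole protection, best-practice parameters, one key per purpose) can be satisfied with a single derivation scheme. The following is an added example, not code from the checklist or from any application it was applied to: a master secret is derived from a user-supplied passphrase and a random per-install salt with PBKDF2-HMAC-SHA256, then split with HKDF (RFC 5869) into independent keys labelled by purpose. The labels (`app/v1/...`), the passphrase and the iteration count default are assumptions for illustration.

```python
"""Key handling for the cryptography checks above: no hardcoded key as the sole
protection, best-practice parameters, and one key per purpose. Added example
using only hashlib/hmac; the labels and passphrase are constructed."""
import hashlib
import hmac
import os

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size
PBKDF2_ITERATIONS = 600_000  # OWASP guidance for PBKDF2-HMAC-SHA256 (assumed default)


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 Extract: PRK = HMAC-SHA256(salt, IKM); an empty salt means HashLen zero bytes."""
    return hmac.new(salt or bytes(HASH_LEN), ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 Expand: T(i) = HMAC(PRK, T(i-1) || info || i), concatenated and truncated."""
    if length > 255 * HASH_LEN:
        raise ValueError("length exceeds 255 * HashLen")
    okm, block = b"", b""
    for counter in range(1, -(-length // HASH_LEN) + 1):
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
    return okm[:length]


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """Extract-then-Expand in one call (used below to check against the RFC test vector)."""
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


def derive_app_keys(passphrase: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Derive a master secret from a user secret plus a random per-install salt, then
    split it into independent keys, one per purpose. The info label is what keeps the
    database key and the MAC key unrelated even though they share one master secret.
    Nothing here is a constant baked into the APK."""
    if len(salt) < 16:
        raise ValueError("use a random salt of at least 16 bytes")
    master = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, iterations, dklen=32)
    prk = hkdf_extract(b"app/v1/key-separation", master)  # hypothetical label
    return {
        "db_encryption": hkdf_expand(prk, b"app/v1/db-encryption", 32),  # hypothetical label
        "token_mac": hkdf_expand(prk, b"app/v1/token-mac", 32),          # hypothetical label
    }


if __name__ == "__main__":
    keys = derive_app_keys("correct horse battery staple", os.urandom(16))
    for purpose, key in keys.items():
        print(purpose, key.hex())
```

During review, the thing to look for is the inverse of this: one key object passed to both the cipher and the MAC, or a key that is the same for every install of the app. The RFC 5869 test vector (A.1) is a quick way to confirm an in-house HKDF is correct before trusting keys derived from it.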
Results
Application Name | Pass | Fail | Not Applicable

Vulnerabilities (Android Only; File Upload)
Legend: Pass = No Vulnerability Found; Fail = Vulnerability Found; Not Applicable = Vulnerability not applicable to Application

Vulnerability Name
- The app only requests the minimum set of permissions necessary.
- Sensitive Data Is Exposed via IPC Mechanisms
- Pixel Flooding
Verdict column (11 rows): 11 x No Vulnerability Found
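Three of the checks above can be triaged statically from the manifest before any dynamic testing: sensitive data in OS backups and exposure via IPC (from the first table) and the minimum permission set (this table). The script below is an added example written for this checklist, not tooling from the checklist's author or from any audited app; the package name `com.example.bank`, the component names and the sample manifest are constructed, and the set of permissions it flags is an illustrative subset rather than a policy.

```python
"""Static manifest review for three checklist items: sensitive data in OS backups,
sensitive data exposed via IPC, and the minimum permission set. Added example,
not part of the checklist; the sample manifest below is constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Permissions that read or capture user data; each one the app requests needs a
# documented reason. Illustrative subset, not an exhaustive policy.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_BACKGROUND_LOCATION",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
}


def _attr(element, name):
    """Read an android:-namespaced attribute; None when absent."""
    return element.get(f"{{{ANDROID_NS}}}{name}")


def audit_manifest(manifest_xml: str) -> list:
    """Return (check, detail) findings for the backup, IPC and permission checks."""
    root = ET.fromstring(manifest_xml)
    findings = []
    app = root.find("application")
    if app is None:
        return [("manifest", "no <application> element")]

    # Backups: allowBackup defaults to true, so an unset attribute is also a finding.
    # On API 31+ also review android:dataExtractionRules, which scopes what is backed up.
    allow_backup = _attr(app, "allowBackup")
    if allow_backup is None or allow_backup.lower() == "true":
        shown = allow_backup or "unset (defaults to true)"
        findings.append(("backup", f"android:allowBackup is {shown}; app data is eligible for backup"))

    # IPC: a component is reachable by any other app when it is exported and not
    # protected by android:permission. Before targetSdk 31 a component with an
    # intent-filter and no explicit android:exported is exported by default.
    for tag in COMPONENT_TAGS:
        for comp in app.iter(tag):
            name = _attr(comp, "name") or "<unnamed>"
            exported = (_attr(comp, "exported") or "").lower()
            has_filter = comp.find("intent-filter") is not None
            protected = _attr(comp, "permission") is not None
            if exported == "true" and not protected:
                findings.append(("ipc", f"{tag} {name} is exported without android:permission"))
            elif not exported and has_filter and not protected:
                findings.append(("ipc", f"{tag} {name} has an intent-filter but no android:exported "
                                        "(implicitly exported before targetSdk 31)"))

    # Permissions: report every sensitive permission so the reviewer can confirm
    # each one is required by the app's architecture.
    for uses in root.iter("uses-permission"):
        perm = _attr(uses, "name")
        if perm in SENSITIVE_PERMISSIONS:
            findings.append(("permission", f"{perm} requested; confirm it is necessary"))
    return findings


# Constructed sample: backups on, one explicitly exported activity, one launcher
# activity relying on the pre-31 default, and a provider correctly guarded by a permission.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bank">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <application android:allowBackup="true" android:label="Bank">
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <activity android:name=".DeepLinkActivity" android:exported="true"/>
        <provider android:name=".AccountProvider"
            android:authorities="com.example.bank.accounts"
            android:exported="true"
            android:permission="com.example.bank.READ_ACCOUNTS"/>
    </application>
</manifest>
"""

if __name__ == "__main__":
    for check, detail in audit_manifest(SAMPLE_MANIFEST):
        print(f"[{check}] {detail}")
```

Run it against the manifest pulled from the decoded APK (apktool output or `aapt dump xmltree` converted back to XML). Every `ipc` finding still needs a manual decision: a launcher activity must be exported, but an exported content provider or a deep-link activity that reads account data is the case the checklist item is about.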
Results
Application Name | Pass | Fail | Not Applicable

Vulnerabilities (Session ID Vulnerabilities; OAuth)
Legend: Pass = No Vulnerability Found; Fail = Vulnerability Found; Not Applicable = Vulnerability not applicable to Application

Vulnerability Name
- Session Fixation
- Session Hijacking
- Session Timeout
- Session Not Invalidated After Logout
- Server does not validate the Session ID
- Cookie contains sensitive information
- JWT token discloses sensitive information
- Server does not validate the JWT token
- JWT "none" algorithm attack
- Expired JWT tokens are accepted by the server
- Lack of JWT signature validation
- Authentication bypass via OAuth implicit flow
- Forced OAuth profile linking
- OAuth account hijacking via redirect_uri
- Stealing OAuth access tokens via an open redirect
- OAuth 2.0 authorization code can be used more than once
Verdict column (16 rows, one per check above): 16 x No Vulnerability Found
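The five JWT checks above (server validates the token, rejects the "none" algorithm, rejects a missing signature, rejects expired tokens, and does not skip signature validation) all come down to what the server's verifier does. The following is an added example, not code from the checklist or from any application it was applied to: a stdlib-only HS256 verifier, plus a driver that runs one valid token and four attack tokens through it so each checklist item maps to a rejection reason. The key, claims and timestamps are constructed; `make_token` accepts `alg="none"` only so the attack case can be built.

```python
"""Server-side JWT validation for the JWT checklist items: validate the token,
reject alg "none", reject a missing or bad signature, reject expired tokens.
Added example, stdlib only; key and claims are constructed."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

ALLOWED_ALG = "HS256"  # the server fixes the algorithm; the token header never chooses it


class InvalidToken(Exception):
    pass


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, key: bytes, alg: str = ALLOWED_ALG) -> str:
    """Issue a token. alg="none" is only here so the attack case below can be built."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}"
    if alg == "none":
        return signing_input + "."
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_token(token: str, key: bytes, now: Optional[float] = None, leeway: int = 30) -> dict:
    """Return the claims of a valid token or raise InvalidToken with the reason."""
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("expected header.payload.signature")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
    except ValueError as exc:
        raise InvalidToken("unparseable header") from exc
    if not isinstance(header, dict) or header.get("alg") != ALLOWED_ALG:
        raise InvalidToken(f"algorithm {header.get('alg') if isinstance(header, dict) else None!r} not allowed")
    if not sig_b64:
        raise InvalidToken("missing signature")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    try:
        actual = _b64url_decode(sig_b64)
    except ValueError as exc:
        raise InvalidToken("unparseable signature") from exc
    if not hmac.compare_digest(expected, actual):  # constant-time comparison
        raise InvalidToken("signature mismatch")
    try:
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError as exc:
        raise InvalidToken("unparseable payload") from exc
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, (int, float)):
        raise InvalidToken("exp claim required")
    now = time.time() if now is None else now
    if now > exp + leeway:
        raise InvalidToken("token expired")
    return claims


def checklist_results(key: bytes, now: float) -> dict:
    """Run one valid token and four attack tokens through verify_token."""
    good = make_token({"sub": "alice", "role": "user", "exp": now + 600}, key)
    header_b64, payload_b64, sig_b64 = good.split(".")
    admin_claims = {"sub": "alice", "role": "admin", "exp": now + 600}
    forged_payload = _b64url_encode(json.dumps(admin_claims, separators=(",", ":")).encode())
    cases = {
        "valid": good,
        "alg_none": make_token(admin_claims, b"", alg="none"),      # NONE algorithm attack
        "no_signature": f"{header_b64}.{payload_b64}.",             # signature stripped
        "expired": make_token({"sub": "alice", "exp": now - 3600}, key),
        "tampered": f"{header_b64}.{forged_payload}.{sig_b64}",     # payload edited, old signature
    }
    results = {}
    for name, token in cases.items():
        try:
            verify_token(token, key, now=now)
            results[name] = "accepted"
        except InvalidToken as exc:
            results[name] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for name, outcome in checklist_results(b"constructed-test-key-do-not-reuse", time.time()).items():
        print(f"{name:13s} {outcome}")
```

When testing a real endpoint, send the same five variants with a captured token: any response other than a rejection for the last four is a finding under the corresponding item. The algorithm check is deliberately an equality test against a server-side constant rather than a lookup of whatever the header names, which is the root cause of both the "none" attack and key-confusion attacks.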
Results
Application Name | Pass | Fail | Not Applicable

Vulnerabilities (Security Misconfiguration; Weak Encryption; Captcha Bypass; ClickJacking; Race Condition; Sub-domain Takeover)
Legend: Pass = No Vulnerability Found; Fail = Vulnerability Found; Not Applicable = Vulnerability not applicable to Application

Vulnerability Name
- Default Credentials
- Disclosure of sensitive information
- Default server files exposed publicly
- Web server banner grabbing
- Credentials sent unencrypted over HTTP
- XML External Entity
- Insecure Deserialization
- Server Side Request Forgery
- HTTP request smuggling
- Web cache poisoning
- Business logic vulnerabilities
- HTTP Host header attacks
- Open URL Redirect
Verdict column (12 rows): 12 x No Vulnerability Found
Results