5

When arranging a pen test it's common practice to ask the client a set of questions, and use the answers either as the basis for further discussions, or to directly provide a test plan and quotation.

For a mobile app specifically, what questions are helpful to include? For example:

  • What platforms does the app support? e.g. iOS, Android
  • Was the app developed using a cross-platform framework? e.g. PhoneGap, Kivy
  • Does the app connect to it's own back-end service? e.g. bespoke REST, Firebase
    • Do these connections use SSL pinning?
  • Does the app provide additional UI secuity? e.g. PIN, FLAG_SECURE
  • Does the app provide IPC interfaces? e.g. URL handler, intent
  • Does the app interface with hardware? e.g. bluetooth card reader
  • Is the app obfuscated?
  • How is the app delivered? e.g. public store, private app in store, alternate store, sideloading
  • What authentication is used? e.g. pairing, user name & password, connect with Facebook
  • How many views/pages does the app have?
  • What permissions does the app request?
  • Does the app make arbitrary network connections or listen on ports?

If you have any other ideas, please let me know!

paj28
  • 32,736
  • 8
  • 92
  • 130

1 Answers1

1

I found it rather important to say that not all apps are purely created with Java and XML, there are people who like to convert their website into an android app, in fact that's just a copy of their website displayed on 5" screen., not only because it's cheaper but also because it saves them time.

Some suggestions,

  • Is it a converted app? (in case it is converted from a webpage)
  • Which technologies has been used during the development process or in the app, such as HTML5 or javascript?
CriticalSYS
  • 194
  • 1
  • 13