Android/iOS application security testing checklist

Question

According to OWASP, we have a list of top ten mobile application vulnerabilities.

But we are damn sure that the number of vulnerabilities on mobile apps, especially android apps are far more than listed here. And also I couldn't find a comprehensive checklist for either android or iOS penetration testing anywhere in the internet. If anyone have such a list with mobile application vulnerabilities and their testing methodologies please share here. Anything like a link to any such sources are also entertained.

Answer 1

There is a project called OASAM that aims to define a methodology to test Android devices.

You can find it here: http://oasam.org/en

The guide has the following sections:

1. OASAM-INFO: Information Gathering: Information gathering and attack surface definition.
2. OASAM-CONF: Configuration and Deploy Management: Configuration and deploy assessment.
3. OASAM-AUTH: Authentication: Authentication assessment.
4. OASAM-CRYPT: Cryptography: Cryptography use assessment.
5. OASAM-LEAK: Information Leak: Confidential information leak assessment.
6. OASAM-DV: Data Validation:User entry management assessment.
7. OASAM-IS: Intent Spoofing: Intent reception management assessment.
8. OASAM-UIR: Unauthorized Intent Receipt:Intent resolution assessment.
9. OASAM-BL Business Logic: Application business logic assessment.

Answer 2

AppSec has a nice list:

• Reverse Engineering the Application Code
• Testing for Common Libraries and Fingerprinting
• Enumeration of Application Known Controllers
• Information Disclosure by Logcat
• Hidden Secrets in the Code
• Storing Sensitive Data on Shared Storage (exposed to all applications without any restrictions)
• Cryptographic Based Storage Strength
• Content Providers Access Permissions
• Content Providers SQL Injection
• Privacy and Metadata Leaks
• User Propriety Data in Logcat
• Technical Valuable Data in Logcat
• Exposed Components and Cross Application Authorization
• Permissions & Digital Signature Data Sharing Issues
• Clipboard Separation
• Public Intents and Unauthenticated Data Sources
• Public Intents and Authorization Flaws
• Code Puzzling and Abusing Application State
• Race Conditions, Deadlocks and Concurrency Threats
• In Device Denial of Service attacks
• Exposing Device Specific Identifiers in Attacker Visible Elements
• Exposure of Private User Data to Attacker Visible Components
• Tracking Application Installations in Insecure Means
• Tap Jacking
• Client Side based Authorization Decisions
• Bypassing business logic
• WebView Security
• Exposing External Java Interfaces in WebViews DOM
• JavaScript Execution Risks at WebViews
• Code Signing
• Loading Dynamic DEX onto Dalvik
• Abusing Dynamic Code Execution Decisions
• Stack Based Buffer Overflows
• Heap Based Buffer Overflows
• Object Lifetime Vulnerabilities (Use-after-free, double free’s)
• Format Strings Vulnerabilities
• NDK Exposed Code Secrets
• Integer Overflows
• Integer Underflows
• Insecure Transport Layer Protocols
• TLS Authenticity Flaws
• TLS Weak Encryption
• Bypassing TLS Certificate Pinning
• TLS Known Issues – CRIME, BREACH, BEAST, Lucky13, RC4, etc…
• Disable certificate validation
• Using Insecure Authentication Vectors (IMEI, MAC, etc..)
• Cross Application Authentication
• Local Authentication Bypass Threats
• Client Side Based Authentication Flaws
• Client Side Authorization Breaches
• Shared User Resources
• Excessive Permissions
• Disclosure of Privileged Data to Public Resources

Answer 3

The OWASP Mobile Security Testing Guide -- https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Mobile_Security_Testing UPDATE -- here -- https://docs.google.com/document/d/1N7zMXlFHtWfc00xa6lRHnVB60U4BZO4SbUrWYMbojVM/edit?usp=sharing

(a link to the GDocs file as well as a huge overview)