Android

Android Pentesting

MOBILE CHECKLIST TEMPLATE

M1 – Improper Platform Usage

  • Excessive port opened at Firewall => Identify opened port at Server-side URL/IP Address
  • Default credentials on Application Server => Identify default credentials on Backend server (e.g. Tomcat Application server using tomcat/tomcat, admin/tomcat)
  • Exposure of Webservices through WSDL document => Identify webservices help pages (*.asmx) which show methods and structure
  • Security Misconfiguration on Webserver => Identify webserver configuration (e.g. Error handling, HTTP response banner)
  • Input validation on API => Check input validation on API/Web services
  • Information Exposure through API response message => Identify sensitive information on API response message/header
  • Touch ID and the Keychain => Check whether LocalAuthentication can be bypassed by modifying the local check at runtime | Check whether passwords or other sensitive data can be retrieved from the keychain
  • Insecure File Permissions => Check whether the application uses the ‘world readable’ or ‘world writeable’ file permissions; these can leak data and expose the app to attackers who are able to overwrite the app’s data.
  • Intent Sniffing => Check whether a malicious Android application could register to receive broadcast or implicit intents sent by the app.

M2 – Insecure Data Storage

  • Hard-coded credentials in source code => Identify sensitive information in the source code
  • Unrestricted Backup file => Check “android:allowBackup” attribute which should be set to “false”
  • Unencrypted Database files => Check encryption on database files
  • Insecure Shared Storage => Identify Sensitive Data on Shared Storage, SD card storage encryption, Shared preferences MODE_WORLD_READABLE
  • Insecure Application Data Storage => Identify Sensitive Data in application files (application log, Cache file, Cookie)

M3 – Insecure Communication

  • Insecure Transport Layer Protocols => Bypassing TLS Certificate Pinning
  • TLS Authenticity Flaws => Check POODLE, BEAST, CRIME, BREACH, Heartbleed
  • TLS Weak Encryption => Check TLS/SSL cipher hardening
  • Bypassing TLS Certificate Pinning => Check TLS/SSL pinning

M4 – Insecure Authentication

  • Information Disclosure through Logcat/Apple System Log (ASL) => Identify sensitive information through application log
  • Application Backgrounding (Screenshot) => Identify application snapshot/screenshot backgrounding
  • URL Caching (HTTP Request and Response) on cache.db => Identify HTTP caching which is stored in Cache.db
  • Keyboard Press Caching => Identify keyboard cache file located in: /var/mobile/Library/Keyboard
  • Copy/Paste Buffer Caching => Identify disabling Copy/Paste function for sensitive part of the application on EditText/UITextField
  • Exposing Device Specific Identifiers in Attacker Visible Elements => Observe the device’s network traffic through a proxy to determine whether device identifiers (UDID) are sent during transmission.
  • Using Insecure Authentication Vectors => Check for any hidden service requests; check the password policy
  • Local Authentication Bypass Threats => Check the access policy for weak authentication that allows a valid identity to be forged. Check for default usernames and passwords.
  • Client Side Based Authentication Flaws => Check which of the several HTTP authentication protocols are embedded, e.g. Basic (Base64-encoded), Digest, NTLM, Microsoft Passport (a single-sign-in (SSI) service), Negotiate and Form-based

M5 – Insufficient Cryptography

  • Cryptographic Based Storage Strength => Identify insecure/deprecated cryptographic algorithms (RC4, MD5, SHA1) in the source code
  • Poor key management process => Identify hardcoded keys in the application; keys may also be intercepted via binary attacks
  • Use of custom encryption protocols => Identify whether the app implements its own cryptographic protocol

M6 – Insecure Authorization

  • Remember Credentials Functionality (Persistent authentication) => Identify user’s password or sessions on the device
  • Client Side Based Authentication Flaws => Perform binary attacks against the mobile app in order to bypass offline authentication
  • Client Side Authorization Breaches => Perform binary attacks against the mobile app and try to execute privileged functionality that should only be executable with a user of higher privilege
  • Bypassing business logic flaws => Identify Missing Function Level Access Control, Negative value testing
  • User Propriety Data in Logcat => Check for adb logcat
  • Technical Valuable Data in Logcat => Check for adb logcat
  • Code Puzzling and Abusing Application State => Bypass efficient authentication enforcement mechanisms and impersonate legitimate users. Elevate the privileges of a malicious user account, in an environment that would otherwise be considered foolproof (Privilege escalations). Manipulate server-side values in indirect methods that cannot be predicted or detected.
  • Public Intents => Check defined Explicit and Implicit intents.
  • Permissions & Digital Signature, Clipboard Separation => Check whether it is possible to remove signatures from a digital signature field. Check whether unwanted permissions defined in the Android manifest can be exploited
  • Race Conditions, Deadlocks, and Concurrency Threats => Race Conditions: check how multiple threads inside the same application access shared state (running more than one thread does not by itself cause a race). Deadlocks: check whether concurrent modules can get stuck waiting for each other. Concurrency Threats: check how threads in the system collaborate to complete the jobs they are given.
  • Device Denial of Service attacks => Check resilience against DoS tools such as LOIC and Packet Generator, which are available with user-friendly interfaces from verified sources like Google’s Play store.

M7 – Client Code Quality

  • Insufficient WebView hardening (XSS) => Identify misconfiguration of “android.webkit.WebSettings” (JavaScript/file access/plugins), XSS through UIWebView
  • Content Providers: SQL Injection and Local File Inclusion => Identify SQLi and LFI on Content provider component
  • Injection (SQLite Injection, XML Injection) => Identify SQLi and XMLi on application
  • Local File Inclusion through NSFileManager or WebViews => Check for LFI in the application (../ , ../../blah\0); check WebView file access via setAllowFileAccess
  • Code Signing => Check whether the application is digitally signed and its .apk files are optimized
  • Exposing External Java Interfaces in WebView DOM, JavaScript Execution Risks in WebViews => Check the WebViews; the two most important callbacks are WebChromeClient for browser events and WebViewClient for web events.
  • Loading Dynamic DEX onto Dalvik => Check whether the application, instead of loading Dalvik executable (“dex”) files from the default location, loads them from alternative locations such as internal storage or over the network.
  • NDK Exposed Code Secrets => Check for exposed NDK code under the paths ANDROID_HOME and ANDROID_NDK_HOME of the local SDK and NDK installation.
  • Tapjacking => Check whether activities of one Android application can gather input while an overlay from another application is active
  • Abusing Dynamic Code Execution Decisions => In Android, the DexClassLoader allows an application to load classes from jar and apk files. Check whether apk files can be created and loaded into another application at runtime.

M8 – Code Tampering

  • Abusing Android Components through IPC intents (“exported” and “intent-filter”) => Identify exported Android components
  • Abusing URL schemes => Identify URL schemes through source code or apk

M9 – Reverse Engineering

  • Reverse Engineering the Application Code => Disassembling and Decompiling the application, Obfuscation checking
  • Unauthorized Code Modification => Binary attack through run-time manipulation and code modification
  • Debug the application behavior through runtime analysis => Identify the “android:debuggable” attribute; attach GDB/LLDB to the application
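Three of the manifest checks in this checklist (M2 “android:allowBackup”, M8 exported components and intent-filters, M9 “android:debuggable”) can be automated from a static read of AndroidManifest.xml. The script below is an added example, not part of the original checklist or of any tool it names; the manifest it parses is constructed for illustration.

```python
# Added example: audit an AndroidManifest.xml for the M2/M8/M9 checklist items.
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"   # Android attribute namespace
COMPONENTS = ("activity", "service", "receiver", "provider")

def audit_manifest(xml_text):
    """Return (item, finding) tuples for every checklist item the manifest fails."""
    app = ET.fromstring(xml_text).find("application")
    findings = []
    if app is None:
        return findings
    # M2: backups should be disabled unless the app has a documented reason to allow them
    if app.get(A + "allowBackup") != "false":
        findings.append(("M2", "android:allowBackup is not set to false"))
    # M9: a debuggable build lets a debugger attach to the running process
    if app.get(A + "debuggable") == "true":
        findings.append(("M9", "android:debuggable is true"))
    # M8: components reachable from other apps via IPC intents
    for comp in app:
        if comp.tag not in COMPONENTS:
            continue
        exported = comp.get(A + "exported")
        has_filter = comp.find("intent-filter") is not None
        # without an explicit android:exported, an intent-filter makes the component
        # exported by default (older target SDKs); flag it unless a permission guards it
        if (exported == "true" or (exported is None and has_filter)) and comp.get(A + "permission") is None:
            findings.append(("M8", f"{comp.tag} {comp.get(A + 'name')} is exported without a permission"))
    return findings

# Constructed sample manifest (not from any real app) exercising each finding type.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <application android:allowBackup="true" android:debuggable="true">
    <activity android:name=".DeepLinkActivity">
      <intent-filter><action android:name="android.intent.action.VIEW"/>
        <data android:scheme="example"/></intent-filter>
    </activity>
    <provider android:name=".DataProvider" android:exported="true"
        android:authorities="com.example.app.data"/>
    <service android:name=".SyncService" android:exported="true"
        android:permission="com.example.app.SYNC"/>
    <receiver android:name=".BootReceiver" android:exported="false">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    for item, finding in audit_manifest(SAMPLE_MANIFEST):
        print(f"[{item}] {finding}")
```

The permission-guarded service and the non-exported receiver produce no finding; the implicitly exported deep-link activity and the exported provider do, and each still needs manual triage against the app’s intended IPC surface.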

M10 – Extraneous Functionality

  • Session invalidation on Backend => Ensure that all session invalidation events are executed on the server side and not just on the mobile app
  • Session Timeout Protection => Mobile app must have adequate timeout protection on the backend components
  • Cookie Rotation => Ensure that reset cookies are properly implemented during authentication state changes
  • Token Creation => Tokens should be generated with a standard algorithm and be sufficiently long, complex and pseudo-random so as to resist guessing/anticipation attacks.

Official OWASP checklist: https://github.com/OWASP/owasp-mstg/releases