# Android Checklist

## How to approach a target?

When performing an Android penetration test, first split the engagement into two phases:

* Client Side Pentest (Mobile)
* Server Side Pentest (API / Web)

*The client side covers the mobile APK. In this phase you should perform static and dynamic code analysis, reverse the application to assess code quality, bypass root detection if it exists, and look for insecure data logging and similar issues.*

*The server side covers API and web pentesting. In this phase you should test for web vulnerabilities such as IDOR, SQL injection, SSRF, command injection, and any other server side vulnerability that affects web applications.*

### Client Side Vulnerabilities

#### Memory/Storage Analysis

* Sensitive information disclosed in storage of the mobile device
* Sensitive information found in logs
* Sensitive information found in cache
* Sensitive information found in installed application folder
* Sensitive information stored in SQLite database in cleartext
* Check if sensitive information remains there even after log out
* Sensitive information stored in shared preference files

#### Code level vulnerabilities

* Source code obfuscation not found
* Sensitive information disclosed in application error message
* Binary reverse engineering
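To make the storage items above concrete, here is an added example (not part of the original checklist) of a small scanner that walks an app's pulled data directory and flags cleartext secrets in `shared_prefs/*.xml` and in SQLite databases under `databases/`. The directory layout, the secret-name patterns and the sample app data it builds are constructed assumptions for this example; on a real engagement you would point `scan_app_data` at the directory pulled from `/data/data/<package>/`.

```python
import os
import re
import sqlite3
import tempfile
import xml.etree.ElementTree as ET

# Key/column names that commonly hold secrets (constructed list for this example;
# extend it with the names used by the application under test).
SENSITIVE_NAME = re.compile(r"(pass(word)?|token|secret|api[_-]?key|session|pin)", re.I)
# Values that look like opaque credentials (long base64/hex/JWT-like strings).
OPAQUE_VALUE = re.compile(r"^[A-Za-z0-9_\-+/=.]{20,}$")
SQLITE_MAGIC = b"SQLite format 3\x00"


def scan_shared_prefs(xml_path):
    """Flag entries in one shared_prefs XML file whose key name or value looks sensitive."""
    findings = []
    for entry in ET.parse(xml_path).getroot():
        key = entry.get("name", "")
        # <string> keeps its value as element text; <boolean>/<int>/... use a value attribute.
        value = entry.text if entry.text is not None else entry.get("value", "")
        if value and (SENSITIVE_NAME.search(key) or OPAQUE_VALUE.match(value)):
            findings.append({"file": os.path.basename(xml_path), "key": key,
                             "preview": value[:8] + "..."})
    return findings


def scan_sqlite(db_path):
    """Flag non-empty text values stored in columns whose name looks sensitive."""
    findings = []
    quote = lambda ident: '"' + ident.replace('"', '""') + '"'  # identifiers come from the app's DB
    con = sqlite3.connect(db_path)
    try:
        tables = [r[0] for r in con.execute("SELECT name FROM sqlite_master WHERE type='table'")]
        for table in tables:
            for col in [r[1] for r in con.execute(f"PRAGMA table_info({quote(table)})")]:
                if not SENSITIVE_NAME.search(col):
                    continue
                rows = con.execute(f"SELECT {quote(col)} FROM {quote(table)} "
                                   f"WHERE {quote(col)} IS NOT NULL LIMIT 5").fetchall()
                for (value,) in rows:
                    if isinstance(value, str) and value:
                        findings.append({"file": os.path.basename(db_path),
                                         "key": f"{table}.{col}", "preview": value[:8] + "..."})
    finally:
        con.close()
    return findings


def scan_app_data(app_dir):
    """Walk an app's pulled data directory (shared_prefs/, databases/) and collect findings."""
    findings = []
    prefs_dir = os.path.join(app_dir, "shared_prefs")
    db_dir = os.path.join(app_dir, "databases")
    if os.path.isdir(prefs_dir):
        for name in sorted(os.listdir(prefs_dir)):
            if name.endswith(".xml"):
                findings += scan_shared_prefs(os.path.join(prefs_dir, name))
    if os.path.isdir(db_dir):
        for name in sorted(os.listdir(db_dir)):
            path = os.path.join(db_dir, name)
            with open(path, "rb") as f:
                is_sqlite = f.read(16) == SQLITE_MAGIC  # skips -journal/-wal/-shm side files
            if is_sqlite:
                findings += scan_sqlite(path)
    return findings


def build_sample_app_data():
    """Create a constructed, self-contained app data directory to run the scanner against."""
    app_dir = tempfile.mkdtemp(prefix="com.example.app_")
    os.makedirs(os.path.join(app_dir, "shared_prefs"))
    os.makedirs(os.path.join(app_dir, "databases"))
    with open(os.path.join(app_dir, "shared_prefs", "com.example.app_preferences.xml"), "w") as f:
        f.write("""<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="username">alice</string>
    <string name="auth_token">eyJhbGciOiJIUzI1NiJ9.constructed.sample.token</string>
    <boolean name="remember_me" value="true" />
    <string name="theme">dark</string>
</map>
""")
    con = sqlite3.connect(os.path.join(app_dir, "databases", "app.db"))
    con.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password TEXT);
        INSERT INTO users (email, password) VALUES ('alice@example.com', 'hunter2');
        CREATE TABLE session (id INTEGER PRIMARY KEY, token TEXT);
        INSERT INTO session (token) VALUES ('constructed-session-token-0001');
        CREATE TABLE settings (id INTEGER PRIMARY KEY, theme TEXT);
        INSERT INTO settings (theme) VALUES ('dark');
    """)
    con.commit()
    con.close()
    return app_dir


if __name__ == "__main__":
    for finding in scan_app_data(build_sample_app_data()):
        print(f"{finding['file']}: {finding['key']} = {finding['preview']}")
```

The scanner only previews the first characters of each hit so the report itself does not become another cleartext copy of the secret. Re-running it after logging out of the app covers the "remains after log out" item: any hit that is still present then is a finding in its own right.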

#### Transport layer security

* Older version of SSL used
* SSL pinning bypass
* Weak SSL/TLS ciphers and other SSL/TLS related vulnerabilities (sslscan, sslyze, O-Saft, etc.)
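Much of the transport layer posture of an Android app is declared statically in its Network Security Config (`res/xml/network_security_config.xml`), so it is worth auditing that file alongside the live sslscan/sslyze checks. The following is an added example, not code from the original checklist: a small auditor that flags explicitly permitted cleartext traffic, trust in user-installed CAs, domains without a pin-set, pin-sets with a single pin (no backup pin), and pin-sets whose expiration date has passed (after which Android stops enforcing the pins). The two configs it ships with are constructed samples; the finding codes are this example's own naming.

```python
import xml.etree.ElementTree as ET
from datetime import date

# Constructed weak config for this example: cleartext allowed, user CAs trusted,
# a single pin that has already expired, and a legacy domain with no pins at all.
WEAK_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>
        <pin-set expiration="2018-01-01">
            <pin digest="SHA-256">constructed+placeholder+pin+one=</pin>
        </pin-set>
    </domain-config>
    <domain-config cleartextTrafficPermitted="true">
        <domain>legacy.example.com</domain>
    </domain-config>
</network-security-config>
"""

# Constructed hardened config: no cleartext, system CAs only, two pins, future expiration.
HARDENED_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>
        <pin-set expiration="2030-01-01">
            <pin digest="SHA-256">constructed+placeholder+pin+one=</pin>
            <pin digest="SHA-256">constructed+placeholder+backup+pin=</pin>
        </pin-set>
    </domain-config>
</network-security-config>
"""


def audit_network_security_config(xml_text, today=None):
    """Return a list of (code, detail) findings for a network_security_config.xml document."""
    if today is None:
        today = date.today()
    elif isinstance(today, str):
        today = date.fromisoformat(today)
    findings = []
    root = ET.fromstring(xml_text)
    for cfg in root.iter():
        if cfg.tag not in ("base-config", "domain-config", "debug-overrides"):
            continue
        scope = cfg.tag
        if cfg.tag == "domain-config":
            domains = [d.text.strip() for d in cfg.findall("domain") if d.text]
            scope = "domain-config " + ",".join(domains)
        # Only an explicit "true" is flagged: the default depends on targetSdkVersion
        # (cleartext is off by default from API 28), which the XML alone does not tell us.
        if cfg.get("cleartextTrafficPermitted", "").lower() == "true":
            findings.append(("CLEARTEXT", f"{scope}: cleartext HTTP explicitly permitted"))
        # User-installed CAs in release scope make interception by any added CA trivial;
        # inside <debug-overrides> they only apply to debuggable builds, so they are skipped.
        if cfg.tag != "debug-overrides":
            for cert in cfg.findall("trust-anchors/certificates"):
                if cert.get("src") == "user":
                    findings.append(("USER_CA", f"{scope}: user-installed CAs trusted"))
        if cfg.tag == "domain-config":
            pin_set = cfg.find("pin-set")
            if pin_set is None:
                findings.append(("NO_PINS", f"{scope}: no pin-set, certificate pinning not configured"))
            else:
                if len(pin_set.findall("pin")) < 2:
                    findings.append(("SINGLE_PIN", f"{scope}: only one pin, no backup pin"))
                expiration = pin_set.get("expiration")
                if expiration and date.fromisoformat(expiration) < today:
                    findings.append(("PIN_EXPIRED", f"{scope}: pin-set expired on {expiration}, pins no longer enforced"))
    return findings


if __name__ == "__main__":
    for code, detail in audit_network_security_config(WEAK_CONFIG, today="2025-01-01"):
        print(f"[{code}] {detail}")
    print("hardened config findings:", audit_network_security_config(HARDENED_CONFIG, today="2025-01-01"))
```

A config that passes this audit still needs the live checks from the list above, since the server's protocol versions and cipher suites are not visible from the client side declaration; the two are complementary.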

### Server side Vulnerabilities

#### Business Logic Check

* Compromise of another user's account from a user account
* Admin account compromise from a user account
* Brute-force of authentication, OTP, or other services
* Check for server side validation
* Check for root detection method / bypass it
* Check for vulnerable Android components

#### Server Side Check

* Check for SQL injection
* CAPTCHA implementation flaws & bypass
* Check all HTTP methods (PUT, DELETE, etc.; use Burp Intruder for HTTP verb tampering)
* Check for client side injection (XSS)
* Username enumeration
* Enumeration of other users' sensitive details
* User detail enumeration via IDOR
* Malicious file upload
* Server software flaws (IIS, Apache, Tomcat, etc.)
* Run nikto and dirb against the web content URL
* Check session management (cookie flaws, session overriding, session fixation, etc.)
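For the session management item, the checks most often automated are the cookie attribute review and the session fixation test (does the session identifier change after authentication?). Below is an added example, not part of the original checklist, that runs both over `Set-Cookie` headers captured from a pre-login and a post-login response. The header samples, the cookie names and the 30-day lifetime threshold are constructed assumptions for this example.

```python
import re

# Cookie names that usually carry a session or authentication token (constructed heuristic).
SESSION_NAME = re.compile(r"(sess|sid|token|auth|jwt)", re.I)
MAX_SESSION_LIFETIME = 30 * 24 * 3600  # seconds; threshold chosen for this example

# Constructed Set-Cookie headers: the pre-login response, a weak post-login response that
# keeps the same session id and adds an unprotected remember-me cookie, and a good one.
PRE_LOGIN = ["JSESSIONID=constructed-pre-login-id-0001; Path=/; Secure; HttpOnly; SameSite=Lax"]
POST_LOGIN_WEAK = [
    "JSESSIONID=constructed-pre-login-id-0001; Path=/; Secure; HttpOnly; SameSite=Lax",
    "remember_token=constructed-remember-0002; Path=/; Max-Age=31536000",
]
POST_LOGIN_GOOD = ["JSESSIONID=constructed-post-login-id-0003; Path=/; Secure; HttpOnly; SameSite=Lax"]


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into name, value and a lowercase-keyed attribute dict."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_set_cookie(headers):
    """Return (cookie_name, issue) pairs for missing or weak cookie attributes."""
    issues = []
    for header in headers:
        cookie = parse_set_cookie(header)
        name, attrs = cookie["name"], cookie["attrs"]
        if "secure" not in attrs:
            issues.append((name, "missing Secure"))
        if "httponly" not in attrs:
            issues.append((name, "missing HttpOnly"))
        if attrs.get("samesite", "").lower() in ("", "none"):
            issues.append((name, "SameSite absent or None"))
        if SESSION_NAME.search(name):
            max_age = attrs.get("max-age")
            if max_age and max_age.isdigit() and int(max_age) > MAX_SESSION_LIFETIME:
                issues.append((name, "lifetime over 30 days"))
    return issues


def unrotated_session_cookies(pre_login_headers, post_login_headers):
    """Session fixation check: names of session cookies whose value did not change after login.

    A cookie that the post-login response does not re-issue counts as unrotated too, because
    the server is then continuing to use the identifier that existed before authentication.
    """
    pre = {c["name"]: c["value"] for c in map(parse_set_cookie, pre_login_headers)
           if SESSION_NAME.search(c["name"])}
    post = {c["name"]: c["value"] for c in map(parse_set_cookie, post_login_headers)}
    return [name for name, value in pre.items() if post.get(name, value) == value]


if __name__ == "__main__":
    for name, issue in audit_set_cookie(POST_LOGIN_WEAK):
        print(f"{name}: {issue}")
    print("not rotated after login:", unrotated_session_cookies(PRE_LOGIN, POST_LOGIN_WEAK))
```

The `unrotated_session_cookies` result is the one to look at first: a session identifier that survives authentication lets anyone who can plant a cookie value before login (for example via a cleartext link on an app that still permits HTTP) inherit the authenticated session afterwards, so rotation on login is the fix regardless of which attributes the cookie carries.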
