Android Checklist

How to approach a target?

When performing Android penetration testing, we first need to split the test into two phases:

  • Client Side Pentest (Mobile)

  • Server Side Pentest (API / Web)

The client side part covers the mobile APK. In this phase you should perform static and dynamic code analysis, reversing the application to assess code quality, bypass root detection if it exists, look for insecure data logging, etc.

The server side part covers API/Web pentesting. In this phase you should test for web vulnerabilities such as IDOR, SQL injection, SSRF, command injection and any other server side vulnerability that affects web applications.

Client Side Vulnerabilities

Memory/Storage Analysis

  • Sensitive information disclosed in storage of the mobile device

  • Sensitive information found in logs

  • Sensitive information found in cache

  • Sensitive information found in installed application folder

  • Sensitive information stored in SQLite database in cleartext

  • Check if sensitive information remains there even after log out

  • Sensitive information stored in shared preference files

Code level vulnerabilities

  • Source code obfuscation not found

  • Sensitive information disclosed in application error message

  • Binary reverse engineering
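
As an added example for the Memory/Storage Analysis items above (not part of the original checklist), this Python script audits a pulled app data directory for SharedPreferences keys and SQLite columns that hold cleartext secrets. The file names, package name and sandbox contents are constructed for the demo; on a real engagement you would point scan_sandbox at an adb pull of the app's own data directory.

```python
import os, re, sqlite3, tempfile
import xml.etree.ElementTree as ET
# Key names that usually mark credentials; the value check catches JWT-shaped blobs.
SENSITIVE_KEY = re.compile(r"pass(word)?|token|secret|session|api_?key|pin", re.I)
JWT_LIKE = re.compile(r"^eyJ[\w-]+\.[\w-]+\.[\w-]+$")

def scan_shared_prefs(path):
    """Flag SharedPreferences entries whose key name or value looks like a secret."""
    findings = []
    for node in ET.parse(path).getroot():
        name, value = node.get("name", ""), node.text or node.get("value") or ""
        if SENSITIVE_KEY.search(name) or JWT_LIKE.match(value):
            findings.append((os.path.basename(path), name))
    return findings

def scan_sqlite(path):
    """Flag columns with a secret-looking name that hold non-empty rows (cleartext storage)."""
    findings, con = [], sqlite3.connect(path)
    for (t,) in con.execute("SELECT name FROM sqlite_master WHERE type='table'").fetchall():
        for col in [r[1] for r in con.execute(f'PRAGMA table_info("{t}")')]:
            if SENSITIVE_KEY.search(col):
                q = f'SELECT count(*) FROM "{t}" WHERE "{col}" IS NOT NULL AND "{col}" != \'\''
                if con.execute(q).fetchone()[0]:
                    findings.append((os.path.basename(path), f"{t}.{col}"))
    con.close()
    return findings

def scan_sandbox(root):
    """Walk a pulled app data dir (adb pull of /data/data/<pkg>) and collect all findings."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if dirpath.endswith("shared_prefs") and f.endswith(".xml"):
                findings += scan_shared_prefs(os.path.join(dirpath, f))
            elif dirpath.endswith("databases") and not f.endswith(("-journal", "-wal", "-shm")):
                findings += scan_sqlite(os.path.join(dirpath, f))
    return sorted(findings)

def build_sample_sandbox():
    """Constructed sample sandbox: a cleartext token in prefs and a password column in SQLite."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "shared_prefs")); os.makedirs(os.path.join(root, "databases"))
    with open(os.path.join(root, "shared_prefs", "com.example.app_preferences.xml"), "w") as fh:
        fh.write('<map>\n  <string name="auth_token">eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.c2ln</string>\n'
                 '  <boolean name="dark_mode" value="true" />\n</map>\n')
    con = sqlite3.connect(os.path.join(root, "databases", "app.db"))
    con.execute("CREATE TABLE users (id INTEGER, email TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES (1, 'a@example.com', 'hunter2')")
    con.commit(); con.close()
    return root
```

Running the scan once while logged in and again after logging out covers the "remains there even after log out" item: any finding that survives the second run is retained data.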

Transport layer security

  • Older version of SSL used

  • SSL pinning bypass

  • Weak SSL ciphers and other SSL related vulnerabilities (sslscan, sslyze, O-Saft, etc.)

Server side Vulnerabilities

Business Logic Check

  • User account compromise of other user

  • Admin account compromise from user account

  • Brute-force authentication/OTP/other services

  • Check for server side validation

  • Check for root detection method / bypass it

  • Check for vulnerable Android components

Server Side Check

  • Check for SQL injection

  • CAPTCHA implementation flaws & bypass

  • Check all HTTP methods (PUT, DELETE, etc.; use Burp Intruder for HTTP verb tampering)

  • Check for client side injection (XSS)

  • Username enumeration

  • Enumeration of other users' sensitive details

  • Enumeration of user details via IDOR

  • Malicious file upload

  • Server side flaws (IIS, Apache, Tomcat, etc.)

  • Run nikto and dirb against the web content URL

  • Check session management (cookie flaws, session overriding, session fixation, etc.)
