Monday, 5 July 2021

Security Checklist  II

Security checklist II


This is the second part of the Mobile App testing checklist series. The first part is presented here. Continuing the series, we present a checklist of test cases for some more categories.

Network Communication Requirements

Network Communication Requirements



Apps serve as the front end and frequently make network calls to backend systems. This interaction involves exchanging critical information like personal details, bank information. Communication with external systems, particularly over the WWW, requires that the data sent should be over a secure channel to prevent it from being compromised.

For Android and iOS

Verify All network traffic goes via SSL

Verify SSL Pinning is enabled.

i.e. Using MITM tools like Charles, verify that the https traffic cannot be decrypted Platform Interaction Requirements

Platform Interaction Requirements

Platform integration requirements

Modern smartphones offer a bevy of features. Camera, location, Bluetooth, gyroscope, and many more. Apps that use any such feature have to ask for the user’s consent to use the same. It is necessary to verify if the user is prompted to wilfully permit the app to use any feature outside of itself.

For Android

  • Verify for dangerous permissions, for all the below permissions an explicit prompt should be displayed to the user
  • READ_CALENDAR
  • WRITE_CALENDAR
  • READ_CALL_LOG
  • WRITE_CALL_LOG
  • PROCESS_OUTGOING_CALLS
  • CAMERA
  • READ_CONTACTS
  • WRITE_CONTACTS
  • GET_ACCOUNTS
  • ACCESS_FINE_LOCATION
  • ACCESS_COARSE_LOCATION
  • RECORD_AUDIO
  • READ_PHONE_STATE
  • READ_PHONE_NUMBERS
  • CALL_PHONE
  • ANSWER_PHONE_CALLS
  • ADD_VOICEMAIL
  • USE_SIP
  • BODY_SENSORS
  • SEND_SMS
  • RECEIVE_SMS
  • READ_SMS
  • RECEIVE_WAP_PUSH
  • RECEIVE_MMS
  • READ_EXTERNAL_STORAGE
  • WRITE_EXTERNAL_STORAGE
  • Verify unnecessary permission are not added in Android.manifest file
  • Verify app authentication is required when using Deep Links in the app
  • If webviews are displayed inside the app, ensure the url is https, and cannot be decrypted via Charles
  • Disable local file access in Code. Check with the developer and see if these restrictions are in place.
  • webView.getSettings().setAllowFileAccess(false);
  • webView.getSettings().setAllowFileAccessFromFileURLs(false);
  • webView.getSettings().setAllowUniversalAccessFromFileURLs(false);
  • webView.getSettings().setAllowContentAccess(false);
  • Verify that App can be force updated.

For iOS

  • Verify app ask user permissions for the following
  • Bluetooth peripherals
  • Calendar data
  • Camera
  • Contacts
  • Health sharing
  • Health updating
  • HomeKit
  • Location
  • Microphone
  • Motion Music and the media library
  • Photos
  • Reminders
  • Siri
  • Speech recognition
  • the TV provider
  • Verify app authentication is required when using Deep Links in the app
  • Verify webviews only load https content. Check the code for WKWebView and verify the following flag “hasOnlySecureContent” is set to true
  • Verify Webviews cannot be decrypted via Charles
  • Verify Both allowFileAccessFromFileURLs and allowUniversalAccessFromFileURLs are set to “0”, on webviews are set. Check with developers
  • Verify that App can be force updated.

Code Quality and Build setting requirements

Code quality requirements

Apps have a minimum of two configurations; a debug version where the app is not yet optimized for release or customer use.

For example, logs would be enabled in the debug version to track bugs while developing. In the debug version, the app can get away with being slower and “fatter”. Apps also have a production version, meant for end-users. Here the app is “thinned” down for the target device on which the app is running. This version is optimized. So when it comes to the production version of the app, it is essential to test the build settings and other aspects used only for the debug version such that it does not leak into the production version.

For Android

  • Verify APK is Signed correctly.
  • Test using the following command,
  • apksigner verify –verbose Desktop/example.apk,

Following output should be displayed

for example,

Verified using v1 scheme (JAR signing): true

Verified using v2 scheme (APK Signature Scheme v2): true

Verified using v3 scheme (APK Signature Scheme v3): true

Number of signers: 1

  • Verify the store build is generated as a “Release” build and not “Debug” build.
  • Using apktool decompile apk and check AndroidManifest.xml, android:debuggable should false
  • Verify APK is Obfuscated (i.e, Proguard is enabled) and no sensitive data is visible.Decompile the apk using apktool. Convert classes.dex to .jar using d2j-dextojar. View the jar file via JDGUI
  • Verify all debug logs are disabled. Run adb logcat and check if the apk is displaying any sensitive information

For iOS

  • Check the ipa is Release Mode and not in Debug Mode. Use Xcode and Check if the app can be debugged.
  • Check all debug logs are disabled and no sensitive information is logged in Xcode
  • Verify “Strip Debug Symbols During Copy”“Strip Linked Product”“Strip Swift Symbols” are set to Yes in Xcode build settings
  • Check for vulnerabilities in 3rd party Pods. Run OWASPs tool
  • dependency-check –enableExperimental –out . –scan Podfile.lock
  • Resiliency

For Android

  • Verify apk does not launch on rooted devices.
  • Checksum of apks should be created and validated against the server every time it’s launched.

For iOS

  • Verify app does not launch on Jailbroken phones
  • Obfuscate code with iXGuard and verify via MachoView tool