Monday, December 23, 2024
HomeAndroidMost Important Android Application Penetration Testing Checklist

Most Important Android Application Penetration Testing Checklist

Published on

SIEM as a Service

In this article, we will see the Most Important Android Application Penetration Testing Checklist. Android is the biggest organized base of any mobile platform and developing fast—every day.

Besides, Android is rising as the most extended operating system in this viewpoint because of different reasons.

However, as far as security, no data related to the new vulnerabilities that could prompt weak programming at this stage is being revealed, realizing that this stage has an outstanding attack surface.

- Advertisement - SIEM as a Service

Also Read: Web Server Penetration Testing Checklist

Information gathering

Information Gathering is the most basic stride of an application security test. The security test should attempt to test however much of the code base as could reasonably be possible.

Therefore mapping every conceivable way through the code to encourage exhaustive testing is principal.

  • General Information. Rundown of general application information.
  • Testing for Common Libraries and Fingerprinting.
  • A rundown of application components and Component authorizations.
  • Reverse Engineering the Application Code.

Application Local Storage Flaws

Android gives a few alternatives to you to spare persevering application information. The storage you pick relies on your particular needs.

For example, regardless of whether the information should be private to your application or open to different applications (and the client) and how much space your data requires.

  • Sensible data found in logs and cache.
  • Putting away Sensitive Data on Shared Storage (presented to all applications with no restrictions).
  • Content Providers SQL Injection and Access Permissions.
  • Check if sensitive data stays there even after logging out.
  • Privacy and Metadata Leaks.

Also Read:   Network Penetration Testing Checklist

Transport Layer Security

Encryption with Transport Layer Security continues prying eyes far from your messages while they’re flying.

TLS is a protocol that encodes and conveys data safely, for both inbound and outbound traffic data, it avoids spying.

  • Older Insecure Transport Layer Protocols.
  • TLS Weak Encryption(CRIME, BREACH, BEAST, Lucky13, RC4, etc) can be found with tools like (sslscan, sslyze, osaft etc.).
  • Insecure Data Storage.
  • Bypassing TLS Certificate Pinning.
  • TLS Authenticity Flaws.

IPC Security(Inter-process communication)

The Android IPC mechanisms allow you to verify the identity of the application connecting to your IPC and set a security policy for each IPC mechanism.

  • Device Denial of Service attacks.
  • Permissions & Digital Signature Data Sharing Issues.
  • An illegitimate application could get access to sensitive data.
  • Uncovered Components and Cross-Application Authorization.

Untrusted Code

  •  Sensitive information is disclosed in the application error message.
  • JavaScript Execution Risks at WebViews.
  • Insecure permissions are set by the application through AndroidManifest.xml file.
  • Integer, Heap, and Stack Based Buffer Overflow.

Authentication Flaws

Authentication is a basic part of this procedure, yet even strong validation authentication can be undermined by imperfect credential management functions, including password change, forgot my password, remember my password, account update, and other related functions.

  • Authentication Inconsistency.
  • Cross Application Authentication.
  • Session handling errors.
  • Client Side-Based Authentication Flaws.
  • The absence of an account lockout policy.

Business logic vulnerability

vulnerabilities with components more centered around design rather than codification are incorporated. Both execution trick and the capacity of the application to work in a startling way influencing its work process are incorporated.

  • Check for server-side validation.
  • Admin/user account compromise.
  • Check for root detection method/bypass it.
  • Bruteforce authentication.

Penetration Testing Android Server side checks

  • Check for client-side injection (XSS).
  • Username enumeration.
  • SQL injection
  • Malicious file upload.
  • Check for all HTTP methods (PUT, DELETE, etc. Use burp intruder using HTTP verb tampering).
  • Check for session management (cookie flaws, session overriding, session fixation, etc.).
  • CAPTCHA implementation flaws & bypass.
  • Run nikto, dirb websever scanner.

Open Android Security Assessment Methodology

Android Security controls are structured in the following section for reference framework on Android application vulnerability assessments.

  • OASAM-INFO: Information Gathering: Information gathering and attack surface definition.
  • OASAM-CONF: Configuration and Deploy Management: Configuration and deploy assessment.
  • OASAM-AUTH: Authentication: Authentication assessment.
  • OASAM-CRYPT: Cryptography: Cryptography use assessment.
  • OASAM-LEAK: Information Leak: Confidential information leak assessment.
  • OASAM-DV: Data Validation: User entry management assessment.
  • OASAM-IS: Intent Spoofing: Intent reception management assessment.
  • OASAM-UIR: Unauthorized Intent Receipt: Intent resolution assessment.
  • OASAM-BL Business Logic: Application business logic assessment.

Read, More

Over 60,000 Android Apps Silently Install Malware on Devices

Malware Spotted on the Google Play Store

7 Android Apps on the Google Play Drop Malware

Latest articles

Skuld Malware Using Weaponized Windows Utilities Packages To Deliver Malware

Researchers discovered a malware campaign targeting the npm ecosystem, distributing the Skuld info stealer...

BellaCiao, A new .NET Malware With Advanced Sophisticated Techniques

An investigation revealed an intrusion in Asia involving the BellaCiao .NET malware, as the...

Malicious Apps On Amazon Appstore Records Screen And Interecpt OTP Verifications

A seemingly benign health app, "BMI CalculationVsn," was found on the Amazon App Store,...

Lazarus Hackers Using New VNC Based Malware To Attack Organizations Worldwide

The Lazarus Group has recently employed a sophisticated attack, dubbed "Operation DreamJob," to target...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

BADBOX Botnet Hacked 74,000 Android Devices With Customizable Remote Codes

BADBOX is a cybercriminal operation infecting Android devices like TV boxes and smartphones with...

Hackers Abuse Google Ads To Attacking Graphic Design Professionals

Researchers identified a threat actor leveraging Google Search ads to target graphic design professionals,...

Antidot Malware Attacking Employees Android Devices To Inject Malicious Payloads

Researchers discovered a new variant of the AntiDot banking trojan targeting Android mobile devices...