Security Checklist — II

This is the second part of the Mobile App testing checklist series. The first part is presented here. Continuing the series, we present a checklist of test cases for some more categories.

Network Communication Requirements

Apps serve as the front end and frequently make network calls to backend systems. This interaction involves exchanging critical information like personal details, bank information. Communication with external systems, particularly over the WWW, requires that the data sent should be over a secure channel to prevent it from being compromised.

For Android and iOS

Verify All network traffic goes via SSL

Verify SSL Pinning is enabled.

i.e. Using MITM tools like Charles, verify that the https traffic cannot be decrypted

Platform Interaction Requirements

Modern smartphones offer a bevy of features. Camera, location, Bluetooth, gyroscope, and many more. Apps that use any such feature have to ask for the user’s consent to use the same. It is necessary to verify if the user is prompted to wilfully permit the app to use any feature outside of itself.

For Android

  1. Verify for dangerous permissions, for all the below permissions an explicit prompt should be displayed to the user
  2. READ_CALENDAR
  3. WRITE_CALENDAR
  4. READ_CALL_LOG
  5. WRITE_CALL_LOG
  6. PROCESS_OUTGOING_CALLS
  7. CAMERA
  8. READ_CONTACTS
  9. WRITE_CONTACTS
  10. GET_ACCOUNTS
  11. ACCESS_FINE_LOCATION
  12. ACCESS_COARSE_LOCATION
  13. RECORD_AUDIO
  14. READ_PHONE_STATE
  15. READ_PHONE_NUMBERS
  16. CALL_PHONE
  17. ANSWER_PHONE_CALLS
  18. ADD_VOICEMAIL
  19. USE_SIP
  20. BODY_SENSORS
  21. SEND_SMS
  22. RECEIVE_SMS
  23. READ_SMS
  24. RECEIVE_WAP_PUSH
  25. RECEIVE_MMS
  26. READ_EXTERNAL_STORAGE
  27. WRITE_EXTERNAL_STORAGE
  28. Verify unnecessary permission are not added in Android.manifest file
  29. Verify app authentication is required when using Deep Links in the app
  30. If webviews are displayed inside the app, ensure the url is https, and cannot be decrypted via Charles
  31. Disable local file access in Code. Check with the developer and see if these restrictions are in place.
  32. webView.getSettings().setAllowFileAccess(false);
  33. webView.getSettings().setAllowFileAccessFromFileURLs(false);
  34. webView.getSettings().setAllowUniversalAccessFromFileURLs(false);
  35. webView.getSettings().setAllowContentAccess(false);
  36. Verify that App can be force updated.

For iOS

  1. Verify app ask user permissions for the following
  2. Bluetooth peripherals
  3. Calendar data
  4. Camera
  5. Contacts
  6. Health sharing
  7. Health updating
  8. HomeKit
  9. Location
  10. Microphone
  11. Motion
  12. Music and the media library
  13. Photos
  14. Reminders
  15. Siri
  16. Speech recognition
  17. the TV provider
  18. Verify app authentication is required when using Deep Links in the app
  19. Verify webviews only load https content. Check the code for WKWebView and verify the following flag “hasOnlySecureContent” is set to true
  20. Verify Webviews cannot be decrypted via Charles
  21. Verify Both allowFileAccessFromFileURLs and allowUniversalAccessFromFileURLs are set to “0”, on webviews are set. Check with developers
  22. Verify that App can be force updated.

Code Quality and Build setting requirements

Apps have a minimum of two configurations; a debug version where the app is not yet optimized for release or customer use. For example, logs would be enabled in the debug version to track bugs while developing. In the debug version, the app can get away with being slower and “fatter.” Apps also have a production version, meant for end-users. Here the app is “thinned” down for the target device on which the app is running. This version is optimized. So when it comes to the production version of the app, it is essential to test the build settings and other aspects used only for the debug version such that it does not leak into the production version.

For Android

Verify APK is Signed correctly.

a. Test using the following command,

apksigner verify — verbose Desktop/example.apk, Following output should be displayed for example,

b. Verified using v1 scheme (JAR signing): true

c. Verified using v2 scheme (APK Signature Scheme v2): true

d. Verified using v3 scheme (APK Signature Scheme v3): true

e. Number of signers: 1

Verify the store build is generated as a “Release” build and not “Debug” build. Using apktool decompile apk and check AndroidManifest.xml, android:debuggable should false

Verify APK is Obfuscated (i.e, Proguard is enabled) and no sensitive data is visible. Decompile the apk using apktool. Convert classes.dex to .jar using d2j-dextojar. View the jar file via JDGUI

Verify all debug logs are disabled. Run adb logcat and check if the apk is displaying any sensitive information

For iOS

Check the ipa is Release Mode and not in Debug Mode. Use Xcode and Check if the app can be debugged.

Check all debug logs are disabled and no sensitive information is logged in Xcode

Verify “Strip Debug Symbols During Copy”, “Strip Linked Product”, “Strip Swift Symbols” are set to Yes in Xcode build settings

Check for vulnerabilities in 3rd party Pods. Run OWASPs tool

dependency-check — enableExperimental — out . — scan Podfile.lock

Resiliency

For Android

Verify apk does not launch on rooted devices.

Checksum of apks should be created and validated against the server every time it’s launched.

For iOS

Verify app does not launch on Jailbroken phones

Obfuscate code with iXGuard and verify via MachoView tool

Source: Security Checklist II

--

--

--

A leading mobile app development company specialising on iPhone, Android, Cloud solutions, User Experience and UI Design.

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Strategy Knotworking: turning ideas and ambitions into reality

RAIDers Of The Lost Art Of Digital Project Management.

How to Add Log Messages from UI in Odoo

About KWoC

Oracle Database Link to PostgreSQL Database

Introduction to Big Data with Spark and Hadoop — Week 2. Introduction to Hadoop

Understanding “yield” in Ruby

Setting up a multi node private ethereum swarm network without a blockchain

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
CodeCraft

CodeCraft

A leading mobile app development company specialising on iPhone, Android, Cloud solutions, User Experience and UI Design.

More from Medium

A web portal where to upload photos: Photobook

OAuth Signature Generation Using LoadRunner

Can I build my own SAML / OAuth IDP?

Configuring Auth0 with WSO2 API Manager for SSO