Home
/Checklists
/Mobile App Security Checklist

Mobile27 items

Mobile App Security Checklist

A comprehensive security testing checklist for iOS and Android mobile applications. Covers local data storage, network communication, authentication, cryptographic implementation, and reverse engineering protections based on the OWASP MASTG.

OWASP MASVSOWASP MASTGNIST SP 800-163

Progress: 0 of 27 items

Obtain application binaries (APK/IPA) and identify target platformsinfo

Download the app from official stores or receive builds from the client for both iOS and Android.

Set up mobile testing environment with rooted/jailbroken devices

Configure test devices with Frida, Objection, and proxy certificates installed.

Install proxy certificates and configure traffic interception

Set up Burp Suite with SSL pinning bypass using Frida scripts or Objection.

Identify backend API endpoints used by the mobile app

Decompile the app to extract hardcoded URLs, API endpoints, and service configurations.

Review app store descriptions and permissions requested

Document permissions requested and compare against functionality requirements.

Decompile application and review source code for hardcoded secretscritical

Search for API keys, passwords, encryption keys, and credentials in decompiled code.

Check for insecure data storage in shared preferences and plistshigh

Review local storage mechanisms for sensitive data stored in plaintext.

Analyze cryptographic implementations for weaknesseshigh

Check for weak algorithms (DES, MD5), hardcoded keys, and improper IV usage.

Review AndroidManifest.xml or Info.plist for security misconfigurationshigh

Check for exported components, backup flags, debuggable settings, and ATS exceptions.

Check for vulnerable third-party libraries and SDKsmedium

Identify outdated dependencies with known CVEs using dependency analysis tools.

Verify code obfuscation and anti-tampering protectionslow

Assess the effectiveness of ProGuard, R8, or iOS obfuscation mechanisms.

Test SSL/TLS certificate validation and pinning implementationhigh

Verify the app rejects invalid certificates and test certificate pinning bypass resistance.

Intercept and analyze all network traffic for sensitive datahigh

Monitor API calls for credentials, tokens, and PII transmitted over the network.

Test authentication and session management mechanismshigh

Verify token expiration, session handling, biometric authentication, and logout functionality.

Perform runtime manipulation using Frida hookingcritical

Hook security-critical functions to bypass authentication, root detection, and integrity checks.

Test deep links and custom URL schemes for injectionmedium

Craft malicious deep links to test for unauthorized actions or data access.

Check for sensitive data in application logs and clipboardmedium

Review logcat/Console output and clipboard access for leaked credentials or tokens.

Bypass root/jailbreak detection mechanismsmedium

Use Frida scripts to circumvent root and jailbreak detection and test app behavior.

Extract and decrypt locally stored sensitive datahigh

Access SQLite databases, Keychain/Keystore entries, and encrypted files on the device.

Test for intent/activity hijacking (Android) or URL scheme abuse (iOS)high

Exploit exported components and unvalidated URL schemes for unauthorized access.

Test backend API security from the mobile contextcritical

Replay, modify, and forge API requests to test authorization and input validation server-side.

Attempt to patch and repackage the application binarymedium

Modify the app to remove security controls and test for integrity verification.

Map findings to OWASP MASVS verification requirements

Reference specific MASVS controls (e.g., STORAGE-1, NETWORK-2) for each finding.

Provide platform-specific remediation for iOS and Android

Include code-level fixes for each platform, referencing secure coding guidelines.

Include Frida scripts and reproduction steps for dynamic findings

Provide hooks and step-by-step instructions for developers to reproduce issues.

Document data flow diagrams for sensitive information

Illustrate how sensitive data moves between the app, device storage, and backend services.

Remove test data, proxy certificates, and testing tools from devices

Clean up all modifications made to test devices during the assessment.

Related Vulnerabilities

Insecure Design

high

Cryptographic Failures

high

Identification and Authentication Failures

high

Security Misconfiguration

medium

Industries Using This Checklist

Financial Services & Banking

Healthcare

Report Vulnerabilities Faster with Vulnsy

Stop rewriting the same findings. Use Vulnsy's reusable templates, collaborative workflows, and professional report generation to deliver pentest reports 10x faster.

Start Free Trial

Vulnsy

Modern penetration testing reporting platform. Built by pentesters, for pentesters.

Platform

Features
Pricing
FAQ

Resources

Vulnerability Knowledge Base
Pentest Checklists
Cybersecurity Glossary
Industries
Blog
Free Tools

Contact

luke@vulnsy.com

Mobile App Security Checklist

Pre-Engagement

Static Analysis

Dynamic Analysis

Exploitation & Testing

Reporting

Related Vulnerabilities

Industries Using This Checklist

Report Vulnerabilities Faster with Vulnsy