Home
/Checklists
/Mobile App Security Checklist

Mobile27 items

Mobile App Security Checklist

A comprehensive security testing checklist for iOS and Android mobile applications. Covers local data storage, network communication, authentication, cryptographic implementation, and reverse engineering protections based on the OWASP MASTG.

OWASP MASVSOWASP MASTGNIST SP 800-163

Progress: 0 of 27 items

Obtain application binaries (APK/IPA) and identify target platformsinfo

Download the app from official stores or receive builds from the client for both iOS and Android.

Set up mobile testing environment with rooted/jailbroken devices

Configure test devices with Frida, Objection, and proxy certificates installed.

Install proxy certificates and configure traffic interception

Set up Burp Suite with SSL pinning bypass using Frida scripts or Objection.

Identify backend API endpoints used by the mobile app

Decompile the app to extract hardcoded URLs, API endpoints, and service configurations.

Review app store descriptions and permissions requested

Document permissions requested and compare against functionality requirements.

Decompile application and review source code for hardcoded secretscritical

Search for API keys, passwords, encryption keys, and credentials in decompiled code.

Commands

apktool d target.apk -o target_decoded

jadx -d output target.apk

mobsf

Evidence to capture

snippet of decompiled source with the hardcoded secret highlighted plus the file/line reference and proof the credential is valid against the live API.

References

OWASP MASTG - Code Quality and Build Settings
OWASP MASVS V8 - Resilience Requirements

Check for insecure data storage in shared preferences and plistshigh

Review local storage mechanisms for sensitive data stored in plaintext.

Commands

adb shell run-as <package> cat /data/data/<package>/shared_prefs/<file>.xml

References

OWASP MASVS V2 - Storage Requirements

Analyze cryptographic implementations for weaknesseshigh

Check for weak algorithms (DES, MD5), hardcoded keys, and improper IV usage.

References

OWASP MASVS V3 - Cryptography Requirements

Review AndroidManifest.xml or Info.plist for security misconfigurationshigh

Check for exported components, backup flags, debuggable settings, and ATS exceptions.

Commands

apktool d target.apk && cat target/AndroidManifest.xml

References

OWASP MASTG - Android Platform APIs

Check for vulnerable third-party libraries and SDKsmedium

Identify outdated dependencies with known CVEs using dependency analysis tools.

Commands

mobsf

Verify code obfuscation and anti-tampering protectionslow

Assess the effectiveness of ProGuard, R8, or iOS obfuscation mechanisms.

Test SSL/TLS certificate validation and pinning implementationhigh

Verify the app rejects invalid certificates and test certificate pinning bypass resistance.

Commands

objection --gadget com.target.app explore --startup-command "android sslpinning disable"

frida -U -l frida-android-pinning-bypass.js -f com.target.app

References

OWASP MASVS V4 - Network Communication Requirements
OWASP Certificate and Public Key Pinning Cheat Sheet

Intercept and analyze all network traffic for sensitive datahigh

Monitor API calls for credentials, tokens, and PII transmitted over the network.

Test authentication and session management mechanismshigh

Verify token expiration, session handling, biometric authentication, and logout functionality.

References

OWASP MASVS V6 - Authentication Requirements

Perform runtime manipulation using Frida hookingcritical

Hook security-critical functions to bypass authentication, root detection, and integrity checks.

Commands

frida-ps -U

frida -U -f com.target.app -l hook.js --no-pause

References

Frida documentation

Test deep links and custom URL schemes for injectionmedium

Craft malicious deep links to test for unauthorized actions or data access.

Commands

adb shell am start -W -a android.intent.action.VIEW -d "myapp://path?param=test" com.target.app

Check for sensitive data in application logs and clipboardmedium

Review logcat/Console output and clipboard access for leaked credentials or tokens.

Commands

adb logcat | grep -iE "password|token|secret|cookie"

Bypass root/jailbreak detection mechanismsmedium

Use Frida scripts to circumvent root and jailbreak detection and test app behavior.

Commands

objection --gadget com.target.app explore --startup-command "android root disable"

Extract and decrypt locally stored sensitive datahigh

Access SQLite databases, Keychain/Keystore entries, and encrypted files on the device.

Commands

adb shell run-as com.target.app find /data/data/com.target.app -type f

objection --gadget com.target.app explore --startup-command "ios keychain dump"

Test for intent/activity hijacking (Android) or URL scheme abuse (iOS)high

Exploit exported components and unvalidated URL schemes for unauthorized access.

Commands

drozer console connect

adb shell am start -n com.target.app/.SensitiveActivity

Test backend API security from the mobile contextcritical

Replay, modify, and forge API requests to test authorization and input validation server-side.

Attempt to patch and repackage the application binarymedium

Modify the app to remove security controls and test for integrity verification.

Commands

apktool d target.apk -o target_decoded

apktool b target_decoded -o patched.apk && apksigner sign --ks key.jks patched.apk

Map findings to OWASP MASVS verification requirements

Reference specific MASVS controls (e.g., STORAGE-1, NETWORK-2) for each finding.

Provide platform-specific remediation for iOS and Android

Include code-level fixes for each platform, referencing secure coding guidelines.

Include Frida scripts and reproduction steps for dynamic findings

Provide hooks and step-by-step instructions for developers to reproduce issues.

Document data flow diagrams for sensitive information

Illustrate how sensitive data moves between the app, device storage, and backend services.

Remove test data, proxy certificates, and testing tools from devices

Clean up all modifications made to test devices during the assessment.

Related Vulnerabilities

Insecure Design

high

Cryptographic Failures

high

Identification and Authentication Failures

high

Security Misconfiguration

medium

Industries Using This Checklist

Financial Services & Banking

Healthcare

Report Vulnerabilities Faster with Vulnsy

Stop rewriting the same findings. Use Vulnsy's reusable templates, collaborative workflows, and professional report generation to deliver pentest reports 10x faster.

Start Free Trial

Modern penetration testing reporting platform. Built by pentesters, for pentesters.

Platform

Features
Pricing
FAQ

Resources

Vulnerability Knowledge Base
Pentest Checklists
Cybersecurity Glossary
Industries
Blog
Free Tools

Company

About
Contact
luke@vulnsy.com

Mobile App Security Checklist

Pre-Engagement

Static Analysis

Dynamic Analysis

Exploitation & Testing

Reporting

Related Vulnerabilities

Industries Using This Checklist

Report Vulnerabilities Faster with Vulnsy