OWASP Mobile Top 10 category | Check | Tools used |
---|---|---|
M1: Improper Platform Usage | ✔ App components (Activity / Service / Content Provider / Broadcast Receiver) exported to other apps | ADB, Drozer, APK Analyser |
M1: Improper Platform Usage | ✔ No anti-debugging mechanism implemented (android:debuggable left enabled in the manifest) | Manifest viewer, AXMLPrinter, Dexplorer |
M1: Improper Platform Usage | ✔ setAllowFileAccess() set to true (file access from WebView enabled) | dex2jar, JD-GUI, Apktool, jadx |
M1: Improper Platform Usage | ✔ JavaScript execution risks in WebViews (setJavaScriptEnabled, addJavascriptInterface) | dex2jar, JD-GUI, Apktool, jadx |
M1: Improper Platform Usage | ✔ XSS (WebView with JavaScript enabled) | dex2jar, JD-GUI, Apktool, jadx |
M1: Improper Platform Usage | ✔ Application can be installed on older, unsupported Android versions (low minSdkVersion) | Manifest viewer, AXMLPrinter, Dexplorer |
M1: Improper Platform Usage | ✔ Application uses components / libraries / APIs / plugins / code / frameworks with known vulnerabilities | Burp Suite, JD-GUI |
M1: Improper Platform Usage | ✔ Information leakage via clipboard | ADB |
M1: Improper Platform Usage | ✔ Excessive permissions | Manifest viewer, AXMLPrinter, Dexplorer |
M1: Improper Platform Usage | ✔ android:allowBackup set to true | Manifest viewer, AXMLPrinter, Dexplorer |
M2: Insecure Data Storage | ✔ Sensitive information in source code | dex2jar, JD-GUI, Apktool, jadx |
M2: Insecure Data Storage | ✔ Content provider access permissions | Drozer |
M2: Insecure Data Storage | ✔ Content provider SQL injection | Drozer |
M2: Insecure Data Storage | ✔ Sensitive information stored in cleartext in local storage (SQLite, SharedPreferences, internal storage, external storage, data directory) or exposed via a content provider | Root Explorer, Drozer |
M2: Insecure Data Storage | ✔ Sensitive information in cleartext in volatile memory | Android Studio |
M3: Insecure Communication | ✔ Bypassing certificate pinning | SSL Unpinning, JustTrustMe, TrustKiller, API hooking (AndBug, JDB) |
M3: Insecure Communication | ✔ Known SSL/TLS issues (CRIME, BREACH, BEAST, Lucky13, RC4, etc.) | TestSSLServer, SSL Labs |
M3: Insecure Communication | ✔ Certificate validation disabled | Apktool |
M3: Insecure Communication | ✔ HTTPS not implemented | Burp Suite, Fiddler, ZAP |
M3: Insecure Communication | ✔ SSL pinning not implemented | Burp Suite, Fiddler, ZAP |
M3: Insecure Communication | ✔ Sensitive details transmitted in the URL | Burp Suite, Fiddler, ZAP |
M3: Insecure Communication | ✔ Deprecated SSL/TLS versions supported | TestSSLServer, SSL Labs |
M3: Insecure Communication | ✔ Weak SSL/TLS cipher suites supported | TestSSLServer, SSL Labs |
M4: Insecure Authentication | ✔ Application accepts blank password | Burp Suite, Fiddler, ZAP |
M4: Insecure Authentication | ✔ Application accepts partial password | Burp Suite, Fiddler, ZAP |
M4: Insecure Authentication | ✔ Check for offline authentication | |
M4: Insecure Authentication | ✔ No re-authentication when the app resumes from background | Burp Suite, Fiddler, ZAP |
M4: Insecure Authentication | ✔ Local authentication bypass | |
M4: Insecure Authentication | ✔ Weak MPIN policy | Burp Suite, Fiddler, ZAP |
M4: Insecure Authentication | ✔ No anti-automation mechanism implemented (token / lockout / CAPTCHA) | Burp Suite, Fiddler, ZAP |
M4: Insecure Authentication | ✔ Two-factor authentication not implemented on critical functionality | Burp Suite, Fiddler, ZAP |
M4: Insecure Authentication | ✔ Password replay attack | Burp Suite, Fiddler, ZAP |
M4: Insecure Authentication | ✔ Back n back attack | Burp Suite, Fiddler, ZAP |
M4: Insecure Authentication | ✔ No lockout policy on repeated failed logins | Burp Suite, Fiddler, ZAP |
M4: Insecure Authentication | ✔ No lockout on repeated wrong old-password attempts in change-password functionality | Burp Suite, Fiddler, ZAP |
M4: Insecure Authentication | ✔ No password policy enforced | Burp Suite, Fiddler, ZAP |
M4: Insecure Authentication | ✔ MPIN not verified at the server end | Burp Suite, Fiddler, ZAP |
M4: Insecure Authentication | ✔ No lockout on MPIN | Burp Suite, Fiddler, ZAP |
M4: Insecure Authentication | ✔ Hint question can be brute-forced on forgot password | Burp Suite, Fiddler, ZAP |
M4: Insecure Authentication | ✔ Hint question/answer transmitted in cleartext | Burp Suite, Fiddler, ZAP |
M4: Insecure Authentication | ✔ Old password still accepted after forgot password | Burp Suite, Fiddler, ZAP |
M4: Insecure Authentication | ✔ Credentials transmitted in cleartext | Burp Suite, Fiddler, ZAP |
M4: Insecure Authentication | ✔ Sensitive information (card details / MPIN / PAN) sent in cleartext | Burp Suite, Fiddler, ZAP |
M4: Insecure Authentication | ✔ Insecure password reset mechanism | Burp Suite, Fiddler, ZAP |
M4: Insecure Authentication | ✔ Bypassing login via XML injection | Burp Suite, Fiddler, ZAP |
M4: Insecure Authentication | ✔ Session cookie attributes (Secure, HttpOnly) not set | Burp Suite, Fiddler, ZAP |
M4: Insecure Authentication | ✔ Insecure forgot-password implementation | Burp Suite, Fiddler, ZAP |
M4: Insecure Authentication | ✔ Insecure reset-password implementation | Burp Suite, Fiddler, ZAP |
M4: Insecure Authentication | ✔ Second-factor authentication / OTP can be bypassed | Burp Suite, Fiddler, ZAP |
M4: Insecure Authentication | ✔ Second-factor authentication / OTP can be brute-forced | Burp Suite, Fiddler, ZAP |
M4: Insecure Authentication | ✔ Logout functionality not implemented | |
M5: Insufficient Cryptography | ✔ Hardcoded encryption key | dex2jar, JD-GUI, Apktool, jadx |
M5: Insufficient Cryptography | ✔ Strength of the cryptography used for local storage | dex2jar, JD-GUI, Apktool, jadx |
M5: Insufficient Cryptography | ✔ Weak key generation logic | dex2jar, JD-GUI, Apktool, jadx |
M6: Insecure Authorization | ✔ Missing binding between device ID and auth token | Burp Suite, Fiddler, ZAP, IMEI changer, Hijack Suite, MAC ID changer |
M6: Insecure Authorization | ✔ Session fixation: an adversary can hijack user sessions | Burp Suite, Fiddler, ZAP |
M6: Insecure Authorization | ✔ Parameter manipulation | Burp Suite, Fiddler, ZAP |
M6: Insecure Authorization | ✔ Privilege escalation via parameter manipulation | Burp Suite, Fiddler, ZAP |
M6: Insecure Authorization | ✔ Privilege escalation via URL manipulation | Burp Suite, Fiddler, ZAP |
M6: Insecure Authorization | ✔ Maker-checker functionality bypass via parameter manipulation | Burp Suite, Fiddler, ZAP |
M6: Insecure Authorization | ✔ Sensitive information sent to third-party websites | Burp Suite, Fiddler, ZAP |
M7: Client Code Quality | ✔ Client-side SQL injection | Burp Suite, Fiddler, ZAP |
M7: Client Code Quality | ✔ Client-side input validation not implemented | Burp Suite, Fiddler, ZAP |
M7: Client Code Quality | ✔ Autocomplete not turned off for sensitive fields | Browser |
M7: Client Code Quality | ✔ Mobile application (its web services) accessible from a web browser | Browser |
M7: Client Code Quality | ✔ Application runs on rooted phones (no root detection, or detection bypassable) | Hide My Root, RootCloak |
M7: Client Code Quality | ✔ printStackTrace() used | dex2jar, JD-GUI, Apktool, jadx |
M7: Client Code Quality | ✔ Developer comments revealed in source code | dex2jar, JD-GUI, Apktool, jadx |
M7: Client Code Quality | ✔ Bypassing login via SQL injection | Burp Suite, Fiddler, ZAP |
M7: Client Code Quality | ✔ Bypassing login via LDAP / XPath injection | Burp Suite, Fiddler, ZAP |
M7: Client Code Quality | ✔ File manipulation / malicious file upload | Burp Suite, Fiddler, ZAP |
M8: Code Tampering | ✔ Does the application have a tamper-detection mechanism? | Apktool, jarsigner, keytool |
M8: Code Tampering | ✔ Is tamper detection bypassable? | Apktool, jarsigner, keytool, Burp Suite, Fiddler, ZAP |
M8: Code Tampering | ✔ Is the tamper-detection check performed only client-side? | dex2jar, JD-GUI, Apktool, jadx |
M9: Reverse Engineering | ✔ No or only partial source code obfuscation | dex2jar, JD-GUI, Apktool, jadx |
M9: Reverse Engineering | ✔ Sensitive information / business logic exposed in decompiled code | dex2jar, JD-GUI, Apktool, jadx |
M10: Extraneous Functionality | ✔ Check for hidden backdoors / gaps left by the developer | dex2jar, JD-GUI, Apktool, jadx |
M10: Extraneous Functionality | ✔ Check for hidden APIs the developer forgot to remove or left in on purpose | Apktool, jarsigner, keytool, Burp Suite, Fiddler, ZAP |
Misc. | ✔ Last login time and recent transactions not shown after login | |
Misc. | ✔ Multiple concurrent logins allowed | |
Misc. | ✔ UAT environment contains live production data | Apktool, jarsigner, keytool, Burp Suite, Fiddler, ZAP |
Misc. | ✔ Missing useful HTTP security headers | Burp Suite, Fiddler, ZAP |
Misc. | ✔ Dangerous HTTP methods enabled | Burp Suite, Fiddler, ZAP |
Misc. | ✔ Does the application forcefully log the user out on detected attacks? | Burp Suite, Fiddler, ZAP |
Misc. | ✔ Registration / onboarding checks | Burp Suite, Fiddler, ZAP |
Misc. | ✔ Response modification attack | Burp Suite, Fiddler, ZAP |
Misc. | ✔ Device-level check bypass | Hijack Suite, Root Explorer, IMEI changer, MAC ID changer |
Misc. | ✔ CSRF | Burp Suite, Fiddler, ZAP |
Misc. | ✔ UI spoofing / tapjacking | |
Misc. | ✔ Business logic flaws (e.g. application accepts negative values) | Burp Suite, Fiddler, ZAP |
Misc. | ✔ Sensitive web service URLs exposed in request/response | Burp Suite, Fiddler, ZAP |
Misc. | ✔ Session management | Burp Suite, Fiddler, ZAP |
Misc. | ✔ Session hijacking | Burp Suite, Fiddler, ZAP |
Misc. | ✔ Session ID does not change after login or after logout | Burp Suite, Fiddler, ZAP |
Misc. | ✔ No session timeout / excessively long session timeout | Burp Suite, Fiddler, ZAP |
Misc. | ✔ Unvalidated redirects | Burp Suite, Fiddler, ZAP |
Misc. | ✔ Remote file inclusion | Burp Suite, Fiddler, ZAP |
Misc. | ✔ Local file inclusion | Burp Suite, Fiddler, ZAP |
Misc. | ✔ Keyboard caching not disabled | |
Misc. | ✔ Internal IP address / path disclosed in responses | Burp Suite, Fiddler, ZAP |
Misc. | ✔ Sensitive data visible in the recent-apps screenshot | |
Misc. | ✔ An adversary can harvest email addresses for spamming | Burp Suite, Fiddler, ZAP |
Misc. | ✔ An adversary can view restricted files via directory listing | Burp Suite, Fiddler, ZAP |
Misc. | ✔ Server banner in HTTP headers | Burp Suite, Fiddler, ZAP |
Misc. | ✔ Valid usernames can be enumerated on the login page | Burp Suite, Fiddler, ZAP |
Misc. | ✔ Default web page accessible | Burp Suite, Fiddler, ZAP |
Misc. | ✔ Application-level logging not disabled | Logcat |
Misc. | ✔ Error page reveals sensitive information | Burp Suite, Fiddler, ZAP |
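Several of the M1 rows (exported components, no anti-debugging / debuggable flag, installable on old Android versions, excessive permissions, allowBackup) are answered by reading the decoded AndroidManifest.xml that Apktool produces. The following script is an added example, not part of the original checklist or of any tool it names: it automates those rows over a manifest. The manifest, the package name com.example.bank, the API 23 cut-off and the dangerous-permission subset are all constructed assumptions.

```python
"""Static audit of a decoded AndroidManifest.xml for the M1 manifest-level rows:
exported components without a permission, debuggable/allowBackup/cleartext flags,
a low minSdkVersion and dangerous permissions.  Run it on the AndroidManifest.xml
that apktool decodes; the manifest below is a constructed sample, not a real app."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumption: anything below Android 6.0 (API 23) is reported as an unsupported platform.
MIN_SUPPORTED_SDK = 23

# Subset of the permissions Android classifies as "dangerous" (runtime permissions).
DANGEROUS_PERMISSIONS = {
    "android.permission." + p for p in (
        "READ_SMS", "SEND_SMS", "RECEIVE_SMS", "READ_CONTACTS", "WRITE_CONTACTS",
        "ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION", "CAMERA", "RECORD_AUDIO",
        "READ_PHONE_STATE", "READ_CALL_LOG", "READ_EXTERNAL_STORAGE",
        "WRITE_EXTERNAL_STORAGE",
    )
}

# Constructed sample manifest (hypothetical app) that exhibits several weak settings.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bank">
  <uses-sdk android:minSdkVersion="16" android:targetSdkVersion="30"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:allowBackup="true" android:debuggable="true"
      android:usesCleartextTraffic="true">
    <activity android:name=".LoginActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".TransferActivity" android:exported="true"/>
    <activity android:name=".SettingsActivity" android:exported="false"/>
    <service android:name=".SyncService">
      <intent-filter><action android:name="com.example.bank.SYNC"/></intent-filter>
    </service>
    <provider android:name=".AccountProvider"
        android:authorities="com.example.bank.accounts"
        android:exported="true"
        android:permission="com.example.bank.READ_ACCOUNTS"/>
    <receiver android:name=".BootReceiver" android:exported="true"/>
  </application>
</manifest>
"""


def attr(element, name, default=None):
    """Read an attribute from the android: namespace."""
    return element.get("{%s}%s" % (ANDROID_NS, name), default)


def is_exported(component):
    """Platform rule: an explicit android:exported wins; otherwise a component is
    exported by default as soon as it declares an intent-filter (the implicit
    default that targetSdk 31+ no longer permits)."""
    explicit = attr(component, "exported")
    if explicit is not None:
        return explicit == "true"
    return component.find("intent-filter") is not None


def is_launcher(component):
    """The launcher activity has to be exported, so it is not a finding."""
    for category in component.iter("category"):
        if attr(category, "name") == "android.intent.category.LAUNCHER":
            return True
    return False


def audit_manifest(xml_text):
    """Return a list of (category, message) findings for the M1 rows."""
    root = ET.fromstring(xml_text)
    findings = []

    sdk = root.find("uses-sdk")
    if sdk is not None:
        min_sdk = int(attr(sdk, "minSdkVersion", "1"))
        if min_sdk < MIN_SUPPORTED_SDK:
            findings.append(("M1", "minSdkVersion=%d allows install on older Android versions" % min_sdk))

    for perm in root.findall("uses-permission"):
        name = attr(perm, "name", "")
        if name in DANGEROUS_PERMISSIONS:
            findings.append(("M1", "dangerous permission requested: " + name))

    app = root.find("application")
    if app is None:
        return findings
    for flag in ("debuggable", "allowBackup", "usesCleartextTraffic"):
        if attr(app, flag) == "true":
            findings.append(("M1", 'android:%s="true"' % flag))

    # Exported components reachable by any app on the device without a permission gate.
    for tag in ("activity", "service", "receiver", "provider"):
        for comp in app.findall(tag):
            if is_exported(comp) and not is_launcher(comp) and attr(comp, "permission") is None:
                findings.append(("M1", "exported %s %s has no android:permission" % (tag, attr(comp, "name"))))
    return findings


if __name__ == "__main__":
    for category, message in audit_manifest(SAMPLE_MANIFEST):
        print(category, message)
```

Each component the script reports is a candidate for the Drozer / `am start` / `content query` checks in the table; the provider with an `android:permission` is deliberately not reported, and the launcher activity is skipped because it must be exported.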
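The M2 row on cleartext data in SQLite, SharedPreferences and the data directory is normally checked by pulling `/data/data/<package>` with Root Explorer or `adb pull` and reading through it by hand. The script below is an added example (not from the original page) that does the same pass offline over a pulled tree: it flags secret-looking SharedPreferences keys, SQLite columns, `name=value` pairs in plain files, and files readable by other users. The directory layout and its contents are constructed in a temporary folder; the key-name heuristics are assumptions to tune per application.

```python
"""Scan a pulled app data directory (adb pull /data/data/<pkg>) for the M2 rows:
cleartext secrets in SharedPreferences XML, SQLite columns and plain files, plus
files readable by other users.  The tree is constructed in a temp directory;
it is not data pulled from a real device."""
import os
import re
import sqlite3
import stat
import tempfile
import xml.etree.ElementTree as ET

# Key/column names that suggest a secret (assumption; tune per application).
SECRET_NAME = re.compile(r"(?i)(pass|pwd|pin|token|secret|session|auth|card|pan|cvv)")
# "name=value" pairs that should never appear in a log or config file.
SECRET_IN_TEXT = re.compile(r"(?i)\b(password|pwd|passwd|token|mpin|pin|otp)\s*[=:]\s*\S+")


def build_sample_app_dir():
    """Create a constructed com.example.bank data directory with typical mistakes."""
    root = tempfile.mkdtemp(prefix="com.example.bank-")
    prefs = os.path.join(root, "shared_prefs")
    os.makedirs(prefs)
    with open(os.path.join(prefs, "session.xml"), "w") as f:
        f.write('<?xml version="1.0" encoding="utf-8" standalone="yes" ?>\n<map>\n'
                '  <string name="username">alice</string>\n'
                '  <string name="auth_token">eyJhbGciOiJIUzI1NiJ9.e30.signature</string>\n'
                '  <boolean name="remember_mpin" value="true" />\n'
                '  <string name="mpin">4321</string>\n'
                '  <string name="theme">dark</string>\n'
                '</map>\n')
    dbs = os.path.join(root, "databases")
    os.makedirs(dbs)
    db = sqlite3.connect(os.path.join(dbs, "accounts.db"))
    db.execute("CREATE TABLE cards (id INTEGER, holder TEXT, pan TEXT, cvv TEXT)")
    db.execute("INSERT INTO cards VALUES (1, 'alice', '4111111111111111', '123')")
    db.execute("CREATE TABLE settings (k TEXT, v TEXT)")
    db.execute("INSERT INTO settings VALUES ('theme', 'dark')")
    db.commit()
    db.close()
    files = os.path.join(root, "files")
    os.makedirs(files)
    log = os.path.join(files, "debug.log")
    with open(log, "w") as f:
        f.write("2024-01-01 10:00:01 login ok user=alice password=Winter2024\n")
    os.chmod(log, 0o666)  # world-readable/writable, the MODE_WORLD_READABLE mistake
    for p in (os.path.join(prefs, "session.xml"), os.path.join(dbs, "accounts.db")):
        os.chmod(p, 0o600)
    return root


def is_sqlite(path):
    with open(path, "rb") as f:
        return f.read(16) == b"SQLite format 3\x00"


def scan_shared_prefs(path, rel):
    """Only <string> entries are reported: booleans such as remember_mpin are flags, not secrets."""
    findings = []
    for entry in ET.parse(path).getroot():
        name = entry.get("name", "")
        if entry.tag == "string" and SECRET_NAME.search(name) and (entry.text or "").strip():
            findings.append("%s: key '%s' stored in cleartext" % (rel, name))
    return findings


def scan_sqlite(path, rel):
    """Report secret-looking columns that actually hold data."""
    findings = []
    db = sqlite3.connect(path)
    try:
        tables = [r[0] for r in db.execute("SELECT name FROM sqlite_master WHERE type='table'")]
        for table in tables:
            for col in [r[1] for r in db.execute('PRAGMA table_info("%s")' % table)]:
                if SECRET_NAME.search(col):
                    (n,) = db.execute('SELECT COUNT(*) FROM "%s" WHERE "%s" IS NOT NULL' % (table, col)).fetchone()
                    if n:
                        findings.append("%s: column %s.%s holds %d cleartext value(s)" % (rel, table, col, n))
    finally:
        db.close()
    return findings


def scan_text(path, rel):
    findings = []
    with open(path, "r", errors="replace") as f:
        for lineno, line in enumerate(f, 1):
            m = SECRET_IN_TEXT.search(line)
            if m:
                findings.append("%s:%d: '%s' in cleartext" % (rel, lineno, m.group(1).lower()))
    return findings


def scan_app_dir(root):
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            mode = os.stat(path).st_mode
            if mode & (stat.S_IROTH | stat.S_IWOTH):
                findings.append("%s: mode %o is readable/writable by other users" % (rel, stat.S_IMODE(mode)))
            if os.path.basename(dirpath) == "shared_prefs" and name.endswith(".xml"):
                findings += scan_shared_prefs(path, rel)
            elif is_sqlite(path):
                findings += scan_sqlite(path, rel)
            else:
                findings += scan_text(path, rel)
    return sorted(findings)


if __name__ == "__main__":
    for finding in scan_app_dir(build_sample_app_dir()):
        print("M2", finding)
```

Run it against the directory you pulled from a rooted device (`scan_app_dir("/tmp/com.target.app")`); anything it reports for `shared_prefs` or `databases` is exactly what a Drozer content-provider query or a second app with storage access would read.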
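Most of the M3, M4 and Misc. rows are answered from proxy captures: HTTPS not implemented, sensitive details in the URL, credentials and card details in cleartext, session cookie attributes, missing HTTP headers, dangerous methods and the server banner. The following script is an added example (not code from the original page or from Burp/ZAP/Fiddler) that runs those checks over exported exchanges; it adds a Luhn check so that card numbers are recognised wherever they appear. The four exchanges, the host api.example.test and the header/parameter lists are constructed assumptions.

```python
"""Offline checks over captured exchanges (exported from Burp / ZAP / Fiddler) for
the transport and session rows: cleartext HTTP, secrets in the URL or in a
cleartext body, Luhn-valid card numbers, cookie attributes, missing security
headers, server banner and dangerous methods.  All exchanges are constructed."""
import re
from urllib.parse import parse_qsl, urlsplit

# Parameter names that must never travel in a URL or over cleartext (assumption).
SENSITIVE_PARAMS = {"password", "pwd", "passwd", "pin", "mpin", "otp", "token",
                    "sessionid", "jsessionid", "pan", "cardnumber", "cvv", "answer"}
EXPECTED_HEADERS = ("strict-transport-security", "x-content-type-options",
                    "x-frame-options", "cache-control")
DANGEROUS_METHODS = {"PUT", "DELETE", "TRACE", "CONNECT"}
PAN_CANDIDATE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")

HARDENED_HEADERS = [("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
                    ("X-Content-Type-Options", "nosniff"),
                    ("X-Frame-Options", "DENY"),
                    ("Cache-Control", "no-store")]

# (method, url, request body, response headers as (name, value) pairs) -- constructed.
SAMPLE_EXCHANGES = [
    ("POST", "http://api.example.test/v1/login?user=alice&mpin=4321",
     "user=alice&password=Winter2024",
     [("Server", "Apache/2.4.29 (Ubuntu)"),
      ("Set-Cookie", "JSESSIONID=8f3a1c; Path=/"),
      ("Content-Type", "application/json")]),
    ("POST", "https://api.example.test/v1/cards/add",
     "pan=4111111111111111&cvv=123",
     HARDENED_HEADERS + [("Set-Cookie", "session=abc; Secure; HttpOnly; SameSite=Strict")]),
    ("GET", "https://api.example.test/v1/cards?pan=4111111111111111", "", HARDENED_HEADERS),
    ("OPTIONS", "https://api.example.test/v1/", "",
     HARDENED_HEADERS + [("Allow", "GET, POST, PUT, DELETE, TRACE")]),
]


def luhn_ok(digits):
    """Luhn checksum: doubles every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text):
    return [m.group(0) for m in PAN_CANDIDATE.finditer(text) if luhn_ok(m.group(0))]


def mask(pan):
    """Keep BIN and last four so the report itself does not leak the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def audit_exchange(method, url, body, response_headers):
    findings = []
    parts = urlsplit(url)
    cleartext = parts.scheme == "http"
    if cleartext:
        findings.append("HTTPS not implemented: %s %s" % (method, url))
    for name, _ in parse_qsl(parts.query):
        if name.lower() in SENSITIVE_PARAMS:
            findings.append("sensitive parameter '%s' transmitted in URL" % name)
    for pan in find_pans(parts.query):
        findings.append("Luhn-valid card number in URL: " + mask(pan))
    if cleartext:  # body contents only matter when the transport does not protect them
        for name, _ in parse_qsl(body):
            if name.lower() in SENSITIVE_PARAMS:
                findings.append("credential '%s' transmitted in cleartext body" % name)
        for pan in find_pans(body):
            findings.append("Luhn-valid card number in cleartext body: " + mask(pan))
    lowered = [(n.lower(), v) for n, v in response_headers]
    for name, value in lowered:
        if name == "set-cookie":
            cookie, _, rest = value.partition("=")
            attrs = {p.strip().split("=")[0].lower() for p in rest.split(";")[1:]}
            for attr, label in (("secure", "Secure"), ("httponly", "HttpOnly")):
                if attr not in attrs:
                    findings.append("cookie '%s' missing %s" % (cookie.strip(), label))
        elif name == "server" and re.search(r"\d", value):
            findings.append("server banner with version: " + value)
        elif name == "allow":
            bad = sorted(DANGEROUS_METHODS & {m.strip().upper() for m in value.split(",")})
            if bad:
                findings.append("dangerous HTTP methods enabled: " + ", ".join(bad))
    present = {n for n, _ in lowered}
    for header in EXPECTED_HEADERS:
        if header not in present:
            findings.append("missing header: " + header)
    return findings


if __name__ == "__main__":
    for exchange in SAMPLE_EXCHANGES:
        print(exchange[0], exchange[1])
        for finding in audit_exchange(*exchange):
            print("  -", finding)
```

The second exchange sends a card number in the body over TLS and is reported clean, while the third puts the same number in a query string and is reported even over TLS, since URLs end up in proxy, server and analytics logs regardless of transport.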
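The rows answered with dex2jar / JD-GUI / Apktool / jadx (WebView settings, hardcoded encryption keys, weak cryptography, disabled certificate validation, printStackTrace(), logging, developer comments) all come down to reading decompiled Java. The scanner below is an added example, not from the original page or from any of those tools: it applies one pattern per row to decompiler output and reports the line, the OWASP category and the check. The Java class is a constructed sample written to trigger every rule; the patterns are heuristics and a hit still needs manual confirmation.

```python
"""Grep-style review of decompiled Java (jadx / JD-GUI output) for the source-level
rows: WebView settings, hardcoded keys, weak crypto and randomness, disabled
certificate validation, printStackTrace / Log calls and developer comments.
The Java below is a constructed sample, not code from a real application."""
import re

SAMPLE_JAVA = """package com.example.bank;

import android.util.Log;
import android.webkit.WebView;
import java.security.MessageDigest;
import java.util.Random;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

public class SessionHelper {
    // TODO: remove before release, test backend at 10.0.2.2:8080
    private static final String API_KEY = "CHANGEME-api-key-2024";
    private static final byte[] AES_KEY = "0123456789abcdef".getBytes();

    void setupWebView(WebView wv) {
        wv.getSettings().setJavaScriptEnabled(true);
        wv.getSettings().setAllowFileAccess(true);
        wv.addJavascriptInterface(new Bridge(), "Android");
    }

    byte[] encryptPin(byte[] pin) throws Exception {
        Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(AES_KEY, "AES"));
        return c.doFinal(pin);
    }

    String hashPassword(String pw) throws Exception {
        MessageDigest md = MessageDigest.getInstance("MD5");
        return new String(md.digest(pw.getBytes()));
    }

    int newOtp() {
        return new Random().nextInt(999999);
    }

    void trustAll() {
        TrustManager tm = new X509TrustManager() {
            public void checkServerTrusted(X509Certificate[] chain, String authType) {}
            public void checkClientTrusted(X509Certificate[] chain, String authType) {}
            public X509Certificate[] getAcceptedIssuers() { return null; }
        };
    }

    void onError(Exception e) {
        e.printStackTrace();
        Log.d("SessionHelper", "token=" + API_KEY);
    }
}
"""

# (category, check, pattern) applied line by line.
LINE_RULES = [
    ("M1", "WebView JavaScript enabled", re.compile(r"setJavaScriptEnabled\(\s*true")),
    ("M1", "WebView file access enabled", re.compile(r"setAllowFileAccess\(\s*true")),
    ("M1", "JavaScript bridge exposed", re.compile(r"addJavascriptInterface\(")),
    ("M5", "hardcoded key/secret literal", re.compile(r'(?i)(key|secret|password|token)\w*\s*=\s*"[^"]+"')),
    ("M5", "ECB mode or unspecified cipher mode", re.compile(r'Cipher\.getInstance\(\s*"(?:[A-Za-z]+/ECB/|AES"|DES"|DESede")')),
    ("M5", "weak hash algorithm", re.compile(r'MessageDigest\.getInstance\(\s*"(?:MD5|SHA-?1)"')),
    ("M5", "java.util.Random used for security value", re.compile(r"new\s+(?:java\.util\.)?Random\s*\(")),
    ("M7", "printStackTrace() in production code", re.compile(r"\.printStackTrace\(")),
    ("Misc", "logging not disabled", re.compile(r"\bLog\.[vdiwe]\(")),
    ("M7", "developer comment left in code", re.compile(r"//\s*(?:TODO|FIXME|HACK|XXX)")),
]

# Applied to the whole file: a TrustManager whose checkServerTrusted body is empty.
TRUST_ALL = re.compile(r"checkServerTrusted\s*\([^)]*\)\s*(?:throws[^{]*)?\{\s*\}")


def scan_source(java_text):
    """Return sorted (line number, category, check) findings for one Java file."""
    findings = []
    for lineno, line in enumerate(java_text.splitlines(), 1):
        for category, check, pattern in LINE_RULES:
            if pattern.search(line):
                findings.append((lineno, category, check))
    for m in TRUST_ALL.finditer(java_text):
        lineno = java_text.count("\n", 0, m.start()) + 1
        findings.append((lineno, "M3", "certificate validation disabled (empty checkServerTrusted)"))
    return sorted(findings)


if __name__ == "__main__":
    for lineno, category, check in scan_source(SAMPLE_JAVA):
        print("%4d  %-4s %s" % (lineno, category, check))
```

Point `scan_source` at each file under the jadx output directory (`jadx -d out app.apk`) and triage the hits; the hardcoded-key rule fires on any string literal assigned to a name containing key, secret, password or token, so it covers both the `API_KEY` string and the `AES_KEY` byte array in the sample.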