This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Android Testing Cheat Sheet"
(→M3 - Insufficient Transport Layer) |
(→M4 - Unintended Data Leakage) |
||
Line 76: | Line 76: | ||
== M4 - Unintended Data Leakage == | == M4 - Unintended Data Leakage == | ||
+ | |||
+ | Simmilar to M2 this section requires application to be used however while the application is in use we need to monitor following places. | ||
+ | |||
+ | * adb logcat output | ||
+ | * cache and webcache folder locations | ||
+ | |||
== M5 - Poor Authorization and Authentication == | == M5 - Poor Authorization and Authentication == | ||
== M6 - Broken Cryptography == | == M6 - Broken Cryptography == |
Revision as of 05:44, 17 March 2016
Last revision (mm/dd/yy): 03/17/2016 IntroductionDRAFT MODE - This Cheat Sheet is a Work in Progress This cheat sheet provides a checklist of tasks to be performed to do a penetration test of an Android application. It follows the OWASP Mobile Top 10 Risks list. Testing MethodologyAt the device level, there are 2 ways in which the application shall be tested.
At the application level, there are 2 ways in which it shall be tested
Application MappingMap the application for possible security vectors
OWASP Step-by-step Approach(For each of the standards below, there shall be multiple steps for the tester to follow]) M1 - Weaker Server side controlsM2 - Insecure Data storageThis Section should be ideally tested after using the application for some time. This way application has time to store some data on the disk. Commonplaces to look at
M3 - Insufficient Transport LayerMultiple layer of checks to be performed here 1. On Server side
* SSLv2, SSLv3 is disabled * TLS 1.2, 1.1 and 1.0 is supported (1.2 is essential to ensure highest possible secure connection) * RC4 and CBC Based Ciphers are disabled * DH Params are >2048 Bits * SSL Certificate is signed with atleast sha2 / sha256 * ECDHE Ciphers / Ciphers supporting Perfect forward secrecy are preferred * SSL Certificate is from Trusted RootCA * SSL Certificate is not expired
1. Ensure application is working correctly by navigating around. 2. Put a proxy in between the application and remote server. If application fails to load. Application might be doing cert validation. Refer logcat if any message is printed. 3. Place Proxy RootCA in trusted root CA list in device. (Burp)[2] (OWASP-ZAP)[3] 4. Try using application again. If application still doesn't connect, application might be doing cert pinning. 5. Install (Xposed Framework)[4] and (Just Trust Me)[5], enable JustTrustMe and then reboot device. 6. Try again if everything works we have a application which employee's cert pinning. M4 - Unintended Data LeakageSimmilar to M2 this section requires application to be used however while the application is in use we need to monitor following places.
M5 - Poor Authorization and AuthenticationM6 - Broken CryptographyM7 - Client Side InjectionM8 - Security Decisions via untrusted inputsM9 - Improper Session HandlingM10 - Lack of Binary ProtectionAuthors and Primary EditorsJim Manico Jonathan Carter Prashant Phatak Milan Singh Thakur Other Cheatsheets |