This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Android Testing Cheat Sheet"
(→M5 - Poor Authorization and Authentication) |
(→M6 - Broken Cryptography) |
||
Line 91: | Line 91: | ||
== M6 - Broken Cryptography == | == M6 - Broken Cryptography == | ||
+ | |||
+ | There are multiple things to look at | ||
+ | |||
+ | * Usage of known weak crypto algo's like Rot13, MD4, MD5, RC2, RC4, SHA1 | ||
+ | * Do it Yourself / let me design my own algo for encryption | ||
+ | * Secret key hard coded in the application code itself. | ||
+ | |||
== M7 - Client Side Injection == | == M7 - Client Side Injection == | ||
== M8 - Security Decisions via untrusted inputs == | == M8 - Security Decisions via untrusted inputs == |
Revision as of 17:30, 18 March 2016
Last revision (mm/dd/yy): 03/18/2016 IntroductionDRAFT MODE - This Cheat Sheet is a Work in Progress This cheat sheet provides a checklist of tasks to be performed to do a penetration test of an Android application. It follows the OWASP Mobile Top 10 Risks list. Testing MethodologyAt the device level, there are 2 ways in which the application shall be tested.
At the application level, there are 2 ways in which it shall be tested
Application MappingMap the application for possible security vectors
OWASP Step-by-step Approach(For each of the standards below, there shall be multiple steps for the tester to follow]) M1 - Weaker Server side controlsM2 - Insecure Data storageThis Section should be ideally tested after using the application for some time. This way application has time to store some data on the disk. Commonplaces to look at
M3 - Insufficient Transport LayerMultiple layer of checks to be performed here 1. On Server side
* SSLv2, SSLv3 is disabled * TLS 1.2, 1.1 and 1.0 is supported (1.2 is essential to ensure highest possible secure connection) * RC4 and CBC Based Ciphers are disabled * DH Params are >2048 Bits * SSL Certificate is signed with atleast sha2 / sha256 * ECDHE Ciphers / Ciphers supporting Perfect forward secrecy are preferred * SSL Certificate is from Trusted RootCA * SSL Certificate is not expired
1. Ensure application is working correctly by navigating around. 2. Put a proxy in between the application and remote server. If application fails to load. Application might be doing cert validation. Refer logcat if any message is printed. 3. Place Proxy RootCA in trusted root CA list in device. (Burp)[2] (OWASP-ZAP)[3] 4. Try using application again. If application still doesn't connect, application might be doing cert pinning. 5. Install (Xposed Framework)[4] and (Just Trust Me)[5], enable JustTrustMe and then reboot device. 6. Try again if everything works we have a application which employee's cert pinning. M4 - Unintended Data LeakageSimmilar to M2 this section requires application to be used however while the application is in use we need to monitor following places.
M5 - Poor Authorization and AuthenticationOne of the simplest check's to be performed after application is used for some time and it has time to put the data inside system.
M6 - Broken CryptographyThere are multiple things to look at
M7 - Client Side InjectionM8 - Security Decisions via untrusted inputsM9 - Improper Session HandlingM10 - Lack of Binary ProtectionAuthors and Primary EditorsJim Manico Jonathan Carter Prashant Phatak Milan Singh Thakur Anant Shrivastava Other Cheatsheets |