This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Android Testing Cheat Sheet
Last revision (mm/dd/yy): 03/25/2016 IntroductionDRAFT MODE - This Cheat Sheet is a Work in Progress This cheat sheet provides a checklist of tasks to be performed to do a penetration test of an Android application. It follows the OWASP Mobile Top 10 Risks list. Testing MethodologyAt the device level, there are 2 ways in which the application shall be tested.
At the application level, there are 2 ways in which it shall be tested
Application MappingMap the application for possible security vectors
OWASP Step-by-step Approach(For each of the standards below, there shall be multiple steps for the tester to follow]) M1 - Weaker Server side controlsM2 - Insecure Data storageThis Section should be ideally tested after using the application for some time. This way application has time to store some data on the disk. Commonplaces to look at
M3 - Insufficient Transport LayerMultiple layer of checks to be performed here 1. On Server side
2. On Device Side
M4 - Unintended Data LeakageSimmilar to M2 this section requires application to be used however while the application is in use we need to monitor following places.
M5 - Poor Authorization and AuthenticationOne of the simplest check's to be performed after application is used for some time and it has time to put the data inside system.
M6 - Broken CryptographyThere are multiple things to look at
M7 - Client Side InjectionAndroid applications need to store data locally in sqlite files or XML structures and hence need to performs either SQL/XML Queries or file I/O. This gives rise to 2 major issues.
If the application is a HTML5 hybrid application then Cross Site Scripting (XSS) should also be considered. XSS will expose the entire application to the attacker as HTML5 applications will have the ability to call native functionality and hence control over the entire application. M8 - Security Decisions via untrusted inputsM9 - Improper Session HandlingImproper Session Handling typically results in the same outcomes as poor authentication. Once you are authenticated and given a session, that session allows one access to the mobile application. There are multiple things to look at
M10 - Lack of Binary ProtectionAndroid Binaries are basically dex classes, which if not protected can result in an easy decompilation of source code. This could lead to code / logic leakage. Following controls need to be checked for and validated:
References [OWASP M10-2014](https://www.owasp.org/index.php/Mobile_Top_10_2014-M10) Authors and Primary EditorsJim Manico Jonathan Carter Prashant Phatak Milan Singh Thakur Anant Shrivastava Other Cheatsheets |