
Mobile App Security Testing Checklist

What types of testing do I need?


Take the attacker’s point-of-view on real iOS and Android devices.

Source Code (Debug): Scan the source code before compilation for syntax errors and improper use of APIs.
Static Binary (Analyze): Analyze the compiled binary to discover vulnerabilities, including those in bundled third-party libraries.
Dynamic Binary (Observe): Observe the binary at runtime to discover vulnerabilities within the app.
Behavioral Binary (Attack): Attack the binary and its network environment to discover vulnerabilities within the app.

[Coverage scale shown as a bar under the four columns: 0 at the Source Code end (many false positives) rising to Best at the Behavioral Binary end (no false positives)]

What testing coverage do I need?


Ensure you have complete coverage on device and over the air.

Data in Motion
- Man in the Middle: Certificate Validation
- Man in the Middle: Certificate Pinning
- Man in the Middle: HTTP Connections
- SSL Downgrade
- Unprotected TLS traffic
- Cookie integrity
- Certificate Validity
- App Transport Security

Data at Rest
- App files
- Log Files
- Keychain
- SD Card
- World Writable Files
- World Readable Files
- RAM
- Unencrypted credential storage
- SQLite Databases
- Secure Enclave Processor

Code Quality
- Development flags
- Automatic Reference Counting
- Stack Smashing
- Bad Authentication
- Bad Authorization
- Root access
- Path Traversal
- SQL Injection
- Vulnerable third-party libraries
- Heartbleed
- Bad cryptography
- Obfuscation
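Three of the items above (App Transport Security, Man in the Middle: HTTP Connections, and Development flags) can be checked statically from the app's shipped configuration before any on-device testing starts. The script below is an added example written for this page, not NowSecure's tooling; the Info.plist and AndroidManifest.xml contents are constructed samples, and the bundle id com.example.demo and host legacy.example.com are placeholders. It parses an iOS Info.plist for ATS opt-outs and weak per-domain exceptions, and an Android manifest for android:debuggable, android:usesCleartextTraffic and the platform default that still allows cleartext when targetSdkVersion is below 28.

```python
"""Static configuration checks for three checklist items: App Transport Security
(iOS), cleartext HTTP connections (Android) and development/debug flags (Android).
Added example with constructed sample inputs; not NowSecure's code."""
import plistlib
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed iOS Info.plist with a global ATS opt-out and a weak per-domain exception.
ATS_WEAK_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.demo</string>
  <key>NSAppTransportSecurity</key><dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSExceptionDomains</key><dict>
      <key>legacy.example.com</key><dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
        <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.0</string>
      </dict>
    </dict>
  </dict>
</dict></plist>
"""

# Constructed Info.plist that leaves ATS at its default (enforced) setting.
ATS_DEFAULT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.demo</string>
</dict></plist>
"""

# Constructed merged AndroidManifest.xml: debuggable, no explicit cleartext setting, old target SDK.
MANIFEST_WEAK = b"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.demo">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="27"/>
  <application android:debuggable="true" android:label="Demo"/>
</manifest>
"""

# Constructed manifest with cleartext disabled explicitly and debugging off.
MANIFEST_OK = b"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.demo">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="33"/>
  <application android:usesCleartextTraffic="false" android:label="Demo"/>
</manifest>
"""


def check_ios_ats(plist_bytes):
    """Return a list of ATS weaknesses found in an Info.plist (empty list = ATS enforced)."""
    findings = []
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("ATS disabled globally (NSAllowsArbitraryLoads=true)")
    if ats.get("NSAllowsArbitraryLoadsInWebContent"):
        findings.append("ATS disabled for web view content (NSAllowsArbitraryLoadsInWebContent=true)")
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(f"plain HTTP permitted for {domain}")
        tls = rules.get("NSExceptionMinimumTLSVersion")
        if tls in ("TLSv1.0", "TLSv1.1"):
            findings.append(f"{domain} accepts {tls}")
    return findings


def check_android_manifest(manifest_bytes):
    """Return debug-flag and cleartext weaknesses found in a merged AndroidManifest.xml."""
    findings = []
    root = ET.fromstring(manifest_bytes)
    app = root.find("application")
    if app is None:
        return findings
    if app.get(ANDROID_NS + "debuggable") == "true":
        findings.append("development flag android:debuggable=true left in manifest")
    cleartext = app.get(ANDROID_NS + "usesCleartextTraffic")
    if cleartext == "true":
        findings.append("cleartext HTTP permitted explicitly (android:usesCleartextTraffic=true)")
    elif cleartext is None:
        # Platform default: cleartext is allowed when targetSdkVersion < 28.
        # Assumes the merged manifest, which carries the uses-sdk element the build sets.
        sdk = root.find("uses-sdk")
        target = int(sdk.get(ANDROID_NS + "targetSdkVersion", "0")) if sdk is not None else 0
        if target == 0:
            findings.append("targetSdkVersion not declared; cleartext allowed unless the build targets SDK >= 28")
        elif target < 28:
            findings.append(f"cleartext HTTP permitted by platform default (targetSdkVersion {target} < 28)")
    if app.get(ANDROID_NS + "networkSecurityConfig"):
        # A network security config overrides the attribute above and must be reviewed separately.
        findings.append("networkSecurityConfig present: review res/xml for cleartextTrafficPermitted and pin-set")
    return findings


if __name__ == "__main__":
    print("Info.plist ->", check_ios_ats(ATS_WEAK_PLIST) or ["no findings"])
    print("AndroidManifest.xml ->", check_android_manifest(MANIFEST_WEAK) or ["no findings"])
```

A clean result from these checks only means the app does not opt out of platform transport protections; whether the app's own networking code validates certificates or pins correctly still has to be confirmed at runtime with an interception proxy, which is the Dynamic and Behavioral coverage the earlier section describes.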

What testing requirements do I need?


Ensure technology and approach meet your business needs.

Testing
- Real on-device testing (no emulators)
- Auto-configuration
- Repeatable configuration
- Authenticated / non-authenticated testing

Reporting
- Detailed findings
- Industry-standard CVSS scoring
- Remediation instructions
- OWASP Top 10

Compliance
- NIAP
- FFIEC
- PCI-DSS
- FISMA
- GDPR

Integrations
- RESTful API
- JIRA
- GitHub
- CI/CD infrastructure
- Security infrastructure

Additional Resources: Secure Mobile Development Best Practices | Mobile App Security Program Management Handbook

©2017 NowSecure. All Rights Reserved · Web: www.nowsecure.com · Phone: (312) 878-1100 · Twitter: @NowSecureMobile
