7/25/2019 OWASP Mobile App Checklist v1.0

CLIENT SIDE CHECKS

Sr.  Vulnerability Name                                                          Applicable Platform  Compliant? (Yes/No/NA)
---  --------------------------------------------------------------------------  -------------------  ----------------------
1    Application is Vulnerable to Reverse Engineering Attack                     All
2    Account Lockout not Implemented                                             All
3    Application is Vulnerable to XSS                                            All
4    Authentication bypassed                                                     All
5    Hard coded sensitive information in Application Code                        All
6    Malicious File Upload                                                       All
7    Session Fixation                                                            All
8    Application does not Verify MSISDN                                          WAP
9    Privilege Escalation                                                        All
10   SQL Injection                                                               All
11   Attacker can bypass Second Level Authentication                             All
12   Application is vulnerable to LDAP Injection                                 All
13   Application is vulnerable to OS Command Injection                           All
14   iOS snapshot/backgrounding Vulnerability                                    iOS
15   Debug is set to TRUE                                                        Android
16   Application makes use of Weak Cryptography                                  All
17   Cleartext information under SSL Tunnel                                      All
18   Client Side Validation can be bypassed                                      All
19   Invalid SSL Certificate                                                     All
20   Sensitive Information is sent as Clear Text over network                    All
21   CAPTCHA is not implemented on Public Pages/Login Pages                      All
22   Improper or NO implementation of Change Password Page                       All
23   Application does not have Logout Functionality                              All
24   Sensitive information in Application Log Files                              All
25   Sensitive information sent as a querystring parameter                       All
26   URL Modification                                                            All
27   Sensitive information in Memory Dump                                        All
28   Weak Password Policy                                                        All
29   Autocomplete is not set to OFF                                              All
30   Application is accessible on Rooted or Jail Broken Device                   All
31   Back-and-Refresh attack                                                     All
32   Directory Browsing                                                          All
33   Usage of Persistent Cookies                                                 All
34   Open URL Redirects are possible                                             All
35   Improper exception Handling: In code                                        All
36   Insecure Application Permissions                                            All
37   Application build contains Obsolete Files                                   All
38   Certificate Chain is not Validated                                          All
39   Last Login information is not displayed                                     All
40   Private IP Disclosure                                                       All
41   UI Impersonation through RMS file modification                              JAVA
42   UI Impersonation through JAR file modification                              Android
43   Operation on a resource after expiration or release                         All
44   No Certificate Pinning                                                      All
45   Cached Cookies or information not cleaned after application removal/Close   All
46   ASLR Not Used                                                               iOS
47   Clipboard is not disabled                                                   All
48   Cache smashing protection is not enabled                                    iOS
49   Android Backup Vulnerability                                                Android

SERVER SIDE CHECKS

Sr.  Vulnerability Name                                                          Applicable Platform  Compliant? (Yes/No/NA)
---  --------------------------------------------------------------------------  -------------------  ----------------------
50   Cleartext password in Response                                              All
51   Direct Reference to internal resource without authentication                All
52   Application has NO or improper Session Management                           All
53   Cross Domain Scripting Vulnerability                                        All
54   Cross Origin Resource Sharing                                               All
55   Improper Input Validation - Server Side                                     All
56   Detailed Error page shows internal sensitive information                    All
57   Application allows HTTP Methods besides GET and POST                        All
58   Cross Site Request Forgery (CSRF)/SSRF                                      All
59   Cacheable HTTPS Responses                                                   All
60   Path Attribute not set on a Cookie                                          All
61   HttpOnly Attribute not set for a cookie                                     All
62   Secure Attribute not set for a cookie                                       All
63   Application is Vulnerable to Clickjacking/Tapjacking attack                 All
64   Server/OS fingerprinting is possible                                        All