App security testing checklist

  • To execute the following checks, download the testing guide first: https://confluence.securegroup.zone/download/attachments/211946950/MSTG-EN.pdf?version=1&modificationDate=1622559365802&api=v2

Architecture and design

  • All app components are identified and needed.
  • Security controls are enforced not only on the client side, but on the respective remote endpoints.
  • All connected remote services are defined and secured.
  • Data considered as sensitive in the context of the mobile app is identified.
  • All app components have defined business and/or security functions. (reference point: Environmental Information)
  • All security controls have a centralized implementation.
  • A mechanism for enforcing updates of the mobile app exists.
  • The app should be compliant with privacy laws and regulations.

Data storage

  • System credential storage facilities are used to store sensitive data, such as user credentials or cryptographic keys.
  • No sensitive data is stored outside of the app container or system credential storage.
  • If sensitive data still has to be stored locally, it is encrypted using a key derived from hardware-backed storage that requires authentication.
  • No sensitive data is written to application logs.
  • No sensitive data is shared with third parties unless it is a necessary part of the architecture.
  • The keyboard cache is disabled on text inputs that process sensitive data.
  • No sensitive data, such as passwords or PINs, is exposed through the user interface.
  • No sensitive data is included in backups generated by the mobile operating system.
  • The app removes sensitive data from views when moved to the background.
  • The app does not hold sensitive data in memory longer than necessary, and memory is cleared explicitly after use.
  • The app enforces a minimum device-access-security policy, such as requiring the user to set a device passcode.
  • The app's local storage should be wiped after an excessive number of failed authentication attempts.

Authentication and Session Management

  • If the app provides users access to a remote service, some form of authentication, such as username/password authentication, is performed at the remote endpoint.
  • If stateful session management is used, the remote endpoint uses randomly generated session identifiers to authenticate client requests without sending the user's credentials.
  • If stateless token-based authentication is used, the server provides a token that has been signed using a secure algorithm.
  • The remote endpoint terminates the existing session when the user logs out.
  • A password policy exists and is enforced by the remote endpoint.
  • There is a mechanism to protect against the submission of credentials an excessive number of times.
  • Sessions are invalidated at the remote endpoint after a predefined period of inactivity and access tokens expire.
  • Biometric authentication, if any, is not event-bound (i.e. using an API that simply returns "true" or "false"). Instead, it is based on unlocking the keychain/keystore.
  • Sensitive transactions require step-up authentication.
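The stateful session checks above (random session identifiers, server-side logout, inactivity expiry and a lockout against excessive credential submissions) in one minimal remote-endpoint model. This is an added example written for this checklist, not code from the testing guide; the policy numbers, the PBKDF2 password hash and the in-memory stores are constructed assumptions.

```python
import hashlib
import hmac
import secrets
# Policy values below are constructed for this example, not taken from the checklist.
MAX_FAILED_ATTEMPTS = 5         # credential submissions allowed before lockout
LOCKOUT_SECONDS = 15 * 60       # how long the account stays locked
IDLE_TIMEOUT_SECONDS = 10 * 60  # inactivity after which the session is invalid


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever slow hash the endpoint's password policy mandates.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    def __init__(self, salt: bytes, password_hash: bytes):
        self.salt, self.password_hash = salt, password_hash
        self.failed, self.locked_until = 0, 0.0


class SessionStore:
    def __init__(self, accounts: dict):
        self.accounts = accounts
        self.sessions = {}  # session_id -> (user, last_seen)

    def login(self, user: str, password: str, now: float):
        acct = self.accounts.get(user)
        if acct is None or now < acct.locked_until:
            return None  # unknown user or still locked out
        if not hmac.compare_digest(acct.password_hash, hash_password(password, acct.salt)):
            acct.failed += 1
            if acct.failed >= MAX_FAILED_ATTEMPTS:
                acct.locked_until = now + LOCKOUT_SECONDS
            return None
        acct.failed = 0
        sid = secrets.token_urlsafe(32)  # 256 random bits from the OS CSPRNG, not derived from credentials
        self.sessions[sid] = (user, now)
        return sid

    def authenticate(self, sid: str, now: float):
        entry = self.sessions.get(sid)
        if entry is None:
            return None
        user, last_seen = entry
        if now - last_seen > IDLE_TIMEOUT_SECONDS:
            del self.sessions[sid]  # idle session is invalidated at the endpoint
            return None
        self.sessions[sid] = (user, now)  # sliding inactivity window
        return user

    def logout(self, sid: str) -> None:
        self.sessions.pop(sid, None)  # terminate server-side, not only in the client
```

The `now` parameter is injected so the expiry and lockout paths can be exercised deterministically; a real endpoint would pass `time.time()`.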
Network Communication

  • Data is encrypted on the network. The secure channel is used consistently throughout the app.
  • The app verifies the certificate of the remote endpoint when the secure channel is established. Only certificates signed by a trusted CA are accepted.
  • The app doesn't rely on a single insecure communication channel (email or SMS) for critical operations, such as enrollments and account recovery.
Platform Interactions

  • The app only requests the minimum set of permissions necessary.
  • All inputs from external sources are validated. This includes data received via the UI, IPC mechanisms such as intents, custom URLs, and network sources.
  • The app does not export sensitive functionality via custom URL schemes or IPC mechanisms.
  • JavaScript is disabled in WebViews unless explicitly required.
Code Quality and Build Settings

  • The app is signed with a valid certificate and the private key is properly protected.
  • The app has been built in release mode, with settings appropriate for a release build (e.g. non-debuggable).
  • Debugging code and developer assistance code (e.g. test code, backdoors, hidden settings) have been removed. The app does not log verbose errors or debugging messages.
  • All third-party components used by the mobile app, such as libraries and frameworks, are identified and checked for known vulnerabilities.
  • The app catches and handles possible exceptions.
This checklist was created by
