App security testing checklist for Android
-
In order to execute the following checks, you need to download the following testing guide: https://confluence.securegroup.zone/download/attachments/211946950/MSTG-EN.pdf?version=1&modificationDate=1622559365802&api=v2
-
Architecture and design
-
All app components are identified and needed.
See description -
Security controls are enforced not only on the client side, but on the respective remote endpoints.
See description -
All connected remote services are defined and secured.
See description -
Data considered as sensitive in the context of the mobile app is identified.
See description -
All app components have defined business and/or security functions. (reference point: Environmental Information)
-
All security controls have a centralized implementation.
See description -
A mechanism for enforcing updates of the mobile app exists.
See description -
The app should be compliant with privacy laws and regulations.
-
Data storage
-
System credential storage facilities need to be used to store sensitive data, such as user credentials or cryptographic keys.
See description -
No sensitive data is stored outside of the app container or system credential storage.
See description -
If sensitive data is still required to be stored locally, it should be encrypted using a key derived from hardware-backed storage which requires authentication.
-
No sensitive data is written to application logs.
See description -
No sensitive data is shared with third parties unless it is a necessary part of the architecture.
See description -
The keyboard cache is disabled on text inputs that process sensitive data.
See description -
No sensitive data, such as passwords or pins, is exposed through the user interface.
See description -
No sensitive data is included in backups generated by the mobile operating system.
See description -
The app removes sensitive data from views when moved to the background.
See description -
The app does not hold sensitive data in memory longer than necessary, and memory is cleared explicitly after use.
See description -
The app enforces a minimum level of device-access security, such as requiring the user to set a device passcode.
See description -
The app’s local storage should be wiped after an excessive number of failed authentication attempts.
-
Authentication and Session Management
-
If the app provides users access to a remote service, some form of authentication, such as username/password authentication, is performed at the remote endpoint.
See description -
If stateful session management is used, the remote endpoint uses randomly generated session identifiers to authenticate client requests without sending the user's credentials.
See description -
If stateless token-based authentication is used, the server provides a token that has been signed using a secure algorithm.
See description -
The remote endpoint terminates the existing session when the user logs out.
See description -
A password policy exists and is enforced by the remote endpoint.
See description -
There is a mechanism to protect against the submission of credentials an excessive number of times.
See description -
Sessions are invalidated at the remote endpoint after a predefined period of inactivity and access tokens expire.
See description -
Biometric authentication, if any, is not event-bound (i.e. using an API that simply returns "true" or "false"). Instead, it is based on unlocking the keychain/keystore.
See description -
Sensitive transactions require step-up authentication.
See description -
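For the token-based items above (the server signs tokens with a secure algorithm, and access tokens expire), a tester usually captures a token from the app's traffic and inspects its header and claims. The script below is an added example, not part of this checklist or the MSTG: it decodes a JWT without verifying the signature (the tester does not hold the key) and reports an unsigned or unrecognised algorithm, an empty signature segment, a missing exp claim, and a lifetime longer than a policy limit. The accepted-algorithm set, the 15-minute limit and both sample tokens are constructed assumptions for the demonstration.

```python
import base64
import json
from typing import List

# Assumed policy for this example: which JWS algorithms the project accepts
# and the longest access-token lifetime it tolerates. Adjust to the real policy.
ACCEPTED_ALGS = {
    "HS256", "HS384", "HS512",
    "RS256", "RS384", "RS512",
    "ES256", "ES384", "ES512",
    "PS256", "PS384", "PS512",
}
MAX_LIFETIME_SECONDS = 15 * 60


def _b64url_decode(segment: str) -> bytes:
    # JWTs drop base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def inspect_token(token: str) -> List[str]:
    """Return review findings for a captured JWT. Empty list means nothing flagged.

    This inspects structure and claims only; it does not (and cannot) verify the
    signature, so an empty result is not proof the token is valid."""
    findings: List[str] = []
    parts = token.split(".")
    if len(parts) != 3:
        return ["token does not have three dot-separated segments"]
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # covers binascii.Error, UnicodeDecodeError, JSONDecodeError
        return ["header or payload is not valid base64url-encoded JSON"]

    alg = header.get("alg")
    if alg is None or str(alg).lower() == "none":
        findings.append("unsigned token: alg is missing or 'none'")
    elif alg not in ACCEPTED_ALGS:
        findings.append(f"unrecognised signing algorithm {alg!r}")
    if not parts[2]:
        findings.append("signature segment is empty")

    exp = claims.get("exp")
    if not isinstance(exp, (int, float)):
        findings.append("no exp claim: token never expires")
    else:
        iat = claims.get("iat")
        if isinstance(iat, (int, float)) and exp - iat > MAX_LIFETIME_SECONDS:
            findings.append(f"lifetime {int(exp - iat)}s exceeds {MAX_LIFETIME_SECONDS}s")
    return findings


def _demo_token(header: dict, claims: dict, signature: str) -> str:
    # Constructed sample token; the signature segment is a placeholder, not a real MAC.
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(claims).encode()),
        signature,
    ])


NOW = 1_700_000_000  # fixed timestamp so the sample is reproducible
GOOD_TOKEN = _demo_token({"alg": "ES256", "typ": "JWT"},
                         {"sub": "user-123", "iat": NOW, "exp": NOW + 600},
                         "c2lnbmF0dXJl")
BAD_TOKEN = _demo_token({"alg": "none"}, {"sub": "user-123"}, "")

if __name__ == "__main__":
    for label, token in (("good", GOOD_TOKEN), ("bad", BAD_TOKEN)):
        print(label, inspect_token(token) or ["no findings"])
```

Run it against a token copied from an intercepted response; a finding on the "bad" pattern (alg none, no signature, no exp) corresponds to a failed check for both items, while a clean result only means the claims look right and server-side verification still has to be tested separately.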
Network Communication
-
Data is encrypted on the network. The secure channel is used consistently throughout the app.
See description -
The app verifies the certificate of the remote endpoint when the secure channel is established. Only certificates signed by a trusted CA are accepted.
See description -
The app doesn't rely on a single insecure communication channel (email or SMS) for critical operations, such as enrollments and account recovery.
See description -
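On Android the first two network items (a secure channel used consistently, and only certificates from a trusted CA accepted) are largely governed by the app's Network Security Configuration file. The checker below is an added example, not from this checklist or the MSTG: it parses a network_security_config.xml and flags an explicit cleartextTrafficPermitted="true" and any trust anchor that accepts user-installed CA certificates, and notes the presence of debug-overrides. Both embedded configurations are constructed samples; the weak one fails the checks, the hardened one passes.

```python
import xml.etree.ElementTree as ET
from typing import List


def audit_network_security_config(xml_text: str) -> List[str]:
    """Return findings for an Android network_security_config.xml document."""
    findings: List[str] = []
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "network-security-config":
        return ["root element is not <network-security-config>"]

    # iter() also reaches nested <domain-config> blocks.
    for cfg in root.iter():
        if cfg.tag not in ("base-config", "domain-config"):
            continue
        if cfg.tag == "base-config":
            scope = "base-config"
        else:
            domains = ", ".join(d.text.strip() for d in cfg.findall("domain") if d.text)
            scope = f"domain-config for {domains or '(no domain listed)'}"
        # The platform default is cleartext disallowed for targetSdk 28+; an explicit
        # "true" re-enables plain HTTP for this scope.
        if cfg.get("cleartextTrafficPermitted", "").lower() == "true":
            findings.append(f"{scope}: cleartext (HTTP) traffic explicitly permitted")
        for cert in cfg.findall("./trust-anchors/certificates"):
            if cert.get("src") == "user":
                findings.append(f"{scope}: user-installed CA certificates are trusted")

    # debug-overrides only take effect when the app is debuggable, so their presence
    # is a pointer to also verify the release build's debuggable flag.
    if root.find("debug-overrides") is not None:
        findings.append("debug-overrides present: confirm the release build is not debuggable")
    return findings


# Constructed sample: permits HTTP everywhere and trusts user-added CAs.
WEAK_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system"/>
            <certificates src="user"/>
        </trust-anchors>
    </base-config>
</network-security-config>
"""

# Constructed sample: TLS only, system CA store only.
HARDENED_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system"/>
        </trust-anchors>
    </base-config>
    <domain-config>
        <domain includeSubdomains="true">api.example.invalid</domain>
    </domain-config>
</network-security-config>
"""

if __name__ == "__main__":
    print("weak:", audit_network_security_config(WEAK_CONFIG))
    print("hardened:", audit_network_security_config(HARDENED_CONFIG))
```

The file lives under res/xml/ in a decoded APK and is referenced from the manifest's android:networkSecurityConfig attribute; a clean result here still needs to be confirmed dynamically, because code can bypass the configuration with its own TrustManager.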
Platform Interactions
-
The app only requests the minimum set of permissions necessary.
See description -
All inputs from external sources are validated. This includes data received via the UI, IPC mechanisms such as intents, custom URLs, and network sources.
See description -
The app does not export sensitive functionality via custom URL schemes or IPC mechanisms.
See description -
JavaScript is disabled in WebViews unless explicitly required.
See description -
Code Quality and Build Settings
-
The app is signed with a valid certificate and the private key is properly protected.
See description -
The app has been built in release mode, with settings appropriate for a release build (e.g. non-debuggable).
See description -
Debugging code and developer assistance code (e.g. test code, backdoors, hidden settings) have been removed. The app does not log verbose errors or debugging messages.
See description -
All third-party components used by the mobile app, such as libraries and frameworks, are identified and checked for known vulnerabilities.
See description -
The app catches and handles possible exceptions.
See description
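Several items across the sections above are decided by AndroidManifest.xml: no sensitive data in OS backups (allowBackup), only the minimum set of permissions requested, no sensitive functionality exported via IPC, and a non-debuggable release build. The script below is an added example, not taken from this checklist or the MSTG: it parses a manifest and reports a debuggable application, backups left enabled, an explicit cleartext-traffic allowance, and any component that is exported (explicitly, or implicitly through an intent filter under the pre-API-31 default) without a protecting permission, skipping the launcher activity, which must be exported. It also returns the requested permissions so the reviewer can compare them against what the app actually needs. The embedded manifest is a constructed sample.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")


def _is_launcher(component: ET.Element) -> bool:
    # The MAIN/LAUNCHER activity has to be exported; exclude it from the IPC finding.
    return any(action.get(ANDROID_NS + "name") == "android.intent.action.MAIN"
               for action in component.iter("action"))


def audit_manifest(xml_text: str) -> Dict[str, List[str]]:
    """Return {"findings": [...], "permissions": [...]} for an AndroidManifest.xml."""
    findings: List[str] = []
    root = ET.fromstring(xml_text.encode("utf-8"))
    app = root.find("application")
    if app is None:
        return {"findings": ["no <application> element"], "permissions": []}

    if app.get(ANDROID_NS + "debuggable") == "true":
        findings.append("application is debuggable: not acceptable for a release build")
    # allowBackup defaults to true when the attribute is absent.
    if app.get(ANDROID_NS + "allowBackup", "true") == "true":
        findings.append("allowBackup not disabled: app data may be included in OS backups")
    if app.get(ANDROID_NS + "usesCleartextTraffic") == "true":
        findings.append("usesCleartextTraffic=true: unencrypted network traffic allowed")

    for comp in app.iter():
        if comp.tag not in COMPONENT_TAGS:
            continue
        name = comp.get(ANDROID_NS + "name", "?")
        exported = comp.get(ANDROID_NS + "exported")
        if exported is None:
            # Before API 31 a component with an intent filter is exported by default.
            exported = "true" if comp.find("intent-filter") is not None else "false"
        if exported == "true" and comp.get(ANDROID_NS + "permission") is None \
                and not _is_launcher(comp):
            findings.append(f"{comp.tag} {name} is exported without a permission")

    permissions = [p.get(ANDROID_NS + "name", "") for p in root.findall("uses-permission")]
    return {"findings": findings, "permissions": permissions}


# Constructed sample manifest with several of the weaknesses the checklist names.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <application android:label="Demo" android:debuggable="true" android:allowBackup="true">
        <activity android:name=".MainActivity" android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <activity android:name=".DeepLinkActivity">
            <intent-filter>
                <action android:name="android.intent.action.VIEW"/>
                <data android:scheme="demo"/>
            </intent-filter>
        </activity>
        <service android:name=".SyncService" android:exported="true"
                 android:permission="com.example.demo.SYNC"/>
        <provider android:name=".DataProvider" android:authorities="com.example.demo.data"
                  android:exported="true"/>
    </application>
</manifest>
"""

if __name__ == "__main__":
    result = audit_manifest(SAMPLE_MANIFEST)
    for finding in result["findings"]:
        print("FINDING:", finding)
    print("requested permissions:", result["permissions"])
```

The sample produces four findings: the debuggable flag, backups enabled, the implicitly exported deep-link activity, and the exported content provider; the permission-protected service is not reported. Run the same check on the manifest decoded from the release APK, since build flavours can differ from the source tree.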