Mobile Pentest Checklist

OWASP Mobile Top 10 – OMT_2024_v2
M1 – Improper Credential Usage
M2 – Inadequate Supply Chain Security
M3 – Insecure Authentication / Authorization
M4 – Insufficient Input / Output Validation
M5 – Insecure Communication
M6 – Inadequate Privacy Controls
M7 – Insufficient Binary Protections
M8 – Security Misconfiguration
M9 – Insecure Data Storage
M10 – Insufficient Cryptography
Android - Static Analysis
APK decompilation (jadx/apktool)
Hardcoded API keys / Secrets
Hardcoded credentials
Weak cryptography (MD5 / SHA1 / Base64 misuse)
Insecure Random() usage (predictable OTP)
Debuggable flag enabled
android:allowBackup=true
Cleartext traffic enabled
Exported Activities/Services/Receivers
Weak signing certificate / Janus vulnerability
Code obfuscation missing (ProGuard/R8)
Unsafe WebView configuration
Android - Dynamic Analysis
SSL Pinning validation & bypass
Root detection bypass
Emulator detection bypass
ADB activity launch bypass
Intent spoofing / sniffing
Broadcast receiver exploitation
Content provider SQLi / Path traversal
WebView XSS / LFI
Sensitive data in Logcat
Sensitive data in memory (fridump)
Biometric authentication bypass
Android - Storage & Crypto
SharedPreferences sensitive storage
SQLite database encryption check
Temporary files leakage
External storage data exposure
Insecure Firebase configuration
KeyStore misuse
Clipboard leakage of sensitive data
Android - Platform & Advanced
Repackaging / integrity validation missing
Background screenshot leakage
Overlay attack protection missing
Accessibility abuse
Third-party SDK vulnerabilities
Insecure deep links
API security validation (BOLA / IDOR)
Certificate transparency not enforced
iOS - Static Analysis
IPA extraction & class-dump
Hardcoded secrets in binary
Weak cryptography usage
App Transport Security (ATS) misconfiguration
Debug symbols exposed
Insecure plist configuration
Missing jailbreak detection
iOS - Dynamic Analysis
Runtime hooking detection bypass
Jailbreak detection bypass
Certificate pinning validation & bypass
Sensitive data in memory
Keychain extraction
NSUserDefaults sensitive storage
Pasteboard leakage
iOS - Network Security
MITM testing (TLS enforcement)
ATS downgrade attack
Certificate pinning bypass
Weak TLS cipher suites
iOS - Platform & Advanced
Screenshot protection missing
Repackaging / Integrity validation missing
Insecure URL schemes
Biometric bypass testing
Insecure background execution
API security validation (BOLA / IDOR)
Insecure file protection flags
Vulnerability Rating & Scoring
Bugcrowd VRT – Bugcrowd Vulnerability Rating Taxonomy
CVSS v3 Calculator – CVSS v3 score calculator
Use VRT for bug bounty severity mapping and CVSS for enterprise reporting.
Enterprise SDLC & Security Architecture
Secure SDLC & Architecture

🛠 Secure SDLC

Threat Modeling (STRIDE) – Identify spoofing, tampering, repudiation and information disclosure risks early.

Secure Coding Guidelines – Developers follow language-specific secure standards.

Code Review Enforcement – Mandatory peer review before merge.

SAST Integration – Static analysis in CI to catch vulnerabilities pre-deployment.

DAST Integration – Runtime scanning of staging environments.

Secrets Scanning – Detect exposed API keys & credentials in repos.

Dependency Scanning (SCA) – Monitor third-party library CVEs continuously.

CI/CD Security Gates – Block builds if critical issues are found.

🌐 Web / API / Mobile Practices

Input Validation Policy – Centralized validation & sanitization rules.

Centralized Authentication – Unified identity provider (OIDC / SSO).

Token Expiration Enforcement – Short-lived JWT & refresh strategy.

Certificate Pinning (Mobile) – Prevent MITM attacks.

CSP Enforcement – Reduce XSS impact surface.

Rate Limiting Strategy – Prevent brute force & abuse.

Secure Error Handling – No stack traces in production.

🛡 WAF & Edge Protection

Cloudflare / AWS WAF – Managed layer 7 filtering.

Managed & Custom Rule Sets – Block OWASP & business logic attacks.

Bot Mitigation – Prevent automation abuse.

DDoS Protection – Traffic scrubbing & edge distribution.

Geo Blocking – Restrict high-risk regions.

Virtual Patching – Temporary mitigation before code fix.

🌍 Network & Infrastructure

VPN Access Control – Restrict internal services exposure.

Zero Trust Architecture – Verify every access request.

Firewall Segmentation – Isolate production from internal networks.

IDS/IPS Monitoring – Detect intrusion attempts.

SIEM Logging – Centralized log correlation & alerting.

🏢 Active Directory Security

Least Privilege Model – Role-based access only.

GPO Hardening – Enforce secure domain policies.

Privileged Access Management – Just-in-time admin access.

Domain Controller Hardening – Protect AD core services.

Kerberos Protection – Prevent ticket abuse & relay attacks.

Audit Logging – Track authentication & privilege use.

☁ Cloud Security

IAM Least Privilege – Fine-grained cloud roles.

Security Group Audits – Restrict open ports.

S3 Bucket Policy Review – Prevent public exposure.

CloudTrail Logging – Track API activity.

Secrets Manager Usage – Store credentials securely.

🚀 DevSecOps

Branch Protection – Prevent direct production pushes.

PR Security Review – Mandatory approval before merge.

Container Scanning – Detect image vulnerabilities.

Kubernetes Security – RBAC & pod security policies.

IaC Scanning – Terraform / CloudFormation misconfig detection.