Mobile Application Testing Checklist

📱 Android Testing

Static Analysis

  • Decompile APK (jadx, apktool)
  • Review AndroidManifest.xml
  • Check for hardcoded secrets
  • Analyze exported components
  • Review permissions
  • Check for debugging enabled
  • Identify third-party libraries
  • Search for sensitive strings
    # Decompile APK (apktool recovers resources and the manifest, jadx recovers Java source)
    apktool d app.apk -o output/
    jadx app.apk -d jadx-output/

    # Check for secrets (-E uses extended regex so the alternation works with GNU and BSD grep)
    grep -rniE "api_key|password|secret" jadx-output/

Dynamic Analysis

  • Setup proxy (Burp/mitmproxy)
  • Bypass certificate pinning
  • Monitor network traffic
  • Analyze runtime behavior
  • Test with Frida scripts
  • Check for root detection
  • Intercept API calls
    # Frida SSL pinning bypass (spawns the app with the script loaded)
    frida -U -f com.target.app -l ssl_pinning_bypass.js --no-pause

    # Objection: attach, then type the pinning command in the objection console
    objection -g com.target.app explore
    android sslpinning disable

Data Storage

  • Check SharedPreferences
  • Analyze SQLite databases
  • Review internal storage
  • Check external storage
  • Examine cache files
  • Check for logging
    # ADB commands (run-as only works for debuggable builds; otherwise use a rooted device)
    adb shell
    run-as com.target.app
    cat shared_prefs/*.xml
    sqlite3 databases/*.db

Exported Components

  • Test exported activities
  • Check content providers
  • Test broadcast receivers
  • Analyze services
  • Deep link testing

🍎 iOS Testing

Static Analysis

  • Extract IPA file
  • Analyze with MobSF
  • Review Info.plist
  • Check entitlements
  • Search for secrets
  • Analyze binary (class-dump, Hopper)
    # Extract IPA (an IPA is a zip; the binary is under Payload/App.app/)
    unzip app.ipa -d extracted/

    # Class dump (binary must be decrypted first, e.g. on a jailbroken device)
    class-dump App > classes.txt

    # Search secrets (-E: extended regex, works with BSD grep on macOS too)
    strings App | grep -iE "api|key|secret|password"

Dynamic Analysis

  • Setup Burp proxy
  • Bypass SSL pinning
  • Runtime manipulation (Frida)
  • Test jailbreak detection
  • Method hooking
  • Keychain analysis
    # Objection iOS: attach, then type the following in the objection console
    objection -g com.target.app explore
    ios sslpinning disable
    ios keychain dump

Data Storage

  • Check Keychain items
  • Analyze plist files
  • Review SQLite databases
  • Check NSUserDefaults
  • Examine cache/cookies
  • Binary cookies analysis

🔐 Authentication Testing

Login Security

  • Test brute force protection
  • Check account lockout
  • Test password policy
  • Verify MFA implementation
  • Test biometric bypass
  • Check for credential storage

Session Management

  • Token storage analysis
  • Session timeout testing
  • Token refresh mechanism
  • Logout functionality
  • Session fixation
  • Concurrent sessions

OAuth/SSO

  • State parameter validation
  • Redirect URI validation
  • Token leakage testing
  • PKCE implementation
  • Deep link hijacking

🌐 API Security

Network Analysis

  • Capture all API traffic
  • Identify sensitive endpoints
  • Test for IDOR
  • Check authorization
  • Test rate limiting
  • Verify encryption

Common Vulnerabilities

  • Broken authentication
  • Mass assignment
  • Injection attacks
  • Sensitive data exposure
  • Missing security headers
  • Improper error handling

🔒 Cryptography

Implementation Review

  • Check encryption algorithms
  • Verify key storage
  • Test for weak crypto
  • Check certificate validation
  • Review random generation
  • Test for hardcoded IVs

Common Issues

| Issue | Risk | Recommendation |
|---|---|---|
| Hardcoded keys | Critical | Use keystore/keychain |
| Weak algorithms | High | Use AES-256, RSA-2048+ |
| No cert pinning | Medium | Implement pinning |
| Insecure random | High | Use SecureRandom |

🛡️ Security Controls

Root/Jailbreak Detection

  • Test detection mechanisms
  • Bypass techniques
  • Evaluate effectiveness
  • Check response behavior

Code Obfuscation

  • Evaluate obfuscation level
  • Test for debug info
  • Check symbol stripping
  • Anti-tampering measures

Runtime Protection

  • Debugger detection
  • Emulator detection
  • Hook detection
  • Memory protection

🛠️ Tools Reference

Android Tools

| Tool | Purpose |
|---|---|
| jadx | Java decompiler |
| apktool | APK manipulation |
| Frida | Dynamic instrumentation |
| Objection | Runtime exploration |
| MobSF | Automated analysis |
| Drozer | Security assessment |
| ADB | Android debug bridge |

iOS Tools

| Tool | Purpose |
|---|---|
| Hopper | Disassembler |
| class-dump | Extract classes |
| Frida | Dynamic instrumentation |
| Objection | Runtime exploration |
| MobSF | Automated analysis |
| Needle | iOS security testing |
| Cycript | Runtime manipulation |

Frida Scripts

    // SSL Pinning Bypass (Android, javax.net.ssl path only; OkHttp CertificatePinner
    // and other libraries need their own hooks, see the objection command above)
    Java.perform(function () {
        var X509TrustManager = Java.use('javax.net.ssl.X509TrustManager');
        var SSLContext = Java.use('javax.net.ssl.SSLContext');

        // Trust manager that accepts any certificate chain
        var TrustManagerImpl = Java.registerClass({
            name: 'TrustManagerImpl',
            implements: [X509TrustManager],
            methods: {
                checkClientTrusted: function (chain, authType) {},
                checkServerTrusted: function (chain, authType) {},
                getAcceptedIssuers: function () { return []; }
            }
        });

        // The original script never installed the trust manager; hook SSLContext.init()
        // so every context the app creates uses it instead of the app's own
        var init = SSLContext.init.overload(
            '[Ljavax.net.ssl.KeyManager;', '[Ljavax.net.ssl.TrustManager;', 'java.security.SecureRandom');
        init.implementation = function (keyManagers, trustManagers, secureRandom) {
            console.log('[*] SSLContext.init() called, replacing TrustManagers');
            init.call(this, keyManagers, [TrustManagerImpl.$new()], secureRandom);
        };
    });

📊 Severity Classification

| Finding | Severity |
|---|---|
| Hardcoded credentials | Critical |
| No SSL pinning | High |
| Sensitive data in logs | High |
| Weak encryption | High |
| Missing root detection | Medium |
| Debug mode enabled | Medium |
| Excessive permissions | Low |

Last updated: 2024