Android Test Cases

  • Root/Runtime Detection
    • SuperSU
      • RootCloak
    • Magisk
      • Hide Magisk Manager
      • Magisk Hide
      • Magisk Core Only
      • Systemless
    • Frida
    • Xposed
  • APK
    • Can the application be modified and resigned?
      • Use a checksum or digital signature check to detect this
    • View Application Manifest File
      • Look for debug flag
      • Look for backup flag
      • Look for IPC info
      • Look at permissions
    • Look for hard coded information in APK
    • Obfuscation is enabled
      • Also check third-party libraries
    • ptrace attachment to the application is disabled (anti-debugging)
    • Binaries are stripped
  • Network
    • Connections using SSL
    • Check networkSecurityConfig for exceptions
    • Does the application use Certificate Pinning
      • How easy is it to bypass
    • Can the message be modified?
      • Is the request signed?
    • What is the session token?
    • SSL Cipher Check on servers
  • Data Storage
    • Check at runtime for short-lived files using fsmon
      • Look at Cache Information
    • Look for sensitive data in unencrypted files
    • Look for data stored outside the application directory like the /sdcard/
    • Check File Permissions and ownership
      • This is relevant below Android 7.0 (API level 24)
    • Look for sensitive data in SQLite files
      • Cookie database
        • Cookies should carry the HttpOnly and Secure flags
    • What is stored in the Shared Preferences Folder
    • Are files stored in the attachments folder
    • HTTP Cache data
    • Crash Logs should not contain sensitive data
  • Crypto
    • Look at Block Size
    • Look at Key Size
    • Look at Cipher
    • Look at API versions
    • Check for insecure randomness in:
      • SecureRandom
      • KeyGenerator
      • KeyPairGenerator
      • KeyAgreement
      • Signature
    • Key is not stored as a String
  • Log Information contains Sensitive Data
  • Authentication Bypass
    • DeviceID should not be used as the only authentication factor
    • How is the PIN verified?
      • Is it stored on the device?
      • How are the secrets encrypted or validated?
      • Does the PIN work if the device is offline?
      • Can it be bypassed?
      • Does the app reset the PIN attempt count when backgrounded or killed?
      • How hard is it to brute force?
    • If a device fingerprint is added, does the flow change?
      • How are the secrets encrypted or validated
    • Lock
      • Application is locked out when backgrounded
      • Application is locked out when switching applications or after a maximum of 15 mins timeout
      • Application is locked when device is locked
    • Using Device Tokens
      • Are these device tokens revocable by the server?
    • Android AccountManager
      • What is stored in the /data/system/users/0/accounts.db
      • Can Third Party applications request this information?
  • What is in the Keystore
    • How is the keystore information stored and encrypted
    • Should not use the Bouncy Castle Keystore (BKS)
    • Is the key invalidated on new fingerprint enrollment?
    • Is the keystore accessible without screen unlock? (setUnlockedDeviceRequired)
  • IPC
    • Excessive Android Permissions
    • Intents
      • Sensitive Information should not be transmitted this way
      • Use Explicit Intents for internal data
      • Exported components that receive intents should check the caller's identity
      • Exported intents should not use Serializable Objects (getSerializable/putSerializable)
      • PendingIntents should be specified with a component name
    • Activities
      • Is the activity exported?
        • Does it check the origin of the calling activity?
        • Is it protected only by insecure (normal or dangerous level) permissions?
      • Does it validate its input parameters?
      • Does it set FLAG_SECURE?
    • Broadcast Checks
      • Is sensitive data passed in broadcasts?
      • Does it validate its input parameters?
      • Is the broadcast receiver exported?
        • Is the origin checked?
    • Services
      • Is the service exported?
        • Is it protected only by insecure (normal or dangerous level) permissions?
        • Does it validate its input parameters?
    • Content Providers
      • Is the content provider exported?
        • Is it protected only by insecure (normal or dangerous level) permissions?
        • Are parameters vulnerable to SQL injection?
  • Screenshot
    • Does the task snapshot contain sensitive data when the app is backgrounded?
  • Keyboard
    • Prevent the keyboard from caching sensitive data
    • The application should not allow Third-Party Keyboards
  • TapJacking
    • Is setFilterTouchesWhenObscured(boolean) called, or the android:filterTouchesWhenObscured layout attribute set to true?
    • Or is onFilterTouchEventForSecurity(MotionEvent) overridden?
    • Or is FLAG_WINDOW_IS_OBSCURED checked on incoming touch events?
  • Web Views
    • setJavaScriptEnabled
    • setPluginsEnabled, setPluginState
    • setAllowFileAccess
    • setGeolocationEnabled
    • Are URLs checked before loaded? (shouldOverrideUrlLoading/shouldInterceptRequest)
    • addJavascriptInterface
    • XSS attacks
    • android:usesCleartextTraffic not set
    • https://inappbrowser.com/
  • SQL
    • Look for Injection Vulnerabilities
  • NDK
    • Check Third party libraries for version and security vulnerabilities
    • Can user input reach a dangerous function?
    • Can user input be written into a fixed-size buffer?