Application Security Checklist For PCI DSS

The document outlines a comprehensive security assessment framework for mobile applications, detailing both static and dynamic checks to evaluate security measures. It includes specific verification requirements across various categories such as architecture, data storage, cryptography, authentication, network communication, and platform interaction. The document emphasizes the importance of identifying vulnerabilities and ensuring robust security practices throughout the app development lifecycle.

Uploaded by PRASAD PATHAK
Static Checks

| Security Check | Action | State (Vulnerable/Secure) |
|---|---|---|
| Review of each application activity | | |
| Application Services | | |
| Used Broadcast Receivers | | |
| Permissions | | |
| Application Manifest | | |
| Shared Libraries | | |
| WebView implementation | | |
| OS commands | | |
| SSL checks | | |

Dynamic Checks

| Security Check | Action | State (Vulnerable/Secure) |
|---|---|---|
| Local Storage for Sensitive Data | | |
| Random Number Generation | | |
| Local Storage for Input Validation | | |
| Logs for Sensitive Data | | |
| Backups for Sensitive Data | | |
| Device-Access-Security Policy | | |
| Endpoint Identity Verification | | |
| Custom Certificate Stores and Certificate Pinning | | |
| Network Security Configuration Settings | | |
| Injection Flaws | | |
| Sensitive Functionality Exposure Through IPC | | |
| JavaScript Execution in WebViews | | |
| WebView Protocol Handlers | | |
| Whether the App is Debuggable | | |
| Exception Handling | | |
| Root Detection | | |
| Anti-Debugging Detection | | |
| Emulator Detection | | |
| Device Binding | | |
Detailed Verification Requirements

Architecture, design and threat modelling

| ID | Detailed Verification Requirement | Status |
|---|---|---|
| 1 | Verify all application components are identified and are known to be needed. | Not Completed |
| 2 | Verify all third-party components used by the mobile app, such as libraries and frameworks, are identified and checked for known vulnerabilities. | Not Completed |
| 3 | Verify that security controls are never enforced only on the client side, but on the respective remote endpoints. | Not Completed |
| 4 | Verify that a high-level architecture for the mobile app and all connected remote services has been defined and that security has been addressed in that architecture. | Not Completed |
| 5 | Verify that data considered sensitive in the context of the mobile app is clearly identified. | Not Completed |
| 6 | Verify all app components are defined in terms of the business functions and/or security functions they provide. | Not Completed |
| 7 | Verify that a threat model for the mobile app and the associated remote services, which identifies potential threats and countermeasures, has been produced. | Not Completed |
| 8 | Verify all third-party components have been assessed (associated risks) before being used or implemented. Additionally, verify that a process is in place to ensure that each time a security update for a third-party component is published, the change is inspected and the risk evaluated. | Not Completed |
| 9 | Verify that all security controls have a centralized implementation. | Not Completed |
| 10 | Verify that all components that are not part of the application but that the application relies on to operate are clearly identified and that the security implications of using those components are known. | Not Completed |

Data Storage and Privacy

| ID | Detailed Verification Requirement | Status |
|---|---|---|
| 11 | Verify that system credential storage facilities are used appropriately to store sensitive data, such as user credentials or cryptographic keys. | Not Completed |
| 12 | Verify that no sensitive data is written to application logs. | Not Completed |
| 13 | Verify that no sensitive data is shared with third parties unless it is a necessary part of the architecture. | Not Completed |
| 14 | Verify that the keyboard cache is disabled on text inputs that process sensitive data. | Not Completed |
| 15 | Verify that the clipboard is deactivated on text fields that may contain sensitive data. | Not Completed |
| 16 | Verify that no sensitive data is exposed via IPC mechanisms. | Not Completed |
| 17 | Verify that no sensitive data, such as passwords and credit card numbers, is exposed through the user interface or leaks to screenshots. | Not Completed |
| 18 | Verify that no sensitive data is included in backups. | Not Completed |
| 19 | Verify that the app removes sensitive data from views when backgrounded. | Not Completed |
| 20 | Verify that the app does not hold sensitive data in memory longer than necessary, and that memory is cleared explicitly after use. | Not Completed |
| 21 | Verify that the app enforces a minimum device-access-security policy, such as requiring the user to set a device passcode. | Not Completed |
| 22 | Verify that the app educates the user about the types of personally identifiable information processed, as well as the security best practices the user should follow in using the app. | Not Completed |

Cryptography

| ID | Detailed Verification Requirement | Status |
|---|---|---|
| 23 | Verify that the app does not rely on symmetric cryptography with hardcoded keys as its sole method of encryption. | Not Completed |
| 24 | Verify that the app uses proven implementations of cryptographic primitives. | Not Completed |
| 25 | Verify that the app uses cryptographic primitives that are appropriate for the particular use case, configured with parameters that adhere to industry best practices. | Not Completed |
| 26 | Verify that the app does not use cryptographic protocols or algorithms that are widely considered deprecated for security purposes. | Not Completed |
| 27 | Verify that the app doesn't re-use the same cryptographic key for multiple purposes. | Not Completed |
| 28 | Verify that all random values are generated using a sufficiently secure random number generator. | Not Completed |
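
Requirements 23, 27 and 28 are easiest to review against a concrete key-management pattern. The following is an added example, not code from the checklist's author: a standard-library HKDF (RFC 5869) that derives one independent key per purpose from a master key generated by the OS CSPRNG, so no key is hardcoded and no key serves two purposes. The `example-app/v1/` info prefix and the idea that the master key would live in the platform keystore on a real device are assumptions for this example.

```python
import hashlib
import hmac
import secrets

HASH = "sha256"
HASH_LEN = hashlib.new(HASH).digest_size  # 32 bytes for SHA-256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869, section 2.2): PRK = HMAC(salt, IKM)."""
    if not salt:
        salt = b"\x00" * HASH_LEN  # RFC default when no salt is supplied
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869, section 2.3): stretch PRK into `length` bytes bound to `info`."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested key material too long")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        # T(i) = HMAC(PRK, T(i-1) | info | i), with T(0) the empty string
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_purpose_keys(master_key: bytes, salt: bytes, purposes) -> dict:
    """One independent 256-bit key per purpose (requirement 27). The purpose label is
    mixed into `info`, so the storage key can never double as a MAC or token key."""
    prk = hkdf_extract(salt, master_key)
    # "example-app/v1/" is an assumed application-specific label, not from the checklist
    return {p: hkdf_expand(prk, b"example-app/v1/" + p.encode(), 32) for p in purposes}


def new_master_key() -> bytes:
    """Root secret from the OS CSPRNG (requirement 28), never embedded in the binary
    (requirement 23). On a device this value belongs in the platform keystore (assumption)."""
    return secrets.token_bytes(32)


def new_nonce() -> bytes:
    """Fresh 96-bit nonce for an AEAD such as AES-GCM; never derived from time or a counter seed."""
    return secrets.token_bytes(12)


if __name__ == "__main__":
    master = new_master_key()
    keys = derive_purpose_keys(master, b"constructed-salt", ["storage-enc", "api-hmac", "token-sign"])
    for purpose, key in keys.items():
        print(purpose, key.hex())
```

The extract and expand functions reproduce the RFC 5869 test vectors, which is the check a reviewer should run before trusting any hand-written KDF; in production the `cryptography` package's HKDF is the proven implementation requirement 24 asks for, and this block only shows what it computes.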

Authentication and Session Management

| ID | Detailed Verification Requirement | Status |
|---|---|---|
| 29 | Verify that if the app provides users with access to a remote service, an acceptable form of authentication, such as username/password authentication, is performed at the remote endpoint. | Not Completed |
| 30 | Verify that the remote endpoint uses randomly generated access tokens to authenticate client requests without sending the user's credentials. | Not Completed |
| 31 | Verify that the remote endpoint terminates the existing session when the user logs out. | Not Completed |
| 32 | Verify that a password policy exists and is enforced at the remote endpoint. | Not Completed |
| 33 | Verify that the remote endpoint implements an exponential back-off, or temporarily locks the user account, when incorrect authentication credentials are submitted an excessive number of times. | Not Completed |
| 34 | Verify that biometric authentication, if any, is not event-bound (i.e. using an API that simply returns "true" or "false"). Instead, it is based on unlocking the keychain/keystore. | Not Completed |
| 35 | Verify that sessions are terminated at the remote endpoint after a predefined period of inactivity. | Not Completed |
| 36 | Verify that a second factor of authentication exists at the remote endpoint and that the 2FA requirement is consistently enforced. | Not Completed |
| 37 | Verify that step-up authentication is required to enable actions that deal with sensitive data or transactions. | Not Completed |
| 38 | Verify that the app informs the user of all login activities with his or her account. Users are able to view a list of devices used to access the account, and to block specific devices. | Not Completed |
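
Requirements 30, 31, 33 and 35 all describe server-side behaviour, which is where a tester should verify them. The following is an added example, not code from the checklist's author: a minimal remote endpoint that throttles failed logins with exponential back-off, locks the account temporarily after a threshold, issues random access tokens, and terminates sessions on logout or inactivity. The thresholds (2 s base delay, lockout after 5 failures for 900 s, 600 s idle timeout), the PBKDF2 password storage and the injectable clock are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import time

PBKDF2_ITERATIONS = 100_000


def make_password_record(password: str, salt: bytes = None) -> tuple:
    """Store (salt, PBKDF2-HMAC-SHA256 hash), never the password itself."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


class ManualClock:
    """Deterministic clock so the back-off schedule can be exercised without sleeping."""
    def __init__(self, start: float):
        self.t = start

    def __call__(self) -> float:
        return self.t


class AuthEndpoint:
    """Server-side login with exponential back-off, temporary lockout, random access
    tokens, and sessions that end on logout or after a period of inactivity."""

    BASE_DELAY = 2.0        # seconds after the first failure; doubles per failure
    LOCKOUT_AFTER = 5       # failures before the account is temporarily locked
    LOCKOUT_SECONDS = 900.0
    IDLE_TIMEOUT = 600.0    # inactivity after which the session is terminated (req. 35)

    def __init__(self, users: dict, clock=time.monotonic):
        self._users = users          # username -> (salt, hash)
        self._clock = clock          # injectable for tests
        self._failures = {}          # username -> (count, not_before)
        self._sessions = {}          # token -> (username, last_seen)

    def login(self, username: str, password: str):
        """Return (token, "ok") or (None, reason). The back-off window is enforced before
        the password is checked, so guessing is throttled even for a correct guess."""
        now = self._clock()
        count, not_before = self._failures.get(username, (0, 0.0))
        if now < not_before:
            return None, "retry later"
        record = self._users.get(username)
        if record is None:
            # Dummy record so unknown users cost the same PBKDF2 work as known ones.
            record = (b"\x00" * 16, secrets.token_bytes(32))
        salt, expected = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        if not hmac.compare_digest(candidate, expected):
            count += 1
            if count >= self.LOCKOUT_AFTER:
                delay = self.LOCKOUT_SECONDS                  # temporary lock (req. 33)
            else:
                delay = self.BASE_DELAY * 2 ** (count - 1)    # 2, 4, 8, 16 seconds
            self._failures[username] = (count, now + delay)
            return None, "invalid credentials"
        self._failures.pop(username, None)
        token = secrets.token_urlsafe(32)   # 256 random bits; carries no credential (req. 30)
        self._sessions[token] = (username, now)
        return token, "ok"

    def authenticate(self, token: str):
        """Return the username for a live session and refresh its activity timestamp."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        username, last_seen = entry
        now = self._clock()
        if now - last_seen > self.IDLE_TIMEOUT:
            del self._sessions[token]      # idle session is terminated server-side
            return None
        self._sessions[token] = (username, now)
        return username

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)    # req. 31: the session dies at the endpoint

    def retry_after(self, username: str) -> float:
        """Seconds until the next attempt is accepted (0 when not throttled)."""
        _, not_before = self._failures.get(username, (0, 0.0))
        return max(0.0, not_before - self._clock())
```

When testing a real endpoint against requirement 33, submit wrong credentials repeatedly and confirm that the delay grows and that a correct password is refused inside the window, as the `login` method here does; a server that only slows down the wrong guesses but accepts a correct one immediately has not implemented back-off.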

Network Communication

| ID | Detailed Verification Requirement | Status |
|---|---|---|
| 39 | Verify that data is encrypted on the network using TLS, and that the secure channel is used consistently throughout the app. | Not Completed |
| 40 | Verify that the TLS settings are in line with current best practices, as far as they are supported by the mobile operating system. | Not Completed |
| 41 | Verify that the app verifies the X.509 certificate of the remote endpoint when the secure channel is established. Only certificates signed by a valid CA are accepted. | Not Completed |
| 42 | Verify that the app either uses its own certificate store, or pins the endpoint certificate or public key, and subsequently does not establish connections with endpoints that offer a different certificate or key, even if signed by a trusted CA. | Not Completed |
| 43 | Verify that the app doesn't rely on a single insecure communication channel (email or SMS) for critical operations, such as enrollments and account recovery. | Not Completed |
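
On Android, requirements 39, 41 and 42 (and the "Network Security Configuration Settings" and "Custom Certificate Stores and Certificate Pinning" dynamic checks) can be reviewed statically from `res/xml/network_security_config.xml`. The following is an added example, not code from the checklist's author: a parser that flags cleartext permission, trust in user-installed CAs, missing or single-pin pin-sets, non-SHA-256 pins and expired pin-sets. The two configurations and the pin values are constructed placeholders; `today` is passed in so the expiry check is deterministic.

```python
import xml.etree.ElementTree as ET
from datetime import date


def check_network_security_config(config_xml: str, today: date) -> list:
    """Return findings (strings) for an Android network_security_config.xml; [] means clean."""
    root = ET.fromstring(config_xml)
    findings = []
    for cfg in root.iter():   # document order; nested domain-configs are visited too
        if cfg.tag not in ("base-config", "domain-config", "debug-overrides"):
            continue
        label = cfg.tag
        domains = [d.text.strip() for d in cfg.findall("domain") if d.text]
        if domains:
            label += " for " + ", ".join(domains)

        # Requirement 39: the secure channel must be used consistently, so no cleartext anywhere.
        if cfg.get("cleartextTrafficPermitted") == "true":
            findings.append(label + " permits cleartext traffic")

        # Requirement 42: a user-installed CA in the trust anchors lets an on-path proxy
        # present a CA-signed certificate, which is exactly what pinning exists to refuse.
        anchors = cfg.find("trust-anchors")
        if anchors is not None:
            for certs in anchors.findall("certificates"):
                if certs.get("src") == "user":
                    findings.append(label + " trusts user-installed certificates")

        if cfg.tag == "domain-config":
            pin_set = cfg.find("pin-set")
            if pin_set is None:
                findings.append(label + " has no pin-set")
                continue
            pins = pin_set.findall("pin")
            if len(pins) < 2:   # without a backup pin, key rotation bricks the app
                findings.append(label + " pin-set has no backup pin")
            for pin in pins:
                if pin.get("digest") != "SHA-256":
                    findings.append(label + " pin uses digest " + str(pin.get("digest")))
            expiration = pin_set.get("expiration")
            if expiration and date.fromisoformat(expiration) < today:
                # Android stops enforcing an expired pin-set instead of failing closed.
                findings.append(label + " pin-set expired on " + expiration)
        elif cfg.tag == "debug-overrides":
            findings.append("debug-overrides present; confirm they are absent from the release build")
    return findings


# Constructed sample: weak settings a reviewer should catch (placeholder pin values).
WEAK_CONFIG = """<network-security-config>
  <base-config cleartextTrafficPermitted="true">
    <trust-anchors><certificates src="system"/><certificates src="user"/></trust-anchors>
  </base-config>
  <domain-config>
    <domain includeSubdomains="true">api.example.test</domain>
    <pin-set expiration="2023-12-31">
      <pin digest="SHA-256">QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUE=</pin>
    </pin-set>
  </domain-config>
  <domain-config><domain>cdn.example.test</domain></domain-config>
</network-security-config>"""

# Constructed sample: the corrected configuration (placeholder pin values).
SECURE_CONFIG = """<network-security-config>
  <base-config cleartextTrafficPermitted="false">
    <trust-anchors><certificates src="system"/></trust-anchors>
  </base-config>
  <domain-config>
    <domain includeSubdomains="true">api.example.test</domain>
    <pin-set expiration="2030-12-31">
      <pin digest="SHA-256">QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUE=</pin>
      <pin digest="SHA-256">QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkI=</pin>
    </pin-set>
  </domain-config>
</network-security-config>"""

if __name__ == "__main__":
    for finding in check_network_security_config(WEAK_CONFIG, date.today()):
        print("FINDING:", finding)
```

A static pass like this complements, rather than replaces, the dynamic check: requirement 42 is only proven when the app actually refuses a connection to a test server presenting a different, CA-signed certificate.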

Platform Interaction

| ID | Detailed Verification Requirement | Status |
|---|---|---|
| 44 | Verify that the app only requires the minimum set of permissions necessary. | Not Completed |
| 45 | Verify that all inputs from external sources and the user are validated and, if necessary, sanitized. This includes data received via the UI, IPC mechanisms such as intents, custom URLs, and network sources. | Not Completed |
| 46 | Verify that the app does not export sensitive functionality via custom URL schemes, unless these mechanisms are properly protected. | Not Completed |
| 47 | Verify that the app does not export sensitive functionality through IPC facilities, unless these mechanisms are properly protected. | Not Completed |
| 48 | Verify that JavaScript is disabled in WebViews unless explicitly required. | Not Completed |
| 49 | Verify that WebViews are configured to allow only the minimum set of protocol handlers required (ideally, only https). Potentially dangerous handlers, such as file, tel and app-id, are disabled. | Not Completed |
| 50 | Verify that the app does not load user-supplied local resources into WebViews. | Not Completed |
| 51 | Verify that, if Java objects are exposed in a WebView, the WebView only renders JavaScript contained within the app package. | Not Completed |
| 52 | Verify that object serialization, if any, is implemented using safe serialization APIs. | Not Completed |
| 53 | Verify that the app detects whether it is being executed on a rooted or jailbroken device. Depending on the business requirement, users are warned, or the app is terminated, if the device is rooted or jailbroken. | Not Completed |

Code Quality and Build Settings

| ID | Detailed Verification Requirement | Status |
|---|---|---|
| 54 | Verify that the app is signed and provisioned with a valid certificate. | Not Completed |
| 55 | Verify that the app has been built in release mode, with settings appropriate for a release build (e.g. non-debuggable). | Not Completed |
| 56 | Verify that debugging symbols have been removed from native binaries. | Not Completed |
| 57 | Verify that debugging code has been removed, and that the app does not log verbose errors or debugging messages. | Not Completed |
| 58 | Verify that the app catches and handles possible exceptions. | Not Completed |
| 59 | Verify that error handling logic in security controls denies access by default. | Not Completed |
| 60 | Verify that in unmanaged code, memory is allocated, freed and used securely. | Not Completed |
| 61 | Verify that security features offered by the compiler, such as stack protection, PIE support and automatic reference counting, are activated. | Not Completed |
| 62 | Verify that Java bytecode has been minified. | Not Completed |
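
Several items on this sheet are decided by the Android manifest: requirement 18 (backups), 44, 46 and 47 (permissions, custom URL schemes, exported IPC components) and 55 (non-debuggable release build), which is also what the "Application Manifest", "Permissions" and "Whether the App is Debuggable" checks look at. The following is an added example, not code from the checklist's author: a static check over a decoded `AndroidManifest.xml` that reports each of those conditions. The two manifests, the `com.example.pay` package and component names, and the short list of runtime permissions selected for review are constructed for this example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Runtime ("dangerous") permissions that need a documented justification (req. 44).
# Constructed subset for this example; the full list is in the Android documentation.
REVIEW_PERMISSIONS = {"android.permission.READ_SMS", "android.permission.READ_CONTACTS",
                      "android.permission.ACCESS_FINE_LOCATION", "android.permission.CAMERA"}


def _a(elem, name):
    """Read an attribute from the android: namespace (None when absent)."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def _is_launcher(component):
    """True for the activity carrying the MAIN action, which must be exported."""
    return any(_a(act, "name") == "android.intent.action.MAIN" for act in component.iter("action"))


def check_manifest(manifest_xml: str) -> list:
    """Return findings (strings) for the manifest text; an empty list means nothing flagged."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        return ["manifest has no <application> element"]
    findings = []
    if _a(app, "debuggable") == "true":          # req. 55: release builds are not debuggable
        findings.append("android:debuggable is true")
    if _a(app, "allowBackup") != "false":        # req. 18: keep sensitive data out of backups
        findings.append("android:allowBackup is not false")
    if _a(app, "usesCleartextTraffic") == "true":   # req. 39: TLS is not optional
        findings.append("android:usesCleartextTraffic is true")

    for tag in ("activity", "activity-alias", "service", "receiver", "provider"):
        for comp in app.findall(tag):
            name, exported = _a(comp, "name"), _a(comp, "exported")
            has_filter = comp.find("intent-filter") is not None
            # Reachable from other apps when exported="true", or when an intent-filter is
            # declared and android:exported is omitted (older targetSdk behaviour).
            reachable = exported == "true" or (exported is None and has_filter)
            if not reachable or _is_launcher(comp):
                continue
            if _a(comp, "permission") is None:   # req. 47: exported IPC without protection
                findings.append("%s %s is exported without a permission" % (tag, name))
            for data in comp.iter("data"):       # req. 46: custom URL schemes
                scheme = _a(data, "scheme")
                if scheme and scheme not in ("http", "https"):
                    findings.append("%s %s handles custom URL scheme %s" % (tag, name, scheme))

    for perm in root.findall("uses-permission"):
        if _a(perm, "name") in REVIEW_PERMISSIONS:
            findings.append("requests runtime permission " + _a(perm, "name"))
    return findings


# Constructed sample manifest with the weak settings a reviewer should catch.
WEAK_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.pay">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:debuggable="true" android:usesCleartextTraffic="false">
    <activity android:name=".MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/></intent-filter>
    </activity>
    <activity android:name=".DeepLinkActivity" android:exported="true">
      <intent-filter><action android:name="android.intent.action.VIEW"/>
        <data android:scheme="examplepay" android:host="pay"/></intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true"/>
    <receiver android:name=".PushReceiver" android:exported="true"
              android:permission="com.google.android.c2dm.permission.SEND"/>
    <provider android:name=".DataProvider" android:authorities="com.example.pay.data"
              android:exported="false"/>
  </application>
</manifest>"""

# Constructed sample manifest with those settings corrected.
HARDENED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.pay">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:debuggable="false" android:allowBackup="false" android:usesCleartextTraffic="false">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter><action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/></intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="false"/>
    <receiver android:name=".PushReceiver" android:exported="true"
              android:permission="com.google.android.c2dm.permission.SEND"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for finding in check_manifest(WEAK_MANIFEST):
        print("FINDING:", finding)
```

The exported-component rule deliberately over-reports: a deep-link activity is often meant to be exported, so each hit is a prompt to confirm that the handler validates its input (requirement 45) rather than an automatic failure.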

App Isolation

| ID | Detailed Verification Requirement | Status |
|---|---|---|
| 63 | Verify that the app provides a custom keyboard whenever sensitive data is entered. | Not Completed |
| 64 | Verify that custom UI components are used to display sensitive data. The UI components should not rely on immutable data structures. | Not Completed |

Impede Dynamic Analysis and Tampering

| ID | Detailed Verification Requirement | Status |
|---|---|---|
| 65 | Verify that the app implements two or more functionally independent methods of root detection and responds to the presence of a rooted device either by alerting the user or terminating the app. | Not Completed |
| 66 | Verify that the app implements multiple functionally independent debugging defenses that, in the context of the overall protection scheme, force adversaries to invest significant manual effort to enable debugging. All available debugging protocols must be covered (e.g. JDWP and native). | Not Completed |
| 67 | Verify that the app detects, and responds to, tampering with executable files and critical data. | Not Completed |
| 68 | Verify that the app detects the presence of widely used reverse engineering tools, such as code injection tools, hooking frameworks and debugging servers. | Not Completed |
| 69 | Verify that the app detects, and responds to, being run in an emulator using any method. | Not Completed |
| 70 | Verify that the app detects, and responds to, modifications of process memory, including relocation table patches and injected code. | Not Completed |
| 71 | Verify that the app implements multiple different responses to tampering, debugging and emulation, including stealthy responses that don't simply terminate the app. | Not Completed |
| 72 | Verify that all executable files and libraries belonging to the app are either encrypted on the file level and/or important code and data segments inside the executables are encrypted or packed. Trivial static analysis should not reveal important code or data. | Not Completed |
| 73 | Verify that obfuscating transformations and functional defenses are interdependent and well-integrated throughout the app. | Not Completed |

CPOC/SPOC specific test cases

| ID | Detailed Verification Requirement | Status |
|---|---|---|
| 1 | Verify that the application detects the device state (rooted) and sends it, along with system identifiers, to the attestation and monitoring server so that the device can be blocked from accessing the application. | Not Completed |
| 2 | Verify that the application uses SSL pinning for its traffic. | Not Completed |
| 3 | Verify that the application detects remote monitoring/debugging tools present on the device and actively blocks them from accessing the transaction if any remote monitoring apps are detected. | Not Completed |
| 4 | Verify that the app detects the presence of widely used reverse engineering tools, such as code injection tools, hooking frameworks and debugging servers. | Not Completed |
| 5 | Verify all third-party components used by the mobile app, such as libraries and frameworks, are identified and checked for known vulnerabilities. | Not Completed |
| 6 | Verify that system credential storage facilities are used appropriately to store sensitive data, such as user credentials or cryptographic keys. | Not Completed |
| 7 | Verify that no sensitive data is written to application logs. | Not Completed |
| 8 | Verify that no sensitive data, such as passwords and credit card numbers, is exposed through the user interface or leaks to screenshots. | Not Completed |
| 9 | Verify that no sensitive data is included in backups. | Not Completed |
| 10 | Verify that the app removes sensitive data from views when backgrounded. | Not Completed |
| 11 | Verify that the app does not hold sensitive data in memory longer than necessary, and that memory is cleared explicitly after use. | Not Completed |
| 12 | Verify that the app enforces a minimum device-access-security policy, such as requiring the user to set a device passcode. | Not Completed |
| 13 | Verify that the app does not rely on symmetric cryptography with hardcoded keys as its sole method of encryption. | Not Completed |
| 14 | Verify that the app doesn't re-use the same cryptographic key for multiple purposes. | Not Completed |
| 15 | Verify that all random values are generated using a sufficiently secure random number generator. | Not Completed |
| 16 | Verify that the remote endpoint uses randomly generated access tokens to authenticate client requests without sending the user's credentials. | Not Completed |
| 17 | Verify that the remote endpoint implements an exponential back-off, or temporarily locks the user account, when incorrect authentication credentials are submitted an excessive number of times. | Not Completed |
| 18 | Verify that biometric authentication, if any, is not event-bound (i.e. using an API that simply returns "true" or "false"). Instead, it is based on unlocking the keychain/keystore. | Not Completed |
| 19 | Verify that the app informs the user of all login activities with his or her account. Users are able to view a list of devices used to access the account, and to block specific devices. | Not Completed |
| 20 | Verify that data is encrypted on the network using TLS, and that the secure channel is used consistently throughout the app. | Not Completed |
| 21 | Verify that the app verifies the X.509 certificate of the remote endpoint when the secure channel is established. Only certificates signed by a valid CA are accepted. | Not Completed |
| 22 | Verify that the app either uses its own certificate store, or pins the endpoint certificate or public key, and subsequently does not establish connections with endpoints that offer a different certificate or key, even if signed by a trusted CA. | Not Completed |
| 23 | Verify that all inputs from external sources and the user are validated and, if necessary, sanitized. This includes data received via the UI, IPC mechanisms such as intents, custom URLs, and network sources. | Not Completed |
| 24 | Verify that object serialization, if any, is implemented using safe serialization APIs. | Not Completed |
| 25 | Verify that the app detects whether it is being executed on a rooted or jailbroken device. Depending on the business requirement, users are warned, or the app is terminated, if the device is rooted or jailbroken. | Not Completed |
| 26 | Verify that debugging symbols have been removed from native binaries. | Not Completed |
| 27 | Verify that debugging code has been removed, and that the app does not log verbose errors or debugging messages. | Not Completed |
| 28 | Verify that error handling logic in security controls denies access by default. | Not Completed |
| 29 | Verify that in unmanaged code, memory is allocated, freed and used securely. | Not Completed |
| 30 | Verify that security features offered by the compiler, such as stack protection, PIE support and automatic reference counting, are activated. | Not Completed |
| 31 | Verify that Java bytecode has been minified. | Not Completed |
| 32 | Verify that the app provides a custom keyboard whenever sensitive data is entered. | Not Completed |
| 33 | Verify that the app implements two or more functionally independent methods of root detection and responds to the presence of a rooted device either by alerting the user or terminating the app. | Not Completed |
| 34 | Verify that the app implements multiple functionally independent debugging defenses that, in the context of the overall protection scheme, force adversaries to invest significant manual effort to enable debugging. All available debugging protocols must be covered (e.g. JDWP and native). | Not Completed |
| 35 | Verify that the app detects, and responds to, tampering with executable files and critical data. | Not Completed |
| 36 | Verify that the app detects the presence of widely used reverse engineering tools, such as code injection tools, hooking frameworks and debugging servers. | Not Completed |
| 37 | Verify that the app detects, and responds to, being run in an emulator using any method. | Not Completed |
| 38 | Verify that the app detects, and responds to, modifications of process memory, including relocation table patches and injected code. | Not Completed |
| 39 | Verify that the app implements multiple different responses to tampering, debugging and emulation, including stealthy responses that don't simply terminate the app. | Not Completed |
| 40 | Verify that all executable files and libraries belonging to the app are either encrypted on the file level and/or important code and data segments inside the executables are encrypted or packed. Trivial static analysis should not reveal important code or data. | Not Completed |
| 41 | Verify that obfuscating transformations and functional defenses are interdependent and well-integrated throughout the app. | Not Completed |

Status and Remarks

Every item in the sheet is recorded with Status "Not Completed" and an empty Remarks field. The Status values available in the sheet are: Not Completed, Not Vulnerable, N/A, Vulnerable.