Firmware Extracting & Reversing
Extracting
Reversing
Dumping
Downgrading
Bypass verification
Malicious update
Reset to insecure state
Device App Vulnerabilities
Overflows
Vulnerable services (web, ssh, tftp, etc.)
Privilege escalation
Local Data Storage
Device spoofing
Identity tampering
Pairing attacks
Session hijacking
Brute force
Device impersonation
Weak identifier
Insecure crypto
Backdoor accounts
Default credentials
Exposed Debugging Interfaces
UART
JTAG
SPI
USB
I2C
Side Channel Attacks
Power consumption attack
Timing-based attack
Denial of Service
Battery abuse
Disable the device
Brick the device
Network Traffic
Sniffing
MITM attacks
Message integrity
Replay attacks
Insecure usage of protocols (e.g. MQTT, XMPP)
Identity / Event / Data spoofing
Privilege escalation
This table is a concentrated list of the types of attacks and tests performed by AppSec Labs during security checks. The list includes all attacks known at the time this document was produced.
Information Gathering
Reverse Engineering the Application Code
Testing for Common Libraries and Fingerprinting
Enumeration of Application Known Controllers
Information Disclosure by Logcat
Application Local Storage Flaws
Hidden Secrets in the Code
Storing Sensitive Data on Shared Storage (exposed to all applications without any restrictions)
Cryptographic Based Storage Strength
Content Providers Access Permissions
Content Providers SQL Injection
Privacy and Metadata Leaks
IPC Security
User Proprietary Data in Logcat
Technically Valuable Data in Logcat
Exposed Components and Cross Application Authorization
Permissions & Digital Signature Data Sharing Issues
Clipboard Separation
Public Intents and Unauthenticated Data Sources
Public Intents and Authorization Flaws
Code Puzzling and Abusing Application State
Race Conditions, Deadlocks and Concurrency Threats
In-Device Denial of Service Attacks
Privacy Breaches
Exposing Device Specific Identifiers in Attacker Visible Elements
Exposure of Private User Data to Attacker Visible Components
Tracking Application Installations by Insecure Means
UI Security
Tap Jacking
Client Side based Authorization Decisions
Business Logic Testing
Bypassing business logic
Execution of Untrusted Code
WebView Security
Exposing External Java Interfaces in the WebView DOM
JavaScript Execution Risks in WebViews
Code Signing
Loading Dynamic DEX onto Dalvik
Abusing Dynamic Code Execution Decisions
Stack Based Buffer Overflows
Heap Based Buffer Overflows
Object Lifetime Vulnerabilities (Use-after-free, double frees)
Format Strings Vulnerabilities
NDK Exposed Code Secrets
Integer Overflows
Integer Underflows
Transport Layer Security
Insecure Transport Layer Protocols
TLS Authenticity Flaws
TLS Weak Encryption
Bypassing TLS Certificate Pinning
TLS Known Issues – CRIME, BREACH, BEAST, Lucky13, RC4, etc…
Disable certificate validation
Authentication Flaws
Using Insecure Authentication Vectors (IMEI, MAC, etc.)
Cross Application Authentication
Local Authentication Bypass Threats
Client Side Based Authentication Flaws
Client Side Authorization Breaches
Android Sandbox Security
Shared User Resources
Excessive Permissions
Disclosure of Privileged Data to Public Resources
This table is a concentrated list of the types of attacks and tests performed by AppSec Labs during security checks. The list includes all attacks known at the time this document was produced.
Information Gathering
Testing for Common Libraries and Fingerprinting
Enumeration of Application Known Controllers
Information Disclosure by Apple System Log (ASL)
Application Local Storage Flaws
Hidden Secrets in the Code
Storing Sensitive Data on Shared Storage
Storing Sensitive Data in application Cache files
Cryptographic Based Storage Strength
Content Providers Access Permissions
Content Providers SQL Injection
Privacy and Metadata Leaks
IPC Security
User Proprietary Data in ASL
Technically Valuable Data in ASL
Exposed Components and Cross Application Authorization
Permissions & Digital Signature Data Sharing Issues
Clipboard Separation
Code Puzzling and Abusing Application State
Race Conditions, Deadlocks and Concurrency Threats
In-Device Denial of Service Attacks
Privacy Breaches
Exposing Device Specific Identifiers in Attacker Visible Elements
Exposure of Private User Data to Attacker Visible Components
Tracking Application Installations by Insecure Means
UI Security
Tap Jacking
Client Side based Authorization Decisions
Business Logic Testing
Bypassing business logic
Bypassing controllers hierarchy
Execution of Untrusted Code
WebView Security
Exposing External Java Interfaces in the WebView DOM
JavaScript Execution Risks in WebViews
Code Signing
Abusing Dynamic Code Execution Decisions
Stack Based Buffer Overflows
Heap Based Buffer Overflows
Object Lifetime Vulnerabilities (Use-after-free, double frees)
Format Strings Vulnerabilities
Integer Overflows
Integer Underflows
Transport Layer Security
Insecure Transport Layer Protocols
TLS Authenticity Flaws
TLS Weak Encryption
Bypassing TLS Certificate Pinning
TLS Known Issues – CRIME, BREACH, BEAST, Lucky13, RC4, etc…
Disable certificate validation
Authentication Flaws
Using Insecure Authentication Vectors (IMEI, MAC, etc.)
Cross Application Authentication
Local Authentication Bypass Threats
Client Side Based Authentication Flaws
Client Side Authorization Breaches
Application Sandbox Security
Shared User Resources
Excessive Permissions
Disclosure of Privileged Data to Public Resources
Application Keychain Security
Keychain Resources
Misuse of keychain storage
Developer Group Keychain usage
This table is a concentrated list of the types of attacks and tests performed by AppSec Labs during security checks. The list includes all attacks known at the time this document was produced.
Information Gathering
Search engine discovery / reconnaissance
Web application fingerprint
Review Webpage Comments and Metadata for Information Leakage
Application entry points Identification
Execution paths mapping
Web application framework fingerprinting
Web application fingerprinting
Application architecture mapping
Information Disclosure by error codes
SSL Weakness – SSL/TLS Testing (SSL Version, Algorithms, Key length, Digital Cert. Validity)
Configuration and Deploy Management Testing
Application Configuration management weakness
File extensions handling – sensitive information
Old, Backup and Unreferenced Files – Sensitive Information
Unauthorized Admin Interfaces access
HTTP Methods enabled, XST permitted, HTTP Verb
HTTP Strict Transport Security
RIA cross domain policy
Role definitions enumeration
Vulnerable user registration process
Vulnerable account provisioning process
Permissions of Guest/Low Permission Accounts
Account suspension/resumption process
Authentication Testing
Credentials Transported over Unencrypted Channel
User enumeration
Account lockout
Authentication bypass
“Remember password” functionality
Browser caching
Weak password policy
Weak password security mechanisms
Weak password change or reset flow
Race conditions
Weak multi-factor authentication
Weak CAPTCHA implementation
Weaker authentication in alternative channel
Authorization Testing
Directory traversal/file inclusion
Authorization schema bypass
Privilege escalation
Insecure direct object references
Session Management Testing
Session management bypass
Cookies set without the ‘HttpOnly’ or ‘Secure’ flags, or without an expiry
Session fixation
Exposed session variables
Cross site request forgery (CSRF)
Logout management
Session timeout
Session puzzling
Data Validation Testing
Reflected cross site scripting
Stored cross site scripting
HTTP verb tampering
HTTP Parameter pollution / manipulation
SQL injection
LDAP injection
ORM injection
XML injection
SSI injection
XPath injection
IMAP/SMTP injection
Code injection
Local/remote file inclusion
Command injection
Buffer overflow
Heap overflow
Stack overflow
Format string manipulation
Incubated vulnerabilities
HTTP splitting/smuggling
Error Handling
Analysis of Error Codes
Analysis of Stack Traces
Cryptography
Weak SSL/TLS ciphers, insufficient transport layer protection
Padding oracle
Sensitive information sent via unencrypted channels
Business Logic Testing
Business logic data validation
Ability to Forge Requests
Integrity checks
Process timing
Replay attack
Circumvention of Work Flows
Abuse of Functionality
File upload vulnerabilities
Client Side Testing
DOM based Cross Site Scripting
JavaScript execution
HTML/CSS injection
Client-side URL redirect
Client side resource manipulation
Cross origin resource sharing
Cross site flashing
Clickjacking / UI rendering
Web sockets
Web messaging
Local storage / session storage sensitive information
AJAX Testing
AJAX weakness
Denial of Service Testing
SQL Wildcard vulnerability
Locking customer accounts
Buffer overflows
User specified object allocation
User Input as a Loop Counter
Writing User Provided Data to Disk
Failure to Release Resources
Storing too Much Data in Session
Web Services Testing
WS information gathering
WSDL weakness
Weak XML structure
XML content-level
WS HTTP GET parameters/REST
WS Naughty SOAP attachments
WS replay testing