Security and Privacy Checklist
I'm no sec wizard, but we can all get a bit better at our app sec. This list is mostly mobile oriented, but it's a start. Hope it helps jumpstart your appsec!
Application Security & Privacy Basics
Login & Authentication Flow
- Ensure login traffic is sent over HTTPS
General Application Traffic
- Ensure sensitive/identifying information continues to be sent over HTTPS after the login sequence, not only during it
- Ensure sensitive data is sent in the request body, not in headers
- Ensure URI query strings and their parameters do not carry personal or identifying information (URIs end up in server logs, proxies and browser history)
- Ensure sensitive information is passed in the body of the request
Application Artifacts
- Ensure Android apps utilize DexGuard in lieu of ProGuard or no obfuscation at all
- Ensure running the simple strings tool over the binary does not reveal sensitive information (executable obfuscation)
- File system: cache contents
- File system: file permissions
- File system: content of supporting files
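The strings check above is easy to automate in review. The following is an added example (not part of the original checklist): a small Python scan that extracts printable runs from a binary the way the strings tool does and flags anything that looks like a URL, a credential assignment or a private key. The sample "binary" and the regexes are constructed for illustration; real review would extend the pattern list to the app's own secret formats.

```python
from __future__ import annotations
import re

# Constructed sample bytes standing in for an app executable or resource file;
# not a real artifact. Printable runs are interleaved with non-printable bytes.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00"
    b"https://api.example.test/v1/login\x00\x00\x01\x02"
    b"api_key=AKIAEXAMPLEKEY0000000\x00\xff\xfe"
    b"-----BEGIN RSA PRIVATE KEY-----\x00"
    b"Hello\x00ok\x00\x90\x90\x90"
)

# Heuristics a reviewer would flag; deliberately not an exhaustive list.
SENSITIVE_PATTERNS = {
    "url": re.compile(r"https?://[^\s\"']+"),
    "credential": re.compile(r"(?i)(api[_-]?key|secret|token|password)\s*[=:]\s*\S+"),
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}


def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Mimic `strings`: every run of at least min_len printable ASCII bytes."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def find_sensitive_strings(data: bytes) -> list[tuple[str, str]]:
    """Return (category, string) for each extracted string matching a pattern."""
    hits = []
    for s in extract_strings(data):
        for name, pattern in SENSITIVE_PATTERNS.items():
            if pattern.search(s):
                hits.append((name, s))
    return hits


if __name__ == "__main__":
    for category, value in find_sensitive_strings(SAMPLE_BINARY):
        print(f"{category:12s} {value}")
```

Run it against the constructed sample and the three planted secrets are reported; a clean build of the same code with those values moved server-side (or obfuscated) would report nothing.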
Application UI Concerns
- Ensure any personal information UI elements mask sensitive data on entry
- Ensure sensitive items are not captured in the UI when the app is backgrounded
- Ensure consent alerts utilize Purpose Strings
- Ensure user can access Privacy Policy
- Ensure user can utilize app having denied consent for system services
Breach Remediation
- Ensure the application and website contain security, bug and support contact information
- Ensure the application performs version self-checks
- Ensure the application contains analytics that can report the extent of damage after a breach
- Ensure the application server and client implement a rollback and mitigation scheme
Client-side Concerns
Client OS
Client Application
- Ensure certificate pinning enabled in application
- Ensure necessary personal information is wiped locally after session expiration
- Ensure sensitive information isn't hardcoded into the client
- Ensure deprecated hashing algorithms are not in general use for sensitive data, e.g. prefer SHA-256 to MD5
- Ensure certificate validation is never overridden, even intermittently (e.g. for debugging builds)
- Ensure custom URL schemes validate the data passed to them
- Ensure pasteboard usage does not disclose sensitive data
- Ensure malloc is not invoked with a user-controlled size
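What "validate passed data" means for a custom URL scheme is easiest to see in code. This is an added example, not from the checklist or any particular app: it assumes a hypothetical app that registers the scheme myapp and supports two deep links, myapp://profile?id=<digits> and myapp://open?url=<https link>. The parser allow-lists the scheme, the action, the parameter names and every parameter value, rejects duplicated parameters, and only lets "open" point at HTTPS hosts the app owns, so a crafted link cannot steer the app to arbitrary content. The handler logic is written in Python so it runs anywhere; the same structure carries over to the platform's own URL handler.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed app configuration (hypothetical, not from the checklist).
APP_SCHEME = "myapp"
ALLOWED_ACTIONS = {"profile": {"id"}, "open": {"url"}}   # action -> allowed query keys
ALLOWED_WEB_HOSTS = {"www.example.test", "help.example.test"}
ID_RE = re.compile(r"^[0-9]{1,12}$")


class DeepLinkError(ValueError):
    """Raised for any deep link that fails validation."""


def parse_deep_link(link: str) -> dict:
    """Validate a custom-scheme URL; return {"action": ..., "params": {...}} or raise."""
    parts = urlsplit(link)
    if parts.scheme.lower() != APP_SCHEME:
        raise DeepLinkError(f"unexpected scheme: {parts.scheme!r}")
    action = parts.netloc.lower()            # host part carries the action name
    if action not in ALLOWED_ACTIONS:
        raise DeepLinkError(f"unknown action: {action!r}")

    # Exactly the expected keys, each exactly once; unknown keys are rejected, not ignored.
    query = parse_qs(parts.query, keep_blank_values=True)
    if set(query) != ALLOWED_ACTIONS[action] or any(len(v) != 1 for v in query.values()):
        raise DeepLinkError("unexpected, missing or duplicated parameters")
    params = {k: v[0] for k, v in query.items()}

    # Per-value checks: identifiers must be numeric, links must be HTTPS on our hosts.
    if action == "profile" and not ID_RE.match(params["id"]):
        raise DeepLinkError("id must be numeric")
    if action == "open":
        target = urlsplit(params["url"])
        # hostname (not netloc) so "https://good@evil/" is judged by "evil"
        if target.scheme != "https" or target.hostname not in ALLOWED_WEB_HOSTS:
            raise DeepLinkError("url must be https on an allow-listed host")
    return {"action": action, "params": params}


def is_valid_deep_link(link: str) -> bool:
    try:
        parse_deep_link(link)
        return True
    except DeepLinkError:
        return False


if __name__ == "__main__":
    for link in ("myapp://profile?id=42",
                 "myapp://open?url=https://help.example.test/faq",
                 "myapp://open?url=javascript:alert(1)",
                 "myapp://profile?id=42&id=43"):
        print(f"{is_valid_deep_link(link)!s:5}  {link}")
```

The design choice worth copying is the allow-list at every level: the handler never tries to recognise bad input, it only accepts input it can fully describe.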
More review items:
- Logging
- Credential storage
- Third-party code
- Debug versus Release
- Input validation
- Cache
- Logging out
- Secure APIs
- UIWebView
Server-side Concerns
Server OS
- Ensure the server is up to date, especially with security updates
- Ensure X.509 certificates are in place and valid for certificate pinning
Server Application
- Ensure user sessions expire
- Ensure session identifiers are unique to each session
- Ensure session identifiers are destroyed upon logout
- Ensure password encryption for users utilizes current, non-deprecated algorithms, e.g. AES-256 rather than DES
- Ensure the server-side password storage scheme uses salts
- Ensure sensitive information isn't hardcoded into the server
- Ensure the server has custom error handlers in lieu of defaults that may leak sensitive condition data
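The session and password items above fit together in one login flow, shown here as an added Python example that is not part of the original checklist. It assumes the common server-side practice the salt item implies, storing passwords as salted iterated hashes (PBKDF2-HMAC-SHA256 from the standard library) rather than reversibly encrypting them, and it assumes policy values of 600k iterations, an 8-hour absolute session lifetime and a 30-minute idle timeout. A fresh salt per record means two users with the same password get different records; session ids come from the OS CSPRNG so each login is unique; lookups enforce expiry; logout deletes the server-side record.

```python
import hashlib
import hmac
import secrets
import time

# Assumed policy values (not from the checklist).
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16
ABSOLUTE_LIFETIME = 8 * 3600   # seconds
IDLE_TIMEOUT = 30 * 60         # seconds


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Stored form: algorithm$iterations$salt_hex$digest_hex."""
    salt = secrets.token_bytes(SALT_BYTES)   # fresh per record, never shared
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
        if algorithm != ALGORITHM:
            return False
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                     bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(digest, bytes.fromhex(digest_hex))  # constant time
    except ValueError:
        return False   # malformed record: wrong field count, non-hex or non-numeric


def needs_rehash(stored: str) -> bool:
    """True when a record predates the current algorithm or iteration count."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM or not parts[1].isdigit():
        return True
    return int(parts[1]) < ITERATIONS


class SessionStore:
    """In-memory session table; clock is injectable so expiry can be tested."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}   # session id -> {"user", "created", "last_seen"}

    def login(self, user: str, password: str, stored_hash: str):
        """Return a new session id, or None if the password does not verify."""
        if not verify_password(password, stored_hash):
            return None
        # 128 random bits per login: unique, unguessable, never reused or
        # derived from the user name.
        sid = secrets.token_urlsafe(16)
        now = self._clock()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def lookup(self, sid: str):
        """Return the user for a live session, or None if unknown or expired."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        now = self._clock()
        if (now - entry["created"] > ABSOLUTE_LIFETIME
                or now - entry["last_seen"] > IDLE_TIMEOUT):
            self._sessions.pop(sid, None)   # expired: drop the server-side record
            return None
        entry["last_seen"] = now
        return entry["user"]

    def logout(self, sid: str) -> None:
        # Destroy server-side state so a captured id is useless after logout.
        self._sessions.pop(sid, None)
```

needs_rehash is what lets a deployment migrate off a deprecated scheme: on each successful login, re-hash with current parameters when it returns True.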
Risk Review Items
- Exposed Secrets
- Potential Lift and Shift Vulnerability
- Possible Command Injection
- Possible SQL Injection
- Possible Fragment Injection
- The Application May Load Code Dynamically
- Unsafe HTTPS Communication Due To Insecure Hostname Verifier
- Insecure Certificate Validation
- Webview Injection Via Loaded Content
- Webview Using addJavaScriptInterface()
- Application Makes Phone Calls Without Authorization
- Outdated Version of Host Server
- Client Application Vulnerable to the Apple gotofail Vulnerability
- Application Doesn't Hide Data When Entering a Background State
- Potentially Sensitive Information Leaked to the iOS Keychain
- JavaScript Execution
- Application Handles Custom URL Schemes
- Client Uses Low-Level Network Frameworks
- Potential Buffer Overflow Vulnerabilities
- Creation of Named Pasteboard
- Getting and Setting Pasteboard Items and Attributes
- NSFile Usage
- malloc() Function Could Lead to Overflow Vulnerabilities