Security and Privacy Checklist

12/15/2014, 2 Min Read — In Security, Testing

I'm no sec wizard but we can all get a bit better at our app sec. This list is mostly mobile oriented but it's a start. Hope it helps jumpstart your appsec!

Application Security & Privacy Basics

Login & Authentication Flow

  • Ensure login traffic is sent over HTTPS

General Application Traffic

  • Ensure sensitive/identifying information continues to be sent over HTTPS after the login sequence, not only during it
  • Ensure sensitive data is sent in the request body, not in headers, which proxies and CDNs routinely log
  • Ensure URI query strings and their parameters do not contain personal or identifying information; URLs end up in server access logs, browser history and Referer headers
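To make the transport items above concrete, here is an added example (not code from the original post) that audits a captured set of requests against exactly these rules: HTTPS everywhere, nothing identifying in the query string, nothing sensitive in custom headers. The request records, hostnames and sample values are constructed to look like a proxy export and are assumptions, not real traffic.

```python
"""Audit captured client traffic against the transport rules above.

Added example, not code from the original post. Input is a constructed list
of request records shaped like a proxy (mitmproxy, Charles) export; the
field names, hostnames and sample values are assumptions.
"""
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter/header name tokens that carry personal or identifying data.
SENSITIVE_NAMES = {
    "password", "passwd", "pin", "ssn", "token", "session", "auth",
    "email", "phone", "dob", "card", "cvv",
}
# Value shapes that look like identifying data even under an innocent name.
VALUE_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    "card_number": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}
# Standard headers that are expected to carry a credential.
ALLOWED_HEADERS = {"authorization", "cookie"}


def _name_tokens(name):
    """'X-Session-Token' -> {'x', 'session', 'token'}"""
    return set(re.split(r"[^a-z0-9]+", name.lower())) - {""}


def _looks_sensitive(name, value):
    if _name_tokens(name) & SENSITIVE_NAMES:
        return True
    return any(p.search(value) for p in VALUE_PATTERNS.values())


def audit_request(req):
    """Return a list of (rule, detail) findings for one request record."""
    findings = []
    url = urlsplit(req["url"])
    if url.scheme != "https":
        findings.append(("plaintext_transport", req["url"]))
    # Query strings land in access logs, browser history and Referer headers.
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if _looks_sensitive(name, value):
            findings.append(("sensitive_in_url", name))
    # Custom headers get logged by proxies and CDNs; keep secrets in the body.
    for name, value in req.get("headers", {}).items():
        if name.lower() in ALLOWED_HEADERS:
            continue
        if _looks_sensitive(name, value):
            findings.append(("sensitive_in_header", name))
    return findings


def audit_capture(capture):
    """Map 'METHOD url' to findings for every request that has any."""
    report = {}
    for req in capture:
        findings = audit_request(req)
        if findings:
            report[req["method"] + " " + req["url"]] = findings
    return report


# Constructed sample capture: a login followed by three post-login requests.
# Only the second and third should produce findings.
SAMPLE_CAPTURE = [
    {"method": "POST", "url": "https://api.example.test/login",
     "headers": {"Content-Type": "application/json"},
     "body": '{"user": "alice", "password": "hunter2"}'},
    {"method": "GET",
     "url": "http://api.example.test/profile?email=alice%40example.test",
     "headers": {}},
    {"method": "GET", "url": "https://api.example.test/lookup?q=123-45-6789",
     "headers": {"X-Session-Token": "8f3a9c..."}},
    {"method": "GET", "url": "https://api.example.test/feed?page=2",
     "headers": {"Authorization": "Bearer eyJhbGciOi..."}},
]

if __name__ == "__main__":
    for key, findings in audit_capture(SAMPLE_CAPTURE).items():
        print(key)
        for rule, detail in findings:
            print("    ", rule, detail)
```

The login POST is clean because its credentials travel in the body over HTTPS; the profile request is flagged twice (plaintext, and an e-mail address in the query string), and the lookup request is flagged for an SSN-shaped value under an innocent parameter name plus a session token in a custom header. Point the same audit at a real export of your app's traffic before a release.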

Application Artifacts

  • Ensure Android apps use DexGuard rather than ProGuard alone or no obfuscation at all (ProGuard only renames identifiers; DexGuard adds string encryption and tamper detection)
  • Ensure running the strings tool over the binary does not reveal sensitive information (API keys, internal URLs, credentials)
  • Executable obfuscation
  • File system: cache contents
  • File system: file permissions
  • File system: contents of supporting files
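The strings check above, and the "sensitive information isn't hardcoded into the client/server" items further down, come down to the same review step. Here is an added example (not from the original post) that does what `strings | grep` does over a binary but with the checks a reviewer actually applies: known secret formats, URLs embedding credentials, and long high-entropy tokens that are probably keys. The byte blob is constructed to stand in for a classes.dex or an iOS Mach-O; the key formats and entropy threshold are assumptions tuned for illustration.

```python
"""Scan a compiled artifact for sensitive strings.

Added example, not code from the original post. FAKE_BINARY is a constructed
blob standing in for an app binary; the secret formats and the entropy
threshold are assumptions.
"""
import math
import re

MIN_LEN = 8  # same default as `strings -n 8`

KNOWN_SECRET_FORMATS = {
    "aws_access_key": re.compile(r"AKIA[0-9A-Z]{16}"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "url_with_credentials": re.compile(r"[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@"),
    "bearer_token": re.compile(r"(?i)bearer\s+[A-Za-z0-9._-]{20,}"),
}
# Bits per character: random base62 keys sit above 5, URLs and prose below 4.
ENTROPY_THRESHOLD = 4.0


def extract_strings(blob, min_len=MIN_LEN):
    """Yield runs of printable ASCII of at least min_len bytes, like strings(1)."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob):
        yield m.group().decode("ascii")


def shannon_entropy(s):
    """Shannon entropy of s in bits per character (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify(s):
    """Name of the secret format s matches, 'high_entropy' for a likely random
    key, or None if the string looks harmless."""
    for name, pattern in KNOWN_SECRET_FORMATS.items():
        if pattern.search(s):
            return name
    token = s.strip()
    # Long single tokens with no spaces and high entropy are usually keys.
    if len(token) >= 24 and " " not in token and shannon_entropy(token) >= ENTROPY_THRESHOLD:
        return "high_entropy"
    return None


def scan_artifact(blob):
    """Return [(finding_type, string)] for every suspicious string in blob."""
    findings = []
    for s in extract_strings(blob):
        kind = classify(s)
        if kind:
            findings.append((kind, s))
    return findings


# Constructed artifact: binary padding interleaved with the kinds of strings
# real apps contain. Only the last three strings should be flagged.
FAKE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00" * 4
    + b"Welcome back to the application\x00"
    + b"https://api.example.test/v1/\x00"
    + b"\x00\x90\x90\xcc" * 8
    + b"AKIAEXAMPLEEXAMPLE12\x00"
    + b"mysql://appuser:Sup3rS3cret@db.internal.example.test/app\x00"
    + b"\x00\x00k8Qm2ZnT4vL0rXb9Jc7Wd1Hs3Ge5Py6AqRf\x00\x00"
)

if __name__ == "__main__":
    for kind, s in scan_artifact(FAKE_BINARY):
        print(f"{kind:22} {s}")
```

Run it over the unpacked APK's classes.dex or the app's main executable; the entropy rule catches keys that do not follow a published format, at the cost of the occasional false positive on hashes and asset names, which is the right trade for a pre-release review.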

Application UI Concerns

  • Ensure UI elements that accept personal information mask sensitive data on entry
  • Ensure sensitive screen content is hidden when the app is backgrounded, so it is not captured in the app-switcher snapshot
  • Ensure consent alerts for system services use purpose strings that say why the access is needed
  • Ensure the user can access the Privacy Policy
  • Ensure the user can still use the app after denying consent for system services

Breach Remediation

  • Ensure the application and website carry security/bug/support contact information
  • Ensure the application checks its own version against the server, so vulnerable builds can be forced to update
  • Ensure the application contains enough analytics to scope the damage of a breach (affected versions, users, time window)
  • Ensure server and client implement a rollback and mitigation scheme

Client-side Concerns

Client OS

Client Application

  • Ensure certificate pinning is enabled in the application
  • Ensure personal information that is no longer needed is wiped locally when the session expires
  • Ensure sensitive information is not hardcoded into the client
  • Ensure deprecated hashing algorithms are not in general use for sensitive data, e.g. prefer SHA-256 to MD5
  • Ensure certificate validation is never overridden in any code path, e.g. by a debug flag that accepts any certificate or hostname
  • Ensure custom URL schemes validate the data passed to them (any app on the device can invoke them)
  • Ensure pasteboard usage does not disclose sensitive data (the general pasteboard is readable by every app)
  • Ensure malloc() is not invoked with a user-controlled size; an overflow in the size arithmetic yields an undersized buffer
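The pinning and "validation is never overridden" items above are easy to state and easy to get wrong in code, so here is an added example (not from the original post) showing the weak setting beside the corrected one using only the standard-library ssl module. The hostname, the pin values and the sample DER bytes are constructed placeholders; the point is the shape of the checks, which carries over to NSURLSession or OkHttp unchanged.

```python
"""TLS validation and certificate pinning on the client: anti-pattern and fix.

Added example, not code from the original post. API_HOST, SAMPLE_DER and
the pin set are constructed placeholders.
"""
import hashlib
import hmac
import socket
import ssl

API_HOST = "api.example.test"  # assumed hostname

# Constructed stand-in for a server certificate's DER bytes (not a real cert).
SAMPLE_DER = b"constructed-der-bytes-not-a-real-certificate"


def cert_fingerprint(der_bytes):
    """SHA-256 over the DER encoding; the value the client pins on."""
    return hashlib.sha256(der_bytes).digest()


# Ship at least two pins (the live certificate plus a backup already issued)
# so rotating the server certificate does not brick every installed client.
PINNED_CERT_SHA256 = {
    "current": cert_fingerprint(SAMPLE_DER),
    "backup": bytes.fromhex("22" * 32),  # placeholder for the backup cert
}


def insecure_context(debug=False):
    """The anti-pattern: validation switched off 'just for debug builds'.
    A flag left on, or a debug variant shipped by mistake, means the client
    accepts any certificate for any host."""
    ctx = ssl.create_default_context()
    if debug:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def secure_context():
    """Chain validation against the system store plus hostname checking,
    with no code path that can turn either off."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    assert ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED
    return ctx


def is_validation_enabled(ctx):
    """What a code review should confirm for every context the app builds."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


def pin_matches(der_bytes, pins=PINNED_CERT_SHA256):
    """True if the presented certificate matches any shipped pin.
    compare_digest keeps the comparison constant-time."""
    fp = cert_fingerprint(der_bytes)
    return any(hmac.compare_digest(fp, pin) for pin in pins.values())


def connect_pinned(host=API_HOST, port=443):
    """Open a TLS connection, then enforce the pin on top of chain validation.
    (Network call; not exercised by the offline checks below.)"""
    ctx = secure_context()
    with socket.create_connection((host, port)) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if not pin_matches(der):
                raise ssl.SSLCertVerificationError("certificate does not match pinned set")
            return tls.version()


if __name__ == "__main__":
    print("secure context validates:", is_validation_enabled(secure_context()))
    print("debug context validates:", is_validation_enabled(insecure_context(debug=True)))
    print("sample cert pinned:", pin_matches(SAMPLE_DER))
    print("other cert pinned:", pin_matches(b"some other certificate"))
```

Pinning is layered on top of normal chain and hostname validation, never instead of it, and the pin set must be updated in the client before the server rotates to a certificate outside it.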

More review items:

  • Logging
  • Credential storage
  • Third-party libraries and SDKs
  • Debug versus Release
  • Input validation
  • Cache
  • Logging out
  • Secure APIs
  • UIWebView

Server-side Concerns

Server OS

  • Ensure the server is up to date, especially with security updates
  • Ensure valid X.509 certificates are in place and that the client's pins match them; rotate certificates in step with the shipped pin set or pinned clients will fail to connect

Server Application

  • Ensure user sessions expire
  • Ensure session identifiers are unique to each session and unpredictable
  • Ensure session identifiers are destroyed server-side upon logout
  • Ensure passwords are stored with a current, purpose-built password hashing function (e.g. bcrypt, scrypt or PBKDF2), not with a deprecated algorithm and not with a reversible cipher such as DES or even AES-256, since a leaked key then exposes every password
  • Ensure the server-side password scheme uses a unique random salt per user
  • Ensure sensitive information is not hardcoded into the server
  • Ensure the server has custom error handlers in place of defaults that may leak stack traces, file paths or other sensitive condition data
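The session items (expiry, unique identifiers, destroyed on logout) and the password items (purpose-built hash, per-user salt) in the list above are small enough to show together. This is an added example, not code from the original post: an in-memory store standing in for whatever the real server uses, with the idle timeout and the scrypt parameters as assumptions.

```python
"""Server-side session handling and password storage for the checklist above.

Added example, not code from the original post. SESSION_IDLE_SECONDS and
SCRYPT_PARAMS are assumed policy values; the stores are in-memory stand-ins.
"""
import hashlib
import hmac
import os
import secrets
import time

SESSION_IDLE_SECONDS = 15 * 60            # assumed policy: 15 minutes idle
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1)  # assumed; tune so one hash takes ~100 ms


def hash_password(password, salt=None):
    """Return (salt, digest). A fresh random salt per user means two users
    with the same password get different digests and precomputed tables
    are useless; scrypt is deliberately slow and memory-hard."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return salt, digest


def verify_password(password, salt, expected):
    """Recompute with the stored salt; constant-time compare."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


class SessionStore:
    """Opaque random session ids: every login gets a new one, logout destroys
    it server-side, and idle sessions expire."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock            # injectable so expiry can be tested
        self._sessions = {}            # sid -> {"user": ..., "last_seen": ...}

    def create(self, user):
        sid = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._sessions[sid] = {"user": user, "last_seen": self._clock()}
        return sid

    def lookup(self, sid):
        """Return the user for a live session (touching its timestamp) or None."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        now = self._clock()
        if now - entry["last_seen"] > SESSION_IDLE_SECONDS:
            del self._sessions[sid]    # expired: drop it rather than revive it
            return None
        entry["last_seen"] = now
        return entry["user"]

    def destroy(self, sid):
        """Logout: the identifier must stop working even if the client keeps it."""
        self._sessions.pop(sid, None)


class UserDB:
    def __init__(self):
        self._users = {}   # username -> (salt, digest)

    def register(self, user, password):
        self._users[user] = hash_password(password)

    def authenticate(self, user, password):
        record = self._users.get(user)
        if record is None:
            hash_password(password)   # burn a hash so unknown users are not detectable by timing
            return False
        return verify_password(password, *record)


if __name__ == "__main__":
    db, sessions = UserDB(), SessionStore()
    db.register("alice", "correct horse battery staple")
    if db.authenticate("alice", "correct horse battery staple"):
        sid = sessions.create("alice")
        print("logged in as", sessions.lookup(sid))
        sessions.destroy(sid)
        print("after logout:", sessions.lookup(sid))
```

The stored record is salt plus digest and nothing else; there is no key anywhere on the server that could decrypt passwords, which is the property the DES-versus-AES framing misses.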

Risk Review Items

  • Exposed Secrets
  • Potential Lift and Shift Vulnerability
  • Possible Command Injection
  • Possible SQL Injection
  • Possible Fragment Injection
  • The Application May Load Code Dynamically
  • Unsafe HTTPS Communication Due To Insecure Hostname Verifier
  • Insecure Certificate Validation
  • Webview Injection Via Loaded Content
  • Webview Using addJavaScriptInterface()
  • Application Makes Phone Calls Without Authorization
  • Outdated Version of Host Server
  • Client Application Vulnerable to the Apple gotofail Vulnerability
  • Application Doesn’t Hide Data When Entering a Background State
  • Potentially Sensitive Information Leaked to the iOS Keychain
  • JavaScript Execution
  • Application Handles Custom URL Schemes
  • Client Uses Low-Level Network Frameworks
  • Potential Buffer Overflow Vulnerabilities
  • Creation of Named Pasteboard
  • Getting and Setting Pasteboard Items and Attributes
  • NSFile Usage
  • malloc() Function Could Lead to Overflow Vulnerabilities