Mobile Checklist

Setup and Environment Preparation:

• Set up a controlled environment: Use emulators (like Android Studio's emulator for Android or Corellium for iOS) or real devices.

• Install necessary tools for mobile analysis (e.g., adb for Android, Cydia for jailbroken iOS).

Initial Assessment:

• Identify the type of application (Android APK or iOS IPA).

• Install the application on your device or emulator.

Static Analysis:

• For Android:

  • Decompile the APK using tools like apktool or jadx.

  • Review the manifest file for permissions, activities, services, and receivers.

  • Examine the decompiled source for sensitive information (API keys, URLs, etc.).

• For iOS:

  • Extract the IPA contents and analyze plist files.

  • Use tools like class-dump to understand the class structures.

Dynamic Analysis:

• Monitor and analyze the app's runtime behavior.

• Use tools like Frida or Objection for hooking into running processes and manipulating function calls and data.

• Monitor network traffic with Wireshark or Burp Suite.

Data Storage Analysis:

• Check how the application stores data locally.

• For Android, examine SQLite databases, shared preferences, or files in the app's directory.

• For iOS, inspect SQLite databases, plist files, and the Keychain.

Reverse Engineering and Code Analysis:

• Analyze the code for vulnerabilities such as hard-coded secrets, insecure communication, or improper validation checks.

• Reverse engineer any custom algorithms or obfuscated code.

Network Analysis:

• Intercept and analyze network traffic to understand API calls.

• Look for insecure API endpoints, data leakage, or hard-coded API keys.

Cryptanalysis (if applicable):

• Identify and analyze the usage of cryptographic functions.

• Test for weak or broken cryptography.

Authentication and Session Management Testing:

• Test for broken authentication mechanisms.

• Analyze session management for vulnerabilities.

Client-side Analysis:

• Inspect client-side validation routines.

• Test for client-side injection vulnerabilities (e.g., JavaScript or SQL injection).

Permissions and Exposures:

• Review the app’s permissions for any unnecessary access.

• Check for exposed content providers (Android) or URL schemes (iOS).

Reporting and Documentation:

• Document your findings, including how vulnerabilities can be exploited and potential mitigation strategies.

• Prepare a detailed report if required.

Cleanup:

• After analysis, ensure to remove the application and any associated data from your testing environment.