Android Pentest
MASVS-STORAGE
MASTG-TEST-0001
To verify how an app manages and stores sensitive data locally.
Connect to the phone via SSH or adb shell and grep for sensitive data within the /data/path/appname directory.
MASTG-TEST-0009
To check if the app allows backups.
Use MobSF to check if backup is enabled.
Also check the manifest (AndroidManifest.xml) for the value: android:allowBackup="true"
MASTG-TEST-0011
To check for sensitive data leaked in memory.
frida-ps -U   (obtain the app name or package name)
fridump -U {app name or package name}
strings * | grep -B 5 -A 5 -i "{text to search}"   (run inside the dump directory)
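The strings/grep step above, and the grep over the app data directory in MASTG-TEST-0001, can be done in one pass that also recognises token formats instead of a single search term. The following is an added Python example (not part of this checklist, not from MASTG or fridump) that extracts printable runs from a dump like strings(1), applies a small set of illustrative patterns (credentials in key=value form, JWTs, Basic auth headers, Luhn-valid card numbers) and reports each hit with its offset and surrounding text. The patterns and the sample dump bytes are constructed for the example.

```python
import re
import sys
from typing import Iterator

# Illustrative patterns (an assumption of this example, not an exhaustive list)
# for data that should not sit in clear text in process memory or under the
# app's data directory.
PATTERNS = {
    "jwt": re.compile(rb"eyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}"),
    "credential_kv": re.compile(rb"(?i)\b(password|passwd|pwd|secret|api[_-]?key)\s*[=:]\s*\S+"),
    "basic_auth": re.compile(rb"(?i)authorization:\s*basic\s+[A-Za-z0-9+/=]{8,}"),
    "card_number": re.compile(rb"\b(?:\d[ -]?){13,16}\b"),
}


def printable_strings(data: bytes, min_len: int = 4) -> Iterator[tuple[int, bytes]]:
    """Yield (offset, run) for each run of printable ASCII, like strings(1)."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        yield m.start(), m.group()


def luhn_ok(digits: str) -> bool:
    """Luhn check so that arbitrary digit runs are not reported as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan_dump(data: bytes, context: int = 24) -> list[dict]:
    """Return findings with type, absolute offset, matched text and context."""
    findings = []
    for offset, run in printable_strings(data):
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(run):
                value = m.group()
                if kind == "card_number" and not luhn_ok(re.sub(rb"[ -]", b"", value).decode()):
                    continue
                lo, hi = max(0, m.start() - context), min(len(run), m.end() + context)
                findings.append({
                    "type": kind,
                    "offset": offset + m.start(),
                    "match": value.decode(errors="replace"),
                    "context": run[lo:hi].decode(errors="replace"),
                })
    return findings


def scan_file(path: str) -> list[dict]:
    """Scan one fridump output file or one file copied from the app data directory."""
    with open(path, "rb") as fh:
        return scan_dump(fh.read())


# Constructed dump fragment: a credential, a JWT and a card number among binary noise.
SAMPLE_DUMP = (
    b"\x00\x00\x7fELF\x01\x00"
    b"username=alice&password=Hunter2!\x00\x00"
    b"\xde\xad\xbe\xef"
    b'{"access_token":"eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.aBcDeFgHiJkLmNoPqRsTuVwXyZ0123"}\x00'
    b"\x01\x02card=4111 1111 1111 1111\x00"
    b"harmless log line\x00"
)

if __name__ == "__main__":
    paths = sys.argv[1:]
    if paths:
        results = [(p, f) for p in paths for f in scan_file(p)]
    else:
        results = [("sample", f) for f in scan_dump(SAMPLE_DUMP)]
    for path, f in results:
        print(f"{path}:0x{f['offset']:x} [{f['type']}] {f['match']!r}  ...{f['context']}...")
```

Run it as `python scan_dump.py dump/*.data` over the fridump output directory, or with no arguments to see it flag the three planted items in the constructed sample; anything it reports in a real dump still needs manual confirmation, since a match only shows the value was in memory, not how long it stayed there.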
MASTG-TEST-0003
To check for leaks in logs.
Use the following Frida script: https://codeshare.frida.re/@platix/print-android-logs-in-console/
frida --codeshare platix/print-android-logs-in-console -f {app}
MASVS-CRYPTO
MASTG-TEST-0014
To check for weak cipher algorithms.
Check this with MobSF and RMS.
MASTG-TEST-0016
To check for weak random number generation functions.
Check with MobSF and Jadx (look for every place where the random functions are called).
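The Jadx search for weak ciphers (MASTG-TEST-0014) and for calls to the random functions (MASTG-TEST-0016) can be scripted over the decompiled sources. The following is an added Python example (not from this checklist, MobSF or Jadx) with a handful of rules over Java source: legacy or 64-bit block ciphers, ECB or default-mode Cipher.getInstance calls, MD5/SHA-1 digests, java.util.Random and Math.random instead of SecureRandom, and hard-coded IVs. The rules and the sample CryptoUtil.java are constructed for the example; a rule hit is a place to review, not a confirmed finding.

```python
import os
import re
from dataclasses import dataclass


@dataclass
class Finding:
    file: str
    line: int
    rule: str
    why: str
    code: str


# Rules (an assumption of this example) over Jadx output: (id, regex, why it matters).
RULES = [
    ("weak-cipher", re.compile(r'Cipher\.getInstance\(\s*"(DES|DESede|RC4|ARCFOUR|Blowfish)(/[^"]*)?"'),
     "legacy or 64-bit block cipher"),
    ("ecb-mode", re.compile(r'Cipher\.getInstance\(\s*"[^"]*/ECB/[^"]*"'),
     "ECB leaks plaintext patterns"),
    ("default-mode", re.compile(r'Cipher\.getInstance\(\s*"(AES|DES|DESede)"\s*\)'),
     "no mode given: most providers default to ECB"),
    ("weak-hash", re.compile(r'MessageDigest\.getInstance\(\s*"(MD5|SHA-?1)"'),
     "collision-prone digest"),
    ("insecure-random", re.compile(r'\bnew\s+(java\.util\.)?Random\s*\(|\bMath\.random\s*\('),
     "predictable PRNG; SecureRandom is expected for keys, IVs and tokens"),
    ("static-iv", re.compile(r'new\s+IvParameterSpec\s*\(\s*new\s+byte\s*\[\]\s*\{'),
     "hard-coded IV"),
]


def scan_sources(sources: dict[str, str]) -> list[Finding]:
    """Apply every rule to every line of every file; order is file, line, rule."""
    findings = []
    for name, text in sources.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for rule_id, pattern, why in RULES:
                if pattern.search(line):
                    findings.append(Finding(name, lineno, rule_id, why, line.strip()))
    return findings


def scan_dir(root: str) -> list[Finding]:
    """Walk a Jadx output tree (jadx -d out app.apk) and scan the .java files."""
    sources = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.endswith(".java"):
                path = os.path.join(dirpath, fn)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    sources[path] = fh.read()
    return scan_sources(sources)


# Constructed decompiled class with three weak constructs and one correct SecureRandom use.
SAMPLE_SOURCES = {
    "com/example/app/CryptoUtil.java": """\
package com.example.app;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Random;
import javax.crypto.Cipher;

public class CryptoUtil {
    static Cipher cipher() throws Exception {
        return Cipher.getInstance("AES/ECB/PKCS5Padding");
    }
    static String sessionToken() {
        Random r = new Random(System.currentTimeMillis());
        return Long.toHexString(r.nextLong());
    }
    static byte[] passwordHash(byte[] pw) throws Exception {
        return MessageDigest.getInstance("MD5").digest(pw);
    }
    static Cipher legacy() throws Exception {
        return Cipher.getInstance("DES/CBC/PKCS5Padding");
    }
    static byte[] nonce() {
        byte[] b = new byte[12];
        new SecureRandom().nextBytes(b);
        return b;
    }
}
""",
}

if __name__ == "__main__":
    import sys
    results = scan_dir(sys.argv[1]) if len(sys.argv) > 1 else scan_sources(SAMPLE_SOURCES)
    for f in results:
        print(f"{f.file}:{f.line} [{f.rule}] {f.why}\n    {f.code}")
```

With no argument the script scans the constructed sample and reports four lines (ECB mode, java.util.Random seeded with the clock, MD5 over a password, DES) while leaving the SecureRandom nonce alone; pass the Jadx output directory to run it over a real decompilation.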
MASTG-TEST-0015
To check for the lack of a secure cipher implementation.
Use the following Frida script to check whether the cipher parameters and keys are easily extractable: https://codeshare.frida.re/@fadeevab/intercept-android-apk-crypto-operations/
Use the following tool with options 9 and 10 to monitor the crypto operations: https://github.com/m0bilesecurity/RMS-Runtime-Mobile-Security#8-api-monitor---android-only
MASVS-AUTH
MASVS-AUTH-1
To check for IDORs.
Modify requests with Burp Suite and try evading security controls.
MASVS-AUTH-3
To check for an incorrect 2FA/MFA implementation.
Modify requests with Burp Suite and try evading security controls (session tokens, expiration tokens, …).
MASVS-NETWORK
MASTG-TEST-0020
To check for TLS vulnerabilities and weak cipher algorithms within secure communications.
Use testssl.sh
MASTG-TEST-0021
To check for missing certificate validation.
Use Burp and check the app's requests.
MASTG-TEST-0022
To bypass certificate pinning.
Use RMS and the different options within the default scripts.
Use the following Frida script: https://codeshare.frida.re/@akabe1/frida-multiple-unpinning/
frida --codeshare akabe1/frida-multiple-unpinning -f {app}
MASVS-PLATFORM
MASTG-TEST-0024
To check for permission misconfigurations.
Use MobSF and check whether the app permissions are consistent with the app functionality.
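The manifest checks in this list (android:allowBackup in MASTG-TEST-0009 and the permission review in MASTG-TEST-0024) can be run over a decoded AndroidManifest.xml, such as the one apktool or MobSF produce. The following is an added Python example (not from this checklist, MobSF or MASTG) that reports allowBackup, notes that a missing attribute defaults to true, reports android:debuggable, and lists the dangerous permissions that are not in the set the tester expects for the app's functionality. The two manifests, the expected-permission set and the dangerous-permission subset are constructed for the example.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Runtime ("dangerous") permissions that need a justification in the app's
# functionality. Illustrative subset only, not the full platform list.
DANGEROUS = {
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}


@dataclass
class ManifestReport:
    allow_backup: bool
    backup_explicit: bool
    debuggable: bool
    permissions: list = field(default_factory=list)
    unexpected_dangerous: list = field(default_factory=list)

    def issues(self) -> list:
        out = []
        if self.allow_backup:
            how = "" if self.backup_explicit else " by default (attribute missing)"
            out.append(f"android:allowBackup is true{how}: app data is included in backups")
        if self.debuggable:
            out.append("android:debuggable=true: a debugger can attach to this build")
        out += [f"dangerous permission not justified by app functionality: {p}"
                for p in self.unexpected_dangerous]
        return out


def _attr(elem, name):
    """Read an android:-namespaced attribute, or None if the element is absent."""
    return elem.get(f"{{{ANDROID_NS}}}{name}") if elem is not None else None


def check_manifest(xml_text: str, expected_permissions: set) -> ManifestReport:
    root = ET.fromstring(xml_text)
    app = root.find("application")
    backup = _attr(app, "allowBackup")
    debuggable = _attr(app, "debuggable")
    perms = sorted(p for p in (_attr(e, "name") for e in root.findall("uses-permission")) if p)
    return ManifestReport(
        allow_backup=(backup is None) or backup.lower() == "true",
        backup_explicit=backup is not None,
        debuggable=(debuggable or "false").lower() == "true",
        permissions=perms,
        unexpected_dangerous=sorted((set(perms) & DANGEROUS) - set(expected_permissions)),
    )


# Constructed: a notes app that scans documents with the camera, so INTERNET and
# CAMERA are expected; READ_CONTACTS is not.
EXPECTED_PERMISSIONS = {"android.permission.INTERNET", "android.permission.CAMERA"}

WEAK_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <application android:allowBackup="true" android:debuggable="true" android:label="Notes">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""

HARDENED_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <application android:allowBackup="false" android:label="Notes">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else WEAK_MANIFEST
    report = check_manifest(text, EXPECTED_PERMISSIONS)
    print("declared:", ", ".join(report.permissions))
    for issue in report.issues() or ["no issues"]:
        print("-", issue)
```

Run it as `python check_manifest.py out/AndroidManifest.xml` after decoding the APK; the expected-permission set is the tester's own judgement of what the app needs and has to be adjusted per app, which is exactly the comparison the MobSF step asks for.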
MASTG-TEST-0010
To check for information leaks in the screen capture taken when the app is sent to the background.
After authenticating, send the app to the background and open the recent apps view to check whether sensitive data is visible or blurred.
MASVS-CODE
MASVS-CODE-1
To discover leaked secrets and APIs in the source code.
Use MobSF to check for leaks (most of them will be false positives).
Use Jadx to search manually.
MASTG-TEST-0042
To check for vulnerable third-party libraries.
MobSF checks this.
MASVS-RESILIENCE
MASTG-TEST-0045
To check anti-root/anti-jailbreak measures.
Open the app on a rooted device and use a root-checker app, with the app sent to the background, to evidence this.
MASTG-TEST-0049
To check for anti-virtualization measures.
Open the app in an Android Studio emulator to check whether it detects the virtualized environment.
MASTG-TEST-0047
To check for the lack of application integrity checks.
Use Android Studio or APK Studio and re-sign the APK with a different certificate.
MASTG-TEST-0050
To check anti-instrumentation measures.
Open the app with Frida; if it does not crash, it is vulnerable.
MASTG-TEST-0051
To check for the lack of source code obfuscation.
Use Jadx and check whether the code is correctly obfuscated.
MASTG-TEST-0039
To check if the app is debuggable.
Use the following Frida script: https://codeshare.frida.re/@Raphkitue/android-debug-mode-bypass/
frida --codeshare Raphkitue/android-debug-mode-bypass -f {app}
Also use the RMS debug mode bypass default script.
MASTG-TEST-0048
To check reverse engineering tools detection.
Open the app with Frida; if it does not crash, it is vulnerable.