Incredible mindmap about hacking iOS applications

Teacher

Text version in checklist format:

Custom URL Schemes
> Check if application handles deeplinks or universal links (app:// or https://app.com). Analyze and fuzz it.
> If link performs an action check for CSRF.
> Hidden functionality. Check if deeplinks allow to bypass auth.
> Is scheme hijacking possible?

Web Views
> Is JS disabled in WebView? Check for XSS.
> Is file:// access used? Check for path traversal.
> Client-Side Web bugs.
> Check if other URL schemes are enabled (tel: | sms:).
> Check if URI in WebView cannot be manipulated by user.
> Are native methods exposed over the WebView?

Client Side Protections & Hardening
> Is JailBreak detection present?
> Is hooking detection in place? Allows you to hook some interesting functions.
> Is update required if newer version of app available?
> Does app use min. set of permissions?
> Is tampering possible? Allows you to patch functions.
> Is it possible to attach LLDB?
> Obfuscation. Are sensitive methods obfuscated? Is Control Flow Graph obfuscation implemented?
> Are debug code or symbols stripped?
> Are exceptions handled correctly?
> Are binary protections used? ARC, Stack Canary, PIE
> Does App use native libs? Check for memory corruption bugs. Possible DoS or RCE.

Third Party Libraries
> Check dependencies for known vulnerabilities
> Read the documentation to understand possible misconfigurations
> Does app allow usage of 3rd-party keyboards for sensitive data?
> Is sensitive data masked and anonymized if sent to 3rd-parties?

Authentication
> Does app establish a session?
> Is validation done on client side?
> Check if keychain is wiped after log out or app uninstall
> Is Touch ID/Face ID working correctly?
> Does app require auth on high-risk operations?
> Does app have PIN? Check notifications don't disclose sensitive data.

Insecure Data Storage
> Check if UIPasteboard is used
> Check for sensitive data in backups
> Is sensitive data masked in text fields?
> Are screenshots allowed on sensitive screens?
> Is sensitive data removed from snapshot when app is minimized?
> Is keyboard cache disabled for sensitive data?
> Does app clear memory after submitting sensitive data?
> Check if app stores sensitive data unencrypted: CoreData, .plist files, Device/App logs, NSUserDefaults, Volatile Memory, SQLite, Cache, Firebase, Realm

Broken Cryptography
> Check for hardcoded encryption keys and IVs
> How are encryption keys managed?
> Does app use weak ciphers or weak random?
> Does app reuse encryption keys?

Network API
> Does app use SSL/TLS correctly?
> Does app have SSL pinning?
> Is it possible to bypass using public scripts?
> Is App Transport Security configured correctly?

XMind sources:
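Two of the checklist items (custom URL schemes, App Transport Security configuration) can be pre-screened statically from the app's Info.plist before any dynamic testing. The script below is an added example written for this page, not code from the post's author or from the mindmap; it uses only the Python standard library, the plist keys are the real ATS and CFBundleURLTypes keys, and both plists are constructed samples rather than files from any real app.

```python
"""Audit an iOS Info.plist for two checklist items: registered custom URL
schemes and App Transport Security (ATS) weakenings."""
import plistlib

# Constructed sample Info.plist (not taken from any real app). It registers a
# custom scheme and relaxes ATS in several ways so the audit has something to flag.
WEAK_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.demo</string>
  <key>CFBundleURLTypes</key>
  <array>
    <dict>
      <key>CFBundleURLName</key><string>com.example.demo</string>
      <key>CFBundleURLSchemes</key>
      <array><string>demoapp</string></array>
    </dict>
  </array>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>legacy.example.com</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
        <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.0</string>
        <key>NSExceptionRequiresForwardSecrecy</key><false/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

# Constructed hardened counterpart: ATS left at its defaults and no custom
# scheme. Universal links (https://) are declared in the associated-domains
# entitlement, not in Info.plist, so nothing here needs to be flagged.
HARDENED_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.demo</string>
</dict>
</plist>
"""

WEAK_TLS = ("TLSv1.0", "TLSv1.1")


def audit_info_plist(data: bytes) -> list[str]:
    """Return one finding string per weak setting; an empty list means clean."""
    plist = plistlib.loads(data)
    findings = []

    # Custom URL schemes: any app on the device can claim the same scheme, so
    # each one is both a hijacking risk and an input path that needs validation.
    for url_type in plist.get("CFBundleURLTypes", []):
        for scheme in url_type.get("CFBundleURLSchemes", []):
            findings.append(
                f"custom scheme {scheme}:// registered: review its handler for "
                "auth bypass/CSRF and prefer universal links")

    # ATS: global switches first, then per-domain exceptions.
    ats = plist.get("NSAppTransportSecurity", {})
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("NSAllowsArbitraryLoads=true: ATS disabled for all domains")
    if ats.get("NSAllowsArbitraryLoadsInWebContent"):
        findings.append("NSAllowsArbitraryLoadsInWebContent=true: ATS disabled inside WebViews")

    for domain, exc in ats.get("NSExceptionDomains", {}).items():
        if exc.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(f"{domain}: plaintext HTTP allowed")
        tls = exc.get("NSExceptionMinimumTLSVersion")
        if tls in WEAK_TLS:
            findings.append(f"{domain}: minimum TLS lowered to {tls}")
        if exc.get("NSExceptionRequiresForwardSecrecy") is False:
            findings.append(f"{domain}: forward secrecy not required")
    return findings


if __name__ == "__main__":
    for name, blob in (("weak", WEAK_INFO_PLIST), ("hardened", HARDENED_INFO_PLIST)):
        result = audit_info_plist(blob)
        print(f"{name}: {len(result)} finding(s)")
        for line in result:
            print("  -", line)
```

Point `audit_info_plist` at the bytes of a real `Payload/<App>.app/Info.plist` (binary plists are handled by `plistlib` too) to get the same list; the weak sample yields five findings and the hardened one none. A clean plist only means the ATS and scheme items are not misconfigured at the declaration level; the handler-side checks in the list (CSRF, auth bypass, certificate pinning) still need dynamic testing.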