Builds
- Release/production build: verify that the security controls work correctly and cannot be bypassed easily; this is the build an attacker would face.
- Debug build: security controls (e.g. certificate pinning, root/jailbreak detection) are deactivated so the application can be tested thoroughly (white box testing).
- If a debug build is not available, black box testing can be performed on the production build instead.
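The following Android Gradle fragment is an added example (not part of the original page) showing how the two build types above are typically set up: controls are switched off in the debug build type and on in the release build type, so the same code base yields a white-box test artifact and a hardened production artifact. The flag names `ENFORCE_CERT_PINNING` and `ENFORCE_ROOT_DETECTION` are hypothetical; the application code would read them through the generated `BuildConfig` class.

```groovy
// app/build.gradle (Groovy DSL). Added example, not from the original page.
// Security controls are gated per build type: the debug build can be tested
// white box (traffic proxied, rooted device), the release build keeps them on.
// Flag names are hypothetical; app code checks BuildConfig.ENFORCE_CERT_PINNING etc.
android {
    buildTypes {
        debug {
            debuggable true
            // Debug build: disable pinning and root detection so testers can
            // intercept traffic and run the app on a rooted/jailbroken device.
            buildConfigField "boolean", "ENFORCE_CERT_PINNING", "false"
            buildConfigField "boolean", "ENFORCE_ROOT_DETECTION", "false"
        }
        release {
            debuggable false
            minifyEnabled true
            proguardFiles getDefaultProguardFile('proguard-android-optimize.txt'), 'proguard-rules.pro'
            // Release build: all controls enforced. This is the build used to
            // test that the controls cannot be bypassed easily.
            buildConfigField "boolean", "ENFORCE_CERT_PINNING", "true"
            buildConfigField "boolean", "ENFORCE_ROOT_DETECTION", "true"
        }
    }
}
```

Before testing, confirm which build type the artifact under test actually is: a release APK must not have `android:debuggable="true"` in its manifest, and a debug build must never be the one that ships, since the disabled controls would go to production with it.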
Sensitive Data
- What is considered sensitive data in this application?
Environmental Information
- The app's purpose, which shapes how users interact with it and which attack vectors are most likely.
- The industry's risk profile (e.g. financial, healthcare), which varies and may bring regulatory requirements.
- Stakeholder and investor roles and interests.
- Internal processes and workflows that may introduce vulnerabilities.
Architectural Information
- Which data the mobile app accesses, how sessions are managed, and how the app responds to jailbroken/rooted devices.
- Operating systems and versions in use, including relevant OS vulnerabilities and any MDM controls in place.
- Network protocols in use, the strength of their encryption, and whether the app verifies the endpoint it talks to (e.g. through certificate pinning).
- Remote services the app depends on, and how a compromise of one of them would affect the app.
Mapping the Application
- Have we performed any threat modelling or rapid risk assessments?
