What could be done from a testing point of view for testing a mobile app?
I am trying to analyze "what could be done from a testing point of view" for testing a mobile app (iOS & Android) at the "application security level". Here are the points that I wish to consider in my testing.

Security Testing

Malicious Functionality
- Activity monitoring and data retrieval
- Unauthorized dialing, SMS, and payments
- Unauthorized network connectivity (exfiltration or command & control)
- UI impersonation
- System modification (rootkit, APN proxy config)

Vulnerabilities
- Sensitive data leakage (inadvertent or side channel)
- Unsafe sensitive data storage
- Unsafe sensitive data transmission
- Hard-coded passwords/keys

Any help or pointers are highly appreciated.
Personally, I always get a bit concerned about "what should I test" questions around security testing, because if you need to ask, you really shouldn't be doing security testing. That said, you need to start with a threat model to determine the potential attack vectors and then proceed from there. Your application really needs to follow some form of Security Development Lifecycle to ensure that the application is designed and built with security in mind. This starts as a discussion with your architect and stakeholders.