Support #12933
[SCP ID :##6249##] : Mobile Pentest Remediation
| Status: | Development / Work In Progress | Start date: | April 22, 2022 |
|---|---|---|---|
| Priority: | Normal | Due date: | May 18, 2022 |
| Assignee: | Nurul Athira Abdul Rahim | % Done: | 99% |
| Category: | Pentest | Spent time: | - |
| Target version: | - | | |
Description
Hi,
Kindly attend to the request below:
Mobile Pentest Remediation
Subtasks
History
#1 Updated by Najmi Pasarudin over 2 years ago
- Status changed from New - Begin Life Cycle to Development / Work In Progress
H1 Unencrypted Communications (Target SIT 25/4/2022)
Channel: None
Issue: Mobile apk is using unsecured connection
Finding: LGMS is testing the APK using the app URL instead of the web URL http://10.10.95.121:8080 or https://www.bsnebiz.com.my
Solution: Penril needs to prepare an APK using HTTPS, or LGMS tests using the Production APK
Due to a security issue, the UAT HTTPS URL cannot be made public
Test step: Redo the testing using the web URL Production APK
Channel: Restful, APK Android, APK iOS
Issue: Mobile allows a modified account number when making a transaction
Finding: Restful does not check whether the account number belongs to the user ID
Solution: Remove the parameter for linked account. Update the code to generate the linked account using the encrypted user ID at the middle-service.
Test step:
- Access mobile application
- Access Transaction history
- Check account list. Make sure it is the allowed account set by Corporate Admin.
- Repeat testing at Details page for Own Account, Loan, Corporate Card, Third Party, Interbank, DuitNow, RENTAS, Bill Payment and Jompay.
Channel: Restful
Issue: Restful allows Payment and eStatement without password login
Finding: Restful relies on mobile password login popup. LGMS can bypass the popup.
Solution: Add mobile login status to the database and check it at every transaction
Test step:
- Access mobile application
- Enter login password
- Access Payment and Transfer
- Make Own account transfer
- Expected result: transfer status is successful/pending approval
- Repeat testing for Loan, Corporate Card, Third Party, Interbank, DuitNow, RENTAS, Bill Payment and Jompay.
L2 No Server-Side Session Termination
Channel: Restful, APK Android, APK iOS
Issue: Session is not terminated at mobile logout or timeout
Finding:
Solution:
Test step:
L3 Sensitive Information Leaked in Logs (Unintended Data Leakage)
Channel: Restful, APK Android, APK iOS
Issue: Log shows sensitive information such as bearer token, username, address, email, phone no., transaction details, bank account details, encrypted/hashed password
Finding:
Solution:
Test step:
L4 Missing Certificate / Public Key Pinning
Finding:
Solution:
Test step:
L5 Application Backgrounding (Unintended Data Leakage)
Channel: APK iOS
Issue: iOS can screenshot the BSN application
Finding: This was previously fixed; need to check on the iOS version
Solution:
Test step:
L6 Local Biometric Authentication Bypass
Channel: Restful
Issue: Related to L1
Finding:
Solution:
Test step:
L7 Packet Replay (Fund Transfer)
Channel: Restful
Issue: A similar transaction can be replicated by the LGMS tool
Finding:
Solution: Add a database JID to each transaction, similar to RENTAS
Test step:
L8 Parameter Tampering (Generate PDF)
Channel: Restful, APK Android, APK iOS
Issue: The receipt PDF Restful parameter can be modified
Finding:
Solution: Generate the PDF parameter at the middle-service instead of using the Restful parameter. This was fixed by Wen Hong but is not deployed on Production yet.
Test step:
L9 DuitNow Recipient Name Enumeration
Channel: Restful
Issue: Restful allows DuitNow ID lookup without a limit
Finding:
Solution: Add a DuitNow ID lookup limit in the database
Test step:
L10 Circumvention of Workflow (OTP Bypass)
Channel: Restful, APK Android, APK iOS
Issue: The OTP Restful parameter can be modified to false to bypass the OTP requirement
Finding:
Solution:
Test step:
L11 Android Application Supports Cleartext Traffic
Channel: APK Android
Issue:
Finding:
Solution:
Test step:
L12 Overly Permissive Permission
Channel: APK Android, APK iOS
Issue:
Finding:
Solution:
Test step:
L13 App Transport Security (ATS) Exception Found
Channel: APK iOS
Issue:
Finding:
Solution:
Test step:
I1 Application Allows Use of Third-Party Keyboards
Issue:
Finding:
Solution:
Test step:
I2 Application Screenshot (Unintended Data Leakage)
Issue:
Finding:
Solution:
Test step:
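As an added illustration (not code from Penril or the BSN project), the middle-service checks that the account-ownership, password-login and packet-replay findings above call for: the allowed account set is resolved server-side from the authenticated user ID rather than taken from the request, the mobile password login status is recorded server-side and checked on every transaction, and each transaction carries a single-use JID so a captured request cannot be resubmitted. Function and store names are assumed, and the sample data is constructed.

```python
# Added illustration (not Penril/BSN code): server-side checks for three of the
# Restful findings, done at the middle-service so client parameters are not trusted.
# In-memory dicts stand in for the database; all names here are assumed.
import secrets

# Constructed sample data: accounts a user may transact from, as set by Corporate Admin.
ALLOWED_ACCOUNTS = {"user-001": {"1100-2233", "1100-9988"}}
# Server-side record of whether the user completed the mobile password login.
PASSWORD_LOGIN_OK = {"user-001": False}
# JIDs already consumed by a transaction; a replayed request reuses one of these.
USED_JIDS: set[str] = set()


def record_password_login(user_id: str) -> None:
    """Called by the login endpoint only after the password is verified server-side."""
    PASSWORD_LOGIN_OK[user_id] = True


def issue_jid() -> str:
    """Fresh per-transaction identifier handed to the client when the form loads."""
    return secrets.token_hex(16)


def authorize_transfer(user_id: str, from_account: str, jid: str) -> str:
    """Return 'ok' or a rejection reason.

    user_id must come from the verified session/bearer token, never from a
    request body field, otherwise the ownership check below is meaningless.
    """
    # Finding: Restful relied on the mobile password popup, which can be bypassed
    # on the client; the server must hold the login state itself.
    if not PASSWORD_LOGIN_OK.get(user_id):
        return "reject: password login not recorded"
    # Finding: the account number was accepted without checking it belongs to the user.
    if from_account not in ALLOWED_ACCOUNTS.get(user_id, set()):
        return "reject: account not linked to user"
    # Finding: an identical transaction could be replayed; a JID is single-use.
    if not jid or jid in USED_JIDS:
        return "reject: duplicate or missing transaction id"
    USED_JIDS.add(jid)
    return "ok"
```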
#2 Updated by Nurul Athira Abdul Rahim over 2 years ago
- Category set to Pentest