Hi
This is the list I have so far of things to be tested in mobile devices. Let me know if you find it helpful.
Verify that the code is obfuscated
Check that there are lock out mechanisms in place
Try to call a webservice/API without having generated an authentication token
Check that inputs that contain sensitive information don’t remember the information previously entered
Check that once you have logged off from an application, when clicking back you can't navigate to the application again (Android only)
Check that when you are inside the application and click on back, no sensitive information remains in the forms
Try to set something insecure as the password (password, 1111111…)
Check that you can't access somebody else's data by bypassing the front end validations (direct webservice/API call)
Check that you can't execute an operation by bypassing authorisation (direct webservice/API call)
Check that after logoff, all data is cleared (SSO tokens, cookies, etc…)
Check that after session timeout you are automatically logged off
Try to inject any script/SQL/HTML... in the inputs of an application
Try to inject any script/SQL/HTML... directly in the back end call (webservice/API)
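Three of the items above (calling the API without a token, reading somebody else's data, and executing an operation without authorisation) are all "skip the app, talk to the backend directly" checks, and they are easiest to repeat if you script them. The following is an added example, not code from the original post or from any real app: it starts a small constructed mock API in-process (the endpoints, the `tok-alice`/`tok-bob` bearer tokens and the user records are all invented here) and runs the three direct-call checks against it. The mock authenticates correctly but deliberately never compares the token owner with the requested user, so the harness should flag the second check as a finding while the other two pass.

```python
"""Direct-API checks from the mobile test list, run against a constructed mock backend."""
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed sample data (assumption, not from any real system).
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}   # bearer token -> user
RECORDS = {"alice": {"balance": 100}, "bob": {"balance": 25}}
ADMINS = {"alice"}


class MockApi(BaseHTTPRequestHandler):
    """Mock backend: authentication is enforced, object ownership is not."""

    def _user(self):
        auth = self.headers.get("Authorization", "")
        token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
        return TOKENS.get(token.strip())

    def do_GET(self):
        user = self._user()
        if user is None:
            return self._send(401, {"error": "missing or invalid token"})
        parts = self.path.strip("/").split("/")
        if len(parts) == 2 and parts[0] == "users" and parts[1] in RECORDS:
            # Deliberate flaw kept for the demo: the token owner is never
            # compared with parts[1], so any logged-in user can read any record.
            return self._send(200, RECORDS[parts[1]])
        return self._send(404, {"error": "not found"})

    def do_POST(self):
        user = self._user()
        if user is None:
            return self._send(401, {"error": "missing or invalid token"})
        if self.path == "/admin/reset":
            if user not in ADMINS:          # authorisation check done correctly
                return self._send(403, {"error": "admin only"})
            return self._send(200, {"status": "reset"})
        return self._send(404, {"error": "not found"})

    def _send(self, status, body):
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):   # keep the mock quiet
        pass


def call(base, method, path, token=None):
    """Issue one raw request, bypassing any front end, and return the HTTP status."""
    req = Request(base + path, method=method)
    if token:
        req.add_header("Authorization", "Bearer " + token)
    try:
        with urlopen(req, timeout=5) as resp:
            return resp.status
    except HTTPError as err:
        return err.code


def run_checks(base):
    """Return {check: (status, passed)} for the three direct-call items of the list."""
    results = {}
    # 1. Call the API without ever obtaining a token: expect 401.
    status = call(base, "GET", "/users/alice")
    results["no_token"] = (status, status == 401)
    # 2. Bob's token asking for Alice's record: expect 403 or 404, never 200.
    status = call(base, "GET", "/users/alice", token="tok-bob")
    results["other_users_data"] = (status, status in (403, 404))
    # 3. Bob (not an admin) invoking an admin-only operation: expect 403.
    status = call(base, "POST", "/admin/reset", token="tok-bob")
    results["unauthorised_operation"] = (status, status == 403)
    return results


def start_server():
    """Start the mock on a random loopback port; returns (server, base_url)."""
    srv = HTTPServer(("127.0.0.1", 0), MockApi)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]


if __name__ == "__main__":
    server, base_url = start_server()
    for name, (code, ok) in run_checks(base_url).items():
        print("%-24s HTTP %d  %s" % (name, code, "OK" if ok else "FINDING"))
    server.shutdown()
```

Point `run_checks` at a real backend (after swapping the constructed tokens for two accounts you own) and the second check is the classic way to catch an IDOR that the app's own screens would never let you reach: the response being 200 for another user's identifier is the finding, regardless of what the mobile UI shows.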