### Android

- [ ] Check APK Signature
  - rizin can open `META-INF/CERT.RSA` and print the pkcs7 data from `pFp`
- [ ] Check certificates and validity, bad hashes, etc.
- [ ] Detect trackers
- [x] App is debuggable [example](https://stackoverflow.com/questions/2952140/android-how-to-mark-my-app-as-debuggable)
- [ ] Exported [example](https://stackoverflow.com/questions/27458207/what-is-the-use-of-androidexported-true-in-broadcastreceiver) [issue](https://stackoverflow.com/questions/44063387/android-app-security-test-failed-saying-component-is-not-protected-an-int) - Partial
- [ ] Test all Android security best practices [link](https://developer.android.com/topic/security/best-practices)

### iOS

- [x] Weak rand function
- [ ] Sandbox behavior (e.g. a successful call to `fork()`, since calls to `fork()` are disallowed on a stock iOS device).
- [x] [TrustKit](https://github.com/datatheorem/TrustKit) pinning.