OWASP Mobile Security Testing Guide
implementing secure SDLC for web application iOS and Android apps. He is a project leader for the OWASP Mobile Security Testing Guide and the creator of
Fixing Mobile AppSec The OWASP Mobile Security Testing Project
•One of the project leaders for the OWASP Mobile Security Testing Guide (MSTG) •Focusing on iOS and Android native applications.
Testing Guide
The Open Web Application Security Project (OWASP) is a worldwide free and open com- munity focused on improving the security of application software.
RandoriSec
10 déc. 2019 MOBILE SECURITY TESTING: LE GUIDE. ? 3 grandes parties : une section générale une section. Android
eLearnSecurity Mobile Application Penetration Testing (eMAPT
The design of the Android Application has guidelines from Google which becomes easier for developers to produce more intuitive user applications.
OWASP Mobile Security Testing Guide 1.1.3-excel
15 juin 2018 New APIs and best practices are introduced in iOS and Android with every major (and minor) release and also vulnerabilities are found every day.
owasp appsec 101 2
OWASP Mobile Security Testing Guide (MSTG). • Manual for testing security maturity of iOS and Android (mostly) native apps. • Maps on MASVS requirements.
Let me introduce you the OWASP Mobile App Security Testing
19 oct. 2018 OWASP Mobile Security Testing Guide https://www.owasp.org/index.php/OWASP_Mobile_Security_Testing_Guide. Android Developer Security Tips.
SO1UlRCERER : Developer-Driven Security Testing Framework for
3 nov. 2021 those vulnerabilities based on secure development guidelines. We evaluated SO{U}RCERER with a case study on analyzing and testing 36 Android ...
Untitled
OWASP Mobile Security Testing Guide (MSTG). • Manual for testing security maturity of iOS and Android (mostly) native apps. • Maps on MASVS requirements.
VANTAGEPOINT
Fixing Mobile
The OWASP Mobile Security Testing
Project
/usr/bin/whoamiHi everyone my name is Sven.
Principal Security Consultant at Vantage Point SecurityBased in Singapore, originally from Germany
Unix nerd since 1999
Professional Penetration tester since 2010
Security Architect for Web and Mobile Apps during SDLC One of the project leaders for the OWASP Mobile Security Testing Guide (MSTG)Why Mobile Application Security?
Application
Attack Surface
It all started with Network &
Protecting the perimeter
Ensuring endpoints are
Network Security still plays
an important partBut, different skills are
Common Situation
Key Pain Points
development teams the development life cycle technologiesImpact
OWASP Mobile Security Project - Our ͞Products"
Mobile Security
Testing Guide
Printed Book!
Mobile AppSec
PDF Download
Mobile AppSec
Excel I
security https://github.com/OWASP/ OWASP Mobile Application Security Verification Standard (MASVS)Started as a fork of the ASVS
Formalizes best practices
Mobile
OWASP Mobile Application Security Verification Standard (MASVS) Sample Question: Do we recommend using E2E encryption? OWASP Mobile Application Security Verification Standard (MASVS) Sample Question: Do we recommend using E2E encryption? ProsAdditional security layer
Protects data in case TLS tunnel
Protects data from exposure to
Introduces additional complexity
Implementation prone to errors
Adds security by obscurity
Makes testing difficult
False sense of security
Doesn't add much security beyond what
TLS already provides
OWASP Mobile Application Security Verification Standard (MASVS)Our Philosophy
4319 Defense
13 8 OWASP Mobile Application Security Verification Standard (MASVS) OWASP Mobile Application Security Verification Standard (MASVS)MASVS all
OWASP Mobile Application Security Verification Standard (MASVS) MASVS OWASP Mobile Application Security Verification Standard (MASVS) MASVS (Optional) Tamper OWASP Mobile Application Security Verification Standard (MASVS)Level 1 vs. Level 2
Might be overkill
for some apps! OWASP Mobile Application Security Verification Standard (MASVS)Ok, so why are security
requirements so important?To avoid this:
Pentesters
turning a report in... OWASP Mobile Application Security Verification Standard (MASVS) Ok, so why are security requirements so important? They enable you to build security into the app from the beginning They should be identified and defined already in the early stages of the SDLC Security requirements should be mapped to the user stories / journeys to address OWASP Mobile Application Security Verification Standard (MASVS) Goal:Ok, so why are security
requirements so important? OWASP Mobile Application Security Verification Standard (MASVS)How To Use the MASVS (as Developer)
What MASVS level (L1, L2, R) and requirements are appropriate for the app? Use the MASVS as starting point and extend it with custom requirements as needed All involved parties need to agree on the decisions made This is the basis for all design decisions and security activities Track the security requirements during development and implement them:Ideally in your issue tracking (e.g. Jira)
Excel Checklist is available as an alternative
OWASP Mobile Application Security Verification Standard (MASVS)How To Use the MASVS (as Security Tester)
Share the status of your security requirements with the Penetration Tester This will allow him to focus on specifically these security controls Makes testing more efficient, as things like SSL Pinning might be out of scope according to your decision and then it won't be raised as ǀulnerability Makes testing consistent and tester and developers are on the same page OWASP Mobile Security Testing Guide Standard (MSTG) What is the Mobile Application Security Testing Guide? Manual for testing security maturity of mobile AppsMaps directly to the MASVS requirements
Focusing on iOS and Android native applications
Goal is to ensure completeness of mobile app security testing through a consistent For security checks of the endpoint the OWASP Web Application Testing Guide should be used OWASP Mobile Security Testing Guide Standard (MSTG)Structure
Gitbook:
General Testing Guide
Android Testing Guide
iOS Testing GuidePlatform Overview
Security Testing Basics
Test Cases
Reverse Engineering
OWASP Mobile Security Testing Guide Standard (MSTG)Example of some Key Topics
Clarify how data can be stored on iOS and Android
Check the usage of cryptographic functions
Testing Platform Interaction
App permissions
Verify usage of Interprocess communication (IPC)
Check the implementation of WebViews
Biometric Authentication (Touch ID)
OWASP Mobile Security Testing Guide Standard (MSTG)MSTG -
Security Testers have no good
protection schemesMSTG -
Developers and Pentesters are confused
lack of obfuscation" as a critical security issue.MinifyEnabled = true?
Maybe encrypt strings?
Apply complex control flow obfuscation?
Maybe use some whitebox crypto?
We want to develop a proper assessment methodology.MSTG -
Skills needed for assessing ant
1.Every software protection scheme can be defeated.
Never to be used as replacement for security controlsViable uses: IP
Traditional the domain of malware reversers
MSTG -
Building a reverse engineering requirements for freeStatic and dynamic analysis
MSTG -
Tampering, patching and runtime instrumentation
MSTG -
MSTG -
Testing Anti
Root Detection
AntiDetecting Reverse Engineering Tools
Emulator Detection / Anti
File and Memory Integrity Checks
Device Binding
Obfuscation
MSTG -
Some Original Research
Android ART: Anti
Frida Detection
Frida server detection by local portscan
Memory scan to detect Frida agent/gadget artefactsSome variations of ptrace
See chapter ͞Testing Anti-Reǀersing Defenses" Also, see blog posts from Bernhard Mueller: http://goo.gl/hsU6bSMSTG -
Practical Challenges!
Check out the "
MSTG -
Ongoing Work
Obfuscation Metrics
https://github.com/bAssessment Methodology
https://github.com/OWASP/owaspReverse
Help is always needed!
MSTG65 Contributors according to GitHub
https://github.com/OWASP/owasp Big Thanks to everybody that was already supporting the project! MSTG We are still looking for people to support the project. So how to get started contributing RTFM:Slack:
Issues:
Resources
MASVS on GitHub
MSTG as GitBook
https://bVANTAGEPOINT
Thank you. Any questions?
sven@vantagepoint.sg / sven.schleier@owasp.orgquotesdbs_dbs14.pdfusesText_20[PDF] android sqlite database and content provider pdf
[PDF] android studio 3.0 development essentials android 8 edition pdf free download
[PDF] android studio 3.0 development essentials android 8th edition pdf
[PDF] android studio 3.0 development essentials android 8 edition free download
[PDF] android studio 3.0 development essentials android 8 edition pdf
[PDF] android studio 3.0 development essentials android 8 edition pdf download
[PDF] android studio 3.0 development essentials android 8 edition pdf free download
[PDF] android studio 3.0 development essentials android 8th edition pdf
[PDF] android studio 3.0 development essentials pdf free download
[PDF] android studio 3.0 development essentials source code download
[PDF] android studio 3.0 development essentials — android 8 edition
[PDF] android studio 3.2 development essentials
[PDF] android studio 3.2 development essentials android 9 edition
[PDF] android studio 3.2 development essentials android 9 edition pdf