[PDF] [PDF] Fixing Mobile AppSec The OWASP Mobile Security Testing Project

[PDF] Android application security testing checklist - Squarespace

Android application security testing checklist Codified we have created a mobile app security list for Android to assist you in the security testing process

[PDF] Mobile Application Security Testing - Deloitte

one-size-fits-all approach to mobile app security testing Performed in-depth mobile app security assessment for mobile apps (Android and iOS) that Formulated a comprehensive mobile app security checklist comprising 50+ security tests 

[PDF] Analysis of testing approaches to Android mobile application

plication vulnerabilities, including mobile applications for Android OS The fol- Keywords: mobile application, security assessment, security testing, Open Web Mobile App Security Checklist: A checklist for tracking compliance against the

[PDF] Fixing Mobile AppSec The OWASP Mobile Security Testing Project

•One of the project leaders for the OWASP Mobile Security Testing Guide (MSTG) and Mobile OWASP Mobile Application Security Verification Standard (MASVS ) • Started as a as an alternative https://github com/OWASP/owasp-mstg/tree/ master/Checklists •Focusing on iOS and Android native applications •Goal is to 

[PDF] Testing your App - Test and Verification Solution

Delivering tailored solutions for software testing and hardware Open Web Application Security Project • Top Ten Checklists • Android app testing check- list

[PDF] Introduction to Mobile Security Testing - German OWASP Day

OWASP Mobile Application Security Verification Standard Read it on GitBook Example: Android decompiled source code DESIGN a test plan, use MASVS

[PDF] Android application security testing checklist

Android application security testing checklist Writing secure mobile app code is difficult Competing expectations of innovative user interfaces, new operating 

[PDF] MOBILE APPLICATION SECURITY WITH OPEN-SOURCE TOOLS

Continued importance of Application Security Instances of web-application security issues which lead to breaches Android Security Test Cases This guideline also contains Security Development checklist and Third-party software  

[PDF] OWASP Mobile Security Testing Guide

Project specifically focusing on the security testing of Android and iOS devices Checklist and the Mobile Application Security Verification Standard (MASVS)

[PDF] Mobile Application Security Testing Initiative - Cloud Security Alliance

Mobile application development is more complicated than traditional software development and the stability in developing iOS or Android programs are uncertain 

[PDF] android application security testing guide part 1

[PDF] android application security testing guide part 2

[PDF] android application security testing guide part 3

[PDF] android application security testing guide series

[PDF] android best pdf maker app

[PDF] android book app maker pdf

[PDF] android cheat sheet

[PDF] android client server

[PDF] android client server communication example

[PDF] android concurrency pdf

[PDF] android cookbook 2019

[PDF] android create id in xml

[PDF] android database best practices pdf

[PDF] android design patterns and best practices

[PDF] android design patterns and best practices pdf

VANTAGEPOINT

Fixing Mobile

The OWASP Mobile Security Testing

Project

/usr/bin/whoami

Hi everyone my name is Sven.

Principal Security Consultant at Vantage Point Security

Based in Singapore, originally from Germany

Unix nerd since 1999

Professional Penetration tester since 2010

Security Architect for Web and Mobile Apps during SDLC One of the project leaders for the OWASP Mobile Security Testing Guide (MSTG)

Why Mobile Application Security?

Application

Attack Surface

It all started with Network &

Protecting the perimeter

Ensuring endpoints are

Network Security still plays

an important part

But, different skills are

Common Situation

Key Pain Points

development teams the development life cycle technologies

Impact

OWASP Mobile Security Project - Our ͞Products"

Mobile Security

Testing Guide

Printed Book!

Mobile AppSec

PDF Download

Mobile AppSec

Excel I

security https://github.com/OWASP/ OWASP Mobile Application Security Verification Standard (MASVS)

Started as a fork of the ASVS

Formalizes best practices

Mobile

OWASP Mobile Application Security Verification Standard (MASVS) Sample Question: Do we recommend using E2E encryption? OWASP Mobile Application Security Verification Standard (MASVS) Sample Question: Do we recommend using E2E encryption? Pros

Additional security layer

Protects data in case TLS tunnel

Protects data from exposure to

Introduces additional complexity

Implementation prone to errors

Adds security by obscurity

Makes testing difficult

False sense of security

Doesn't add much security beyond what

TLS already provides

OWASP Mobile Application Security Verification Standard (MASVS)

Our Philosophy

43

19 Defense

13 8 OWASP Mobile Application Security Verification Standard (MASVS) OWASP Mobile Application Security Verification Standard (MASVS)

MASVS all

OWASP Mobile Application Security Verification Standard (MASVS) MASVS OWASP Mobile Application Security Verification Standard (MASVS) MASVS (Optional) Tamper OWASP Mobile Application Security Verification Standard (MASVS)

Level 1 vs. Level 2

Might be overkill

for some apps! OWASP Mobile Application Security Verification Standard (MASVS)

Ok, so why are security

requirements so important?

To avoid this:

Pentesters

turning a report in... OWASP Mobile Application Security Verification Standard (MASVS) Ok, so why are security requirements so important? They enable you to build security into the app from the beginning They should be identified and defined already in the early stages of the SDLC Security requirements should be mapped to the user stories / journeys to address OWASP Mobile Application Security Verification Standard (MASVS) Goal:

Ok, so why are security

requirements so important? OWASP Mobile Application Security Verification Standard (MASVS)

How To Use the MASVS (as Developer)

What MASVS level (L1, L2, R) and requirements are appropriate for the app? Use the MASVS as starting point and extend it with custom requirements as needed All involved parties need to agree on the decisions made This is the basis for all design decisions and security activities Track the security requirements during development and implement them:

Ideally in your issue tracking (e.g. Jira)

Excel Checklist is available as an alternative

OWASP Mobile Application Security Verification Standard (MASVS)

How To Use the MASVS (as Security Tester)

Share the status of your security requirements with the Penetration Tester This will allow him to focus on specifically these security controls Makes testing more efficient, as things like SSL Pinning might be out of scope according to your decision and then it won't be raised as ǀulnerability Makes testing consistent and tester and developers are on the same page OWASP Mobile Security Testing Guide Standard (MSTG) What is the Mobile Application Security Testing Guide? Manual for testing security maturity of mobile Apps

Maps directly to the MASVS requirements

Focusing on iOS and Android native applications

Goal is to ensure completeness of mobile app security testing through a consistent For security checks of the endpoint the OWASP Web Application Testing Guide should be used OWASP Mobile Security Testing Guide Standard (MSTG)

Structure

Gitbook:

General Testing Guide

Android Testing Guide

iOS Testing Guide

Platform Overview

Security Testing Basics

Test Cases

Reverse Engineering

OWASP Mobile Security Testing Guide Standard (MSTG)

Example of some Key Topics

Clarify how data can be stored on iOS and Android

Check the usage of cryptographic functions

Testing Platform Interaction

App permissions

Verify usage of Interprocess communication (IPC)

Check the implementation of WebViews

Biometric Authentication (Touch ID)

OWASP Mobile Security Testing Guide Standard (MSTG)

MSTG -

Security Testers have no good

protection schemes

MSTG -

Developers and Pentesters are confused

lack of obfuscation" as a critical security issue.

MinifyEnabled = true?

Maybe encrypt strings?

Apply complex control flow obfuscation?

Maybe use some whitebox crypto?

We want to develop a proper assessment methodology.

MSTG -

Skills needed for assessing ant

1.

Every software protection scheme can be defeated.

Never to be used as replacement for security controls

Viable uses: IP

Traditional the domain of malware reversers

MSTG -

Building a reverse engineering requirements for free

Static and dynamic analysis

MSTG -

Tampering, patching and runtime instrumentation

MSTG -

MSTG -

Testing Anti

Root Detection

Anti

Detecting Reverse Engineering Tools

Emulator Detection / Anti

File and Memory Integrity Checks

Device Binding

Obfuscation

MSTG -

Some Original Research

Android ART: Anti

Frida Detection

Frida server detection by local portscan

Memory scan to detect Frida agent/gadget artefacts

Some variations of ptrace

See chapter ͞Testing Anti-Reǀersing Defenses" Also, see blog posts from Bernhard Mueller: http://goo.gl/hsU6bS

MSTG -

Practical Challenges!

Check out the "

MSTG -

Ongoing Work

Obfuscation Metrics

https://github.com/b

Assessment Methodology

https://github.com/OWASP/owasp

Reverse

Help is always needed!

MSTG

65 Contributors according to GitHub

https://github.com/OWASP/owasp Big Thanks to everybody that was already supporting the project! MSTG We are still looking for people to support the project. So how to get started contributing RTFM:

Slack:

Issues:

Resources

MASVS on GitHub

MSTG as GitBook

https://b

VANTAGEPOINT

Thank you. Any questions?

sven@vantagepoint.sg / sven.schleier@owasp.orgquotesdbs_dbs21.pdfusesText_27