Prathan Phongthiproek
Mobile Security Team, OWASP Jump-Start the MASVS presentation at MiSSxTalks Special Aug 25, 2018
Content is available under Creative Commons Attribution-ShareAlike unless otherwise noted.
What is a mobile app?
Attack Surface on Web/Mobile Application
Attack Surface on Mobile Application
OWASP Mobile Security Project: Top 10 Mobile Risks (M1 to M10), Mobile Security Testing Guide (MSTG) and Mobile AppSec Verification (MASVS)

Top 10 x MSTG x MASVS: each Top 10 risk, the MSTG chapter(s) that test for it, and the MASVS requirement category that covers it

Top 10 Mobile Risk | Mobile Security Testing Guide (MSTG) | Mobile AppSec Verification (MASVS)
M1. Improper Platform Usage | Platform APIs; Data Storage | V6: Environmental Interaction Requirements
M2. Insecure Data Storage | Data Storage | V2: Data Storage and Privacy Requirements
M3. Insecure Communication | Network APIs | V5: Network Communication Requirements
M4. Insecure Authentication | Local Authentication | V4: Authentication and Session Management Requirements
M5. Insufficient Cryptography | Cryptographic APIs | V3: Cryptography Requirements
M6. Insecure Authorization | - | V4: Authentication and Session Management Requirements
M7. Client Code Quality | Code Quality and Build Settings; Platform APIs | V7: Code Quality and Build Setting Requirements
M8. Code Tampering | Tampering and Reverse Engineering | V8: Resiliency Against Reverse Engineering Requirements
M9. Reverse Engineering | Tampering and Reverse Engineering; Anti-Reversing Defenses | V8: Resiliency Against Reverse Engineering Requirements
M10. Extraneous Functionality | Code Quality and Build Settings | V1: Architecture, Design and Threat Modeling Requirements
OWASP MASVS
https://github.com/OWASP/owasp-masvs
The MASVS Levels
L1 - Standard Security
• Follows security best practices
• Appropriate for all mobile apps
L2 - Defense-in-Depth
• Well-defined security model and added controls
• Appropriate for apps that handle sensitive data
R - Resiliency Against Reverse Engineering and Tampering
• Adds client-side protection (e.g. against tampering and reverse engineering)
• Optional protective layer for intellectual property and data

The MASVS Verification Types
L1: All mobile apps. MASVS-L1 lists security best practices that can be followed with a reasonable impact on development cost and user experience.
L2: Health-care industry: mobile apps that store personally identifiable information that can be used for identity theft or a variety of fraud schemes. Financial industry: apps that enable access to highly sensitive information like credit card
L1+R: Game industry: games with an essential need to prevent modding and cheating, such as competitive online games.
L2+R: Financial industry: online banking apps that allow the user to move funds, where techniques such as code injection and instrumentation on compromised devices pose a risk.
The Verification Requirements
V1: Architecture, Design and Threat Modeling
V2: Data Storage and Privacy
V3: Cryptography
V4: Authentication and Session Management
V5: Network Communication
V6: Platform Interaction
V7: Code Quality and Build Setting
V8: Resilience
1. Architecture, Design and Threat Modeling
V1: Requirements
Related Information
o OWASP Mobile Top 10: M10 - Extraneous Functionality
o OWASP Security Architecture Cheat Sheet
o OWASP Threat Modeling
o OWASP Secure SDLC Cheat Sheet
o Microsoft SDL
o NIST SP 800-57
2. Data Storage and Privacy
V2: Requirements
Example 2.1: System credential storage facilities are used appropriately to store sensitive data, such as PII, user credentials or cryptographic keys
Example 2.7: No sensitive data, such as passwords or PINs, is exposed through the user interface
Example 2.8: No sensitive data is included in backups generated by the mobile operating system
Example 2.9: The app removes sensitive data from views when backgrounded
Related Information
o OWASP Mobile Top 10: M2 - Insecure Data Storage
o OWASP Mobile Security Testing Guide for Android and iOS - Testing Data Storage
3. Cryptography
V3: Requirements
Example 3.1: The app does not rely on symmetric cryptography with hardcoded keys as a sole method of encryption
Related Information
o OWASP Mobile Top 10: M5 - Insufficient Cryptography
o OWASP Mobile Security Testing Guide for Android and iOS - Testing Cryptography
o OWASP Cryptographic Storage Cheat Sheet
o OWASP Password Storage Cheat Sheet
Recommended primitives, for example:
• Key exchange: Diffie–Hellman key exchange with minimum 2048 bits
• Message integrity: HMAC-SHA2
• Message hash: SHA2 256 bits
• Asymmetric encryption: RSA 2048 bits
• Symmetric-key algorithm: AES 256 bits
• Password hashing: Argon2, PBKDF2, scrypt, bcrypt
4. Authentication and Session Management
V4: Requirements
Example 4.1: If the app provides users access to a remote service, some form of authentication, such as username/password authentication, is performed at the remote endpoint [DEMO]
Example 4.4: The remote endpoint terminates the existing session when the user logs out
Example 4.7: Biometric authentication, if any, is not event-bound (i.e. using an API that simply returns "true" or "false"). Instead, it is based on unlocking the keychain/keystore. [DEMO]
Example 4.10: Sensitive transactions require step-up authentication
Related Information
o OWASP Mobile Top 10: M4 - Insecure Authentication
o OWASP Mobile Top 10: M6 - Insecure Authorization
o OWASP Mobile Security Testing Guide for Android and iOS - Testing Authentication and Session Management
o OWASP Authentication Cheat Sheet
o OWASP Session Management Cheat Sheet
o OWASP Transaction Authorization Cheat Sheet
o OWASP Access Control Cheat Sheet
5. Network Communication
V5: Requirements
Example 5.3 (SSL/TLS): The app verifies the X.509 certificate of the remote endpoint when the secure channel is established. Only certificates signed by a trusted CA are accepted
Example 5.4 (SSL/TLS): The app either uses its own certificate store, or pins the endpoint certificate or public key, and subsequently does not establish connections with endpoints that offer a different certificate or key, even if signed by a trusted CA
Related Information
o OWASP Mobile Top 10: M3 - Insecure Communication
o OWASP Mobile Security Testing Guide for Android and iOS - Testing Network Communication
o OWASP Transport Layer Protection Cheat Sheet
o OWASP Certificate Pinning Cheat Sheet
6. Platform Interaction
V6: Requirements
Example 6.4: The app does not export sensitive functionality through IPC facilities, unless these mechanisms are properly protected [DEMO]
Example 6.5: JavaScript is disabled in WebViews unless explicitly required
Related Information
o OWASP Mobile Top 10: M1 - Improper Platform Usage
o OWASP Mobile Security Testing Guide for Android and iOS - Testing Platform Interaction
7. Code Quality and Build Setting
V7: Requirements
Example 7.2: The app has been built in release mode, with settings appropriate for a release build (e.g. non-debuggable)
Example 7.4: Debugging code has been removed, and the app does not log verbose errors or debugging messages [DEMO]
Related Information
o OWASP Mobile Top 10: M7 - Client Code Quality
o OWASP Mobile Security Testing Guide for Android and iOS - Testing Code Quality and Build Settings
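Several of the requirements above (2.8 on backups, 6.4 on exported IPC components, 7.2 on non-debuggable release builds) can be checked statically from an Android app's manifest before any dynamic testing. The script below is an added example written for this page; it is not code from the slides or from the OWASP MASVS/MSTG projects. The two manifests, the package name and the component names are constructed for the example, and the requirement IDs follow the numbering used in the slides. It parses a weak manifest and a hardened variant of the same app and reports which requirements each one fails.

```python
"""Static AndroidManifest.xml checks for MASVS 2.8, 6.4 and 7.2 (added example, not project code)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed sample: a debuggable build with backups left on and two unprotected IPC entry points.
WEAK_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.masvsdemo">
  <application android:allowBackup="true" android:debuggable="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".TransferActivity" android:exported="true"/>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.masvsdemo.permission.SYNC"/>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <provider android:name=".DataProvider" android:exported="false"
              android:authorities="com.example.masvsdemo.data"/>
  </application>
</manifest>
"""

# Constructed hardened variant of the same app: backups off, no debuggable flag,
# the transfer screen internal-only, the boot receiver removed.
HARDENED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.masvsdemo">
  <application android:allowBackup="false">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".TransferActivity" android:exported="false"/>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.masvsdemo.permission.SYNC"/>
    <provider android:name=".DataProvider" android:exported="false"
              android:authorities="com.example.masvsdemo.data"/>
  </application>
</manifest>
"""


def android_attr(elem, name):
    """Read an attribute from the android: namespace (None if absent)."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def flag_is_true(value, default):
    """Interpret a boolean manifest attribute, falling back to the platform default."""
    return default if value is None else value.strip().lower() == "true"


def has_launcher_filter(component):
    """True for the app's launcher activity, which is legitimately public."""
    for intent_filter in component.findall("intent-filter"):
        for category in intent_filter.findall("category"):
            if android_attr(category, "name") == "android.intent.category.LAUNCHER":
                return True
    return False


def is_exported(component):
    """Effective exported state. Without an explicit android:exported, a component that
    declares an intent-filter is exported by default (the pre-Android 12 rule); the check
    treats such components as exported because that is how older platforms expose them."""
    explicit = android_attr(component, "exported")
    if explicit is not None:
        return explicit.strip().lower() == "true"
    return component.find("intent-filter") is not None


def check_manifest(xml_text):
    """Return (requirement, location, message) tuples, one per failed check."""
    findings = []
    app = ET.fromstring(xml_text).find("application")
    if app is None:
        return findings
    # MASVS 7.2: release builds must not be debuggable (platform default is false).
    if flag_is_true(android_attr(app, "debuggable"), default=False):
        findings.append(("MASVS-7.2", "<application>", 'android:debuggable="true": not a release-mode build'))
    # MASVS 2.8: allowBackup defaults to true, so app data ends up in OS backups unless disabled.
    if flag_is_true(android_attr(app, "allowBackup"), default=True):
        findings.append(("MASVS-2.8", "<application>", "android:allowBackup not set to false: app data is included in OS backups"))
    # MASVS 6.4: every exported IPC component needs a protecting permission, except the launcher.
    for tag in COMPONENT_TAGS:
        for comp in app.findall(tag):
            if not is_exported(comp):
                continue
            if android_attr(comp, "permission"):
                continue  # exported, but callers must hold the declared permission
            if tag == "activity" and has_launcher_filter(comp):
                continue  # the launcher entry point is meant to be public
            location = "<%s %s>" % (tag, android_attr(comp, "name"))
            findings.append(("MASVS-6.4", location, "exported IPC component without android:permission"))
    return findings


if __name__ == "__main__":
    for label, manifest in (("weak", WEAK_MANIFEST), ("hardened", HARDENED_MANIFEST)):
        print(label + ":")
        for req, where, msg in check_manifest(manifest) or [("-", "-", "no findings")]:
            print("  %s %s: %s" % (req, where, msg))
```

On the weak manifest the script reports the debuggable flag (7.2), the backup default (2.8), and two unprotected components (6.4): TransferActivity, which is explicitly exported, and BootReceiver, which is exported only implicitly through its intent filter. SyncService is exported but guarded by a permission and MainActivity is the launcher, so neither is reported; the hardened manifest produces no findings. The manifest should be taken from the built APK (after merging and obfuscation) rather than from source, since build-time merging can re-introduce exported components.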
8. Resilience
V8: Requirements (continued over two slides)
Related Information
o OWASP Mobile Top 10: M8 - Code Tampering
o OWASP Mobile Top 10: M9 - Reverse Engineering
o OWASP Mobile Security Testing Guide for Android and iOS - Testing Resiliency Against Reverse Engineering
o OWASP Reverse Engineering Threats
o OWASP Reverse Engineering and Code Modification Prevention

References
• OWASP Securing the SDLC (Jim Manico)
• OWASP Geneva-Chapter Meeting (Jeremy Matos)
• OWASP Mobile Top 10 Deep-Dive (Prathan Phongthiproek)
• https://github.com/OWASP/owasp-masvs