OWASP for testing
mobile applications
Pawel Rzepa (pawel.rzepa@owasp.org)
OWASP Poland Day 2nd October 2017
Agenda
• OWASP MASVS: do we need new standards?
• OWASP MSTG: how exactly should mobile security be tested?
• Hacking Playground: where to practice?
• and some extras…
Who am I?
Security Consultant in
Top contributor in
Follow me @Rzepsky
Common myth…
All standards applicable to web apps are also applicable to mobile apps
Yyy… well… no
• Different distribution model
• Different threat model (e.g. evil maid attack)
• Sandboxing (e.g. no CSRF in mobile apps by design)
• Etc…
• Conclusion?
We need a different approach for mobile apps!
Mobile Application Security Verification
Standard to the rescue!
Mobile Application Security Verification
Standard
• Fork project of OWASP ASVS
• A standard of high-level security requirements for mobile
applications, divided into 8 sections:
– V1: Architecture, Design and Threat Modeling Requirements,
– V2: Data Storage and Privacy Requirements,
– V3: Cryptography Requirements,
– V4: Authentication and Session Management Requirements,
– V5: Network Communication Requirements,
– V6: Environmental Interaction Requirements,
– V7: Code Quality and Build Setting Requirements,
– V8: Resiliency Against Reverse Engineering Requirements
Example: Network Communication
Requirements
MASVS: Maturity levels
• MASVS-L1: Standard Security (all apps)
• MASVS-L2: Defense-in-Depth (handle
sensitive data)
• MASVS-R: Resiliency Against Reverse
Engineering and Tampering (protects
intellectual property and hinders
tampering)
MASVS: Verification types
• MASVS-L1 (e.g. social media app)
• MASVS-L1+R (e.g. mobile games)
• MASVS-L2 (e.g. healthcare app)
• MASVS-L2+R (e.g. banking apps)
MASVS for Business Analyst
"The app should be secure" (X) vs. "The app should be compliant with MASVS L2"
MASVS for Developers
MASVS for testers
OWASP MASVS: Project details
• Project repository:
https://itsssl.com/Of6gr
• Latest version in PDF:
https://itsssl.com/9uljU
How exactly should mobile security be tested?
• We need one comprehensive guide on how to test the
security of mobile apps
• Books and courses are cool, but they are not
comprehensive and may be outdated
OWASP MSTG to the rescue!!!
OWASP MSTG
• Detailed manual for testing the security of
mobile apps
• Includes a list of test cases, each of which
maps to a requirement in the MASVS
• Focused on Android & iOS
OWASP MSTG: Structure
OWASP MSTG: How to use it?
OWASP MSTG: Project details
• Official repo:
https://itsssl.com/zgGCh
• Readable GitBook format (always up to
date):
https://itsssl.com/PrLtg
• Want to contribute? Join the Slack group:
https://itsssl.com/6iIGR
We need practice!
• You have to see a vulnerability to be able
to find it in real applications
• Intentionally vulnerable applications usually
contain just a few vulnerabilities from the
OWASP Top 10
• You should practice a security testing
methodology BEFORE using it in
commercial work
OMTG Hacking Playground to the
rescue!
OMTG Hacking Playground
• Implements each vulnerability described in the
MSTG for educational purposes
• A developer can identify vulnerable code
and fix it using MSTG recommendations
• Pentesters can identify bad practices,
dangerous methods and classes they
should look for
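The bullets above say what a pentester goes looking for in the playground's source: bad practices, dangerous methods and classes. As an added example (this is not code from the OMTG Hacking Playground, the MSTG or the MASVS), here is a small Python pattern scanner that flags such API usage in Android source and manifest text and maps each hit to one of the MASVS sections listed earlier, including the Network Communication requirements mentioned on the example slide. The rule set, the section mapping, the `LeakyStorage`/`SafeStorage` Java snippets and the manifest fragment are all constructed for this example; the rules are heuristics to drive manual review, not a substitute for the MSTG test cases.

```python
"""Toy MASVS-oriented pattern scanner for Android source (added example)."""
import re
from dataclasses import dataclass

# Each rule is (MASVS section, regex). The mapping is this example's own
# choice and deliberately crude: every hit must be confirmed against the
# corresponding MSTG test case before it goes into a report.
RULES = [
    ("V2 Data Storage and Privacy", r"MODE_WORLD_READABLE|MODE_WORLD_WRITEABLE"),
    ("V2 Data Storage and Privacy", r"Log\.(d|v|i|w|e)\("),          # secrets in logcat
    ("V2 Data Storage and Privacy", r'android:allowBackup="true"'),
    ("V3 Cryptography", r"\bDES\b|ECB|MD5|SHA-?1\b"),                  # weak primitives/modes
    ("V5 Network Communication", r"ALLOW_ALL_HOSTNAME_VERIFIER|checkServerTrusted"),
    ("V5 Network Communication", r"http://"),                           # cleartext endpoint
    ("V6 Environmental Interaction", r"setJavaScriptEnabled\(\s*true\s*\)|addJavascriptInterface"),
    ("V7 Code Quality and Build Settings", r'android:debuggable="true"'),
]


@dataclass(frozen=True)
class Finding:
    section: str
    file: str
    line_no: int
    line: str


def scan_source(name: str, source: str) -> list[Finding]:
    """Return one Finding per (line, rule) match; '//' comment lines are skipped."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("//"):
            continue
        for section, pattern in RULES:
            if re.search(pattern, line):
                findings.append(Finding(section, name, line_no, stripped))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per MASVS section, which is how you would scope manual follow-up."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


# Constructed sample input: a Java class with the kind of mistakes the
# Hacking Playground is built to teach (not the playground's real code).
SAMPLE_JAVA = """\
package com.example.playground;

import android.util.Log;

public class LeakyStorage {
    static final String API = "http://api.example.com/login";

    void save(Context ctx, String token) {
        SharedPreferences p = ctx.getSharedPreferences("prefs", Context.MODE_WORLD_READABLE);
        p.edit().putString("token", token).apply();
        Log.d("Auth", "token=" + token);
    }

    Cipher cipher() throws Exception {
        return Cipher.getInstance("AES/ECB/PKCS5Padding");
    }

    void trustEverything() {
        HttpsURLConnection.setDefaultHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
    }

    void web(WebView view) {
        // Needed for the hybrid screen; see V6 in MASVS
        view.getSettings().setJavaScriptEnabled(true);
    }
}
"""

# Constructed hardened counterpart: same functionality, none of the patterns.
HARDENED_JAVA = """\
public class SafeStorage {
    static final String API = "https://api.example.com/login";

    void save(Context ctx, String token) {
        SharedPreferences p = ctx.getSharedPreferences("prefs", Context.MODE_PRIVATE);
        p.edit().putString("token", token).apply();
    }

    Cipher cipher() throws Exception {
        return Cipher.getInstance("AES/GCM/NoPadding");
    }
}
"""

# Constructed manifest fragment: build-setting and backup flags live here, not in Java.
SAMPLE_MANIFEST = """\
<application android:debuggable="true" android:allowBackup="true">
</application>
"""

if __name__ == "__main__":
    for name, src in [("LeakyStorage.java", SAMPLE_JAVA),
                      ("SafeStorage.java", HARDENED_JAVA),
                      ("AndroidManifest.xml", SAMPLE_MANIFEST)]:
        hits = scan_source(name, src)
        print(f"{name}: {summarize(hits)}")
        for h in hits:
            print(f"  [{h.section}] line {h.line_no}: {h.line}")
```

Running the script against the constructed inputs reports six hits for `LeakyStorage.java` (two each under V2 and V5, one each under V3 and V6), two for the manifest and none for `SafeStorage.java`. A real assessment would run this over decompiled sources (for example from a jadx or apktool output directory) and then treat each hit as a pointer into the matching MSTG test case rather than as a confirmed vulnerability.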
Hacking Playground: What does it look like?
Hacking Playground: current state
• So far only an Android app
• Implements 20 test cases
• Just clone the repo and open it in Android
Studio
• All required dependencies can be installed
from Android Studio
Hacking Playground: project details
• Official repo:
https://itsssl.com/1oV8u
• Description of implemented test cases:
https://itsssl.com/p7542
Extras
• List of great mobile vulnerable apps and CTFs:
https://itsssl.com/BSBD0
• Mobile vulnerability scanner:
• QARK: https://itsssl.com/2JcoV
• MobSF: https://itsssl.com/RxYmG
• Tools:
• For testing Android apps: https://itsssl.com/Ff8Eb
• For testing iOS apps: https://itsssl.com/TcFiL
Summary
• You can find high level security requirements in
OWASP Mobile Application Security Verification
Standard
• You can find a detailed guide to security testing
methodology in the OWASP Mobile Security Testing
Guide
• You can practice security testing skills on the
intentionally vulnerable OMTG Hacking Playground
• You are more than welcome to contribute to any of
the above-mentioned projects
Contact me: pawel.rzepa@owasp.org