https://wiki.owasp.org/api.php?action=feedcontributions&feedformat=atom&user=Bernhard+MuellerOWASP - User contributions [en]2026-05-16T23:39:30ZUser contributionsMediaWiki 1.27.2https://wiki.owasp.org/index.php?title=OWASP_Mobile_Security_Testing_Guide&diff=236583OWASP Mobile Security Testing Guide2018-01-04T03:29:24Z<p>Bernhard Mueller: /* I contributed to the original Google Doc, but I'm not credited in the new version of the MSTG? */</p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_MSTG_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==Our Vision ==<br />
<br />
=== '''"Define the industry standard for mobile application security."''' ===<br />
<br />
We are writing a security standard for mobile apps and a comprehensive testing guide that covers the processes, techniques, and tools used during a mobile app security test, as well as an exhaustive set of test cases that enables testers to deliver consistent and complete results.<br />
<br />
== Early-Access Ebook ==<br />
<br />
{| cellpadding="5"<br />
|-<br />
| [[File:Early-access-mini.jpg|link=https://leanpub.com/mobile-security-testing-guide]]<br />
| '''Mobile Security Testing Guide - Early Access'''<br />
The early access edition contains sample chapters with content on mobile security testing and reverse engineering. Feel free to download it for $0 or contribute any amount you like. All funds raised through sales of this book go directly into the project budget and will be used to fund production of the final release.<br />
|}<br />
<br />
== Main Deliverables ==<br />
<br />
{| cellpadding="5"<br />
|-<br />
| [[File:mstg-mini-3.jpg|link=https://www.github.com/OWASP/owasp-mstg/]]<br />
| '''Mobile Security Testing Guide'''<br />
A comprehensive guide for iOS and Android mobile security testers with the following content:<br />
# Mobile platform internals<br />
# Security testing in the mobile app development lifecycle<br />
# Basic static and dynamic security testing<br />
# Mobile app reverse engineering and tampering<br />
# Assessing software protections<br />
# Detailed test cases that map to the requirements in the MASVS.<br />
The MSTG is a work-in-progress. Currently, we hope to be "feature-complete" in Q3 2017. You can contribute and comment in the [https://github.com/OWASP/owasp-mstg GitHub Repo]. A book version of the current master branch is available on [https://b-mueller.gitbooks.io/the-owasp-mobile-security-testing-guide/content/ Gitbook].<br />
|-<br />
| [[File:masvs-sample-mini.jpg|link=https://www.owasp.org/images/6/61/MASVS_v0.9.4.pdf]]<br />
| '''Mobile App Security Requirements and Verification'''<br />
The [https://www.owasp.org/images/6/61/MASVS_v0.9.4.pdf OWASP Mobile Application Security Verification Standard (MASVS)] is a standard for mobile app security. It can be used by mobile software architects and developers seeking to develop secure mobile applications, as well as security testers to ensure completeness and consistency of test results. The latest release is [https://www.owasp.org/images/6/61/MASVS_v0.9.4.pdf version 0.9.4].<br />
|-<br />
| [[File:checklist.jpg|link=https://www.owasp.org/images/1/1b/Mobile_App_Security_Checklist_0.9.3.xlsx]]<br />
| '''Mobile App Security Checklist'''<br />
A checklist for use in security assessments. Also contains links to the MSTG test case for each requirement. The current release is [https://www.owasp.org/images/1/1b/Mobile_App_Security_Checklist_0.9.3.xlsx version 0.9.3].<br />
|}<br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Breakers]] <br />
[[Category:OWASP_Document]]<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="center" width="50%" | [[File:Owasp-breakers-small.png|link=https://www.owasp.org/index.php/Breakers]]<br />
|<br />
|-<br />
| align="center" valign="center" width="50%" | <br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
== Project Leaders ==<br />
<br />
<span style="color:#ff0000">[https://www.owasp.org/index.php/User:Sven_Schleier Sven Schleier]<br />
<br />
== Road Map ==<br />
<br />
* Q3 2017: Beta release<br />
* Q4 2017: Version 1.0<br />
* Q1 2018: Produce A Printable Book<br />
<br />
== Presentations ==<br />
* OWASP Day Indonesia 2017 - Fixing Mobile AppSec, 09.09.017<br />
* Confidence (Krakow, Poland) - Pawel Rzepa - Testing Mobile Applications <br />
* OWASP AppSec EU 2017 - [http://sched.co/A66j Fixing Mobile AppSec] - [https://2017.appsec.eu/presos/Developer/Fixing%20Mobile%20AppSec%20The%20OWASP%20Mobile%20Project-%20Bernhard%20Mueller%20and%20Sven%20Schleier%20-%20OWASP_AppSec-Eu_2017.pdf Slides], [https://www.youtube.com/watch?v=THJVzf-u7Iw Video] <br />
<br />
== Parent Project ==<br />
<br />
[[OWASP_Mobile_Security_Project]]<br />
<br />
==Licensing==<br />
<br />
The guide is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
|}<br />
<br />
=How-To=<br />
<br />
== Using the OWASP Mobile App Security Verification Standard, Testing Guide and Checklist ==<br />
<br />
The documents produced in this project cover many aspects of mobile application security, from the high-level requirements to the nitty-gritty implementation details and test cases. They can be used to plan and verify security controls during any phase of mobile app development, as well as during pre-release code review and penetration testing.<br />
<br />
# The [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf Mobile Application Security Verification Standard (MASVS)] contains generic security requirements along with mappings to verification levels that can be chosen depending on the overall need for security.<br />
# The [https://github.com/OWASP/owasp-mstg Mobile Security Testing Guide (MSTG)] provides verification instructions for each requirement in the MASVS, as well as security best practices for apps on each supported mobile operating system (currently Android and iOS). It is also useful as a standalone learning resource and reference guide for mobile application security testers.<br />
# The [https://www.owasp.org/images/6/6f/Mobile_App_Security_Checklist_0.9.2.xlsx Mobile App Security Checklist] can be used to apply the MASVS requirements during practical assessments. It also conveniently links to the MSTG test case for each requirement, making mobile penetration testing a breeze.<br />
<br />
It is important to note that the security standard, testing guide and checklists are closely related: They all map to the same basic set of requirements. Depending on the context, the documents can be used stand-alone or in combination to achieve different objectives.<br />
<br />
[[File:Overview-800px.jpg]]<br />
<br />
For example, the MASVS requirements may be used in the planning and architecture design stages, while the checklist and testing guide may serve as a baseline for manual security testing or as a template for automated security tests.<br />
<br />
== Mobile App Security Testing ==<br />
<br />
The [https://www.owasp.org/images/9/94/Mobile_App_Security_Verification_Checklist_0.8.2.xlsx checklist] works great as a reference during mobile app security assessments. You can walk through the requirements one-by-one - for more information on each requirement, simply click on the link in the "Testing procedures" column. Or, fill out the checklist at the end of an assessment to ensure completeness. <br />
<br />
== Security Engineering in the SDLC ==<br />
<br />
Properly defined security requirements are an important part of the Secure SDLC. The [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf MASVS] levels can be used along with threat modeling to determine the appropriate set of security controls for a particular mobile app. MASVS V1 also lists requirements pertaining to the architecture and design of the mobile apps, as well as general processes and activities that should be part of the development process.<br />
<br />
== Mobile App Security Education ==<br />
<br />
The [https://github.com/OWASP/owasp-mstg Mobile Security Testing Guide] can be used as a standalone learning resource. Its main chapters contain general how-tos and tutorials that cover a variety of topics from mobile OS internals to advanced reverse engineering techniques.<br />
<br />
= Sponsorship Packages =<br />
With the Mobile Security Testing Guide sponsorship packages, we offer companies opportunities to create brand awareness and maximize visibility in the mobile security space. A limited amount of sponsorship packages will be made available shortly through our crowdfunding campaign. <br />
<br />
The following packages will be available (or [[:File:MSTG-Sponsor-Packages.pdf|download as PDF]] ):<br />
<br />
=== Good Samaritan (USD 500) ===<br />
* Listed as supporter on the project website and GitHub<br />
* Listed as supporter in the printed and ebook versions<br />
* 5 Paperback Books<br />
<br />
=== Honourable Benefactor (USD 2,000 / 9 Available) ===<br />
* Small company logo in the “Honourable Benefactors” section on project website and Github<br />
* Small company logo on the sponsors page of the printed and ebook versions<br />
* 10 Paperback Books<br />
<br />
=== God Mode Sponsor (USD 4,000 / 5 Available) ===<br />
* Large company logo in the “God mode sponsors” section on project website and Github<br />
* Large company logo on the sponsors page of the printed and ebook versions<br />
* 20 Paperback Books<br />
<br />
== Pre-book a package ==<br />
Contact [mailto:sven.schleier@owasp.org Sven Schleier] to reserve your slot. We will contact you as soon as the packages become available.<br />
<br />
==Why Sponsors?==<br />
<br />
As it turns out, writing a book to a professional standard is a challenging task, even more so if there's 50+ authors that aren't necessarily native speakers. Also, professional editors, graphic designers and layouters don't work for free. Thus, some funds are needed to make the tech book a reality.<br />
<br />
100% of the funds raised go directly into the project budget and will be used to fund production of the final release, including:<br />
<br />
* Editing and proofreading by professional editors<br />
* Graphic design and layout<br />
* Purchase an ISBN<br />
<br />
Any leftover funds will be donated to the OWASP Foundation to the mobile security project for future use.<br />
<br />
=News=<br />
<br />
== September 14th, 2017: Mobile App Security Verification Standard Update ==<br />
<br />
[https://www.owasp.org/images/6/61/MASVS_v0.9.4.pdf Version 0.9.4] of the MASVS is now [https://www.owasp.org/images/6/61/MASVS_v0.9.4.pdf available for download] . This release contains several bug fixes and modifications to security requirements.<br />
<br />
== July 5th, 2017: Sponsorship Packages Announced == <br />
<br />
We are happy to announce that a limited amount of [[:File:MSTG-Sponsor-Packages.pdf|sponsorship packages]] will be made available shortly through our crowdfunding campaign. With these packages, we offer companies opportunities to create brand awareness and maximize visibility in the mobile security space. 100% of the funds raised go directly into the project budget and will be used to fund production of the final release.<br />
<br />
== June 17th, 2017: The OWASP Mobile Security Testing Guide - Summit Preview ==<br />
<br />
The MSTG Summit Preview is an experimental proof-of-concept book created on the OWASP Summit 2017 in London. The goal was to improve the authoring process and book deployment pipeline, as well as to demonstrate the viability of the project. Note that the content is not final and will likely change significantly in subsequent releases.<br />
<br />
Download the ebook [https://github.com/OWASP/owasp-mstg/releases/download/1.0/owasp-mstg-summit-edition.epub here].<br />
<br />
== Mobile Security Testing Workshop on the OWASP Summit 2017 ==<br />
<br />
The OWASP MSTG team is organizing a 5-days mobile security track on the OWASP Summit 2017. The track consists of a series of book sprints, each of which focuses on producing content for a specific section in the OWASP MSTG, as well as proof-reading and editing the existing content. The goal is to make as much progress on the guide as is humanly possible. Depending on the number of participants, we’ll split into sub-groups to work on different subsections or topic areas.<br />
<br />
=== How to Join ===<br />
<br />
Join up for the working session(s) you like by following the link(s) on the [http://owaspsummit.org/Working-Sessions/Mobile-Security/ mobile security track page], then hitting the "Edit this page here" link at the bottom, and adding yourself to the "participants" field. Signing up is not mandatory, but helps us to better organize the sessions. Don’t worry though if your session of choice happens on the "wrong" day - you can always simply stop by and we’ll brief you on your topic of choice. After all, this is the Woodstock of appsec!<br />
<br />
Mobile security track main page:<br />
<br />
http://owaspsummit.org/Working-Sessions/Mobile-Security/<br />
<br />
Mobile security track schedule:<br />
<br />
http://owaspsummit.org/schedule/tracks/Mobile-Security.html/<br />
<br />
== April 5th, 2017: Mobile App Security Verification Standard Update ==<br />
<br />
[https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf Version 0.9.3] of the MASVS is now [https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf available for download] . This release contains several bug fixes and modifications to security requirements:<br />
<br />
* Merged requirements 7.8 and 7.9 into for simplification<br />
* Removed Anti-RE controls 8.1 and 8.2<br />
* Updated MSTG links to current master<br />
* Section "Environmental Interaction" renamed to "Platform Interaction"<br />
* Removed To-dos<br />
* Fixed some wording & spelling issues<br />
<br />
== January 31st, 2017: Mobile App Security Verification Standard v0.9.2 Available For Download ==<br />
<br />
The Mobile App Security Verification Standard (MASVS) has undergone a major revision, including a re-design of the security model and verification levels. We also revised many security requirements to address the multitude of [https://github.com/OWASP/owasp-masvs/issues?q=is%3Aissue%20 issues raised on GitHub]. The result is MASVS v0.9.2, which is now [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf available for download in PDF format].<br />
<br />
As the MASVS is nearing maturity, we have decided to freeze the requirements until the Mobile Testing Guide and checklists "catch up" (due to the one-to-one mapping between requirements in the MASVS and MSTG, changes to the requirements make it necessary to update the other documents as well, causing repeated effort). Unless major issues pop up, the current list will therefore remain in place until MASVS/MSTG v1.0, and further changes will be reserved for v1.1 or later releases.<br />
<br />
The MASVS is a community effort to establish security requirements for designing, developing and testing secure mobile apps on iOS and Android. Join the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel] to meet the project members! You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
== January 28th, 2017: Mobile Crackmes and Reversing Tutorials ==<br />
{| cellpadding="5"<br />
|-<br />
| [[File:uncrackable-250.png|link=]]<br />
| <br />
A key goal of the OWASP Mobile Testing Project is to build the ultimate learning resource and reference guide for mobile app reversers. As hands-on hacking is by far the best way to learn, we'd like to link most of the content to practical examples. <br />
<br />
Starting now, we'll be adding [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes crackmes for Android and iOS] to the [https://github.com/OWASP/owasp-mstg GitHub repo] that will then be used as examples throughout the guide. The goal is to collect enough resources for demonstrating the most important tools and techniques in our guide, plus additional crackmes for practicing. For starters there are three challenges:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/OMTG-Files/02_Crackmes/01_Android/01_License_Validation Android License Validator]<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes/iOS/Level_01/ Uncrackable App for iOS Level 1]<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes/iOS/Level_02/ Uncrackable App for iOS Level 2]<br />
<br />
|}<br />
<br />
One of these three already has a [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md#symbolicexec documented solution] in the guide. Tutorials for solving the other two [https://github.com/OWASP/owasp-mstg/blob/master/OMTG-Files/02_Crackmes/List_of_Crackmes.md still need to be added].<br />
<br />
=== We Need More Authors and Contributors! ===<br />
<br />
Maybe you have noticed that [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html the reverse engineering sections in the Mobile Testing Guide are incomplete]. The reason: We're still in the starting stages and don't have a lot of authors and contributors (in fact, 99% of the reversing content was produced by one guy). We'd love to welcome *you* as a contributor of crackmes, tutorials, writeups, or simply new ideas for this project. <br />
<br />
==== What You Can Do ====<br />
<br />
The OWASP MSTG is an open project and there's a lot of flexibility - it mostly depends on your skill set and willingness to commit your time. That said, the some areas that need help are:<br />
<br />
* Solving crackmes and contributing a tutorial to the guide (preferable a technique that's not already documented. Check the [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html TOC] first).<br />
* Writing and adding new crackmes along with solutions (should also describe something not already in the guide. Cracking white-boxes, dynamic analysis using an emulator / introspection, etc. etc.).<br />
* General reversing write-ups to describe specific processes and techniques<br />
* Help us figure out [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x07b-Assessing_Software_Protections.md resiliency testing processes] and [https://github.com/b-mueller/obfuscation-metrics obfuscation metrics]<br />
<br />
The reversing part of the guide consists of the following chapters:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05-Testing-Processes-and-Techniques.md#tampering-and-reverse-engineering Tampering and Reverse Engineering - General Overview]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md#tampering-and-reverse-engineering-on-android Tampering and Reverse Engineering on Android]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Reverse-Engineering-and-Tampering-iOS.md#tampering-and-reverse-engineering-on-ios Tampering and Reverse Engineering on iOS]<br />
<br />
==== How To Join ====<br />
<br />
Read the [https://github.com/OWASP/owasp-mstg/blob/master/authors_guide.md author's guide] first, and join the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel], where you'll find all the other project members. You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
== January 22nd, 2017: Mobile Testing Guide TOC Available ==<br />
<br />
As of now, we'll be auto-generating a [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html table of contents] out of the current MSTG master branch. This reflects the current state of the guide, and should make it easier to coordinate work between authors. A short-term goal is to finalize the structure of the guide so we get a clearer picture of what will be included in the final document. Lead authors are encouraged to complete the outline of their respective chapters. <br />
<br />
'''On another note, we still need additional authors to help with all sections of the guide, including mobile operating system overviews, testing processes and techniques, and reverse engineering.''' Especially iOS authors are in short supply! As usual, ping us on the [https://owasp.slack.com/messages/project-mobile_omtg/details/ Slack Channel] if you want to contribute.<br />
<br />
== December 4th, 2016: Call For Authors: The Ultimate Open-Source Mobile App Reverse Engineering Guide ==<br />
<br />
Reverse engineering is an art, and describing every available facet of it would fill a whole library. The sheer range techniques and possible specializations is mind-blowing: One can spend years working on a very specific, isolated sub-problem, such as automating malware analysis or developing novel de-obfuscation methods. For mobile app security testers, it can be challenging to filter through the vast amount of information and build a working methodology. Things become even more problematic when one is tasked to assess apps that are heavily obfuscated and have anti-tampering measures built in.<br />
<br />
One of the main goals in the MSTG is to build the ultimate resource for mobile reverse engineers. This includes not only basic static and dynamic analysis, but also advanced de-obfuscation, scripting and automation. Obviously, writing all this content is a lot of work, both in terms of general content and OS-specific how-tos. We're therefore looking for talented authors that want to join the project early on. Topics include the following:<br />
<br />
* Basic Hybrid Static/Dynamic Analysis<br />
* Code Injection and Dynamic Instrumentation (Substrate, FRIDA)<br />
* Dynamic Binary Instrumentation (Valgrind, PIE)<br />
* Analysis Frameworks (Metasm / Miasm)<br />
* Symbolic Execution<br />
* DCA and DPA attacks on white-box crypto<br />
* Dynamic analysis frameworks (PANDA / DroidScope,...)<br />
* Anything else we might have missed<br />
<br />
=== What is in for me? ===<br />
<br />
All of this is unpaid, volunteer work. However, depending on your contribution, you will be named in the "lead authors" or "contributors" list, and you'll be able to point to the fact that you co-authored the guide. You'll also be contributing to the field, helping others who are just starting out, and in turn becoming a happier person yourself (reaping the full benefits of your altruism).<br />
<br />
=== Where do I sign up? ===<br />
<br />
First of all, have a look at the existing RE chapters outline:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05-Testing-Processes-and-Techniques.md#tampering-and-reverse-engineering Generic / Introduction]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md Android]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Reverse-Engineering-and-Tampering-iOS.md#tampering-and-reverse-engineering-on-ios iOS]<br />
<br />
You'll probably immediately have ideas on how you can contribute. If that's the case, read the [https://github.com/OWASP/owasp-mstg/blob/master/authors_guide.md author's guide] first. <br />
<br />
Then contact [https://github.com/b-mueller Bernhard Mueller] - ideally directly on the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel], where you'll find all the other project members. You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
=FAQs=<br />
<br />
==How can I participate in your project?==<br />
<br />
'''We are searching for additional authors, reviewers and editors.''' The best way to get started is to browse the [https://b-mueller.gitbooks.io/owasp-mobile-security-testing-guide/content/ existing content]. Also, check the [https://github.com/OWASP/owasp-mstg/projects/1 project dashboard] for a list of open tasks.<br />
<br />
Drop a us line on the [https://owasp.slack.com/messages/project-mobile_omtg/details/) Slack channel] before you start working on a topic. This helps us to keep track of what everyone is doing and prevent conflicts. You can create a Slack account here:<br />
<br />
http://owasp.herokuapp.com/<br />
<br />
Before you start contributing, please read our brief [https://github.com/OWASP/owasp-mstg/blob/master/style_guide.md style guide] which contains a few basic writing rules.<br />
<br />
If there's something you really want to see in the guide, or you want to suggest an improvement, create an issue [https://github.com/OWASP/owasp-mstg/issues issue] or ping us on [https://owasp.slack.com/messages/project-mobile_omtg/details/ Slack].<br />
<br />
==Where do you guys need help the most?==<br />
<br />
There's a lot of areas where you can help out:<br />
<br />
* Writing original content, such as describing testing processes and writing test cases. We're all doing this in our spare time, which unfortunately means that things sometimes slow down to a crawl. If you're knowledgeable in some area and have time available, we'd be incredibly thankful to anyone who contributes, even if it's only one or two test cases.<br />
<br />
* Reviewing content and giving feedback. The proper channel for questions and feedback is the GitHub issues system of the respective repo, contacting us on [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel] is another possibility.<br />
<br />
* Developing tools. For example, we still don't have an automated way of generating checklists out of the GitHub repo.<br />
<br />
* Contributing to auxiliary projects: The [https://github.com/b-mueller/obfuscation-metrics obfuscation metrics project] is an auxiliary project that deals with specific forms of control flow and data obfuscation. This project needs experts in advanced obfuscation / de-obfuscation. Please contact us if you have experience in this area.<br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator.<br />
<br />
==I contributed to the original Google Doc, but I'm not credited in the new version of the MSTG? ==<br />
As we migrated some of the existing content, we did our best to backtrack the original authors and credit them appropriately. We also added a [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x02-Frontispiece.md revision history] that lists all the authors from old Google Docs. If you are not on that list but feel you should be, please contact [https://github.com/sushi2k Sven] and he'll fix it. Or better yet, re-join the author's team and start contributing to the new guide.<br />
<br />
= Acknowledgements =<br />
<br />
== Acknowledgments ==<br />
<br />
=== Authors ===<br />
<br />
====Bernhard Mueller ====<br />
<br />
Bernhard is a cyber security specialist with a talent in hacking all kinds of systems. During more than a decade in the industry, he has published many zero-day exploits for software such as MS SQL Server, Adobe Flash Player, IBM Director, Cisco VOIP and ModSecurity. If you can name it, he has probably broken it at least once. His pioneering work in mobile security was commended with a BlackHat "Best Research" Pwnie Award.<br />
<br />
==== Sven Schleier ====<br />
<br />
Sven is an experienced penetration tester and security architect who specialized in implementing secure SDLC for web application, iOS and Android apps. He is a project leader for the OWASP Mobile Security Testing Guide and the creator of OWASP Mobile Hacking Playground. Sven also supports the community with free hands-on workshops on web and mobile app security testing. He has published several security advisories and a white papers about a range of security topics.<br />
<br />
=== Co-Authors ===<br />
<br />
==== Romuald Szkudlarek ====<br />
<br />
Romuald is a passionate cyber security & privacy professional with over 15 years of experience in the Web, Mobile, IoT and Cloud domains. During his career, he has been dedicating spare time to a variery of projects with the goal of advancing the sectors of software and security. He is also teaching at various institutions. He holds CISSP, CSSLP and CEH credentials.<br />
<br />
==== Jeroen Willemsen ====<br />
<br />
Jeroen is a full-stack developer specialized in IT security at Xebia with a passion for mobile and risk management. He loves to explain things: starting as a teacher teaching PHP to bachelor students and then move along explaining security, risk management and programming issues to anyone willing to listen and learn.<br />
<br />
=== Top Contributors ===<br />
<br />
* Francesco Stillavato<br />
* Pawel Rzepa<br />
* Andreas Happe<br />
* Henry Hoggard<br />
* Wen Bin Kong<br />
* Abdessamad Temmar<br />
* Alexander Anthuk<br />
* Slawomir Kosowski<br />
* Bolot Kerimbaev<br />
<br />
=== Contributors ===<br />
<br />
Jin Kung Ong, Gerhard Wagner, Andreas Happe, Wen Bin Kong, Michael Helwig, Jeroen Willemsen, Denis Pilipchuk, Ryan Teoh, Dharshin De Silva, Anita Diamond, Daniel Ramirez Martin, Claudio André, Enrico Verzegnassi, Prathan Phongthiproek, Tom Welch, Luander Ribeiro, Oguzhan Topgul, Carlos Holguera, David Fern, Pishu Mahtani, Anuruddha<br />
<br />
=== Reviewers ===<br />
<br />
* Anant Shrivastava<br />
* Sjoerd Langkemper<br />
<br />
=== Others ===<br />
<br />
The full list of contributors, including those with less than 50 additions logged, is available on [https://github.com/OWASP/owasp-mstg/graphs/contributors GitHub].<br />
<br />
=== Old Version - MSTG "Beta" on Google Drive ===<br />
<br />
The Mobile Security Testing Guide was initiated by [https://www.owasp.org/index.php/User:Milan_Singh_Thakur Milan Singh Thakur] in 2015. The original document was hosted on Google Drive.<br />
<br />
'''Authors:'''<br />
<br />
Mirza Ali, Stephen Corbiaux, Ryan Dewhurst, Mohammad Hamed Dadpour, David Fern, Ali Yazdani, Bao Lee, Anto Joseph, Nutan Kumar Panda, Rahil Parikh, Julian Schütte, Abhinav Sejpal, Anant Shrivastava, Pragati Singh, Milan Singh Thakur, Stephanie Vanroelen, Gerhard Wagner<br />
<br />
'''Reviewers:'''<br />
<br />
Andrew Muller, Jonathan Carter, Stephanie Vanroelen, Milan Singh Thakur<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs></headertabs> <br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Builders]] <br />
[[Category:OWASP_Defenders]] <br />
[[Category:OWASP_Document]]</div>Bernhard Muellerhttps://wiki.owasp.org/index.php?title=OWASP_Mobile_Security_Testing_Guide&diff=236582OWASP Mobile Security Testing Guide2018-01-04T03:28:48Z<p>Bernhard Mueller: </p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_MSTG_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==Our Vision ==<br />
<br />
=== '''"Define the industry standard for mobile application security."''' ===<br />
<br />
We are writing a security standard for mobile apps and a comprehensive testing guide that covers the processes, techniques, and tools used during a mobile app security test, as well as an exhaustive set of test cases that enables testers to deliver consistent and complete results.<br />
<br />
== Early-Access Ebook ==<br />
<br />
{| cellpadding="5"<br />
|-<br />
| [[File:Early-access-mini.jpg|link=https://leanpub.com/mobile-security-testing-guide]]<br />
| '''Mobile Security Testing Guide - Early Access'''<br />
The early access edition contains sample chapters with content on mobile security testing and reverse engineering. Feel free to download it for $0 or contribute any amount you like. All funds raised through sales of this book go directly into the project budget and will be used to fund production of the final release.<br />
|}<br />
<br />
== Main Deliverables ==<br />
<br />
{| cellpadding="5"<br />
|-<br />
| [[File:mstg-mini-3.jpg|link=https://www.github.com/OWASP/owasp-mstg/]]<br />
| '''Mobile Security Testing Guide'''<br />
A comprehensive guide for iOS and Android mobile security testers with the following content:<br />
# Mobile platform internals<br />
# Security testing in the mobile app development lifecycle<br />
# Basic static and dynamic security testing<br />
# Mobile app reverse engineering and tampering<br />
# Assessing software protections<br />
# Detailed test cases that map to the requirements in the MASVS.<br />
The MSTG is a work-in-progress. Currently, we hope to be "feature-complete" in Q3 2017. You can contribute and comment in the [https://github.com/OWASP/owasp-mstg GitHub Repo]. A book version of the current master branch is available on [https://b-mueller.gitbooks.io/the-owasp-mobile-security-testing-guide/content/ Gitbook].<br />
|-<br />
| [[File:masvs-sample-mini.jpg|link=https://www.owasp.org/images/6/61/MASVS_v0.9.4.pdf]]<br />
| '''Mobile App Security Requirements and Verification'''<br />
The [https://www.owasp.org/images/6/61/MASVS_v0.9.4.pdf OWASP Mobile Application Security Verification Standard (MASVS)] is a standard for mobile app security. It can be used by mobile software architects and developers seeking to develop secure mobile applications, as well as security testers to ensure completeness and consistency of test results. The latest release is [https://www.owasp.org/images/6/61/MASVS_v0.9.4.pdf version 0.9.4].<br />
|-<br />
| [[File:checklist.jpg|link=https://www.owasp.org/images/1/1b/Mobile_App_Security_Checklist_0.9.3.xlsx]]<br />
| '''Mobile App Security Checklist'''<br />
A checklist for use in security assessments. Also contains links to the MSTG test case for each requirement. The current release is [https://www.owasp.org/images/1/1b/Mobile_App_Security_Checklist_0.9.3.xlsx version 0.9.3].<br />
|}<br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Breakers]] <br />
[[Category:OWASP_Document]]<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="center" width="50%" | [[File:Owasp-breakers-small.png|link=https://www.owasp.org/index.php/Breakers]]<br />
|<br />
|-<br />
| align="center" valign="center" width="50%" | <br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
== Project Leaders ==<br />
<br />
<span style="color:#ff0000">[https://www.owasp.org/index.php/User:Sven_Schleier Sven Schleier]<br />
<br />
== Road Map ==<br />
<br />
* Q3 2017: Beta release<br />
* Q4 2017: Version 1.0<br />
* Q1 2018: Produce A Printable Book<br />
<br />
== Presentations ==<br />
* OWASP Day Indonesia 2017 - Fixing Mobile AppSec, 09.09.017<br />
* Confidence (Krakow, Poland) - Pawel Rzepa - Testing Mobile Applications <br />
* OWASP AppSec EU 2017 - [http://sched.co/A66j Fixing Mobile AppSec] - [https://2017.appsec.eu/presos/Developer/Fixing%20Mobile%20AppSec%20The%20OWASP%20Mobile%20Project-%20Bernhard%20Mueller%20and%20Sven%20Schleier%20-%20OWASP_AppSec-Eu_2017.pdf Slides], [https://www.youtube.com/watch?v=THJVzf-u7Iw Video] <br />
<br />
== Parent Project ==<br />
<br />
[[OWASP_Mobile_Security_Project]]<br />
<br />
==Licensing==<br />
<br />
The guide is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
|}<br />
<br />
=How-To=<br />
<br />
== Using the OWASP Mobile App Security Verification Standard, Testing Guide and Checklist ==<br />
<br />
The documents produced in this project cover many aspects of mobile application security, from the high-level requirements to the nitty-gritty implementation details and test cases. They can be used to plan and verify security controls during any phase of mobile app development, as well as during pre-release code review and penetration testing.<br />
<br />
# The [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf Mobile Application Security Verification Standard (MASVS)] contains generic security requirements along with mappings to verification levels that can be chosen depending on the overall need for security.<br />
# The [https://github.com/OWASP/owasp-mstg Mobile Security Testing Guide (MSTG)] provides verification instructions for each requirement in the MASVS, as well as security best practices for apps on each supported mobile operating system (currently Android and iOS). It is also useful as a standalone learning resource and reference guide for mobile application security testers.<br />
# The [https://www.owasp.org/images/6/6f/Mobile_App_Security_Checklist_0.9.2.xlsx Mobile App Security Checklist] can be used to apply the MASVS requirements during practical assessments. It also conveniently links to the MSTG test case for each requirement, making mobile penetration testing a breeze.<br />
<br />
It is important to note that the security standard, testing guide and checklists are closely related: They all map to the same basic set of requirements. Depending on the context, the documents can be used stand-alone or in combination to achieve different objectives.<br />
<br />
[[File:Overview-800px.jpg]]<br />
<br />
For example, the MASVS requirements may be used in the planning and architecture design stages, while the checklist and testing guide may serve as a baseline for manual security testing or as a template for automated security tests.<br />
<br />
== Mobile App Security Testing ==<br />
<br />
The [https://www.owasp.org/images/9/94/Mobile_App_Security_Verification_Checklist_0.8.2.xlsx checklist] works great as a reference during mobile app security assessments. You can walk through the requirements one-by-one - for more information on each requirement, simply click on the link in the "Testing procedures" column. Or, fill out the checklist at the end of an assessment to ensure completeness. <br />
<br />
== Security Engineering in the SDLC ==<br />
<br />
Properly defined security requirements are an important part of the Secure SDLC. The [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf MASVS] levels can be used along with threat modeling to determine the appropriate set of security controls for a particular mobile app. MASVS V1 also lists requirements pertaining to the architecture and design of the mobile apps, as well as general processes and activities that should be part of the development process.<br />
<br />
== Mobile App Security Education ==<br />
<br />
The [https://github.com/OWASP/owasp-mstg Mobile Security Testing Guide] can be used as a standalone learning resource. Its main chapters contain general how-tos and tutorials that cover a variety of topics from mobile OS internals to advanced reverse engineering techniques.<br />
<br />
= Sponsorship Packages =<br />
With the Mobile Security Testing Guide sponsorship packages, we offer companies opportunities to create brand awareness and maximize visibility in the mobile security space. A limited amount of sponsorship packages will be made available shortly through our crowdfunding campaign. <br />
<br />
The following packages will be available (or [[:File:MSTG-Sponsor-Packages.pdf|download as PDF]] ):<br />
<br />
=== Good Samaritan (USD 500) ===<br />
* Listed as supporter on the project website and GitHub<br />
* Listed as supporter in the printed and ebook versions<br />
* 5 Paperback Books<br />
<br />
=== Honourable Benefactor (USD 2,000 / 9 Available) ===<br />
* Small company logo in the “Honourable Benefactors” section on project website and Github<br />
* Small company logo on the sponsors page of the printed and ebook versions<br />
* 10 Paperback Books<br />
<br />
=== God Mode Sponsor (USD 4,000 / 5 Available) ===<br />
* Large company logo in the “God mode sponsors” section on project website and Github<br />
* Large company logo on the sponsors page of the printed and ebook versions<br />
* 20 Paperback Books<br />
<br />
== Pre-book a package ==<br />
Contact [mailto:sven.schleier@owasp.org Sven Schleier] to reserve your slot. We will contact you as soon as the packages become available.<br />
<br />
==Why Sponsors?==<br />
<br />
As it turns out, writing a book to a professional standard is a challenging task, even more so if there's 50+ authors that aren't necessarily native speakers. Also, professional editors, graphic designers and layouters don't work for free. Thus, some funds are needed to make the tech book a reality.<br />
<br />
100% of the funds raised go directly into the project budget and will be used to fund production of the final release, including:<br />
<br />
* Editing and proofreading by professional editors<br />
* Graphic design and layout<br />
* Purchase an ISBN<br />
<br />
Any leftover funds will be donated to the OWASP Foundation to the mobile security project for future use.<br />
<br />
=News=<br />
<br />
== September 14th, 2017: Mobile App Security Verification Standard Update ==<br />
<br />
[https://www.owasp.org/images/6/61/MASVS_v0.9.4.pdf Version 0.9.4] of the MASVS is now [https://www.owasp.org/images/6/61/MASVS_v0.9.4.pdf available for download] . This release contains several bug fixes and modifications to security requirements.<br />
<br />
== July 5th, 2017: Sponsorship Packages Announced == <br />
<br />
We are happy to announce that a limited amount of [[:File:MSTG-Sponsor-Packages.pdf|sponsorship packages]] will be made available shortly through our crowdfunding campaign. With these packages, we offer companies opportunities to create brand awareness and maximize visibility in the mobile security space. 100% of the funds raised go directly into the project budget and will be used to fund production of the final release.<br />
<br />
== June 17th, 2017: The OWASP Mobile Security Testing Guide - Summit Preview ==<br />
<br />
The MSTG Summit Preview is an experimental proof-of-concept book created on the OWASP Summit 2017 in London. The goal was to improve the authoring process and book deployment pipeline, as well as to demonstrate the viability of the project. Note that the content is not final and will likely change significantly in subsequent releases.<br />
<br />
Download the ebook [https://github.com/OWASP/owasp-mstg/releases/download/1.0/owasp-mstg-summit-edition.epub here].<br />
<br />
== Mobile Security Testing Workshop on the OWASP Summit 2017 ==<br />
<br />
The OWASP MSTG team is organizing a 5-days mobile security track on the OWASP Summit 2017. The track consists of a series of book sprints, each of which focuses on producing content for a specific section in the OWASP MSTG, as well as proof-reading and editing the existing content. The goal is to make as much progress on the guide as is humanly possible. Depending on the number of participants, we’ll split into sub-groups to work on different subsections or topic areas.<br />
<br />
=== How to Join ===<br />
<br />
Join up for the working session(s) you like by following the link(s) on the [http://owaspsummit.org/Working-Sessions/Mobile-Security/ mobile security track page], then hitting the "Edit this page here" link at the bottom, and adding yourself to the "participants" field. Signing up is not mandatory, but helps us to better organize the sessions. Don’t worry though if your session of choice happens on the "wrong" day - you can always simply stop by and we’ll brief you on your topic of choice. After all, this is the Woodstock of appsec!<br />
<br />
Mobile security track main page:<br />
<br />
http://owaspsummit.org/Working-Sessions/Mobile-Security/<br />
<br />
Mobile security track schedule:<br />
<br />
http://owaspsummit.org/schedule/tracks/Mobile-Security.html/<br />
<br />
== April 5th, 2017: Mobile App Security Verification Standard Update ==<br />
<br />
[https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf Version 0.9.3] of the MASVS is now [https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf available for download] . This release contains several bug fixes and modifications to security requirements:<br />
<br />
* Merged requirements 7.8 and 7.9 into for simplification<br />
* Removed Anti-RE controls 8.1 and 8.2<br />
* Updated MSTG links to current master<br />
* Section "Environmental Interaction" renamed to "Platform Interaction"<br />
* Removed To-dos<br />
* Fixed some wording & spelling issues<br />
<br />
== January 31st, 2017: Mobile App Security Verification Standard v0.9.2 Available For Download ==<br />
<br />
The Mobile App Security Verification Standard (MASVS) has undergone a major revision, including a re-design of the security model and verification levels. We also revised many security requirements to address the multitude of [https://github.com/OWASP/owasp-masvs/issues?q=is%3Aissue%20 issues raised on GitHub]. The result is MASVS v0.9.2, which is now [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf available for download in PDF format].<br />
<br />
As the MASVS is nearing maturity, we have decided to freeze the requirements until the Mobile Testing Guide and checklists "catch up" (due to the one-to-one mapping between requirements in the MASVS and MSTG, changes to the requirements make it necessary to update the other documents as well, causing repeated effort). Unless major issues pop up, the current list will therefore remain in place until MASVS/MSTG v1.0, and further changes will be reserved for v1.1 or later releases.<br />
<br />
The MASVS is a community effort to establish security requirements for designing, developing and testing secure mobile apps on iOS and Android. Join the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel] to meet the project members! You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
== January 28th, 2017: Mobile Crackmes and Reversing Tutorials ==<br />
{| cellpadding="5"<br />
|-<br />
| [[File:uncrackable-250.png|link=]]<br />
| <br />
A key goal of the OWASP Mobile Testing Project is to build the ultimate learning resource and reference guide for mobile app reversers. As hands-on hacking is by far the best way to learn, we'd like to link most of the content to practical examples. <br />
<br />
Starting now, we'll be adding [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes crackmes for Android and iOS] to the [https://github.com/OWASP/owasp-mstg GitHub repo] that will then be used as examples throughout the guide. The goal is to collect enough resources for demonstrating the most important tools and techniques in our guide, plus additional crackmes for practicing. For starters there are three challenges:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/OMTG-Files/02_Crackmes/01_Android/01_License_Validation Android License Validator]<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes/iOS/Level_01/ Uncrackable App for iOS Level 1]<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes/iOS/Level_02/ Uncrackable App for iOS Level 2]<br />
<br />
|}<br />
<br />
One of these three already has a [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md#symbolicexec documented solution] in the guide. Tutorials for solving the other two [https://github.com/OWASP/owasp-mstg/blob/master/OMTG-Files/02_Crackmes/List_of_Crackmes.md still need to be added].<br />
<br />
=== We Need More Authors and Contributors! ===<br />
<br />
Maybe you have noticed that [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html the reverse engineering sections in the Mobile Testing Guide are incomplete]. The reason: We're still in the starting stages and don't have a lot of authors and contributors (in fact, 99% of the reversing content was produced by one guy). We'd love to welcome *you* as a contributor of crackmes, tutorials, writeups, or simply new ideas for this project. <br />
<br />
==== What You Can Do ====<br />
<br />
The OWASP MSTG is an open project and there's a lot of flexibility - it mostly depends on your skill set and willingness to commit your time. That said, the some areas that need help are:<br />
<br />
* Solving crackmes and contributing a tutorial to the guide (preferable a technique that's not already documented. Check the [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html TOC] first).<br />
* Writing and adding new crackmes along with solutions (should also describe something not already in the guide. Cracking white-boxes, dynamic analysis using an emulator / introspection, etc. etc.).<br />
* General reversing write-ups to describe specific processes and techniques<br />
* Help us figure out [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x07b-Assessing_Software_Protections.md resiliency testing processes] and [https://github.com/b-mueller/obfuscation-metrics obfuscation metrics]<br />
<br />
The reversing part of the guide consists of the following chapters:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05-Testing-Processes-and-Techniques.md#tampering-and-reverse-engineering Tampering and Reverse Engineering - General Overview]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md#tampering-and-reverse-engineering-on-android Tampering and Reverse Engineering on Android]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Reverse-Engineering-and-Tampering-iOS.md#tampering-and-reverse-engineering-on-ios Tampering and Reverse Engineering on iOS]<br />
<br />
==== How To Join ====<br />
<br />
Read the [https://github.com/OWASP/owasp-mstg/blob/master/authors_guide.md author's guide] first, and join the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel], where you'll find all the other project members. You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
== January 22nd, 2017: Mobile Testing Guide TOC Available ==<br />
<br />
As of now, we'll be auto-generating a [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html table of contents] out of the current MSTG master branch. This reflects the current state of the guide, and should make it easier to coordinate work between authors. A short-term goal is to finalize the structure of the guide so we get a clearer picture of what will be included in the final document. Lead authors are encouraged to complete the outline of their respective chapters. <br />
<br />
'''On another note, we still need additional authors to help with all sections of the guide, including mobile operating system overviews, testing processes and techniques, and reverse engineering.''' Especially iOS authors are in short supply! As usual, ping us on the [https://owasp.slack.com/messages/project-mobile_omtg/details/ Slack Channel] if you want to contribute.<br />
<br />
== December 4th, 2016: Call For Authors: The Ultimate Open-Source Mobile App Reverse Engineering Guide ==<br />
<br />
Reverse engineering is an art, and describing every available facet of it would fill a whole library. The sheer range techniques and possible specializations is mind-blowing: One can spend years working on a very specific, isolated sub-problem, such as automating malware analysis or developing novel de-obfuscation methods. For mobile app security testers, it can be challenging to filter through the vast amount of information and build a working methodology. Things become even more problematic when one is tasked to assess apps that are heavily obfuscated and have anti-tampering measures built in.<br />
<br />
One of the main goals in the MSTG is to build the ultimate resource for mobile reverse engineers. This includes not only basic static and dynamic analysis, but also advanced de-obfuscation, scripting and automation. Obviously, writing all this content is a lot of work, both in terms of general content and OS-specific how-tos. We're therefore looking for talented authors that want to join the project early on. Topics include the following:<br />
<br />
* Basic Hybrid Static/Dynamic Analysis<br />
* Code Injection and Dynamic Instrumentation (Substrate, FRIDA)<br />
* Dynamic Binary Instrumentation (Valgrind, PIE)<br />
* Analysis Frameworks (Metasm / Miasm)<br />
* Symbolic Execution<br />
* DCA and DPA attacks on white-box crypto<br />
* Dynamic analysis frameworks (PANDA / DroidScope,...)<br />
* Anything else we might have missed<br />
<br />
=== What is in for me? ===<br />
<br />
All of this is unpaid, volunteer work. However, depending on your contribution, you will be named in the "lead authors" or "contributors" list, and you'll be able to point to the fact that you co-authored the guide. You'll also be contributing to the field, helping others who are just starting out, and in turn becoming a happier person yourself (reaping the full benefits of your altruism).<br />
<br />
=== Where do I sign up? ===<br />
<br />
First of all, have a look at the existing RE chapters outline:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05-Testing-Processes-and-Techniques.md#tampering-and-reverse-engineering Generic / Introduction]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md Android]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Reverse-Engineering-and-Tampering-iOS.md#tampering-and-reverse-engineering-on-ios iOS]<br />
<br />
You'll probably immediately have ideas on how you can contribute. If that's the case, read the [https://github.com/OWASP/owasp-mstg/blob/master/authors_guide.md author's guide] first. <br />
<br />
Then contact [https://github.com/b-mueller Bernhard Mueller] - ideally directly on the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel], where you'll find all the other project members. You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
=FAQs=<br />
<br />
==How can I participate in your project?==<br />
<br />
'''We are searching for additional authors, reviewers and editors.''' The best way to get started is to browse the [https://b-mueller.gitbooks.io/owasp-mobile-security-testing-guide/content/ existing content]. Also, check the [https://github.com/OWASP/owasp-mstg/projects/1 project dashboard] for a list of open tasks.<br />
<br />
Drop a us line on the [https://owasp.slack.com/messages/project-mobile_omtg/details/) Slack channel] before you start working on a topic. This helps us to keep track of what everyone is doing and prevent conflicts. You can create a Slack account here:<br />
<br />
http://owasp.herokuapp.com/<br />
<br />
Before you start contributing, please read our brief [https://github.com/OWASP/owasp-mstg/blob/master/style_guide.md style guide] which contains a few basic writing rules.<br />
<br />
If there's something you really want to see in the guide, or you want to suggest an improvement, create an issue [https://github.com/OWASP/owasp-mstg/issues issue] or ping us on [https://owasp.slack.com/messages/project-mobile_omtg/details/ Slack].<br />
<br />
==Where do you guys need help the most?==<br />
<br />
There's a lot of areas where you can help out:<br />
<br />
* Writing original content, such as describing testing processes and writing test cases. We're all doing this in our spare time, which unfortunately means that things sometimes slow down to a crawl. If you're knowledgeable in some area and have time available, we'd be incredibly thankful to anyone who contributes, even if it's only one or two test cases.<br />
<br />
* Reviewing content and giving feedback. The proper channel for questions and feedback is the GitHub issues system of the respective repo, contacting us on [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel] is another possibility.<br />
<br />
* Developing tools. For example, we still don't have an automated way of generating checklists out of the GitHub repo.<br />
<br />
* Contributing to auxiliary projects: The [https://github.com/b-mueller/obfuscation-metrics obfuscation metrics project] is an auxiliary project that deals with specific forms of control flow and data obfuscation. This project needs experts in advanced obfuscation / de-obfuscation. Please contact us if you have experience in this area.<br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator.<br />
<br />
==I contributed to the original Google Doc, but I'm not credited in the new version of the MSTG? ==<br />
As we migrated some of the existing content, we did our best to backtrack the original authors and credit them appropriately. We also added a [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x02-Frontispiece.md revision history] that lists all the authors from old Google Docs. If you are not on that list but feel you should be, please contact [https://github.com/b-mueller Bernhard] or [https://github.com/sushi2k Sven] and they'll fix it. Or better yet, re-join the author's team and start contributing to the new guide.<br />
<br />
= Acknowledgements =<br />
<br />
== Acknowledgments ==<br />
<br />
=== Authors ===<br />
<br />
====Bernhard Mueller ====<br />
<br />
Bernhard is a cyber security specialist with a talent in hacking all kinds of systems. During more than a decade in the industry, he has published many zero-day exploits for software such as MS SQL Server, Adobe Flash Player, IBM Director, Cisco VOIP and ModSecurity. If you can name it, he has probably broken it at least once. His pioneering work in mobile security was commended with a BlackHat "Best Research" Pwnie Award.<br />
<br />
==== Sven Schleier ====<br />
<br />
Sven is an experienced penetration tester and security architect who specialized in implementing secure SDLC for web application, iOS and Android apps. He is a project leader for the OWASP Mobile Security Testing Guide and the creator of OWASP Mobile Hacking Playground. Sven also supports the community with free hands-on workshops on web and mobile app security testing. He has published several security advisories and a white papers about a range of security topics.<br />
<br />
=== Co-Authors ===<br />
<br />
==== Romuald Szkudlarek ====<br />
<br />
Romuald is a passionate cyber security & privacy professional with over 15 years of experience in the Web, Mobile, IoT and Cloud domains. During his career, he has been dedicating spare time to a variery of projects with the goal of advancing the sectors of software and security. He is also teaching at various institutions. He holds CISSP, CSSLP and CEH credentials.<br />
<br />
==== Jeroen Willemsen ====<br />
<br />
Jeroen is a full-stack developer specialized in IT security at Xebia with a passion for mobile and risk management. He loves to explain things: starting as a teacher teaching PHP to bachelor students and then move along explaining security, risk management and programming issues to anyone willing to listen and learn.<br />
<br />
=== Top Contributors ===<br />
<br />
* Francesco Stillavato<br />
* Pawel Rzepa<br />
* Andreas Happe<br />
* Henry Hoggard<br />
* Wen Bin Kong<br />
* Abdessamad Temmar<br />
* Alexander Anthuk<br />
* Slawomir Kosowski<br />
* Bolot Kerimbaev<br />
<br />
=== Contributors ===<br />
<br />
Jin Kung Ong, Gerhard Wagner, Andreas Happe, Wen Bin Kong, Michael Helwig, Jeroen Willemsen, Denis Pilipchuk, Ryan Teoh, Dharshin De Silva, Anita Diamond, Daniel Ramirez Martin, Claudio André, Enrico Verzegnassi, Prathan Phongthiproek, Tom Welch, Luander Ribeiro, Oguzhan Topgul, Carlos Holguera, David Fern, Pishu Mahtani, Anuruddha<br />
<br />
=== Reviewers ===<br />
<br />
* Anant Shrivastava<br />
* Sjoerd Langkemper<br />
<br />
=== Others ===<br />
<br />
The full list of contributors, including those with less than 50 additions logged, is available on [https://github.com/OWASP/owasp-mstg/graphs/contributors GitHub].<br />
<br />
=== Old Version - MSTG "Beta" on Google Drive ===<br />
<br />
The Mobile Security Testing Guide was initiated by [https://www.owasp.org/index.php/User:Milan_Singh_Thakur Milan Singh Thakur] in 2015. The original document was hosted on Google Drive.<br />
<br />
'''Authors:'''<br />
<br />
Mirza Ali, Stephen Corbiaux, Ryan Dewhurst, Mohammad Hamed Dadpour, David Fern, Ali Yazdani, Bao Lee, Anto Joseph, Nutan Kumar Panda, Rahil Parikh, Julian Schütte, Abhinav Sejpal, Anant Shrivastava, Pragati Singh, Milan Singh Thakur, Stephanie Vanroelen, Gerhard Wagner<br />
<br />
'''Reviewers:'''<br />
<br />
Andrew Muller, Jonathan Carter, Stephanie Vanroelen, Milan Singh Thakur<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs></headertabs> <br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Builders]] <br />
[[Category:OWASP_Defenders]] <br />
[[Category:OWASP_Document]]</div>Bernhard Muellerhttps://wiki.owasp.org/index.php?title=OWASP_Mobile_Security_Testing_Guide&diff=236581OWASP Mobile Security Testing Guide2018-01-04T03:24:00Z<p>Bernhard Mueller: /* Classifications */</p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_MSTG_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==Our Vision ==<br />
<br />
=== '''"Define the industry standard for mobile application security."''' ===<br />
<br />
We are writing a security standard for mobile apps and a comprehensive testing guide that covers the processes, techniques, and tools used during a mobile app security test, as well as an exhaustive set of test cases that enables testers to deliver consistent and complete results.<br />
<br />
== Early-Access Ebook ==<br />
<br />
{| cellpadding="5"<br />
|-<br />
| [[File:Early-access-mini.jpg|link=https://leanpub.com/mobile-security-testing-guide]]<br />
| '''Mobile Security Testing Guide - Early Access'''<br />
The early access edition contains sample chapters with content on mobile security testing and reverse engineering. Feel free to download it for $0 or contribute any amount you like. All funds raised through sales of this book go directly into the project budget and will be used to fund production of the final release.<br />
|}<br />
<br />
== Main Deliverables ==<br />
<br />
{| cellpadding="5"<br />
|-<br />
| [[File:mstg-mini-3.jpg|link=https://www.github.com/OWASP/owasp-mstg/]]<br />
| '''Mobile Security Testing Guide'''<br />
A comprehensive guide for iOS and Android mobile security testers with the following content:<br />
# Mobile platform internals<br />
# Security testing in the mobile app development lifecycle<br />
# Basic static and dynamic security testing<br />
# Mobile app reverse engineering and tampering<br />
# Assessing software protections<br />
# Detailed test cases that map to the requirements in the MASVS.<br />
The MSTG is a work-in-progress. Currently, we hope to be "feature-complete" in Q3 2017. You can contribute and comment in the [https://github.com/OWASP/owasp-mstg GitHub Repo]. A book version of the current master branch is available on [https://b-mueller.gitbooks.io/the-owasp-mobile-security-testing-guide/content/ Gitbook].<br />
|-<br />
| [[File:masvs-sample-mini.jpg|link=https://www.owasp.org/images/6/61/MASVS_v0.9.4.pdf]]<br />
| '''Mobile App Security Requirements and Verification'''<br />
The [https://www.owasp.org/images/6/61/MASVS_v0.9.4.pdf OWASP Mobile Application Security Verification Standard (MASVS)] is a standard for mobile app security. It can be used by mobile software architects and developers seeking to develop secure mobile applications, as well as security testers to ensure completeness and consistency of test results. The latest release is [https://www.owasp.org/images/6/61/MASVS_v0.9.4.pdf version 0.9.4].<br />
|-<br />
| [[File:checklist.jpg|link=https://www.owasp.org/images/1/1b/Mobile_App_Security_Checklist_0.9.3.xlsx]]<br />
| '''Mobile App Security Checklist'''<br />
A checklist for use in security assessments. Also contains links to the MSTG test case for each requirement. The current release is [https://www.owasp.org/images/1/1b/Mobile_App_Security_Checklist_0.9.3.xlsx version 0.9.3].<br />
|}<br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Breakers]] <br />
[[Category:OWASP_Document]]<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="center" width="50%" | [[File:Owasp-breakers-small.png|link=https://www.owasp.org/index.php/Breakers]]<br />
|<br />
|-<br />
| align="center" valign="center" width="50%" | <br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
== Project Leaders ==<br />
<br />
<span style="color:#ff0000">[https://www.owasp.org/index.php/User:Sven_Schleier Sven Schleier]<br />
<br />
== Road Map ==<br />
<br />
* Q3 2017: Beta release<br />
* Q4 2017: Version 1.0<br />
* Q1 2018: Produce A Printable Book<br />
<br />
== Presentations ==<br />
* OWASP Day Indonesia 2017 - Fixing Mobile AppSec, 09.09.017<br />
* Confidence (Krakow, Poland) - Pawel Rzepa - Testing Mobile Applications <br />
* OWASP AppSec EU 2017 - [http://sched.co/A66j Fixing Mobile AppSec] - [https://2017.appsec.eu/presos/Developer/Fixing%20Mobile%20AppSec%20The%20OWASP%20Mobile%20Project-%20Bernhard%20Mueller%20and%20Sven%20Schleier%20-%20OWASP_AppSec-Eu_2017.pdf Slides], [https://www.youtube.com/watch?v=THJVzf-u7Iw Video] <br />
<br />
== Parent Project ==<br />
<br />
[[OWASP_Mobile_Security_Project]]<br />
<br />
==Licensing==<br />
<br />
The guide is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
|}<br />
<br />
=How-To=<br />
<br />
== Using the OWASP Mobile App Security Verification Standard, Testing Guide and Checklist ==<br />
<br />
The documents produced in this project cover many aspects of mobile application security, from the high-level requirements to the nitty-gritty implementation details and test cases. They can be used to plan and verify security controls during any phase of mobile app development, as well as during pre-release code review and penetration testing.<br />
<br />
# The [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf Mobile Application Security Verification Standard (MASVS)] contains generic security requirements along with mappings to verification levels that can be chosen depending on the overall need for security.<br />
# The [https://github.com/OWASP/owasp-mstg Mobile Security Testing Guide (MSTG)] provides verification instructions for each requirement in the MASVS, as well as security best practices for apps on each supported mobile operating system (currently Android and iOS). It is also useful as a standalone learning resource and reference guide for mobile application security testers.<br />
# The [https://www.owasp.org/images/6/6f/Mobile_App_Security_Checklist_0.9.2.xlsx Mobile App Security Checklist] can be used to apply the MASVS requirements during practical assessments. It also conveniently links to the MSTG test case for each requirement, making mobile penetration testing a breeze.<br />
<br />
It is important to note that the security standard, testing guide and checklists are closely related: They all map to the same basic set of requirements. Depending on the context, the documents can be used stand-alone or in combination to achieve different objectives.<br />
<br />
[[File:Overview-800px.jpg]]<br />
<br />
For example, the MASVS requirements may be used in the planning and architecture design stages, while the checklist and testing guide may serve as a baseline for manual security testing or as a template for automated security tests.<br />
<br />
== Mobile App Security Testing ==<br />
<br />
The [https://www.owasp.org/images/9/94/Mobile_App_Security_Verification_Checklist_0.8.2.xlsx checklist] works great as a reference during mobile app security assessments. You can walk through the requirements one-by-one - for more information on each requirement, simply click on the link in the "Testing procedures" column. Or, fill out the checklist at the end of an assessment to ensure completeness. <br />
<br />
== Security Engineering in the SDLC ==<br />
<br />
Properly defined security requirements are an important part of the Secure SDLC. The [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf MASVS] levels can be used along with threat modeling to determine the appropriate set of security controls for a particular mobile app. MASVS V1 also lists requirements pertaining to the architecture and design of the mobile apps, as well as general processes and activities that should be part of the development process.<br />
<br />
== Mobile App Security Education ==<br />
<br />
The [https://github.com/OWASP/owasp-mstg Mobile Security Testing Guide] can be used as a standalone learning resource. Its main chapters contain general how-tos and tutorials that cover a variety of topics from mobile OS internals to advanced reverse engineering techniques.<br />
<br />
= Sponsorship Packages =<br />
With the Mobile Security Testing Guide sponsorship packages, we offer companies opportunities to create brand awareness and maximize visibility in the mobile security space. A limited amount of sponsorship packages will be made available shortly through our crowdfunding campaign. <br />
<br />
The following packages will be available (or [[:File:MSTG-Sponsor-Packages.pdf|download as PDF]] ):<br />
<br />
=== Good Samaritan (USD 500) ===<br />
* Listed as supporter on the project website and GitHub<br />
* Listed as supporter in the printed and ebook versions<br />
* 5 Paperback Books<br />
<br />
=== Honourable Benefactor (USD 2,000 / 9 Available) ===<br />
* Small company logo in the “Honourable Benefactors” section on project website and Github<br />
* Small company logo on the sponsors page of the printed and ebook versions<br />
* 10 Paperback Books<br />
<br />
=== God Mode Sponsor (USD 4,000 / 5 Available) ===<br />
* Large company logo in the “God mode sponsors” section on project website and Github<br />
* Large company logo on the sponsors page of the printed and ebook versions<br />
* 20 Paperback Books<br />
<br />
== Pre-book a package ==<br />
Contact [mailto:bernhard&#x5B;dot&#x5D;mueller&#x5B;at&#x5D;owasp&#x5B;dot&#x5D;org Bernhard Mueller] to reserve your slot. We will contact you as soon as the packages become available.<br />
<br />
==Why Sponsors?==<br />
<br />
As it turns out, writing a book to a professional standard is a challenging task, even more so if there's 50+ authors that aren't necessarily native speakers. Also, professional editors, graphic designers and layouters don't work for free. Thus, some funds are needed to make the tech book a reality.<br />
<br />
100% of the funds raised go directly into the project budget and will be used to fund production of the final release, including:<br />
<br />
* Editing and proofreading by professional editors<br />
* Graphic design and layout<br />
* Purchase an ISBN<br />
<br />
Any leftover funds will be donated to the OWASP Foundation to the mobile security project for future use.<br />
<br />
=News=<br />
<br />
== September 14th, 2017: Mobile App Security Verification Standard Update ==<br />
<br />
[https://www.owasp.org/images/6/61/MASVS_v0.9.4.pdf Version 0.9.4] of the MASVS is now [https://www.owasp.org/images/6/61/MASVS_v0.9.4.pdf available for download] . This release contains several bug fixes and modifications to security requirements.<br />
<br />
== July 5th, 2017: Sponsorship Packages Announced == <br />
<br />
We are happy to announce that a limited amount of [[:File:MSTG-Sponsor-Packages.pdf|sponsorship packages]] will be made available shortly through our crowdfunding campaign. With these packages, we offer companies opportunities to create brand awareness and maximize visibility in the mobile security space. 100% of the funds raised go directly into the project budget and will be used to fund production of the final release.<br />
<br />
== June 17th, 2017: The OWASP Mobile Security Testing Guide - Summit Preview ==<br />
<br />
The MSTG Summit Preview is an experimental proof-of-concept book created on the OWASP Summit 2017 in London. The goal was to improve the authoring process and book deployment pipeline, as well as to demonstrate the viability of the project. Note that the content is not final and will likely change significantly in subsequent releases.<br />
<br />
Download the ebook [https://github.com/OWASP/owasp-mstg/releases/download/1.0/owasp-mstg-summit-edition.epub here].<br />
<br />
== Mobile Security Testing Workshop on the OWASP Summit 2017 ==<br />
<br />
The OWASP MSTG team is organizing a 5-days mobile security track on the OWASP Summit 2017. The track consists of a series of book sprints, each of which focuses on producing content for a specific section in the OWASP MSTG, as well as proof-reading and editing the existing content. The goal is to make as much progress on the guide as is humanly possible. Depending on the number of participants, we’ll split into sub-groups to work on different subsections or topic areas.<br />
<br />
=== How to Join ===<br />
<br />
Join up for the working session(s) you like by following the link(s) on the [http://owaspsummit.org/Working-Sessions/Mobile-Security/ mobile security track page], then hitting the "Edit this page here" link at the bottom, and adding yourself to the "participants" field. Signing up is not mandatory, but helps us to better organize the sessions. Don’t worry though if your session of choice happens on the "wrong" day - you can always simply stop by and we’ll brief you on your topic of choice. After all, this is the Woodstock of appsec!<br />
<br />
Mobile security track main page:<br />
<br />
http://owaspsummit.org/Working-Sessions/Mobile-Security/<br />
<br />
Mobile security track schedule:<br />
<br />
http://owaspsummit.org/schedule/tracks/Mobile-Security.html/<br />
<br />
== April 5th, 2017: Mobile App Security Verification Standard Update ==<br />
<br />
[https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf Version 0.9.3] of the MASVS is now [https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf available for download] . This release contains several bug fixes and modifications to security requirements:<br />
<br />
* Merged requirements 7.8 and 7.9 into for simplification<br />
* Removed Anti-RE controls 8.1 and 8.2<br />
* Updated MSTG links to current master<br />
* Section "Environmental Interaction" renamed to "Platform Interaction"<br />
* Removed To-dos<br />
* Fixed some wording & spelling issues<br />
<br />
== January 31st, 2017: Mobile App Security Verification Standard v0.9.2 Available For Download ==<br />
<br />
The Mobile App Security Verification Standard (MASVS) has undergone a major revision, including a re-design of the security model and verification levels. We also revised many security requirements to address the multitude of [https://github.com/OWASP/owasp-masvs/issues?q=is%3Aissue%20 issues raised on GitHub]. The result is MASVS v0.9.2, which is now [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf available for download in PDF format].<br />
<br />
As the MASVS is nearing maturity, we have decided to freeze the requirements until the Mobile Testing Guide and checklists "catch up" (due to the one-to-one mapping between requirements in the MASVS and MSTG, changes to the requirements make it necessary to update the other documents as well, causing repeated effort). Unless major issues pop up, the current list will therefore remain in place until MASVS/MSTG v1.0, and further changes will be reserved for v1.1 or later releases.<br />
<br />
The MASVS is a community effort to establish security requirements for designing, developing and testing secure mobile apps on iOS and Android. Join the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel] to meet the project members! You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
== January 28th, 2017: Mobile Crackmes and Reversing Tutorials ==<br />
{| cellpadding="5"<br />
|-<br />
| [[File:uncrackable-250.png|link=]]<br />
| <br />
A key goal of the OWASP Mobile Testing Project is to build the ultimate learning resource and reference guide for mobile app reversers. As hands-on hacking is by far the best way to learn, we'd like to link most of the content to practical examples. <br />
<br />
Starting now, we'll be adding [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes crackmes for Android and iOS] to the [https://github.com/OWASP/owasp-mstg GitHub repo] that will then be used as examples throughout the guide. The goal is to collect enough resources for demonstrating the most important tools and techniques in our guide, plus additional crackmes for practicing. For starters there are three challenges:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/OMTG-Files/02_Crackmes/01_Android/01_License_Validation Android License Validator]<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes/iOS/Level_01/ Uncrackable App for iOS Level 1]<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes/iOS/Level_02/ Uncrackable App for iOS Level 2]<br />
<br />
|}<br />
<br />
One of these three already has a [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md#symbolicexec documented solution] in the guide. Tutorials for solving the other two [https://github.com/OWASP/owasp-mstg/blob/master/OMTG-Files/02_Crackmes/List_of_Crackmes.md still need to be added].<br />
<br />
=== We Need More Authors and Contributors! ===<br />
<br />
Maybe you have noticed that [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html the reverse engineering sections in the Mobile Testing Guide are incomplete]. The reason: We're still in the starting stages and don't have a lot of authors and contributors (in fact, 99% of the reversing content was produced by one guy). We'd love to welcome *you* as a contributor of crackmes, tutorials, writeups, or simply new ideas for this project. <br />
<br />
==== What You Can Do ====<br />
<br />
The OWASP MSTG is an open project and there's a lot of flexibility - it mostly depends on your skill set and willingness to commit your time. That said, the some areas that need help are:<br />
<br />
* Solving crackmes and contributing a tutorial to the guide (preferable a technique that's not already documented. Check the [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html TOC] first).<br />
* Writing and adding new crackmes along with solutions (should also describe something not already in the guide. Cracking white-boxes, dynamic analysis using an emulator / introspection, etc. etc.).<br />
* General reversing write-ups to describe specific processes and techniques<br />
* Help us figure out [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x07b-Assessing_Software_Protections.md resiliency testing processes] and [https://github.com/b-mueller/obfuscation-metrics obfuscation metrics]<br />
<br />
The reversing part of the guide consists of the following chapters:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05-Testing-Processes-and-Techniques.md#tampering-and-reverse-engineering Tampering and Reverse Engineering - General Overview]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md#tampering-and-reverse-engineering-on-android Tampering and Reverse Engineering on Android]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Reverse-Engineering-and-Tampering-iOS.md#tampering-and-reverse-engineering-on-ios Tampering and Reverse Engineering on iOS]<br />
<br />
==== How To Join ====<br />
<br />
Read the [https://github.com/OWASP/owasp-mstg/blob/master/authors_guide.md author's guide] first, and join the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel], where you'll find all the other project members. You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
== January 22nd, 2017: Mobile Testing Guide TOC Available ==<br />
<br />
As of now, we'll be auto-generating a [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html table of contents] out of the current MSTG master branch. This reflects the current state of the guide, and should make it easier to coordinate work between authors. A short-term goal is to finalize the structure of the guide so we get a clearer picture of what will be included in the final document. Lead authors are encouraged to complete the outline of their respective chapters. <br />
<br />
'''On another note, we still need additional authors to help with all sections of the guide, including mobile operating system overviews, testing processes and techniques, and reverse engineering.''' Especially iOS authors are in short supply! As usual, ping us on the [https://owasp.slack.com/messages/project-mobile_omtg/details/ Slack Channel] if you want to contribute.<br />
<br />
== December 4th, 2016: Call For Authors: The Ultimate Open-Source Mobile App Reverse Engineering Guide ==<br />
<br />
Reverse engineering is an art, and describing every available facet of it would fill a whole library. The sheer range techniques and possible specializations is mind-blowing: One can spend years working on a very specific, isolated sub-problem, such as automating malware analysis or developing novel de-obfuscation methods. For mobile app security testers, it can be challenging to filter through the vast amount of information and build a working methodology. Things become even more problematic when one is tasked to assess apps that are heavily obfuscated and have anti-tampering measures built in.<br />
<br />
One of the main goals in the MSTG is to build the ultimate resource for mobile reverse engineers. This includes not only basic static and dynamic analysis, but also advanced de-obfuscation, scripting and automation. Obviously, writing all this content is a lot of work, both in terms of general content and OS-specific how-tos. We're therefore looking for talented authors that want to join the project early on. Topics include the following:<br />
<br />
* Basic Hybrid Static/Dynamic Analysis<br />
* Code Injection and Dynamic Instrumentation (Substrate, FRIDA)<br />
* Dynamic Binary Instrumentation (Valgrind, PIE)<br />
* Analysis Frameworks (Metasm / Miasm)<br />
* Symbolic Execution<br />
* DCA and DPA attacks on white-box crypto<br />
* Dynamic analysis frameworks (PANDA / DroidScope,...)<br />
* Anything else we might have missed<br />
<br />
=== What is in for me? ===<br />
<br />
All of this is unpaid, volunteer work. However, depending on your contribution, you will be named in the "lead authors" or "contributors" list, and you'll be able to point to the fact that you co-authored the guide. You'll also be contributing to the field, helping others who are just starting out, and in turn becoming a happier person yourself (reaping the full benefits of your altruism).<br />
<br />
=== Where do I sign up? ===<br />
<br />
First of all, have a look at the existing RE chapters outline:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05-Testing-Processes-and-Techniques.md#tampering-and-reverse-engineering Generic / Introduction]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md Android]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Reverse-Engineering-and-Tampering-iOS.md#tampering-and-reverse-engineering-on-ios iOS]<br />
<br />
You'll probably immediately have ideas on how you can contribute. If that's the case, read the [https://github.com/OWASP/owasp-mstg/blob/master/authors_guide.md author's guide] first. <br />
<br />
Then contact [https://github.com/b-mueller Bernhard Mueller] - ideally directly on the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel], where you'll find all the other project members. You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
=FAQs=<br />
<br />
==How can I participate in your project?==<br />
<br />
'''We are searching for additional authors, reviewers and editors.''' The best way to get started is to browse the [https://b-mueller.gitbooks.io/owasp-mobile-security-testing-guide/content/ existing content]. Also, check the [https://github.com/OWASP/owasp-mstg/projects/1 project dashboard] for a list of open tasks.<br />
<br />
Drop a us line on the [https://owasp.slack.com/messages/project-mobile_omtg/details/) Slack channel] before you start working on a topic. This helps us to keep track of what everyone is doing and prevent conflicts. You can create a Slack account here:<br />
<br />
http://owasp.herokuapp.com/<br />
<br />
Before you start contributing, please read our brief [https://github.com/OWASP/owasp-mstg/blob/master/style_guide.md style guide] which contains a few basic writing rules.<br />
<br />
If there's something you really want to see in the guide, or you want to suggest an improvement, create an issue [https://github.com/OWASP/owasp-mstg/issues issue] or ping us on [https://owasp.slack.com/messages/project-mobile_omtg/details/ Slack].<br />
<br />
==Where do you guys need help the most?==<br />
<br />
There's a lot of areas where you can help out:<br />
<br />
* Writing original content, such as describing testing processes and writing test cases. We're all doing this in our spare time, which unfortunately means that things sometimes slow down to a crawl. If you're knowledgeable in some area and have time available, we'd be incredibly thankful to anyone who contributes, even if it's only one or two test cases.<br />
<br />
* Reviewing content and giving feedback. The proper channel for questions and feedback is the GitHub issues system of the respective repo, contacting us on [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel] is another possibility.<br />
<br />
* Developing tools. For example, we still don't have an automated way of generating checklists out of the GitHub repo.<br />
<br />
* Contributing to auxiliary projects: The [https://github.com/b-mueller/obfuscation-metrics obfuscation metrics project] is an auxiliary project that deals with specific forms of control flow and data obfuscation. This project needs experts in advanced obfuscation / de-obfuscation. Please contact us if you have experience in this area.<br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator.<br />
<br />
==I contributed to the original Google Doc, but I'm not credited in the new version of the MSTG? ==<br />
As we migrated some of the existing content, we did our best to backtrack the original authors and credit them appropriately. We also added a [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x02-Frontispiece.md revision history] that lists all the authors from old Google Docs. If you are not on that list but feel you should be, please contact [https://github.com/b-mueller Bernhard] or [https://github.com/sushi2k Sven] and they'll fix it. Or better yet, re-join the author's team and start contributing to the new guide.<br />
<br />
= Acknowledgements =<br />
<br />
== Acknowledgments ==<br />
<br />
=== Authors ===<br />
<br />
====Bernhard Mueller ====<br />
<br />
Bernhard is a cyber security specialist with a talent in hacking all kinds of systems. During more than a decade in the industry, he has published many zero-day exploits for software such as MS SQL Server, Adobe Flash Player, IBM Director, Cisco VOIP and ModSecurity. If you can name it, he has probably broken it at least once. His pioneering work in mobile security was commended with a BlackHat "Best Research" Pwnie Award.<br />
<br />
==== Sven Schleier ====<br />
<br />
Sven is an experienced penetration tester and security architect who specialized in implementing secure SDLC for web application, iOS and Android apps. He is a project leader for the OWASP Mobile Security Testing Guide and the creator of OWASP Mobile Hacking Playground. Sven also supports the community with free hands-on workshops on web and mobile app security testing. He has published several security advisories and a white papers about a range of security topics.<br />
<br />
=== Co-Authors ===<br />
<br />
==== Romuald Szkudlarek ====<br />
<br />
Romuald is a passionate cyber security & privacy professional with over 15 years of experience in the Web, Mobile, IoT and Cloud domains. During his career, he has been dedicating spare time to a variery of projects with the goal of advancing the sectors of software and security. He is also teaching at various institutions. He holds CISSP, CSSLP and CEH credentials.<br />
<br />
==== Jeroen Willemsen ====<br />
<br />
Jeroen is a full-stack developer specialized in IT security at Xebia with a passion for mobile and risk management. He loves to explain things: starting as a teacher teaching PHP to bachelor students and then move along explaining security, risk management and programming issues to anyone willing to listen and learn.<br />
<br />
=== Top Contributors ===<br />
<br />
* Francesco Stillavato<br />
* Pawel Rzepa<br />
* Andreas Happe<br />
* Henry Hoggard<br />
* Wen Bin Kong<br />
* Abdessamad Temmar<br />
* Alexander Anthuk<br />
* Slawomir Kosowski<br />
* Bolot Kerimbaev<br />
<br />
=== Contributors ===<br />
<br />
Jin Kung Ong, Gerhard Wagner, Andreas Happe, Wen Bin Kong, Michael Helwig, Jeroen Willemsen, Denis Pilipchuk, Ryan Teoh, Dharshin De Silva, Anita Diamond, Daniel Ramirez Martin, Claudio André, Enrico Verzegnassi, Prathan Phongthiproek, Tom Welch, Luander Ribeiro, Oguzhan Topgul, Carlos Holguera, David Fern, Pishu Mahtani, Anuruddha<br />
<br />
=== Reviewers ===<br />
<br />
* Anant Shrivastava<br />
* Sjoerd Langkemper<br />
<br />
=== Others ===<br />
<br />
The full list of contributors, including those with less than 50 additions logged, is available on [https://github.com/OWASP/owasp-mstg/graphs/contributors GitHub].<br />
<br />
=== Old Version - MSTG "Beta" on Google Drive ===<br />
<br />
The Mobile Security Testing Guide was initiated by [https://www.owasp.org/index.php/User:Milan_Singh_Thakur Milan Singh Thakur] in 2015. The original document was hosted on Google Drive.<br />
<br />
'''Authors:'''<br />
<br />
Mirza Ali, Stephen Corbiaux, Ryan Dewhurst, Mohammad Hamed Dadpour, David Fern, Ali Yazdani, Bao Lee, Anto Joseph, Nutan Kumar Panda, Rahil Parikh, Julian Schütte, Abhinav Sejpal, Anant Shrivastava, Pragati Singh, Milan Singh Thakur, Stephanie Vanroelen, Gerhard Wagner<br />
<br />
'''Reviewers:'''<br />
<br />
Andrew Muller, Jonathan Carter, Stephanie Vanroelen, Milan Singh Thakur<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs></headertabs> <br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Builders]] <br />
[[Category:OWASP_Defenders]] <br />
[[Category:OWASP_Document]]</div>Bernhard Muellerhttps://wiki.owasp.org/index.php?title=OWASP_Mobile_Security_Testing_Guide&diff=236250OWASP Mobile Security Testing Guide2017-12-13T05:29:03Z<p>Bernhard Mueller: /* Mobile App Security Education */</p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_MSTG_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==Our Vision ==<br />
<br />
=== '''"Define the industry standard for mobile application security."''' ===<br />
<br />
We are writing a security standard for mobile apps and a comprehensive testing guide that covers the processes, techniques, and tools used during a mobile app security test, as well as an exhaustive set of test cases that enables testers to deliver consistent and complete results.<br />
<br />
== Early-Access Ebook ==<br />
<br />
{| cellpadding="5"<br />
|-<br />
| [[File:Early-access-mini.jpg|link=https://leanpub.com/mobile-security-testing-guide]]<br />
| '''Mobile Security Testing Guide - Early Access'''<br />
The early access edition contains sample chapters with content on mobile security testing and reverse engineering. Feel free to download it for $0 or contribute any amount you like. All funds raised through sales of this book go directly into the project budget and will be used to fund production of the final release.<br />
|}<br />
<br />
== Main Deliverables ==<br />
<br />
{| cellpadding="5"<br />
|-<br />
| [[File:mstg-mini-3.jpg|link=https://www.github.com/OWASP/owasp-mstg/]]<br />
| '''Mobile Security Testing Guide'''<br />
A comprehensive guide for iOS and Android mobile security testers with the following content:<br />
# Mobile platform internals<br />
# Security testing in the mobile app development lifecycle<br />
# Basic static and dynamic security testing<br />
# Mobile app reverse engineering and tampering<br />
# Assessing software protections<br />
# Detailed test cases that map to the requirements in the MASVS.<br />
The MSTG is a work-in-progress. Currently, we hope to be "feature-complete" in Q3 2017. You can contribute and comment in the [https://github.com/OWASP/owasp-mstg GitHub Repo]. A book version of the current master branch is available on [https://b-mueller.gitbooks.io/the-owasp-mobile-security-testing-guide/content/ Gitbook].<br />
|-<br />
| [[File:masvs-sample-mini.jpg|link=https://www.owasp.org/images/6/61/MASVS_v0.9.4.pdf]]<br />
| '''Mobile App Security Requirements and Verification'''<br />
The [https://www.owasp.org/images/6/61/MASVS_v0.9.4.pdf OWASP Mobile Application Security Verification Standard (MASVS)] is a standard for mobile app security. It can be used by mobile software architects and developers seeking to develop secure mobile applications, as well as security testers to ensure completeness and consistency of test results. The latest release is [https://www.owasp.org/images/6/61/MASVS_v0.9.4.pdf version 0.9.4].<br />
|-<br />
| [[File:checklist.jpg|link=https://www.owasp.org/images/1/1b/Mobile_App_Security_Checklist_0.9.3.xlsx]]<br />
| '''Mobile App Security Checklist'''<br />
A checklist for use in security assessments. Also contains links to the MSTG test case for each requirement. The current release is [https://www.owasp.org/images/1/1b/Mobile_App_Security_Checklist_0.9.3.xlsx version 0.9.3].<br />
|}<br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Breakers]] <br />
[[Category:OWASP_Document]]<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="center" width="50%" | [[File:Owasp-breakers-small.png|link=https://www.owasp.org/index.php/Breakers]]<br />
|<br />
|-<br />
| align="center" valign="center" width="50%" | <br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
== Project Leaders ==<br />
<br />
<span style="color:#ff0000"><br />
<br />
[https://www.owasp.org/index.php/User:Bernhard_Mueller Bernhard Mueller]<br />
<br />
[https://www.owasp.org/index.php/User:Sven_Schleier Sven Schleier]<br />
<br />
== Road Map ==<br />
<br />
* Q3 2017: Beta release<br />
* Q4 2017: Version 1.0<br />
* Q1 2018: Produce A Printable Book<br />
<br />
== Presentations ==<br />
* OWASP Day Indonesia 2017 - Fixing Mobile AppSec, 09.09.017<br />
* Confidence (Krakow, Poland) - Pawel Rzepa - Testing Mobile Applications <br />
* OWASP AppSec EU 2017 - [http://sched.co/A66j Fixing Mobile AppSec] - [https://2017.appsec.eu/presos/Developer/Fixing%20Mobile%20AppSec%20The%20OWASP%20Mobile%20Project-%20Bernhard%20Mueller%20and%20Sven%20Schleier%20-%20OWASP_AppSec-Eu_2017.pdf Slides], [https://www.youtube.com/watch?v=THJVzf-u7Iw Video] <br />
<br />
== Parent Project ==<br />
<br />
[[OWASP_Mobile_Security_Project]]<br />
<br />
==Licensing==<br />
<br />
The guide is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
|}<br />
<br />
=How-To=<br />
<br />
== Using the OWASP Mobile App Security Verification Standard, Testing Guide and Checklist ==<br />
<br />
The documents produced in this project cover many aspects of mobile application security, from the high-level requirements to the nitty-gritty implementation details and test cases. They can be used to plan and verify security controls during any phase of mobile app development, as well as during pre-release code review and penetration testing.<br />
<br />
# The [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf Mobile Application Security Verification Standard (MASVS)] contains generic security requirements along with mappings to verification levels that can be chosen depending on the overall need for security.<br />
# The [https://github.com/OWASP/owasp-mstg Mobile Security Testing Guide (MSTG)] provides verification instructions for each requirement in the MASVS, as well as security best practices for apps on each supported mobile operating system (currently Android and iOS). It is also useful as a standalone learning resource and reference guide for mobile application security testers.<br />
# The [https://www.owasp.org/images/6/6f/Mobile_App_Security_Checklist_0.9.2.xlsx Mobile App Security Checklist] can be used to apply the MASVS requirements during practical assessments. It also conveniently links to the MSTG test case for each requirement, making mobile penetration testing a breeze.<br />
<br />
It is important to note that the security standard, testing guide and checklists are closely related: They all map to the same basic set of requirements. Depending on the context, the documents can be used stand-alone or in combination to achieve different objectives.<br />
<br />
[[File:Overview-800px.jpg]]<br />
<br />
For example, the MASVS requirements may be used in the planning and architecture design stages, while the checklist and testing guide may serve as a baseline for manual security testing or as a template for automated security tests.<br />
<br />
== Mobile App Security Testing ==<br />
<br />
The [https://www.owasp.org/images/9/94/Mobile_App_Security_Verification_Checklist_0.8.2.xlsx checklist] works great as a reference during mobile app security assessments. You can walk through the requirements one-by-one - for more information on each requirement, simply click on the link in the "Testing procedures" column. Or, fill out the checklist at the end of an assessment to ensure completeness. <br />
<br />
== Security Engineering in the SDLC ==<br />
<br />
Properly defined security requirements are an important part of the Secure SDLC. The [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf MASVS] levels can be used along with threat modeling to determine the appropriate set of security controls for a particular mobile app. MASVS V1 also lists requirements pertaining to the architecture and design of the mobile apps, as well as general processes and activities that should be part of the development process.<br />
<br />
== Mobile App Security Education ==<br />
<br />
The [https://github.com/OWASP/owasp-mstg Mobile Security Testing Guide] can be used as a standalone learning resource. Its main chapters contain general how-tos and tutorials that cover a variety of topics from mobile OS internals to advanced reverse engineering techniques.<br />
<br />
= Sponsorship Packages =<br />
With the Mobile Security Testing Guide sponsorship packages, we offer companies opportunities to create brand awareness and maximize visibility in the mobile security space. A limited amount of sponsorship packages will be made available shortly through our crowdfunding campaign. <br />
<br />
The following packages will be available (or [[:File:MSTG-Sponsor-Packages.pdf|download as PDF]] ):<br />
<br />
=== Good Samaritan (USD 500) ===<br />
* Listed as supporter on the project website and GitHub<br />
* Listed as supporter in the printed and ebook versions<br />
* 5 Paperback Books<br />
<br />
=== Honourable Benefactor (USD 2,000 / 9 Available) ===<br />
* Small company logo in the “Honourable Benefactors” section on project website and Github<br />
* Small company logo on the sponsors page of the printed and ebook versions<br />
* 10 Paperback Books<br />
<br />
=== God Mode Sponsor (USD 4,000 / 5 Available) ===<br />
* Large company logo in the “God mode sponsors” section on project website and Github<br />
* Large company logo on the sponsors page of the printed and ebook versions<br />
* 20 Paperback Books<br />
<br />
== Pre-book a package ==<br />
Contact [mailto:bernhard&#x5B;dot&#x5D;mueller&#x5B;at&#x5D;owasp&#x5B;dot&#x5D;org Bernhard Mueller] to reserve your slot. We will contact you as soon as the packages become available.<br />
<br />
==Why Sponsors?==<br />
<br />
As it turns out, writing a book to a professional standard is a challenging task, even more so if there's 50+ authors that aren't necessarily native speakers. Also, professional editors, graphic designers and layouters don't work for free. Thus, some funds are needed to make the tech book a reality.<br />
<br />
100% of the funds raised go directly into the project budget and will be used to fund production of the final release, including:<br />
<br />
* Editing and proofreading by professional editors<br />
* Graphic design and layout<br />
* Purchase an ISBN<br />
<br />
Any leftover funds will be donated to the OWASP Foundation to the mobile security project for future use.<br />
<br />
=News=<br />
<br />
== September 14th, 2017: Mobile App Security Verification Standard Update ==<br />
<br />
[https://www.owasp.org/images/6/61/MASVS_v0.9.4.pdf Version 0.9.4] of the MASVS is now [https://www.owasp.org/images/6/61/MASVS_v0.9.4.pdf available for download] . This release contains several bug fixes and modifications to security requirements.<br />
<br />
== July 5th, 2017: Sponsorship Packages Announced == <br />
<br />
We are happy to announce that a limited amount of [[:File:MSTG-Sponsor-Packages.pdf|sponsorship packages]] will be made available shortly through our crowdfunding campaign. With these packages, we offer companies opportunities to create brand awareness and maximize visibility in the mobile security space. 100% of the funds raised go directly into the project budget and will be used to fund production of the final release.<br />
<br />
== June 17th, 2017: The OWASP Mobile Security Testing Guide - Summit Preview ==<br />
<br />
The MSTG Summit Preview is an experimental proof-of-concept book created on the OWASP Summit 2017 in London. The goal was to improve the authoring process and book deployment pipeline, as well as to demonstrate the viability of the project. Note that the content is not final and will likely change significantly in subsequent releases.<br />
<br />
Download the ebook [https://github.com/OWASP/owasp-mstg/releases/download/1.0/owasp-mstg-summit-edition.epub here].<br />
<br />
== Mobile Security Testing Workshop on the OWASP Summit 2017 ==<br />
<br />
The OWASP MSTG team is organizing a 5-days mobile security track on the OWASP Summit 2017. The track consists of a series of book sprints, each of which focuses on producing content for a specific section in the OWASP MSTG, as well as proof-reading and editing the existing content. The goal is to make as much progress on the guide as is humanly possible. Depending on the number of participants, we’ll split into sub-groups to work on different subsections or topic areas.<br />
<br />
=== How to Join ===<br />
<br />
Join up for the working session(s) you like by following the link(s) on the [http://owaspsummit.org/Working-Sessions/Mobile-Security/ mobile security track page], then hitting the "Edit this page here" link at the bottom, and adding yourself to the "participants" field. Signing up is not mandatory, but helps us to better organize the sessions. Don’t worry though if your session of choice happens on the "wrong" day - you can always simply stop by and we’ll brief you on your topic of choice. After all, this is the Woodstock of appsec!<br />
<br />
Mobile security track main page:<br />
<br />
http://owaspsummit.org/Working-Sessions/Mobile-Security/<br />
<br />
Mobile security track schedule:<br />
<br />
http://owaspsummit.org/schedule/tracks/Mobile-Security.html/<br />
<br />
== April 5th, 2017: Mobile App Security Verification Standard Update ==<br />
<br />
[https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf Version 0.9.3] of the MASVS is now [https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf available for download] . This release contains several bug fixes and modifications to security requirements:<br />
<br />
* Merged requirements 7.8 and 7.9 into for simplification<br />
* Removed Anti-RE controls 8.1 and 8.2<br />
* Updated MSTG links to current master<br />
* Section "Environmental Interaction" renamed to "Platform Interaction"<br />
* Removed To-dos<br />
* Fixed some wording & spelling issues<br />
<br />
== January 31st, 2017: Mobile App Security Verification Standard v0.9.2 Available For Download ==<br />
<br />
The Mobile App Security Verification Standard (MASVS) has undergone a major revision, including a re-design of the security model and verification levels. We also revised many security requirements to address the multitude of [https://github.com/OWASP/owasp-masvs/issues?q=is%3Aissue%20 issues raised on GitHub]. The result is MASVS v0.9.2, which is now [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf available for download in PDF format].<br />
<br />
As the MASVS is nearing maturity, we have decided to freeze the requirements until the Mobile Testing Guide and checklists "catch up" (due to the one-to-one mapping between requirements in the MASVS and MSTG, changes to the requirements make it necessary to update the other documents as well, causing repeated effort). Unless major issues pop up, the current list will therefore remain in place until MASVS/MSTG v1.0, and further changes will be reserved for v1.1 or later releases.<br />
<br />
The MASVS is a community effort to establish security requirements for designing, developing and testing secure mobile apps on iOS and Android. Join the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel] to meet the project members! You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
== January 28th, 2017: Mobile Crackmes and Reversing Tutorials ==<br />
{| cellpadding="5"<br />
|-<br />
| [[File:uncrackable-250.png|link=]]<br />
| <br />
A key goal of the OWASP Mobile Testing Project is to build the ultimate learning resource and reference guide for mobile app reversers. As hands-on hacking is by far the best way to learn, we'd like to link most of the content to practical examples. <br />
<br />
Starting now, we'll be adding [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes crackmes for Android and iOS] to the [https://github.com/OWASP/owasp-mstg GitHub repo] that will then be used as examples throughout the guide. The goal is to collect enough resources for demonstrating the most important tools and techniques in our guide, plus additional crackmes for practicing. For starters there are three challenges:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/OMTG-Files/02_Crackmes/01_Android/01_License_Validation Android License Validator]<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes/iOS/Level_01/ Uncrackable App for iOS Level 1]<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes/iOS/Level_02/ Uncrackable App for iOS Level 2]<br />
<br />
|}<br />
<br />
One of these three already has a [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md#symbolicexec documented solution] in the guide. Tutorials for solving the other two [https://github.com/OWASP/owasp-mstg/blob/master/OMTG-Files/02_Crackmes/List_of_Crackmes.md still need to be added].<br />
<br />
=== We Need More Authors and Contributors! ===<br />
<br />
Maybe you have noticed that [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html the reverse engineering sections in the Mobile Testing Guide are incomplete]. The reason: We're still in the starting stages and don't have a lot of authors and contributors (in fact, 99% of the reversing content was produced by one guy). We'd love to welcome *you* as a contributor of crackmes, tutorials, writeups, or simply new ideas for this project. <br />
<br />
==== What You Can Do ====<br />
<br />
The OWASP MSTG is an open project and there's a lot of flexibility - it mostly depends on your skill set and willingness to commit your time. That said, the some areas that need help are:<br />
<br />
* Solving crackmes and contributing a tutorial to the guide (preferable a technique that's not already documented. Check the [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html TOC] first).<br />
* Writing and adding new crackmes along with solutions (should also describe something not already in the guide. Cracking white-boxes, dynamic analysis using an emulator / introspection, etc. etc.).<br />
* General reversing write-ups to describe specific processes and techniques<br />
* Help us figure out [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x07b-Assessing_Software_Protections.md resiliency testing processes] and [https://github.com/b-mueller/obfuscation-metrics obfuscation metrics]<br />
<br />
The reversing part of the guide consists of the following chapters:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05-Testing-Processes-and-Techniques.md#tampering-and-reverse-engineering Tampering and Reverse Engineering - General Overview]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md#tampering-and-reverse-engineering-on-android Tampering and Reverse Engineering on Android]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Reverse-Engineering-and-Tampering-iOS.md#tampering-and-reverse-engineering-on-ios Tampering and Reverse Engineering on iOS]<br />
<br />
==== How To Join ====<br />
<br />
Read the [https://github.com/OWASP/owasp-mstg/blob/master/authors_guide.md author's guide] first, and join the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel], where you'll find all the other project members. You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
== January 22nd, 2017: Mobile Testing Guide TOC Available ==<br />
<br />
As of now, we'll be auto-generating a [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html table of contents] out of the current MSTG master branch. This reflects the current state of the guide, and should make it easier to coordinate work between authors. A short-term goal is to finalize the structure of the guide so we get a clearer picture of what will be included in the final document. Lead authors are encouraged to complete the outline of their respective chapters. <br />
<br />
'''On another note, we still need additional authors to help with all sections of the guide, including mobile operating system overviews, testing processes and techniques, and reverse engineering.''' Especially iOS authors are in short supply! As usual, ping us on the [https://owasp.slack.com/messages/project-mobile_omtg/details/ Slack Channel] if you want to contribute.<br />
<br />
== December 4th, 2016: Call For Authors: The Ultimate Open-Source Mobile App Reverse Engineering Guide ==<br />
<br />
Reverse engineering is an art, and describing every available facet of it would fill a whole library. The sheer range techniques and possible specializations is mind-blowing: One can spend years working on a very specific, isolated sub-problem, such as automating malware analysis or developing novel de-obfuscation methods. For mobile app security testers, it can be challenging to filter through the vast amount of information and build a working methodology. Things become even more problematic when one is tasked to assess apps that are heavily obfuscated and have anti-tampering measures built in.<br />
<br />
One of the main goals in the MSTG is to build the ultimate resource for mobile reverse engineers. This includes not only basic static and dynamic analysis, but also advanced de-obfuscation, scripting and automation. Obviously, writing all this content is a lot of work, both in terms of general content and OS-specific how-tos. We're therefore looking for talented authors that want to join the project early on. Topics include the following:<br />
<br />
* Basic Hybrid Static/Dynamic Analysis<br />
* Code Injection and Dynamic Instrumentation (Substrate, FRIDA)<br />
* Dynamic Binary Instrumentation (Valgrind, PIE)<br />
* Analysis Frameworks (Metasm / Miasm)<br />
* Symbolic Execution<br />
* DCA and DPA attacks on white-box crypto<br />
* Dynamic analysis frameworks (PANDA / DroidScope,...)<br />
* Anything else we might have missed<br />
<br />
=== What is in for me? ===<br />
<br />
All of this is unpaid, volunteer work. However, depending on your contribution, you will be named in the "lead authors" or "contributors" list, and you'll be able to point to the fact that you co-authored the guide. You'll also be contributing to the field, helping others who are just starting out, and in turn becoming a happier person yourself (reaping the full benefits of your altruism).<br />
<br />
=== Where do I sign up? ===<br />
<br />
First of all, have a look at the existing RE chapters outline:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05-Testing-Processes-and-Techniques.md#tampering-and-reverse-engineering Generic / Introduction]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md Android]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Reverse-Engineering-and-Tampering-iOS.md#tampering-and-reverse-engineering-on-ios iOS]<br />
<br />
You'll probably immediately have ideas on how you can contribute. If that's the case, read the [https://github.com/OWASP/owasp-mstg/blob/master/authors_guide.md author's guide] first. <br />
<br />
Then contact [https://github.com/b-mueller Bernhard Mueller] - ideally directly on the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel], where you'll find all the other project members. You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
=FAQs=<br />
<br />
==How can I participate in your project?==<br />
<br />
'''We are searching for additional authors, reviewers and editors.''' The best way to get started is to browse the [https://b-mueller.gitbooks.io/owasp-mobile-security-testing-guide/content/ existing content]. Also, check the [https://github.com/OWASP/owasp-mstg/projects/1 project dashboard] for a list of open tasks.<br />
<br />
Drop a us line on the [https://owasp.slack.com/messages/project-mobile_omtg/details/) Slack channel] before you start working on a topic. This helps us to keep track of what everyone is doing and prevent conflicts. You can create a Slack account here:<br />
<br />
http://owasp.herokuapp.com/<br />
<br />
Before you start contributing, please read our brief [https://github.com/OWASP/owasp-mstg/blob/master/style_guide.md style guide] which contains a few basic writing rules.<br />
<br />
If there's something you really want to see in the guide, or you want to suggest an improvement, create an issue [https://github.com/OWASP/owasp-mstg/issues issue] or ping us on [https://owasp.slack.com/messages/project-mobile_omtg/details/ Slack].<br />
<br />
==Where do you guys need help the most?==<br />
<br />
There's a lot of areas where you can help out:<br />
<br />
* Writing original content, such as describing testing processes and writing test cases. We're all doing this in our spare time, which unfortunately means that things sometimes slow down to a crawl. If you're knowledgeable in some area and have time available, we'd be incredibly thankful to anyone who contributes, even if it's only one or two test cases.<br />
<br />
* Reviewing content and giving feedback. The proper channel for questions and feedback is the GitHub issues system of the respective repo, contacting us on [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel] is another possibility.<br />
<br />
* Developing tools. For example, we still don't have an automated way of generating checklists out of the GitHub repo.<br />
<br />
* Contributing to auxiliary projects: The [https://github.com/b-mueller/obfuscation-metrics obfuscation metrics project] is an auxiliary project that deals with specific forms of control flow and data obfuscation. This project needs experts in advanced obfuscation / de-obfuscation. Please contact us if you have experience in this area.<br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator.<br />
<br />
==I contributed to the original Google Doc, but I'm not credited in the new version of the MSTG? ==<br />
As we migrated some of the existing content, we did our best to backtrack the original authors and credit them appropriately. We also added a [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x02-Frontispiece.md revision history] that lists all the authors from old Google Docs. If you are not on that list but feel you should be, please contact [https://github.com/b-mueller Bernhard] or [https://github.com/sushi2k Sven] and they'll fix it. Or better yet, re-join the author's team and start contributing to the new guide.<br />
<br />
= Acknowledgements =<br />
<br />
== Acknowledgments ==<br />
<br />
=== Authors ===<br />
<br />
====Bernhard Mueller ====<br />
<br />
Bernhard is a cyber security specialist with a talent in hacking all kinds of systems. During more than a decade in the industry, he has published many zero-day exploits for software such as MS SQL Server, Adobe Flash Player, IBM Director, Cisco VOIP and ModSecurity. If you can name it, he has probably broken it at least once. His pioneering work in mobile security was commended with a BlackHat "Best Research" Pwnie Award.<br />
<br />
==== Sven Schleier ====<br />
<br />
Sven is an experienced penetration tester and security architect who specialized in implementing secure SDLC for web application, iOS and Android apps. He is a project leader for the OWASP Mobile Security Testing Guide and the creator of OWASP Mobile Hacking Playground. Sven also supports the community with free hands-on workshops on web and mobile app security testing. He has published several security advisories and a white papers about a range of security topics.<br />
<br />
=== Co-Authors ===<br />
<br />
==== Romuald Szkudlarek ====<br />
<br />
Romuald is a passionate cyber security & privacy professional with over 15 years of experience in the Web, Mobile, IoT and Cloud domains. During his career, he has been dedicating spare time to a variery of projects with the goal of advancing the sectors of software and security. He is also teaching at various institutions. He holds CISSP, CSSLP and CEH credentials.<br />
<br />
==== Jeroen Willemsen ====<br />
<br />
Jeroen is a full-stack developer specialized in IT security at Xebia with a passion for mobile and risk management. He loves to explain things: starting as a teacher teaching PHP to bachelor students and then move along explaining security, risk management and programming issues to anyone willing to listen and learn.<br />
<br />
=== Top Contributors ===<br />
<br />
* Francesco Stillavato<br />
* Pawel Rzepa<br />
* Andreas Happe<br />
* Henry Hoggard<br />
* Wen Bin Kong<br />
* Abdessamad Temmar<br />
* Alexander Anthuk<br />
* Slawomir Kosowski<br />
* Bolot Kerimbaev<br />
<br />
=== Contributors ===<br />
<br />
Jin Kung Ong, Gerhard Wagner, Andreas Happe, Wen Bin Kong, Michael Helwig, Jeroen Willemsen, Denis Pilipchuk, Ryan Teoh, Dharshin De Silva, Anita Diamond, Daniel Ramirez Martin, Claudio André, Enrico Verzegnassi, Prathan Phongthiproek, Tom Welch, Luander Ribeiro, Oguzhan Topgul, Carlos Holguera, David Fern, Pishu Mahtani, Anuruddha<br />
<br />
=== Reviewers ===<br />
<br />
* Anant Shrivastava<br />
* Sjoerd Langkemper<br />
<br />
=== Others ===<br />
<br />
The full list of contributors, including those with less than 50 additions logged, is available on [https://github.com/OWASP/owasp-mstg/graphs/contributors GitHub].<br />
<br />
=== Old Version - MSTG "Beta" on Google Drive ===<br />
<br />
The Mobile Security Testing Guide was initiated by [https://www.owasp.org/index.php/User:Milan_Singh_Thakur Milan Singh Thakur] in 2015. The original document was hosted on Google Drive.<br />
<br />
'''Authors:'''<br />
<br />
Mirza Ali, Stephen Corbiaux, Ryan Dewhurst, Mohammad Hamed Dadpour, David Fern, Ali Yazdani, Bao Lee, Anto Joseph, Nutan Kumar Panda, Rahil Parikh, Julian Schütte, Abhinav Sejpal, Anant Shrivastava, Pragati Singh, Milan Singh Thakur, Stephanie Vanroelen, Gerhard Wagner<br />
<br />
'''Reviewers:'''<br />
<br />
Andrew Muller, Jonathan Carter, Stephanie Vanroelen, Milan Singh Thakur<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs></headertabs> <br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Builders]] <br />
[[Category:OWASP_Defenders]] <br />
[[Category:OWASP_Document]]</div>Bernhard Muellerhttps://wiki.owasp.org/index.php?title=OWASP_Mobile_Security_Testing_Guide&diff=233297OWASP Mobile Security Testing Guide2017-09-14T04:47:12Z<p>Bernhard Mueller: </p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_MSTG_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==Our Vision ==<br />
<br />
=== '''"Define the industry standard for mobile application security."''' ===<br />
<br />
We are writing a security standard for mobile apps and a comprehensive testing guide that covers the processes, techniques, and tools used during a mobile app security test, as well as an exhaustive set of test cases that enables testers to deliver consistent and complete results.<br />
<br />
== Early-Access Ebook ==<br />
<br />
{| cellpadding="5"<br />
|-<br />
| [[File:Early-access-mini.jpg|link=https://leanpub.com/mobile-security-testing-guide]]<br />
| '''Mobile Security Testing Guide - Early Access'''<br />
The early access edition contains sample chapters with content on mobile security testing and reverse engineering. Feel free to download it for $0 or contribute any amount you like. All funds raised through sales of this book go directly into the project budget and will be used to fund production of the final release.<br />
|}<br />
<br />
== Main Deliverables ==<br />
<br />
{| cellpadding="5"<br />
|-<br />
| [[File:mstg-mini-3.jpg|link=https://www.github.com/OWASP/owasp-mstg/]]<br />
| '''Mobile Security Testing Guide'''<br />
A comprehensive guide for iOS and Android mobile security testers with the following content:<br />
# Mobile platform internals<br />
# Security testing in the mobile app development lifecycle<br />
# Basic static and dynamic security testing<br />
# Mobile app reverse engineering and tampering<br />
# Assessing software protections<br />
# Detailed test cases that map to the requirements in the MASVS.<br />
The MSTG is a work-in-progress. Currently, we hope to be "feature-complete" in Q3 2017. You can contribute and comment in the [https://github.com/OWASP/owasp-mstg GitHub Repo]. A book version of the current master branch is available on [https://b-mueller.gitbooks.io/the-owasp-mobile-security-testing-guide/content/ Gitbook].<br />
|-<br />
| [[File:masvs-sample-mini.jpg|link=https://www.owasp.org/images/6/61/MASVS_v0.9.4.pdf]]<br />
| '''Mobile App Security Requirements and Verification'''<br />
The [https://www.owasp.org/images/6/61/MASVS_v0.9.4.pdf OWASP Mobile Application Security Verification Standard (MASVS)] is a standard for mobile app security. It can be used by mobile software architects and developers seeking to develop secure mobile applications, as well as security testers to ensure completeness and consistency of test results. The latest release is [https://www.owasp.org/images/6/61/MASVS_v0.9.4.pdf version 0.9.4].<br />
|-<br />
| [[File:checklist.jpg|link=https://www.owasp.org/images/1/1b/Mobile_App_Security_Checklist_0.9.3.xlsx]]<br />
| '''Mobile App Security Checklist'''<br />
A checklist for use in security assessments. Also contains links to the MSTG test case for each requirement. The current release is [https://www.owasp.org/images/1/1b/Mobile_App_Security_Checklist_0.9.3.xlsx version 0.9.3].<br />
|}<br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Breakers]] <br />
[[Category:OWASP_Document]]<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="center" width="50%" | [[File:Owasp-breakers-small.png|link=https://www.owasp.org/index.php/Breakers]]<br />
|<br />
|-<br />
| align="center" valign="center" width="50%" | <br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
== Project Leaders ==<br />
<br />
<span style="color:#ff0000"><br />
<br />
[https://www.owasp.org/index.php/User:Bernhard_Mueller Bernhard Mueller]<br />
<br />
[https://www.owasp.org/index.php/User:Sven_Schleier Sven Schleier]<br />
<br />
== Road Map ==<br />
<br />
* Q3 2017: Beta release<br />
* Q4 2017: Version 1.0<br />
* Q1 2018: Produce A Printable Book<br />
<br />
== Presentations ==<br />
* OWASP Day Indonesia 2017 - Fixing Mobile AppSec, 09.09.017<br />
* Confidence (Krakow, Poland) - Pawel Rzepa - Testing Mobile Applications <br />
* OWASP AppSec EU 2017 - [http://sched.co/A66j Fixing Mobile AppSec] - [https://2017.appsec.eu/presos/Developer/Fixing%20Mobile%20AppSec%20The%20OWASP%20Mobile%20Project-%20Bernhard%20Mueller%20and%20Sven%20Schleier%20-%20OWASP_AppSec-Eu_2017.pdf Slides], [https://www.youtube.com/watch?v=THJVzf-u7Iw Video] <br />
<br />
== Parent Project ==<br />
<br />
[[OWASP_Mobile_Security_Project]]<br />
<br />
==Licensing==<br />
<br />
The guide is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
|}<br />
<br />
=How-To=<br />
<br />
== Using the OWASP Mobile App Security Verification Standard, Testing Guide and Checklist ==<br />
<br />
The documents produced in this project cover many aspects of mobile application security, from the high-level requirements to the nitty-gritty implementation details and test cases. They can be used to plan and verify security controls during any phase of mobile app development, as well as during pre-release code review and penetration testing.<br />
<br />
# The [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf Mobile Application Security Verification Standard (MASVS)] contains generic security requirements along with mappings to verification levels that can be chosen depending on the overall need for security.<br />
# The [https://github.com/OWASP/owasp-mstg Mobile Security Testing Guide (MSTG)] provides verification instructions for each requirement in the MASVS, as well as security best practices for apps on each supported mobile operating system (currently Android and iOS). It is also useful as a standalone learning resource and reference guide for mobile application security testers.<br />
# The [https://www.owasp.org/images/6/6f/Mobile_App_Security_Checklist_0.9.2.xlsx Mobile App Security Checklist] can be used to apply the MASVS requirements during practical assessments. It also conveniently links to the MSTG test case for each requirement, making mobile penetration testing a breeze.<br />
<br />
It is important to note that the security standard, testing guide and checklists are closely related: They all map to the same basic set of requirements. Depending on the context, the documents can be used stand-alone or in combination to achieve different objectives.<br />
<br />
[[File:Overview-800px.jpg]]<br />
<br />
For example, the MASVS requirements may be used in the planning and architecture design stages, while the checklist and testing guide may serve as a baseline for manual security testing or as a template for automated security tests.<br />
<br />
== Mobile App Security Testing ==<br />
<br />
The [https://www.owasp.org/images/9/94/Mobile_App_Security_Verification_Checklist_0.8.2.xlsx checklist] works great as a reference during mobile app security assessments. You can walk through the requirements one-by-one - for more information on each requirement, simply click on the link in the "Testing procedures" column. Or, fill out the checklist at the end of an assessment to ensure completeness. <br />
<br />
== Security Engineering in the SDLC ==<br />
<br />
Properly defined security requirements are an important part of the Secure SDLC. The [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf MASVS] levels can be used along with threat modeling to determine the appropriate set of security controls for a particular mobile app. MASVS V1 also lists requirements pertaining to the architecture and design of the mobile apps, as well as general processes and activities that should be part of the development process.<br />
<br />
== Mobile App Security Education ==<br />
<br />
The [https://github.com/OWASP/owasp-mstg Mobile Security Testing Guide] can be used as a standalone learning resource. Its main chapters contain general how-tos and tutorials that cover a variety of topics from mobile OS internals to advanced reverse engineering techniques.<br />
<br />
= Sponsorship Packages =<br />
With the Mobile Security Testing Guide sponsorship packages, we offer companies opportunities to create brand awareness and maximize visibility in the mobile security space. A limited amount of sponsorship packages will be made available shortly through our crowdfunding campaign. <br />
<br />
The following packages will be available (or [[:File:MSTG-Sponsor-Packages.pdf|download as PDF]] ):<br />
<br />
=== Good Samaritan (USD 500) ===<br />
* Listed as supporter on the project website and GitHub<br />
* Listed as supporter in the printed and ebook versions<br />
* 5 Paperback Books<br />
<br />
=== Honourable Benefactor (USD 2,000 / 10 Available) ===<br />
* Small company logo in the “Honourable Benefactors” section on project website and Github<br />
* Small company logo on the sponsors page of the printed and ebook versions<br />
* 10 Paperback Books<br />
<br />
=== God Mode Sponsor (USD 4,000 / 5 Available) ===<br />
* Large company logo in the “God mode sponsors” section on project website and Github<br />
* Large company logo on the sponsors page of the printed and ebook versions<br />
* 20 Paperback Books<br />
<br />
== Pre-book a package ==<br />
Contact [mailto:bernhard&#x5B;dot&#x5D;mueller&#x5B;at&#x5D;owasp&#x5B;dot&#x5D;org Bernhard Mueller] to reserve your slot. We will contact you as soon as the packages become available.<br />
<br />
==Why Sponsors?==<br />
<br />
As it turns out, writing a book to a professional standard is a challenging task, even more so if there's 50+ authors that aren't necessarily native speakers. Also, professional editors, graphic designers and layouters don't work for free. Thus, some funds are needed to make the tech book a reality.<br />
<br />
100% of the funds raised go directly into the project budget and will be used to fund production of the final release, including:<br />
<br />
* Editing and proofreading by professional editors<br />
* Graphic design and layout<br />
* Purchase an ISBN<br />
<br />
Any leftover funds will be donated to the OWASP Foundation to the mobile security project for future use.<br />
<br />
=News=<br />
<br />
== September 14th, 2017: Mobile App Security Verification Standard Update ==<br />
<br />
[https://www.owasp.org/images/6/61/MASVS_v0.9.4.pdf Version 0.9.4] of the MASVS is now [https://www.owasp.org/images/6/61/MASVS_v0.9.4.pdf available for download] . This release contains several bug fixes and modifications to security requirements.<br />
<br />
== July 5th, 2017: Sponsorship Packages Announced == <br />
<br />
We are happy to announce that a limited amount of [[:File:MSTG-Sponsor-Packages.pdf|sponsorship packages]] will be made available shortly through our crowdfunding campaign. With these packages, we offer companies opportunities to create brand awareness and maximize visibility in the mobile security space. 100% of the funds raised go directly into the project budget and will be used to fund production of the final release.<br />
<br />
== June 17th, 2017: The OWASP Mobile Security Testing Guide - Summit Preview ==<br />
<br />
The MSTG Summit Preview is an experimental proof-of-concept book created on the OWASP Summit 2017 in London. The goal was to improve the authoring process and book deployment pipeline, as well as to demonstrate the viability of the project. Note that the content is not final and will likely change significantly in subsequent releases.<br />
<br />
Download the ebook [https://github.com/OWASP/owasp-mstg/releases/download/1.0/owasp-mstg-summit-edition.epub here].<br />
<br />
== Mobile Security Testing Workshop on the OWASP Summit 2017 ==<br />
<br />
The OWASP MSTG team is organizing a 5-days mobile security track on the OWASP Summit 2017. The track consists of a series of book sprints, each of which focuses on producing content for a specific section in the OWASP MSTG, as well as proof-reading and editing the existing content. The goal is to make as much progress on the guide as is humanly possible. Depending on the number of participants, we’ll split into sub-groups to work on different subsections or topic areas.<br />
<br />
=== How to Join ===<br />
<br />
Join up for the working session(s) you like by following the link(s) on the [http://owaspsummit.org/Working-Sessions/Mobile-Security/ mobile security track page], then hitting the "Edit this page here" link at the bottom, and adding yourself to the "participants" field. Signing up is not mandatory, but helps us to better organize the sessions. Don’t worry though if your session of choice happens on the "wrong" day - you can always simply stop by and we’ll brief you on your topic of choice. After all, this is the Woodstock of appsec!<br />
<br />
Mobile security track main page:<br />
<br />
http://owaspsummit.org/Working-Sessions/Mobile-Security/<br />
<br />
Mobile security track schedule:<br />
<br />
http://owaspsummit.org/schedule/tracks/Mobile-Security.html/<br />
<br />
== April 5th, 2017: Mobile App Security Verification Standard Update ==<br />
<br />
[https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf Version 0.9.3] of the MASVS is now [https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf available for download] . This release contains several bug fixes and modifications to security requirements:<br />
<br />
* Merged requirements 7.8 and 7.9 into for simplification<br />
* Removed Anti-RE controls 8.1 and 8.2<br />
* Updated MSTG links to current master<br />
* Section "Environmental Interaction" renamed to "Platform Interaction"<br />
* Removed To-dos<br />
* Fixed some wording & spelling issues<br />
<br />
== January 31st, 2017: Mobile App Security Verification Standard v0.9.2 Available For Download ==<br />
<br />
The Mobile App Security Verification Standard (MASVS) has undergone a major revision, including a re-design of the security model and verification levels. We also revised many security requirements to address the multitude of [https://github.com/OWASP/owasp-masvs/issues?q=is%3Aissue%20 issues raised on GitHub]. The result is MASVS v0.9.2, which is now [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf available for download in PDF format].<br />
<br />
As the MASVS is nearing maturity, we have decided to freeze the requirements until the Mobile Testing Guide and checklists "catch up" (due to the one-to-one mapping between requirements in the MASVS and MSTG, changes to the requirements make it necessary to update the other documents as well, causing repeated effort). Unless major issues pop up, the current list will therefore remain in place until MASVS/MSTG v1.0, and further changes will be reserved for v1.1 or later releases.<br />
<br />
The MASVS is a community effort to establish security requirements for designing, developing and testing secure mobile apps on iOS and Android. Join the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel] to meet the project members! You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
== January 28th, 2017: Mobile Crackmes and Reversing Tutorials ==<br />
{| cellpadding="5"<br />
|-<br />
| [[File:uncrackable-250.png|link=]]<br />
| <br />
A key goal of the OWASP Mobile Testing Project is to build the ultimate learning resource and reference guide for mobile app reversers. As hands-on hacking is by far the best way to learn, we'd like to link most of the content to practical examples. <br />
<br />
Starting now, we'll be adding [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes crackmes for Android and iOS] to the [https://github.com/OWASP/owasp-mstg GitHub repo] that will then be used as examples throughout the guide. The goal is to collect enough resources for demonstrating the most important tools and techniques in our guide, plus additional crackmes for practicing. For starters there are three challenges:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/OMTG-Files/02_Crackmes/01_Android/01_License_Validation Android License Validator]<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes/iOS/Level_01/ Uncrackable App for iOS Level 1]<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes/iOS/Level_02/ Uncrackable App for iOS Level 2]<br />
<br />
|}<br />
<br />
One of these three already has a [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md#symbolicexec documented solution] in the guide. Tutorials for solving the other two [https://github.com/OWASP/owasp-mstg/blob/master/OMTG-Files/02_Crackmes/List_of_Crackmes.md still need to be added].<br />
<br />
=== We Need More Authors and Contributors! ===<br />
<br />
Maybe you have noticed that [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html the reverse engineering sections in the Mobile Testing Guide are incomplete]. The reason: We're still in the starting stages and don't have a lot of authors and contributors (in fact, 99% of the reversing content was produced by one guy). We'd love to welcome *you* as a contributor of crackmes, tutorials, writeups, or simply new ideas for this project. <br />
<br />
==== What You Can Do ====<br />
<br />
The OWASP MSTG is an open project and there's a lot of flexibility - it mostly depends on your skill set and willingness to commit your time. That said, the some areas that need help are:<br />
<br />
* Solving crackmes and contributing a tutorial to the guide (preferable a technique that's not already documented. Check the [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html TOC] first).<br />
* Writing and adding new crackmes along with solutions (should also describe something not already in the guide. Cracking white-boxes, dynamic analysis using an emulator / introspection, etc. etc.).<br />
* General reversing write-ups to describe specific processes and techniques<br />
* Help us figure out [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x07b-Assessing_Software_Protections.md resiliency testing processes] and [https://github.com/b-mueller/obfuscation-metrics obfuscation metrics]<br />
<br />
The reversing part of the guide consists of the following chapters:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05-Testing-Processes-and-Techniques.md#tampering-and-reverse-engineering Tampering and Reverse Engineering - General Overview]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md#tampering-and-reverse-engineering-on-android Tampering and Reverse Engineering on Android]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Reverse-Engineering-and-Tampering-iOS.md#tampering-and-reverse-engineering-on-ios Tampering and Reverse Engineering on iOS]<br />
<br />
==== How To Join ====<br />
<br />
Read the [https://github.com/OWASP/owasp-mstg/blob/master/authors_guide.md author's guide] first, and join the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel], where you'll find all the other project members. You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
== January 22nd, 2017: Mobile Testing Guide TOC Available ==<br />
<br />
As of now, we'll be auto-generating a [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html table of contents] out of the current MSTG master branch. This reflects the current state of the guide, and should make it easier to coordinate work between authors. A short-term goal is to finalize the structure of the guide so we get a clearer picture of what will be included in the final document. Lead authors are encouraged to complete the outline of their respective chapters. <br />
<br />
'''On another note, we still need additional authors to help with all sections of the guide, including mobile operating system overviews, testing processes and techniques, and reverse engineering.''' Especially iOS authors are in short supply! As usual, ping us on the [https://owasp.slack.com/messages/project-mobile_omtg/details/ Slack Channel] if you want to contribute.<br />
<br />
== December 4th, 2016: Call For Authors: The Ultimate Open-Source Mobile App Reverse Engineering Guide ==<br />
<br />
Reverse engineering is an art, and describing every available facet of it would fill a whole library. The sheer range techniques and possible specializations is mind-blowing: One can spend years working on a very specific, isolated sub-problem, such as automating malware analysis or developing novel de-obfuscation methods. For mobile app security testers, it can be challenging to filter through the vast amount of information and build a working methodology. Things become even more problematic when one is tasked to assess apps that are heavily obfuscated and have anti-tampering measures built in.<br />
<br />
One of the main goals in the MSTG is to build the ultimate resource for mobile reverse engineers. This includes not only basic static and dynamic analysis, but also advanced de-obfuscation, scripting and automation. Obviously, writing all this content is a lot of work, both in terms of general content and OS-specific how-tos. We're therefore looking for talented authors that want to join the project early on. Topics include the following:<br />
<br />
* Basic Hybrid Static/Dynamic Analysis<br />
* Code Injection and Dynamic Instrumentation (Substrate, FRIDA)<br />
* Dynamic Binary Instrumentation (Valgrind, PIE)<br />
* Analysis Frameworks (Metasm / Miasm)<br />
* Symbolic Execution<br />
* DCA and DPA attacks on white-box crypto<br />
* Dynamic analysis frameworks (PANDA / DroidScope,...)<br />
* Anything else we might have missed<br />
<br />
=== What is in for me? ===<br />
<br />
All of this is unpaid, volunteer work. However, depending on your contribution, you will be named in the "lead authors" or "contributors" list, and you'll be able to point to the fact that you co-authored the guide. You'll also be contributing to the field, helping others who are just starting out, and in turn becoming a happier person yourself (reaping the full benefits of your altruism).<br />
<br />
=== Where do I sign up? ===<br />
<br />
First of all, have a look at the existing RE chapters outline:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05-Testing-Processes-and-Techniques.md#tampering-and-reverse-engineering Generic / Introduction]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md Android]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Reverse-Engineering-and-Tampering-iOS.md#tampering-and-reverse-engineering-on-ios iOS]<br />
<br />
You'll probably immediately have ideas on how you can contribute. If that's the case, read the [https://github.com/OWASP/owasp-mstg/blob/master/authors_guide.md author's guide] first. <br />
<br />
Then contact [https://github.com/b-mueller Bernhard Mueller] - ideally directly on the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel], where you'll find all the other project members. You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
=FAQs=<br />
<br />
==How can I participate in your project?==<br />
<br />
'''We are searching for additional authors, reviewers and editors.''' The best way to get started is to browse the [https://b-mueller.gitbooks.io/owasp-mobile-security-testing-guide/content/ existing content]. Also, check the [https://github.com/OWASP/owasp-mstg/projects/1 project dashboard] for a list of open tasks.<br />
<br />
Drop a us line on the [https://owasp.slack.com/messages/project-mobile_omtg/details/) Slack channel] before you start working on a topic. This helps us to keep track of what everyone is doing and prevent conflicts. You can create a Slack account here:<br />
<br />
http://owasp.herokuapp.com/<br />
<br />
Before you start contributing, please read our brief [https://github.com/OWASP/owasp-mstg/blob/master/style_guide.md style guide] which contains a few basic writing rules.<br />
<br />
If there's something you really want to see in the guide, or you want to suggest an improvement, create an issue [https://github.com/OWASP/owasp-mstg/issues issue] or ping us on [https://owasp.slack.com/messages/project-mobile_omtg/details/ Slack].<br />
<br />
==Where do you guys need help the most?==<br />
<br />
There's a lot of areas where you can help out:<br />
<br />
* Writing original content, such as describing testing processes and writing test cases. We're all doing this in our spare time, which unfortunately means that things sometimes slow down to a crawl. If you're knowledgeable in some area and have time available, we'd be incredibly thankful to anyone who contributes, even if it's only one or two test cases.<br />
<br />
* Reviewing content and giving feedback. The proper channel for questions and feedback is the GitHub issues system of the respective repo, contacting us on [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel] is another possibility.<br />
<br />
* Developing tools. For example, we still don't have an automated way of generating checklists out of the GitHub repo.<br />
<br />
* Contributing to auxiliary projects: The [https://github.com/b-mueller/obfuscation-metrics obfuscation metrics project] is an auxiliary project that deals with specific forms of control flow and data obfuscation. This project needs experts in advanced obfuscation / de-obfuscation. Please contact us if you have experience in this area.<br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator.<br />
<br />
==I contributed to the original Google Doc, but I'm not credited in the new version of the MSTG? ==<br />
As we migrated some of the existing content, we did our best to backtrack the original authors and credit them appropriately. We also added a [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x02-Frontispiece.md revision history] that lists all the authors from old Google Docs. If you are not on that list but feel you should be, please contact [https://github.com/b-mueller Bernhard] or [https://github.com/sushi2k Sven] and they'll fix it. Or better yet, re-join the author's team and start contributing to the new guide.<br />
<br />
= Acknowledgements =<br />
<br />
== Acknowledgments ==<br />
<br />
=== Authors ===<br />
<br />
====Bernhard Mueller ====<br />
<br />
Bernhard is a cyber security specialist with a talent in hacking all kinds of systems. During more than a decade in the industry, he has published many zero-day exploits for software such as MS SQL Server, Adobe Flash Player, IBM Director, Cisco VOIP and ModSecurity. If you can name it, he has probably broken it at least once. His pioneering work in mobile security was commended with a BlackHat "Best Research" Pwnie Award.<br />
<br />
==== Sven Schleier ====<br />
<br />
Sven is an experienced penetration tester and security architect who specialized in implementing secure SDLC for web application, iOS and Android apps. He is a project leader for the OWASP Mobile Security Testing Guide and the creator of OWASP Mobile Hacking Playground. Sven also supports the community with free hands-on workshops on web and mobile app security testing. He has published several security advisories and a white papers about a range of security topics.<br />
<br />
=== Co-Authors ===<br />
<br />
==== Romuald Szkudlarek ====<br />
<br />
Romuald is a passionate cyber security & privacy professional with over 15 years of experience in the Web, Mobile, IoT and Cloud domains. During his career, he has been dedicating spare time to a variery of projects with the goal of advancing the sectors of software and security. He is also teaching at various institutions. He holds CISSP, CSSLP and CEH credentials.<br />
<br />
==== Jeroen Willemsen ====<br />
<br />
Jeroen is a full-stack developer specialized in IT security at Xebia with a passion for mobile and risk management. He loves to explain things: starting as a teacher teaching PHP to bachelor students and then move along explaining security, risk management and programming issues to anyone willing to listen and learn.<br />
<br />
=== Top Contributors ===<br />
<br />
* Francesco Stillavato<br />
* Pawel Rzepa<br />
* Andreas Happe<br />
* Henry Hoggard<br />
* Wen Bin Kong<br />
* Abdessamad Temmar<br />
* Alexander Anthuk<br />
* Slawomir Kosowski<br />
* Bolot Kerimbaev<br />
<br />
=== Contributors ===<br />
<br />
Jin Kung Ong, Gerhard Wagner, Andreas Happe, Wen Bin Kong, Michael Helwig, Jeroen Willemsen, Denis Pilipchuk, Ryan Teoh, Dharshin De Silva, Anita Diamond, Daniel Ramirez Martin, Claudio André, Enrico Verzegnassi, Prathan Phongthiproek, Tom Welch, Luander Ribeiro, Oguzhan Topgul, Carlos Holguera, David Fern, Pishu Mahtani, Anuruddha<br />
<br />
=== Reviewers ===<br />
<br />
* Anant Shrivastava<br />
* Sjoerd Langkemper<br />
<br />
=== Others ===<br />
<br />
The full list of contributors, including those with less than 50 additions logged, is available on [https://github.com/OWASP/owasp-mstg/graphs/contributors GitHub].<br />
<br />
=== Old Version - MSTG "Beta" on Google Drive ===<br />
<br />
The Mobile Security Testing Guide was initiated by [https://www.owasp.org/index.php/User:Milan_Singh_Thakur Milan Singh Thakur] in 2015. The original document was hosted on Google Drive.<br />
<br />
'''Authors:'''<br />
<br />
Mirza Ali, Stephen Corbiaux, Ryan Dewhurst, Mohammad Hamed Dadpour, David Fern, Ali Yazdani, Bao Lee, Anto Joseph, Nutan Kumar Panda, Rahil Parikh, Julian Schütte, Abhinav Sejpal, Anant Shrivastava, Pragati Singh, Milan Singh Thakur, Stephanie Vanroelen, Gerhard Wagner<br />
<br />
'''Reviewers:'''<br />
<br />
Andrew Muller, Jonathan Carter, Stephanie Vanroelen, Milan Singh Thakur<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs></headertabs> <br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Builders]] <br />
[[Category:OWASP_Defenders]] <br />
[[Category:OWASP_Document]]</div>Bernhard Muellerhttps://wiki.owasp.org/index.php?title=OWASP_Mobile_Security_Testing_Guide&diff=233296OWASP Mobile Security Testing Guide2017-09-14T04:39:31Z<p>Bernhard Mueller: /* Main Deliverables */</p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_MSTG_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==Our Vision ==<br />
<br />
=== '''"Define the industry standard for mobile application security."''' ===<br />
<br />
We are writing a security standard for mobile apps and a comprehensive testing guide that covers the processes, techniques, and tools used during a mobile app security test, as well as an exhaustive set of test cases that enables testers to deliver consistent and complete results.<br />
<br />
== Early-Access Ebook ==<br />
<br />
{| cellpadding="5"<br />
|-<br />
| [[File:Early-access-mini.jpg|link=https://leanpub.com/mobile-security-testing-guide]]<br />
| '''Mobile Security Testing Guide - Early Access'''<br />
The early access edition contains sample chapters with content on mobile security testing and reverse engineering. Feel free to download it for $0 or contribute any amount you like. All funds raised through sales of this book go directly into the project budget and will be used to fund production of the final release.<br />
|}<br />
<br />
== Main Deliverables ==<br />
<br />
{| cellpadding="5"<br />
|-<br />
| [[File:mstg-mini-3.jpg|link=https://www.github.com/OWASP/owasp-mstg/]]<br />
| '''Mobile Security Testing Guide'''<br />
A comprehensive guide for iOS and Android mobile security testers with the following content:<br />
# Mobile platform internals<br />
# Security testing in the mobile app development lifecycle<br />
# Basic static and dynamic security testing<br />
# Mobile app reverse engineering and tampering<br />
# Assessing software protections<br />
# Detailed test cases that map to the requirements in the MASVS.<br />
The MSTG is a work-in-progress. Currently, we hope to be "feature-complete" in Q3 2017. You can contribute and comment in the [https://github.com/OWASP/owasp-mstg GitHub Repo]. A book version of the current master branch is available on [https://b-mueller.gitbooks.io/the-owasp-mobile-security-testing-guide/content/ Gitbook].<br />
|-<br />
| [[File:masvs-sample-mini.jpg|link=https://www.owasp.org/images/6/61/MASVS_v0.9.4.pdf]]<br />
| '''Mobile App Security Requirements and Verification'''<br />
The [https://www.owasp.org/images/6/61/MASVS_v0.9.4.pdf OWASP Mobile Application Security Verification Standard (MASVS)] is a standard for mobile app security. It can be used by mobile software architects and developers seeking to develop secure mobile applications, as well as security testers to ensure completeness and consistency of test results. The latest release is [https://www.owasp.org/images/6/61/MASVS_v0.9.4.pdf version 0.9.4].<br />
|-<br />
| [[File:checklist.jpg|link=https://www.owasp.org/images/1/1b/Mobile_App_Security_Checklist_0.9.3.xlsx]]<br />
| '''Mobile App Security Checklist'''<br />
A checklist for use in security assessments. Also contains links to the MSTG test case for each requirement. The current release is [https://www.owasp.org/images/1/1b/Mobile_App_Security_Checklist_0.9.3.xlsx version 0.9.3].<br />
|}<br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Breakers]] <br />
[[Category:OWASP_Document]]<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="center" width="50%" | [[File:Owasp-breakers-small.png|link=https://www.owasp.org/index.php/Breakers]]<br />
|<br />
|-<br />
| align="center" valign="center" width="50%" | <br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
== Project Leaders ==<br />
<br />
<span style="color:#ff0000"><br />
<br />
[https://www.owasp.org/index.php/User:Bernhard_Mueller Bernhard Mueller]<br />
<br />
[https://www.owasp.org/index.php/User:Sven_Schleier Sven Schleier]<br />
<br />
== Road Map ==<br />
<br />
* Q3 2017: Beta release<br />
* Q4 2017: Version 1.0<br />
* Q1 2018: Produce A Printable Book<br />
<br />
== Presentations ==<br />
* OWASP Day Indonesia 2017 - Fixing Mobile AppSec, 09.09.017<br />
* Confidence (Krakow, Poland) - Pawel Rzepa - Testing Mobile Applications <br />
* OWASP AppSec EU 2017 - [http://sched.co/A66j Fixing Mobile AppSec] - [https://2017.appsec.eu/presos/Developer/Fixing%20Mobile%20AppSec%20The%20OWASP%20Mobile%20Project-%20Bernhard%20Mueller%20and%20Sven%20Schleier%20-%20OWASP_AppSec-Eu_2017.pdf Slides], [https://www.youtube.com/watch?v=THJVzf-u7Iw Video] <br />
<br />
== Parent Project ==<br />
<br />
[[OWASP_Mobile_Security_Project]]<br />
<br />
==Licensing==<br />
<br />
The guide is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
|}<br />
<br />
=How-To=<br />
<br />
== Using the OWASP Mobile App Security Verification Standard, Testing Guide and Checklist ==<br />
<br />
The documents produced in this project cover many aspects of mobile application security, from the high-level requirements to the nitty-gritty implementation details and test cases. They can be used to plan and verify security controls during any phase of mobile app development, as well as during pre-release code review and penetration testing.<br />
<br />
# The [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf Mobile Application Security Verification Standard (MASVS)] contains generic security requirements along with mappings to verification levels that can be chosen depending on the overall need for security.<br />
# The [https://github.com/OWASP/owasp-mstg Mobile Security Testing Guide (MSTG)] provides verification instructions for each requirement in the MASVS, as well as security best practices for apps on each supported mobile operating system (currently Android and iOS). It is also useful as a standalone learning resource and reference guide for mobile application security testers.<br />
# The [https://www.owasp.org/images/6/6f/Mobile_App_Security_Checklist_0.9.2.xlsx Mobile App Security Checklist] can be used to apply the MASVS requirements during practical assessments. It also conveniently links to the MSTG test case for each requirement, making mobile penetration testing a breeze.<br />
<br />
It is important to note that the security standard, testing guide and checklists are closely related: They all map to the same basic set of requirements. Depending on the context, the documents can be used stand-alone or in combination to achieve different objectives.<br />
<br />
[[File:Overview-800px.jpg]]<br />
<br />
For example, the MASVS requirements may be used in the planning and architecture design stages, while the checklist and testing guide may serve as a baseline for manual security testing or as a template for automated security tests.<br />
<br />
== Mobile App Security Testing ==<br />
<br />
The [https://www.owasp.org/images/9/94/Mobile_App_Security_Verification_Checklist_0.8.2.xlsx checklist] works great as a reference during mobile app security assessments. You can walk through the requirements one-by-one - for more information on each requirement, simply click on the link in the "Testing procedures" column. Or, fill out the checklist at the end of an assessment to ensure completeness. <br />
<br />
== Security Engineering in the SDLC ==<br />
<br />
Properly defined security requirements are an important part of the Secure SDLC. The [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf MASVS] levels can be used along with threat modeling to determine the appropriate set of security controls for a particular mobile app. MASVS V1 also lists requirements pertaining to the architecture and design of the mobile apps, as well as general processes and activities that should be part of the development process.<br />
<br />
== Mobile App Security Education ==<br />
<br />
The [https://github.com/OWASP/owasp-mstg Mobile Security Testing Guide] can be used as a standalone learning resource. Its main chapters contain general how-tos and tutorials that cover a variety of topics from mobile OS internals to advanced reverse engineering techniques.<br />
<br />
= Sponsorship Packages =<br />
With the Mobile Security Testing Guide sponsorship packages, we offer companies opportunities to create brand awareness and maximize visibility in the mobile security space. A limited amount of sponsorship packages will be made available shortly through our crowdfunding campaign. <br />
<br />
The following packages will be available (or [[:File:MSTG-Sponsor-Packages.pdf|download as PDF]] ):<br />
<br />
=== Good Samaritan (USD 500) ===<br />
* Listed as supporter on the project website and GitHub<br />
* Listed as supporter in the printed and ebook versions<br />
* 5 Paperback Books<br />
<br />
=== Honourable Benefactor (USD 2,000 / 10 Available) ===<br />
* Small company logo in the “Honourable Benefactors” section on project website and Github<br />
* Small company logo on the sponsors page of the printed and ebook versions<br />
* 10 Paperback Books<br />
<br />
=== God Mode Sponsor (USD 4,000 / 5 Available) ===<br />
* Large company logo in the “God mode sponsors” section on project website and Github<br />
* Large company logo on the sponsors page of the printed and ebook versions<br />
* 20 Paperback Books<br />
<br />
== Pre-book a package ==<br />
Contact [mailto:bernhard&#x5B;dot&#x5D;mueller&#x5B;at&#x5D;owasp&#x5B;dot&#x5D;org Bernhard Mueller] to reserve your slot. We will contact you as soon as the packages become available.<br />
<br />
==Why Sponsors?==<br />
<br />
As it turns out, writing a book to a professional standard is a challenging task, even more so if there's 50+ authors that aren't necessarily native speakers. Also, professional editors, graphic designers and layouters don't work for free. Thus, some funds are needed to make the tech book a reality.<br />
<br />
100% of the funds raised go directly into the project budget and will be used to fund production of the final release, including:<br />
<br />
* Editing and proofreading by professional editors<br />
* Graphic design and layout<br />
* Purchase an ISBN<br />
<br />
Any leftover funds will be donated to the OWASP Foundation to the mobile security project for future use.<br />
<br />
=News=<br />
<br />
== July 5th, 2017: Sponsorship Packages Announced == <br />
<br />
We are happy to announce that a limited amount of [[:File:MSTG-Sponsor-Packages.pdf|sponsorship packages]] will be made available shortly through our crowdfunding campaign. With these packages, we offer companies opportunities to create brand awareness and maximize visibility in the mobile security space. 100% of the funds raised go directly into the project budget and will be used to fund production of the final release.<br />
<br />
== June 17th, 2017: The OWASP Mobile Security Testing Guide - Summit Preview ==<br />
<br />
The MSTG Summit Preview is an experimental proof-of-concept book created on the OWASP Summit 2017 in London. The goal was to improve the authoring process and book deployment pipeline, as well as to demonstrate the viability of the project. Note that the content is not final and will likely change significantly in subsequent releases.<br />
<br />
Download the ebook [https://github.com/OWASP/owasp-mstg/releases/download/1.0/owasp-mstg-summit-edition.epub here].<br />
<br />
== Mobile Security Testing Workshop on the OWASP Summit 2017 ==<br />
<br />
The OWASP MSTG team is organizing a 5-days mobile security track on the OWASP Summit 2017. The track consists of a series of book sprints, each of which focuses on producing content for a specific section in the OWASP MSTG, as well as proof-reading and editing the existing content. The goal is to make as much progress on the guide as is humanly possible. Depending on the number of participants, we’ll split into sub-groups to work on different subsections or topic areas.<br />
<br />
=== How to Join ===<br />
<br />
Join up for the working session(s) you like by following the link(s) on the [http://owaspsummit.org/Working-Sessions/Mobile-Security/ mobile security track page], then hitting the "Edit this page here" link at the bottom, and adding yourself to the "participants" field. Signing up is not mandatory, but helps us to better organize the sessions. Don’t worry though if your session of choice happens on the "wrong" day - you can always simply stop by and we’ll brief you on your topic of choice. After all, this is the Woodstock of appsec!<br />
<br />
Mobile security track main page:<br />
<br />
http://owaspsummit.org/Working-Sessions/Mobile-Security/<br />
<br />
Mobile security track schedule:<br />
<br />
http://owaspsummit.org/schedule/tracks/Mobile-Security.html/<br />
<br />
== April 5th, 2017: Mobile App Security Verification Standard Update ==<br />
<br />
[https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf Version 0.9.3] of the MASVS is now [https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf available for download] . This release contains several bug fixes and modifications to security requirements:<br />
<br />
* Merged requirements 7.8 and 7.9 into for simplification<br />
* Removed Anti-RE controls 8.1 and 8.2<br />
* Updated MSTG links to current master<br />
* Section "Environmental Interaction" renamed to "Platform Interaction"<br />
* Removed To-dos<br />
* Fixed some wording & spelling issues<br />
<br />
== January 31st, 2017: Mobile App Security Verification Standard v0.9.2 Available For Download ==<br />
<br />
The Mobile App Security Verification Standard (MASVS) has undergone a major revision, including a re-design of the security model and verification levels. We also revised many security requirements to address the multitude of [https://github.com/OWASP/owasp-masvs/issues?q=is%3Aissue%20 issues raised on GitHub]. The result is MASVS v0.9.2, which is now [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf available for download in PDF format].<br />
<br />
As the MASVS is nearing maturity, we have decided to freeze the requirements until the Mobile Testing Guide and checklists "catch up" (due to the one-to-one mapping between requirements in the MASVS and MSTG, changes to the requirements make it necessary to update the other documents as well, causing repeated effort). Unless major issues pop up, the current list will therefore remain in place until MASVS/MSTG v1.0, and further changes will be reserved for v1.1 or later releases.<br />
<br />
The MASVS is a community effort to establish security requirements for designing, developing and testing secure mobile apps on iOS and Android. Join the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel] to meet the project members! You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
== January 28th, 2017: Mobile Crackmes and Reversing Tutorials ==<br />
{| cellpadding="5"<br />
|-<br />
| [[File:uncrackable-250.png|link=]]<br />
| <br />
A key goal of the OWASP Mobile Testing Project is to build the ultimate learning resource and reference guide for mobile app reversers. As hands-on hacking is by far the best way to learn, we'd like to link most of the content to practical examples. <br />
<br />
Starting now, we'll be adding [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes crackmes for Android and iOS] to the [https://github.com/OWASP/owasp-mstg GitHub repo] that will then be used as examples throughout the guide. The goal is to collect enough resources for demonstrating the most important tools and techniques in our guide, plus additional crackmes for practicing. For starters there are three challenges:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/OMTG-Files/02_Crackmes/01_Android/01_License_Validation Android License Validator]<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes/iOS/Level_01/ Uncrackable App for iOS Level 1]<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes/iOS/Level_02/ Uncrackable App for iOS Level 2]<br />
<br />
|}<br />
<br />
One of these three already has a [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md#symbolicexec documented solution] in the guide. Tutorials for solving the other two [https://github.com/OWASP/owasp-mstg/blob/master/OMTG-Files/02_Crackmes/List_of_Crackmes.md still need to be added].<br />
<br />
=== We Need More Authors and Contributors! ===<br />
<br />
Maybe you have noticed that [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html the reverse engineering sections in the Mobile Testing Guide are incomplete]. The reason: We're still in the starting stages and don't have a lot of authors and contributors (in fact, 99% of the reversing content was produced by one guy). We'd love to welcome *you* as a contributor of crackmes, tutorials, writeups, or simply new ideas for this project. <br />
<br />
==== What You Can Do ====<br />
<br />
The OWASP MSTG is an open project and there's a lot of flexibility - it mostly depends on your skill set and willingness to commit your time. That said, the some areas that need help are:<br />
<br />
* Solving crackmes and contributing a tutorial to the guide (preferable a technique that's not already documented. Check the [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html TOC] first).<br />
* Writing and adding new crackmes along with solutions (should also describe something not already in the guide. Cracking white-boxes, dynamic analysis using an emulator / introspection, etc. etc.).<br />
* General reversing write-ups to describe specific processes and techniques<br />
* Help us figure out [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x07b-Assessing_Software_Protections.md resiliency testing processes] and [https://github.com/b-mueller/obfuscation-metrics obfuscation metrics]<br />
<br />
The reversing part of the guide consists of the following chapters:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05-Testing-Processes-and-Techniques.md#tampering-and-reverse-engineering Tampering and Reverse Engineering - General Overview]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md#tampering-and-reverse-engineering-on-android Tampering and Reverse Engineering on Android]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Reverse-Engineering-and-Tampering-iOS.md#tampering-and-reverse-engineering-on-ios Tampering and Reverse Engineering on iOS]<br />
<br />
==== How To Join ====<br />
<br />
Read the [https://github.com/OWASP/owasp-mstg/blob/master/authors_guide.md author's guide] first, and join the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel], where you'll find all the other project members. You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
== January 22nd, 2017: Mobile Testing Guide TOC Available ==<br />
<br />
As of now, we'll be auto-generating a [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html table of contents] out of the current MSTG master branch. This reflects the current state of the guide, and should make it easier to coordinate work between authors. A short-term goal is to finalize the structure of the guide so we get a clearer picture of what will be included in the final document. Lead authors are encouraged to complete the outline of their respective chapters. <br />
<br />
'''On another note, we still need additional authors to help with all sections of the guide, including mobile operating system overviews, testing processes and techniques, and reverse engineering.''' Especially iOS authors are in short supply! As usual, ping us on the [https://owasp.slack.com/messages/project-mobile_omtg/details/ Slack Channel] if you want to contribute.<br />
<br />
== December 4th, 2016: Call For Authors: The Ultimate Open-Source Mobile App Reverse Engineering Guide ==<br />
<br />
Reverse engineering is an art, and describing every available facet of it would fill a whole library. The sheer range techniques and possible specializations is mind-blowing: One can spend years working on a very specific, isolated sub-problem, such as automating malware analysis or developing novel de-obfuscation methods. For mobile app security testers, it can be challenging to filter through the vast amount of information and build a working methodology. Things become even more problematic when one is tasked to assess apps that are heavily obfuscated and have anti-tampering measures built in.<br />
<br />
One of the main goals in the MSTG is to build the ultimate resource for mobile reverse engineers. This includes not only basic static and dynamic analysis, but also advanced de-obfuscation, scripting and automation. Obviously, writing all this content is a lot of work, both in terms of general content and OS-specific how-tos. We're therefore looking for talented authors that want to join the project early on. Topics include the following:<br />
<br />
* Basic Hybrid Static/Dynamic Analysis<br />
* Code Injection and Dynamic Instrumentation (Substrate, FRIDA)<br />
* Dynamic Binary Instrumentation (Valgrind, PIE)<br />
* Analysis Frameworks (Metasm / Miasm)<br />
* Symbolic Execution<br />
* DCA and DPA attacks on white-box crypto<br />
* Dynamic analysis frameworks (PANDA / DroidScope,...)<br />
* Anything else we might have missed<br />
<br />
=== What is in for me? ===<br />
<br />
All of this is unpaid, volunteer work. However, depending on your contribution, you will be named in the "lead authors" or "contributors" list, and you'll be able to point to the fact that you co-authored the guide. You'll also be contributing to the field, helping others who are just starting out, and in turn becoming a happier person yourself (reaping the full benefits of your altruism).<br />
<br />
=== Where do I sign up? ===<br />
<br />
First of all, have a look at the existing RE chapters outline:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05-Testing-Processes-and-Techniques.md#tampering-and-reverse-engineering Generic / Introduction]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md Android]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Reverse-Engineering-and-Tampering-iOS.md#tampering-and-reverse-engineering-on-ios iOS]<br />
<br />
You'll probably immediately have ideas on how you can contribute. If that's the case, read the [https://github.com/OWASP/owasp-mstg/blob/master/authors_guide.md author's guide] first. <br />
<br />
Then contact [https://github.com/b-mueller Bernhard Mueller] - ideally directly on the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel], where you'll find all the other project members. You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
=FAQs=<br />
<br />
==How can I participate in your project?==<br />
<br />
'''We are searching for additional authors, reviewers and editors.''' The best way to get started is to browse the [https://b-mueller.gitbooks.io/owasp-mobile-security-testing-guide/content/ existing content]. Also, check the [https://github.com/OWASP/owasp-mstg/projects/1 project dashboard] for a list of open tasks.<br />
<br />
Drop a us line on the [https://owasp.slack.com/messages/project-mobile_omtg/details/) Slack channel] before you start working on a topic. This helps us to keep track of what everyone is doing and prevent conflicts. You can create a Slack account here:<br />
<br />
http://owasp.herokuapp.com/<br />
<br />
Before you start contributing, please read our brief [https://github.com/OWASP/owasp-mstg/blob/master/style_guide.md style guide] which contains a few basic writing rules.<br />
<br />
If there's something you really want to see in the guide, or you want to suggest an improvement, create an issue [https://github.com/OWASP/owasp-mstg/issues issue] or ping us on [https://owasp.slack.com/messages/project-mobile_omtg/details/ Slack].<br />
<br />
==Where do you guys need help the most?==<br />
<br />
There's a lot of areas where you can help out:<br />
<br />
* Writing original content, such as describing testing processes and writing test cases. We're all doing this in our spare time, which unfortunately means that things sometimes slow down to a crawl. If you're knowledgeable in some area and have time available, we'd be incredibly thankful to anyone who contributes, even if it's only one or two test cases.<br />
<br />
* Reviewing content and giving feedback. The proper channel for questions and feedback is the GitHub issues system of the respective repo, contacting us on [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel] is another possibility.<br />
<br />
* Developing tools. For example, we still don't have an automated way of generating checklists out of the GitHub repo.<br />
<br />
* Contributing to auxiliary projects: The [https://github.com/b-mueller/obfuscation-metrics obfuscation metrics project] is an auxiliary project that deals with specific forms of control flow and data obfuscation. This project needs experts in advanced obfuscation / de-obfuscation. Please contact us if you have experience in this area.<br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator.<br />
<br />
==I contributed to the original Google Doc, but I'm not credited in the new version of the MSTG? ==<br />
As we migrated some of the existing content, we did our best to backtrack the original authors and credit them appropriately. We also added a [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x02-Frontispiece.md revision history] that lists all the authors from old Google Docs. If you are not on that list but feel you should be, please contact [https://github.com/b-mueller Bernhard] or [https://github.com/sushi2k Sven] and they'll fix it. Or better yet, re-join the author's team and start contributing to the new guide.<br />
<br />
= Acknowledgements =<br />
<br />
== Acknowledgments ==<br />
<br />
=== Authors ===<br />
<br />
====Bernhard Mueller ====<br />
<br />
Bernhard is a cyber security specialist with a talent in hacking all kinds of systems. During more than a decade in the industry, he has published many zero-day exploits for software such as MS SQL Server, Adobe Flash Player, IBM Director, Cisco VOIP and ModSecurity. If you can name it, he has probably broken it at least once. His pioneering work in mobile security was commended with a BlackHat "Best Research" Pwnie Award.<br />
<br />
==== Sven Schleier ====<br />
<br />
Sven is an experienced penetration tester and security architect who specialized in implementing secure SDLC for web application, iOS and Android apps. He is a project leader for the OWASP Mobile Security Testing Guide and the creator of OWASP Mobile Hacking Playground. Sven also supports the community with free hands-on workshops on web and mobile app security testing. He has published several security advisories and a white papers about a range of security topics.<br />
<br />
=== Co-Authors ===<br />
<br />
==== Romuald Szkudlarek ====<br />
<br />
Romuald is a passionate cyber security & privacy professional with over 15 years of experience in the Web, Mobile, IoT and Cloud domains. During his career, he has been dedicating spare time to a variery of projects with the goal of advancing the sectors of software and security. He is also teaching at various institutions. He holds CISSP, CSSLP and CEH credentials.<br />
<br />
==== Jeroen Willemsen ====<br />
<br />
Jeroen is a full-stack developer specialized in IT security at Xebia with a passion for mobile and risk management. He loves to explain things: starting as a teacher teaching PHP to bachelor students and then move along explaining security, risk management and programming issues to anyone willing to listen and learn.<br />
<br />
=== Top Contributors ===<br />
<br />
* Francesco Stillavato<br />
* Pawel Rzepa<br />
* Andreas Happe<br />
* Henry Hoggard<br />
* Wen Bin Kong<br />
* Abdessamad Temmar<br />
* Alexander Anthuk<br />
* Slawomir Kosowski<br />
* Bolot Kerimbaev<br />
<br />
=== Contributors ===<br />
<br />
Jin Kung Ong, Gerhard Wagner, Andreas Happe, Wen Bin Kong, Michael Helwig, Jeroen Willemsen, Denis Pilipchuk, Ryan Teoh, Dharshin De Silva, Anita Diamond, Daniel Ramirez Martin, Claudio André, Enrico Verzegnassi, Prathan Phongthiproek, Tom Welch, Luander Ribeiro, Oguzhan Topgul, Carlos Holguera, David Fern, Pishu Mahtani, Anuruddha<br />
<br />
=== Reviewers ===<br />
<br />
* Anant Shrivastava<br />
* Sjoerd Langkemper<br />
<br />
=== Others ===<br />
<br />
The full list of contributors, including those with less than 50 additions logged, is available on [https://github.com/OWASP/owasp-mstg/graphs/contributors GitHub].<br />
<br />
=== Old Version - MSTG "Beta" on Google Drive ===<br />
<br />
The Mobile Security Testing Guide was initiated by [https://www.owasp.org/index.php/User:Milan_Singh_Thakur Milan Singh Thakur] in 2015. The original document was hosted on Google Drive.<br />
<br />
'''Authors:'''<br />
<br />
Mirza Ali, Stephen Corbiaux, Ryan Dewhurst, Mohammad Hamed Dadpour, David Fern, Ali Yazdani, Bao Lee, Anto Joseph, Nutan Kumar Panda, Rahil Parikh, Julian Schütte, Abhinav Sejpal, Anant Shrivastava, Pragati Singh, Milan Singh Thakur, Stephanie Vanroelen, Gerhard Wagner<br />
<br />
'''Reviewers:'''<br />
<br />
Andrew Muller, Jonathan Carter, Stephanie Vanroelen, Milan Singh Thakur<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs></headertabs> <br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Builders]] <br />
[[Category:OWASP_Defenders]] <br />
[[Category:OWASP_Document]]</div>Bernhard Muellerhttps://wiki.owasp.org/index.php?title=OWASP_Mobile_Security_Testing_Guide&diff=233295OWASP Mobile Security Testing Guide2017-09-14T04:37:53Z<p>Bernhard Mueller: /* Main Deliverables */</p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_MSTG_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==Our Vision ==<br />
<br />
=== '''"Define the industry standard for mobile application security."''' ===<br />
<br />
We are writing a security standard for mobile apps and a comprehensive testing guide that covers the processes, techniques, and tools used during a mobile app security test, as well as an exhaustive set of test cases that enables testers to deliver consistent and complete results.<br />
<br />
== Early-Access Ebook ==<br />
<br />
{| cellpadding="5"<br />
|-<br />
| [[File:Early-access-mini.jpg|link=https://leanpub.com/mobile-security-testing-guide]]<br />
| '''Mobile Security Testing Guide - Early Access'''<br />
The early access edition contains sample chapters with content on mobile security testing and reverse engineering. Feel free to download it for $0 or contribute any amount you like. All funds raised through sales of this book go directly into the project budget and will be used to fund production of the final release.<br />
|}<br />
<br />
== Main Deliverables ==<br />
<br />
{| cellpadding="5"<br />
|-<br />
| [[File:mstg-mini-3.jpg|link=https://www.github.com/OWASP/owasp-mstg/]]<br />
| '''Mobile Security Testing Guide'''<br />
A comprehensive guide for iOS and Android mobile security testers with the following content:<br />
# Mobile platform internals<br />
# Security testing in the mobile app development lifecycle<br />
# Basic static and dynamic security testing<br />
# Mobile app reverse engineering and tampering<br />
# Assessing software protections<br />
# Detailed test cases that map to the requirements in the MASVS.<br />
The MSTG is a work-in-progress. Currently, we hope to be "feature-complete" in Q3 2017. You can contribute and comment in the [https://github.com/OWASP/owasp-mstg GitHub Repo]. A book version of the current master branch is available on [https://b-mueller.gitbooks.io/the-owasp-mobile-security-testing-guide/content/ Gitbook].<br />
|-<br />
| [[File:masvs-sample-mini.jpg|link=https://www.owasp.org/images/f/fe/MASVS_v0.9.4.pdf]]<br />
| '''Mobile App Security Requirements and Verification'''<br />
The [https://www.owasp.org/images/f/fe/MASVS_v0.9.4.pdf OWASP Mobile Application Security Verification Standard (MASVS)] is a standard for mobile app security. It can be used by mobile software architects and developers seeking to develop secure mobile applications, as well as security testers to ensure completeness and consistency of test results. The latest release is [https://www.owasp.org/images/f/fe/MASVS_v0.9.4.pdf version 0.9.4].<br />
|-<br />
| [[File:checklist.jpg|link=https://www.owasp.org/images/1/1b/Mobile_App_Security_Checklist_0.9.3.xlsx]]<br />
| '''Mobile App Security Checklist'''<br />
A checklist for use in security assessments. Also contains links to the MSTG test case for each requirement. The current release is [https://www.owasp.org/images/1/1b/Mobile_App_Security_Checklist_0.9.3.xlsx version 0.9.3].<br />
|}<br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Breakers]] <br />
[[Category:OWASP_Document]]<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="center" width="50%" | [[File:Owasp-breakers-small.png|link=https://www.owasp.org/index.php/Breakers]]<br />
|<br />
|-<br />
| align="center" valign="center" width="50%" | <br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
== Project Leaders ==<br />
<br />
<span style="color:#ff0000"><br />
<br />
[https://www.owasp.org/index.php/User:Bernhard_Mueller Bernhard Mueller]<br />
<br />
[https://www.owasp.org/index.php/User:Sven_Schleier Sven Schleier]<br />
<br />
== Road Map ==<br />
<br />
* Q3 2017: Beta release<br />
* Q4 2017: Version 1.0<br />
* Q1 2018: Produce A Printable Book<br />
<br />
== Presentations ==<br />
* OWASP Day Indonesia 2017 - Fixing Mobile AppSec, 09.09.017<br />
* Confidence (Krakow, Poland) - Pawel Rzepa - Testing Mobile Applications <br />
* OWASP AppSec EU 2017 - [http://sched.co/A66j Fixing Mobile AppSec] - [https://2017.appsec.eu/presos/Developer/Fixing%20Mobile%20AppSec%20The%20OWASP%20Mobile%20Project-%20Bernhard%20Mueller%20and%20Sven%20Schleier%20-%20OWASP_AppSec-Eu_2017.pdf Slides], [https://www.youtube.com/watch?v=THJVzf-u7Iw Video] <br />
<br />
== Parent Project ==<br />
<br />
[[OWASP_Mobile_Security_Project]]<br />
<br />
==Licensing==<br />
<br />
The guide is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
|}<br />
<br />
=How-To=<br />
<br />
== Using the OWASP Mobile App Security Verification Standard, Testing Guide and Checklist ==<br />
<br />
The documents produced in this project cover many aspects of mobile application security, from the high-level requirements to the nitty-gritty implementation details and test cases. They can be used to plan and verify security controls during any phase of mobile app development, as well as during pre-release code review and penetration testing.<br />
<br />
# The [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf Mobile Application Security Verification Standard (MASVS)] contains generic security requirements along with mappings to verification levels that can be chosen depending on the overall need for security.<br />
# The [https://github.com/OWASP/owasp-mstg Mobile Security Testing Guide (MSTG)] provides verification instructions for each requirement in the MASVS, as well as security best practices for apps on each supported mobile operating system (currently Android and iOS). It is also useful as a standalone learning resource and reference guide for mobile application security testers.<br />
# The [https://www.owasp.org/images/6/6f/Mobile_App_Security_Checklist_0.9.2.xlsx Mobile App Security Checklist] can be used to apply the MASVS requirements during practical assessments. It also conveniently links to the MSTG test case for each requirement, making mobile penetration testing a breeze.<br />
<br />
It is important to note that the security standard, testing guide and checklists are closely related: They all map to the same basic set of requirements. Depending on the context, the documents can be used stand-alone or in combination to achieve different objectives.<br />
<br />
[[File:Overview-800px.jpg]]<br />
<br />
For example, the MASVS requirements may be used in the planning and architecture design stages, while the checklist and testing guide may serve as a baseline for manual security testing or as a template for automated security tests.<br />
<br />
== Mobile App Security Testing ==<br />
<br />
The [https://www.owasp.org/images/9/94/Mobile_App_Security_Verification_Checklist_0.8.2.xlsx checklist] works great as a reference during mobile app security assessments. You can walk through the requirements one-by-one - for more information on each requirement, simply click on the link in the "Testing procedures" column. Or, fill out the checklist at the end of an assessment to ensure completeness. <br />
<br />
== Security Engineering in the SDLC ==<br />
<br />
Properly defined security requirements are an important part of the Secure SDLC. The [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf MASVS] levels can be used along with threat modeling to determine the appropriate set of security controls for a particular mobile app. MASVS V1 also lists requirements pertaining to the architecture and design of the mobile apps, as well as general processes and activities that should be part of the development process.<br />
<br />
== Mobile App Security Education ==<br />
<br />
The [https://github.com/OWASP/owasp-mstg Mobile Security Testing Guide] can be used as a standalone learning resource. Its main chapters contain general how-tos and tutorials that cover a variety of topics from mobile OS internals to advanced reverse engineering techniques.<br />
<br />
= Sponsorship Packages =<br />
With the Mobile Security Testing Guide sponsorship packages, we offer companies opportunities to create brand awareness and maximize visibility in the mobile security space. A limited amount of sponsorship packages will be made available shortly through our crowdfunding campaign. <br />
<br />
The following packages will be available (or [[:File:MSTG-Sponsor-Packages.pdf|download as PDF]] ):<br />
<br />
=== Good Samaritan (USD 500) ===<br />
* Listed as supporter on the project website and GitHub<br />
* Listed as supporter in the printed and ebook versions<br />
* 5 Paperback Books<br />
<br />
=== Honourable Benefactor (USD 2,000 / 10 Available) ===<br />
* Small company logo in the “Honourable Benefactors” section on project website and Github<br />
* Small company logo on the sponsors page of the printed and ebook versions<br />
* 10 Paperback Books<br />
<br />
=== God Mode Sponsor (USD 4,000 / 5 Available) ===<br />
* Large company logo in the “God mode sponsors” section on project website and Github<br />
* Large company logo on the sponsors page of the printed and ebook versions<br />
* 20 Paperback Books<br />
<br />
== Pre-book a package ==<br />
Contact [mailto:bernhard&#x5B;dot&#x5D;mueller&#x5B;at&#x5D;owasp&#x5B;dot&#x5D;org Bernhard Mueller] to reserve your slot. We will contact you as soon as the packages become available.<br />
<br />
==Why Sponsors?==<br />
<br />
As it turns out, writing a book to a professional standard is a challenging task, even more so if there's 50+ authors that aren't necessarily native speakers. Also, professional editors, graphic designers and layouters don't work for free. Thus, some funds are needed to make the tech book a reality.<br />
<br />
100% of the funds raised go directly into the project budget and will be used to fund production of the final release, including:<br />
<br />
* Editing and proofreading by professional editors<br />
* Graphic design and layout<br />
* Purchase an ISBN<br />
<br />
Any leftover funds will be donated to the OWASP Foundation to the mobile security project for future use.<br />
<br />
=News=<br />
<br />
== July 5th, 2017: Sponsorship Packages Announced == <br />
<br />
We are happy to announce that a limited amount of [[:File:MSTG-Sponsor-Packages.pdf|sponsorship packages]] will be made available shortly through our crowdfunding campaign. With these packages, we offer companies opportunities to create brand awareness and maximize visibility in the mobile security space. 100% of the funds raised go directly into the project budget and will be used to fund production of the final release.<br />
<br />
== June 17th, 2017: The OWASP Mobile Security Testing Guide - Summit Preview ==<br />
<br />
The MSTG Summit Preview is an experimental proof-of-concept book created on the OWASP Summit 2017 in London. The goal was to improve the authoring process and book deployment pipeline, as well as to demonstrate the viability of the project. Note that the content is not final and will likely change significantly in subsequent releases.<br />
<br />
Download the ebook [https://github.com/OWASP/owasp-mstg/releases/download/1.0/owasp-mstg-summit-edition.epub here].<br />
<br />
== Mobile Security Testing Workshop on the OWASP Summit 2017 ==<br />
<br />
The OWASP MSTG team is organizing a 5-days mobile security track on the OWASP Summit 2017. The track consists of a series of book sprints, each of which focuses on producing content for a specific section in the OWASP MSTG, as well as proof-reading and editing the existing content. The goal is to make as much progress on the guide as is humanly possible. Depending on the number of participants, we’ll split into sub-groups to work on different subsections or topic areas.<br />
<br />
=== How to Join ===<br />
<br />
Join up for the working session(s) you like by following the link(s) on the [http://owaspsummit.org/Working-Sessions/Mobile-Security/ mobile security track page], then hitting the "Edit this page here" link at the bottom, and adding yourself to the "participants" field. Signing up is not mandatory, but helps us to better organize the sessions. Don’t worry though if your session of choice happens on the "wrong" day - you can always simply stop by and we’ll brief you on your topic of choice. After all, this is the Woodstock of appsec!<br />
<br />
Mobile security track main page:<br />
<br />
http://owaspsummit.org/Working-Sessions/Mobile-Security/<br />
<br />
Mobile security track schedule:<br />
<br />
http://owaspsummit.org/schedule/tracks/Mobile-Security.html/<br />
<br />
== April 5th, 2017: Mobile App Security Verification Standard Update ==<br />
<br />
[https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf Version 0.9.3] of the MASVS is now [https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf available for download] . This release contains several bug fixes and modifications to security requirements:<br />
<br />
* Merged requirements 7.8 and 7.9 into for simplification<br />
* Removed Anti-RE controls 8.1 and 8.2<br />
* Updated MSTG links to current master<br />
* Section "Environmental Interaction" renamed to "Platform Interaction"<br />
* Removed To-dos<br />
* Fixed some wording & spelling issues<br />
<br />
== January 31st, 2017: Mobile App Security Verification Standard v0.9.2 Available For Download ==<br />
<br />
The Mobile App Security Verification Standard (MASVS) has undergone a major revision, including a re-design of the security model and verification levels. We also revised many security requirements to address the multitude of [https://github.com/OWASP/owasp-masvs/issues?q=is%3Aissue%20 issues raised on GitHub]. The result is MASVS v0.9.2, which is now [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf available for download in PDF format].<br />
<br />
As the MASVS is nearing maturity, we have decided to freeze the requirements until the Mobile Testing Guide and checklists "catch up" (due to the one-to-one mapping between requirements in the MASVS and MSTG, changes to the requirements make it necessary to update the other documents as well, causing repeated effort). Unless major issues pop up, the current list will therefore remain in place until MASVS/MSTG v1.0, and further changes will be reserved for v1.1 or later releases.<br />
<br />
The MASVS is a community effort to establish security requirements for designing, developing and testing secure mobile apps on iOS and Android. Join the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel] to meet the project members! You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
== January 28th, 2017: Mobile Crackmes and Reversing Tutorials ==<br />
{| cellpadding="5"<br />
|-<br />
| [[File:uncrackable-250.png|link=]]<br />
| <br />
A key goal of the OWASP Mobile Testing Project is to build the ultimate learning resource and reference guide for mobile app reversers. As hands-on hacking is by far the best way to learn, we'd like to link most of the content to practical examples. <br />
<br />
Starting now, we'll be adding [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes crackmes for Android and iOS] to the [https://github.com/OWASP/owasp-mstg GitHub repo] that will then be used as examples throughout the guide. The goal is to collect enough resources for demonstrating the most important tools and techniques in our guide, plus additional crackmes for practicing. For starters there are three challenges:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/OMTG-Files/02_Crackmes/01_Android/01_License_Validation Android License Validator]<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes/iOS/Level_01/ Uncrackable App for iOS Level 1]<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes/iOS/Level_02/ Uncrackable App for iOS Level 2]<br />
<br />
|}<br />
<br />
One of these three already has a [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md#symbolicexec documented solution] in the guide. Tutorials for solving the other two [https://github.com/OWASP/owasp-mstg/blob/master/OMTG-Files/02_Crackmes/List_of_Crackmes.md still need to be added].<br />
<br />
=== We Need More Authors and Contributors! ===<br />
<br />
Maybe you have noticed that [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html the reverse engineering sections in the Mobile Testing Guide are incomplete]. The reason: We're still in the starting stages and don't have a lot of authors and contributors (in fact, 99% of the reversing content was produced by one guy). We'd love to welcome *you* as a contributor of crackmes, tutorials, writeups, or simply new ideas for this project. <br />
<br />
==== What You Can Do ====<br />
<br />
The OWASP MSTG is an open project and there's a lot of flexibility - it mostly depends on your skill set and willingness to commit your time. That said, the some areas that need help are:<br />
<br />
* Solving crackmes and contributing a tutorial to the guide (preferable a technique that's not already documented. Check the [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html TOC] first).<br />
* Writing and adding new crackmes along with solutions (should also describe something not already in the guide. Cracking white-boxes, dynamic analysis using an emulator / introspection, etc. etc.).<br />
* General reversing write-ups to describe specific processes and techniques<br />
* Help us figure out [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x07b-Assessing_Software_Protections.md resiliency testing processes] and [https://github.com/b-mueller/obfuscation-metrics obfuscation metrics]<br />
<br />
The reversing part of the guide consists of the following chapters:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05-Testing-Processes-and-Techniques.md#tampering-and-reverse-engineering Tampering and Reverse Engineering - General Overview]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md#tampering-and-reverse-engineering-on-android Tampering and Reverse Engineering on Android]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Reverse-Engineering-and-Tampering-iOS.md#tampering-and-reverse-engineering-on-ios Tampering and Reverse Engineering on iOS]<br />
<br />
==== How To Join ====<br />
<br />
Read the [https://github.com/OWASP/owasp-mstg/blob/master/authors_guide.md author's guide] first, and join the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel], where you'll find all the other project members. You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
== January 22nd, 2017: Mobile Testing Guide TOC Available ==<br />
<br />
As of now, we'll be auto-generating a [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html table of contents] out of the current MSTG master branch. This reflects the current state of the guide, and should make it easier to coordinate work between authors. A short-term goal is to finalize the structure of the guide so we get a clearer picture of what will be included in the final document. Lead authors are encouraged to complete the outline of their respective chapters. <br />
<br />
'''On another note, we still need additional authors to help with all sections of the guide, including mobile operating system overviews, testing processes and techniques, and reverse engineering.''' Especially iOS authors are in short supply! As usual, ping us on the [https://owasp.slack.com/messages/project-mobile_omtg/details/ Slack Channel] if you want to contribute.<br />
<br />
== December 4th, 2016: Call For Authors: The Ultimate Open-Source Mobile App Reverse Engineering Guide ==<br />
<br />
Reverse engineering is an art, and describing every available facet of it would fill a whole library. The sheer range techniques and possible specializations is mind-blowing: One can spend years working on a very specific, isolated sub-problem, such as automating malware analysis or developing novel de-obfuscation methods. For mobile app security testers, it can be challenging to filter through the vast amount of information and build a working methodology. Things become even more problematic when one is tasked to assess apps that are heavily obfuscated and have anti-tampering measures built in.<br />
<br />
One of the main goals in the MSTG is to build the ultimate resource for mobile reverse engineers. This includes not only basic static and dynamic analysis, but also advanced de-obfuscation, scripting and automation. Obviously, writing all this content is a lot of work, both in terms of general content and OS-specific how-tos. We're therefore looking for talented authors that want to join the project early on. Topics include the following:<br />
<br />
* Basic Hybrid Static/Dynamic Analysis<br />
* Code Injection and Dynamic Instrumentation (Substrate, FRIDA)<br />
* Dynamic Binary Instrumentation (Valgrind, PIE)<br />
* Analysis Frameworks (Metasm / Miasm)<br />
* Symbolic Execution<br />
* DCA and DPA attacks on white-box crypto<br />
* Dynamic analysis frameworks (PANDA / DroidScope,...)<br />
* Anything else we might have missed<br />
<br />
=== What is in for me? ===<br />
<br />
All of this is unpaid, volunteer work. However, depending on your contribution, you will be named in the "lead authors" or "contributors" list, and you'll be able to point to the fact that you co-authored the guide. You'll also be contributing to the field, helping others who are just starting out, and in turn becoming a happier person yourself (reaping the full benefits of your altruism).<br />
<br />
=== Where do I sign up? ===<br />
<br />
First of all, have a look at the existing RE chapters outline:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05-Testing-Processes-and-Techniques.md#tampering-and-reverse-engineering Generic / Introduction]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md Android]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Reverse-Engineering-and-Tampering-iOS.md#tampering-and-reverse-engineering-on-ios iOS]<br />
<br />
You'll probably immediately have ideas on how you can contribute. If that's the case, read the [https://github.com/OWASP/owasp-mstg/blob/master/authors_guide.md author's guide] first. <br />
<br />
Then contact [https://github.com/b-mueller Bernhard Mueller] - ideally directly on the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel], where you'll find all the other project members. You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
=FAQs=<br />
<br />
==How can I participate in your project?==<br />
<br />
'''We are searching for additional authors, reviewers and editors.''' The best way to get started is to browse the [https://b-mueller.gitbooks.io/owasp-mobile-security-testing-guide/content/ existing content]. Also, check the [https://github.com/OWASP/owasp-mstg/projects/1 project dashboard] for a list of open tasks.<br />
<br />
Drop a us line on the [https://owasp.slack.com/messages/project-mobile_omtg/details/) Slack channel] before you start working on a topic. This helps us to keep track of what everyone is doing and prevent conflicts. You can create a Slack account here:<br />
<br />
http://owasp.herokuapp.com/<br />
<br />
Before you start contributing, please read our brief [https://github.com/OWASP/owasp-mstg/blob/master/style_guide.md style guide] which contains a few basic writing rules.<br />
<br />
If there's something you really want to see in the guide, or you want to suggest an improvement, create an issue [https://github.com/OWASP/owasp-mstg/issues issue] or ping us on [https://owasp.slack.com/messages/project-mobile_omtg/details/ Slack].<br />
<br />
==Where do you guys need help the most?==<br />
<br />
There's a lot of areas where you can help out:<br />
<br />
* Writing original content, such as describing testing processes and writing test cases. We're all doing this in our spare time, which unfortunately means that things sometimes slow down to a crawl. If you're knowledgeable in some area and have time available, we'd be incredibly thankful to anyone who contributes, even if it's only one or two test cases.<br />
<br />
* Reviewing content and giving feedback. The proper channel for questions and feedback is the GitHub issues system of the respective repo, contacting us on [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel] is another possibility.<br />
<br />
* Developing tools. For example, we still don't have an automated way of generating checklists out of the GitHub repo.<br />
<br />
* Contributing to auxiliary projects: The [https://github.com/b-mueller/obfuscation-metrics obfuscation metrics project] is an auxiliary project that deals with specific forms of control flow and data obfuscation. This project needs experts in advanced obfuscation / de-obfuscation. Please contact us if you have experience in this area.<br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator.<br />
<br />
==I contributed to the original Google Doc, but I'm not credited in the new version of the MSTG? ==<br />
As we migrated some of the existing content, we did our best to backtrack the original authors and credit them appropriately. We also added a [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x02-Frontispiece.md revision history] that lists all the authors from old Google Docs. If you are not on that list but feel you should be, please contact [https://github.com/b-mueller Bernhard] or [https://github.com/sushi2k Sven] and they'll fix it. Or better yet, re-join the author's team and start contributing to the new guide.<br />
<br />
= Acknowledgements =<br />
<br />
== Acknowledgments ==<br />
<br />
=== Authors ===<br />
<br />
====Bernhard Mueller ====<br />
<br />
Bernhard is a cyber security specialist with a talent in hacking all kinds of systems. During more than a decade in the industry, he has published many zero-day exploits for software such as MS SQL Server, Adobe Flash Player, IBM Director, Cisco VOIP and ModSecurity. If you can name it, he has probably broken it at least once. His pioneering work in mobile security was commended with a BlackHat "Best Research" Pwnie Award.<br />
<br />
==== Sven Schleier ====<br />
<br />
Sven is an experienced penetration tester and security architect who specialized in implementing secure SDLC for web application, iOS and Android apps. He is a project leader for the OWASP Mobile Security Testing Guide and the creator of OWASP Mobile Hacking Playground. Sven also supports the community with free hands-on workshops on web and mobile app security testing. He has published several security advisories and a white papers about a range of security topics.<br />
<br />
=== Co-Authors ===<br />
<br />
==== Romuald Szkudlarek ====<br />
<br />
Romuald is a passionate cyber security & privacy professional with over 15 years of experience in the Web, Mobile, IoT and Cloud domains. During his career, he has been dedicating spare time to a variery of projects with the goal of advancing the sectors of software and security. He is also teaching at various institutions. He holds CISSP, CSSLP and CEH credentials.<br />
<br />
==== Jeroen Willemsen ====<br />
<br />
Jeroen is a full-stack developer specialized in IT security at Xebia with a passion for mobile and risk management. He loves to explain things: starting as a teacher teaching PHP to bachelor students and then move along explaining security, risk management and programming issues to anyone willing to listen and learn.<br />
<br />
=== Top Contributors ===<br />
<br />
* Francesco Stillavato<br />
* Pawel Rzepa<br />
* Andreas Happe<br />
* Henry Hoggard<br />
* Wen Bin Kong<br />
* Abdessamad Temmar<br />
* Alexander Anthuk<br />
* Slawomir Kosowski<br />
* Bolot Kerimbaev<br />
<br />
=== Contributors ===<br />
<br />
Jin Kung Ong, Gerhard Wagner, Andreas Happe, Wen Bin Kong, Michael Helwig, Jeroen Willemsen, Denis Pilipchuk, Ryan Teoh, Dharshin De Silva, Anita Diamond, Daniel Ramirez Martin, Claudio André, Enrico Verzegnassi, Prathan Phongthiproek, Tom Welch, Luander Ribeiro, Oguzhan Topgul, Carlos Holguera, David Fern, Pishu Mahtani, Anuruddha<br />
<br />
=== Reviewers ===<br />
<br />
* Anant Shrivastava<br />
* Sjoerd Langkemper<br />
<br />
=== Others ===<br />
<br />
The full list of contributors, including those with less than 50 additions logged, is available on [https://github.com/OWASP/owasp-mstg/graphs/contributors GitHub].<br />
<br />
=== Old Version - MSTG "Beta" on Google Drive ===<br />
<br />
The Mobile Security Testing Guide was initiated by [https://www.owasp.org/index.php/User:Milan_Singh_Thakur Milan Singh Thakur] in 2015. The original document was hosted on Google Drive.<br />
<br />
'''Authors:'''<br />
<br />
Mirza Ali, Stephen Corbiaux, Ryan Dewhurst, Mohammad Hamed Dadpour, David Fern, Ali Yazdani, Bao Lee, Anto Joseph, Nutan Kumar Panda, Rahil Parikh, Julian Schütte, Abhinav Sejpal, Anant Shrivastava, Pragati Singh, Milan Singh Thakur, Stephanie Vanroelen, Gerhard Wagner<br />
<br />
'''Reviewers:'''<br />
<br />
Andrew Muller, Jonathan Carter, Stephanie Vanroelen, Milan Singh Thakur<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs></headertabs> <br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Builders]] <br />
[[Category:OWASP_Defenders]] <br />
[[Category:OWASP_Document]]</div>Bernhard Muellerhttps://wiki.owasp.org/index.php?title=File:MASVS_v0.9.4.pdf&diff=233294File:MASVS v0.9.4.pdf2017-09-14T04:36:51Z<p>Bernhard Mueller: </p>
<hr />
<div></div>Bernhard Muellerhttps://wiki.owasp.org/index.php?title=WASPY_Awards_2017&diff=231753WASPY Awards 20172017-07-19T08:08:28Z<p>Bernhard Mueller: Add own profile link</p>
<hr />
<div>[[File:WASPY 2017 Banner.jpg]]<br />
<br />
==Purpose of the Awards==<br />
<br />
Each year there are many individuals who do amazing work, dedicating countless hours to share, improve, and strengthen the OWASP mission. Some of these individuals are well known to the community while others are not. <br />
<br />
'''The purpose of these awards is to bring recognition to those who "FLY UNDER THE RADAR". These are the individuals who are passionate about OWASP, who contribute hours of their own free time to the organization to help improve the cyber-security world, yet seem to go unrecognized.''' <br />
<br />
==Timeline==<br />
Call for Nominees Opens June 7, 2017 <br />
<br />
Call for Nominees Closes June 30, 2017 - CLOSED <br />
<br />
Announcement of Nominees per Category July 5, 2017 - DONE <br />
<br />
Deadline for Nominee Profile Picture and Bio to be created and added to the Nominees section July 10, 2017 <br />
<br />
Voting for Board & Staff Members Opens July 17, 2017 <br />
<br />
Voting for Board & Staff Members Closes July 24, 2017 <br />
<br />
Winners are Notified July 25, 2017 <br />
<br />
Announcement of Winners to the Community July 25, 2017 <br />
<br />
Award Ceremony at AppSecUSA 2017 in Orlando, FL September 21-22, 2017 <br />
<br />
==Categories==<br />
The WASPYs celebrate the actors in our community who grow OWASP and drive innovation to the safety and security of the world’s software. This year we are excited to offer three categories.<br />
<br><br />
<br />
'''Best Community Supporter''' - The WASPY for COMMUNITY honors members who create dynamic INTERACTION and LEARNING opportunities for the OWASP Community. Nominees to the Community WASPY Award create collaborative and inclusive environments and grow the OWASP Community. WASPYs focus on the unsung heros of the OWASP community. Chapter Leaders and Community Members should especially consider leaders and volunteers who bring something extra to the environment, help the chapter reach out to new attendees, or carry out the tedious and repetitive tasks that make growing an OWASP Chapter possible.<br />
<br><br />
<br />
'''Best Mission Outreach''' - The WASPY for Mission Outreach honors community members who help the community GROW. Growth can happen inside the larger OWASP community or outside it in the broader AppSec and development communities. Leaders and Members should especially consider volunteers who pushed the boundaries of the audience and reach of OWASP to provide new exposure for OWASP’s projects and chapters. New leaders and volunteers who help bring more people to your chapter, project, or actively represent OWASP at non-OWASP events, gatherings, and activities to build an active OWASP community are ideal candidates for the Mission Outreach WASPY award.<br />
<br><br />
<br />
'''Best Innovator''' - The WASPY for Innovation is given to a community member who has contributed to the TECHNICAL advancement of OWASP in the past year. This advancement is usually through an [[:Category:OWASP Project|OWASP Project]] and can be in the form of code, an application, or anything that materially makes the AppSec community better in a unique way. WASPYs focus on the unsung heros of the OWASP community who quietly go about making the world a bit better for their work. Project Leaders and Community Members should especially consider nominating new projects, projects that have recently graduated, and project contributors for this WASPY.<br />
<br />
==Rules==<br />
'''Remember the purpose of these awards is to recognize the UNSUNG HEROS out there, that are barely recognized for their contributions to the OWASP Foundation.''' <br />
<br />
1. [https://www.owasp.org/index.php/About_OWASP#2015_Global_Board_Members Board members] may not be nominated <br />
<br />
2. [https://www.owasp.org/index.php/About_OWASP#Employees_and_Contractors_of_the_OWASP_Foundation Employees & Contractors] may not be nominated <br />
<br />
3. All nominees will remain anonymous until July 3, 2017<br />
<br />
4. Anyone can nominate an "unsung hero" who has contributed in some way to OWASP who they feel best fits each category <br />
<br />
5. You may only nominate one person per category <br />
<br />
=='''And the Nominees Are...'''==<br />
{| cellpadding="2" border="1"<br />
! width="150" align="center" scope="col" |Name<br />
! width="800" align="center" scope="col" |Category & Citation<br />
|-<br />
| align="center" |Aatral Arasu<br />
|'''''Best Community Supporter''''' <br />
"A great leader always there to help responds to emails quickly loves his work works very hard every day very supportive never loses focus strong willed very technical and willing to do things himself to get the job done when asked for something he will get it to you ASAP constant learner open to suggestions and ideas on how to be better respectful honest caring and I am certain HRC will make it big very soon :)"<br />
|-<br />
|Sean Auriti<br />
|'''''Best Community Supporter'''''<br />
"Sean has not only worked as a volunteer in the local chapter building community, his code projects are useful to the mission and his outreach efforts have included funding requests for OWASP Foundation to grow its mission. Sean is a great example of a community member."<br />
|-<br />
|Nicole Becher<br />
|<nowiki/>'''''Best Community Supporter'''''<br />
<br />
"Nicole has been an amazing chapter leader. She brings knowledge and experience teaching cybersecurity to the Mentor Initiative, WIA Committee, and projects."<br />
|-<br />
|Ken Belva<br />
|<nowiki/>'''''Best Community Supporter'''''<br />
<br />
"Ken is a long time chapter leader of the NYC chapter and a former chapter leader of the Brooklyn Chapter. Ken is always willing to step in and volunteer to help with OWASP initiatives and is a frequent participant in OWASP events as both a volunteer and speaker. Ken has spoken at AppSec USA on XSS techniques (<nowiki>https://www.youtube.com/watch?v=G539NwvpL3I</nowiki>) and is the project lead for the Basic Expression and Lexicon Variation Algorithms project (<nowiki>https://www.owasp.org/index.php/OWASP_Basic_Expression_%26_Lexicon_Variation_Algorithms_(BELVA)_Project)</nowiki>."<br />
|-<br />
|Tony Clarke<br />
|<nowiki/>'''''Best Community Supporter'''''<br />
"Tony has selflessly brought the OWASP dublin chapter to great nights. He has nurtured the chapter to be inclusive and open whilst growing the average attendee count to hundreds. He has spread the word across both security industry and developer industry and has also managed to get various organisations to work together such as ISACA, IISF, ISSA and ISC2. He is a great leader and despite detractors has built the chapter and awareness of software security issues in a strong vendor neutral manner to a great place. Tony is a great example of OWASP and industry leadership."<br />
|-<br />
|Dinis Cruz<br />
|<nowiki/>'''''Best Community Supporter'''''<br />
"Diniz is a fantastic innovator and motivator. As the mastermind and organizer behind the OWASP Summit he has managed to re-energize the OWASP community - many interesting projects would not have happened (or at least, not been that successful) without his passionate work. Besides organizing the event, he also consistently supported project leaders with his experience and ideas."<br />
<br />
'''2nd Citation:''' Dinis put ridiculous effort (<nowiki>https://github.com/OWASP/owasp-summit-2017/commits?author=DinisCruz</nowiki>) into the OWASP Summit 2017 and didn't tire promoting this event!<br />
|-<br />
|[[User:Dune73|Christian Folini]]<br />
|'''''Best Community Supporter'''''<br />
<br />
"Christian Folini is very active in the Core Rule Set project community. He responds to a ton of questions submitted by newcomers when they are stuck and he answers expert level questions with stunning detail. He joined Chaim and Walter when they revived the project in 2016 and I heard he had the idea for the famous CRS3 release poster <nowiki>https://modsecurity.org/crs/poster</nowiki> that was shared all over the net. I think it's people like him that give OWASP a human face."<br />
|-<br />
|[[User:Fuentes.joaquin|Joaquin Fuentes]]<br />
|'''''Best Community Supporter'''''<br />
"In 2015, Joaquin took it upon himself to revive the OWASP Phoenix Chapter. He created a meet-up group to gain broader visibility. Since 2015, the meeting attendance has grown from an average of 15 attendees to over 60! Joaquin dedicates a lot of time and effort into scheduling an impressive variety of presentation topics including safe hacking, vulnerability scanner deep dives, hands on web exploitation CTF, video game hacking and more. I learn something new and cool at every event.<br />
<br />
More importantly, Joaquin works hard to foster a friendly, inclusive environment. During our hands-on web exploitation session, Joaquin recruited co-works to assist participants with the Security Shephard challenges so no one felt overwhelmed or impossibly stuck. He always takes the time meet and welcome new members. For example, my 17-year-old son attends meetings with me. He looks up to Joaquin as a mentor for a future information security career because Joaquin encourages his learning and offers career guidance.<br />
<br />
I highly recommend Joaquin for a WASPY award!! He is a kind, soft spoken person with a passion for sharing information security and helping others!"<br />
<br />
'''2nd Citation:''' "He resurrected the Phoenix chapter and has kept it going with great content."<br />
<br />
'''3rd Citation:''' "For all he has done to build up the Phoenix OWASP community. Prior to Joaquin taking point the community in Phoenix was dead. Meetings weren't happening on a regular basis. The prior leaders had done a great job but I think they had burnt out. Joaquin started the community back up and got corporate support from his employer to facilitate not only regular meetings but great meetings with great content. He also implemented MeetUp. I'm not a consistent attendee because of my work/life schedule but I always know when the meetings are happening and what the subject matter will be because of Joaquin utilizing MeetUp."<br />
<br />
'''4th Citation:''' "Put simply, due to the efforts of Joaquin Fuentes, the Phoenix chapter has risen from the ashes (some pun intended). Before Joaquin took over the chapter there were consistently between 5-10 persons in attendance, Joaquin himself being one of them, and the chapter only met about every 3 months or so. Since Joaquin took over the chapter, we have had fantastic presenters each month, paid for dinners, along with a collaborative, comfortable, and engaging environment to meet in. Even more impressive the attendance has grown to 60+ consistently. Joaquin isn't even done yet! He is more great ideas and plans for the chapter that will undoubtedly contribute to the continued growth and over all quality of this once fallen chapter. When he speaks of where this chapter has come from and his plans for the future, it is undeniable to all that he does so with the passion that a leader must possess to accomplish that which Joaquin has."<br />
<br />
'''5th Citation:''' "I am sure someone else will write in with Joaquin's email, but I felt the need to second his name on the list. The events he puts together are top notch, have excellent speakers, always have things to eat, and are generally excellent. I almost never miss them. He is actually so gracious about the entire chapter that I am sure he does not get the credit he deserves... the whole show is put on by just him, I think. Yay Joaquin!"<br />
<br />
'''6th Citation:''' "A few years ago, the Phoenix (AZ) OWASP group was basically defunct. As the leader of the Phoenix OWASP group, not only has Joaquin helped to resurrect the group, but we've had great presentations on reverse engineering, secure coding, a hands-on CTF contest with Security Shepherd, etc. Joaquin is a very visible member of the security community being an employee at Early Warning, which not only hosts the OWASP meetings, but also is a sponsor and makes a strong showing at CactusCon every year, the biggest security conference in Arizona.<br />
<br />
Our local OWASP group is not strong, going from being non-existent a few years ago to now getting a regular attendance of 40-80 people. I've gotten to know Joaquin through OWASP meetings and other security events in the area I have crossed paths with him, and he is a fine representative and evangelist for the OWASP organization."<br />
<br />
'''7th Citation:''' "Joaquin is the Phoenix OWASP Chapter leader and regularly plans amazing talks with great speakers for the Phoenix Community. Frequently, the Phoenix OWASP talks will have over 50 attendees which Joaquin manages without a problem! Joaquin also pushes for candidates he is interviewing to be familiar with OWASP before their interview."<br />
<br />
'''8th Citation:''' "Joaquin is the leader for the Phoenix OWASP, and it is clear that through his leadership the Phoenix OWASP thrives. Joaquin organizes all the meetings, and is constantly working with folks to create an excellent sense of community in the Phoenix area."<br />
<br />
'''9th Citation:''' "Joaquin has taken the Phoenix OWASP chapter that had not been managed for years and brought it back to life. We consistently see 50+ members coming to our Meetups to talk about AppSec related topics. Joaquin is well connected to the InfoSec groups and has had great success in pulling in new speakers, we have already had a few speakers who are prepping their BlackHat and DefCon talks by giving their presentations to our local chapter. Finally Joaquin does a great job by reaching out to the local colleges and supporting CTF activities to garner interest in pen-testing and the OWASP community. He is a true community supporter and fully deserves a WASPY for his efforts..."<br />
<br />
'''10th Citation:''' "Joaquin has been leading the OWASP Phoenix chapter and due to his initiative, has placed Phoenix on the map as a hub for application security. I would like to nominate him because he is always bringing in new and interesting speakers that provide great content. The most recent OWASP chapter meeting had over 60 attendees!"<br />
<br />
'''11th Citation:''' "As a leader of Phoenix OWASP chapter, Joaquin strives to organize talks and trainings to make people in the valley learn InfoSec and AppSec from experienced individuals. He has always gone a step ahead to conduct OWASP meetings that are informative and hands on. Right from giving Arizona State University (ASU) students an overview of basic InfoSec and career opportunities to organizing a hands on hacking workshop for people in the community, Joaquin has always demonstrated passion and determination to take Phoenix to a better place in the field of Cyber Security."<br />
<br />
'''12th Citation:''' "I've attended and participated in three OWASP meetings lead by Joaquin. They are always well organized, offer a great learning experience and considerably contribute to the community. His continuous interest and dedication to the Phoenix chapter do not go unnoticed and are appreciated by all who attend."<br />
<br />
'''13th Citation:''' "Joaquin restarted the OWASP chapter in Phoenix/Scottsdale. Chapter meetings have grown significantly to where there were about 65 attendees at the most recent meeting with hundreds more on the mailing list (I was at the meeting, but I've only heard about the mailing list). As someone who works with him, I know how dedicated he is to the work of IT security and he's been able to attract top-notch speakers for OWASP meetings.'<br />
<br />
'''14th Citation:''' "Joaquin had successfully revived the Phoenix OWASP Chapter. Since, the chapter has excelled from zero to filled audience bringing security talent from all around to speak and educate to security professionals on the many facets of security domains.<br />
<br />
Additionally, this has provided a great forum to network with the many security professionals around the community and share their knowledge and strengthen the security community. <br />
<br />
Joaquin has provided his unselfish time as an OWASP Chapter leader, and has breathed new life into the Chapter."<br />
<br />
'''15th Citation:''' "Joaquin does a bang up job of running the Phoenix OWASP chapter. He does a great job of raising awareness and bringing folks from the infosec community into the fold."<br />
<br />
'''16th Citation:''' "Joaquin Fuentes has had a big impact in raising attendance at the Phoenix meetings to more than 100 people monthly. The quality has gotten significantly better under his leadership. He has organized many speakers, including recruiting speakers from out of the area that have significantly developed the knowledge base of the community. Joaquin is a pen testing manager at Early Warning and he shares his professional knowledge to help us all become better in the practice of information security."<br />
<br />
'''17th Citation:''' No citation was submitted<br />
|-<br />
|[https://www.owasp.org/index.php/User:Brianglas Brian Glas]<br />
|'''''Best Community Supporter''''' <br />
"Brian has been paramount in 2 very strategic initiatives for OWASP. He is not only a Project Leader for the OWASP SAMM project but he has been instrumental in revamping the call for data and reorganizing the flagship OWASP Top Ten. Brian continues to support and speak about the benefits of supporting OWASP especially projects and participating in the Summit. Please consider Brian Glas as the Best Community Supporter for this year."<br />
|-<br />
|Brendan Gormley<br />
|'''''Best Community Supporter'''''<br />
"Throughout the Brendan has not only assisted in making the dublin chapter events happen but taken a lead role. Brendan has organised venues and speakers for these events often going above and beyond to ensure success. Brendan has also been involved in some of the outreach programs the Dublin chapter had been involved in. No task is too big or too small for Brendan and without him I don't believe the Dublin chapter would be what it is."<br />
|-<br />
|[https://www.owasp.org/index.php/User:Tanyajanca Tanya Janca]<br />
|'''''Best Community Supporter'''''<br />
"Tanya Janca has been performing “outreach” and “recruitment of women” as her main chapter leader responsibilities for the Ottawa chapter since 2015. The chapter has not only grown by over 500% in that time, but female membership has grown from 2 female members to over 70 (the chapter has grown for many reasons, some of which are her promotional efforts). Activities include starting a mentoring program that matches senior AppSec members of the community with juniors or people who are hoping to get into Application Security; attending all sorts of technology meetups (but especially female-centric ones) to talk about OWASP and personally invite them to attend; bringing OWASP products, concepts and resources to the Canadian Government (and is currently attempting to sway policy to be more application security focused as we speak); as well as performing over 40 public speaking engagements that describe OWASP as “Your new BFF” as part of the application security lesson she has taught. She has also begun speaking at conferences semi-regularly, singing OWASP’s praises as part of every presentation. She also forms female groups to attend events together, to make them more accessible, such as her all-female team for the Ottawa iHack CTP and “Learn by Breaking things” event in June 2017 and her all female CTF team for OWASP Ottawa’s first CTF in 2015. Her claim of being an “application security evangelist” certainly seems fitting."<br />
|-<br />
|[https://www.owasp.org/index.php/Jeremy_Long Jeremy Long]<br />
|'''''Best Community Supporter'''''<br />
"Jeremy is a dedicated security engineer who contributes to the community as a developer, mentor, contributor and leader. He's one of the smartest people I know - and one of the few who has patience with "the rest of us". He is generous with his time and knowledge, helping not only to contribute apps and resources, but to build up the community itself."<br />
|-<br />
|[[User:Makash|Akash Mahajan]]<br />
|'''''Best Community Supporter'''''<br />
"Akash has been backbone of OWASP bangalore chapter he has done lot of work for evangelizing OWASP. For more than 7 years now he has been working with the chapter and mentored lot of folks. No wonder he is called "the web app security guy"."<br />
|-<br />
|[https://www.owasp.org/index.php/Dhiraj_Mishra Dhiraj Mishra]<br />
|'''''Best Community Supporter'''''<br />
"Dhiraj Mishra - has been contributed and volunteered to, OWASP Mumbai Student chapter and Mumbai local chapter.<br />
<br />
He has endorse students to be part of multiple open community, however been an Sudent Chapter leader for OWASP he has discussed and shared multiple Information Security topics start from the scratch and spreading the idea's and awareness via chapter Meets, he has taken multiple session in NULL as well which runs with OWASP local chapter Mumbai, recently he invited Mozilla Club Mumbai to student chapter so that students can go to their area of interest, he always pushup/boost women in infosec. Apart from this he has taken various sessions in different colleges and have shared knowledge about Cyber Security."<br />
|-<br />
|Denise Murtagh-Dunne<br />
|'''''Best Community Supporter'''''<br />
"Denise has been a hugely active member of the Dublin chapter and has been involved in all chapter meeting throughout the year and is ever keen to role up her sleeves and get stuck into work that others shy away from. This includes everything from setting up the meeting tools, organising venues, working with sponsors, getting speakers and assisting speakers in the run up and during events. She's been a very positively influence on the community and chapter and has encouraged other people to get involved. She's constantly updating and posting content on our social media accounts and making sure our members get relevant and interesting content. While in full time employment, Denise gives up family time to contribute to the chapter and ensure OWASP Dublin remains a vibrant and relevant group that engages the developer and security community locally."<br />
|-<br />
|[[User:Owen_Pendlebury|Owen Pendlebury]]<br />
|'''''Best Community Supporter'''''<br />
"Owen Pendlebury has been a key local OWASP volunteer over the last number of years. From being on the local Dublin chapter board to leading the Dublin chapter he regularly hosted and spoke at numerous collaborative and insightful security meetups.<br />
<br />
He has also been involved in organising AppSec EU in Rome and more recently co-organised the Belfast conference which was the biggest ever EU conference. As part of organising the conference in Belfast he negotiated that all chapters within Ireland would benefit financially getting a percentage of the conference profits to allow the chapters to bring bigger, better and more collaborative meetings to the Irish OWASP community and grow the communities across the country. <br />
<br />
I don’t know where he has found the time but has also been part of the Women in AppSec committee mentoring a number of individuals throughout the year. He took part in the Women in AppSec events in Belfast giving some insightful opinions into how improve attendees career. Owen is an asset that helps to improve Ireland's security community’s capabilities with a real can-do attitude."<br />
|-<br />
|Mick Ryan<br />
|'''''Best Community Supporter'''''<br />
"Mick always assists with chapter meetings and works to ensure we give the community good quality sessions. Mick assists will all areas including reaching out to potential speakers, getting info and bios from them, arranging dates and venues, posting on social media and the logistics of the meetings and ensuring speakers have the right cables, meetings run to time, that speakers are happy with everything, taking photos to promote the chapter on social media, encouraging people to speak, printing the chapter and getting people to events! Thanks Mick for your contribution in 2017!"<br />
|-<br />
|[https://www.owasp.org/index.php/Sriram Sriram]<br />
|'''''Best Community Supporter'''''<br />
"[https://www.owasp.org/index.php/Sriram Sriram] has been conducting awareness program to the college students. Sriram has created awareness among 12000 Students without the support of anyone. Sriram has been tremendously supporting the OWASP Chapter by giving trainings to various college student, corporates and various chapters.."<br />
|-<br />
|Michelle Simpson<br />
|'''''Best Community Supporter'''''<br />
"Michelle has done an amazing job with the Belfast chapter and works tirelessly to improve the OWASP community and advocate strong app sec practices. This is very evident from the people attending the chapter events, organisations participating and the very successful AppSecEU conference that was held in Belfast in 2017. Michelle put a huge amount of work and effort into planning and preparation for AppSecEU to ensure the conference was of a high calibre. This was a sustained commitment over the majority of 2017 on top of local chapter commitments. I'd like to nominate Michelle for all the hard work and effort she puts into the chapter. Thanks Michelle!"<br />
|-<br />
|Steve Springett<br />
|'''''Best Community Supporter'''''<br />
<br />
"Steve has been a tremendous supporter of the OWASP dependency-check project and leader on the related dependency-track platform. He is quick to respond to community question, answering with insightful and accurate responses assisting the community in their use of the dependency-check suite of tools."<br />
|-<br />
|[https://www.owasp.org/index.php/John_Vargas John Vargas]<br />
|'''''Best Community Supporter'''''<br />
<br />
"During the last 9 years John, together with a very small group of volunteers, has been making efforts to keep the chapter of Lima, Peru. Performing activities such as monthly meetings, internal trainings and participating actively in the OWASP Latam Tour. For the chapters in Latin America to keep afloat these activities with few resources is something very complicated and deserves recognition."<br />
|-<br />
|Tara Williams<br />
|'''''Best Community Supporter'''''<br />
<br />
"Tara cares about integrity, inclusion and transparency, she is passionate about making OWASP a better place for all members of the community. With her talents in communications, she is getting the word out about OWASP's benefits to community members and attracting new members to chapter meetings, especially identifying successful pathways to transition meetup members to full members."<br />
|-<br />
|Aatral Arasu<br />
|'''''Best Mission Outreach'''''<br />
'''"'''A great leader always there to help responds to emails quickly loves his work works very hard every day very supportive never loses focus strong willed very technical and willing to do things himself to get the job done when asked for something he will get it to you ASAP constant learner open to suggestions and ideas on how to be better respectful honest caring and I am certain HRC will make it big very soon :)"<br />
|-<br />
|Sean Auriti<br />
|'''''Best Mission Outreach'''''<br />
"Sean mentors, is a speaker, leads projects, is an active chapter leader and chapter Treasurer, participating in meetup events and a great representative at global, regional and external events."<br />
|-<br />
|Tony Clarke<br />
|'''''Best Mission Outreach'''''<br />
"Tony has grown the chapter over the last year to a point where hundreds of people are attending meetings. The meetings are organised in advance now and have a theme. There were some really interesting people speaking at the chapter meetings including Simon Singh, James Lyne, Brian Honan and Jane Franklin. He has also engaged support from local companies with a lot more attending and sponsoring the chapter. There is a real buzz at chapter meetings and they're not just death by PowerPoint which they had been in the past."<br />
|-<br />
|[[User:cfrenz|Christopher Frenz]]<br />
|'''''Best Mission Outreach'''''<br />
<br />
'''"'''Christopher Frenz should be nominated for the Best Mission Outreach WASPY for his work as the Project Lead for the OWASP Anti-Ransomware Guide Project and the OWASP Secure Medical Device Deployment Standard Project. In the wake of WannaCry, anti-ransomware guidance has become more pertinent than ever and the project is regularly updated to keep abreast of the latest ransomware adaptations. Chris regularly shares his anti-ransomware knowledge with the security and healthcare communities and is an advocate for organizations conducting mock ransomware incidents. Chris has shared his knowledge of ransomware protections and of pertinent OWASP resources in numerous venues including articles (<nowiki>https://iapp.org/news/a/why-the-wannacry-outbreak-should-be-a-wake-up-call/</nowiki>) and conference presentations at both the local and international level (<nowiki>https://iapp.org/conference/iapp-canada-privacy-symposium/sessions/?id=a191a000000zrqPAAQ</nowiki>). A Spanish version of the guidance is also available. In addition, he has worked to call attention to the need for healthcare facilities to improve the security of their medical device implementations and is responsible for authoring version 1 of the OWASP Secure Medical Device Deployment Standard. The project has really worked to raise awareness of these issues and has been covered by CSO magazine (<nowiki>http://www.csoonline.com/article/3188230/security/how-to-securely-deploy-medical-devices.html</nowiki>) and other news sources. Chris has given interviews on medical device security for the Cloud Security Alliance and others and will be speaking on medical device security at the Defcon BioHacking Village. Chris is always willing to share his knowledge with all who ask and is an active member of the NYC and Brooklyn OWASP chapters."<br />
|-<br />
|[[User:Fuentes.joaquin|Joaquin Fuentes]]<br />
|'''''Best Mission Outreach'''''<br />
"For all he has done to build up the Phoenix OWASP community. Prior to Joaquin taking point the community in Phoenix was dead. Meetings weren't happening on a regular basis. The prior leaders had done a great job but I think they had burnt out. Joaquin started the community back up and got corporate support from his employer to facilitate not only regular meetings but great meetings with great content. He also implemented MeetUp. I'm not a consistent attendee because of my work/life schedule but I always know when the meetings are happening and what the subject matter will be because of Joaquin utilizing MeetUp."<br />
<br />
'''2nd Citation:''' "Joaquin has been leading the OWASP Phoenix chapter and due to his initiative, has placed Phoenix on the map as a hub for application security. I would like to nominate him because he is always bringing in new and interesting speakers that provide great content. The most recent OWASP chapter meeting had over 60 attendees!"<br />
<br />
'''3rd Citation''': "Joaquin Fuentes has had a big impact in raising attendance at the Phoenix meetings to more than 100 people monthly. The quality has gotten significantly better under his leadership. He has organized many speakers, including recruiting speakers from out of the area that have significantly developed the knowledge base of the community. Joaquin is a pen testing manager at Early Warning and he shares his professional knowledge to help us all become better in the practice of information security."<br />
<br />
'''4th Citation''': "My job takes me to many different OWASP Chapters, along with ISSA, CSA, ISACA, etc.<br />
The Phoenix OWASP Chapter was DEAD before Joaquin volunteered to lead the Chapter a few years ago.<br />
It is now consistently one of the BEST ITSec community gatherings, and I go out of my way to be in Phoenix for their meetings.<br />
To put it a different way, at my first Phoenix OWASP meeting there were less than 12 attendees, including myself and the speaker. Last week it was standing room only (75+) *and* there would have been more if Interstate 17 hadn't been closed in both directions at the start of rush-hour.<br />
Part of the reason Joaquin deserves this award is that he is EXTREMELY knowledgeable about AppSec and many other aspects of data security and he is ALWAYS friendly and willing to share. His day-job is no picnic, but he finds the time to put together great meetings and do it in a way that everybody has a good time."<br />
|-<br />
|[https://www.owasp.org/index.php/User:Tanyajanca Tanya Janca]<br />
|'''''Best Mission Outreach'''''<br />
"Tanya has been instrumental in outreach in the Ottawa Ontario Canada region building membership and participation in the local OWASP chapter, as well as building bridges with other local organizations (Python user group, Ruby Rails user group, WIA, etc.). Tanya has also been a driver in getting a mentoring program setup via the Ottawa chapter. She has also encouraged participation in local CTF events, presented at local conferences (BSides, etc). Tanya's enthusiasm, support, and interaction is often contagious (in a good way :) ). Lastly, Tanya is a strong advocate or evangelist for OWASP projects, promoting such as appropriate per audience/presentation (including, but not limited to: ZAP, Top 10, SKF)."<br />
<br />
'''2nd Citation:''' "Tanya Janca is an excellent ambassador for OWASP. Since her entry into the lead team of the OWASP Ottawa chapter, she has doubled the size of the chapter and developed the chapter into a meeting place for dozens of women interested in Application Security.<br />
Tanya Janca is an energetic speaker who held a fantastic presentation at AppSecEU in Belfast. <nowiki>https://www.youtube.com/watch?v=mPTmuaC2lOI</nowiki> She was subsequently invited to the Swiss Cyberstorm Conference where her addition to the rooster was explained in an admiring blogpost <nowiki>https://swisscyberstorm.com/2017/05/23/Introducing_Tany_Janca.html</nowiki><br />
Tanya Janca has the ability to talk security to techies and management alike. She is pushing for the adoption of OWASP practices and project by the government of Canada her employer. Having been nominated for the Government of Canada’s CIO Award for “Excellent in Security” in 2016 she refused to move into the private sector, but continues to support the security community inside the public sector, where her excellent know-how is very important."<br />
<br />
'''3rd Citation:''' "Tanya Janca has been performing “outreach” and “recruitment of women” as her main chapter leader responsibilities for the Ottawa chapter since 2015. The chapter has not only grown by over 500% in that time, but female membership has grown from 2 female members to over 70 (the chapter has grown for many reasons, some of which are her promotional efforts). Activities include starting a mentoring program that matches senior AppSec members of the community with juniors or people who are hoping to get into Application Security; attending all sorts of technology meetups (but especially female-centric ones) to talk about OWASP and personally invite them to attend; bringing OWASP products, concepts and resources to the Canadian Government (and is currently attempting to sway policy to be more application security focused as we speak); as well as performing over 40 public speaking engagements that describe OWASP as “Your new BFF” as part of the application security lesson she has taught. She has also begun speaking at conferences semi-regularly, singing OWASP’s praises as part of every presentation. She also forms female groups to attend events together, to make them more accessible, such as her all-female team for the Ottawa iHack CTP and “Learn by Breaking things” event in June 2017 and her all female CTF team for OWASP Ottawa’s first CTF in 2015. Her claim of being an “application security evangelist” certainly seems fitting."<br />
|-<br />
|Kitisak Jirawannakool<br />
|'''''Best Mission Outreach'''''<br />
<br />
"Web security is notoriously bad in Thailand, so an actives security community is sorely needed. Kitisak is a central figure in that community. He has worked on establishing the OWASP Bangkok chapter for the past six years, organizing meetups, community outreach and engaging with security experts internationally. His work has played a pivotal role in creating IT security awareness in the fast-growing South-East-Asian country."<br />
|-<br />
|James Manico<br />
|'''''Best Mission Outreach'''''<br />
"Jim's influence on OWASP materials (and therefore on application security) is amazing - he's cited on nearly every cheat sheet on OWASP Top 10 document. His name is synonymous with application security."<br />
<br />
'''2nd Citation: "'''While Jim may not be the "unsung hero" - he is the first and foremost cheerleader/champion of OWASP. His efforts and contributions are innumerable. As anyone who knows Jim - he is not a reserved individual when touting the resources available via OWASP. He has likely done more then anyone else working with OWASP to bring together, motivate, and get individuals to contribute to OWASP. From the immensely popular checklists to motivating individuals to contribute. OWASP would not be nearly as successful as it has been without Jim." <br />
|-<br />
|Mateo Martinez<br />
|'''''Best Mission Outreach'''''<br />
"Mateo is one of the leaders in Latin America more recognized, during the last years his efforts to join the chapters chapter along with other leaders of Latam made that the community grew and that today the Latam Tour 2017 has more than 15 participating countries. He also managed to spread the spirit of owasp and help establish new chapters in the region.<br />
The effort to maintain more communication between OWASP GLobal and local communities is reflected in each activity that encourages other leaders to ensure that they strive every day to spread Owasp projects and to grow the community."<br />
|-<br />
|Mark Miller<br />
|'''''Best Mission Outreach'''''<br />
<br />
"The OWASP Podcast is a effort that is in line with the mission of OWASP raising visability for software security. This is a VERY powerful voice in the community globally and Mark Miller should be applauded for his efforts on this<br />
<nowiki>https://www.owasp.org/index.php/OWASP_Podcast</nowiki>"<br />
|-<br />
|[https://www.owasp.org/index.php/Dhiraj_Mishra Dhiraj Mishra]<br />
|'''''Best Mission Outreach'''''<br />
<br />
"Dhiraj was nominated for WASPY 2016, his contribution to the community is from past one 'n half year in various areas, start from the projects, local volunteering and what not, he was also listed in OWASP Hall Of Fame."<br />
|-<br />
|[[User:Owen_Pendlebury|Owen Pendlebury]]<br />
|'''''Best Mission Outreach'''''<br />
"Owen is an active participator in OWASP meetings and has been a great inspiration to me.<br />
He has shown himself to be a great leader and OWASP advocate.<br />
Owen has recommended other AppSec communities in which I have become involved in since moving to Dublin. He is an evangelist for women in technology and I have witnessed this first hand.<br />
I don't hesitate to recommend Owen for this award."<br />
<br />
'''2nd Citation:''' "Owen has introduced me to the OWASP Community in Ireland and EU. Help me to get involve with Women in AppSec and participate in the AppSec EU event in Belfast. He is a great leader, who enjoys talking about OWASP and the great community behind it.<br />
I've moved to Ireland a couple of months ago, and getting to know Owen and the OWASP community has completely changed my life, both professionally and personally. <br />
So, yes, I would like to nominate Owen Pendlebury because he the proof that Women in AppSec is not just a women matter. :)"<br />
|-<br />
|[https://www.owasp.org/index.php/Sriram Sriram Shyam]<br />
|'''''Best Mission Outreach'''''<br />
"Sriram has been conducting awareness program to the college students. Sriram has created awareness among 12000 Students without the support of anyone."<br />
|-<br />
|[[User:Nwhysel|Noreen Whysel]]<br />
|'''''Best Mission Outreach'''''<br />
<br />
"Noreen is helping each day to improve OWASP members' experiences bringing her expertise and knowledge as a mentor and projects as a Chapter Leader, one member at a time. She understands what members want, how to improve member benefits and is applying that knowledge to improving local and global member experiences from the ground up. Her efforts are multiplied by her sharing of knowledge and grassroots approach creating a membership groundswell."<br />
|-<br />
|Aatral Arasu<br />
|'''''Best Innovator''''' <br />
"A great leader always there to help responds to emails quickly loves his work works very hard every day very supportive never loses focus strong willed very technical and willing to do things himself to get the job done when asked for something he will get it to you ASAP constant learner open to suggestions and ideas on how to be better respectful honest caring and I am certain HRC will make it big very soon :)"<br />
|-<br />
|Sean Auriti<br />
|'''''Best Innovator''''' <br />
"Sean leads the BLT Project and is a Team Leader for the Learning Gateway project. He has helped improve the quality of web experiences, including OWASP.org ."<br />
|-<br />
|[https://www.owasp.org/index.php/Glenn_%26_Riccardo_ten_Cate Glenn & Riccardo ten Cate]<br />
|'''''Best Innovator'''''<br />
"I am hereby nominating the brothers Glenn & Riccardo ten Cate from the Netherlands for the WASPY award in this category. They are known for their work on the open-source project SKF (Security Knowledge Framework). These are two guys who are dedicated to spreading security knowledge trough the means OWASP has to offer. You might have encountered them talking at seminars, promoting their project and OWASP, or different companies where they teach development teams how to integrate the OWASP core principles in their workflow using their project. Not only professional development teams but also students of security can only be amazed at the sheer knowledge they gathered and contribute to the global OWASP community trough open source. The sheer effort they put in this project teaches, guides, structures and shows by example how to test and write secure applications by design. There is no other software out there that does this. And that is why they deserve this nomination for best innovator 2017."<br />
|-<br />
|Mark Deenihan<br />
|'''''Best Innovator''''' <br />
"Mark for his constant devotion and work on the OWASP security shepherd project and continuing to develop it and teach people globally about app sec."<br />
|-<br />
|Seba Deleersnyder<br />
|'''''Best Innovator''''' <br />
"One of the main projects to date is SAMM. Seba with the support of project colliders has made this a flagship project of OWASP. The level of maturity and the number of improvements obtained indicates that this project is one of the most mature and a great projection to the future."<br />
|-<br />
|[[User:cfrenz|Christopher Frenz]]<br />
|'''''Best Innovator''''' <br />
"Chris' projects are opening doors for OWASP in the standards development and getting the word out about important IoT with his Medical Device Deployment Standard: <nowiki>https://www.owasp.org/index.php/OWASP_Secure_Medical_Device_Deployment_Standard</nowiki> which already has a Turkish translation and attracted attention from the Turkish public health department. He has delivered presentations at meetups, and presenting to the IDESG, www.idesg.org in July. He has a "soup label" tool that gives simple guidance for the implementation of the OSMDDS. This is not Chris' first project but it is surely one of the best OWASP innovations of the year."<br />
|-<br />
|[[User:Fuentes.joaquin|Joaquin Fuentes]]<br />
|'''''Best Innovator''''' <br />
"Joaquin has been leading the OWASP Phoenix chapter and due to his initiative, has placed Phoenix on the map as a hub for application security. I would like to nominate him because he is always bringing in new and interesting speakers that provide great content. The most recent OWASP chapter meeting had over 60 attendees!"<br />
<br />
'''2nd Citation:''' "Joaquin Fuentes has had a big impact in raising attendance at the Phoenix meetings to more than 100 people monthly. The quality has gotten significantly better under his leadership. He has organized many speakers, including recruiting speakers from out of the area that have significantly developed the knowledge base of the community. Joaquin is a pen testing manager at Early Warning and he shares his professional knowledge to help us all become better in the practice of information security."<br />
|-<br />
|Evin Hernandez<br />
|'''''Best Innovator''''' <br />
"Evins focus on the core of the information security platform with Virtual Village has provided the global community with a place to experiment and leverage for testing... <nowiki>https://www.owasp.org/index.php/OWASP_Virtual_Village_Project</nowiki>"<br />
|-<br />
|[https://www.owasp.org/index.php/Jeremy_Long Jeremy Long]<br />
|'''''Best Innovator''''' <br />
"Considering how often projects have a great start and plateau, we should recognize the ongoing effort and dedication given to one of the Flagship projects in our community.<br />
Jeremy Long has continued to not only maintain the Dependency Check project but develop and improve it each year.<br />
This year he added Improvements in the core dependency-check platform in terms of code quality, achieved 100% for the CII Best Practices for dependency-check, continued to develop the ODC community with several contributors submitting PRs, and over the last several months he's been working on platform maturity and will be releasing 2.0.0 in the first half of July 2017.<br />
After 2.0 is released he has planned work on Python support and expanding the tool by integrating additional data-sources such as Artifactory, Redhat Victim's, OSS-Index, etc."<br />
<br />
'''2nd Citation:''' "Jeremy has been an avid contributor/leader for the OWASP dependency-check project. Under his leadership the project has garnered substantial community support in terms of pull requests, improved code quality via Sonarcloud, Coverity, Codacy, and CII Best Practices. While the last six months have been primarily around code quality and bug fixes; these improvements are setting the dependency-check project up for major enhancements over the coming months!"<br />
|-<br />
|[[User:DanielMiessler|Daniel Miessler]]<br />
|'''''Best Innovator'''''<br />
"Daniel seems to be everywhere at once - despite have a full-time job, he is leading or co-leading several OWASP projects, has created ideas for groups out of thin air, and has performed work in much needed areas.<br />
This year, Daniel has lead or co-lead the Internet of Things security project, completed an IoT: Medical Devices attack surface overview, and created the Game Security project."<br />
|-<br />
|[https://www.owasp.org/index.php/Dhiraj_Mishra Dhiraj Mishra]<br />
|'''''Best Innovator'''''<br />
<br />
"Dhiraj is one of the top contributor in OWASP Cheat Sheet Project, which have security guidance in an easy read format, his contribution for SQL Injection WAF Bypass and XSS Evasion - OWASP, was mostly recommended and used by Cyber Security professional, dhiraj has contributed to Benchmark project by contributing SQLi/XSS fuzz vectors as initial contribution towards adding support for WAF/RASP scoring and many such projects."<br />
|-<br />
|[[User:Bernhard_Mueller|Bernhard Mueller]]<br />
|'''''Best Innovator'''''<br />
"During the last 18 months Bernhard has been spearheading the OWASP Mobile Testing Guide Project. He has invested several man-months of writing, editing, reviewing, rallying authors, and pushing the project into new directions. This also resulted in the novel agile book writing process and book production pipeline which enables OWASP to produce a professional tech book. The project has produced a security standard and early-release ebook, and is on track become one of OWASP's main flagship projects."<br />
|-<br />
|Steve Springett<br />
|'''''Best Innovator'''''<br />
"Steve's work on dependency-track is fantastic - he's moved forward to address the next round of issues, with an innovative solution all companies can leverage."<br />
|-<br />
|thc202<br />
|'''''Best Innovator'''''<br />
"Simon Bennets "wingman" in the ZAP project, by now even the top committer in the project! (<nowiki>https://github.com/zaproxy/zaproxy/graphs/contributors</nowiki>) So "unsung of" that I do not even know his real name!"<br />
|}<br />
<br />
==Results==<br />
Coming July 25, 2017<br />
<br />
==Sponsorship Opportunities==<br />
The support from our sponsors, is what makes these awards truly successful!<br />
<br />
Sponsorships coming soon!<br />
<br />
==Communication==<br />
# June 7, 2017 Email to the Leaders & Community list. Posted to the OWASP [https://owasp.blogspot.com/2017/06/nominations-are-now-being-accepted-for.html Blog]<br />
# June 30, 2017 Email to the Leaders & Community list.<br />
# July 5, 2017 Email to the Nominees<br />
# July 5, 2017 Email to the Leaders & Community list, and Blog post announcing the nominees have been announced.<br />
<br />
=='''Past WASPY Awards'''==<br />
[https://www.owasp.org/index.php/WASPY_Awards_2016 2016]<br><br />
[https://www.owasp.org/index.php/WASPY_Awards_2015 2015] <br><br />
[https://www.owasp.org/index.php/WASPY_Awards_2014 2014] <br><br />
[https://www.owasp.org/index.php/WASPY_Awards_2013 2013] <br><br />
[https://www.owasp.org/index.php/WASPY_Awards_2012 2012] <br></div>Bernhard Muellerhttps://wiki.owasp.org/index.php?title=User:Bernhard_Mueller&diff=231752User:Bernhard Mueller2017-07-19T08:06:02Z<p>Bernhard Mueller: </p>
<hr />
<div>[[File:bernhardmueller.png|thumb]]<br />
<br />
= Bernhard Mueller = <br />
Bernhard is an uncertified software security specialist with a talent in hacking all kinds of systems. During more than a decade in the industry he has published many bugs and papers in a variety of fields including Internet protocols, web apps, mobile operating systems, WAFs and others. If you can name it, he has probably broken it at least once. <br />
<br />
Since early 2016, he volunteers as a project leader and author for the [https://github.com/OWASP/owasp-mstg OWASP Mobile Security Testing Guide].<br />
<br />
=== OWASP Links ===<br />
* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Testing_Guide Mobile Security Testing Guide Project Page]<br />
* [https://github.com/OWASP/owasp-mstg Mobile Security Testing Guide on GitHub]<br />
* [https://leanpub.com/mobile-security-testing-guide Mobile Security Testing Guide Early Access Edition on Leanpub]<br />
* [https://github.com/OWASP/owasp-masvs Mobile Security Verification Standard on GitHub]<br />
* [https://www.youtube.com/watch?v=THJVzf-u7Iw Fixing Mobile AppSec - AppSec EU Presentation]<br />
<br />
=== Some Papers, Talks and Security Advisories ===<br />
* Attacking Software Tokens – Advanced Reverse Engineering on Android (HITB GSEC 2016)<br />
* Cisco Call Manager Multiple Vulnerabilities CVE-2014-6271, CVE-2014-8008)<br />
* ModSecurity multipart / invalid part ruleset bypass (CVE-2014-4528)<br />
* IBM Director Privilege Escalation (CVE-2009-0880)<br />
* Microsoft SQL Server “sp_replwritetovarbin” Heap Overflow (CVE-2008-4270)<br />
* From 0 to 0day on Symbian (2008)<br />
* Perdition IMAPD Format String Vulnerability (CVE-2007-5740)<br />
<br />
=== Online Presence ===<br />
* [https://www.linkedin.com/in/bernhardm/ Linkedin]<br />
* [https://twitter.com/muellerberndt Twitter]<br />
* [https://github.com/b-mueller Github]</div>Bernhard Muellerhttps://wiki.owasp.org/index.php?title=User:Bernhard_Mueller&diff=231751User:Bernhard Mueller2017-07-19T08:05:42Z<p>Bernhard Mueller: Update profile</p>
<hr />
<div>[[File:bernhardmueller.png|thumb]]<br />
<br />
= Bernhard Mueller = <br />
Bernhard is an uncertified software security specialist with a talent in hacking all kinds of systems. During more than a decade in the industry he has published many bugs and papers in a variety of fields including Internet protocols, web apps, mobile operating systems, WAFs and others. If you can name it, he has probably broken it at least once. <br />
<br />
Since early 2016, he volunteers as a project leader and author for the [https://github.com/OWASP/owasp-mstg OWASP Mobile Security Testing Guide].<br />
<br />
=== OWASP Links ===<br />
* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Testing_Guide Mobile Security Testing Guide Project Page]<br />
* [https://github.com/OWASP/owasp-mstg Mobile Security Testing Guide on GitHub]<br />
* [https://leanpub.com/mobile-security-testing-guide Mobile Security Testing Guide Early Access Edition on Leanpub]<br />
* [https://github.com/OWASP/owasp-masvs Mobile Security Verification Standard on GitHub]<br />
* [https://www.youtube.com/watch?v=THJVzf-u7Iw Fixing Mobile AppSec - AppSec EU Presentation]<br />
<br />
=== Some Papers, Talks and Security Advisories ===<br />
* Attacking Software Tokens – Advanced Reverse Engineering on Android (HITB GSEC 2016)<br />
* Cisco Call Manager Multiple Vulnerabilities CVE-2014-6271, CVE-2014-8008)<br />
* ModSecurity multipart / invalid part ruleset bypass (CVE-2014-4528)<br />
* IBM Director Privilege Escalation (CVE-2009-0880)<br />
* Microsoft SQL Server “sp_replwritetovarbin” Heap Overflow (CVE-2008-4270 / MSF: )<br />
* From 0 to 0day on Symbian (2008)<br />
* Perdition IMAPD Format String Vulnerability (CVE-2007-5740)<br />
<br />
=== Online Presence ===<br />
* [https://www.linkedin.com/in/bernhardm/ Linkedin]<br />
* [https://twitter.com/muellerberndt Twitter]<br />
* [https://github.com/b-mueller Github]</div>Bernhard Muellerhttps://wiki.owasp.org/index.php?title=File:Bernhardmueller.png&diff=231750File:Bernhardmueller.png2017-07-19T08:05:08Z<p>Bernhard Mueller: </p>
<hr />
<div></div>Bernhard Muellerhttps://wiki.owasp.org/index.php?title=OWASP_Mobile_Security_Testing_Guide&diff=231237OWASP Mobile Security Testing Guide2017-07-05T03:34:49Z<p>Bernhard Mueller: /* July 5th, 2017: Sponsorship Packages Announced */</p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_MSTG_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==Our Vision ==<br />
<br />
=== '''"Define the industry standard for mobile application security."''' ===<br />
<br />
We are writing a security standard for mobile apps and a comprehensive testing guide that covers the processes, techniques, and tools used during a mobile app security test, as well as an exhaustive set of test cases that enables testers to deliver consistent and complete results.<br />
<br />
== Early-Access Ebook ==<br />
<br />
{| cellpadding="5"<br />
|-<br />
| [[File:Early-access-mini.jpg|link=https://leanpub.com/mobile-security-testing-guide]]<br />
| '''Mobile Security Testing Guide - Early Access'''<br />
The early access edition contains sample chapters with content on mobile security testing and reverse engineering. Feel free to download it for $0 or contribute any amount you like. All funds raised through sales of this book go directly into the project budget and will be used to fund production of the final release.<br />
|}<br />
<br />
== Main Deliverables ==<br />
<br />
{| cellpadding="5"<br />
|-<br />
| [[File:mstg-mini-3.jpg|link=https://www.github.com/OWASP/owasp-mstg/]]<br />
| '''Mobile Security Testing Guide'''<br />
A comprehensive guide for iOS and Android mobile security testers with the following content:<br />
# Mobile platform internals<br />
# Security testing in the mobile app development lifecycle<br />
# Basic static and dynamic security testing<br />
# Mobile app reverse engineering and tampering<br />
# Assessing software protections<br />
# Detailed test cases that map to the requirements in the MASVS.<br />
The MSTG is a work-in-progress. Currently, we hope to be "feature-complete" in Q3 2017. You can contribute and comment in the [https://github.com/OWASP/owasp-mstg GitHub Repo]. A book version of the current master branch is available on [https://b-mueller.gitbooks.io/the-owasp-mobile-security-testing-guide/content/ Gitbook].<br />
|-<br />
| [[File:masvs-sample-mini.jpg|link=https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf]]<br />
| '''Mobile App Security Requirements and Verification'''<br />
The [https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf OWASP Mobile Application Security Verification Standard (MASVS)] is a standard for mobile app security. It can be used by mobile software architects and developers seeking to develop secure mobile applications, as well as security testers to ensure completeness and consistency of test results. The latest release is [https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf version 0.9.3].<br />
|-<br />
| [[File:checklist.jpg|link=https://www.owasp.org/images/1/1b/Mobile_App_Security_Checklist_0.9.3.xlsx]]<br />
| '''Mobile App Security Checklist'''<br />
A checklist for use in security assessments. Also contains links to the MSTG test case for each requirement. The current release is [https://www.owasp.org/images/1/1b/Mobile_App_Security_Checklist_0.9.3.xlsx version 0.9.3].<br />
|}<br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Breakers]] <br />
[[Category:OWASP_Document]]<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="center" width="50%" | [[File:Owasp-breakers-small.png|link=https://www.owasp.org/index.php/Breakers]]<br />
|<br />
|-<br />
| align="center" valign="center" width="50%" | <br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
== Project Leaders ==<br />
<br />
<span style="color:#ff0000"><br />
<br />
[https://www.owasp.org/index.php/User:Bernhard_Mueller Bernhard Mueller]<br />
<br />
[https://www.owasp.org/index.php/User:Sven_Schleier Sven Schleier]<br />
<br />
== Road Map ==<br />
<br />
* Q3 2017: Beta release<br />
* Q4 2017: Version 1.0<br />
* Q1 2018: Produce A Printable Book<br />
<br />
== Parent Project ==<br />
<br />
[[OWASP_Mobile_Security_Project]]<br />
<br />
==Licensing==<br />
<br />
The guide is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
|}<br />
<br />
=How-To=<br />
<br />
== Using the OWASP Mobile App Security Verification Standard, Testing Guide and Checklist ==<br />
<br />
The documents produced in this project cover many aspects of mobile application security, from the high-level requirements to the nitty-gritty implementation details and test cases. They can be used to plan and verify security controls during any phase of mobile app development, as well as during pre-release code review and penetration testing.<br />
<br />
# The [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf Mobile Application Security Verification Standard (MASVS)] contains generic security requirements along with mappings to verification levels that can be chosen depending on the overall need for security.<br />
# The [https://github.com/OWASP/owasp-mstg Mobile Security Testing Guide (MSTG)] provides verification instructions for each requirement in the MASVS, as well as security best practices for apps on each supported mobile operating system (currently Android and iOS). It is also useful as a standalone learning resource and reference guide for mobile application security testers.<br />
# The [https://www.owasp.org/images/6/6f/Mobile_App_Security_Checklist_0.9.2.xlsx Mobile App Security Checklist] can be used to apply the MASVS requirements during practical assessments. It also conveniently links to the MSTG test case for each requirement, making mobile penetration testing a breeze.<br />
<br />
It is important to note that the security standard, testing guide and checklists are closely related: They all map to the same basic set of requirements. Depending on the context, the documents can be used stand-alone or in combination to achieve different objectives.<br />
<br />
[[File:Overview-800px.jpg]]<br />
<br />
For example, the MASVS requirements may be used in the planning and architecture design stages, while the checklist and testing guide may serve as a baseline for manual security testing or as a template for automated security tests.<br />
<br />
== Mobile App Security Testing ==<br />
<br />
The [https://www.owasp.org/images/9/94/Mobile_App_Security_Verification_Checklist_0.8.2.xlsx checklist] works great as a reference during mobile app security assessments. You can walk through the requirements one-by-one - for more information on each requirement, simply click on the link in the "Testing procedures" column. Or, fill out the checklist at the end of an assessment to ensure completeness. <br />
<br />
== Security Engineering in the SDLC ==<br />
<br />
Properly defined security requirements are an important part of the Secure SDLC. The [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf MASVS] levels can be used along with threat modeling to determine the appropriate set of security controls for a particular mobile app. MASVS V1 also lists requirements pertaining to the architecture and design of the mobile apps, as well as general processes and activities that should be part of the development process.<br />
<br />
== Mobile App Security Education ==<br />
<br />
The [https://github.com/OWASP/owasp-mstg Mobile Security Testing Guide] can be used as a standalone learning resource. Its main chapters contain general how-tos and tutorials that cover a variety of topics from mobile OS internals to advanced reverse engineering techniques.<br />
<br />
= Sponsorship Packages =<br />
With the Mobile Security Testing Guide sponsorship packages, we offer companies opportunities to create brand awareness and maximize visibility in the mobile security space. A limited amount of sponsorship packages will be made available shortly through our crowdfunding campaign. <br />
<br />
The following packages will be available (or [[:File:MSTG-Sponsor-Packages.pdf|download as PDF]] ):<br />
<br />
=== Good Samaritan (USD 500) ===<br />
* Listed as supporter on the project website and GitHub<br />
* Listed as supporter in the printed and ebook versions<br />
* 5 Paperback Books<br />
<br />
=== Honourable Benefactor (USD 2,000 / 10 Available) ===<br />
* Small company logo in the “Honourable Benefactors” section on project website and Github<br />
* Small company logo on the sponsors page of the printed and ebook versions<br />
* 10 Paperback Books<br />
<br />
=== God Mode Sponsor (USD 4,000 / 5 Available) ===<br />
* Large company logo in the “God mode sponsors” section on project website and Github<br />
* Large company logo on the sponsors page of the printed and ebook versions<br />
* 20 Paperback Books<br />
<br />
== Pre-book a package ==<br />
Contact [mailto:bernhard&#x5B;dot&#x5D;mueller&#x5B;at&#x5D;owasp&#x5B;dot&#x5D;org Bernhard Mueller] to reserve your slot. We will contact you as soon as the packages become available.<br />
<br />
==Why Sponsors?==<br />
<br />
As it turns out, writing a book to a professional standard is a challenging task, even more so if there's 50+ authors that aren't necessarily native speakers. Also, professional editors, graphic designers and layouters don't work for free. Thus, some funds are needed to make the tech book a reality.<br />
<br />
100% of the funds raised go directly into the project budget and will be used to fund production of the final release, including:<br />
<br />
* Editing and proofreading by professional editors<br />
* Graphic design and layout<br />
* Purchase an ISBN<br />
<br />
Any leftover funds will be donated to the OWASP Foundation to the mobile security project for future use.<br />
<br />
=News=<br />
<br />
== July 5th, 2017: Sponsorship Packages Announced == <br />
<br />
We are happy to announce that a limited amount of [[:File:MSTG-Sponsor-Packages.pdf|sponsorship packages]] will be made available shortly through our crowdfunding campaign. With these packages, we offer companies opportunities to create brand awareness and maximize visibility in the mobile security space. 100% of the funds raised go directly into the project budget and will be used to fund production of the final release.<br />
<br />
== June 17th, 2017: The OWASP Mobile Security Testing Guide - Summit Preview ==<br />
<br />
The MSTG Summit Preview is an experimental proof-of-concept book created on the OWASP Summit 2017 in London. The goal was to improve the authoring process and book deployment pipeline, as well as to demonstrate the viability of the project. Note that the content is not final and will likely change significantly in subsequent releases.<br />
<br />
Download the ebook [https://github.com/OWASP/owasp-mstg/releases/download/1.0/owasp-mstg-summit-edition.epub here].<br />
<br />
== Mobile Security Testing Workshop on the OWASP Summit 2017 ==<br />
<br />
The OWASP MSTG team is organizing a 5-days mobile security track on the OWASP Summit 2017. The track consists of a series of book sprints, each of which focuses on producing content for a specific section in the OWASP MSTG, as well as proof-reading and editing the existing content. The goal is to make as much progress on the guide as is humanly possible. Depending on the number of participants, we’ll split into sub-groups to work on different subsections or topic areas.<br />
<br />
=== How to Join ===<br />
<br />
Join up for the working session(s) you like by following the link(s) on the [http://owaspsummit.org/Working-Sessions/Mobile-Security/ mobile security track page], then hitting the "Edit this page here" link at the bottom, and adding yourself to the "participants" field. Signing up is not mandatory, but helps us to better organize the sessions. Don’t worry though if your session of choice happens on the "wrong" day - you can always simply stop by and we’ll brief you on your topic of choice. After all, this is the Woodstock of appsec!<br />
<br />
Mobile security track main page:<br />
<br />
http://owaspsummit.org/Working-Sessions/Mobile-Security/<br />
<br />
Mobile security track schedule:<br />
<br />
http://owaspsummit.org/schedule/tracks/Mobile-Security.html/<br />
<br />
== April 5th, 2017: Mobile App Security Verification Standard Update ==<br />
<br />
[https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf Version 0.9.3] of the MASVS is now [https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf available for download] . This release contains several bug fixes and modifications to security requirements:<br />
<br />
* Merged requirements 7.8 and 7.9 into for simplification<br />
* Removed Anti-RE controls 8.1 and 8.2<br />
* Updated MSTG links to current master<br />
* Section "Environmental Interaction" renamed to "Platform Interaction"<br />
* Removed To-dos<br />
* Fixed some wording & spelling issues<br />
<br />
== January 31st, 2017: Mobile App Security Verification Standard v0.9.2 Available For Download ==<br />
<br />
The Mobile App Security Verification Standard (MASVS) has undergone a major revision, including a re-design of the security model and verification levels. We also revised many security requirements to address the multitude of [https://github.com/OWASP/owasp-masvs/issues?q=is%3Aissue%20 issues raised on GitHub]. The result is MASVS v0.9.2, which is now [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf available for download in PDF format].<br />
<br />
As the MASVS is nearing maturity, we have decided to freeze the requirements until the Mobile Testing Guide and checklists "catch up" (due to the one-to-one mapping between requirements in the MASVS and MSTG, changes to the requirements make it necessary to update the other documents as well, causing repeated effort). Unless major issues pop up, the current list will therefore remain in place until MASVS/MSTG v1.0, and further changes will be reserved for v1.1 or later releases.<br />
<br />
The MASVS is a community effort to establish security requirements for designing, developing and testing secure mobile apps on iOS and Android. Join the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel] to meet the project members! You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
== January 28th, 2017: Mobile Crackmes and Reversing Tutorials ==<br />
{| cellpadding="5"<br />
|-<br />
| [[File:uncrackable-250.png|link=]]<br />
| <br />
A key goal of the OWASP Mobile Testing Project is to build the ultimate learning resource and reference guide for mobile app reversers. As hands-on hacking is by far the best way to learn, we'd like to link most of the content to practical examples. <br />
<br />
Starting now, we'll be adding [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes crackmes for Android and iOS] to the [https://github.com/OWASP/owasp-mstg GitHub repo] that will then be used as examples throughout the guide. The goal is to collect enough resources for demonstrating the most important tools and techniques in our guide, plus additional crackmes for practicing. For starters there are three challenges:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/OMTG-Files/02_Crackmes/01_Android/01_License_Validation Android License Validator]<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes/iOS/Level_01/ Uncrackable App for iOS Level 1]<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes/iOS/Level_02/ Uncrackable App for iOS Level 2]<br />
<br />
|}<br />
<br />
One of these three already has a [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md#symbolicexec documented solution] in the guide. Tutorials for solving the other two [https://github.com/OWASP/owasp-mstg/blob/master/OMTG-Files/02_Crackmes/List_of_Crackmes.md still need to be added].<br />
<br />
=== We Need More Authors and Contributors! ===<br />
<br />
Maybe you have noticed that [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html the reverse engineering sections in the Mobile Testing Guide are incomplete]. The reason: We're still in the starting stages and don't have a lot of authors and contributors (in fact, 99% of the reversing content was produced by one guy). We'd love to welcome *you* as a contributor of crackmes, tutorials, writeups, or simply new ideas for this project. <br />
<br />
==== What You Can Do ====<br />
<br />
The OWASP MSTG is an open project and there's a lot of flexibility - it mostly depends on your skill set and willingness to commit your time. That said, the some areas that need help are:<br />
<br />
* Solving crackmes and contributing a tutorial to the guide (preferable a technique that's not already documented. Check the [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html TOC] first).<br />
* Writing and adding new crackmes along with solutions (should also describe something not already in the guide. Cracking white-boxes, dynamic analysis using an emulator / introspection, etc. etc.).<br />
* General reversing write-ups to describe specific processes and techniques<br />
* Help us figure out [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x07b-Assessing_Software_Protections.md resiliency testing processes] and [https://github.com/b-mueller/obfuscation-metrics obfuscation metrics]<br />
<br />
The reversing part of the guide consists of the following chapters:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05-Testing-Processes-and-Techniques.md#tampering-and-reverse-engineering Tampering and Reverse Engineering - General Overview]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md#tampering-and-reverse-engineering-on-android Tampering and Reverse Engineering on Android]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Reverse-Engineering-and-Tampering-iOS.md#tampering-and-reverse-engineering-on-ios Tampering and Reverse Engineering on iOS]<br />
<br />
==== How To Join ====<br />
<br />
Read the [https://github.com/OWASP/owasp-mstg/blob/master/authors_guide.md author's guide] first, and join the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel], where you'll find all the other project members. You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
== January 22nd, 2017: Mobile Testing Guide TOC Available ==<br />
<br />
As of now, we'll be auto-generating a [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html table of contents] out of the current MSTG master branch. This reflects the current state of the guide, and should make it easier to coordinate work between authors. A short-term goal is to finalize the structure of the guide so we get a clearer picture of what will be included in the final document. Lead authors are encouraged to complete the outline of their respective chapters. <br />
<br />
'''On another note, we still need additional authors to help with all sections of the guide, including mobile operating system overviews, testing processes and techniques, and reverse engineering.''' Especially iOS authors are in short supply! As usual, ping us on the [https://owasp.slack.com/messages/project-mobile_omtg/details/ Slack Channel] if you want to contribute.<br />
<br />
== December 4th, 2016: Call For Authors: The Ultimate Open-Source Mobile App Reverse Engineering Guide ==<br />
<br />
Reverse engineering is an art, and describing every available facet of it would fill a whole library. The sheer range techniques and possible specializations is mind-blowing: One can spend years working on a very specific, isolated sub-problem, such as automating malware analysis or developing novel de-obfuscation methods. For mobile app security testers, it can be challenging to filter through the vast amount of information and build a working methodology. Things become even more problematic when one is tasked to assess apps that are heavily obfuscated and have anti-tampering measures built in.<br />
<br />
One of the main goals in the MSTG is to build the ultimate resource for mobile reverse engineers. This includes not only basic static and dynamic analysis, but also advanced de-obfuscation, scripting and automation. Obviously, writing all this content is a lot of work, both in terms of general content and OS-specific how-tos. We're therefore looking for talented authors that want to join the project early on. Topics include the following:<br />
<br />
* Basic Hybrid Static/Dynamic Analysis<br />
* Code Injection and Dynamic Instrumentation (Substrate, FRIDA)<br />
* Dynamic Binary Instrumentation (Valgrind, PIE)<br />
* Analysis Frameworks (Metasm / Miasm)<br />
* Symbolic Execution<br />
* DCA and DPA attacks on white-box crypto<br />
* Dynamic analysis frameworks (PANDA / DroidScope,...)<br />
* Anything else we might have missed<br />
<br />
=== What is in for me? ===<br />
<br />
All of this is unpaid, volunteer work. However, depending on your contribution, you will be named in the "lead authors" or "contributors" list, and you'll be able to point to the fact that you co-authored the guide. You'll also be contributing to the field, helping others who are just starting out, and in turn becoming a happier person yourself (reaping the full benefits of your altruism).<br />
<br />
=== Where do I sign up? ===<br />
<br />
First of all, have a look at the existing RE chapters outline:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05-Testing-Processes-and-Techniques.md#tampering-and-reverse-engineering Generic / Introduction]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md Android]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Reverse-Engineering-and-Tampering-iOS.md#tampering-and-reverse-engineering-on-ios iOS]<br />
<br />
You'll probably immediately have ideas on how you can contribute. If that's the case, read the [https://github.com/OWASP/owasp-mstg/blob/master/authors_guide.md author's guide] first. <br />
<br />
Then contact [https://github.com/b-mueller Bernhard Mueller] - ideally directly on the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel], where you'll find all the other project members. You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
=FAQs=<br />
<br />
==How can I participate in your project?==<br />
<br />
'''We are searching for additional authors, reviewers and editors.''' The best way to get started is to browse the [https://b-mueller.gitbooks.io/owasp-mobile-security-testing-guide/content/ existing content]. Also, check the [https://github.com/OWASP/owasp-mstg/projects/1 project dashboard] for a list of open tasks.<br />
<br />
Drop a us line on the [https://owasp.slack.com/messages/project-mobile_omtg/details/) Slack channel] before you start working on a topic. This helps us to keep track of what everyone is doing and prevent conflicts. You can create a Slack account here:<br />
<br />
http://owasp.herokuapp.com/<br />
<br />
Before you start contributing, please read our brief [https://github.com/OWASP/owasp-mstg/blob/master/style_guide.md style guide] which contains a few basic writing rules.<br />
<br />
If there's something you really want to see in the guide, or you want to suggest an improvement, create an issue [https://github.com/OWASP/owasp-mstg/issues issue] or ping us on [https://owasp.slack.com/messages/project-mobile_omtg/details/ Slack].<br />
<br />
==Where do you guys need help the most?==<br />
<br />
There's a lot of areas where you can help out:<br />
<br />
* Writing original content, such as describing testing processes and writing test cases. We're all doing this in our spare time, which unfortunately means that things sometimes slow down to a crawl. If you're knowledgeable in some area and have time available, we'd be incredibly thankful to anyone who contributes, even if it's only one or two test cases.<br />
<br />
* Reviewing content and giving feedback. The proper channel for questions and feedback is the GitHub issues system of the respective repo, contacting us on [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel] is another possibility.<br />
<br />
* Developing tools. For example, we still don't have an automated way of generating checklists out of the GitHub repo.<br />
<br />
* Contributing to auxiliary projects: The [https://github.com/b-mueller/obfuscation-metrics obfuscation metrics project] is an auxiliary project that deals with specific forms of control flow and data obfuscation. This project needs experts in advanced obfuscation / de-obfuscation. Please contact us if you have experience in this area.<br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator.<br />
<br />
==I contributed to the original Google Doc, but I'm not credited in the new version of the MSTG? ==<br />
As we migrated some of the existing content, we did our best to backtrack the original authors and credit them appropriately. We also added a [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x02-Frontispiece.md revision history] that lists all the authors from old Google Docs. If you are not on that list but feel you should be, please contact [https://github.com/b-mueller Bernhard] or [https://github.com/sushi2k Sven] and they'll fix it. Or better yet, re-join the author's team and start contributing to the new guide.<br />
<br />
= Acknowledgements =<br />
<br />
== Acknowledgments ==<br />
<br />
=== Authors ===<br />
<br />
====Bernhard Mueller ====<br />
<br />
Bernhard is a cyber security specialist with a talent in hacking all kinds of systems. During more than a decade in the industry, he has published many zero-day exploits for software such as MS SQL Server, Adobe Flash Player, IBM Director, Cisco VOIP and ModSecurity. If you can name it, he has probably broken it at least once. His pioneering work in mobile security was commended with a BlackHat "Best Research" Pwnie Award.<br />
<br />
==== Sven Schleier ====<br />
<br />
Sven is an experienced penetration tester and security architect who specialized in implementing secure SDLC for web application, iOS and Android apps. He is a project leader for the OWASP Mobile Security Testing Guide and the creator of OWASP Mobile Hacking Playground. Sven also supports the community with free hands-on workshops on web and mobile app security testing. He has published several security advisories and a white papers about a range of security topics.<br />
<br />
=== Co-Authors ===<br />
<br />
==== Romuald Szkudlarek ====<br />
<br />
Romuald is a passionate cyber security & privacy professional with over 15 years of experience in the Web, Mobile, IoT and Cloud domains. During his career, he has been dedicating spare time to a variery of projects with the goal of advancing the sectors of software and security. He is also teaching at various institutions. He holds CISSP, CSSLP and CEH credentials.<br />
<br />
==== Jeroen Willemsen ====<br />
<br />
Jeroen is a full-stack developer specialized in IT security at Xebia with a passion for mobile and risk management. He loves to explain things: starting as a teacher teaching PHP to bachelor students and then move along explaining security, risk management and programming issues to anyone willing to listen and learn.<br />
<br />
=== Top Contributors ===<br />
<br />
* Francesco Stillavato<br />
* Pawel Rzepa<br />
* Andreas Happe<br />
* Henry Hoggard<br />
* Wen Bin Kong<br />
* Abdessamad Temmar<br />
* Alexander Anthuk<br />
* Slawomir Kosowski<br />
* Bolot Kerimbaev<br />
<br />
=== Contributors ===<br />
<br />
Jin Kung Ong, Gerhard Wagner, Andreas Happe, Wen Bin Kong, Michael Helwig, Jeroen Willemsen, Denis Pilipchuk, Ryan Teoh, Dharshin De Silva, Anita Diamond, Daniel Ramirez Martin, Claudio André, Enrico Verzegnassi, Prathan Phongthiproek, Tom Welch, Luander Ribeiro, Oguzhan Topgul, Carlos Holguera, David Fern, Pishu Mahtani, Anuruddha<br />
<br />
=== Reviewers ===<br />
<br />
* Anant Shrivastava<br />
* Sjoerd Langkemper<br />
<br />
=== Others ===<br />
<br />
The full list of contributors, including those with less than 50 additions logged, is available on [https://github.com/OWASP/owasp-mstg/graphs/contributors GitHub].<br />
<br />
=== Old Version - MSTG "Beta" on Google Drive ===<br />
<br />
The Mobile Security Testing Guide was initiated by [https://www.owasp.org/index.php/User:Milan_Singh_Thakur Milan Singh Thakur] in 2015. The original document was hosted on Google Drive.<br />
<br />
'''Authors:'''<br />
<br />
Mirza Ali, Stephen Corbiaux, Ryan Dewhurst, Mohammad Hamed Dadpour, David Fern, Ali Yazdani, Bao Lee, Anto Joseph, Nutan Kumar Panda, Rahil Parikh, Julian Schütte, Abhinav Sejpal, Anant Shrivastava, Pragati Singh, Milan Singh Thakur, Stephanie Vanroelen, Gerhard Wagner<br />
<br />
'''Reviewers:'''<br />
<br />
Andrew Muller, Jonathan Carter, Stephanie Vanroelen, Milan Singh Thakur<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs></headertabs> <br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Builders]] <br />
[[Category:OWASP_Defenders]] <br />
[[Category:OWASP_Document]]</div>Bernhard Muellerhttps://wiki.owasp.org/index.php?title=OWASP_Mobile_Security_Testing_Guide&diff=231236OWASP Mobile Security Testing Guide2017-07-05T03:33:05Z<p>Bernhard Mueller: /* July 5th, 2017: Sponsorship Packages Announced */</p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_MSTG_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==Our Vision ==<br />
<br />
=== '''"Define the industry standard for mobile application security."''' ===<br />
<br />
We are writing a security standard for mobile apps and a comprehensive testing guide that covers the processes, techniques, and tools used during a mobile app security test, as well as an exhaustive set of test cases that enables testers to deliver consistent and complete results.<br />
<br />
== Early-Access Ebook ==<br />
<br />
{| cellpadding="5"<br />
|-<br />
| [[File:Early-access-mini.jpg|link=https://leanpub.com/mobile-security-testing-guide]]<br />
| '''Mobile Security Testing Guide - Early Access'''<br />
The early access edition contains sample chapters with content on mobile security testing and reverse engineering. Feel free to download it for $0 or contribute any amount you like. All funds raised through sales of this book go directly into the project budget and will be used to fund production of the final release.<br />
|}<br />
<br />
== Main Deliverables ==<br />
<br />
{| cellpadding="5"<br />
|-<br />
| [[File:mstg-mini-3.jpg|link=https://www.github.com/OWASP/owasp-mstg/]]<br />
| '''Mobile Security Testing Guide'''<br />
A comprehensive guide for iOS and Android mobile security testers with the following content:<br />
# Mobile platform internals<br />
# Security testing in the mobile app development lifecycle<br />
# Basic static and dynamic security testing<br />
# Mobile app reverse engineering and tampering<br />
# Assessing software protections<br />
# Detailed test cases that map to the requirements in the MASVS.<br />
The MSTG is a work-in-progress. Currently, we hope to be "feature-complete" in Q3 2017. You can contribute and comment in the [https://github.com/OWASP/owasp-mstg GitHub Repo]. A book version of the current master branch is available on [https://b-mueller.gitbooks.io/the-owasp-mobile-security-testing-guide/content/ Gitbook].<br />
|-<br />
| [[File:masvs-sample-mini.jpg|link=https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf]]<br />
| '''Mobile App Security Requirements and Verification'''<br />
The [https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf OWASP Mobile Application Security Verification Standard (MASVS)] is a standard for mobile app security. It can be used by mobile software architects and developers seeking to develop secure mobile applications, as well as security testers to ensure completeness and consistency of test results. The latest release is [https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf version 0.9.3].<br />
|-<br />
| [[File:checklist.jpg|link=https://www.owasp.org/images/1/1b/Mobile_App_Security_Checklist_0.9.3.xlsx]]<br />
| '''Mobile App Security Checklist'''<br />
A checklist for use in security assessments. Also contains links to the MSTG test case for each requirement. The current release is [https://www.owasp.org/images/1/1b/Mobile_App_Security_Checklist_0.9.3.xlsx version 0.9.3].<br />
|}<br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Breakers]] <br />
[[Category:OWASP_Document]]<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="center" width="50%" | [[File:Owasp-breakers-small.png|link=https://www.owasp.org/index.php/Breakers]]<br />
|<br />
|-<br />
| align="center" valign="center" width="50%" | <br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
== Project Leaders ==<br />
<br />
<span style="color:#ff0000"><br />
<br />
[https://www.owasp.org/index.php/User:Bernhard_Mueller Bernhard Mueller]<br />
<br />
[https://www.owasp.org/index.php/User:Sven_Schleier Sven Schleier]<br />
<br />
== Road Map ==<br />
<br />
* Q3 2017: Beta release<br />
* Q4 2017: Version 1.0<br />
* Q1 2018: Produce A Printable Book<br />
<br />
== Parent Project ==<br />
<br />
[[OWASP_Mobile_Security_Project]]<br />
<br />
==Licensing==<br />
<br />
The guide is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
|}<br />
<br />
=How-To=<br />
<br />
== Using the OWASP Mobile App Security Verification Standard, Testing Guide and Checklist ==<br />
<br />
The documents produced in this project cover many aspects of mobile application security, from the high-level requirements to the nitty-gritty implementation details and test cases. They can be used to plan and verify security controls during any phase of mobile app development, as well as during pre-release code review and penetration testing.<br />
<br />
# The [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf Mobile Application Security Verification Standard (MASVS)] contains generic security requirements along with mappings to verification levels that can be chosen depending on the overall need for security.<br />
# The [https://github.com/OWASP/owasp-mstg Mobile Security Testing Guide (MSTG)] provides verification instructions for each requirement in the MASVS, as well as security best practices for apps on each supported mobile operating system (currently Android and iOS). It is also useful as a standalone learning resource and reference guide for mobile application security testers.<br />
# The [https://www.owasp.org/images/6/6f/Mobile_App_Security_Checklist_0.9.2.xlsx Mobile App Security Checklist] can be used to apply the MASVS requirements during practical assessments. It also conveniently links to the MSTG test case for each requirement, making mobile penetration testing a breeze.<br />
<br />
It is important to note that the security standard, testing guide and checklists are closely related: They all map to the same basic set of requirements. Depending on the context, the documents can be used stand-alone or in combination to achieve different objectives.<br />
<br />
[[File:Overview-800px.jpg]]<br />
<br />
For example, the MASVS requirements may be used in the planning and architecture design stages, while the checklist and testing guide may serve as a baseline for manual security testing or as a template for automated security tests.<br />
<br />
== Mobile App Security Testing ==<br />
<br />
The [https://www.owasp.org/images/9/94/Mobile_App_Security_Verification_Checklist_0.8.2.xlsx checklist] works great as a reference during mobile app security assessments. You can walk through the requirements one-by-one - for more information on each requirement, simply click on the link in the "Testing procedures" column. Or, fill out the checklist at the end of an assessment to ensure completeness. <br />
<br />
== Security Engineering in the SDLC ==<br />
<br />
Properly defined security requirements are an important part of the Secure SDLC. The [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf MASVS] levels can be used along with threat modeling to determine the appropriate set of security controls for a particular mobile app. MASVS V1 also lists requirements pertaining to the architecture and design of the mobile apps, as well as general processes and activities that should be part of the development process.<br />
<br />
== Mobile App Security Education ==<br />
<br />
The [https://github.com/OWASP/owasp-mstg Mobile Security Testing Guide] can be used as a standalone learning resource. Its main chapters contain general how-tos and tutorials that cover a variety of topics from mobile OS internals to advanced reverse engineering techniques.<br />
<br />
= Sponsorship Packages =<br />
With the Mobile Security Testing Guide sponsorship packages, we offer companies opportunities to create brand awareness and maximize visibility in the mobile security space. A limited amount of sponsorship packages will be made available shortly through our crowdfunding campaign. <br />
<br />
The following packages will be available (or [[:File:MSTG-Sponsor-Packages.pdf|download as PDF]] ):<br />
<br />
=== Good Samaritan (USD 500) ===<br />
* Listed as supporter on the project website and GitHub<br />
* Listed as supporter in the printed and ebook versions<br />
* 5 Paperback Books<br />
<br />
=== Honourable Benefactor (USD 2,000 / 10 Available) ===<br />
* Small company logo in the “Honourable Benefactors” section on project website and Github<br />
* Small company logo on the sponsors page of the printed and ebook versions<br />
* 10 Paperback Books<br />
<br />
=== God Mode Sponsor (USD 4,000 / 5 Available) ===<br />
* Large company logo in the “God mode sponsors” section on project website and Github<br />
* Large company logo on the sponsors page of the printed and ebook versions<br />
* 20 Paperback Books<br />
<br />
== Pre-book a package ==<br />
Contact [mailto:bernhard&#x5B;dot&#x5D;mueller&#x5B;at&#x5D;owasp&#x5B;dot&#x5D;org Bernhard Mueller] to reserve your slot. We will contact you as soon as the packages become available.<br />
<br />
==Why Sponsors?==<br />
<br />
As it turns out, writing a book to a professional standard is a challenging task, even more so if there's 50+ authors that aren't necessarily native speakers. Also, professional editors, graphic designers and layouters don't work for free. Thus, some funds are needed to make the tech book a reality.<br />
<br />
100% of the funds raised go directly into the project budget and will be used to fund production of the final release, including:<br />
<br />
* Editing and proofreading by professional editors<br />
* Graphic design and layout<br />
* Purchase an ISBN<br />
<br />
Any leftover funds will be donated to the OWASP Foundation to the mobile security project for future use.<br />
<br />
=News=<br />
<br />
== July 5th, 2017: Sponsorship Packages Announced == <br />
<br />
We are happy to announce that a limited amount of [[https://www.owasp.org/index.php/OWASP_Mobile_Security_Testing_Guide#tab=Sponsorship_Packages sponsorship packages]] will be made available shortly through our crowdfunding campaign. With these packages, we offer companies opportunities to create brand awareness and maximize visibility in the mobile security space. 100% of the funds raised go directly into the project budget and will be used to fund production of the final release.<br />
<br />
== June 17th, 2017: The OWASP Mobile Security Testing Guide - Summit Preview ==<br />
<br />
The MSTG Summit Preview is an experimental proof-of-concept book created on the OWASP Summit 2017 in London. The goal was to improve the authoring process and book deployment pipeline, as well as to demonstrate the viability of the project. Note that the content is not final and will likely change significantly in subsequent releases.<br />
<br />
Download the ebook [https://github.com/OWASP/owasp-mstg/releases/download/1.0/owasp-mstg-summit-edition.epub here].<br />
<br />
== Mobile Security Testing Workshop on the OWASP Summit 2017 ==<br />
<br />
The OWASP MSTG team is organizing a 5-days mobile security track on the OWASP Summit 2017. The track consists of a series of book sprints, each of which focuses on producing content for a specific section in the OWASP MSTG, as well as proof-reading and editing the existing content. The goal is to make as much progress on the guide as is humanly possible. Depending on the number of participants, we’ll split into sub-groups to work on different subsections or topic areas.<br />
<br />
=== How to Join ===<br />
<br />
Join up for the working session(s) you like by following the link(s) on the [http://owaspsummit.org/Working-Sessions/Mobile-Security/ mobile security track page], then hitting the "Edit this page here" link at the bottom, and adding yourself to the "participants" field. Signing up is not mandatory, but helps us to better organize the sessions. Don’t worry though if your session of choice happens on the "wrong" day - you can always simply stop by and we’ll brief you on your topic of choice. After all, this is the Woodstock of appsec!<br />
<br />
Mobile security track main page:<br />
<br />
http://owaspsummit.org/Working-Sessions/Mobile-Security/<br />
<br />
Mobile security track schedule:<br />
<br />
http://owaspsummit.org/schedule/tracks/Mobile-Security.html/<br />
<br />
== April 5th, 2017: Mobile App Security Verification Standard Update ==<br />
<br />
[https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf Version 0.9.3] of the MASVS is now [https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf available for download] . This release contains several bug fixes and modifications to security requirements:<br />
<br />
* Merged requirements 7.8 and 7.9 into for simplification<br />
* Removed Anti-RE controls 8.1 and 8.2<br />
* Updated MSTG links to current master<br />
* Section "Environmental Interaction" renamed to "Platform Interaction"<br />
* Removed To-dos<br />
* Fixed some wording & spelling issues<br />
<br />
== January 31st, 2017: Mobile App Security Verification Standard v0.9.2 Available For Download ==<br />
<br />
The Mobile App Security Verification Standard (MASVS) has undergone a major revision, including a re-design of the security model and verification levels. We also revised many security requirements to address the multitude of [https://github.com/OWASP/owasp-masvs/issues?q=is%3Aissue%20 issues raised on GitHub]. The result is MASVS v0.9.2, which is now [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf available for download in PDF format].<br />
<br />
As the MASVS is nearing maturity, we have decided to freeze the requirements until the Mobile Testing Guide and checklists "catch up" (due to the one-to-one mapping between requirements in the MASVS and MSTG, changes to the requirements make it necessary to update the other documents as well, causing repeated effort). Unless major issues pop up, the current list will therefore remain in place until MASVS/MSTG v1.0, and further changes will be reserved for v1.1 or later releases.<br />
<br />
The MASVS is a community effort to establish security requirements for designing, developing and testing secure mobile apps on iOS and Android. Join the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel] to meet the project members! You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
== January 28th, 2017: Mobile Crackmes and Reversing Tutorials ==<br />
{| cellpadding="5"<br />
|-<br />
| [[File:uncrackable-250.png|link=]]<br />
| <br />
A key goal of the OWASP Mobile Testing Project is to build the ultimate learning resource and reference guide for mobile app reversers. As hands-on hacking is by far the best way to learn, we'd like to link most of the content to practical examples. <br />
<br />
Starting now, we'll be adding [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes crackmes for Android and iOS] to the [https://github.com/OWASP/owasp-mstg GitHub repo] that will then be used as examples throughout the guide. The goal is to collect enough resources for demonstrating the most important tools and techniques in our guide, plus additional crackmes for practicing. For starters there are three challenges:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/OMTG-Files/02_Crackmes/01_Android/01_License_Validation Android License Validator]<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes/iOS/Level_01/ Uncrackable App for iOS Level 1]<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes/iOS/Level_02/ Uncrackable App for iOS Level 2]<br />
<br />
|}<br />
<br />
One of these three already has a [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md#symbolicexec documented solution] in the guide. Tutorials for solving the other two [https://github.com/OWASP/owasp-mstg/blob/master/OMTG-Files/02_Crackmes/List_of_Crackmes.md still need to be added].<br />
<br />
=== We Need More Authors and Contributors! ===<br />
<br />
Maybe you have noticed that [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html the reverse engineering sections in the Mobile Testing Guide are incomplete]. The reason: We're still in the starting stages and don't have a lot of authors and contributors (in fact, 99% of the reversing content was produced by one guy). We'd love to welcome *you* as a contributor of crackmes, tutorials, writeups, or simply new ideas for this project. <br />
<br />
==== What You Can Do ====<br />
<br />
The OWASP MSTG is an open project and there's a lot of flexibility - it mostly depends on your skill set and willingness to commit your time. That said, the some areas that need help are:<br />
<br />
* Solving crackmes and contributing a tutorial to the guide (preferable a technique that's not already documented. Check the [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html TOC] first).<br />
* Writing and adding new crackmes along with solutions (should also describe something not already in the guide. Cracking white-boxes, dynamic analysis using an emulator / introspection, etc. etc.).<br />
* General reversing write-ups to describe specific processes and techniques<br />
* Help us figure out [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x07b-Assessing_Software_Protections.md resiliency testing processes] and [https://github.com/b-mueller/obfuscation-metrics obfuscation metrics]<br />
<br />
The reversing part of the guide consists of the following chapters:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05-Testing-Processes-and-Techniques.md#tampering-and-reverse-engineering Tampering and Reverse Engineering - General Overview]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md#tampering-and-reverse-engineering-on-android Tampering and Reverse Engineering on Android]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Reverse-Engineering-and-Tampering-iOS.md#tampering-and-reverse-engineering-on-ios Tampering and Reverse Engineering on iOS]<br />
<br />
==== How To Join ====<br />
<br />
Read the [https://github.com/OWASP/owasp-mstg/blob/master/authors_guide.md author's guide] first, and join the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel], where you'll find all the other project members. You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
== January 22nd, 2017: Mobile Testing Guide TOC Available ==<br />
<br />
As of now, we'll be auto-generating a [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html table of contents] out of the current MSTG master branch. This reflects the current state of the guide, and should make it easier to coordinate work between authors. A short-term goal is to finalize the structure of the guide so we get a clearer picture of what will be included in the final document. Lead authors are encouraged to complete the outline of their respective chapters. <br />
<br />
'''On another note, we still need additional authors to help with all sections of the guide, including mobile operating system overviews, testing processes and techniques, and reverse engineering.''' Especially iOS authors are in short supply! As usual, ping us on the [https://owasp.slack.com/messages/project-mobile_omtg/details/ Slack Channel] if you want to contribute.<br />
<br />
== December 4th, 2016: Call For Authors: The Ultimate Open-Source Mobile App Reverse Engineering Guide ==<br />
<br />
Reverse engineering is an art, and describing every available facet of it would fill a whole library. The sheer range techniques and possible specializations is mind-blowing: One can spend years working on a very specific, isolated sub-problem, such as automating malware analysis or developing novel de-obfuscation methods. For mobile app security testers, it can be challenging to filter through the vast amount of information and build a working methodology. Things become even more problematic when one is tasked to assess apps that are heavily obfuscated and have anti-tampering measures built in.<br />
<br />
One of the main goals in the MSTG is to build the ultimate resource for mobile reverse engineers. This includes not only basic static and dynamic analysis, but also advanced de-obfuscation, scripting and automation. Obviously, writing all this content is a lot of work, both in terms of general content and OS-specific how-tos. We're therefore looking for talented authors that want to join the project early on. Topics include the following:<br />
<br />
* Basic Hybrid Static/Dynamic Analysis<br />
* Code Injection and Dynamic Instrumentation (Substrate, FRIDA)<br />
* Dynamic Binary Instrumentation (Valgrind, PIE)<br />
* Analysis Frameworks (Metasm / Miasm)<br />
* Symbolic Execution<br />
* DCA and DPA attacks on white-box crypto<br />
* Dynamic analysis frameworks (PANDA / DroidScope,...)<br />
* Anything else we might have missed<br />
<br />
=== What is in for me? ===<br />
<br />
All of this is unpaid, volunteer work. However, depending on your contribution, you will be named in the "lead authors" or "contributors" list, and you'll be able to point to the fact that you co-authored the guide. You'll also be contributing to the field, helping others who are just starting out, and in turn becoming a happier person yourself (reaping the full benefits of your altruism).<br />
<br />
=== Where do I sign up? ===<br />
<br />
First of all, have a look at the existing RE chapters outline:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05-Testing-Processes-and-Techniques.md#tampering-and-reverse-engineering Generic / Introduction]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md Android]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Reverse-Engineering-and-Tampering-iOS.md#tampering-and-reverse-engineering-on-ios iOS]<br />
<br />
You'll probably immediately have ideas on how you can contribute. If that's the case, read the [https://github.com/OWASP/owasp-mstg/blob/master/authors_guide.md author's guide] first. <br />
<br />
Then contact [https://github.com/b-mueller Bernhard Mueller] - ideally directly on the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel], where you'll find all the other project members. You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
=FAQs=<br />
<br />
==How can I participate in your project?==<br />
<br />
'''We are searching for additional authors, reviewers and editors.''' The best way to get started is to browse the [https://b-mueller.gitbooks.io/owasp-mobile-security-testing-guide/content/ existing content]. Also, check the [https://github.com/OWASP/owasp-mstg/projects/1 project dashboard] for a list of open tasks.<br />
<br />
Drop a us line on the [https://owasp.slack.com/messages/project-mobile_omtg/details/) Slack channel] before you start working on a topic. This helps us to keep track of what everyone is doing and prevent conflicts. You can create a Slack account here:<br />
<br />
http://owasp.herokuapp.com/<br />
<br />
Before you start contributing, please read our brief [https://github.com/OWASP/owasp-mstg/blob/master/style_guide.md style guide] which contains a few basic writing rules.<br />
<br />
If there's something you really want to see in the guide, or you want to suggest an improvement, create an issue [https://github.com/OWASP/owasp-mstg/issues issue] or ping us on [https://owasp.slack.com/messages/project-mobile_omtg/details/ Slack].<br />
<br />
==Where do you guys need help the most?==<br />
<br />
There's a lot of areas where you can help out:<br />
<br />
* Writing original content, such as describing testing processes and writing test cases. We're all doing this in our spare time, which unfortunately means that things sometimes slow down to a crawl. If you're knowledgeable in some area and have time available, we'd be incredibly thankful to anyone who contributes, even if it's only one or two test cases.<br />
<br />
* Reviewing content and giving feedback. The proper channel for questions and feedback is the GitHub issues system of the respective repo, contacting us on [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel] is another possibility.<br />
<br />
* Developing tools. For example, we still don't have an automated way of generating checklists out of the GitHub repo.<br />
<br />
* Contributing to auxiliary projects: The [https://github.com/b-mueller/obfuscation-metrics obfuscation metrics project] is an auxiliary project that deals with specific forms of control flow and data obfuscation. This project needs experts in advanced obfuscation / de-obfuscation. Please contact us if you have experience in this area.<br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator.<br />
<br />
==I contributed to the original Google Doc, but I'm not credited in the new version of the MSTG? ==<br />
As we migrated some of the existing content, we did our best to backtrack the original authors and credit them appropriately. We also added a [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x02-Frontispiece.md revision history] that lists all the authors from old Google Docs. If you are not on that list but feel you should be, please contact [https://github.com/b-mueller Bernhard] or [https://github.com/sushi2k Sven] and they'll fix it. Or better yet, re-join the author's team and start contributing to the new guide.<br />
<br />
= Acknowledgements =<br />
<br />
== Acknowledgments ==<br />
<br />
=== Authors ===<br />
<br />
====Bernhard Mueller ====<br />
<br />
Bernhard is a cyber security specialist with a talent in hacking all kinds of systems. During more than a decade in the industry, he has published many zero-day exploits for software such as MS SQL Server, Adobe Flash Player, IBM Director, Cisco VOIP and ModSecurity. If you can name it, he has probably broken it at least once. His pioneering work in mobile security was commended with a BlackHat "Best Research" Pwnie Award.<br />
<br />
==== Sven Schleier ====<br />
<br />
Sven is an experienced penetration tester and security architect who specialized in implementing secure SDLC for web application, iOS and Android apps. He is a project leader for the OWASP Mobile Security Testing Guide and the creator of OWASP Mobile Hacking Playground. Sven also supports the community with free hands-on workshops on web and mobile app security testing. He has published several security advisories and a white papers about a range of security topics.<br />
<br />
=== Co-Authors ===<br />
<br />
==== Romuald Szkudlarek ====<br />
<br />
Romuald is a passionate cyber security & privacy professional with over 15 years of experience in the Web, Mobile, IoT and Cloud domains. During his career, he has been dedicating spare time to a variery of projects with the goal of advancing the sectors of software and security. He is also teaching at various institutions. He holds CISSP, CSSLP and CEH credentials.<br />
<br />
==== Jeroen Willemsen ====<br />
<br />
Jeroen is a full-stack developer specialized in IT security at Xebia with a passion for mobile and risk management. He loves to explain things: starting as a teacher teaching PHP to bachelor students and then move along explaining security, risk management and programming issues to anyone willing to listen and learn.<br />
<br />
=== Top Contributors ===<br />
<br />
* Francesco Stillavato<br />
* Pawel Rzepa<br />
* Andreas Happe<br />
* Henry Hoggard<br />
* Wen Bin Kong<br />
* Abdessamad Temmar<br />
* Alexander Anthuk<br />
* Slawomir Kosowski<br />
* Bolot Kerimbaev<br />
<br />
=== Contributors ===<br />
<br />
Jin Kung Ong, Gerhard Wagner, Andreas Happe, Wen Bin Kong, Michael Helwig, Jeroen Willemsen, Denis Pilipchuk, Ryan Teoh, Dharshin De Silva, Anita Diamond, Daniel Ramirez Martin, Claudio André, Enrico Verzegnassi, Prathan Phongthiproek, Tom Welch, Luander Ribeiro, Oguzhan Topgul, Carlos Holguera, David Fern, Pishu Mahtani, Anuruddha<br />
<br />
=== Reviewers ===<br />
<br />
* Anant Shrivastava<br />
* Sjoerd Langkemper<br />
<br />
=== Others ===<br />
<br />
The full list of contributors, including those with less than 50 additions logged, is available on [https://github.com/OWASP/owasp-mstg/graphs/contributors GitHub].<br />
<br />
=== Old Version - MSTG "Beta" on Google Drive ===<br />
<br />
The Mobile Security Testing Guide was initiated by [https://www.owasp.org/index.php/User:Milan_Singh_Thakur Milan Singh Thakur] in 2015. The original document was hosted on Google Drive.<br />
<br />
'''Authors:'''<br />
<br />
Mirza Ali, Stephen Corbiaux, Ryan Dewhurst, Mohammad Hamed Dadpour, David Fern, Ali Yazdani, Bao Lee, Anto Joseph, Nutan Kumar Panda, Rahil Parikh, Julian Schütte, Abhinav Sejpal, Anant Shrivastava, Pragati Singh, Milan Singh Thakur, Stephanie Vanroelen, Gerhard Wagner<br />
<br />
'''Reviewers:'''<br />
<br />
Andrew Muller, Jonathan Carter, Stephanie Vanroelen, Milan Singh Thakur<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs></headertabs> <br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Builders]] <br />
[[Category:OWASP_Defenders]] <br />
[[Category:OWASP_Document]]</div>Bernhard Muellerhttps://wiki.owasp.org/index.php?title=OWASP_Mobile_Security_Testing_Guide&diff=231235OWASP Mobile Security Testing Guide2017-07-05T03:29:45Z<p>Bernhard Mueller: /* Why Sponsors? */</p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_MSTG_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==Our Vision ==<br />
<br />
=== '''"Define the industry standard for mobile application security."''' ===<br />
<br />
We are writing a security standard for mobile apps and a comprehensive testing guide that covers the processes, techniques, and tools used during a mobile app security test, as well as an exhaustive set of test cases that enables testers to deliver consistent and complete results.<br />
<br />
== Early-Access Ebook ==<br />
<br />
{| cellpadding="5"<br />
|-<br />
| [[File:Early-access-mini.jpg|link=https://leanpub.com/mobile-security-testing-guide]]<br />
| '''Mobile Security Testing Guide - Early Access'''<br />
The early access edition contains sample chapters with content on mobile security testing and reverse engineering. Feel free to download it for $0 or contribute any amount you like. All funds raised through sales of this book go directly into the project budget and will be used to fund production of the final release.<br />
|}<br />
<br />
== Main Deliverables ==<br />
<br />
{| cellpadding="5"<br />
|-<br />
| [[File:mstg-mini-3.jpg|link=https://www.github.com/OWASP/owasp-mstg/]]<br />
| '''Mobile Security Testing Guide'''<br />
A comprehensive guide for iOS and Android mobile security testers with the following content:<br />
# Mobile platform internals<br />
# Security testing in the mobile app development lifecycle<br />
# Basic static and dynamic security testing<br />
# Mobile app reverse engineering and tampering<br />
# Assessing software protections<br />
# Detailed test cases that map to the requirements in the MASVS.<br />
The MSTG is a work-in-progress. Currently, we hope to be "feature-complete" in Q3 2017. You can contribute and comment in the [https://github.com/OWASP/owasp-mstg GitHub Repo]. A book version of the current master branch is available on [https://b-mueller.gitbooks.io/the-owasp-mobile-security-testing-guide/content/ Gitbook].<br />
|-<br />
| [[File:masvs-sample-mini.jpg|link=https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf]]<br />
| '''Mobile App Security Requirements and Verification'''<br />
The [https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf OWASP Mobile Application Security Verification Standard (MASVS)] is a standard for mobile app security. It can be used by mobile software architects and developers seeking to develop secure mobile applications, as well as security testers to ensure completeness and consistency of test results. The latest release is [https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf version 0.9.3].<br />
|-<br />
| [[File:checklist.jpg|link=https://www.owasp.org/images/1/1b/Mobile_App_Security_Checklist_0.9.3.xlsx]]<br />
| '''Mobile App Security Checklist'''<br />
A checklist for use in security assessments. Also contains links to the MSTG test case for each requirement. The current release is [https://www.owasp.org/images/1/1b/Mobile_App_Security_Checklist_0.9.3.xlsx version 0.9.3].<br />
|}<br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Breakers]] <br />
[[Category:OWASP_Document]]<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="center" width="50%" | [[File:Owasp-breakers-small.png|link=https://www.owasp.org/index.php/Breakers]]<br />
|<br />
|-<br />
| align="center" valign="center" width="50%" | <br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
== Project Leaders ==<br />
<br />
<span style="color:#ff0000"><br />
<br />
[https://www.owasp.org/index.php/User:Bernhard_Mueller Bernhard Mueller]<br />
<br />
[https://www.owasp.org/index.php/User:Sven_Schleier Sven Schleier]<br />
<br />
== Road Map ==<br />
<br />
* Q3 2017: Beta release<br />
* Q4 2017: Version 1.0<br />
* Q1 2018: Produce A Printable Book<br />
<br />
== Parent Project ==<br />
<br />
[[OWASP_Mobile_Security_Project]]<br />
<br />
==Licensing==<br />
<br />
The guide is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
|}<br />
<br />
=How-To=<br />
<br />
== Using the OWASP Mobile App Security Verification Standard, Testing Guide and Checklist ==<br />
<br />
The documents produced in this project cover many aspects of mobile application security, from the high-level requirements to the nitty-gritty implementation details and test cases. They can be used to plan and verify security controls during any phase of mobile app development, as well as during pre-release code review and penetration testing.<br />
<br />
# The [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf Mobile Application Security Verification Standard (MASVS)] contains generic security requirements along with mappings to verification levels that can be chosen depending on the overall need for security.<br />
# The [https://github.com/OWASP/owasp-mstg Mobile Security Testing Guide (MSTG)] provides verification instructions for each requirement in the MASVS, as well as security best practices for apps on each supported mobile operating system (currently Android and iOS). It is also useful as a standalone learning resource and reference guide for mobile application security testers.<br />
# The [https://www.owasp.org/images/6/6f/Mobile_App_Security_Checklist_0.9.2.xlsx Mobile App Security Checklist] can be used to apply the MASVS requirements during practical assessments. It also conveniently links to the MSTG test case for each requirement, making mobile penetration testing a breeze.<br />
<br />
It is important to note that the security standard, testing guide and checklists are closely related: They all map to the same basic set of requirements. Depending on the context, the documents can be used stand-alone or in combination to achieve different objectives.<br />
<br />
[[File:Overview-800px.jpg]]<br />
<br />
For example, the MASVS requirements may be used in the planning and architecture design stages, while the checklist and testing guide may serve as a baseline for manual security testing or as a template for automated security tests.<br />
<br />
== Mobile App Security Testing ==<br />
<br />
The [https://www.owasp.org/images/9/94/Mobile_App_Security_Verification_Checklist_0.8.2.xlsx checklist] works great as a reference during mobile app security assessments. You can walk through the requirements one-by-one - for more information on each requirement, simply click on the link in the "Testing procedures" column. Or, fill out the checklist at the end of an assessment to ensure completeness. <br />
<br />
== Security Engineering in the SDLC ==<br />
<br />
Properly defined security requirements are an important part of the Secure SDLC. The [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf MASVS] levels can be used along with threat modeling to determine the appropriate set of security controls for a particular mobile app. MASVS V1 also lists requirements pertaining to the architecture and design of the mobile apps, as well as general processes and activities that should be part of the development process.<br />
<br />
== Mobile App Security Education ==<br />
<br />
The [https://github.com/OWASP/owasp-mstg Mobile Security Testing Guide] can be used as a standalone learning resource. Its main chapters contain general how-tos and tutorials that cover a variety of topics from mobile OS internals to advanced reverse engineering techniques.<br />
<br />
= Sponsorship Packages =<br />
With the Mobile Security Testing Guide sponsorship packages, we offer companies opportunities to create brand awareness and maximize visibility in the mobile security space. A limited amount of sponsorship packages will be made available shortly through our crowdfunding campaign. <br />
<br />
The following packages will be available (or [[:File:MSTG-Sponsor-Packages.pdf|download as PDF]] ):<br />
<br />
=== Good Samaritan (USD 500) ===<br />
* Listed as supporter on the project website and GitHub<br />
* Listed as supporter in the printed and ebook versions<br />
* 5 Paperback Books<br />
<br />
=== Honourable Benefactor (USD 2,000 / 10 Available) ===<br />
* Small company logo in the “Honourable Benefactors” section on project website and Github<br />
* Small company logo on the sponsors page of the printed and ebook versions<br />
* 10 Paperback Books<br />
<br />
=== God Mode Sponsor (USD 4,000 / 5 Available) ===<br />
* Large company logo in the “God mode sponsors” section on project website and Github<br />
* Large company logo on the sponsors page of the printed and ebook versions<br />
* 20 Paperback Books<br />
<br />
== Pre-book a package ==<br />
Contact [mailto:bernhard&#x5B;dot&#x5D;mueller&#x5B;at&#x5D;owasp&#x5B;dot&#x5D;org Bernhard Mueller] to reserve your slot. We will contact you as soon as the packages become available.<br />
<br />
==Why Sponsors?==<br />
<br />
As it turns out, writing a book to a professional standard is a challenging task, even more so if there's 50+ authors that aren't necessarily native speakers. Also, professional editors, graphic designers and layouters don't work for free. Thus, some funds are needed to make the tech book a reality.<br />
<br />
100% of the funds raised go directly into the project budget and will be used to fund production of the final release, including:<br />
<br />
* Editing and proofreading by professional editors<br />
* Graphic design and layout<br />
* Purchase an ISBN<br />
<br />
Any leftover funds will be donated to the OWASP Foundation to the mobile security project for future use.<br />
<br />
=News=<br />
<br />
== July 5th, 2017: Sponsorship Packages Announced == <br />
<br />
We are happy to announce that a limited amount of sponsorship packages will be made available shortly through our crowdfunding campaign. With these packages, we offer companies opportunities to create brand awareness and maximize visibility in the mobile security space. The funds raised<br />
<br />
== June 17th, 2017: The OWASP Mobile Security Testing Guide - Summit Preview ==<br />
<br />
The MSTG Summit Preview is an experimental proof-of-concept book created on the OWASP Summit 2017 in London. The goal was to improve the authoring process and book deployment pipeline, as well as to demonstrate the viability of the project. Note that the content is not final and will likely change significantly in subsequent releases.<br />
<br />
Download the ebook [https://github.com/OWASP/owasp-mstg/releases/download/1.0/owasp-mstg-summit-edition.epub here].<br />
<br />
== Mobile Security Testing Workshop on the OWASP Summit 2017 ==<br />
<br />
The OWASP MSTG team is organizing a 5-days mobile security track on the OWASP Summit 2017. The track consists of a series of book sprints, each of which focuses on producing content for a specific section in the OWASP MSTG, as well as proof-reading and editing the existing content. The goal is to make as much progress on the guide as is humanly possible. Depending on the number of participants, we’ll split into sub-groups to work on different subsections or topic areas.<br />
<br />
=== How to Join ===<br />
<br />
Join up for the working session(s) you like by following the link(s) on the [http://owaspsummit.org/Working-Sessions/Mobile-Security/ mobile security track page], then hitting the "Edit this page here" link at the bottom, and adding yourself to the "participants" field. Signing up is not mandatory, but helps us to better organize the sessions. Don’t worry though if your session of choice happens on the "wrong" day - you can always simply stop by and we’ll brief you on your topic of choice. After all, this is the Woodstock of appsec!<br />
<br />
Mobile security track main page:<br />
<br />
http://owaspsummit.org/Working-Sessions/Mobile-Security/<br />
<br />
Mobile security track schedule:<br />
<br />
http://owaspsummit.org/schedule/tracks/Mobile-Security.html/<br />
<br />
== April 5th, 2017: Mobile App Security Verification Standard Update ==<br />
<br />
[https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf Version 0.9.3] of the MASVS is now [https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf available for download] . This release contains several bug fixes and modifications to security requirements:<br />
<br />
* Merged requirements 7.8 and 7.9 into for simplification<br />
* Removed Anti-RE controls 8.1 and 8.2<br />
* Updated MSTG links to current master<br />
* Section "Environmental Interaction" renamed to "Platform Interaction"<br />
* Removed To-dos<br />
* Fixed some wording & spelling issues<br />
<br />
== January 31st, 2017: Mobile App Security Verification Standard v0.9.2 Available For Download ==<br />
<br />
The Mobile App Security Verification Standard (MASVS) has undergone a major revision, including a re-design of the security model and verification levels. We also revised many security requirements to address the multitude of [https://github.com/OWASP/owasp-masvs/issues?q=is%3Aissue%20 issues raised on GitHub]. The result is MASVS v0.9.2, which is now [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf available for download in PDF format].<br />
<br />
As the MASVS is nearing maturity, we have decided to freeze the requirements until the Mobile Testing Guide and checklists "catch up" (due to the one-to-one mapping between requirements in the MASVS and MSTG, changes to the requirements make it necessary to update the other documents as well, causing repeated effort). Unless major issues pop up, the current list will therefore remain in place until MASVS/MSTG v1.0, and further changes will be reserved for v1.1 or later releases.<br />
<br />
The MASVS is a community effort to establish security requirements for designing, developing and testing secure mobile apps on iOS and Android. Join the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel] to meet the project members! You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
== January 28th, 2017: Mobile Crackmes and Reversing Tutorials ==<br />
{| cellpadding="5"<br />
|-<br />
| [[File:uncrackable-250.png|link=]]<br />
| <br />
A key goal of the OWASP Mobile Testing Project is to build the ultimate learning resource and reference guide for mobile app reversers. As hands-on hacking is by far the best way to learn, we'd like to link most of the content to practical examples. <br />
<br />
Starting now, we'll be adding [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes crackmes for Android and iOS] to the [https://github.com/OWASP/owasp-mstg GitHub repo] that will then be used as examples throughout the guide. The goal is to collect enough resources for demonstrating the most important tools and techniques in our guide, plus additional crackmes for practicing. For starters there are three challenges:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/OMTG-Files/02_Crackmes/01_Android/01_License_Validation Android License Validator]<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes/iOS/Level_01/ Uncrackable App for iOS Level 1]<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes/iOS/Level_02/ Uncrackable App for iOS Level 2]<br />
<br />
|}<br />
<br />
One of these three already has a [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md#symbolicexec documented solution] in the guide. Tutorials for solving the other two [https://github.com/OWASP/owasp-mstg/blob/master/OMTG-Files/02_Crackmes/List_of_Crackmes.md still need to be added].<br />
<br />
=== We Need More Authors and Contributors! ===<br />
<br />
Maybe you have noticed that [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html the reverse engineering sections in the Mobile Testing Guide are incomplete]. The reason: We're still in the starting stages and don't have a lot of authors and contributors (in fact, 99% of the reversing content was produced by one guy). We'd love to welcome *you* as a contributor of crackmes, tutorials, writeups, or simply new ideas for this project. <br />
<br />
==== What You Can Do ====<br />
<br />
The OWASP MSTG is an open project and there's a lot of flexibility - it mostly depends on your skill set and willingness to commit your time. That said, the some areas that need help are:<br />
<br />
* Solving crackmes and contributing a tutorial to the guide (preferable a technique that's not already documented. Check the [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html TOC] first).<br />
* Writing and adding new crackmes along with solutions (should also describe something not already in the guide. Cracking white-boxes, dynamic analysis using an emulator / introspection, etc. etc.).<br />
* General reversing write-ups to describe specific processes and techniques<br />
* Help us figure out [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x07b-Assessing_Software_Protections.md resiliency testing processes] and [https://github.com/b-mueller/obfuscation-metrics obfuscation metrics]<br />
<br />
The reversing part of the guide consists of the following chapters:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05-Testing-Processes-and-Techniques.md#tampering-and-reverse-engineering Tampering and Reverse Engineering - General Overview]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md#tampering-and-reverse-engineering-on-android Tampering and Reverse Engineering on Android]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Reverse-Engineering-and-Tampering-iOS.md#tampering-and-reverse-engineering-on-ios Tampering and Reverse Engineering on iOS]<br />
<br />
==== How To Join ====<br />
<br />
Read the [https://github.com/OWASP/owasp-mstg/blob/master/authors_guide.md author's guide] first, and join the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel], where you'll find all the other project members. You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
== January 22nd, 2017: Mobile Testing Guide TOC Available ==<br />
<br />
As of now, we'll be auto-generating a [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html table of contents] out of the current MSTG master branch. This reflects the current state of the guide, and should make it easier to coordinate work between authors. A short-term goal is to finalize the structure of the guide so we get a clearer picture of what will be included in the final document. Lead authors are encouraged to complete the outline of their respective chapters. <br />
<br />
'''On another note, we still need additional authors to help with all sections of the guide, including mobile operating system overviews, testing processes and techniques, and reverse engineering.''' Especially iOS authors are in short supply! As usual, ping us on the [https://owasp.slack.com/messages/project-mobile_omtg/details/ Slack Channel] if you want to contribute.<br />
<br />
== December 4th, 2016: Call For Authors: The Ultimate Open-Source Mobile App Reverse Engineering Guide ==<br />
<br />
Reverse engineering is an art, and describing every available facet of it would fill a whole library. The sheer range techniques and possible specializations is mind-blowing: One can spend years working on a very specific, isolated sub-problem, such as automating malware analysis or developing novel de-obfuscation methods. For mobile app security testers, it can be challenging to filter through the vast amount of information and build a working methodology. Things become even more problematic when one is tasked to assess apps that are heavily obfuscated and have anti-tampering measures built in.<br />
<br />
One of the main goals in the MSTG is to build the ultimate resource for mobile reverse engineers. This includes not only basic static and dynamic analysis, but also advanced de-obfuscation, scripting and automation. Obviously, writing all this content is a lot of work, both in terms of general content and OS-specific how-tos. We're therefore looking for talented authors that want to join the project early on. Topics include the following:<br />
<br />
* Basic Hybrid Static/Dynamic Analysis<br />
* Code Injection and Dynamic Instrumentation (Substrate, FRIDA)<br />
* Dynamic Binary Instrumentation (Valgrind, PIE)<br />
* Analysis Frameworks (Metasm / Miasm)<br />
* Symbolic Execution<br />
* DCA and DPA attacks on white-box crypto<br />
* Dynamic analysis frameworks (PANDA / DroidScope,...)<br />
* Anything else we might have missed<br />
<br />
=== What is in for me? ===<br />
<br />
All of this is unpaid, volunteer work. However, depending on your contribution, you will be named in the "lead authors" or "contributors" list, and you'll be able to point to the fact that you co-authored the guide. You'll also be contributing to the field, helping others who are just starting out, and in turn becoming a happier person yourself (reaping the full benefits of your altruism).<br />
<br />
=== Where do I sign up? ===<br />
<br />
First of all, have a look at the existing RE chapters outline:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05-Testing-Processes-and-Techniques.md#tampering-and-reverse-engineering Generic / Introduction]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md Android]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Reverse-Engineering-and-Tampering-iOS.md#tampering-and-reverse-engineering-on-ios iOS]<br />
<br />
You'll probably immediately have ideas on how you can contribute. If that's the case, read the [https://github.com/OWASP/owasp-mstg/blob/master/authors_guide.md author's guide] first. <br />
<br />
Then contact [https://github.com/b-mueller Bernhard Mueller] - ideally directly on the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel], where you'll find all the other project members. You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
=FAQs=<br />
<br />
==How can I participate in your project?==<br />
<br />
'''We are searching for additional authors, reviewers and editors.''' The best way to get started is to browse the [https://b-mueller.gitbooks.io/owasp-mobile-security-testing-guide/content/ existing content]. Also, check the [https://github.com/OWASP/owasp-mstg/projects/1 project dashboard] for a list of open tasks.<br />
<br />
Drop a us line on the [https://owasp.slack.com/messages/project-mobile_omtg/details/) Slack channel] before you start working on a topic. This helps us to keep track of what everyone is doing and prevent conflicts. You can create a Slack account here:<br />
<br />
http://owasp.herokuapp.com/<br />
<br />
Before you start contributing, please read our brief [https://github.com/OWASP/owasp-mstg/blob/master/style_guide.md style guide] which contains a few basic writing rules.<br />
<br />
If there's something you really want to see in the guide, or you want to suggest an improvement, create an issue [https://github.com/OWASP/owasp-mstg/issues issue] or ping us on [https://owasp.slack.com/messages/project-mobile_omtg/details/ Slack].<br />
<br />
==Where do you guys need help the most?==<br />
<br />
There's a lot of areas where you can help out:<br />
<br />
* Writing original content, such as describing testing processes and writing test cases. We're all doing this in our spare time, which unfortunately means that things sometimes slow down to a crawl. If you're knowledgeable in some area and have time available, we'd be incredibly thankful to anyone who contributes, even if it's only one or two test cases.<br />
<br />
* Reviewing content and giving feedback. The proper channel for questions and feedback is the GitHub issues system of the respective repo, contacting us on [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel] is another possibility.<br />
<br />
* Developing tools. For example, we still don't have an automated way of generating checklists out of the GitHub repo.<br />
<br />
* Contributing to auxiliary projects: The [https://github.com/b-mueller/obfuscation-metrics obfuscation metrics project] is an auxiliary project that deals with specific forms of control flow and data obfuscation. This project needs experts in advanced obfuscation / de-obfuscation. Please contact us if you have experience in this area.<br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator.<br />
<br />
==I contributed to the original Google Doc, but I'm not credited in the new version of the MSTG? ==<br />
As we migrated some of the existing content, we did our best to backtrack the original authors and credit them appropriately. We also added a [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x02-Frontispiece.md revision history] that lists all the authors from old Google Docs. If you are not on that list but feel you should be, please contact [https://github.com/b-mueller Bernhard] or [https://github.com/sushi2k Sven] and they'll fix it. Or better yet, re-join the author's team and start contributing to the new guide.<br />
<br />
= Acknowledgements =<br />
<br />
== Acknowledgments ==<br />
<br />
=== Authors ===<br />
<br />
====Bernhard Mueller ====<br />
<br />
Bernhard is a cyber security specialist with a talent in hacking all kinds of systems. During more than a decade in the industry, he has published many zero-day exploits for software such as MS SQL Server, Adobe Flash Player, IBM Director, Cisco VOIP and ModSecurity. If you can name it, he has probably broken it at least once. His pioneering work in mobile security was commended with a BlackHat "Best Research" Pwnie Award.<br />
<br />
==== Sven Schleier ====<br />
<br />
Sven is an experienced penetration tester and security architect who specialized in implementing secure SDLC for web application, iOS and Android apps. He is a project leader for the OWASP Mobile Security Testing Guide and the creator of OWASP Mobile Hacking Playground. Sven also supports the community with free hands-on workshops on web and mobile app security testing. He has published several security advisories and a white papers about a range of security topics.<br />
<br />
=== Co-Authors ===<br />
<br />
==== Romuald Szkudlarek ====<br />
<br />
Romuald is a passionate cyber security & privacy professional with over 15 years of experience in the Web, Mobile, IoT and Cloud domains. During his career, he has been dedicating spare time to a variery of projects with the goal of advancing the sectors of software and security. He is also teaching at various institutions. He holds CISSP, CSSLP and CEH credentials.<br />
<br />
==== Jeroen Willemsen ====<br />
<br />
Jeroen is a full-stack developer specialized in IT security at Xebia with a passion for mobile and risk management. He loves to explain things: starting as a teacher teaching PHP to bachelor students and then move along explaining security, risk management and programming issues to anyone willing to listen and learn.<br />
<br />
=== Top Contributors ===<br />
<br />
* Francesco Stillavato<br />
* Pawel Rzepa<br />
* Andreas Happe<br />
* Henry Hoggard<br />
* Wen Bin Kong<br />
* Abdessamad Temmar<br />
* Alexander Anthuk<br />
* Slawomir Kosowski<br />
* Bolot Kerimbaev<br />
<br />
=== Contributors ===<br />
<br />
Jin Kung Ong, Gerhard Wagner, Andreas Happe, Wen Bin Kong, Michael Helwig, Jeroen Willemsen, Denis Pilipchuk, Ryan Teoh, Dharshin De Silva, Anita Diamond, Daniel Ramirez Martin, Claudio André, Enrico Verzegnassi, Prathan Phongthiproek, Tom Welch, Luander Ribeiro, Oguzhan Topgul, Carlos Holguera, David Fern, Pishu Mahtani, Anuruddha<br />
<br />
=== Reviewers ===<br />
<br />
* Anant Shrivastava<br />
* Sjoerd Langkemper<br />
<br />
=== Others ===<br />
<br />
The full list of contributors, including those with less than 50 additions logged, is available on [https://github.com/OWASP/owasp-mstg/graphs/contributors GitHub].<br />
<br />
=== Old Version - MSTG "Beta" on Google Drive ===<br />
<br />
The Mobile Security Testing Guide was initiated by [https://www.owasp.org/index.php/User:Milan_Singh_Thakur Milan Singh Thakur] in 2015. The original document was hosted on Google Drive.<br />
<br />
'''Authors:'''<br />
<br />
Mirza Ali, Stephen Corbiaux, Ryan Dewhurst, Mohammad Hamed Dadpour, David Fern, Ali Yazdani, Bao Lee, Anto Joseph, Nutan Kumar Panda, Rahil Parikh, Julian Schütte, Abhinav Sejpal, Anant Shrivastava, Pragati Singh, Milan Singh Thakur, Stephanie Vanroelen, Gerhard Wagner<br />
<br />
'''Reviewers:'''<br />
<br />
Andrew Muller, Jonathan Carter, Stephanie Vanroelen, Milan Singh Thakur<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs></headertabs> <br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Builders]] <br />
[[Category:OWASP_Defenders]] <br />
[[Category:OWASP_Document]]</div>Bernhard Muellerhttps://wiki.owasp.org/index.php?title=OWASP_Mobile_Security_Testing_Guide&diff=231234OWASP Mobile Security Testing Guide2017-07-05T03:29:25Z<p>Bernhard Mueller: </p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_MSTG_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==Our Vision ==<br />
<br />
=== '''"Define the industry standard for mobile application security."''' ===<br />
<br />
We are writing a security standard for mobile apps and a comprehensive testing guide that covers the processes, techniques, and tools used during a mobile app security test, as well as an exhaustive set of test cases that enables testers to deliver consistent and complete results.<br />
<br />
== Early-Access Ebook ==<br />
<br />
{| cellpadding="5"<br />
|-<br />
| [[File:Early-access-mini.jpg|link=https://leanpub.com/mobile-security-testing-guide]]<br />
| '''Mobile Security Testing Guide - Early Access'''<br />
The early access edition contains sample chapters with content on mobile security testing and reverse engineering. Feel free to download it for $0 or contribute any amount you like. All funds raised through sales of this book go directly into the project budget and will be used to fund production of the final release.<br />
|}<br />
<br />
== Main Deliverables ==<br />
<br />
{| cellpadding="5"<br />
|-<br />
| [[File:mstg-mini-3.jpg|link=https://www.github.com/OWASP/owasp-mstg/]]<br />
| '''Mobile Security Testing Guide'''<br />
A comprehensive guide for iOS and Android mobile security testers with the following content:<br />
# Mobile platform internals<br />
# Security testing in the mobile app development lifecycle<br />
# Basic static and dynamic security testing<br />
# Mobile app reverse engineering and tampering<br />
# Assessing software protections<br />
# Detailed test cases that map to the requirements in the MASVS.<br />
The MSTG is a work-in-progress. Currently, we hope to be "feature-complete" in Q3 2017. You can contribute and comment in the [https://github.com/OWASP/owasp-mstg GitHub Repo]. A book version of the current master branch is available on [https://b-mueller.gitbooks.io/the-owasp-mobile-security-testing-guide/content/ Gitbook].<br />
|-<br />
| [[File:masvs-sample-mini.jpg|link=https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf]]<br />
| '''Mobile App Security Requirements and Verification'''<br />
The [https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf OWASP Mobile Application Security Verification Standard (MASVS)] is a standard for mobile app security. It can be used by mobile software architects and developers seeking to develop secure mobile applications, as well as security testers to ensure completeness and consistency of test results. The latest release is [https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf version 0.9.3].<br />
|-<br />
| [[File:checklist.jpg|link=https://www.owasp.org/images/1/1b/Mobile_App_Security_Checklist_0.9.3.xlsx]]<br />
| '''Mobile App Security Checklist'''<br />
A checklist for use in security assessments. Also contains links to the MSTG test case for each requirement. The current release is [https://www.owasp.org/images/1/1b/Mobile_App_Security_Checklist_0.9.3.xlsx version 0.9.3].<br />
|}<br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Breakers]] <br />
[[Category:OWASP_Document]]<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="center" width="50%" | [[File:Owasp-breakers-small.png|link=https://www.owasp.org/index.php/Breakers]]<br />
|<br />
|-<br />
| align="center" valign="center" width="50%" | <br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
== Project Leaders ==<br />
<br />
<span style="color:#ff0000"><br />
<br />
[https://www.owasp.org/index.php/User:Bernhard_Mueller Bernhard Mueller]<br />
<br />
[https://www.owasp.org/index.php/User:Sven_Schleier Sven Schleier]<br />
<br />
== Road Map ==<br />
<br />
* Q3 2017: Beta release<br />
* Q4 2017: Version 1.0<br />
* Q1 2018: Produce A Printable Book<br />
<br />
== Parent Project ==<br />
<br />
[[OWASP_Mobile_Security_Project]]<br />
<br />
==Licensing==<br />
<br />
The guide is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
|}<br />
<br />
=How-To=<br />
<br />
== Using the OWASP Mobile App Security Verification Standard, Testing Guide and Checklist ==<br />
<br />
The documents produced in this project cover many aspects of mobile application security, from the high-level requirements to the nitty-gritty implementation details and test cases. They can be used to plan and verify security controls during any phase of mobile app development, as well as during pre-release code review and penetration testing.<br />
<br />
# The [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf Mobile Application Security Verification Standard (MASVS)] contains generic security requirements along with mappings to verification levels that can be chosen depending on the overall need for security.<br />
# The [https://github.com/OWASP/owasp-mstg Mobile Security Testing Guide (MSTG)] provides verification instructions for each requirement in the MASVS, as well as security best practices for apps on each supported mobile operating system (currently Android and iOS). It is also useful as a standalone learning resource and reference guide for mobile application security testers.<br />
# The [https://www.owasp.org/images/6/6f/Mobile_App_Security_Checklist_0.9.2.xlsx Mobile App Security Checklist] can be used to apply the MASVS requirements during practical assessments. It also conveniently links to the MSTG test case for each requirement, making mobile penetration testing a breeze.<br />
<br />
It is important to note that the security standard, testing guide and checklists are closely related: They all map to the same basic set of requirements. Depending on the context, the documents can be used stand-alone or in combination to achieve different objectives.<br />
<br />
[[File:Overview-800px.jpg]]<br />
<br />
For example, the MASVS requirements may be used in the planning and architecture design stages, while the checklist and testing guide may serve as a baseline for manual security testing or as a template for automated security tests.<br />
<br />
== Mobile App Security Testing ==<br />
<br />
The [https://www.owasp.org/images/9/94/Mobile_App_Security_Verification_Checklist_0.8.2.xlsx checklist] works great as a reference during mobile app security assessments. You can walk through the requirements one-by-one - for more information on each requirement, simply click on the link in the "Testing procedures" column. Or, fill out the checklist at the end of an assessment to ensure completeness. <br />
<br />
== Security Engineering in the SDLC ==<br />
<br />
Properly defined security requirements are an important part of the Secure SDLC. The [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf MASVS] levels can be used along with threat modeling to determine the appropriate set of security controls for a particular mobile app. MASVS V1 also lists requirements pertaining to the architecture and design of the mobile apps, as well as general processes and activities that should be part of the development process.<br />
<br />
== Mobile App Security Education ==<br />
<br />
The [https://github.com/OWASP/owasp-mstg Mobile Security Testing Guide] can be used as a standalone learning resource. Its main chapters contain general how-tos and tutorials that cover a variety of topics from mobile OS internals to advanced reverse engineering techniques.<br />
<br />
= Sponsorship Packages =<br />
With the Mobile Security Testing Guide sponsorship packages, we offer companies opportunities to create brand awareness and maximize visibility in the mobile security space. A limited amount of sponsorship packages will be made available shortly through our crowdfunding campaign. <br />
<br />
The following packages will be available (or [[:File:MSTG-Sponsor-Packages.pdf|download as PDF]] ):<br />
<br />
=== Good Samaritan (USD 500) ===<br />
* Listed as supporter on the project website and GitHub<br />
* Listed as supporter in the printed and ebook versions<br />
* 5 Paperback Books<br />
<br />
=== Honourable Benefactor (USD 2,000 / 10 Available) ===<br />
* Small company logo in the “Honourable Benefactors” section on project website and Github<br />
* Small company logo on the sponsors page of the printed and ebook versions<br />
* 10 Paperback Books<br />
<br />
=== God Mode Sponsor (USD 4,000 / 5 Available) ===<br />
* Large company logo in the “God mode sponsors” section on project website and Github<br />
* Large company logo on the sponsors page of the printed and ebook versions<br />
* 20 Paperback Books<br />
<br />
== Pre-book a package ==<br />
Contact [mailto:bernhard&#x5B;dot&#x5D;mueller&#x5B;at&#x5D;owasp&#x5B;dot&#x5D;org Bernhard Mueller] to reserve your slot. We will contact you as soon as the packages become available.<br />
<br />
==Why Sponsors?==<br />
<br />
As it turns out, writing a book to a professional standard is a challenging task, even more so if there's 50+ authors that aren't necessarily native speakers. Also, professional editors, graphic designers and layouters don't work for free. Thus, some funds are needed to make the tech book a reality.<br />
<br />
100% of the funds raised go directly into the project budget and will be used to fund production of the final release, including:<br />
<br />
* Editing and proofreading by professional editors<br />
* Graphic design and layout<br />
* Purchase an ISBN<br />
<br />
Any leftover funds will be donated to the OWASP Foundation for use in the mobile security project.<br />
<br />
=News=<br />
<br />
== July 5th, 2017: Sponsorship Packages Announced == <br />
<br />
We are happy to announce that a limited amount of sponsorship packages will be made available shortly through our crowdfunding campaign. With these packages, we offer companies opportunities to create brand awareness and maximize visibility in the mobile security space. The funds raised<br />
<br />
== June 17th, 2017: The OWASP Mobile Security Testing Guide - Summit Preview ==<br />
<br />
The MSTG Summit Preview is an experimental proof-of-concept book created on the OWASP Summit 2017 in London. The goal was to improve the authoring process and book deployment pipeline, as well as to demonstrate the viability of the project. Note that the content is not final and will likely change significantly in subsequent releases.<br />
<br />
Download the ebook [https://github.com/OWASP/owasp-mstg/releases/download/1.0/owasp-mstg-summit-edition.epub here].<br />
<br />
== Mobile Security Testing Workshop on the OWASP Summit 2017 ==<br />
<br />
The OWASP MSTG team is organizing a 5-days mobile security track on the OWASP Summit 2017. The track consists of a series of book sprints, each of which focuses on producing content for a specific section in the OWASP MSTG, as well as proof-reading and editing the existing content. The goal is to make as much progress on the guide as is humanly possible. Depending on the number of participants, we’ll split into sub-groups to work on different subsections or topic areas.<br />
<br />
=== How to Join ===<br />
<br />
Join up for the working session(s) you like by following the link(s) on the [http://owaspsummit.org/Working-Sessions/Mobile-Security/ mobile security track page], then hitting the "Edit this page here" link at the bottom, and adding yourself to the "participants" field. Signing up is not mandatory, but helps us to better organize the sessions. Don’t worry though if your session of choice happens on the "wrong" day - you can always simply stop by and we’ll brief you on your topic of choice. After all, this is the Woodstock of appsec!<br />
<br />
Mobile security track main page:<br />
<br />
http://owaspsummit.org/Working-Sessions/Mobile-Security/<br />
<br />
Mobile security track schedule:<br />
<br />
http://owaspsummit.org/schedule/tracks/Mobile-Security.html/<br />
<br />
== April 5th, 2017: Mobile App Security Verification Standard Update ==<br />
<br />
[https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf Version 0.9.3] of the MASVS is now [https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf available for download] . This release contains several bug fixes and modifications to security requirements:<br />
<br />
* Merged requirements 7.8 and 7.9 into for simplification<br />
* Removed Anti-RE controls 8.1 and 8.2<br />
* Updated MSTG links to current master<br />
* Section "Environmental Interaction" renamed to "Platform Interaction"<br />
* Removed To-dos<br />
* Fixed some wording & spelling issues<br />
<br />
== January 31st, 2017: Mobile App Security Verification Standard v0.9.2 Available For Download ==<br />
<br />
The Mobile App Security Verification Standard (MASVS) has undergone a major revision, including a re-design of the security model and verification levels. We also revised many security requirements to address the multitude of [https://github.com/OWASP/owasp-masvs/issues?q=is%3Aissue%20 issues raised on GitHub]. The result is MASVS v0.9.2, which is now [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf available for download in PDF format].<br />
<br />
As the MASVS is nearing maturity, we have decided to freeze the requirements until the Mobile Testing Guide and checklists "catch up" (due to the one-to-one mapping between requirements in the MASVS and MSTG, changes to the requirements make it necessary to update the other documents as well, causing repeated effort). Unless major issues pop up, the current list will therefore remain in place until MASVS/MSTG v1.0, and further changes will be reserved for v1.1 or later releases.<br />
<br />
The MASVS is a community effort to establish security requirements for designing, developing and testing secure mobile apps on iOS and Android. Join the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel] to meet the project members! You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
== January 28th, 2017: Mobile Crackmes and Reversing Tutorials ==<br />
{| cellpadding="5"<br />
|-<br />
| [[File:uncrackable-250.png|link=]]<br />
| <br />
A key goal of the OWASP Mobile Testing Project is to build the ultimate learning resource and reference guide for mobile app reversers. As hands-on hacking is by far the best way to learn, we'd like to link most of the content to practical examples. <br />
<br />
Starting now, we'll be adding [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes crackmes for Android and iOS] to the [https://github.com/OWASP/owasp-mstg GitHub repo] that will then be used as examples throughout the guide. The goal is to collect enough resources for demonstrating the most important tools and techniques in our guide, plus additional crackmes for practicing. For starters there are three challenges:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/OMTG-Files/02_Crackmes/01_Android/01_License_Validation Android License Validator]<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes/iOS/Level_01/ Uncrackable App for iOS Level 1]<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes/iOS/Level_02/ Uncrackable App for iOS Level 2]<br />
<br />
|}<br />
<br />
One of these three already has a [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md#symbolicexec documented solution] in the guide. Tutorials for solving the other two [https://github.com/OWASP/owasp-mstg/blob/master/OMTG-Files/02_Crackmes/List_of_Crackmes.md still need to be added].<br />
<br />
=== We Need More Authors and Contributors! ===<br />
<br />
Maybe you have noticed that [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html the reverse engineering sections in the Mobile Testing Guide are incomplete]. The reason: We're still in the starting stages and don't have a lot of authors and contributors (in fact, 99% of the reversing content was produced by one guy). We'd love to welcome *you* as a contributor of crackmes, tutorials, writeups, or simply new ideas for this project. <br />
<br />
==== What You Can Do ====<br />
<br />
The OWASP MSTG is an open project and there's a lot of flexibility - it mostly depends on your skill set and willingness to commit your time. That said, the some areas that need help are:<br />
<br />
* Solving crackmes and contributing a tutorial to the guide (preferable a technique that's not already documented. Check the [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html TOC] first).<br />
* Writing and adding new crackmes along with solutions (should also describe something not already in the guide. Cracking white-boxes, dynamic analysis using an emulator / introspection, etc. etc.).<br />
* General reversing write-ups to describe specific processes and techniques<br />
* Help us figure out [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x07b-Assessing_Software_Protections.md resiliency testing processes] and [https://github.com/b-mueller/obfuscation-metrics obfuscation metrics]<br />
<br />
The reversing part of the guide consists of the following chapters:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05-Testing-Processes-and-Techniques.md#tampering-and-reverse-engineering Tampering and Reverse Engineering - General Overview]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md#tampering-and-reverse-engineering-on-android Tampering and Reverse Engineering on Android]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Reverse-Engineering-and-Tampering-iOS.md#tampering-and-reverse-engineering-on-ios Tampering and Reverse Engineering on iOS]<br />
<br />
==== How To Join ====<br />
<br />
Read the [https://github.com/OWASP/owasp-mstg/blob/master/authors_guide.md author's guide] first, and join the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel], where you'll find all the other project members. You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
== January 22nd, 2017: Mobile Testing Guide TOC Available ==<br />
<br />
As of now, we'll be auto-generating a [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html table of contents] out of the current MSTG master branch. This reflects the current state of the guide, and should make it easier to coordinate work between authors. A short-term goal is to finalize the structure of the guide so we get a clearer picture of what will be included in the final document. Lead authors are encouraged to complete the outline of their respective chapters. <br />
<br />
'''On another note, we still need additional authors to help with all sections of the guide, including mobile operating system overviews, testing processes and techniques, and reverse engineering.''' Especially iOS authors are in short supply! As usual, ping us on the [https://owasp.slack.com/messages/project-mobile_omtg/details/ Slack Channel] if you want to contribute.<br />
<br />
== December 4th, 2016: Call For Authors: The Ultimate Open-Source Mobile App Reverse Engineering Guide ==<br />
<br />
Reverse engineering is an art, and describing every available facet of it would fill a whole library. The sheer range techniques and possible specializations is mind-blowing: One can spend years working on a very specific, isolated sub-problem, such as automating malware analysis or developing novel de-obfuscation methods. For mobile app security testers, it can be challenging to filter through the vast amount of information and build a working methodology. Things become even more problematic when one is tasked to assess apps that are heavily obfuscated and have anti-tampering measures built in.<br />
<br />
One of the main goals in the MSTG is to build the ultimate resource for mobile reverse engineers. This includes not only basic static and dynamic analysis, but also advanced de-obfuscation, scripting and automation. Obviously, writing all this content is a lot of work, both in terms of general content and OS-specific how-tos. We're therefore looking for talented authors that want to join the project early on. Topics include the following:<br />
<br />
* Basic Hybrid Static/Dynamic Analysis<br />
* Code Injection and Dynamic Instrumentation (Substrate, FRIDA)<br />
* Dynamic Binary Instrumentation (Valgrind, PIE)<br />
* Analysis Frameworks (Metasm / Miasm)<br />
* Symbolic Execution<br />
* DCA and DPA attacks on white-box crypto<br />
* Dynamic analysis frameworks (PANDA / DroidScope,...)<br />
* Anything else we might have missed<br />
<br />
=== What is in for me? ===<br />
<br />
All of this is unpaid, volunteer work. However, depending on your contribution, you will be named in the "lead authors" or "contributors" list, and you'll be able to point to the fact that you co-authored the guide. You'll also be contributing to the field, helping others who are just starting out, and in turn becoming a happier person yourself (reaping the full benefits of your altruism).<br />
<br />
=== Where do I sign up? ===<br />
<br />
First of all, have a look at the existing RE chapters outline:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05-Testing-Processes-and-Techniques.md#tampering-and-reverse-engineering Generic / Introduction]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md Android]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Reverse-Engineering-and-Tampering-iOS.md#tampering-and-reverse-engineering-on-ios iOS]<br />
<br />
You'll probably immediately have ideas on how you can contribute. If that's the case, read the [https://github.com/OWASP/owasp-mstg/blob/master/authors_guide.md author's guide] first. <br />
<br />
Then contact [https://github.com/b-mueller Bernhard Mueller] - ideally directly on the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel], where you'll find all the other project members. You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
=FAQs=<br />
<br />
==How can I participate in your project?==<br />
<br />
'''We are searching for additional authors, reviewers and editors.''' The best way to get started is to browse the [https://b-mueller.gitbooks.io/owasp-mobile-security-testing-guide/content/ existing content]. Also, check the [https://github.com/OWASP/owasp-mstg/projects/1 project dashboard] for a list of open tasks.<br />
<br />
Drop a us line on the [https://owasp.slack.com/messages/project-mobile_omtg/details/) Slack channel] before you start working on a topic. This helps us to keep track of what everyone is doing and prevent conflicts. You can create a Slack account here:<br />
<br />
http://owasp.herokuapp.com/<br />
<br />
Before you start contributing, please read our brief [https://github.com/OWASP/owasp-mstg/blob/master/style_guide.md style guide] which contains a few basic writing rules.<br />
<br />
If there's something you really want to see in the guide, or you want to suggest an improvement, create an issue [https://github.com/OWASP/owasp-mstg/issues issue] or ping us on [https://owasp.slack.com/messages/project-mobile_omtg/details/ Slack].<br />
<br />
==Where do you guys need help the most?==<br />
<br />
There's a lot of areas where you can help out:<br />
<br />
* Writing original content, such as describing testing processes and writing test cases. We're all doing this in our spare time, which unfortunately means that things sometimes slow down to a crawl. If you're knowledgeable in some area and have time available, we'd be incredibly thankful to anyone who contributes, even if it's only one or two test cases.<br />
<br />
* Reviewing content and giving feedback. The proper channel for questions and feedback is the GitHub issues system of the respective repo, contacting us on [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel] is another possibility.<br />
<br />
* Developing tools. For example, we still don't have an automated way of generating checklists out of the GitHub repo.<br />
<br />
* Contributing to auxiliary projects: The [https://github.com/b-mueller/obfuscation-metrics obfuscation metrics project] is an auxiliary project that deals with specific forms of control flow and data obfuscation. This project needs experts in advanced obfuscation / de-obfuscation. Please contact us if you have experience in this area.<br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator.<br />
<br />
==I contributed to the original Google Doc, but I'm not credited in the new version of the MSTG? ==<br />
As we migrated some of the existing content, we did our best to backtrack the original authors and credit them appropriately. We also added a [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x02-Frontispiece.md revision history] that lists all the authors from old Google Docs. If you are not on that list but feel you should be, please contact [https://github.com/b-mueller Bernhard] or [https://github.com/sushi2k Sven] and they'll fix it. Or better yet, re-join the author's team and start contributing to the new guide.<br />
<br />
= Acknowledgements =<br />
<br />
== Acknowledgments ==<br />
<br />
=== Authors ===<br />
<br />
====Bernhard Mueller ====<br />
<br />
Bernhard is a cyber security specialist with a talent in hacking all kinds of systems. During more than a decade in the industry, he has published many zero-day exploits for software such as MS SQL Server, Adobe Flash Player, IBM Director, Cisco VOIP and ModSecurity. If you can name it, he has probably broken it at least once. His pioneering work in mobile security was commended with a BlackHat "Best Research" Pwnie Award.<br />
<br />
==== Sven Schleier ====<br />
<br />
Sven is an experienced penetration tester and security architect who specialized in implementing secure SDLC for web application, iOS and Android apps. He is a project leader for the OWASP Mobile Security Testing Guide and the creator of OWASP Mobile Hacking Playground. Sven also supports the community with free hands-on workshops on web and mobile app security testing. He has published several security advisories and a white papers about a range of security topics.<br />
<br />
=== Co-Authors ===<br />
<br />
==== Romuald Szkudlarek ====<br />
<br />
Romuald is a passionate cyber security & privacy professional with over 15 years of experience in the Web, Mobile, IoT and Cloud domains. During his career, he has been dedicating spare time to a variery of projects with the goal of advancing the sectors of software and security. He is also teaching at various institutions. He holds CISSP, CSSLP and CEH credentials.<br />
<br />
==== Jeroen Willemsen ====<br />
<br />
Jeroen is a full-stack developer specialized in IT security at Xebia with a passion for mobile and risk management. He loves to explain things: starting as a teacher teaching PHP to bachelor students and then move along explaining security, risk management and programming issues to anyone willing to listen and learn.<br />
<br />
=== Top Contributors ===<br />
<br />
* Francesco Stillavato<br />
* Pawel Rzepa<br />
* Andreas Happe<br />
* Henry Hoggard<br />
* Wen Bin Kong<br />
* Abdessamad Temmar<br />
* Alexander Anthuk<br />
* Slawomir Kosowski<br />
* Bolot Kerimbaev<br />
<br />
=== Contributors ===<br />
<br />
Jin Kung Ong, Gerhard Wagner, Andreas Happe, Wen Bin Kong, Michael Helwig, Jeroen Willemsen, Denis Pilipchuk, Ryan Teoh, Dharshin De Silva, Anita Diamond, Daniel Ramirez Martin, Claudio André, Enrico Verzegnassi, Prathan Phongthiproek, Tom Welch, Luander Ribeiro, Oguzhan Topgul, Carlos Holguera, David Fern, Pishu Mahtani, Anuruddha<br />
<br />
=== Reviewers ===<br />
<br />
* Anant Shrivastava<br />
* Sjoerd Langkemper<br />
<br />
=== Others ===<br />
<br />
The full list of contributors, including those with less than 50 additions logged, is available on [https://github.com/OWASP/owasp-mstg/graphs/contributors GitHub].<br />
<br />
=== Old Version - MSTG "Beta" on Google Drive ===<br />
<br />
The Mobile Security Testing Guide was initiated by [https://www.owasp.org/index.php/User:Milan_Singh_Thakur Milan Singh Thakur] in 2015. The original document was hosted on Google Drive.<br />
<br />
'''Authors:'''<br />
<br />
Mirza Ali, Stephen Corbiaux, Ryan Dewhurst, Mohammad Hamed Dadpour, David Fern, Ali Yazdani, Bao Lee, Anto Joseph, Nutan Kumar Panda, Rahil Parikh, Julian Schütte, Abhinav Sejpal, Anant Shrivastava, Pragati Singh, Milan Singh Thakur, Stephanie Vanroelen, Gerhard Wagner<br />
<br />
'''Reviewers:'''<br />
<br />
Andrew Muller, Jonathan Carter, Stephanie Vanroelen, Milan Singh Thakur<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs></headertabs> <br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Builders]] <br />
[[Category:OWASP_Defenders]] <br />
[[Category:OWASP_Document]]</div>Bernhard Muellerhttps://wiki.owasp.org/index.php?title=OWASP_Mobile_Security_Testing_Guide&diff=231233OWASP Mobile Security Testing Guide2017-07-05T03:28:30Z<p>Bernhard Mueller: </p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_MSTG_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==Our Vision ==<br />
<br />
=== '''"Define the industry standard for mobile application security."''' ===<br />
<br />
We are writing a security standard for mobile apps and a comprehensive testing guide that covers the processes, techniques, and tools used during a mobile app security test, as well as an exhaustive set of test cases that enables testers to deliver consistent and complete results.<br />
<br />
== Early-Access Ebook ==<br />
<br />
{| cellpadding="5"<br />
|-<br />
| [[File:Early-access-mini.jpg|link=https://leanpub.com/mobile-security-testing-guide]]<br />
| '''Mobile Security Testing Guide - Early Access'''<br />
The early access edition contains sample chapters with content on mobile security testing and reverse engineering. Feel free to download it for $0 or contribute any amount you like. All funds raised through sales of this book go directly into the project budget and will be used to fund production of the final release.<br />
|}<br />
<br />
== Main Deliverables ==<br />
<br />
{| cellpadding="5"<br />
|-<br />
| [[File:mstg-mini-3.jpg|link=https://www.github.com/OWASP/owasp-mstg/]]<br />
| '''Mobile Security Testing Guide'''<br />
A comprehensive guide for iOS and Android mobile security testers with the following content:<br />
# Mobile platform internals<br />
# Security testing in the mobile app development lifecycle<br />
# Basic static and dynamic security testing<br />
# Mobile app reverse engineering and tampering<br />
# Assessing software protections<br />
# Detailed test cases that map to the requirements in the MASVS.<br />
The MSTG is a work-in-progress. Currently, we hope to be "feature-complete" in Q3 2017. You can contribute and comment in the [https://github.com/OWASP/owasp-mstg GitHub Repo]. A book version of the current master branch is available on [https://b-mueller.gitbooks.io/the-owasp-mobile-security-testing-guide/content/ Gitbook].<br />
|-<br />
| [[File:masvs-sample-mini.jpg|link=https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf]]<br />
| '''Mobile App Security Requirements and Verification'''<br />
The [https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf OWASP Mobile Application Security Verification Standard (MASVS)] is a standard for mobile app security. It can be used by mobile software architects and developers seeking to develop secure mobile applications, as well as security testers to ensure completeness and consistency of test results. The latest release is [https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf version 0.9.3].<br />
|-<br />
| [[File:checklist.jpg|link=https://www.owasp.org/images/1/1b/Mobile_App_Security_Checklist_0.9.3.xlsx]]<br />
| '''Mobile App Security Checklist'''<br />
A checklist for use in security assessments. Also contains links to the MSTG test case for each requirement. The current release is [https://www.owasp.org/images/1/1b/Mobile_App_Security_Checklist_0.9.3.xlsx version 0.9.3].<br />
|}<br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Breakers]] <br />
[[Category:OWASP_Document]]<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="center" width="50%" | [[File:Owasp-breakers-small.png|link=https://www.owasp.org/index.php/Breakers]]<br />
|<br />
|-<br />
| align="center" valign="center" width="50%" | <br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
== Project Leaders ==<br />
<br />
<span style="color:#ff0000"><br />
<br />
[https://www.owasp.org/index.php/User:Bernhard_Mueller Bernhard Mueller]<br />
<br />
[https://www.owasp.org/index.php/User:Sven_Schleier Sven Schleier]<br />
<br />
== Road Map ==<br />
<br />
* Q3 2017: Beta release<br />
* Q4 2017: Version 1.0<br />
* Q1 2018: Produce A Printable Book<br />
<br />
== Parent Project ==<br />
<br />
[[OWASP_Mobile_Security_Project]]<br />
<br />
==Licensing==<br />
<br />
The guide is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
|}<br />
<br />
=How-To=<br />
<br />
== Using the OWASP Mobile App Security Verification Standard, Testing Guide and Checklist ==<br />
<br />
The documents produced in this project cover many aspects of mobile application security, from the high-level requirements to the nitty-gritty implementation details and test cases. They can be used to plan and verify security controls during any phase of mobile app development, as well as during pre-release code review and penetration testing.<br />
<br />
# The [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf Mobile Application Security Verification Standard (MASVS)] contains generic security requirements along with mappings to verification levels that can be chosen depending on the overall need for security.<br />
# The [https://github.com/OWASP/owasp-mstg Mobile Security Testing Guide (MSTG)] provides verification instructions for each requirement in the MASVS, as well as security best practices for apps on each supported mobile operating system (currently Android and iOS). It is also useful as a standalone learning resource and reference guide for mobile application security testers.<br />
# The [https://www.owasp.org/images/6/6f/Mobile_App_Security_Checklist_0.9.2.xlsx Mobile App Security Checklist] can be used to apply the MASVS requirements during practical assessments. It also conveniently links to the MSTG test case for each requirement, making mobile penetration testing a breeze.<br />
<br />
It is important to note that the security standard, testing guide and checklists are closely related: They all map to the same basic set of requirements. Depending on the context, the documents can be used stand-alone or in combination to achieve different objectives.<br />
<br />
[[File:Overview-800px.jpg]]<br />
<br />
For example, the MASVS requirements may be used in the planning and architecture design stages, while the checklist and testing guide may serve as a baseline for manual security testing or as a template for automated security tests.<br />
<br />
== Mobile App Security Testing ==<br />
<br />
The [https://www.owasp.org/images/9/94/Mobile_App_Security_Verification_Checklist_0.8.2.xlsx checklist] works great as a reference during mobile app security assessments. You can walk through the requirements one-by-one - for more information on each requirement, simply click on the link in the "Testing procedures" column. Or, fill out the checklist at the end of an assessment to ensure completeness. <br />
<br />
== Security Engineering in the SDLC ==<br />
<br />
Properly defined security requirements are an important part of the Secure SDLC. The [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf MASVS] levels can be used along with threat modeling to determine the appropriate set of security controls for a particular mobile app. MASVS V1 also lists requirements pertaining to the architecture and design of the mobile apps, as well as general processes and activities that should be part of the development process.<br />
<br />
== Mobile App Security Education ==<br />
<br />
The [https://github.com/OWASP/owasp-mstg Mobile Security Testing Guide] can be used as a standalone learning resource. Its main chapters contain general how-tos and tutorials that cover a variety of topics from mobile OS internals to advanced reverse engineering techniques.<br />
<br />
= Sponsorship Packages =<br />
With the Mobile Security Testing Guide sponsorship packages, we offer companies opportunities to create brand awareness and maximize visibility in the mobile security space. A limited amount of sponsorship packages will be made available shortly through our crowdfunding campaign. <br />
<br />
The following packages will be available (or [[:File:MSTG-Sponsor-Packages.pdf|download as PDF]] ):<br />
<br />
=== Good Samaritan (USD 500) ===<br />
* Listed as supporter on the project website and GitHub<br />
* Listed as supporter in the printed and ebook versions<br />
* 5 Paperback Books<br />
<br />
=== Honourable Benefactor (USD 2,000 / 10 Available) ===<br />
* Small company logo in the “Honourable Benefactors” section on project website and Github<br />
* Small company logo on the sponsors page of the printed and ebook versions<br />
* 10 Paperback Books<br />
<br />
=== God Mode Sponsor (USD 4,000 / 5 Available) ===<br />
* Large company logo in the “God mode sponsors” section on project website and Github<br />
* Large company logo on the sponsors page of the printed and ebook versions<br />
* 20 Paperback Books<br />
<br />
== Pre-book a package ==<br />
Contact [mailto:bernhard&#x5B;dot&#x5D;mueller&#x5B;at&#x5D;owasp&#x5B;dot&#x5D;org Bernhard Mueller] to reserve your slot. We will contact you as soon as the packages become available.<br />
<br />
==Why Sponsors?==<br />
<br />
As it turns out, writing a book to a professional standard is a challenging task, even more so if there's 50+ authors that aren't necessarily native speakers. Also, professional editors, graphic designers and layouters don't work for free. Thus, some funds are needed to make the tech book a reality.<br />
<br />
100% of the funds raised k go directly into the project budget and will be used to fund production of the final release, including:<br />
* Editing and proofreading by professional editors<br />
* Graphic design and layout<br />
* Purchase an ISBN<br />
Any leftover funds will be donated to the OWASP Foundation for use in the mobile security project.<br />
<br />
=News=<br />
<br />
== July 5th, 2017: Sponsorship Packages Announced == <br />
<br />
We are happy to announce that a limited amount of sponsorship packages will be made available shortly through our crowdfunding campaign. With these packages, we offer companies opportunities to create brand awareness and maximize visibility in the mobile security space. The funds raised<br />
<br />
== June 17th, 2017: The OWASP Mobile Security Testing Guide - Summit Preview ==<br />
<br />
The MSTG Summit Preview is an experimental proof-of-concept book created on the OWASP Summit 2017 in London. The goal was to improve the authoring process and book deployment pipeline, as well as to demonstrate the viability of the project. Note that the content is not final and will likely change significantly in subsequent releases.<br />
<br />
Download the ebook [https://github.com/OWASP/owasp-mstg/releases/download/1.0/owasp-mstg-summit-edition.epub here].<br />
<br />
== Mobile Security Testing Workshop on the OWASP Summit 2017 ==<br />
<br />
The OWASP MSTG team is organizing a 5-days mobile security track on the OWASP Summit 2017. The track consists of a series of book sprints, each of which focuses on producing content for a specific section in the OWASP MSTG, as well as proof-reading and editing the existing content. The goal is to make as much progress on the guide as is humanly possible. Depending on the number of participants, we’ll split into sub-groups to work on different subsections or topic areas.<br />
<br />
=== How to Join ===<br />
<br />
Join up for the working session(s) you like by following the link(s) on the [http://owaspsummit.org/Working-Sessions/Mobile-Security/ mobile security track page], then hitting the "Edit this page here" link at the bottom, and adding yourself to the "participants" field. Signing up is not mandatory, but helps us to better organize the sessions. Don’t worry though if your session of choice happens on the "wrong" day - you can always simply stop by and we’ll brief you on your topic of choice. After all, this is the Woodstock of appsec!<br />
<br />
Mobile security track main page:<br />
<br />
http://owaspsummit.org/Working-Sessions/Mobile-Security/<br />
<br />
Mobile security track schedule:<br />
<br />
http://owaspsummit.org/schedule/tracks/Mobile-Security.html/<br />
<br />
== April 5th, 2017: Mobile App Security Verification Standard Update ==<br />
<br />
[https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf Version 0.9.3] of the MASVS is now [https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf available for download] . This release contains several bug fixes and modifications to security requirements:<br />
<br />
* Merged requirements 7.8 and 7.9 into for simplification<br />
* Removed Anti-RE controls 8.1 and 8.2<br />
* Updated MSTG links to current master<br />
* Section "Environmental Interaction" renamed to "Platform Interaction"<br />
* Removed To-dos<br />
* Fixed some wording & spelling issues<br />
<br />
== January 31st, 2017: Mobile App Security Verification Standard v0.9.2 Available For Download ==<br />
<br />
The Mobile App Security Verification Standard (MASVS) has undergone a major revision, including a re-design of the security model and verification levels. We also revised many security requirements to address the multitude of [https://github.com/OWASP/owasp-masvs/issues?q=is%3Aissue%20 issues raised on GitHub]. The result is MASVS v0.9.2, which is now [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf available for download in PDF format].<br />
<br />
As the MASVS is nearing maturity, we have decided to freeze the requirements until the Mobile Testing Guide and checklists "catch up" (due to the one-to-one mapping between requirements in the MASVS and MSTG, changes to the requirements make it necessary to update the other documents as well, causing repeated effort). Unless major issues pop up, the current list will therefore remain in place until MASVS/MSTG v1.0, and further changes will be reserved for v1.1 or later releases.<br />
<br />
The MASVS is a community effort to establish security requirements for designing, developing and testing secure mobile apps on iOS and Android. Join the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel] to meet the project members! You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
== January 28th, 2017: Mobile Crackmes and Reversing Tutorials ==<br />
{| cellpadding="5"<br />
|-<br />
| [[File:uncrackable-250.png|link=]]<br />
| <br />
A key goal of the OWASP Mobile Testing Project is to build the ultimate learning resource and reference guide for mobile app reversers. As hands-on hacking is by far the best way to learn, we'd like to link most of the content to practical examples. <br />
<br />
Starting now, we'll be adding [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes crackmes for Android and iOS] to the [https://github.com/OWASP/owasp-mstg GitHub repo] that will then be used as examples throughout the guide. The goal is to collect enough resources for demonstrating the most important tools and techniques in our guide, plus additional crackmes for practicing. For starters there are three challenges:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/OMTG-Files/02_Crackmes/01_Android/01_License_Validation Android License Validator]<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes/iOS/Level_01/ Uncrackable App for iOS Level 1]<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes/iOS/Level_02/ Uncrackable App for iOS Level 2]<br />
<br />
|}<br />
<br />
One of these three already has a [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md#symbolicexec documented solution] in the guide. Tutorials for solving the other two [https://github.com/OWASP/owasp-mstg/blob/master/OMTG-Files/02_Crackmes/List_of_Crackmes.md still need to be added].<br />
<br />
=== We Need More Authors and Contributors! ===<br />
<br />
Maybe you have noticed that [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html the reverse engineering sections in the Mobile Testing Guide are incomplete]. The reason: We're still in the starting stages and don't have a lot of authors and contributors (in fact, 99% of the reversing content was produced by one guy). We'd love to welcome *you* as a contributor of crackmes, tutorials, writeups, or simply new ideas for this project. <br />
<br />
==== What You Can Do ====<br />
<br />
The OWASP MSTG is an open project and there's a lot of flexibility - it mostly depends on your skill set and willingness to commit your time. That said, the some areas that need help are:<br />
<br />
* Solving crackmes and contributing a tutorial to the guide (preferable a technique that's not already documented. Check the [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html TOC] first).<br />
* Writing and adding new crackmes along with solutions (should also describe something not already in the guide. Cracking white-boxes, dynamic analysis using an emulator / introspection, etc. etc.).<br />
* General reversing write-ups to describe specific processes and techniques<br />
* Help us figure out [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x07b-Assessing_Software_Protections.md resiliency testing processes] and [https://github.com/b-mueller/obfuscation-metrics obfuscation metrics]<br />
<br />
The reversing part of the guide consists of the following chapters:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05-Testing-Processes-and-Techniques.md#tampering-and-reverse-engineering Tampering and Reverse Engineering - General Overview]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md#tampering-and-reverse-engineering-on-android Tampering and Reverse Engineering on Android]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Reverse-Engineering-and-Tampering-iOS.md#tampering-and-reverse-engineering-on-ios Tampering and Reverse Engineering on iOS]<br />
<br />
==== How To Join ====<br />
<br />
Read the [https://github.com/OWASP/owasp-mstg/blob/master/authors_guide.md author's guide] first, and join the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel], where you'll find all the other project members. You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
== January 22nd, 2017: Mobile Testing Guide TOC Available ==<br />
<br />
As of now, we'll be auto-generating a [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html table of contents] out of the current MSTG master branch. This reflects the current state of the guide, and should make it easier to coordinate work between authors. A short-term goal is to finalize the structure of the guide so we get a clearer picture of what will be included in the final document. Lead authors are encouraged to complete the outline of their respective chapters. <br />
<br />
'''On another note, we still need additional authors to help with all sections of the guide, including mobile operating system overviews, testing processes and techniques, and reverse engineering.''' Especially iOS authors are in short supply! As usual, ping us on the [https://owasp.slack.com/messages/project-mobile_omtg/details/ Slack Channel] if you want to contribute.<br />
<br />
== December 4th, 2016: Call For Authors: The Ultimate Open-Source Mobile App Reverse Engineering Guide ==<br />
<br />
Reverse engineering is an art, and describing every available facet of it would fill a whole library. The sheer range techniques and possible specializations is mind-blowing: One can spend years working on a very specific, isolated sub-problem, such as automating malware analysis or developing novel de-obfuscation methods. For mobile app security testers, it can be challenging to filter through the vast amount of information and build a working methodology. Things become even more problematic when one is tasked to assess apps that are heavily obfuscated and have anti-tampering measures built in.<br />
<br />
One of the main goals in the MSTG is to build the ultimate resource for mobile reverse engineers. This includes not only basic static and dynamic analysis, but also advanced de-obfuscation, scripting and automation. Obviously, writing all this content is a lot of work, both in terms of general content and OS-specific how-tos. We're therefore looking for talented authors that want to join the project early on. Topics include the following:<br />
<br />
* Basic Hybrid Static/Dynamic Analysis<br />
* Code Injection and Dynamic Instrumentation (Substrate, FRIDA)<br />
* Dynamic Binary Instrumentation (Valgrind, PIE)<br />
* Analysis Frameworks (Metasm / Miasm)<br />
* Symbolic Execution<br />
* DCA and DPA attacks on white-box crypto<br />
* Dynamic analysis frameworks (PANDA / DroidScope,...)<br />
* Anything else we might have missed<br />
<br />
=== What is in for me? ===<br />
<br />
All of this is unpaid, volunteer work. However, depending on your contribution, you will be named in the "lead authors" or "contributors" list, and you'll be able to point to the fact that you co-authored the guide. You'll also be contributing to the field, helping others who are just starting out, and in turn becoming a happier person yourself (reaping the full benefits of your altruism).<br />
<br />
=== Where do I sign up? ===<br />
<br />
First of all, have a look at the existing RE chapters outline:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05-Testing-Processes-and-Techniques.md#tampering-and-reverse-engineering Generic / Introduction]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md Android]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Reverse-Engineering-and-Tampering-iOS.md#tampering-and-reverse-engineering-on-ios iOS]<br />
<br />
You'll probably immediately have ideas on how you can contribute. If that's the case, read the [https://github.com/OWASP/owasp-mstg/blob/master/authors_guide.md author's guide] first. <br />
<br />
Then contact [https://github.com/b-mueller Bernhard Mueller] - ideally directly on the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel], where you'll find all the other project members. You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
=FAQs=<br />
<br />
==How can I participate in your project?==<br />
<br />
'''We are searching for additional authors, reviewers and editors.''' The best way to get started is to browse the [https://b-mueller.gitbooks.io/owasp-mobile-security-testing-guide/content/ existing content]. Also, check the [https://github.com/OWASP/owasp-mstg/projects/1 project dashboard] for a list of open tasks.<br />
<br />
Drop a us line on the [https://owasp.slack.com/messages/project-mobile_omtg/details/) Slack channel] before you start working on a topic. This helps us to keep track of what everyone is doing and prevent conflicts. You can create a Slack account here:<br />
<br />
http://owasp.herokuapp.com/<br />
<br />
Before you start contributing, please read our brief [https://github.com/OWASP/owasp-mstg/blob/master/style_guide.md style guide] which contains a few basic writing rules.<br />
<br />
If there's something you really want to see in the guide, or you want to suggest an improvement, create an issue [https://github.com/OWASP/owasp-mstg/issues issue] or ping us on [https://owasp.slack.com/messages/project-mobile_omtg/details/ Slack].<br />
<br />
==Where do you guys need help the most?==<br />
<br />
There's a lot of areas where you can help out:<br />
<br />
* Writing original content, such as describing testing processes and writing test cases. We're all doing this in our spare time, which unfortunately means that things sometimes slow down to a crawl. If you're knowledgeable in some area and have time available, we'd be incredibly thankful to anyone who contributes, even if it's only one or two test cases.<br />
<br />
* Reviewing content and giving feedback. The proper channel for questions and feedback is the GitHub issues system of the respective repo, contacting us on [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel] is another possibility.<br />
<br />
* Developing tools. For example, we still don't have an automated way of generating checklists out of the GitHub repo.<br />
<br />
* Contributing to auxiliary projects: The [https://github.com/b-mueller/obfuscation-metrics obfuscation metrics project] is an auxiliary project that deals with specific forms of control flow and data obfuscation. This project needs experts in advanced obfuscation / de-obfuscation. Please contact us if you have experience in this area.<br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator.<br />
<br />
==I contributed to the original Google Doc, but I'm not credited in the new version of the MSTG? ==<br />
As we migrated some of the existing content, we did our best to backtrack the original authors and credit them appropriately. We also added a [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x02-Frontispiece.md revision history] that lists all the authors from old Google Docs. If you are not on that list but feel you should be, please contact [https://github.com/b-mueller Bernhard] or [https://github.com/sushi2k Sven] and they'll fix it. Or better yet, re-join the author's team and start contributing to the new guide.<br />
<br />
= Acknowledgements =<br />
<br />
== Acknowledgments ==<br />
<br />
=== Authors ===<br />
<br />
====Bernhard Mueller ====<br />
<br />
Bernhard is a cyber security specialist with a talent in hacking all kinds of systems. During more than a decade in the industry, he has published many zero-day exploits for software such as MS SQL Server, Adobe Flash Player, IBM Director, Cisco VOIP and ModSecurity. If you can name it, he has probably broken it at least once. His pioneering work in mobile security was commended with a BlackHat "Best Research" Pwnie Award.<br />
<br />
==== Sven Schleier ====<br />
<br />
Sven is an experienced penetration tester and security architect who specialized in implementing secure SDLC for web application, iOS and Android apps. He is a project leader for the OWASP Mobile Security Testing Guide and the creator of OWASP Mobile Hacking Playground. Sven also supports the community with free hands-on workshops on web and mobile app security testing. He has published several security advisories and a white papers about a range of security topics.<br />
<br />
=== Co-Authors ===<br />
<br />
==== Romuald Szkudlarek ====<br />
<br />
Romuald is a passionate cyber security & privacy professional with over 15 years of experience in the Web, Mobile, IoT and Cloud domains. During his career, he has been dedicating spare time to a variery of projects with the goal of advancing the sectors of software and security. He is also teaching at various institutions. He holds CISSP, CSSLP and CEH credentials.<br />
<br />
==== Jeroen Willemsen ====<br />
<br />
Jeroen is a full-stack developer specialized in IT security at Xebia with a passion for mobile and risk management. He loves to explain things: starting as a teacher teaching PHP to bachelor students and then move along explaining security, risk management and programming issues to anyone willing to listen and learn.<br />
<br />
=== Top Contributors ===<br />
<br />
* Francesco Stillavato<br />
* Pawel Rzepa<br />
* Andreas Happe<br />
* Henry Hoggard<br />
* Wen Bin Kong<br />
* Abdessamad Temmar<br />
* Alexander Anthuk<br />
* Slawomir Kosowski<br />
* Bolot Kerimbaev<br />
<br />
=== Contributors ===<br />
<br />
Jin Kung Ong, Gerhard Wagner, Andreas Happe, Wen Bin Kong, Michael Helwig, Jeroen Willemsen, Denis Pilipchuk, Ryan Teoh, Dharshin De Silva, Anita Diamond, Daniel Ramirez Martin, Claudio André, Enrico Verzegnassi, Prathan Phongthiproek, Tom Welch, Luander Ribeiro, Oguzhan Topgul, Carlos Holguera, David Fern, Pishu Mahtani, Anuruddha<br />
<br />
=== Reviewers ===<br />
<br />
* Anant Shrivastava<br />
* Sjoerd Langkemper<br />
<br />
=== Others ===<br />
<br />
The full list of contributors, including those with less than 50 additions logged, is available on [https://github.com/OWASP/owasp-mstg/graphs/contributors GitHub].<br />
<br />
=== Old Version - MSTG "Beta" on Google Drive ===<br />
<br />
The Mobile Security Testing Guide was initiated by [https://www.owasp.org/index.php/User:Milan_Singh_Thakur Milan Singh Thakur] in 2015. The original document was hosted on Google Drive.<br />
<br />
'''Authors:'''<br />
<br />
Mirza Ali, Stephen Corbiaux, Ryan Dewhurst, Mohammad Hamed Dadpour, David Fern, Ali Yazdani, Bao Lee, Anto Joseph, Nutan Kumar Panda, Rahil Parikh, Julian Schütte, Abhinav Sejpal, Anant Shrivastava, Pragati Singh, Milan Singh Thakur, Stephanie Vanroelen, Gerhard Wagner<br />
<br />
'''Reviewers:'''<br />
<br />
Andrew Muller, Jonathan Carter, Stephanie Vanroelen, Milan Singh Thakur<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs></headertabs> <br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Builders]] <br />
[[Category:OWASP_Defenders]] <br />
[[Category:OWASP_Document]]</div>Bernhard Muellerhttps://wiki.owasp.org/index.php?title=OWASP_Mobile_Security_Testing_Guide&diff=231232OWASP Mobile Security Testing Guide2017-07-05T03:27:44Z<p>Bernhard Mueller: </p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_MSTG_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==Our Vision ==<br />
<br />
=== '''"Define the industry standard for mobile application security."''' ===<br />
<br />
We are writing a security standard for mobile apps and a comprehensive testing guide that covers the processes, techniques, and tools used during a mobile app security test, as well as an exhaustive set of test cases that enables testers to deliver consistent and complete results.<br />
<br />
== Early-Access Ebook ==<br />
<br />
{| cellpadding="5"<br />
|-<br />
| [[File:Early-access-mini.jpg|link=https://leanpub.com/mobile-security-testing-guide]]<br />
| '''Mobile Security Testing Guide - Early Access'''<br />
The early access edition contains sample chapters with content on mobile security testing and reverse engineering. Feel free to download it for $0 or contribute any amount you like. All funds raised through sales of this book go directly into the project budget and will be used to fund production of the final release.<br />
|}<br />
<br />
== Main Deliverables ==<br />
<br />
{| cellpadding="5"<br />
|-<br />
| [[File:mstg-mini-3.jpg|link=https://www.github.com/OWASP/owasp-mstg/]]<br />
| '''Mobile Security Testing Guide'''<br />
A comprehensive guide for iOS and Android mobile security testers with the following content:<br />
# Mobile platform internals<br />
# Security testing in the mobile app development lifecycle<br />
# Basic static and dynamic security testing<br />
# Mobile app reverse engineering and tampering<br />
# Assessing software protections<br />
# Detailed test cases that map to the requirements in the MASVS.<br />
The MSTG is a work-in-progress. Currently, we hope to be "feature-complete" in Q3 2017. You can contribute and comment in the [https://github.com/OWASP/owasp-mstg GitHub Repo]. A book version of the current master branch is available on [https://b-mueller.gitbooks.io/the-owasp-mobile-security-testing-guide/content/ Gitbook].<br />
|-<br />
| [[File:masvs-sample-mini.jpg|link=https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf]]<br />
| '''Mobile App Security Requirements and Verification'''<br />
The [https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf OWASP Mobile Application Security Verification Standard (MASVS)] is a standard for mobile app security. It can be used by mobile software architects and developers seeking to develop secure mobile applications, as well as security testers to ensure completeness and consistency of test results. The latest release is [https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf version 0.9.3].<br />
|-<br />
| [[File:checklist.jpg|link=https://www.owasp.org/images/1/1b/Mobile_App_Security_Checklist_0.9.3.xlsx]]<br />
| '''Mobile App Security Checklist'''<br />
A checklist for use in security assessments. Also contains links to the MSTG test case for each requirement. The current release is [https://www.owasp.org/images/1/1b/Mobile_App_Security_Checklist_0.9.3.xlsx version 0.9.3].<br />
|}<br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Breakers]] <br />
[[Category:OWASP_Document]]<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="center" width="50%" | [[File:Owasp-breakers-small.png|link=https://www.owasp.org/index.php/Breakers]]<br />
|<br />
|-<br />
| align="center" valign="center" width="50%" | <br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
== Project Leaders ==<br />
<br />
<span style="color:#ff0000"><br />
<br />
[https://www.owasp.org/index.php/User:Bernhard_Mueller Bernhard Mueller]<br />
<br />
[https://www.owasp.org/index.php/User:Sven_Schleier Sven Schleier]<br />
<br />
== Road Map ==<br />
<br />
* Q3 2017: Beta release<br />
* Q4 2017: Version 1.0<br />
* Q1 2018: Produce A Printable Book<br />
<br />
== Parent Project ==<br />
<br />
[[OWASP_Mobile_Security_Project]]<br />
<br />
==Licensing==<br />
<br />
The guide is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
|}<br />
<br />
=How-To=<br />
<br />
== Using the OWASP Mobile App Security Verification Standard, Testing Guide and Checklist ==<br />
<br />
The documents produced in this project cover many aspects of mobile application security, from the high-level requirements to the nitty-gritty implementation details and test cases. They can be used to plan and verify security controls during any phase of mobile app development, as well as during pre-release code review and penetration testing.<br />
<br />
# The [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf Mobile Application Security Verification Standard (MASVS)] contains generic security requirements along with mappings to verification levels that can be chosen depending on the overall need for security.<br />
# The [https://github.com/OWASP/owasp-mstg Mobile Security Testing Guide (MSTG)] provides verification instructions for each requirement in the MASVS, as well as security best practices for apps on each supported mobile operating system (currently Android and iOS). It is also useful as a standalone learning resource and reference guide for mobile application security testers.<br />
# The [https://www.owasp.org/images/6/6f/Mobile_App_Security_Checklist_0.9.2.xlsx Mobile App Security Checklist] can be used to apply the MASVS requirements during practical assessments. It also conveniently links to the MSTG test case for each requirement, making mobile penetration testing a breeze.<br />
<br />
It is important to note that the security standard, testing guide and checklists are closely related: They all map to the same basic set of requirements. Depending on the context, the documents can be used stand-alone or in combination to achieve different objectives.<br />
<br />
[[File:Overview-800px.jpg]]<br />
<br />
For example, the MASVS requirements may be used in the planning and architecture design stages, while the checklist and testing guide may serve as a baseline for manual security testing or as a template for automated security tests.<br />
<br />
== Mobile App Security Testing ==<br />
<br />
The [https://www.owasp.org/images/9/94/Mobile_App_Security_Verification_Checklist_0.8.2.xlsx checklist] works great as a reference during mobile app security assessments. You can walk through the requirements one-by-one - for more information on each requirement, simply click on the link in the "Testing procedures" column. Or, fill out the checklist at the end of an assessment to ensure completeness. <br />
<br />
== Security Engineering in the SDLC ==<br />
<br />
Properly defined security requirements are an important part of the Secure SDLC. The [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf MASVS] levels can be used along with threat modeling to determine the appropriate set of security controls for a particular mobile app. MASVS V1 also lists requirements pertaining to the architecture and design of the mobile apps, as well as general processes and activities that should be part of the development process.<br />
<br />
== Mobile App Security Education ==<br />
<br />
The [https://github.com/OWASP/owasp-mstg Mobile Security Testing Guide] can be used as a standalone learning resource. Its main chapters contain general how-tos and tutorials that cover a variety of topics from mobile OS internals to advanced reverse engineering techniques.<br />
<br />
= Sponsorship Packages =<br />
With the Mobile Security Testing Guide sponsorship packages, we offer companies opportunities to create brand awareness and maximize visibility in the mobile security space. A limited amount of sponsorship packages will be made available shortly through our crowdfunding campaign. <br />
<br />
The following packages will be available (or [[:File:MSTG-Sponsor-Packages.pdf|download as PDF]] ):<br />
<br />
=== Good Samaritan (USD 500) ===<br />
* Listed as supporter on the project website and GitHub<br />
* Listed as supporter in the printed and ebook versions<br />
* 5 Paperback Books<br />
<br />
=== Honourable Benefactor (USD 2,000 / 10 Available) ===<br />
* Small company logo in the “Honourable Benefactors” section on project website and Github<br />
* Small company logo on the sponsors page of the printed and ebook versions<br />
* 10 Paperback Books<br />
<br />
=== God Mode Sponsor (USD 4,000 / 5 Available) ===<br />
* Large company logo in the “God mode sponsors” section on project website and Github<br />
* Large company logo on the sponsors page of the printed and ebook versions<br />
* 20 Paperback Books<br />
<br />
== Pre-book a package ==<br />
Contact [mailto:bernhard&#x5B;dot&#x5D;mueller&#x5B;at&#x5D;owasp&#x5B;dot&#x5D;org Bernhard Mueller] to reserve your slot. We will contact you as soon as the packages become available.<br />
<br />
==Why Sponsors?==<br />
<br />
As it turns out, writing a book to a professional standard is a challenging task, even more so if there's 50+ authors that aren't necessarily native speakers. Also, professional editors, graphic designers and layouters don't work for free. Thus, some funds are needed to make the tech book a reality.<br />
<br />
100% of the funds raised k go directly into the project budget and will be used to fund production of the final release, including:<br />
<br />
- Editing and proofreading by professional editors<br />
- Graphic design and layout<br />
- Purchase an ISBN<br />
<br />
Any leftover funds will be donated to the OWASP Foundation for use in the mobile security project.<br />
<br />
=News=<br />
<br />
== July 5th, 2017: Sponsorship Packages Announced == <br />
<br />
We are happy to announce that a limited amount of sponsorship packages will be made available shortly through our crowdfunding campaign. With these packages, we offer companies opportunities to create brand awareness and maximize visibility in the mobile security space. The funds raised<br />
<br />
== June 17th, 2017: The OWASP Mobile Security Testing Guide - Summit Preview ==<br />
<br />
The MSTG Summit Preview is an experimental proof-of-concept book created on the OWASP Summit 2017 in London. The goal was to improve the authoring process and book deployment pipeline, as well as to demonstrate the viability of the project. Note that the content is not final and will likely change significantly in subsequent releases.<br />
<br />
Download the ebook [https://github.com/OWASP/owasp-mstg/releases/download/1.0/owasp-mstg-summit-edition.epub here].<br />
<br />
== Mobile Security Testing Workshop on the OWASP Summit 2017 ==<br />
<br />
The OWASP MSTG team is organizing a 5-days mobile security track on the OWASP Summit 2017. The track consists of a series of book sprints, each of which focuses on producing content for a specific section in the OWASP MSTG, as well as proof-reading and editing the existing content. The goal is to make as much progress on the guide as is humanly possible. Depending on the number of participants, we’ll split into sub-groups to work on different subsections or topic areas.<br />
<br />
=== How to Join ===<br />
<br />
Join up for the working session(s) you like by following the link(s) on the [http://owaspsummit.org/Working-Sessions/Mobile-Security/ mobile security track page], then hitting the "Edit this page here" link at the bottom, and adding yourself to the "participants" field. Signing up is not mandatory, but helps us to better organize the sessions. Don’t worry though if your session of choice happens on the "wrong" day - you can always simply stop by and we’ll brief you on your topic of choice. After all, this is the Woodstock of appsec!<br />
<br />
Mobile security track main page:<br />
<br />
http://owaspsummit.org/Working-Sessions/Mobile-Security/<br />
<br />
Mobile security track schedule:<br />
<br />
http://owaspsummit.org/schedule/tracks/Mobile-Security.html/<br />
<br />
== April 5th, 2017: Mobile App Security Verification Standard Update ==<br />
<br />
[https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf Version 0.9.3] of the MASVS is now [https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf available for download] . This release contains several bug fixes and modifications to security requirements:<br />
<br />
* Merged requirements 7.8 and 7.9 into for simplification<br />
* Removed Anti-RE controls 8.1 and 8.2<br />
* Updated MSTG links to current master<br />
* Section "Environmental Interaction" renamed to "Platform Interaction"<br />
* Removed To-dos<br />
* Fixed some wording & spelling issues<br />
<br />
== January 31st, 2017: Mobile App Security Verification Standard v0.9.2 Available For Download ==<br />
<br />
The Mobile App Security Verification Standard (MASVS) has undergone a major revision, including a re-design of the security model and verification levels. We also revised many security requirements to address the multitude of [https://github.com/OWASP/owasp-masvs/issues?q=is%3Aissue%20 issues raised on GitHub]. The result is MASVS v0.9.2, which is now [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf available for download in PDF format].<br />
<br />
As the MASVS is nearing maturity, we have decided to freeze the requirements until the Mobile Testing Guide and checklists "catch up" (due to the one-to-one mapping between requirements in the MASVS and MSTG, changes to the requirements make it necessary to update the other documents as well, causing repeated effort). Unless major issues pop up, the current list will therefore remain in place until MASVS/MSTG v1.0, and further changes will be reserved for v1.1 or later releases.<br />
<br />
The MASVS is a community effort to establish security requirements for designing, developing and testing secure mobile apps on iOS and Android. Join the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel] to meet the project members! You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
== January 28th, 2017: Mobile Crackmes and Reversing Tutorials ==<br />
{| cellpadding="5"<br />
|-<br />
| [[File:uncrackable-250.png|link=]]<br />
| <br />
A key goal of the OWASP Mobile Testing Project is to build the ultimate learning resource and reference guide for mobile app reversers. As hands-on hacking is by far the best way to learn, we'd like to link most of the content to practical examples. <br />
<br />
Starting now, we'll be adding [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes crackmes for Android and iOS] to the [https://github.com/OWASP/owasp-mstg GitHub repo] that will then be used as examples throughout the guide. The goal is to collect enough resources for demonstrating the most important tools and techniques in our guide, plus additional crackmes for practicing. For starters there are three challenges:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/OMTG-Files/02_Crackmes/01_Android/01_License_Validation Android License Validator]<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes/iOS/Level_01/ Uncrackable App for iOS Level 1]<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes/iOS/Level_02/ Uncrackable App for iOS Level 2]<br />
<br />
|}<br />
<br />
One of these three already has a [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md#symbolicexec documented solution] in the guide. Tutorials for solving the other two [https://github.com/OWASP/owasp-mstg/blob/master/OMTG-Files/02_Crackmes/List_of_Crackmes.md still need to be added].<br />
<br />
=== We Need More Authors and Contributors! ===<br />
<br />
Maybe you have noticed that [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html the reverse engineering sections in the Mobile Testing Guide are incomplete]. The reason: We're still in the starting stages and don't have a lot of authors and contributors (in fact, 99% of the reversing content was produced by one guy). We'd love to welcome *you* as a contributor of crackmes, tutorials, writeups, or simply new ideas for this project. <br />
<br />
==== What You Can Do ====<br />
<br />
The OWASP MSTG is an open project and there's a lot of flexibility - it mostly depends on your skill set and willingness to commit your time. That said, the some areas that need help are:<br />
<br />
* Solving crackmes and contributing a tutorial to the guide (preferable a technique that's not already documented. Check the [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html TOC] first).<br />
* Writing and adding new crackmes along with solutions (should also describe something not already in the guide. Cracking white-boxes, dynamic analysis using an emulator / introspection, etc. etc.).<br />
* General reversing write-ups to describe specific processes and techniques<br />
* Help us figure out [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x07b-Assessing_Software_Protections.md resiliency testing processes] and [https://github.com/b-mueller/obfuscation-metrics obfuscation metrics]<br />
<br />
The reversing part of the guide consists of the following chapters:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05-Testing-Processes-and-Techniques.md#tampering-and-reverse-engineering Tampering and Reverse Engineering - General Overview]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md#tampering-and-reverse-engineering-on-android Tampering and Reverse Engineering on Android]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Reverse-Engineering-and-Tampering-iOS.md#tampering-and-reverse-engineering-on-ios Tampering and Reverse Engineering on iOS]<br />
<br />
==== How To Join ====<br />
<br />
Read the [https://github.com/OWASP/owasp-mstg/blob/master/authors_guide.md author's guide] first, and join the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel], where you'll find all the other project members. You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
== January 22nd, 2017: Mobile Testing Guide TOC Available ==<br />
<br />
As of now, we'll be auto-generating a [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html table of contents] out of the current MSTG master branch. This reflects the current state of the guide, and should make it easier to coordinate work between authors. A short-term goal is to finalize the structure of the guide so we get a clearer picture of what will be included in the final document. Lead authors are encouraged to complete the outline of their respective chapters. <br />
<br />
'''On another note, we still need additional authors to help with all sections of the guide, including mobile operating system overviews, testing processes and techniques, and reverse engineering.''' Especially iOS authors are in short supply! As usual, ping us on the [https://owasp.slack.com/messages/project-mobile_omtg/details/ Slack Channel] if you want to contribute.<br />
<br />
== December 4th, 2016: Call For Authors: The Ultimate Open-Source Mobile App Reverse Engineering Guide ==<br />
<br />
Reverse engineering is an art, and describing every available facet of it would fill a whole library. The sheer range techniques and possible specializations is mind-blowing: One can spend years working on a very specific, isolated sub-problem, such as automating malware analysis or developing novel de-obfuscation methods. For mobile app security testers, it can be challenging to filter through the vast amount of information and build a working methodology. Things become even more problematic when one is tasked to assess apps that are heavily obfuscated and have anti-tampering measures built in.<br />
<br />
One of the main goals in the MSTG is to build the ultimate resource for mobile reverse engineers. This includes not only basic static and dynamic analysis, but also advanced de-obfuscation, scripting and automation. Obviously, writing all this content is a lot of work, both in terms of general content and OS-specific how-tos. We're therefore looking for talented authors that want to join the project early on. Topics include the following:<br />
<br />
* Basic Hybrid Static/Dynamic Analysis<br />
* Code Injection and Dynamic Instrumentation (Substrate, FRIDA)<br />
* Dynamic Binary Instrumentation (Valgrind, PIE)<br />
* Analysis Frameworks (Metasm / Miasm)<br />
* Symbolic Execution<br />
* DCA and DPA attacks on white-box crypto<br />
* Dynamic analysis frameworks (PANDA / DroidScope,...)<br />
* Anything else we might have missed<br />
<br />
=== What is in for me? ===<br />
<br />
All of this is unpaid, volunteer work. However, depending on your contribution, you will be named in the "lead authors" or "contributors" list, and you'll be able to point to the fact that you co-authored the guide. You'll also be contributing to the field, helping others who are just starting out, and in turn becoming a happier person yourself (reaping the full benefits of your altruism).<br />
<br />
=== Where do I sign up? ===<br />
<br />
First of all, have a look at the existing RE chapters outline:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05-Testing-Processes-and-Techniques.md#tampering-and-reverse-engineering Generic / Introduction]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md Android]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Reverse-Engineering-and-Tampering-iOS.md#tampering-and-reverse-engineering-on-ios iOS]<br />
<br />
You'll probably immediately have ideas on how you can contribute. If that's the case, read the [https://github.com/OWASP/owasp-mstg/blob/master/authors_guide.md author's guide] first. <br />
<br />
Then contact [https://github.com/b-mueller Bernhard Mueller] - ideally directly on the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel], where you'll find all the other project members. You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
=FAQs=<br />
<br />
==How can I participate in your project?==<br />
<br />
'''We are searching for additional authors, reviewers and editors.''' The best way to get started is to browse the [https://b-mueller.gitbooks.io/owasp-mobile-security-testing-guide/content/ existing content]. Also, check the [https://github.com/OWASP/owasp-mstg/projects/1 project dashboard] for a list of open tasks.<br />
<br />
Drop a us line on the [https://owasp.slack.com/messages/project-mobile_omtg/details/) Slack channel] before you start working on a topic. This helps us to keep track of what everyone is doing and prevent conflicts. You can create a Slack account here:<br />
<br />
http://owasp.herokuapp.com/<br />
<br />
Before you start contributing, please read our brief [https://github.com/OWASP/owasp-mstg/blob/master/style_guide.md style guide] which contains a few basic writing rules.<br />
<br />
If there's something you really want to see in the guide, or you want to suggest an improvement, create an issue [https://github.com/OWASP/owasp-mstg/issues issue] or ping us on [https://owasp.slack.com/messages/project-mobile_omtg/details/ Slack].<br />
<br />
==Where do you guys need help the most?==<br />
<br />
There's a lot of areas where you can help out:<br />
<br />
* Writing original content, such as describing testing processes and writing test cases. We're all doing this in our spare time, which unfortunately means that things sometimes slow down to a crawl. If you're knowledgeable in some area and have time available, we'd be incredibly thankful to anyone who contributes, even if it's only one or two test cases.<br />
<br />
* Reviewing content and giving feedback. The proper channel for questions and feedback is the GitHub issues system of the respective repo, contacting us on [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel] is another possibility.<br />
<br />
* Developing tools. For example, we still don't have an automated way of generating checklists out of the GitHub repo.<br />
<br />
* Contributing to auxiliary projects: The [https://github.com/b-mueller/obfuscation-metrics obfuscation metrics project] is an auxiliary project that deals with specific forms of control flow and data obfuscation. This project needs experts in advanced obfuscation / de-obfuscation. Please contact us if you have experience in this area.<br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator.<br />
<br />
==I contributed to the original Google Doc, but I'm not credited in the new version of the MSTG? ==<br />
As we migrated some of the existing content, we did our best to backtrack the original authors and credit them appropriately. We also added a [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x02-Frontispiece.md revision history] that lists all the authors from old Google Docs. If you are not on that list but feel you should be, please contact [https://github.com/b-mueller Bernhard] or [https://github.com/sushi2k Sven] and they'll fix it. Or better yet, re-join the author's team and start contributing to the new guide.<br />
<br />
= Acknowledgements =<br />
<br />
== Acknowledgments ==<br />
<br />
=== Authors ===<br />
<br />
====Bernhard Mueller ====<br />
<br />
Bernhard is a cyber security specialist with a talent in hacking all kinds of systems. During more than a decade in the industry, he has published many zero-day exploits for software such as MS SQL Server, Adobe Flash Player, IBM Director, Cisco VOIP and ModSecurity. If you can name it, he has probably broken it at least once. His pioneering work in mobile security was commended with a BlackHat "Best Research" Pwnie Award.<br />
<br />
==== Sven Schleier ====<br />
<br />
Sven is an experienced penetration tester and security architect who specialized in implementing secure SDLC for web application, iOS and Android apps. He is a project leader for the OWASP Mobile Security Testing Guide and the creator of OWASP Mobile Hacking Playground. Sven also supports the community with free hands-on workshops on web and mobile app security testing. He has published several security advisories and a white papers about a range of security topics.<br />
<br />
=== Co-Authors ===<br />
<br />
==== Romuald Szkudlarek ====<br />
<br />
Romuald is a passionate cyber security & privacy professional with over 15 years of experience in the Web, Mobile, IoT and Cloud domains. During his career, he has been dedicating spare time to a variery of projects with the goal of advancing the sectors of software and security. He is also teaching at various institutions. He holds CISSP, CSSLP and CEH credentials.<br />
<br />
==== Jeroen Willemsen ====<br />
<br />
Jeroen is a full-stack developer specialized in IT security at Xebia with a passion for mobile and risk management. He loves to explain things: starting as a teacher teaching PHP to bachelor students and then move along explaining security, risk management and programming issues to anyone willing to listen and learn.<br />
<br />
=== Top Contributors ===<br />
<br />
* Francesco Stillavato<br />
* Pawel Rzepa<br />
* Andreas Happe<br />
* Henry Hoggard<br />
* Wen Bin Kong<br />
* Abdessamad Temmar<br />
* Alexander Anthuk<br />
* Slawomir Kosowski<br />
* Bolot Kerimbaev<br />
<br />
=== Contributors ===<br />
<br />
Jin Kung Ong, Gerhard Wagner, Andreas Happe, Wen Bin Kong, Michael Helwig, Jeroen Willemsen, Denis Pilipchuk, Ryan Teoh, Dharshin De Silva, Anita Diamond, Daniel Ramirez Martin, Claudio André, Enrico Verzegnassi, Prathan Phongthiproek, Tom Welch, Luander Ribeiro, Oguzhan Topgul, Carlos Holguera, David Fern, Pishu Mahtani, Anuruddha<br />
<br />
=== Reviewers ===<br />
<br />
* Anant Shrivastava<br />
* Sjoerd Langkemper<br />
<br />
=== Others ===<br />
<br />
The full list of contributors, including those with less than 50 additions logged, is available on [https://github.com/OWASP/owasp-mstg/graphs/contributors GitHub].<br />
<br />
=== Old Version - MSTG "Beta" on Google Drive ===<br />
<br />
The Mobile Security Testing Guide was initiated by [https://www.owasp.org/index.php/User:Milan_Singh_Thakur Milan Singh Thakur] in 2015. The original document was hosted on Google Drive.<br />
<br />
'''Authors:'''<br />
<br />
Mirza Ali, Stephen Corbiaux, Ryan Dewhurst, Mohammad Hamed Dadpour, David Fern, Ali Yazdani, Bao Lee, Anto Joseph, Nutan Kumar Panda, Rahil Parikh, Julian Schütte, Abhinav Sejpal, Anant Shrivastava, Pragati Singh, Milan Singh Thakur, Stephanie Vanroelen, Gerhard Wagner<br />
<br />
'''Reviewers:'''<br />
<br />
Andrew Muller, Jonathan Carter, Stephanie Vanroelen, Milan Singh Thakur<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs></headertabs> <br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Builders]] <br />
[[Category:OWASP_Defenders]] <br />
[[Category:OWASP_Document]]</div>Bernhard Muellerhttps://wiki.owasp.org/index.php?title=OWASP_Mobile_Security_Testing_Guide&diff=231231OWASP Mobile Security Testing Guide2017-07-05T03:26:49Z<p>Bernhard Mueller: </p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_MSTG_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==Our Vision ==<br />
<br />
=== '''"Define the industry standard for mobile application security."''' ===<br />
<br />
We are writing a security standard for mobile apps and a comprehensive testing guide that covers the processes, techniques, and tools used during a mobile app security test, as well as an exhaustive set of test cases that enables testers to deliver consistent and complete results.<br />
<br />
== Early-Access Ebook ==<br />
<br />
{| cellpadding="5"<br />
|-<br />
| [[File:Early-access-mini.jpg|link=https://leanpub.com/mobile-security-testing-guide]]<br />
| '''Mobile Security Testing Guide - Early Access'''<br />
The early access edition contains sample chapters with content on mobile security testing and reverse engineering. Feel free to download it for $0 or contribute any amount you like. All funds raised through sales of this book go directly into the project budget and will be used to fund production of the final release.<br />
|}<br />
<br />
== Main Deliverables ==<br />
<br />
{| cellpadding="5"<br />
|-<br />
| [[File:mstg-mini-3.jpg|link=https://www.github.com/OWASP/owasp-mstg/]]<br />
| '''Mobile Security Testing Guide'''<br />
A comprehensive guide for iOS and Android mobile security testers with the following content:<br />
# Mobile platform internals<br />
# Security testing in the mobile app development lifecycle<br />
# Basic static and dynamic security testing<br />
# Mobile app reverse engineering and tampering<br />
# Assessing software protections<br />
# Detailed test cases that map to the requirements in the MASVS.<br />
The MSTG is a work-in-progress. Currently, we hope to be "feature-complete" in Q3 2017. You can contribute and comment in the [https://github.com/OWASP/owasp-mstg GitHub Repo]. A book version of the current master branch is available on [https://b-mueller.gitbooks.io/the-owasp-mobile-security-testing-guide/content/ Gitbook].<br />
|-<br />
| [[File:masvs-sample-mini.jpg|link=https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf]]<br />
| '''Mobile App Security Requirements and Verification'''<br />
The [https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf OWASP Mobile Application Security Verification Standard (MASVS)] is a standard for mobile app security. It can be used by mobile software architects and developers seeking to develop secure mobile applications, as well as security testers to ensure completeness and consistency of test results. The latest release is [https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf version 0.9.3].<br />
|-<br />
| [[File:checklist.jpg|link=https://www.owasp.org/images/1/1b/Mobile_App_Security_Checklist_0.9.3.xlsx]]<br />
| '''Mobile App Security Checklist'''<br />
A checklist for use in security assessments. Also contains links to the MSTG test case for each requirement. The current release is [https://www.owasp.org/images/1/1b/Mobile_App_Security_Checklist_0.9.3.xlsx version 0.9.3].<br />
|}<br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Breakers]] <br />
[[Category:OWASP_Document]]<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="center" width="50%" | [[File:Owasp-breakers-small.png|link=https://www.owasp.org/index.php/Breakers]]<br />
|<br />
|-<br />
| align="center" valign="center" width="50%" | <br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
== Project Leaders ==<br />
<br />
<span style="color:#ff0000"><br />
<br />
[https://www.owasp.org/index.php/User:Bernhard_Mueller Bernhard Mueller]<br />
<br />
[https://www.owasp.org/index.php/User:Sven_Schleier Sven Schleier]<br />
<br />
== Road Map ==<br />
<br />
* Q3 2017: Beta release<br />
* Q4 2017: Version 1.0<br />
* Q1 2018: Produce A Printable Book<br />
<br />
== Parent Project ==<br />
<br />
[[OWASP_Mobile_Security_Project]]<br />
<br />
==Licensing==<br />
<br />
The guide is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
|}<br />
<br />
=How-To=<br />
<br />
== Using the OWASP Mobile App Security Verification Standard, Testing Guide and Checklist ==<br />
<br />
The documents produced in this project cover many aspects of mobile application security, from the high-level requirements to the nitty-gritty implementation details and test cases. They can be used to plan and verify security controls during any phase of mobile app development, as well as during pre-release code review and penetration testing.<br />
<br />
# The [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf Mobile Application Security Verification Standard (MASVS)] contains generic security requirements along with mappings to verification levels that can be chosen depending on the overall need for security.<br />
# The [https://github.com/OWASP/owasp-mstg Mobile Security Testing Guide (MSTG)] provides verification instructions for each requirement in the MASVS, as well as security best practices for apps on each supported mobile operating system (currently Android and iOS). It is also useful as a standalone learning resource and reference guide for mobile application security testers.<br />
# The [https://www.owasp.org/images/6/6f/Mobile_App_Security_Checklist_0.9.2.xlsx Mobile App Security Checklist] can be used to apply the MASVS requirements during practical assessments. It also conveniently links to the MSTG test case for each requirement, making mobile penetration testing a breeze.<br />
<br />
It is important to note that the security standard, testing guide and checklists are closely related: They all map to the same basic set of requirements. Depending on the context, the documents can be used stand-alone or in combination to achieve different objectives.<br />
<br />
[[File:Overview-800px.jpg]]<br />
<br />
For example, the MASVS requirements may be used in the planning and architecture design stages, while the checklist and testing guide may serve as a baseline for manual security testing or as a template for automated security tests.<br />
<br />
== Mobile App Security Testing ==<br />
<br />
The [https://www.owasp.org/images/9/94/Mobile_App_Security_Verification_Checklist_0.8.2.xlsx checklist] works great as a reference during mobile app security assessments. You can walk through the requirements one-by-one - for more information on each requirement, simply click on the link in the "Testing procedures" column. Or, fill out the checklist at the end of an assessment to ensure completeness. <br />
<br />
== Security Engineering in the SDLC ==<br />
<br />
Properly defined security requirements are an important part of the Secure SDLC. The [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf MASVS] levels can be used along with threat modeling to determine the appropriate set of security controls for a particular mobile app. MASVS V1 also lists requirements pertaining to the architecture and design of the mobile apps, as well as general processes and activities that should be part of the development process.<br />
<br />
== Mobile App Security Education ==<br />
<br />
The [https://github.com/OWASP/owasp-mstg Mobile Security Testing Guide] can be used as a standalone learning resource. Its main chapters contain general how-tos and tutorials that cover a variety of topics from mobile OS internals to advanced reverse engineering techniques.<br />
<br />
= Sponsorship Packages =<br />
With the Mobile Security Testing Guide sponsorship packages, we offer companies opportunities to create brand awareness and maximize visibility in the mobile security space. A limited amount of sponsorship packages will be made available shortly through our crowdfunding campaign. <br />
<br />
==Why Sponsors?==<br />
<br />
As it turns out, writing a book to a professional standard is a challenging task, even more so if there's 50+ authors that aren't necessarily native speakers. Also, professional editors, graphic designers and layouters don't work for free. Thus, some funds are needed to make the tech book a reality.<br />
<br />
100% of the funds raised k go directly into the project budget and will be used to fund production of the final release, including:<br />
<br />
- Editing and proofreading by professional editors<br />
- Graphic design and layout<br />
- Purchase an ISBN<br />
<br />
Any leftover funds will be donated to the OWASP Foundation for use in the mobile security project.<br />
<br />
The following packages will be available (or [[:File:MSTG-Sponsor-Packages.pdf|download as PDF]] ):<br />
<br />
=== Good Samaritan (USD 500) ===<br />
* Listed as supporter on the project website and GitHub<br />
* Listed as supporter in the printed and ebook versions<br />
* 5 Paperback Books<br />
<br />
=== Honourable Benefactor (USD 2,000 / 10 Available) ===<br />
* Small company logo in the “Honourable Benefactors” section on project website and Github<br />
* Small company logo on the sponsors page of the printed and ebook versions<br />
* 10 Paperback Books<br />
<br />
=== God Mode Sponsor (USD 4,000 / 5 Available) ===<br />
* Large company logo in the “God mode sponsors” section on project website and Github<br />
* Large company logo on the sponsors page of the printed and ebook versions<br />
* 20 Paperback Books<br />
<br />
== Pre-book a package ==<br />
Contact [mailto:bernhard&#x5B;dot&#x5D;mueller&#x5B;at&#x5D;owasp&#x5B;dot&#x5D;org Bernhard Mueller] to reserve your slot. We will contact you as soon as the packages become available.<br />
<br />
=News=<br />
<br />
== July 5th, 2017: Sponsorship Packages Announced == <br />
<br />
We are happy to announce that a limited amount of sponsorship packages will be made available shortly through our crowdfunding campaign. With these packages, we offer companies opportunities to create brand awareness and maximize visibility in the mobile security space. The funds raised<br />
<br />
== June 17th, 2017: The OWASP Mobile Security Testing Guide - Summit Preview ==<br />
<br />
The MSTG Summit Preview is an experimental proof-of-concept book created on the OWASP Summit 2017 in London. The goal was to improve the authoring process and book deployment pipeline, as well as to demonstrate the viability of the project. Note that the content is not final and will likely change significantly in subsequent releases.<br />
<br />
Download the ebook [https://github.com/OWASP/owasp-mstg/releases/download/1.0/owasp-mstg-summit-edition.epub here].<br />
<br />
== Mobile Security Testing Workshop on the OWASP Summit 2017 ==<br />
<br />
The OWASP MSTG team is organizing a 5-days mobile security track on the OWASP Summit 2017. The track consists of a series of book sprints, each of which focuses on producing content for a specific section in the OWASP MSTG, as well as proof-reading and editing the existing content. The goal is to make as much progress on the guide as is humanly possible. Depending on the number of participants, we’ll split into sub-groups to work on different subsections or topic areas.<br />
<br />
=== How to Join ===<br />
<br />
Join up for the working session(s) you like by following the link(s) on the [http://owaspsummit.org/Working-Sessions/Mobile-Security/ mobile security track page], then hitting the "Edit this page here" link at the bottom, and adding yourself to the "participants" field. Signing up is not mandatory, but helps us to better organize the sessions. Don’t worry though if your session of choice happens on the "wrong" day - you can always simply stop by and we’ll brief you on your topic of choice. After all, this is the Woodstock of appsec!<br />
<br />
Mobile security track main page:<br />
<br />
http://owaspsummit.org/Working-Sessions/Mobile-Security/<br />
<br />
Mobile security track schedule:<br />
<br />
http://owaspsummit.org/schedule/tracks/Mobile-Security.html/<br />
<br />
== April 5th, 2017: Mobile App Security Verification Standard Update ==<br />
<br />
[https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf Version 0.9.3] of the MASVS is now [https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf available for download] . This release contains several bug fixes and modifications to security requirements:<br />
<br />
* Merged requirements 7.8 and 7.9 into for simplification<br />
* Removed Anti-RE controls 8.1 and 8.2<br />
* Updated MSTG links to current master<br />
* Section "Environmental Interaction" renamed to "Platform Interaction"<br />
* Removed To-dos<br />
* Fixed some wording & spelling issues<br />
<br />
== January 31st, 2017: Mobile App Security Verification Standard v0.9.2 Available For Download ==<br />
<br />
The Mobile App Security Verification Standard (MASVS) has undergone a major revision, including a re-design of the security model and verification levels. We also revised many security requirements to address the multitude of [https://github.com/OWASP/owasp-masvs/issues?q=is%3Aissue%20 issues raised on GitHub]. The result is MASVS v0.9.2, which is now [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf available for download in PDF format].<br />
<br />
As the MASVS is nearing maturity, we have decided to freeze the requirements until the Mobile Testing Guide and checklists "catch up" (due to the one-to-one mapping between requirements in the MASVS and MSTG, changes to the requirements make it necessary to update the other documents as well, causing repeated effort). Unless major issues pop up, the current list will therefore remain in place until MASVS/MSTG v1.0, and further changes will be reserved for v1.1 or later releases.<br />
<br />
The MASVS is a community effort to establish security requirements for designing, developing and testing secure mobile apps on iOS and Android. Join the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel] to meet the project members! You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
== January 28th, 2017: Mobile Crackmes and Reversing Tutorials ==<br />
{| cellpadding="5"<br />
|-<br />
| [[File:uncrackable-250.png|link=]]<br />
| <br />
A key goal of the OWASP Mobile Testing Project is to build the ultimate learning resource and reference guide for mobile app reversers. As hands-on hacking is by far the best way to learn, we'd like to link most of the content to practical examples. <br />
<br />
Starting now, we'll be adding [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes crackmes for Android and iOS] to the [https://github.com/OWASP/owasp-mstg GitHub repo] that will then be used as examples throughout the guide. The goal is to collect enough resources for demonstrating the most important tools and techniques in our guide, plus additional crackmes for practicing. For starters there are three challenges:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/OMTG-Files/02_Crackmes/01_Android/01_License_Validation Android License Validator]<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes/iOS/Level_01/ Uncrackable App for iOS Level 1]<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes/iOS/Level_02/ Uncrackable App for iOS Level 2]<br />
<br />
|}<br />
<br />
One of these three already has a [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md#symbolicexec documented solution] in the guide. Tutorials for solving the other two [https://github.com/OWASP/owasp-mstg/blob/master/OMTG-Files/02_Crackmes/List_of_Crackmes.md still need to be added].<br />
<br />
=== We Need More Authors and Contributors! ===<br />
<br />
Maybe you have noticed that [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html the reverse engineering sections in the Mobile Testing Guide are incomplete]. The reason: We're still in the starting stages and don't have a lot of authors and contributors (in fact, 99% of the reversing content was produced by one guy). We'd love to welcome *you* as a contributor of crackmes, tutorials, writeups, or simply new ideas for this project. <br />
<br />
==== What You Can Do ====<br />
<br />
The OWASP MSTG is an open project and there's a lot of flexibility - it mostly depends on your skill set and willingness to commit your time. That said, the some areas that need help are:<br />
<br />
* Solving crackmes and contributing a tutorial to the guide (preferable a technique that's not already documented. Check the [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html TOC] first).<br />
* Writing and adding new crackmes along with solutions (should also describe something not already in the guide. Cracking white-boxes, dynamic analysis using an emulator / introspection, etc. etc.).<br />
* General reversing write-ups to describe specific processes and techniques<br />
* Help us figure out [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x07b-Assessing_Software_Protections.md resiliency testing processes] and [https://github.com/b-mueller/obfuscation-metrics obfuscation metrics]<br />
<br />
The reversing part of the guide consists of the following chapters:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05-Testing-Processes-and-Techniques.md#tampering-and-reverse-engineering Tampering and Reverse Engineering - General Overview]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md#tampering-and-reverse-engineering-on-android Tampering and Reverse Engineering on Android]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Reverse-Engineering-and-Tampering-iOS.md#tampering-and-reverse-engineering-on-ios Tampering and Reverse Engineering on iOS]<br />
<br />
==== How To Join ====<br />
<br />
Read the [https://github.com/OWASP/owasp-mstg/blob/master/authors_guide.md author's guide] first, and join the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel], where you'll find all the other project members. You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
== January 22nd, 2017: Mobile Testing Guide TOC Available ==<br />
<br />
As of now, we'll be auto-generating a [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html table of contents] out of the current MSTG master branch. This reflects the current state of the guide, and should make it easier to coordinate work between authors. A short-term goal is to finalize the structure of the guide so we get a clearer picture of what will be included in the final document. Lead authors are encouraged to complete the outline of their respective chapters. <br />
<br />
'''On another note, we still need additional authors to help with all sections of the guide, including mobile operating system overviews, testing processes and techniques, and reverse engineering.''' Especially iOS authors are in short supply! As usual, ping us on the [https://owasp.slack.com/messages/project-mobile_omtg/details/ Slack Channel] if you want to contribute.<br />
<br />
== December 4th, 2016: Call For Authors: The Ultimate Open-Source Mobile App Reverse Engineering Guide ==<br />
<br />
Reverse engineering is an art, and describing every available facet of it would fill a whole library. The sheer range techniques and possible specializations is mind-blowing: One can spend years working on a very specific, isolated sub-problem, such as automating malware analysis or developing novel de-obfuscation methods. For mobile app security testers, it can be challenging to filter through the vast amount of information and build a working methodology. Things become even more problematic when one is tasked to assess apps that are heavily obfuscated and have anti-tampering measures built in.<br />
<br />
One of the main goals in the MSTG is to build the ultimate resource for mobile reverse engineers. This includes not only basic static and dynamic analysis, but also advanced de-obfuscation, scripting and automation. Obviously, writing all this content is a lot of work, both in terms of general content and OS-specific how-tos. We're therefore looking for talented authors that want to join the project early on. Topics include the following:<br />
<br />
* Basic Hybrid Static/Dynamic Analysis<br />
* Code Injection and Dynamic Instrumentation (Substrate, FRIDA)<br />
* Dynamic Binary Instrumentation (Valgrind, PIE)<br />
* Analysis Frameworks (Metasm / Miasm)<br />
* Symbolic Execution<br />
* DCA and DPA attacks on white-box crypto<br />
* Dynamic analysis frameworks (PANDA / DroidScope,...)<br />
* Anything else we might have missed<br />
<br />
=== What is in for me? ===<br />
<br />
All of this is unpaid, volunteer work. However, depending on your contribution, you will be named in the "lead authors" or "contributors" list, and you'll be able to point to the fact that you co-authored the guide. You'll also be contributing to the field, helping others who are just starting out, and in turn becoming a happier person yourself (reaping the full benefits of your altruism).<br />
<br />
=== Where do I sign up? ===<br />
<br />
First of all, have a look at the existing RE chapters outline:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05-Testing-Processes-and-Techniques.md#tampering-and-reverse-engineering Generic / Introduction]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md Android]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Reverse-Engineering-and-Tampering-iOS.md#tampering-and-reverse-engineering-on-ios iOS]<br />
<br />
You'll probably immediately have ideas on how you can contribute. If that's the case, read the [https://github.com/OWASP/owasp-mstg/blob/master/authors_guide.md author's guide] first. <br />
<br />
Then contact [https://github.com/b-mueller Bernhard Mueller] - ideally directly on the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel], where you'll find all the other project members. You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
=FAQs=<br />
<br />
==How can I participate in your project?==<br />
<br />
'''We are searching for additional authors, reviewers and editors.''' The best way to get started is to browse the [https://b-mueller.gitbooks.io/owasp-mobile-security-testing-guide/content/ existing content]. Also, check the [https://github.com/OWASP/owasp-mstg/projects/1 project dashboard] for a list of open tasks.<br />
<br />
Drop a us line on the [https://owasp.slack.com/messages/project-mobile_omtg/details/) Slack channel] before you start working on a topic. This helps us to keep track of what everyone is doing and prevent conflicts. You can create a Slack account here:<br />
<br />
http://owasp.herokuapp.com/<br />
<br />
Before you start contributing, please read our brief [https://github.com/OWASP/owasp-mstg/blob/master/style_guide.md style guide] which contains a few basic writing rules.<br />
<br />
If there's something you really want to see in the guide, or you want to suggest an improvement, create an issue [https://github.com/OWASP/owasp-mstg/issues issue] or ping us on [https://owasp.slack.com/messages/project-mobile_omtg/details/ Slack].<br />
<br />
==Where do you guys need help the most?==<br />
<br />
There's a lot of areas where you can help out:<br />
<br />
* Writing original content, such as describing testing processes and writing test cases. We're all doing this in our spare time, which unfortunately means that things sometimes slow down to a crawl. If you're knowledgeable in some area and have time available, we'd be incredibly thankful to anyone who contributes, even if it's only one or two test cases.<br />
<br />
* Reviewing content and giving feedback. The proper channel for questions and feedback is the GitHub issues system of the respective repo, contacting us on [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel] is another possibility.<br />
<br />
* Developing tools. For example, we still don't have an automated way of generating checklists out of the GitHub repo.<br />
<br />
* Contributing to auxiliary projects: The [https://github.com/b-mueller/obfuscation-metrics obfuscation metrics project] is an auxiliary project that deals with specific forms of control flow and data obfuscation. This project needs experts in advanced obfuscation / de-obfuscation. Please contact us if you have experience in this area.<br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator.<br />
<br />
==I contributed to the original Google Doc, but I'm not credited in the new version of the MSTG? ==<br />
As we migrated some of the existing content, we did our best to backtrack the original authors and credit them appropriately. We also added a [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x02-Frontispiece.md revision history] that lists all the authors from old Google Docs. If you are not on that list but feel you should be, please contact [https://github.com/b-mueller Bernhard] or [https://github.com/sushi2k Sven] and they'll fix it. Or better yet, re-join the author's team and start contributing to the new guide.<br />
<br />
= Acknowledgements =<br />
<br />
== Acknowledgments ==<br />
<br />
=== Authors ===<br />
<br />
====Bernhard Mueller ====<br />
<br />
Bernhard is a cyber security specialist with a talent in hacking all kinds of systems. During more than a decade in the industry, he has published many zero-day exploits for software such as MS SQL Server, Adobe Flash Player, IBM Director, Cisco VOIP and ModSecurity. If you can name it, he has probably broken it at least once. His pioneering work in mobile security was commended with a BlackHat "Best Research" Pwnie Award.<br />
<br />
==== Sven Schleier ====<br />
<br />
Sven is an experienced penetration tester and security architect who specialized in implementing secure SDLC for web application, iOS and Android apps. He is a project leader for the OWASP Mobile Security Testing Guide and the creator of OWASP Mobile Hacking Playground. Sven also supports the community with free hands-on workshops on web and mobile app security testing. He has published several security advisories and a white papers about a range of security topics.<br />
<br />
=== Co-Authors ===<br />
<br />
==== Romuald Szkudlarek ====<br />
<br />
Romuald is a passionate cyber security & privacy professional with over 15 years of experience in the Web, Mobile, IoT and Cloud domains. During his career, he has been dedicating spare time to a variery of projects with the goal of advancing the sectors of software and security. He is also teaching at various institutions. He holds CISSP, CSSLP and CEH credentials.<br />
<br />
==== Jeroen Willemsen ====<br />
<br />
Jeroen is a full-stack developer specialized in IT security at Xebia with a passion for mobile and risk management. He loves to explain things: starting as a teacher teaching PHP to bachelor students and then move along explaining security, risk management and programming issues to anyone willing to listen and learn.<br />
<br />
=== Top Contributors ===<br />
<br />
* Francesco Stillavato<br />
* Pawel Rzepa<br />
* Andreas Happe<br />
* Henry Hoggard<br />
* Wen Bin Kong<br />
* Abdessamad Temmar<br />
* Alexander Anthuk<br />
* Slawomir Kosowski<br />
* Bolot Kerimbaev<br />
<br />
=== Contributors ===<br />
<br />
Jin Kung Ong, Gerhard Wagner, Andreas Happe, Wen Bin Kong, Michael Helwig, Jeroen Willemsen, Denis Pilipchuk, Ryan Teoh, Dharshin De Silva, Anita Diamond, Daniel Ramirez Martin, Claudio André, Enrico Verzegnassi, Prathan Phongthiproek, Tom Welch, Luander Ribeiro, Oguzhan Topgul, Carlos Holguera, David Fern, Pishu Mahtani, Anuruddha<br />
<br />
=== Reviewers ===<br />
<br />
* Anant Shrivastava<br />
* Sjoerd Langkemper<br />
<br />
=== Others ===<br />
<br />
The full list of contributors, including those with less than 50 additions logged, is available on [https://github.com/OWASP/owasp-mstg/graphs/contributors GitHub].<br />
<br />
=== Old Version - MSTG "Beta" on Google Drive ===<br />
<br />
The Mobile Security Testing Guide was initiated by [https://www.owasp.org/index.php/User:Milan_Singh_Thakur Milan Singh Thakur] in 2015. The original document was hosted on Google Drive.<br />
<br />
'''Authors:'''<br />
<br />
Mirza Ali, Stephen Corbiaux, Ryan Dewhurst, Mohammad Hamed Dadpour, David Fern, Ali Yazdani, Bao Lee, Anto Joseph, Nutan Kumar Panda, Rahil Parikh, Julian Schütte, Abhinav Sejpal, Anant Shrivastava, Pragati Singh, Milan Singh Thakur, Stephanie Vanroelen, Gerhard Wagner<br />
<br />
'''Reviewers:'''<br />
<br />
Andrew Muller, Jonathan Carter, Stephanie Vanroelen, Milan Singh Thakur<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs></headertabs> <br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Builders]] <br />
[[Category:OWASP_Defenders]] <br />
[[Category:OWASP_Document]]</div>Bernhard Muellerhttps://wiki.owasp.org/index.php?title=OWASP_Mobile_Security_Testing_Guide&diff=231230OWASP Mobile Security Testing Guide2017-07-05T03:19:38Z<p>Bernhard Mueller: </p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_MSTG_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==Our Vision ==<br />
<br />
=== '''"Define the industry standard for mobile application security."''' ===<br />
<br />
We are writing a security standard for mobile apps and a comprehensive testing guide that covers the processes, techniques, and tools used during a mobile app security test, as well as an exhaustive set of test cases that enables testers to deliver consistent and complete results.<br />
<br />
== Early-Access Ebook ==<br />
<br />
{| cellpadding="5"<br />
|-<br />
| [[File:Early-access-mini.jpg|link=https://leanpub.com/mobile-security-testing-guide]]<br />
| '''Mobile Security Testing Guide - Early Access'''<br />
The early access edition contains sample chapters with content on mobile security testing and reverse engineering. Feel free to download it for $0 or contribute any amount you like. All funds raised through sales of this book go directly into the project budget and will be used to fund production of the final release.<br />
|}<br />
<br />
== Main Deliverables ==<br />
<br />
{| cellpadding="5"<br />
|-<br />
| [[File:mstg-mini-3.jpg|link=https://www.github.com/OWASP/owasp-mstg/]]<br />
| '''Mobile Security Testing Guide'''<br />
A comprehensive guide for iOS and Android mobile security testers with the following content:<br />
# Mobile platform internals<br />
# Security testing in the mobile app development lifecycle<br />
# Basic static and dynamic security testing<br />
# Mobile app reverse engineering and tampering<br />
# Assessing software protections<br />
# Detailed test cases that map to the requirements in the MASVS.<br />
The MSTG is a work-in-progress. Currently, we hope to be "feature-complete" in Q3 2017. You can contribute and comment in the [https://github.com/OWASP/owasp-mstg GitHub Repo]. A book version of the current master branch is available on [https://b-mueller.gitbooks.io/the-owasp-mobile-security-testing-guide/content/ Gitbook].<br />
|-<br />
| [[File:masvs-sample-mini.jpg|link=https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf]]<br />
| '''Mobile App Security Requirements and Verification'''<br />
The [https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf OWASP Mobile Application Security Verification Standard (MASVS)] is a standard for mobile app security. It can be used by mobile software architects and developers seeking to develop secure mobile applications, as well as security testers to ensure completeness and consistency of test results. The latest release is [https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf version 0.9.3].<br />
|-<br />
| [[File:checklist.jpg|link=https://www.owasp.org/images/1/1b/Mobile_App_Security_Checklist_0.9.3.xlsx]]<br />
| '''Mobile App Security Checklist'''<br />
A checklist for use in security assessments. Also contains links to the MSTG test case for each requirement. The current release is [https://www.owasp.org/images/1/1b/Mobile_App_Security_Checklist_0.9.3.xlsx version 0.9.3].<br />
|}<br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Breakers]] <br />
[[Category:OWASP_Document]]<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="center" width="50%" | [[File:Owasp-breakers-small.png|link=https://www.owasp.org/index.php/Breakers]]<br />
|<br />
|-<br />
| align="center" valign="center" width="50%" | <br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
== Project Leaders ==<br />
<br />
<span style="color:#ff0000"><br />
<br />
[https://www.owasp.org/index.php/User:Bernhard_Mueller Bernhard Mueller]<br />
<br />
[https://www.owasp.org/index.php/User:Sven_Schleier Sven Schleier]<br />
<br />
== Road Map ==<br />
<br />
* Q3 2017: Beta release<br />
* Q4 2017: Version 1.0<br />
* Q1 2018: Produce A Printable Book<br />
<br />
== Parent Project ==<br />
<br />
[[OWASP_Mobile_Security_Project]]<br />
<br />
==Licensing==<br />
<br />
The guide is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
|}<br />
<br />
=How-To=<br />
<br />
== Using the OWASP Mobile App Security Verification Standard, Testing Guide and Checklist ==<br />
<br />
The documents produced in this project cover many aspects of mobile application security, from the high-level requirements to the nitty-gritty implementation details and test cases. They can be used to plan and verify security controls during any phase of mobile app development, as well as during pre-release code review and penetration testing.<br />
<br />
# The [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf Mobile Application Security Verification Standard (MASVS)] contains generic security requirements along with mappings to verification levels that can be chosen depending on the overall need for security.<br />
# The [https://github.com/OWASP/owasp-mstg Mobile Security Testing Guide (MSTG)] provides verification instructions for each requirement in the MASVS, as well as security best practices for apps on each supported mobile operating system (currently Android and iOS). It is also useful as a standalone learning resource and reference guide for mobile application security testers.<br />
# The [https://www.owasp.org/images/6/6f/Mobile_App_Security_Checklist_0.9.2.xlsx Mobile App Security Checklist] can be used to apply the MASVS requirements during practical assessments. It also conveniently links to the MSTG test case for each requirement, making mobile penetration testing a breeze.<br />
<br />
It is important to note that the security standard, testing guide and checklists are closely related: They all map to the same basic set of requirements. Depending on the context, the documents can be used stand-alone or in combination to achieve different objectives.<br />
<br />
[[File:Overview-800px.jpg]]<br />
<br />
For example, the MASVS requirements may be used in the planning and architecture design stages, while the checklist and testing guide may serve as a baseline for manual security testing or as a template for automated security tests.<br />
<br />
== Mobile App Security Testing ==<br />
<br />
The [https://www.owasp.org/images/9/94/Mobile_App_Security_Verification_Checklist_0.8.2.xlsx checklist] works great as a reference during mobile app security assessments. You can walk through the requirements one-by-one - for more information on each requirement, simply click on the link in the "Testing procedures" column. Or, fill out the checklist at the end of an assessment to ensure completeness. <br />
<br />
== Security Engineering in the SDLC ==<br />
<br />
Properly defined security requirements are an important part of the Secure SDLC. The [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf MASVS] levels can be used along with threat modeling to determine the appropriate set of security controls for a particular mobile app. MASVS V1 also lists requirements pertaining to the architecture and design of the mobile apps, as well as general processes and activities that should be part of the development process.<br />
<br />
== Mobile App Security Education ==<br />
<br />
The [https://github.com/OWASP/owasp-mstg Mobile Security Testing Guide] can be used as a standalone learning resource. Its main chapters contain general how-tos and tutorials that cover a variety of topics from mobile OS internals to advanced reverse engineering techniques.<br />
<br />
= Sponsorship Packages =<br />
With the Mobile Security Testing Guide sponsorship packages, we offer companies opportunities to create brand awareness and maximize visibility in the mobile security space. A limited amount of sponsorship packages will be made available shortly through our crowdfunding campaign. <br />
<br />
The following packages will be available (or [[:File:MSTG-Sponsor-Packages.pdf|download as PDF]] ):<br />
<br />
=== Good Samaritan (USD 500) ===<br />
* Listed as supporter on the project website and GitHub<br />
* Listed as supporter in the printed and ebook versions<br />
* 5 Paperback Books<br />
<br />
=== Honourable Benefactor (USD 2,000 / 10 Available) ===<br />
* Small company logo in the “Honourable Benefactors” section on project website and Github<br />
* Small company logo on the sponsors page of the printed and ebook versions<br />
* 10 Paperback Books<br />
<br />
=== God Mode Sponsor (USD 4,000 / 5 Available) ===<br />
* Large company logo in the “God mode sponsors” section on project website and Github<br />
* Large company logo on the sponsors page of the printed and ebook versions<br />
* 20 Paperback Books<br />
<br />
== Pre-book a package ==<br />
Contact [mailto:bernhard&#x5B;dot&#x5D;mueller&#x5B;at&#x5D;owasp&#x5B;dot&#x5D;org Bernhard Mueller] to reserve your slot. We will contact you as soon as the packages become available.<br />
<br />
=News=<br />
<br />
== June 17th, 2017: The OWASP Mobile Security Testing Guide - Summit Preview ==<br />
<br />
The MSTG Summit Preview is an experimental proof-of-concept book created on the OWASP Summit 2017 in London. The goal was to improve the authoring process and book deployment pipeline, as well as to demonstrate the viability of the project. Note that the content is not final and will likely change significantly in subsequent releases.<br />
<br />
Download the ebook [https://github.com/OWASP/owasp-mstg/releases/download/1.0/owasp-mstg-summit-edition.epub here].<br />
<br />
== Mobile Security Testing Workshop on the OWASP Summit 2017 ==<br />
<br />
The OWASP MSTG team is organizing a 5-days mobile security track on the OWASP Summit 2017. The track consists of a series of book sprints, each of which focuses on producing content for a specific section in the OWASP MSTG, as well as proof-reading and editing the existing content. The goal is to make as much progress on the guide as is humanly possible. Depending on the number of participants, we’ll split into sub-groups to work on different subsections or topic areas.<br />
<br />
=== How to Join ===<br />
<br />
Join up for the working session(s) you like by following the link(s) on the [http://owaspsummit.org/Working-Sessions/Mobile-Security/ mobile security track page], then hitting the "Edit this page here" link at the bottom, and adding yourself to the "participants" field. Signing up is not mandatory, but helps us to better organize the sessions. Don’t worry though if your session of choice happens on the "wrong" day - you can always simply stop by and we’ll brief you on your topic of choice. After all, this is the Woodstock of appsec!<br />
<br />
Mobile security track main page:<br />
<br />
http://owaspsummit.org/Working-Sessions/Mobile-Security/<br />
<br />
Mobile security track schedule:<br />
<br />
http://owaspsummit.org/schedule/tracks/Mobile-Security.html/<br />
<br />
== April 5th, 2017: Mobile App Security Verification Standard Update ==<br />
<br />
[https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf Version 0.9.3] of the MASVS is now [https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf available for download] . This release contains several bug fixes and modifications to security requirements:<br />
<br />
* Merged requirements 7.8 and 7.9 into for simplification<br />
* Removed Anti-RE controls 8.1 and 8.2<br />
* Updated MSTG links to current master<br />
* Section "Environmental Interaction" renamed to "Platform Interaction"<br />
* Removed To-dos<br />
* Fixed some wording & spelling issues<br />
<br />
== January 31st, 2017: Mobile App Security Verification Standard v0.9.2 Available For Download ==<br />
<br />
The Mobile App Security Verification Standard (MASVS) has undergone a major revision, including a re-design of the security model and verification levels. We also revised many security requirements to address the multitude of [https://github.com/OWASP/owasp-masvs/issues?q=is%3Aissue%20 issues raised on GitHub]. The result is MASVS v0.9.2, which is now [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf available for download in PDF format].<br />
<br />
As the MASVS is nearing maturity, we have decided to freeze the requirements until the Mobile Testing Guide and checklists "catch up" (due to the one-to-one mapping between requirements in the MASVS and MSTG, changes to the requirements make it necessary to update the other documents as well, causing repeated effort). Unless major issues pop up, the current list will therefore remain in place until MASVS/MSTG v1.0, and further changes will be reserved for v1.1 or later releases.<br />
<br />
The MASVS is a community effort to establish security requirements for designing, developing and testing secure mobile apps on iOS and Android. Join the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel] to meet the project members! You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
== January 28th, 2017: Mobile Crackmes and Reversing Tutorials ==<br />
{| cellpadding="5"<br />
|-<br />
| [[File:uncrackable-250.png|link=]]<br />
| <br />
A key goal of the OWASP Mobile Testing Project is to build the ultimate learning resource and reference guide for mobile app reversers. As hands-on hacking is by far the best way to learn, we'd like to link most of the content to practical examples. <br />
<br />
Starting now, we'll be adding [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes crackmes for Android and iOS] to the [https://github.com/OWASP/owasp-mstg GitHub repo] that will then be used as examples throughout the guide. The goal is to collect enough resources for demonstrating the most important tools and techniques in our guide, plus additional crackmes for practicing. For starters there are three challenges:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/OMTG-Files/02_Crackmes/01_Android/01_License_Validation Android License Validator]<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes/iOS/Level_01/ Uncrackable App for iOS Level 1]<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes/iOS/Level_02/ Uncrackable App for iOS Level 2]<br />
<br />
|}<br />
<br />
One of these three already has a [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md#symbolicexec documented solution] in the guide. Tutorials for solving the other two [https://github.com/OWASP/owasp-mstg/blob/master/OMTG-Files/02_Crackmes/List_of_Crackmes.md still need to be added].<br />
<br />
=== We Need More Authors and Contributors! ===<br />
<br />
Maybe you have noticed that [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html the reverse engineering sections in the Mobile Testing Guide are incomplete]. The reason: We're still in the starting stages and don't have a lot of authors and contributors (in fact, 99% of the reversing content was produced by one guy). We'd love to welcome *you* as a contributor of crackmes, tutorials, writeups, or simply new ideas for this project. <br />
<br />
==== What You Can Do ====<br />
<br />
The OWASP MSTG is an open project and there's a lot of flexibility - it mostly depends on your skill set and willingness to commit your time. That said, the some areas that need help are:<br />
<br />
* Solving crackmes and contributing a tutorial to the guide (preferable a technique that's not already documented. Check the [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html TOC] first).<br />
* Writing and adding new crackmes along with solutions (should also describe something not already in the guide. Cracking white-boxes, dynamic analysis using an emulator / introspection, etc. etc.).<br />
* General reversing write-ups to describe specific processes and techniques<br />
* Help us figure out [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x07b-Assessing_Software_Protections.md resiliency testing processes] and [https://github.com/b-mueller/obfuscation-metrics obfuscation metrics]<br />
<br />
The reversing part of the guide consists of the following chapters:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05-Testing-Processes-and-Techniques.md#tampering-and-reverse-engineering Tampering and Reverse Engineering - General Overview]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md#tampering-and-reverse-engineering-on-android Tampering and Reverse Engineering on Android]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Reverse-Engineering-and-Tampering-iOS.md#tampering-and-reverse-engineering-on-ios Tampering and Reverse Engineering on iOS]<br />
<br />
==== How To Join ====<br />
<br />
Read the [https://github.com/OWASP/owasp-mstg/blob/master/authors_guide.md author's guide] first, and join the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel], where you'll find all the other project members. You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
== January 22nd, 2017: Mobile Testing Guide TOC Available ==<br />
<br />
As of now, we'll be auto-generating a [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html table of contents] out of the current MSTG master branch. This reflects the current state of the guide, and should make it easier to coordinate work between authors. A short-term goal is to finalize the structure of the guide so we get a clearer picture of what will be included in the final document. Lead authors are encouraged to complete the outline of their respective chapters. <br />
<br />
'''On another note, we still need additional authors to help with all sections of the guide, including mobile operating system overviews, testing processes and techniques, and reverse engineering.''' Especially iOS authors are in short supply! As usual, ping us on the [https://owasp.slack.com/messages/project-mobile_omtg/details/ Slack Channel] if you want to contribute.<br />
<br />
== December 4th, 2016: Call For Authors: The Ultimate Open-Source Mobile App Reverse Engineering Guide ==<br />
<br />
Reverse engineering is an art, and describing every available facet of it would fill a whole library. The sheer range techniques and possible specializations is mind-blowing: One can spend years working on a very specific, isolated sub-problem, such as automating malware analysis or developing novel de-obfuscation methods. For mobile app security testers, it can be challenging to filter through the vast amount of information and build a working methodology. Things become even more problematic when one is tasked to assess apps that are heavily obfuscated and have anti-tampering measures built in.<br />
<br />
One of the main goals in the MSTG is to build the ultimate resource for mobile reverse engineers. This includes not only basic static and dynamic analysis, but also advanced de-obfuscation, scripting and automation. Obviously, writing all this content is a lot of work, both in terms of general content and OS-specific how-tos. We're therefore looking for talented authors that want to join the project early on. Topics include the following:<br />
<br />
* Basic Hybrid Static/Dynamic Analysis<br />
* Code Injection and Dynamic Instrumentation (Substrate, FRIDA)<br />
* Dynamic Binary Instrumentation (Valgrind, PIE)<br />
* Analysis Frameworks (Metasm / Miasm)<br />
* Symbolic Execution<br />
* DCA and DPA attacks on white-box crypto<br />
* Dynamic analysis frameworks (PANDA / DroidScope,...)<br />
* Anything else we might have missed<br />
<br />
=== What is in for me? ===<br />
<br />
All of this is unpaid, volunteer work. However, depending on your contribution, you will be named in the "lead authors" or "contributors" list, and you'll be able to point to the fact that you co-authored the guide. You'll also be contributing to the field, helping others who are just starting out, and in turn becoming a happier person yourself (reaping the full benefits of your altruism).<br />
<br />
=== Where do I sign up? ===<br />
<br />
First of all, have a look at the existing RE chapters outline:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05-Testing-Processes-and-Techniques.md#tampering-and-reverse-engineering Generic / Introduction]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md Android]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Reverse-Engineering-and-Tampering-iOS.md#tampering-and-reverse-engineering-on-ios iOS]<br />
<br />
You'll probably immediately have ideas on how you can contribute. If that's the case, read the [https://github.com/OWASP/owasp-mstg/blob/master/authors_guide.md author's guide] first. <br />
<br />
Then contact [https://github.com/b-mueller Bernhard Mueller] - ideally directly on the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel], where you'll find all the other project members. You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
=FAQs=<br />
<br />
==How can I participate in your project?==<br />
<br />
'''We are searching for additional authors, reviewers and editors.''' The best way to get started is to browse the [https://b-mueller.gitbooks.io/owasp-mobile-security-testing-guide/content/ existing content]. Also, check the [https://github.com/OWASP/owasp-mstg/projects/1 project dashboard] for a list of open tasks.<br />
<br />
Drop a us line on the [https://owasp.slack.com/messages/project-mobile_omtg/details/) Slack channel] before you start working on a topic. This helps us to keep track of what everyone is doing and prevent conflicts. You can create a Slack account here:<br />
<br />
http://owasp.herokuapp.com/<br />
<br />
Before you start contributing, please read our brief [https://github.com/OWASP/owasp-mstg/blob/master/style_guide.md style guide] which contains a few basic writing rules.<br />
<br />
If there's something you really want to see in the guide, or you want to suggest an improvement, create an issue [https://github.com/OWASP/owasp-mstg/issues issue] or ping us on [https://owasp.slack.com/messages/project-mobile_omtg/details/ Slack].<br />
<br />
==Where do you guys need help the most?==<br />
<br />
There's a lot of areas where you can help out:<br />
<br />
* Writing original content, such as describing testing processes and writing test cases. We're all doing this in our spare time, which unfortunately means that things sometimes slow down to a crawl. If you're knowledgeable in some area and have time available, we'd be incredibly thankful to anyone who contributes, even if it's only one or two test cases.<br />
<br />
* Reviewing content and giving feedback. The proper channel for questions and feedback is the GitHub issues system of the respective repo, contacting us on [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel] is another possibility.<br />
<br />
* Developing tools. For example, we still don't have an automated way of generating checklists out of the GitHub repo.<br />
<br />
* Contributing to auxiliary projects: The [https://github.com/b-mueller/obfuscation-metrics obfuscation metrics project] is an auxiliary project that deals with specific forms of control flow and data obfuscation. This project needs experts in advanced obfuscation / de-obfuscation. Please contact us if you have experience in this area.<br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator.<br />
<br />
==I contributed to the original Google Doc, but I'm not credited in the new version of the MSTG? ==<br />
As we migrated some of the existing content, we did our best to backtrack the original authors and credit them appropriately. We also added a [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x02-Frontispiece.md revision history] that lists all the authors from old Google Docs. If you are not on that list but feel you should be, please contact [https://github.com/b-mueller Bernhard] or [https://github.com/sushi2k Sven] and they'll fix it. Or better yet, re-join the author's team and start contributing to the new guide.<br />
<br />
= Acknowledgements =<br />
<br />
== Acknowledgments ==<br />
<br />
=== Authors ===<br />
<br />
====Bernhard Mueller ====<br />
<br />
Bernhard is a cyber security specialist with a talent in hacking all kinds of systems. During more than a decade in the industry, he has published many zero-day exploits for software such as MS SQL Server, Adobe Flash Player, IBM Director, Cisco VOIP and ModSecurity. If you can name it, he has probably broken it at least once. His pioneering work in mobile security was commended with a BlackHat "Best Research" Pwnie Award.<br />
<br />
==== Sven Schleier ====<br />
<br />
Sven is an experienced penetration tester and security architect who specialized in implementing secure SDLC for web application, iOS and Android apps. He is a project leader for the OWASP Mobile Security Testing Guide and the creator of OWASP Mobile Hacking Playground. Sven also supports the community with free hands-on workshops on web and mobile app security testing. He has published several security advisories and a white papers about a range of security topics.<br />
<br />
=== Co-Authors ===<br />
<br />
==== Romuald Szkudlarek ====<br />
<br />
Romuald is a passionate cyber security & privacy professional with over 15 years of experience in the Web, Mobile, IoT and Cloud domains. During his career, he has been dedicating spare time to a variery of projects with the goal of advancing the sectors of software and security. He is also teaching at various institutions. He holds CISSP, CSSLP and CEH credentials.<br />
<br />
==== Jeroen Willemsen ====<br />
<br />
Jeroen is a full-stack developer specialized in IT security at Xebia with a passion for mobile and risk management. He loves to explain things: starting as a teacher teaching PHP to bachelor students and then move along explaining security, risk management and programming issues to anyone willing to listen and learn.<br />
<br />
=== Top Contributors ===<br />
<br />
* Francesco Stillavato<br />
* Pawel Rzepa<br />
* Andreas Happe<br />
* Henry Hoggard<br />
* Wen Bin Kong<br />
* Abdessamad Temmar<br />
* Alexander Anthuk<br />
* Slawomir Kosowski<br />
* Bolot Kerimbaev<br />
<br />
=== Contributors ===<br />
<br />
Jin Kung Ong, Gerhard Wagner, Andreas Happe, Wen Bin Kong, Michael Helwig, Jeroen Willemsen, Denis Pilipchuk, Ryan Teoh, Dharshin De Silva, Anita Diamond, Daniel Ramirez Martin, Claudio André, Enrico Verzegnassi, Prathan Phongthiproek, Tom Welch, Luander Ribeiro, Oguzhan Topgul, Carlos Holguera, David Fern, Pishu Mahtani, Anuruddha<br />
<br />
=== Reviewers ===<br />
<br />
* Anant Shrivastava<br />
* Sjoerd Langkemper<br />
<br />
=== Others ===<br />
<br />
The full list of contributors, including those with less than 50 additions logged, is available on [https://github.com/OWASP/owasp-mstg/graphs/contributors GitHub].<br />
<br />
=== Old Version - MSTG "Beta" on Google Drive ===<br />
<br />
The Mobile Security Testing Guide was initiated by [https://www.owasp.org/index.php/User:Milan_Singh_Thakur Milan Singh Thakur] in 2015. The original document was hosted on Google Drive.<br />
<br />
'''Authors:'''<br />
<br />
Mirza Ali, Stephen Corbiaux, Ryan Dewhurst, Mohammad Hamed Dadpour, David Fern, Ali Yazdani, Bao Lee, Anto Joseph, Nutan Kumar Panda, Rahil Parikh, Julian Schütte, Abhinav Sejpal, Anant Shrivastava, Pragati Singh, Milan Singh Thakur, Stephanie Vanroelen, Gerhard Wagner<br />
<br />
'''Reviewers:'''<br />
<br />
Andrew Muller, Jonathan Carter, Stephanie Vanroelen, Milan Singh Thakur<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs></headertabs> <br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Builders]] <br />
[[Category:OWASP_Defenders]] <br />
[[Category:OWASP_Document]]</div>Bernhard Muellerhttps://wiki.owasp.org/index.php?title=File:MSTG-Sponsor-Packages.pdf&diff=231229File:MSTG-Sponsor-Packages.pdf2017-07-05T03:17:03Z<p>Bernhard Mueller: </p>
<hr />
<div></div>Bernhard Muellerhttps://wiki.owasp.org/index.php?title=OWASP_Mobile_Security_Testing_Guide&diff=231228OWASP Mobile Security Testing Guide2017-07-05T03:15:41Z<p>Bernhard Mueller: </p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_MSTG_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==Our Vision ==<br />
<br />
=== '''"Define the industry standard for mobile application security."''' ===<br />
<br />
We are writing a security standard for mobile apps and a comprehensive testing guide that covers the processes, techniques, and tools used during a mobile app security test, as well as an exhaustive set of test cases that enables testers to deliver consistent and complete results.<br />
<br />
== Early-Access Ebook ==<br />
<br />
{| cellpadding="5"<br />
|-<br />
| [[File:Early-access-mini.jpg|link=https://leanpub.com/mobile-security-testing-guide]]<br />
| '''Mobile Security Testing Guide - Early Access'''<br />
The early access edition contains sample chapters with content on mobile security testing and reverse engineering. Feel free to download it for $0 or contribute any amount you like. All funds raised through sales of this book go directly into the project budget and will be used to fund production of the final release.<br />
|}<br />
<br />
== Main Deliverables ==<br />
<br />
{| cellpadding="5"<br />
|-<br />
| [[File:mstg-mini-3.jpg|link=https://www.github.com/OWASP/owasp-mstg/]]<br />
| '''Mobile Security Testing Guide'''<br />
A comprehensive guide for iOS and Android mobile security testers with the following content:<br />
# Mobile platform internals<br />
# Security testing in the mobile app development lifecycle<br />
# Basic static and dynamic security testing<br />
# Mobile app reverse engineering and tampering<br />
# Assessing software protections<br />
# Detailed test cases that map to the requirements in the MASVS.<br />
The MSTG is a work-in-progress. Currently, we hope to be "feature-complete" in Q3 2017. You can contribute and comment in the [https://github.com/OWASP/owasp-mstg GitHub Repo]. A book version of the current master branch is available on [https://b-mueller.gitbooks.io/the-owasp-mobile-security-testing-guide/content/ Gitbook].<br />
|-<br />
| [[File:masvs-sample-mini.jpg|link=https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf]]<br />
| '''Mobile App Security Requirements and Verification'''<br />
The [https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf OWASP Mobile Application Security Verification Standard (MASVS)] is a standard for mobile app security. It can be used by mobile software architects and developers seeking to develop secure mobile applications, as well as security testers to ensure completeness and consistency of test results. The latest release is [https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf version 0.9.3].<br />
|-<br />
| [[File:checklist.jpg|link=https://www.owasp.org/images/1/1b/Mobile_App_Security_Checklist_0.9.3.xlsx]]<br />
| '''Mobile App Security Checklist'''<br />
A checklist for use in security assessments. Also contains links to the MSTG test case for each requirement. The current release is [https://www.owasp.org/images/1/1b/Mobile_App_Security_Checklist_0.9.3.xlsx version 0.9.3].<br />
|}<br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Breakers]] <br />
[[Category:OWASP_Document]]<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="center" width="50%" | [[File:Owasp-breakers-small.png|link=https://www.owasp.org/index.php/Breakers]]<br />
|<br />
|-<br />
| align="center" valign="center" width="50%" | <br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
== Project Leaders ==<br />
<br />
<span style="color:#ff0000"><br />
<br />
[https://www.owasp.org/index.php/User:Bernhard_Mueller Bernhard Mueller]<br />
<br />
[https://www.owasp.org/index.php/User:Sven_Schleier Sven Schleier]<br />
<br />
== Road Map ==<br />
<br />
* Q3 2017: Beta release<br />
* Q4 2017: Version 1.0<br />
* Q1 2018: Produce A Printable Book<br />
<br />
== Parent Project ==<br />
<br />
[[OWASP_Mobile_Security_Project]]<br />
<br />
==Licensing==<br />
<br />
The guide is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
|}<br />
<br />
=How-To=<br />
<br />
== Using the OWASP Mobile App Security Verification Standard, Testing Guide and Checklist ==<br />
<br />
The documents produced in this project cover many aspects of mobile application security, from the high-level requirements to the nitty-gritty implementation details and test cases. They can be used to plan and verify security controls during any phase of mobile app development, as well as during pre-release code review and penetration testing.<br />
<br />
# The [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf Mobile Application Security Verification Standard (MASVS)] contains generic security requirements along with mappings to verification levels that can be chosen depending on the overall need for security.<br />
# The [https://github.com/OWASP/owasp-mstg Mobile Security Testing Guide (MSTG)] provides verification instructions for each requirement in the MASVS, as well as security best practices for apps on each supported mobile operating system (currently Android and iOS). It is also useful as a standalone learning resource and reference guide for mobile application security testers.<br />
# The [https://www.owasp.org/images/6/6f/Mobile_App_Security_Checklist_0.9.2.xlsx Mobile App Security Checklist] can be used to apply the MASVS requirements during practical assessments. It also conveniently links to the MSTG test case for each requirement, making mobile penetration testing a breeze.<br />
<br />
It is important to note that the security standard, testing guide and checklists are closely related: They all map to the same basic set of requirements. Depending on the context, the documents can be used stand-alone or in combination to achieve different objectives.<br />
<br />
[[File:Overview-800px.jpg]]<br />
<br />
For example, the MASVS requirements may be used in the planning and architecture design stages, while the checklist and testing guide may serve as a baseline for manual security testing or as a template for automated security tests.<br />
<br />
== Mobile App Security Testing ==<br />
<br />
The [https://www.owasp.org/images/9/94/Mobile_App_Security_Verification_Checklist_0.8.2.xlsx checklist] works great as a reference during mobile app security assessments. You can walk through the requirements one-by-one - for more information on each requirement, simply click on the link in the "Testing procedures" column. Or, fill out the checklist at the end of an assessment to ensure completeness. <br />
<br />
== Security Engineering in the SDLC ==<br />
<br />
Properly defined security requirements are an important part of the Secure SDLC. The [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf MASVS] levels can be used along with threat modeling to determine the appropriate set of security controls for a particular mobile app. MASVS V1 also lists requirements pertaining to the architecture and design of the mobile apps, as well as general processes and activities that should be part of the development process.<br />
<br />
== Mobile App Security Education ==<br />
<br />
The [https://github.com/OWASP/owasp-mstg Mobile Security Testing Guide] can be used as a standalone learning resource. Its main chapters contain general how-tos and tutorials that cover a variety of topics from mobile OS internals to advanced reverse engineering techniques.<br />
<br />
= Sponsorship Packages =<br />
With the Mobile Security Testing Guide sponsorship packages, we offer companies opportunities to create brand awareness and maximize visibility in the mobile security space. A limited amount of sponsorship packages will be made available shortly through our crowdfunding campaign. <br />
<br />
The following packages will be available (or download as PDF):<br />
<br />
=== Good Samaritan (USD 500) ===<br />
* Listed as supporter on the project website and GitHub<br />
* Listed as supporter in the printed and ebook versions<br />
* 5 Paperback Books<br />
<br />
=== Honourable Benefactor (USD 2,000 / 10 Available) ===<br />
* Small company logo in the “Honourable Benefactors” section on project website and Github<br />
* Small company logo on the sponsors page of the printed and ebook versions<br />
* 10 Paperback Books<br />
<br />
=== God Mode Sponsor (USD 4,000 / 5 Available) ===<br />
* Large company logo in the “God mode sponsors” section on project website and Github<br />
* Large company logo on the sponsors page of the printed and ebook versions<br />
* 20 Paperback Books<br />
<br />
== Pre-book a package ==<br />
Contact [mailto:bernhard&#x5B;dot&#x5D;mueller&#x5B;at&#x5D;owasp&#x5B;dot&#x5D;org Bernhard Mueller] to reserve your slot. We will contact you as soon as the packages become available.<br />
<br />
=News=<br />
<br />
== June 17th, 2017: The OWASP Mobile Security Testing Guide - Summit Preview ==<br />
<br />
The MSTG Summit Preview is an experimental proof-of-concept book created on the OWASP Summit 2017 in London. The goal was to improve the authoring process and book deployment pipeline, as well as to demonstrate the viability of the project. Note that the content is not final and will likely change significantly in subsequent releases.<br />
<br />
Download the ebook [https://github.com/OWASP/owasp-mstg/releases/download/1.0/owasp-mstg-summit-edition.epub here].<br />
<br />
== Mobile Security Testing Workshop on the OWASP Summit 2017 ==<br />
<br />
The OWASP MSTG team is organizing a 5-days mobile security track on the OWASP Summit 2017. The track consists of a series of book sprints, each of which focuses on producing content for a specific section in the OWASP MSTG, as well as proof-reading and editing the existing content. The goal is to make as much progress on the guide as is humanly possible. Depending on the number of participants, we’ll split into sub-groups to work on different subsections or topic areas.<br />
<br />
=== How to Join ===<br />
<br />
Join up for the working session(s) you like by following the link(s) on the [http://owaspsummit.org/Working-Sessions/Mobile-Security/ mobile security track page], then hitting the "Edit this page here" link at the bottom, and adding yourself to the "participants" field. Signing up is not mandatory, but helps us to better organize the sessions. Don’t worry though if your session of choice happens on the "wrong" day - you can always simply stop by and we’ll brief you on your topic of choice. After all, this is the Woodstock of appsec!<br />
<br />
Mobile security track main page:<br />
<br />
http://owaspsummit.org/Working-Sessions/Mobile-Security/<br />
<br />
Mobile security track schedule:<br />
<br />
http://owaspsummit.org/schedule/tracks/Mobile-Security.html/<br />
<br />
== April 5th, 2017: Mobile App Security Verification Standard Update ==<br />
<br />
[https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf Version 0.9.3] of the MASVS is now [https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf available for download] . This release contains several bug fixes and modifications to security requirements:<br />
<br />
* Merged requirements 7.8 and 7.9 into for simplification<br />
* Removed Anti-RE controls 8.1 and 8.2<br />
* Updated MSTG links to current master<br />
* Section "Environmental Interaction" renamed to "Platform Interaction"<br />
* Removed To-dos<br />
* Fixed some wording & spelling issues<br />
<br />
== January 31st, 2017: Mobile App Security Verification Standard v0.9.2 Available For Download ==<br />
<br />
The Mobile App Security Verification Standard (MASVS) has undergone a major revision, including a re-design of the security model and verification levels. We also revised many security requirements to address the multitude of [https://github.com/OWASP/owasp-masvs/issues?q=is%3Aissue%20 issues raised on GitHub]. The result is MASVS v0.9.2, which is now [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf available for download in PDF format].<br />
<br />
As the MASVS is nearing maturity, we have decided to freeze the requirements until the Mobile Testing Guide and checklists "catch up" (due to the one-to-one mapping between requirements in the MASVS and MSTG, changes to the requirements make it necessary to update the other documents as well, causing repeated effort). Unless major issues pop up, the current list will therefore remain in place until MASVS/MSTG v1.0, and further changes will be reserved for v1.1 or later releases.<br />
<br />
The MASVS is a community effort to establish security requirements for designing, developing and testing secure mobile apps on iOS and Android. Join the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel] to meet the project members! You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
== January 28th, 2017: Mobile Crackmes and Reversing Tutorials ==<br />
{| cellpadding="5"<br />
|-<br />
| [[File:uncrackable-250.png|link=]]<br />
| <br />
A key goal of the OWASP Mobile Testing Project is to build the ultimate learning resource and reference guide for mobile app reversers. As hands-on hacking is by far the best way to learn, we'd like to link most of the content to practical examples. <br />
<br />
Starting now, we'll be adding [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes crackmes for Android and iOS] to the [https://github.com/OWASP/owasp-mstg GitHub repo] that will then be used as examples throughout the guide. The goal is to collect enough resources for demonstrating the most important tools and techniques in our guide, plus additional crackmes for practicing. For starters there are three challenges:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/OMTG-Files/02_Crackmes/01_Android/01_License_Validation Android License Validator]<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes/iOS/Level_01/ Uncrackable App for iOS Level 1]<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes/iOS/Level_02/ Uncrackable App for iOS Level 2]<br />
<br />
|}<br />
<br />
One of these three already has a [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md#symbolicexec documented solution] in the guide. Tutorials for solving the other two [https://github.com/OWASP/owasp-mstg/blob/master/OMTG-Files/02_Crackmes/List_of_Crackmes.md still need to be added].<br />
<br />
=== We Need More Authors and Contributors! ===<br />
<br />
Maybe you have noticed that [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html the reverse engineering sections in the Mobile Testing Guide are incomplete]. The reason: We're still in the starting stages and don't have a lot of authors and contributors (in fact, 99% of the reversing content was produced by one guy). We'd love to welcome *you* as a contributor of crackmes, tutorials, writeups, or simply new ideas for this project. <br />
<br />
==== What You Can Do ====<br />
<br />
The OWASP MSTG is an open project and there's a lot of flexibility - it mostly depends on your skill set and willingness to commit your time. That said, the some areas that need help are:<br />
<br />
* Solving crackmes and contributing a tutorial to the guide (preferable a technique that's not already documented. Check the [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html TOC] first).<br />
* Writing and adding new crackmes along with solutions (should also describe something not already in the guide. Cracking white-boxes, dynamic analysis using an emulator / introspection, etc. etc.).<br />
* General reversing write-ups to describe specific processes and techniques<br />
* Help us figure out [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x07b-Assessing_Software_Protections.md resiliency testing processes] and [https://github.com/b-mueller/obfuscation-metrics obfuscation metrics]<br />
<br />
The reversing part of the guide consists of the following chapters:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05-Testing-Processes-and-Techniques.md#tampering-and-reverse-engineering Tampering and Reverse Engineering - General Overview]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md#tampering-and-reverse-engineering-on-android Tampering and Reverse Engineering on Android]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Reverse-Engineering-and-Tampering-iOS.md#tampering-and-reverse-engineering-on-ios Tampering and Reverse Engineering on iOS]<br />
<br />
==== How To Join ====<br />
<br />
Read the [https://github.com/OWASP/owasp-mstg/blob/master/authors_guide.md author's guide] first, and join the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel], where you'll find all the other project members. You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
== January 22nd, 2017: Mobile Testing Guide TOC Available ==<br />
<br />
As of now, we'll be auto-generating a [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html table of contents] out of the current MSTG master branch. This reflects the current state of the guide, and should make it easier to coordinate work between authors. A short-term goal is to finalize the structure of the guide so we get a clearer picture of what will be included in the final document. Lead authors are encouraged to complete the outline of their respective chapters. <br />
<br />
'''On another note, we still need additional authors to help with all sections of the guide, including mobile operating system overviews, testing processes and techniques, and reverse engineering.''' Especially iOS authors are in short supply! As usual, ping us on the [https://owasp.slack.com/messages/project-mobile_omtg/details/ Slack Channel] if you want to contribute.<br />
<br />
== December 4th, 2016: Call For Authors: The Ultimate Open-Source Mobile App Reverse Engineering Guide ==<br />
<br />
Reverse engineering is an art, and describing every available facet of it would fill a whole library. The sheer range techniques and possible specializations is mind-blowing: One can spend years working on a very specific, isolated sub-problem, such as automating malware analysis or developing novel de-obfuscation methods. For mobile app security testers, it can be challenging to filter through the vast amount of information and build a working methodology. Things become even more problematic when one is tasked to assess apps that are heavily obfuscated and have anti-tampering measures built in.<br />
<br />
One of the main goals in the MSTG is to build the ultimate resource for mobile reverse engineers. This includes not only basic static and dynamic analysis, but also advanced de-obfuscation, scripting and automation. Obviously, writing all this content is a lot of work, both in terms of general content and OS-specific how-tos. We're therefore looking for talented authors that want to join the project early on. Topics include the following:<br />
<br />
* Basic Hybrid Static/Dynamic Analysis<br />
* Code Injection and Dynamic Instrumentation (Substrate, FRIDA)<br />
* Dynamic Binary Instrumentation (Valgrind, PIE)<br />
* Analysis Frameworks (Metasm / Miasm)<br />
* Symbolic Execution<br />
* DCA and DPA attacks on white-box crypto<br />
* Dynamic analysis frameworks (PANDA / DroidScope,...)<br />
* Anything else we might have missed<br />
<br />
=== What is in for me? ===<br />
<br />
All of this is unpaid, volunteer work. However, depending on your contribution, you will be named in the "lead authors" or "contributors" list, and you'll be able to point to the fact that you co-authored the guide. You'll also be contributing to the field, helping others who are just starting out, and in turn becoming a happier person yourself (reaping the full benefits of your altruism).<br />
<br />
=== Where do I sign up? ===<br />
<br />
First of all, have a look at the existing RE chapters outline:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05-Testing-Processes-and-Techniques.md#tampering-and-reverse-engineering Generic / Introduction]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md Android]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Reverse-Engineering-and-Tampering-iOS.md#tampering-and-reverse-engineering-on-ios iOS]<br />
<br />
You'll probably immediately have ideas on how you can contribute. If that's the case, read the [https://github.com/OWASP/owasp-mstg/blob/master/authors_guide.md author's guide] first. <br />
<br />
Then contact [https://github.com/b-mueller Bernhard Mueller] - ideally directly on the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel], where you'll find all the other project members. You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
=FAQs=<br />
<br />
==How can I participate in your project?==<br />
<br />
'''We are searching for additional authors, reviewers and editors.''' The best way to get started is to browse the [https://b-mueller.gitbooks.io/owasp-mobile-security-testing-guide/content/ existing content]. Also, check the [https://github.com/OWASP/owasp-mstg/projects/1 project dashboard] for a list of open tasks.<br />
<br />
Drop a us line on the [https://owasp.slack.com/messages/project-mobile_omtg/details/) Slack channel] before you start working on a topic. This helps us to keep track of what everyone is doing and prevent conflicts. You can create a Slack account here:<br />
<br />
http://owasp.herokuapp.com/<br />
<br />
Before you start contributing, please read our brief [https://github.com/OWASP/owasp-mstg/blob/master/style_guide.md style guide] which contains a few basic writing rules.<br />
<br />
If there's something you really want to see in the guide, or you want to suggest an improvement, create an issue [https://github.com/OWASP/owasp-mstg/issues issue] or ping us on [https://owasp.slack.com/messages/project-mobile_omtg/details/ Slack].<br />
<br />
==Where do you guys need help the most?==<br />
<br />
There's a lot of areas where you can help out:<br />
<br />
* Writing original content, such as describing testing processes and writing test cases. We're all doing this in our spare time, which unfortunately means that things sometimes slow down to a crawl. If you're knowledgeable in some area and have time available, we'd be incredibly thankful to anyone who contributes, even if it's only one or two test cases.<br />
<br />
* Reviewing content and giving feedback. The proper channel for questions and feedback is the GitHub issues system of the respective repo, contacting us on [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel] is another possibility.<br />
<br />
* Developing tools. For example, we still don't have an automated way of generating checklists out of the GitHub repo.<br />
<br />
* Contributing to auxiliary projects: The [https://github.com/b-mueller/obfuscation-metrics obfuscation metrics project] is an auxiliary project that deals with specific forms of control flow and data obfuscation. This project needs experts in advanced obfuscation / de-obfuscation. Please contact us if you have experience in this area.<br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator.<br />
<br />
==I contributed to the original Google Doc, but I'm not credited in the new version of the MSTG? ==<br />
As we migrated some of the existing content, we did our best to backtrack the original authors and credit them appropriately. We also added a [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x02-Frontispiece.md revision history] that lists all the authors from old Google Docs. If you are not on that list but feel you should be, please contact [https://github.com/b-mueller Bernhard] or [https://github.com/sushi2k Sven] and they'll fix it. Or better yet, re-join the author's team and start contributing to the new guide.<br />
<br />
= Acknowledgements =<br />
<br />
== Acknowledgments ==<br />
<br />
=== Authors ===<br />
<br />
====Bernhard Mueller ====<br />
<br />
Bernhard is a cyber security specialist with a talent in hacking all kinds of systems. During more than a decade in the industry, he has published many zero-day exploits for software such as MS SQL Server, Adobe Flash Player, IBM Director, Cisco VOIP and ModSecurity. If you can name it, he has probably broken it at least once. His pioneering work in mobile security was commended with a BlackHat "Best Research" Pwnie Award.<br />
<br />
==== Sven Schleier ====<br />
<br />
Sven is an experienced penetration tester and security architect who specialized in implementing secure SDLC for web application, iOS and Android apps. He is a project leader for the OWASP Mobile Security Testing Guide and the creator of OWASP Mobile Hacking Playground. Sven also supports the community with free hands-on workshops on web and mobile app security testing. He has published several security advisories and a white papers about a range of security topics.<br />
<br />
=== Co-Authors ===<br />
<br />
==== Romuald Szkudlarek ====<br />
<br />
Romuald is a passionate cyber security & privacy professional with over 15 years of experience in the Web, Mobile, IoT and Cloud domains. During his career, he has been dedicating spare time to a variery of projects with the goal of advancing the sectors of software and security. He is also teaching at various institutions. He holds CISSP, CSSLP and CEH credentials.<br />
<br />
==== Jeroen Willemsen ====<br />
<br />
Jeroen is a full-stack developer specialized in IT security at Xebia with a passion for mobile and risk management. He loves to explain things: starting as a teacher teaching PHP to bachelor students and then move along explaining security, risk management and programming issues to anyone willing to listen and learn.<br />
<br />
=== Top Contributors ===<br />
<br />
* Francesco Stillavato<br />
* Pawel Rzepa<br />
* Andreas Happe<br />
* Henry Hoggard<br />
* Wen Bin Kong<br />
* Abdessamad Temmar<br />
* Alexander Anthuk<br />
* Slawomir Kosowski<br />
* Bolot Kerimbaev<br />
<br />
=== Contributors ===<br />
<br />
Jin Kung Ong, Gerhard Wagner, Andreas Happe, Wen Bin Kong, Michael Helwig, Jeroen Willemsen, Denis Pilipchuk, Ryan Teoh, Dharshin De Silva, Anita Diamond, Daniel Ramirez Martin, Claudio André, Enrico Verzegnassi, Prathan Phongthiproek, Tom Welch, Luander Ribeiro, Oguzhan Topgul, Carlos Holguera, David Fern, Pishu Mahtani, Anuruddha<br />
<br />
=== Reviewers ===<br />
<br />
* Anant Shrivastava<br />
* Sjoerd Langkemper<br />
<br />
=== Others ===<br />
<br />
The full list of contributors, including those with less than 50 additions logged, is available on [https://github.com/OWASP/owasp-mstg/graphs/contributors GitHub].<br />
<br />
=== Old Version - MSTG "Beta" on Google Drive ===<br />
<br />
The Mobile Security Testing Guide was initiated by [https://www.owasp.org/index.php/User:Milan_Singh_Thakur Milan Singh Thakur] in 2015. The original document was hosted on Google Drive.<br />
<br />
'''Authors:'''<br />
<br />
Mirza Ali, Stephen Corbiaux, Ryan Dewhurst, Mohammad Hamed Dadpour, David Fern, Ali Yazdani, Bao Lee, Anto Joseph, Nutan Kumar Panda, Rahil Parikh, Julian Schütte, Abhinav Sejpal, Anant Shrivastava, Pragati Singh, Milan Singh Thakur, Stephanie Vanroelen, Gerhard Wagner<br />
<br />
'''Reviewers:'''<br />
<br />
Andrew Muller, Jonathan Carter, Stephanie Vanroelen, Milan Singh Thakur<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs></headertabs> <br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Builders]] <br />
[[Category:OWASP_Defenders]] <br />
[[Category:OWASP_Document]]</div>Bernhard Muellerhttps://wiki.owasp.org/index.php?title=OWASP_Mobile_Security_Testing_Guide&diff=231219OWASP Mobile Security Testing Guide2017-07-04T11:56:46Z<p>Bernhard Mueller: /* Main Deliverables */</p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_MSTG_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==Our Vision ==<br />
<br />
=== '''"Define the industry standard for mobile application security."''' ===<br />
<br />
We are writing a security standard for mobile apps and a comprehensive testing guide that covers the processes, techniques, and tools used during a mobile app security test, as well as an exhaustive set of test cases that enables testers to deliver consistent and complete results.<br />
<br />
== Early-Access Ebook ==<br />
<br />
{| cellpadding="5"<br />
|-<br />
| [[File:Early-access-mini.jpg|link=https://leanpub.com/mobile-security-testing-guide]]<br />
| '''Mobile Security Testing Guide - Early Access'''<br />
The early access edition contains sample chapters with content on mobile security testing and reverse engineering. Feel free to download it for $0 or contribute any amount you like. All funds raised through sales of this book go directly into the project budget and will be used to fund production of the final release.<br />
|}<br />
<br />
== Main Deliverables ==<br />
<br />
{| cellpadding="5"<br />
|-<br />
| [[File:mstg-mini-3.jpg|link=https://www.github.com/OWASP/owasp-mstg/]]<br />
| '''Mobile Security Testing Guide'''<br />
A comprehensive guide for iOS and Android mobile security testers with the following content:<br />
# Mobile platform internals<br />
# Security testing in the mobile app development lifecycle<br />
# Basic static and dynamic security testing<br />
# Mobile app reverse engineering and tampering<br />
# Assessing software protections<br />
# Detailed test cases that map to the requirements in the MASVS.<br />
The MSTG is a work-in-progress. Currently, we hope to be "feature-complete" in Q3 2017. You can contribute and comment in the [https://github.com/OWASP/owasp-mstg GitHub Repo]. A book version of the current master branch is available on [https://b-mueller.gitbooks.io/the-owasp-mobile-security-testing-guide/content/ Gitbook].<br />
|-<br />
| [[File:masvs-sample-mini.jpg|link=https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf]]<br />
| '''Mobile App Security Requirements and Verification'''<br />
The [https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf OWASP Mobile Application Security Verification Standard (MASVS)] is a standard for mobile app security. It can be used by mobile software architects and developers seeking to develop secure mobile applications, as well as security testers to ensure completeness and consistency of test results. The latest release is [https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf version 0.9.3].<br />
|-<br />
| [[File:checklist.jpg|link=https://www.owasp.org/images/1/1b/Mobile_App_Security_Checklist_0.9.3.xlsx]]<br />
| '''Mobile App Security Checklist'''<br />
A checklist for use in security assessments. Also contains links to the MSTG test case for each requirement. The current release is [https://www.owasp.org/images/1/1b/Mobile_App_Security_Checklist_0.9.3.xlsx version 0.9.3].<br />
|}<br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Breakers]] <br />
[[Category:OWASP_Document]]<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="center" width="50%" | [[File:Owasp-breakers-small.png|link=https://www.owasp.org/index.php/Breakers]]<br />
|<br />
|-<br />
| align="center" valign="center" width="50%" | <br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
== Project Leaders ==<br />
<br />
<span style="color:#ff0000"><br />
<br />
[https://www.owasp.org/index.php/User:Bernhard_Mueller Bernhard Mueller]<br />
<br />
[https://www.owasp.org/index.php/User:Sven_Schleier Sven Schleier]<br />
<br />
== Road Map ==<br />
<br />
* Q3 2017: Beta release<br />
* Q4 2017: Version 1.0<br />
* Q1 2018: Produce A Printable Book<br />
<br />
== Parent Project ==<br />
<br />
[[OWASP_Mobile_Security_Project]]<br />
<br />
==Licensing==<br />
<br />
The guide is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
|}<br />
<br />
=How-To=<br />
<br />
== Using the OWASP Mobile App Security Verification Standard, Testing Guide and Checklist ==<br />
<br />
The documents produced in this project cover many aspects of mobile application security, from the high-level requirements to the nitty-gritty implementation details and test cases. They can be used to plan and verify security controls during any phase of mobile app development, as well as during pre-release code review and penetration testing.<br />
<br />
# The [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf Mobile Application Security Verification Standard (MASVS)] contains generic security requirements along with mappings to verification levels that can be chosen depending on the overall need for security.<br />
# The [https://github.com/OWASP/owasp-mstg Mobile Security Testing Guide (MSTG)] provides verification instructions for each requirement in the MASVS, as well as security best practices for apps on each supported mobile operating system (currently Android and iOS). It is also useful as a standalone learning resource and reference guide for mobile application security testers.<br />
# The [https://www.owasp.org/images/6/6f/Mobile_App_Security_Checklist_0.9.2.xlsx Mobile App Security Checklist] can be used to apply the MASVS requirements during practical assessments. It also conveniently links to the MSTG test case for each requirement, making mobile penetration testing a breeze.<br />
<br />
It is important to note that the security standard, testing guide and checklists are closely related: They all map to the same basic set of requirements. Depending on the context, the documents can be used stand-alone or in combination to achieve different objectives.<br />
<br />
[[File:Overview-800px.jpg]]<br />
<br />
For example, the MASVS requirements may be used in the planning and architecture design stages, while the checklist and testing guide may serve as a baseline for manual security testing or as a template for automated security tests.<br />
<br />
== Mobile App Security Testing ==<br />
<br />
The [https://www.owasp.org/images/9/94/Mobile_App_Security_Verification_Checklist_0.8.2.xlsx checklist] works great as a reference during mobile app security assessments. You can walk through the requirements one-by-one - for more information on each requirement, simply click on the link in the "Testing procedures" column. Or, fill out the checklist at the end of an assessment to ensure completeness. <br />
<br />
== Security Engineering in the SDLC ==<br />
<br />
Properly defined security requirements are an important part of the Secure SDLC. The [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf MASVS] levels can be used along with threat modeling to determine the appropriate set of security controls for a particular mobile app. MASVS V1 also lists requirements pertaining to the architecture and design of the mobile apps, as well as general processes and activities that should be part of the development process.<br />
<br />
== Mobile App Security Education ==<br />
<br />
The [https://github.com/OWASP/owasp-mstg Mobile Security Testing Guide] can be used as a standalone learning resource. Its main chapters contain general how-tos and tutorials that cover a variety of topics from mobile OS internals to advanced reverse engineering techniques.<br />
<br />
=News=<br />
<br />
== June 17th, 2017: The OWASP Mobile Security Testing Guide - Summit Preview ==<br />
<br />
The MSTG Summit Preview is an experimental proof-of-concept book created on the OWASP Summit 2017 in London. The goal was to improve the authoring process and book deployment pipeline, as well as to demonstrate the viability of the project. Note that the content is not final and will likely change significantly in subsequent releases.<br />
<br />
Download the ebook [https://github.com/OWASP/owasp-mstg/releases/download/1.0/owasp-mstg-summit-edition.epub here].<br />
<br />
== Mobile Security Testing Workshop on the OWASP Summit 2017 ==<br />
<br />
The OWASP MSTG team is organizing a 5-days mobile security track on the OWASP Summit 2017. The track consists of a series of book sprints, each of which focuses on producing content for a specific section in the OWASP MSTG, as well as proof-reading and editing the existing content. The goal is to make as much progress on the guide as is humanly possible. Depending on the number of participants, we’ll split into sub-groups to work on different subsections or topic areas.<br />
<br />
=== How to Join ===<br />
<br />
Join up for the working session(s) you like by following the link(s) on the [http://owaspsummit.org/Working-Sessions/Mobile-Security/ mobile security track page], then hitting the "Edit this page here" link at the bottom, and adding yourself to the "participants" field. Signing up is not mandatory, but helps us to better organize the sessions. Don’t worry though if your session of choice happens on the "wrong" day - you can always simply stop by and we’ll brief you on your topic of choice. After all, this is the Woodstock of appsec!<br />
<br />
Mobile security track main page:<br />
<br />
http://owaspsummit.org/Working-Sessions/Mobile-Security/<br />
<br />
Mobile security track schedule:<br />
<br />
http://owaspsummit.org/schedule/tracks/Mobile-Security.html/<br />
<br />
== April 5th, 2017: Mobile App Security Verification Standard Update ==<br />
<br />
[https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf Version 0.9.3] of the MASVS is now [https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf available for download] . This release contains several bug fixes and modifications to security requirements:<br />
<br />
* Merged requirements 7.8 and 7.9 into for simplification<br />
* Removed Anti-RE controls 8.1 and 8.2<br />
* Updated MSTG links to current master<br />
* Section "Environmental Interaction" renamed to "Platform Interaction"<br />
* Removed To-dos<br />
* Fixed some wording & spelling issues<br />
<br />
== January 31st, 2017: Mobile App Security Verification Standard v0.9.2 Available For Download ==<br />
<br />
The Mobile App Security Verification Standard (MASVS) has undergone a major revision, including a re-design of the security model and verification levels. We also revised many security requirements to address the multitude of [https://github.com/OWASP/owasp-masvs/issues?q=is%3Aissue%20 issues raised on GitHub]. The result is MASVS v0.9.2, which is now [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf available for download in PDF format].<br />
<br />
As the MASVS is nearing maturity, we have decided to freeze the requirements until the Mobile Testing Guide and checklists "catch up" (due to the one-to-one mapping between requirements in the MASVS and MSTG, changes to the requirements make it necessary to update the other documents as well, causing repeated effort). Unless major issues pop up, the current list will therefore remain in place until MASVS/MSTG v1.0, and further changes will be reserved for v1.1 or later releases.<br />
<br />
The MASVS is a community effort to establish security requirements for designing, developing and testing secure mobile apps on iOS and Android. Join the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel] to meet the project members! You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
== January 28th, 2017: Mobile Crackmes and Reversing Tutorials ==<br />
{| cellpadding="5"<br />
|-<br />
| [[File:uncrackable-250.png|link=]]<br />
| <br />
A key goal of the OWASP Mobile Testing Project is to build the ultimate learning resource and reference guide for mobile app reversers. As hands-on hacking is by far the best way to learn, we'd like to link most of the content to practical examples. <br />
<br />
Starting now, we'll be adding [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes crackmes for Android and iOS] to the [https://github.com/OWASP/owasp-mstg GitHub repo] that will then be used as examples throughout the guide. The goal is to collect enough resources for demonstrating the most important tools and techniques in our guide, plus additional crackmes for practicing. For starters there are three challenges:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/OMTG-Files/02_Crackmes/01_Android/01_License_Validation Android License Validator]<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes/iOS/Level_01/ Uncrackable App for iOS Level 1]<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes/iOS/Level_02/ Uncrackable App for iOS Level 2]<br />
<br />
|}<br />
<br />
One of these three already has a [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md#symbolicexec documented solution] in the guide. Tutorials for solving the other two [https://github.com/OWASP/owasp-mstg/blob/master/OMTG-Files/02_Crackmes/List_of_Crackmes.md still need to be added].<br />
<br />
=== We Need More Authors and Contributors! ===<br />
<br />
Maybe you have noticed that [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html the reverse engineering sections in the Mobile Testing Guide are incomplete]. The reason: We're still in the starting stages and don't have a lot of authors and contributors (in fact, 99% of the reversing content was produced by one guy). We'd love to welcome *you* as a contributor of crackmes, tutorials, writeups, or simply new ideas for this project. <br />
<br />
==== What You Can Do ====<br />
<br />
The OWASP MSTG is an open project and there's a lot of flexibility - it mostly depends on your skill set and willingness to commit your time. That said, the some areas that need help are:<br />
<br />
* Solving crackmes and contributing a tutorial to the guide (preferable a technique that's not already documented. Check the [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html TOC] first).<br />
* Writing and adding new crackmes along with solutions (should also describe something not already in the guide. Cracking white-boxes, dynamic analysis using an emulator / introspection, etc. etc.).<br />
* General reversing write-ups to describe specific processes and techniques<br />
* Help us figure out [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x07b-Assessing_Software_Protections.md resiliency testing processes] and [https://github.com/b-mueller/obfuscation-metrics obfuscation metrics]<br />
<br />
The reversing part of the guide consists of the following chapters:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05-Testing-Processes-and-Techniques.md#tampering-and-reverse-engineering Tampering and Reverse Engineering - General Overview]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md#tampering-and-reverse-engineering-on-android Tampering and Reverse Engineering on Android]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Reverse-Engineering-and-Tampering-iOS.md#tampering-and-reverse-engineering-on-ios Tampering and Reverse Engineering on iOS]<br />
<br />
==== How To Join ====<br />
<br />
Read the [https://github.com/OWASP/owasp-mstg/blob/master/authors_guide.md author's guide] first, and join the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel], where you'll find all the other project members. You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
== January 22nd, 2017: Mobile Testing Guide TOC Available ==<br />
<br />
As of now, we'll be auto-generating a [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html table of contents] out of the current MSTG master branch. This reflects the current state of the guide, and should make it easier to coordinate work between authors. A short-term goal is to finalize the structure of the guide so we get a clearer picture of what will be included in the final document. Lead authors are encouraged to complete the outline of their respective chapters. <br />
<br />
'''On another note, we still need additional authors to help with all sections of the guide, including mobile operating system overviews, testing processes and techniques, and reverse engineering.''' Especially iOS authors are in short supply! As usual, ping us on the [https://owasp.slack.com/messages/project-mobile_omtg/details/ Slack Channel] if you want to contribute.<br />
<br />
== December 4th, 2016: Call For Authors: The Ultimate Open-Source Mobile App Reverse Engineering Guide ==<br />
<br />
Reverse engineering is an art, and describing every available facet of it would fill a whole library. The sheer range techniques and possible specializations is mind-blowing: One can spend years working on a very specific, isolated sub-problem, such as automating malware analysis or developing novel de-obfuscation methods. For mobile app security testers, it can be challenging to filter through the vast amount of information and build a working methodology. Things become even more problematic when one is tasked to assess apps that are heavily obfuscated and have anti-tampering measures built in.<br />
<br />
One of the main goals in the MSTG is to build the ultimate resource for mobile reverse engineers. This includes not only basic static and dynamic analysis, but also advanced de-obfuscation, scripting and automation. Obviously, writing all this content is a lot of work, both in terms of general content and OS-specific how-tos. We're therefore looking for talented authors that want to join the project early on. Topics include the following:<br />
<br />
* Basic Hybrid Static/Dynamic Analysis<br />
* Code Injection and Dynamic Instrumentation (Substrate, FRIDA)<br />
* Dynamic Binary Instrumentation (Valgrind, PIE)<br />
* Analysis Frameworks (Metasm / Miasm)<br />
* Symbolic Execution<br />
* DCA and DPA attacks on white-box crypto<br />
* Dynamic analysis frameworks (PANDA / DroidScope,...)<br />
* Anything else we might have missed<br />
<br />
=== What is in for me? ===<br />
<br />
All of this is unpaid, volunteer work. However, depending on your contribution, you will be named in the "lead authors" or "contributors" list, and you'll be able to point to the fact that you co-authored the guide. You'll also be contributing to the field, helping others who are just starting out, and in turn becoming a happier person yourself (reaping the full benefits of your altruism).<br />
<br />
=== Where do I sign up? ===<br />
<br />
First of all, have a look at the existing RE chapters outline:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05-Testing-Processes-and-Techniques.md#tampering-and-reverse-engineering Generic / Introduction]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md Android]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Reverse-Engineering-and-Tampering-iOS.md#tampering-and-reverse-engineering-on-ios iOS]<br />
<br />
You'll probably immediately have ideas on how you can contribute. If that's the case, read the [https://github.com/OWASP/owasp-mstg/blob/master/authors_guide.md author's guide] first. <br />
<br />
Then contact [https://github.com/b-mueller Bernhard Mueller] - ideally directly on the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel], where you'll find all the other project members. You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
=FAQs=<br />
<br />
==How can I participate in your project?==<br />
<br />
'''We are searching for additional authors, reviewers and editors.''' The best way to get started is to browse the [https://b-mueller.gitbooks.io/owasp-mobile-security-testing-guide/content/ existing content]. Also, check the [https://github.com/OWASP/owasp-mstg/projects/1 project dashboard] for a list of open tasks.<br />
<br />
Drop a us line on the [https://owasp.slack.com/messages/project-mobile_omtg/details/) Slack channel] before you start working on a topic. This helps us to keep track of what everyone is doing and prevent conflicts. You can create a Slack account here:<br />
<br />
http://owasp.herokuapp.com/<br />
<br />
Before you start contributing, please read our brief [https://github.com/OWASP/owasp-mstg/blob/master/style_guide.md style guide] which contains a few basic writing rules.<br />
<br />
If there's something you really want to see in the guide, or you want to suggest an improvement, create an issue [https://github.com/OWASP/owasp-mstg/issues issue] or ping us on [https://owasp.slack.com/messages/project-mobile_omtg/details/ Slack].<br />
<br />
==Where do you guys need help the most?==<br />
<br />
There's a lot of areas where you can help out:<br />
<br />
* Writing original content, such as describing testing processes and writing test cases. We're all doing this in our spare time, which unfortunately means that things sometimes slow down to a crawl. If you're knowledgeable in some area and have time available, we'd be incredibly thankful to anyone who contributes, even if it's only one or two test cases.<br />
<br />
* Reviewing content and giving feedback. The proper channel for questions and feedback is the GitHub issues system of the respective repo, contacting us on [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel] is another possibility.<br />
<br />
* Developing tools. For example, we still don't have an automated way of generating checklists out of the GitHub repo.<br />
<br />
* Contributing to auxiliary projects: The [https://github.com/b-mueller/obfuscation-metrics obfuscation metrics project] is an auxiliary project that deals with specific forms of control flow and data obfuscation. This project needs experts in advanced obfuscation / de-obfuscation. Please contact us if you have experience in this area.<br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator.<br />
<br />
==I contributed to the original Google Doc, but I'm not credited in the new version of the MSTG? ==<br />
As we migrated some of the existing content, we did our best to backtrack the original authors and credit them appropriately. We also added a [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x02-Frontispiece.md revision history] that lists all the authors from old Google Docs. If you are not on that list but feel you should be, please contact [https://github.com/b-mueller Bernhard] or [https://github.com/sushi2k Sven] and they'll fix it. Or better yet, re-join the author's team and start contributing to the new guide.<br />
<br />
= Acknowledgements =<br />
<br />
== Acknowledgments ==<br />
<br />
=== Authors ===<br />
<br />
====Bernhard Mueller ====<br />
<br />
Bernhard is a cyber security specialist with a talent in hacking all kinds of systems. During more than a decade in the industry, he has published many zero-day exploits for software such as MS SQL Server, Adobe Flash Player, IBM Director, Cisco VOIP and ModSecurity. If you can name it, he has probably broken it at least once. His pioneering work in mobile security was commended with a BlackHat "Best Research" Pwnie Award.<br />
<br />
==== Sven Schleier ====<br />
<br />
Sven is an experienced penetration tester and security architect who specialized in implementing secure SDLC for web application, iOS and Android apps. He is a project leader for the OWASP Mobile Security Testing Guide and the creator of OWASP Mobile Hacking Playground. Sven also supports the community with free hands-on workshops on web and mobile app security testing. He has published several security advisories and a white papers about a range of security topics.<br />
<br />
=== Co-Authors ===<br />
<br />
==== Romuald Szkudlarek ====<br />
<br />
Romuald is a passionate cyber security & privacy professional with over 15 years of experience in the Web, Mobile, IoT and Cloud domains. During his career, he has been dedicating spare time to a variery of projects with the goal of advancing the sectors of software and security. He is also teaching at various institutions. He holds CISSP, CSSLP and CEH credentials.<br />
<br />
==== Jeroen Willemsen ====<br />
<br />
Jeroen is a full-stack developer specialized in IT security at Xebia with a passion for mobile and risk management. He loves to explain things: starting as a teacher teaching PHP to bachelor students and then move along explaining security, risk management and programming issues to anyone willing to listen and learn.<br />
<br />
=== Top Contributors ===<br />
<br />
* Francesco Stillavato<br />
* Pawel Rzepa<br />
* Andreas Happe<br />
* Henry Hoggard<br />
* Wen Bin Kong<br />
* Abdessamad Temmar<br />
* Alexander Anthuk<br />
* Slawomir Kosowski<br />
* Bolot Kerimbaev<br />
<br />
=== Contributors ===<br />
<br />
Jin Kung Ong, Gerhard Wagner, Andreas Happe, Wen Bin Kong, Michael Helwig, Jeroen Willemsen, Denis Pilipchuk, Ryan Teoh, Dharshin De Silva, Anita Diamond, Daniel Ramirez Martin, Claudio André, Enrico Verzegnassi, Prathan Phongthiproek, Tom Welch, Luander Ribeiro, Oguzhan Topgul, Carlos Holguera, David Fern, Pishu Mahtani, Anuruddha<br />
<br />
=== Reviewers ===<br />
<br />
* Anant Shrivastava<br />
* Sjoerd Langkemper<br />
<br />
=== Others ===<br />
<br />
The full list of contributors, including those with less than 50 additions logged, is available on [https://github.com/OWASP/owasp-mstg/graphs/contributors GitHub].<br />
<br />
=== Old Version - MSTG "Beta" on Google Drive ===<br />
<br />
The Mobile Security Testing Guide was initiated by [https://www.owasp.org/index.php/User:Milan_Singh_Thakur Milan Singh Thakur] in 2015. The original document was hosted on Google Drive.<br />
<br />
'''Authors:'''<br />
<br />
Mirza Ali, Stephen Corbiaux, Ryan Dewhurst, Mohammad Hamed Dadpour, David Fern, Ali Yazdani, Bao Lee, Anto Joseph, Nutan Kumar Panda, Rahil Parikh, Julian Schütte, Abhinav Sejpal, Anant Shrivastava, Pragati Singh, Milan Singh Thakur, Stephanie Vanroelen, Gerhard Wagner<br />
<br />
'''Reviewers:'''<br />
<br />
Andrew Muller, Jonathan Carter, Stephanie Vanroelen, Milan Singh Thakur<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs></headertabs> <br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Builders]] <br />
[[Category:OWASP_Defenders]] <br />
[[Category:OWASP_Document]]</div>Bernhard Muellerhttps://wiki.owasp.org/index.php?title=File:Mstg-mini-3.jpg&diff=231218File:Mstg-mini-3.jpg2017-07-04T11:56:37Z<p>Bernhard Mueller: </p>
<hr />
<div></div>Bernhard Muellerhttps://wiki.owasp.org/index.php?title=OWASP_Mobile_Security_Testing_Guide&diff=231217OWASP Mobile Security Testing Guide2017-07-04T11:54:31Z<p>Bernhard Mueller: </p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_MSTG_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==Our Vision ==<br />
<br />
=== '''"Define the industry standard for mobile application security."''' ===<br />
<br />
We are writing a security standard for mobile apps and a comprehensive testing guide that covers the processes, techniques, and tools used during a mobile app security test, as well as an exhaustive set of test cases that enables testers to deliver consistent and complete results.<br />
<br />
== Early-Access Ebook ==<br />
<br />
{| cellpadding="5"<br />
|-<br />
| [[File:Early-access-mini.jpg|link=https://leanpub.com/mobile-security-testing-guide]]<br />
| '''Mobile Security Testing Guide - Early Access'''<br />
The early access edition contains sample chapters with content on mobile security testing and reverse engineering. Feel free to download it for $0 or contribute any amount you like. All funds raised through sales of this book go directly into the project budget and will be used to fund production of the final release.<br />
|}<br />
<br />
== Main Deliverables ==<br />
<br />
{| cellpadding="5"<br />
|-<br />
| [[File:mstg-mini-2.jpg|link=https://www.github.com/OWASP/owasp-mstg/]]<br />
| '''Mobile Security Testing Guide'''<br />
A comprehensive guide for iOS and Android mobile security testers with the following content:<br />
# Mobile platform internals<br />
# Security testing in the mobile app development lifecycle<br />
# Basic static and dynamic security testing<br />
# Mobile app reverse engineering and tampering<br />
# Assessing software protections<br />
# Detailed test cases that map to the requirements in the MASVS.<br />
The MSTG is a work-in-progress. Currently, we hope to be "feature-complete" in Q3 2017. You can contribute and comment in the [https://github.com/OWASP/owasp-mstg GitHub Repo]. A book version of the current master branch is available on [https://b-mueller.gitbooks.io/the-owasp-mobile-security-testing-guide/content/ Gitbook].<br />
|-<br />
| [[File:masvs-sample-mini.jpg|link=https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf]]<br />
| '''Mobile App Security Requirements and Verification'''<br />
The [https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf OWASP Mobile Application Security Verification Standard (MASVS)] is a standard for mobile app security. It can be used by mobile software architects and developers seeking to develop secure mobile applications, as well as security testers to ensure completeness and consistency of test results. The latest release is [https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf version 0.9.3].<br />
|-<br />
| [[File:checklist.jpg|link=https://www.owasp.org/images/1/1b/Mobile_App_Security_Checklist_0.9.3.xlsx]]<br />
| '''Mobile App Security Checklist'''<br />
A checklist for use in security assessments. Also contains links to the MSTG test case for each requirement. The current release is [https://www.owasp.org/images/1/1b/Mobile_App_Security_Checklist_0.9.3.xlsx version 0.9.3].<br />
|}<br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Breakers]] <br />
[[Category:OWASP_Document]]<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="center" width="50%" | [[File:Owasp-breakers-small.png|link=https://www.owasp.org/index.php/Breakers]]<br />
|<br />
|-<br />
| align="center" valign="center" width="50%" | <br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
== Project Leaders ==<br />
<br />
<span style="color:#ff0000"><br />
<br />
[https://www.owasp.org/index.php/User:Bernhard_Mueller Bernhard Mueller]<br />
<br />
[https://www.owasp.org/index.php/User:Sven_Schleier Sven Schleier]<br />
<br />
== Road Map ==<br />
<br />
* Q3 2017: Beta release<br />
* Q4 2017: Version 1.0<br />
* Q1 2018: Produce A Printable Book<br />
<br />
== Parent Project ==<br />
<br />
[[OWASP_Mobile_Security_Project]]<br />
<br />
==Licensing==<br />
<br />
The guide is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
|}<br />
<br />
=How-To=<br />
<br />
== Using the OWASP Mobile App Security Verification Standard, Testing Guide and Checklist ==<br />
<br />
The documents produced in this project cover many aspects of mobile application security, from the high-level requirements to the nitty-gritty implementation details and test cases. They can be used to plan and verify security controls during any phase of mobile app development, as well as during pre-release code review and penetration testing.<br />
<br />
# The [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf Mobile Application Security Verification Standard (MASVS)] contains generic security requirements along with mappings to verification levels that can be chosen depending on the overall need for security.<br />
# The [https://github.com/OWASP/owasp-mstg Mobile Security Testing Guide (MSTG)] provides verification instructions for each requirement in the MASVS, as well as security best practices for apps on each supported mobile operating system (currently Android and iOS). It is also useful as a standalone learning resource and reference guide for mobile application security testers.<br />
# The [https://www.owasp.org/images/6/6f/Mobile_App_Security_Checklist_0.9.2.xlsx Mobile App Security Checklist] can be used to apply the MASVS requirements during practical assessments. It also conveniently links to the MSTG test case for each requirement, making mobile penetration testing a breeze.<br />
<br />
It is important to note that the security standard, testing guide and checklists are closely related: They all map to the same basic set of requirements. Depending on the context, the documents can be used stand-alone or in combination to achieve different objectives.<br />
<br />
[[File:Overview-800px.jpg]]<br />
<br />
For example, the MASVS requirements may be used in the planning and architecture design stages, while the checklist and testing guide may serve as a baseline for manual security testing or as a template for automated security tests.<br />
<br />
== Mobile App Security Testing ==<br />
<br />
The [https://www.owasp.org/images/9/94/Mobile_App_Security_Verification_Checklist_0.8.2.xlsx checklist] works great as a reference during mobile app security assessments. You can walk through the requirements one-by-one - for more information on each requirement, simply click on the link in the "Testing procedures" column. Or, fill out the checklist at the end of an assessment to ensure completeness. <br />
<br />
== Security Engineering in the SDLC ==<br />
<br />
Properly defined security requirements are an important part of the Secure SDLC. The [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf MASVS] levels can be used along with threat modeling to determine the appropriate set of security controls for a particular mobile app. MASVS V1 also lists requirements pertaining to the architecture and design of the mobile apps, as well as general processes and activities that should be part of the development process.<br />
<br />
== Mobile App Security Education ==<br />
<br />
The [https://github.com/OWASP/owasp-mstg Mobile Security Testing Guide] can be used as a standalone learning resource. Its main chapters contain general how-tos and tutorials that cover a variety of topics from mobile OS internals to advanced reverse engineering techniques.<br />
<br />
=News=<br />
<br />
== June 17th, 2017: The OWASP Mobile Security Testing Guide - Summit Preview ==<br />
<br />
The MSTG Summit Preview is an experimental proof-of-concept book created on the OWASP Summit 2017 in London. The goal was to improve the authoring process and book deployment pipeline, as well as to demonstrate the viability of the project. Note that the content is not final and will likely change significantly in subsequent releases.<br />
<br />
Download the ebook [https://github.com/OWASP/owasp-mstg/releases/download/1.0/owasp-mstg-summit-edition.epub here].<br />
<br />
== Mobile Security Testing Workshop on the OWASP Summit 2017 ==<br />
<br />
The OWASP MSTG team is organizing a 5-days mobile security track on the OWASP Summit 2017. The track consists of a series of book sprints, each of which focuses on producing content for a specific section in the OWASP MSTG, as well as proof-reading and editing the existing content. The goal is to make as much progress on the guide as is humanly possible. Depending on the number of participants, we’ll split into sub-groups to work on different subsections or topic areas.<br />
<br />
=== How to Join ===<br />
<br />
Join up for the working session(s) you like by following the link(s) on the [http://owaspsummit.org/Working-Sessions/Mobile-Security/ mobile security track page], then hitting the "Edit this page here" link at the bottom, and adding yourself to the "participants" field. Signing up is not mandatory, but helps us to better organize the sessions. Don’t worry though if your session of choice happens on the "wrong" day - you can always simply stop by and we’ll brief you on your topic of choice. After all, this is the Woodstock of appsec!<br />
<br />
Mobile security track main page:<br />
<br />
http://owaspsummit.org/Working-Sessions/Mobile-Security/<br />
<br />
Mobile security track schedule:<br />
<br />
http://owaspsummit.org/schedule/tracks/Mobile-Security.html/<br />
<br />
== April 5th, 2017: Mobile App Security Verification Standard Update ==<br />
<br />
[https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf Version 0.9.3] of the MASVS is now [https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf available for download] . This release contains several bug fixes and modifications to security requirements:<br />
<br />
* Merged requirements 7.8 and 7.9 into for simplification<br />
* Removed Anti-RE controls 8.1 and 8.2<br />
* Updated MSTG links to current master<br />
* Section "Environmental Interaction" renamed to "Platform Interaction"<br />
* Removed To-dos<br />
* Fixed some wording & spelling issues<br />
<br />
== January 31st, 2017: Mobile App Security Verification Standard v0.9.2 Available For Download ==<br />
<br />
The Mobile App Security Verification Standard (MASVS) has undergone a major revision, including a re-design of the security model and verification levels. We also revised many security requirements to address the multitude of [https://github.com/OWASP/owasp-masvs/issues?q=is%3Aissue%20 issues raised on GitHub]. The result is MASVS v0.9.2, which is now [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf available for download in PDF format].<br />
<br />
As the MASVS is nearing maturity, we have decided to freeze the requirements until the Mobile Testing Guide and checklists "catch up" (due to the one-to-one mapping between requirements in the MASVS and MSTG, changes to the requirements make it necessary to update the other documents as well, causing repeated effort). Unless major issues pop up, the current list will therefore remain in place until MASVS/MSTG v1.0, and further changes will be reserved for v1.1 or later releases.<br />
<br />
The MASVS is a community effort to establish security requirements for designing, developing and testing secure mobile apps on iOS and Android. Join the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel] to meet the project members! You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
== January 28th, 2017: Mobile Crackmes and Reversing Tutorials ==<br />
{| cellpadding="5"<br />
|-<br />
| [[File:uncrackable-250.png|link=]]<br />
| <br />
A key goal of the OWASP Mobile Testing Project is to build the ultimate learning resource and reference guide for mobile app reversers. As hands-on hacking is by far the best way to learn, we'd like to link most of the content to practical examples. <br />
<br />
Starting now, we'll be adding [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes crackmes for Android and iOS] to the [https://github.com/OWASP/owasp-mstg GitHub repo] that will then be used as examples throughout the guide. The goal is to collect enough resources for demonstrating the most important tools and techniques in our guide, plus additional crackmes for practicing. For starters there are three challenges:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/OMTG-Files/02_Crackmes/01_Android/01_License_Validation Android License Validator]<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes/iOS/Level_01/ Uncrackable App for iOS Level 1]<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes/iOS/Level_02/ Uncrackable App for iOS Level 2]<br />
<br />
|}<br />
<br />
One of these three already has a [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md#symbolicexec documented solution] in the guide. Tutorials for solving the other two [https://github.com/OWASP/owasp-mstg/blob/master/OMTG-Files/02_Crackmes/List_of_Crackmes.md still need to be added].<br />
<br />
=== We Need More Authors and Contributors! ===<br />
<br />
Maybe you have noticed that [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html the reverse engineering sections in the Mobile Testing Guide are incomplete]. The reason: We're still in the starting stages and don't have a lot of authors and contributors (in fact, 99% of the reversing content was produced by one guy). We'd love to welcome *you* as a contributor of crackmes, tutorials, writeups, or simply new ideas for this project. <br />
<br />
==== What You Can Do ====<br />
<br />
The OWASP MSTG is an open project and there's a lot of flexibility - it mostly depends on your skill set and willingness to commit your time. That said, the some areas that need help are:<br />
<br />
* Solving crackmes and contributing a tutorial to the guide (preferable a technique that's not already documented. Check the [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html TOC] first).<br />
* Writing and adding new crackmes along with solutions (should also describe something not already in the guide. Cracking white-boxes, dynamic analysis using an emulator / introspection, etc. etc.).<br />
* General reversing write-ups to describe specific processes and techniques<br />
* Help us figure out [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x07b-Assessing_Software_Protections.md resiliency testing processes] and [https://github.com/b-mueller/obfuscation-metrics obfuscation metrics]<br />
<br />
The reversing part of the guide consists of the following chapters:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05-Testing-Processes-and-Techniques.md#tampering-and-reverse-engineering Tampering and Reverse Engineering - General Overview]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md#tampering-and-reverse-engineering-on-android Tampering and Reverse Engineering on Android]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Reverse-Engineering-and-Tampering-iOS.md#tampering-and-reverse-engineering-on-ios Tampering and Reverse Engineering on iOS]<br />
<br />
==== How To Join ====<br />
<br />
Read the [https://github.com/OWASP/owasp-mstg/blob/master/authors_guide.md author's guide] first, and join the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel], where you'll find all the other project members. You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
== January 22nd, 2017: Mobile Testing Guide TOC Available ==<br />
<br />
As of now, we'll be auto-generating a [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html table of contents] out of the current MSTG master branch. This reflects the current state of the guide, and should make it easier to coordinate work between authors. A short-term goal is to finalize the structure of the guide so we get a clearer picture of what will be included in the final document. Lead authors are encouraged to complete the outline of their respective chapters. <br />
<br />
'''On another note, we still need additional authors to help with all sections of the guide, including mobile operating system overviews, testing processes and techniques, and reverse engineering.''' Especially iOS authors are in short supply! As usual, ping us on the [https://owasp.slack.com/messages/project-mobile_omtg/details/ Slack Channel] if you want to contribute.<br />
<br />
== December 4th, 2016: Call For Authors: The Ultimate Open-Source Mobile App Reverse Engineering Guide ==<br />
<br />
Reverse engineering is an art, and describing every available facet of it would fill a whole library. The sheer range techniques and possible specializations is mind-blowing: One can spend years working on a very specific, isolated sub-problem, such as automating malware analysis or developing novel de-obfuscation methods. For mobile app security testers, it can be challenging to filter through the vast amount of information and build a working methodology. Things become even more problematic when one is tasked to assess apps that are heavily obfuscated and have anti-tampering measures built in.<br />
<br />
One of the main goals in the MSTG is to build the ultimate resource for mobile reverse engineers. This includes not only basic static and dynamic analysis, but also advanced de-obfuscation, scripting and automation. Obviously, writing all this content is a lot of work, both in terms of general content and OS-specific how-tos. We're therefore looking for talented authors that want to join the project early on. Topics include the following:<br />
<br />
* Basic Hybrid Static/Dynamic Analysis<br />
* Code Injection and Dynamic Instrumentation (Substrate, FRIDA)<br />
* Dynamic Binary Instrumentation (Valgrind, PIE)<br />
* Analysis Frameworks (Metasm / Miasm)<br />
* Symbolic Execution<br />
* DCA and DPA attacks on white-box crypto<br />
* Dynamic analysis frameworks (PANDA / DroidScope,...)<br />
* Anything else we might have missed<br />
<br />
=== What is in for me? ===<br />
<br />
All of this is unpaid, volunteer work. However, depending on your contribution, you will be named in the "lead authors" or "contributors" list, and you'll be able to point to the fact that you co-authored the guide. You'll also be contributing to the field, helping others who are just starting out, and in turn becoming a happier person yourself (reaping the full benefits of your altruism).<br />
<br />
=== Where do I sign up? ===<br />
<br />
First of all, have a look at the existing RE chapters outline:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05-Testing-Processes-and-Techniques.md#tampering-and-reverse-engineering Generic / Introduction]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md Android]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Reverse-Engineering-and-Tampering-iOS.md#tampering-and-reverse-engineering-on-ios iOS]<br />
<br />
You'll probably immediately have ideas on how you can contribute. If that's the case, read the [https://github.com/OWASP/owasp-mstg/blob/master/authors_guide.md author's guide] first. <br />
<br />
Then contact [https://github.com/b-mueller Bernhard Mueller] - ideally directly on the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel], where you'll find all the other project members. You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
=FAQs=<br />
<br />
==How can I participate in your project?==<br />
<br />
'''We are searching for additional authors, reviewers and editors.''' The best way to get started is to browse the [https://b-mueller.gitbooks.io/owasp-mobile-security-testing-guide/content/ existing content]. Also, check the [https://github.com/OWASP/owasp-mstg/projects/1 project dashboard] for a list of open tasks.<br />
<br />
Drop a us line on the [https://owasp.slack.com/messages/project-mobile_omtg/details/) Slack channel] before you start working on a topic. This helps us to keep track of what everyone is doing and prevent conflicts. You can create a Slack account here:<br />
<br />
http://owasp.herokuapp.com/<br />
<br />
Before you start contributing, please read our brief [https://github.com/OWASP/owasp-mstg/blob/master/style_guide.md style guide] which contains a few basic writing rules.<br />
<br />
If there's something you really want to see in the guide, or you want to suggest an improvement, create an issue [https://github.com/OWASP/owasp-mstg/issues issue] or ping us on [https://owasp.slack.com/messages/project-mobile_omtg/details/ Slack].<br />
<br />
==Where do you guys need help the most?==<br />
<br />
There's a lot of areas where you can help out:<br />
<br />
* Writing original content, such as describing testing processes and writing test cases. We're all doing this in our spare time, which unfortunately means that things sometimes slow down to a crawl. If you're knowledgeable in some area and have time available, we'd be incredibly thankful to anyone who contributes, even if it's only one or two test cases.<br />
<br />
* Reviewing content and giving feedback. The proper channel for questions and feedback is the GitHub issues system of the respective repo, contacting us on [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel] is another possibility.<br />
<br />
* Developing tools. For example, we still don't have an automated way of generating checklists out of the GitHub repo.<br />
<br />
* Contributing to auxiliary projects: The [https://github.com/b-mueller/obfuscation-metrics obfuscation metrics project] is an auxiliary project that deals with specific forms of control flow and data obfuscation. This project needs experts in advanced obfuscation / de-obfuscation. Please contact us if you have experience in this area.<br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator.<br />
<br />
==I contributed to the original Google Doc, but I'm not credited in the new version of the MSTG? ==<br />
As we migrated some of the existing content, we did our best to backtrack the original authors and credit them appropriately. We also added a [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x02-Frontispiece.md revision history] that lists all the authors from old Google Docs. If you are not on that list but feel you should be, please contact [https://github.com/b-mueller Bernhard] or [https://github.com/sushi2k Sven] and they'll fix it. Or better yet, re-join the author's team and start contributing to the new guide.<br />
<br />
= Acknowledgements =<br />
<br />
== Acknowledgments ==<br />
<br />
=== Authors ===<br />
<br />
====Bernhard Mueller ====<br />
<br />
Bernhard is a cyber security specialist with a talent in hacking all kinds of systems. During more than a decade in the industry, he has published many zero-day exploits for software such as MS SQL Server, Adobe Flash Player, IBM Director, Cisco VOIP and ModSecurity. If you can name it, he has probably broken it at least once. His pioneering work in mobile security was commended with a BlackHat "Best Research" Pwnie Award.<br />
<br />
==== Sven Schleier ====<br />
<br />
Sven is an experienced penetration tester and security architect who specialized in implementing secure SDLC for web application, iOS and Android apps. He is a project leader for the OWASP Mobile Security Testing Guide and the creator of OWASP Mobile Hacking Playground. Sven also supports the community with free hands-on workshops on web and mobile app security testing. He has published several security advisories and a white papers about a range of security topics.<br />
<br />
=== Co-Authors ===<br />
<br />
==== Romuald Szkudlarek ====<br />
<br />
Romuald is a passionate cyber security & privacy professional with over 15 years of experience in the Web, Mobile, IoT and Cloud domains. During his career, he has been dedicating spare time to a variery of projects with the goal of advancing the sectors of software and security. He is also teaching at various institutions. He holds CISSP, CSSLP and CEH credentials.<br />
<br />
==== Jeroen Willemsen ====<br />
<br />
Jeroen is a full-stack developer specialized in IT security at Xebia with a passion for mobile and risk management. He loves to explain things: starting as a teacher teaching PHP to bachelor students and then move along explaining security, risk management and programming issues to anyone willing to listen and learn.<br />
<br />
=== Top Contributors ===<br />
<br />
* Francesco Stillavato<br />
* Pawel Rzepa<br />
* Andreas Happe<br />
* Henry Hoggard<br />
* Wen Bin Kong<br />
* Abdessamad Temmar<br />
* Alexander Anthuk<br />
* Slawomir Kosowski<br />
* Bolot Kerimbaev<br />
<br />
=== Contributors ===<br />
<br />
Jin Kung Ong, Gerhard Wagner, Andreas Happe, Wen Bin Kong, Michael Helwig, Jeroen Willemsen, Denis Pilipchuk, Ryan Teoh, Dharshin De Silva, Anita Diamond, Daniel Ramirez Martin, Claudio André, Enrico Verzegnassi, Prathan Phongthiproek, Tom Welch, Luander Ribeiro, Oguzhan Topgul, Carlos Holguera, David Fern, Pishu Mahtani, Anuruddha<br />
<br />
=== Reviewers ===<br />
<br />
* Anant Shrivastava<br />
* Sjoerd Langkemper<br />
<br />
=== Others ===<br />
<br />
The full list of contributors, including those with less than 50 additions logged, is available on [https://github.com/OWASP/owasp-mstg/graphs/contributors GitHub].<br />
<br />
=== Old Version - MSTG "Beta" on Google Drive ===<br />
<br />
The Mobile Security Testing Guide was initiated by [https://www.owasp.org/index.php/User:Milan_Singh_Thakur Milan Singh Thakur] in 2015. The original document was hosted on Google Drive.<br />
<br />
'''Authors:'''<br />
<br />
Mirza Ali, Stephen Corbiaux, Ryan Dewhurst, Mohammad Hamed Dadpour, David Fern, Ali Yazdani, Bao Lee, Anto Joseph, Nutan Kumar Panda, Rahil Parikh, Julian Schütte, Abhinav Sejpal, Anant Shrivastava, Pragati Singh, Milan Singh Thakur, Stephanie Vanroelen, Gerhard Wagner<br />
<br />
'''Reviewers:'''<br />
<br />
Andrew Muller, Jonathan Carter, Stephanie Vanroelen, Milan Singh Thakur<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs></headertabs> <br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Builders]] <br />
[[Category:OWASP_Defenders]] <br />
[[Category:OWASP_Document]]</div>Bernhard Muellerhttps://wiki.owasp.org/index.php?title=File:Early-access-mini.jpg&diff=231216File:Early-access-mini.jpg2017-07-04T11:53:36Z<p>Bernhard Mueller: </p>
<hr />
<div></div>Bernhard Muellerhttps://wiki.owasp.org/index.php?title=OWASP_Mobile_Security_Testing_Guide&diff=231215OWASP Mobile Security Testing Guide2017-07-04T11:50:38Z<p>Bernhard Mueller: /* "Define the industry standard for mobile application security." */</p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_MSTG_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==Our Vision ==<br />
<br />
=== '''"Define the industry standard for mobile application security."''' ===<br />
<br />
We are writing a security standard for mobile apps and a comprehensive testing guide that covers the processes, techniques, and tools used during a mobile app security test, as well as an exhaustive set of test cases that enables testers to deliver consistent and complete results.<br />
<br />
== Early-Access Ebook ==<br />
<br />
{| cellpadding="5"<br />
|-<br />
| [[File:Bites.jpg|link=https://leanpub.com/mobile-security-testing-guide-preview]]<br />
| '''Mobile Security Testing Guide - Early Access'''<br />
The Summit Preview contains sample chapters with content on mobile security testing and reverse engineering. Feel free to download it for $0 or contribute any amount you like. All funds raised through sales of this book go directly into the project budget and will be used to fund production of the final release.<br />
|}<br />
<br />
== Main Deliverables ==<br />
<br />
{| cellpadding="5"<br />
|-<br />
| [[File:mstg-mini-2.jpg|link=https://www.github.com/OWASP/owasp-mstg/]]<br />
| '''Mobile Security Testing Guide'''<br />
A comprehensive guide for iOS and Android mobile security testers with the following content:<br />
# Mobile platform internals<br />
# Security testing in the mobile app development lifecycle<br />
# Basic static and dynamic security testing<br />
# Mobile app reverse engineering and tampering<br />
# Assessing software protections<br />
# Detailed test cases that map to the requirements in the MASVS.<br />
The MSTG is a work-in-progress. Currently, we hope to be "feature-complete" in Q3 2017. You can contribute and comment in the [https://github.com/OWASP/owasp-mstg GitHub Repo]. A book version of the current master branch is available on [https://b-mueller.gitbooks.io/the-owasp-mobile-security-testing-guide/content/ Gitbook].<br />
|-<br />
| [[File:masvs-sample-mini.jpg|link=https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf]]<br />
| '''Mobile App Security Requirements and Verification'''<br />
The [https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf OWASP Mobile Application Security Verification Standard (MASVS)] is a standard for mobile app security. It can be used by mobile software architects and developers seeking to develop secure mobile applications, as well as security testers to ensure completeness and consistency of test results. The latest release is [https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf version 0.9.3].<br />
|-<br />
| [[File:checklist.jpg|link=https://www.owasp.org/images/1/1b/Mobile_App_Security_Checklist_0.9.3.xlsx]]<br />
| '''Mobile App Security Checklist'''<br />
A checklist for use in security assessments. Also contains links to the MSTG test case for each requirement. The current release is [https://www.owasp.org/images/1/1b/Mobile_App_Security_Checklist_0.9.3.xlsx version 0.9.3].<br />
|}<br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Breakers]] <br />
[[Category:OWASP_Document]]<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="center" width="50%" | [[File:Owasp-breakers-small.png|link=https://www.owasp.org/index.php/Breakers]]<br />
|<br />
|-<br />
| align="center" valign="center" width="50%" | <br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
== Project Leaders ==<br />
<br />
<span style="color:#ff0000"><br />
<br />
[https://www.owasp.org/index.php/User:Bernhard_Mueller Bernhard Mueller]<br />
<br />
[https://www.owasp.org/index.php/User:Sven_Schleier Sven Schleier]<br />
<br />
== Road Map ==<br />
<br />
* Q3 2017: Beta release<br />
* Q4 2017: Version 1.0<br />
* Q1 2018: Produce A Printable Book<br />
<br />
== Parent Project ==<br />
<br />
[[OWASP_Mobile_Security_Project]]<br />
<br />
==Licensing==<br />
<br />
The guide is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
|}<br />
<br />
=How-To=<br />
<br />
== Using the OWASP Mobile App Security Verification Standard, Testing Guide and Checklist ==<br />
<br />
The documents produced in this project cover many aspects of mobile application security, from the high-level requirements to the nitty-gritty implementation details and test cases. They can be used to plan and verify security controls during any phase of mobile app development, as well as during pre-release code review and penetration testing.<br />
<br />
# The [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf Mobile Application Security Verification Standard (MASVS)] contains generic security requirements along with mappings to verification levels that can be chosen depending on the overall need for security.<br />
# The [https://github.com/OWASP/owasp-mstg Mobile Security Testing Guide (MSTG)] provides verification instructions for each requirement in the MASVS, as well as security best practices for apps on each supported mobile operating system (currently Android and iOS). It is also useful as a standalone learning resource and reference guide for mobile application security testers.<br />
# The [https://www.owasp.org/images/6/6f/Mobile_App_Security_Checklist_0.9.2.xlsx Mobile App Security Checklist] can be used to apply the MASVS requirements during practical assessments. It also conveniently links to the MSTG test case for each requirement, making mobile penetration testing a breeze.<br />
<br />
It is important to note that the security standard, testing guide and checklists are closely related: They all map to the same basic set of requirements. Depending on the context, the documents can be used stand-alone or in combination to achieve different objectives.<br />
<br />
[[File:Overview-800px.jpg]]<br />
<br />
For example, the MASVS requirements may be used in the planning and architecture design stages, while the checklist and testing guide may serve as a baseline for manual security testing or as a template for automated security tests.<br />
<br />
== Mobile App Security Testing ==<br />
<br />
The [https://www.owasp.org/images/9/94/Mobile_App_Security_Verification_Checklist_0.8.2.xlsx checklist] works great as a reference during mobile app security assessments. You can walk through the requirements one-by-one - for more information on each requirement, simply click on the link in the "Testing procedures" column. Or, fill out the checklist at the end of an assessment to ensure completeness. <br />
<br />
== Security Engineering in the SDLC ==<br />
<br />
Properly defined security requirements are an important part of the Secure SDLC. The [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf MASVS] levels can be used along with threat modeling to determine the appropriate set of security controls for a particular mobile app. MASVS V1 also lists requirements pertaining to the architecture and design of the mobile apps, as well as general processes and activities that should be part of the development process.<br />
<br />
== Mobile App Security Education ==<br />
<br />
The [https://github.com/OWASP/owasp-mstg Mobile Security Testing Guide] can be used as a standalone learning resource. Its main chapters contain general how-tos and tutorials that cover a variety of topics from mobile OS internals to advanced reverse engineering techniques.<br />
<br />
=News=<br />
<br />
== June 17th, 2017: The OWASP Mobile Security Testing Guide - Summit Preview ==<br />
<br />
The MSTG Summit Preview is an experimental proof-of-concept book created on the OWASP Summit 2017 in London. The goal was to improve the authoring process and book deployment pipeline, as well as to demonstrate the viability of the project. Note that the content is not final and will likely change significantly in subsequent releases.<br />
<br />
Download the ebook [https://github.com/OWASP/owasp-mstg/releases/download/1.0/owasp-mstg-summit-edition.epub here].<br />
<br />
== Mobile Security Testing Workshop on the OWASP Summit 2017 ==<br />
<br />
The OWASP MSTG team is organizing a 5-days mobile security track on the OWASP Summit 2017. The track consists of a series of book sprints, each of which focuses on producing content for a specific section in the OWASP MSTG, as well as proof-reading and editing the existing content. The goal is to make as much progress on the guide as is humanly possible. Depending on the number of participants, we’ll split into sub-groups to work on different subsections or topic areas.<br />
<br />
=== How to Join ===<br />
<br />
Join up for the working session(s) you like by following the link(s) on the [http://owaspsummit.org/Working-Sessions/Mobile-Security/ mobile security track page], then hitting the "Edit this page here" link at the bottom, and adding yourself to the "participants" field. Signing up is not mandatory, but helps us to better organize the sessions. Don’t worry though if your session of choice happens on the "wrong" day - you can always simply stop by and we’ll brief you on your topic of choice. After all, this is the Woodstock of appsec!<br />
<br />
Mobile security track main page:<br />
<br />
http://owaspsummit.org/Working-Sessions/Mobile-Security/<br />
<br />
Mobile security track schedule:<br />
<br />
http://owaspsummit.org/schedule/tracks/Mobile-Security.html/<br />
<br />
== April 5th, 2017: Mobile App Security Verification Standard Update ==<br />
<br />
[https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf Version 0.9.3] of the MASVS is now [https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf available for download] . This release contains several bug fixes and modifications to security requirements:<br />
<br />
* Merged requirements 7.8 and 7.9 into for simplification<br />
* Removed Anti-RE controls 8.1 and 8.2<br />
* Updated MSTG links to current master<br />
* Section "Environmental Interaction" renamed to "Platform Interaction"<br />
* Removed To-dos<br />
* Fixed some wording & spelling issues<br />
<br />
== January 31st, 2017: Mobile App Security Verification Standard v0.9.2 Available For Download ==<br />
<br />
The Mobile App Security Verification Standard (MASVS) has undergone a major revision, including a re-design of the security model and verification levels. We also revised many security requirements to address the multitude of [https://github.com/OWASP/owasp-masvs/issues?q=is%3Aissue%20 issues raised on GitHub]. The result is MASVS v0.9.2, which is now [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf available for download in PDF format].<br />
<br />
As the MASVS is nearing maturity, we have decided to freeze the requirements until the Mobile Testing Guide and checklists "catch up" (due to the one-to-one mapping between requirements in the MASVS and MSTG, changes to the requirements make it necessary to update the other documents as well, causing repeated effort). Unless major issues pop up, the current list will therefore remain in place until MASVS/MSTG v1.0, and further changes will be reserved for v1.1 or later releases.<br />
<br />
The MASVS is a community effort to establish security requirements for designing, developing and testing secure mobile apps on iOS and Android. Join the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel] to meet the project members! You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
== January 28th, 2017: Mobile Crackmes and Reversing Tutorials ==<br />
{| cellpadding="5"<br />
|-<br />
| [[File:uncrackable-250.png|link=]]<br />
| <br />
A key goal of the OWASP Mobile Testing Project is to build the ultimate learning resource and reference guide for mobile app reversers. As hands-on hacking is by far the best way to learn, we'd like to link most of the content to practical examples. <br />
<br />
Starting now, we'll be adding [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes crackmes for Android and iOS] to the [https://github.com/OWASP/owasp-mstg GitHub repo] that will then be used as examples throughout the guide. The goal is to collect enough resources for demonstrating the most important tools and techniques in our guide, plus additional crackmes for practicing. For starters there are three challenges:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/OMTG-Files/02_Crackmes/01_Android/01_License_Validation Android License Validator]<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes/iOS/Level_01/ Uncrackable App for iOS Level 1]<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes/iOS/Level_02/ Uncrackable App for iOS Level 2]<br />
<br />
|}<br />
<br />
One of these three already has a [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md#symbolicexec documented solution] in the guide. Tutorials for solving the other two [https://github.com/OWASP/owasp-mstg/blob/master/OMTG-Files/02_Crackmes/List_of_Crackmes.md still need to be added].<br />
<br />
=== We Need More Authors and Contributors! ===<br />
<br />
Maybe you have noticed that [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html the reverse engineering sections in the Mobile Testing Guide are incomplete]. The reason: We're still in the starting stages and don't have a lot of authors and contributors (in fact, 99% of the reversing content was produced by one guy). We'd love to welcome *you* as a contributor of crackmes, tutorials, writeups, or simply new ideas for this project. <br />
<br />
==== What You Can Do ====<br />
<br />
The OWASP MSTG is an open project and there's a lot of flexibility - it mostly depends on your skill set and willingness to commit your time. That said, the some areas that need help are:<br />
<br />
* Solving crackmes and contributing a tutorial to the guide (preferable a technique that's not already documented. Check the [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html TOC] first).<br />
* Writing and adding new crackmes along with solutions (should also describe something not already in the guide. Cracking white-boxes, dynamic analysis using an emulator / introspection, etc. etc.).<br />
* General reversing write-ups to describe specific processes and techniques<br />
* Help us figure out [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x07b-Assessing_Software_Protections.md resiliency testing processes] and [https://github.com/b-mueller/obfuscation-metrics obfuscation metrics]<br />
<br />
The reversing part of the guide consists of the following chapters:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05-Testing-Processes-and-Techniques.md#tampering-and-reverse-engineering Tampering and Reverse Engineering - General Overview]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md#tampering-and-reverse-engineering-on-android Tampering and Reverse Engineering on Android]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Reverse-Engineering-and-Tampering-iOS.md#tampering-and-reverse-engineering-on-ios Tampering and Reverse Engineering on iOS]<br />
<br />
==== How To Join ====<br />
<br />
Read the [https://github.com/OWASP/owasp-mstg/blob/master/authors_guide.md author's guide] first, and join the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel], where you'll find all the other project members. You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
== January 22nd, 2017: Mobile Testing Guide TOC Available ==<br />
<br />
As of now, we'll be auto-generating a [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html table of contents] out of the current MSTG master branch. This reflects the current state of the guide, and should make it easier to coordinate work between authors. A short-term goal is to finalize the structure of the guide so we get a clearer picture of what will be included in the final document. Lead authors are encouraged to complete the outline of their respective chapters. <br />
<br />
'''On another note, we still need additional authors to help with all sections of the guide, including mobile operating system overviews, testing processes and techniques, and reverse engineering.''' Especially iOS authors are in short supply! As usual, ping us on the [https://owasp.slack.com/messages/project-mobile_omtg/details/ Slack Channel] if you want to contribute.<br />
<br />
== December 4th, 2016: Call For Authors: The Ultimate Open-Source Mobile App Reverse Engineering Guide ==<br />
<br />
Reverse engineering is an art, and describing every available facet of it would fill a whole library. The sheer range techniques and possible specializations is mind-blowing: One can spend years working on a very specific, isolated sub-problem, such as automating malware analysis or developing novel de-obfuscation methods. For mobile app security testers, it can be challenging to filter through the vast amount of information and build a working methodology. Things become even more problematic when one is tasked to assess apps that are heavily obfuscated and have anti-tampering measures built in.<br />
<br />
One of the main goals in the MSTG is to build the ultimate resource for mobile reverse engineers. This includes not only basic static and dynamic analysis, but also advanced de-obfuscation, scripting and automation. Obviously, writing all this content is a lot of work, both in terms of general content and OS-specific how-tos. We're therefore looking for talented authors that want to join the project early on. Topics include the following:<br />
<br />
* Basic Hybrid Static/Dynamic Analysis<br />
* Code Injection and Dynamic Instrumentation (Substrate, FRIDA)<br />
* Dynamic Binary Instrumentation (Valgrind, PIE)<br />
* Analysis Frameworks (Metasm / Miasm)<br />
* Symbolic Execution<br />
* DCA and DPA attacks on white-box crypto<br />
* Dynamic analysis frameworks (PANDA / DroidScope,...)<br />
* Anything else we might have missed<br />
<br />
=== What is in for me? ===<br />
<br />
All of this is unpaid, volunteer work. However, depending on your contribution, you will be named in the "lead authors" or "contributors" list, and you'll be able to point to the fact that you co-authored the guide. You'll also be contributing to the field, helping others who are just starting out, and in turn becoming a happier person yourself (reaping the full benefits of your altruism).<br />
<br />
=== Where do I sign up? ===<br />
<br />
First of all, have a look at the existing RE chapters outline:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05-Testing-Processes-and-Techniques.md#tampering-and-reverse-engineering Generic / Introduction]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md Android]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Reverse-Engineering-and-Tampering-iOS.md#tampering-and-reverse-engineering-on-ios iOS]<br />
<br />
You'll probably immediately have ideas on how you can contribute. If that's the case, read the [https://github.com/OWASP/owasp-mstg/blob/master/authors_guide.md author's guide] first. <br />
<br />
Then contact [https://github.com/b-mueller Bernhard Mueller] - ideally directly on the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel], where you'll find all the other project members. You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
=FAQs=<br />
<br />
==How can I participate in your project?==<br />
<br />
'''We are searching for additional authors, reviewers and editors.''' The best way to get started is to browse the [https://b-mueller.gitbooks.io/owasp-mobile-security-testing-guide/content/ existing content]. Also, check the [https://github.com/OWASP/owasp-mstg/projects/1 project dashboard] for a list of open tasks.<br />
<br />
Drop a us line on the [https://owasp.slack.com/messages/project-mobile_omtg/details/) Slack channel] before you start working on a topic. This helps us to keep track of what everyone is doing and prevent conflicts. You can create a Slack account here:<br />
<br />
http://owasp.herokuapp.com/<br />
<br />
Before you start contributing, please read our brief [https://github.com/OWASP/owasp-mstg/blob/master/style_guide.md style guide] which contains a few basic writing rules.<br />
<br />
If there's something you really want to see in the guide, or you want to suggest an improvement, create an issue [https://github.com/OWASP/owasp-mstg/issues issue] or ping us on [https://owasp.slack.com/messages/project-mobile_omtg/details/ Slack].<br />
<br />
==Where do you guys need help the most?==<br />
<br />
There's a lot of areas where you can help out:<br />
<br />
* Writing original content, such as describing testing processes and writing test cases. We're all doing this in our spare time, which unfortunately means that things sometimes slow down to a crawl. If you're knowledgeable in some area and have time available, we'd be incredibly thankful to anyone who contributes, even if it's only one or two test cases.<br />
<br />
* Reviewing content and giving feedback. The proper channel for questions and feedback is the GitHub issues system of the respective repo, contacting us on [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel] is another possibility.<br />
<br />
* Developing tools. For example, we still don't have an automated way of generating checklists out of the GitHub repo.<br />
<br />
* Contributing to auxiliary projects: The [https://github.com/b-mueller/obfuscation-metrics obfuscation metrics project] is an auxiliary project that deals with specific forms of control flow and data obfuscation. This project needs experts in advanced obfuscation / de-obfuscation. Please contact us if you have experience in this area.<br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator.<br />
<br />
==I contributed to the original Google Doc, but I'm not credited in the new version of the MSTG? ==<br />
As we migrated some of the existing content, we did our best to backtrack the original authors and credit them appropriately. We also added a [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x02-Frontispiece.md revision history] that lists all the authors from old Google Docs. If you are not on that list but feel you should be, please contact [https://github.com/b-mueller Bernhard] or [https://github.com/sushi2k Sven] and they'll fix it. Or better yet, re-join the author's team and start contributing to the new guide.<br />
<br />
= Acknowledgements =<br />
<br />
== Acknowledgments ==<br />
<br />
=== Authors ===<br />
<br />
====Bernhard Mueller ====<br />
<br />
Bernhard is a cyber security specialist with a talent in hacking all kinds of systems. During more than a decade in the industry, he has published many zero-day exploits for software such as MS SQL Server, Adobe Flash Player, IBM Director, Cisco VOIP and ModSecurity. If you can name it, he has probably broken it at least once. His pioneering work in mobile security was commended with a BlackHat "Best Research" Pwnie Award.<br />
<br />
==== Sven Schleier ====<br />
<br />
Sven is an experienced penetration tester and security architect who specialized in implementing secure SDLC for web application, iOS and Android apps. He is a project leader for the OWASP Mobile Security Testing Guide and the creator of OWASP Mobile Hacking Playground. Sven also supports the community with free hands-on workshops on web and mobile app security testing. He has published several security advisories and a white papers about a range of security topics.<br />
<br />
=== Co-Authors ===<br />
<br />
==== Romuald Szkudlarek ====<br />
<br />
Romuald is a passionate cyber security & privacy professional with over 15 years of experience in the Web, Mobile, IoT and Cloud domains. During his career, he has been dedicating spare time to a variery of projects with the goal of advancing the sectors of software and security. He is also teaching at various institutions. He holds CISSP, CSSLP and CEH credentials.<br />
<br />
==== Jeroen Willemsen ====<br />
<br />
Jeroen is a full-stack developer specialized in IT security at Xebia with a passion for mobile and risk management. He loves to explain things: starting as a teacher teaching PHP to bachelor students and then move along explaining security, risk management and programming issues to anyone willing to listen and learn.<br />
<br />
=== Top Contributors ===<br />
<br />
* Francesco Stillavato<br />
* Pawel Rzepa<br />
* Andreas Happe<br />
* Henry Hoggard<br />
* Wen Bin Kong<br />
* Abdessamad Temmar<br />
* Alexander Anthuk<br />
* Slawomir Kosowski<br />
* Bolot Kerimbaev<br />
<br />
=== Contributors ===<br />
<br />
Jin Kung Ong, Gerhard Wagner, Andreas Happe, Wen Bin Kong, Michael Helwig, Jeroen Willemsen, Denis Pilipchuk, Ryan Teoh, Dharshin De Silva, Anita Diamond, Daniel Ramirez Martin, Claudio André, Enrico Verzegnassi, Prathan Phongthiproek, Tom Welch, Luander Ribeiro, Oguzhan Topgul, Carlos Holguera, David Fern, Pishu Mahtani, Anuruddha<br />
<br />
=== Reviewers ===<br />
<br />
* Anant Shrivastava<br />
* Sjoerd Langkemper<br />
<br />
=== Others ===<br />
<br />
The full list of contributors, including those with less than 50 additions logged, is available on [https://github.com/OWASP/owasp-mstg/graphs/contributors GitHub].<br />
<br />
=== Old Version - MSTG "Beta" on Google Drive ===<br />
<br />
The Mobile Security Testing Guide was initiated by [https://www.owasp.org/index.php/User:Milan_Singh_Thakur Milan Singh Thakur] in 2015. The original document was hosted on Google Drive.<br />
<br />
'''Authors:'''<br />
<br />
Mirza Ali, Stephen Corbiaux, Ryan Dewhurst, Mohammad Hamed Dadpour, David Fern, Ali Yazdani, Bao Lee, Anto Joseph, Nutan Kumar Panda, Rahil Parikh, Julian Schütte, Abhinav Sejpal, Anant Shrivastava, Pragati Singh, Milan Singh Thakur, Stephanie Vanroelen, Gerhard Wagner<br />
<br />
'''Reviewers:'''<br />
<br />
Andrew Muller, Jonathan Carter, Stephanie Vanroelen, Milan Singh Thakur<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs></headertabs> <br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Builders]] <br />
[[Category:OWASP_Defenders]] <br />
[[Category:OWASP_Document]]</div>Bernhard Muellerhttps://wiki.owasp.org/index.php?title=OWASP_Mobile_Security_Testing_Guide&diff=230784OWASP Mobile Security Testing Guide2017-06-19T10:41:31Z<p>Bernhard Mueller: Update Gitbook URL</p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_MSTG_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==Our Vision ==<br />
<br />
=== '''"Define the industry standard for mobile application security."''' ===<br />
<br />
We are writing a security standard for mobile apps and a comprehensive testing guide that covers the processes, techniques, and tools used during a mobile app security test, as well as an exhaustive set of test cases that enables testers to deliver consistent and complete results.<br />
<br />
== Preview Release ==<br />
<br />
{| cellpadding="5"<br />
|-<br />
| [[File:Bites.jpg|link=https://leanpub.com/mobile-security-testing-guide-preview]]<br />
| '''Mobile Security Testing Guide - OWASP Summit Preview'''<br />
The Summit Preview contains sample chapters on Android security testing and reverse engineering. Feel free to download it for $0 or contribute any amount you like. All funds raised through sales of this book go directly into the project budget and will be used to fund production of the final release.<br />
|}<br />
<br />
== Main Deliverables ==<br />
<br />
{| cellpadding="5"<br />
|-<br />
| [[File:mstg-mini-2.jpg|link=https://www.github.com/OWASP/owasp-mstg/]]<br />
| '''Mobile Security Testing Guide'''<br />
A comprehensive guide for iOS and Android mobile security testers with the following content:<br />
# Mobile platform internals<br />
# Security testing in the mobile app development lifecycle<br />
# Basic static and dynamic security testing<br />
# Mobile app reverse engineering and tampering<br />
# Assessing software protections<br />
# Detailed test cases that map to the requirements in the MASVS.<br />
The MSTG is a work-in-progress. Currently, we hope to be "feature-complete" in Q3 2017. You can contribute and comment in the [https://github.com/OWASP/owasp-mstg GitHub Repo]. A book version of the current master branch is available on [https://b-mueller.gitbooks.io/the-owasp-mobile-security-testing-guide/content/ Gitbook].<br />
|-<br />
| [[File:masvs-sample-mini.jpg|link=https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf]]<br />
| '''Mobile App Security Requirements and Verification'''<br />
The [https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf OWASP Mobile Application Security Verification Standard (MASVS)] is a standard for mobile app security. It can be used by mobile software architects and developers seeking to develop secure mobile applications, as well as security testers to ensure completeness and consistency of test results. The latest release is [https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf version 0.9.3].<br />
|-<br />
| [[File:checklist.jpg|link=https://www.owasp.org/images/1/1b/Mobile_App_Security_Checklist_0.9.3.xlsx]]<br />
| '''Mobile App Security Checklist'''<br />
A checklist for use in security assessments. Also contains links to the MSTG test case for each requirement. The current release is [https://www.owasp.org/images/1/1b/Mobile_App_Security_Checklist_0.9.3.xlsx version 0.9.3].<br />
|}<br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Breakers]] <br />
[[Category:OWASP_Document]]<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="center" width="50%" | [[File:Owasp-breakers-small.png|link=https://www.owasp.org/index.php/Breakers]]<br />
|<br />
|-<br />
| align="center" valign="center" width="50%" | <br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
== Project Leaders ==<br />
<br />
<span style="color:#ff0000"><br />
<br />
[https://www.owasp.org/index.php/User:Bernhard_Mueller Bernhard Mueller]<br />
<br />
[https://www.owasp.org/index.php/User:Sven_Schleier Sven Schleier]<br />
<br />
== Road Map ==<br />
<br />
* Q3 2017: Beta release<br />
* Q4 2017: Version 1.0<br />
* Q1 2018: Produce A Printable Book<br />
<br />
== Parent Project ==<br />
<br />
[[OWASP_Mobile_Security_Project]]<br />
<br />
==Licensing==<br />
<br />
The guide is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
|}<br />
<br />
=How-To=<br />
<br />
== Using the OWASP Mobile App Security Verification Standard, Testing Guide and Checklist ==<br />
<br />
The documents produced in this project cover many aspects of mobile application security, from the high-level requirements to the nitty-gritty implementation details and test cases. They can be used to plan and verify security controls during any phase of mobile app development, as well as during pre-release code review and penetration testing.<br />
<br />
# The [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf Mobile Application Security Verification Standard (MASVS)] contains generic security requirements along with mappings to verification levels that can be chosen depending on the overall need for security.<br />
# The [https://github.com/OWASP/owasp-mstg Mobile Security Testing Guide (MSTG)] provides verification instructions for each requirement in the MASVS, as well as security best practices for apps on each supported mobile operating system (currently Android and iOS). It is also useful as a standalone learning resource and reference guide for mobile application security testers.<br />
# The [https://www.owasp.org/images/6/6f/Mobile_App_Security_Checklist_0.9.2.xlsx Mobile App Security Checklist] can be used to apply the MASVS requirements during practical assessments. It also conveniently links to the MSTG test case for each requirement, making mobile penetration testing a breeze.<br />
<br />
It is important to note that the security standard, testing guide and checklists are closely related: They all map to the same basic set of requirements. Depending on the context, the documents can be used stand-alone or in combination to achieve different objectives.<br />
<br />
[[File:Overview-800px.jpg]]<br />
<br />
For example, the MASVS requirements may be used in the planning and architecture design stages, while the checklist and testing guide may serve as a baseline for manual security testing or as a template for automated security tests.<br />
<br />
== Mobile App Security Testing ==<br />
<br />
The [https://www.owasp.org/images/9/94/Mobile_App_Security_Verification_Checklist_0.8.2.xlsx checklist] works great as a reference during mobile app security assessments. You can walk through the requirements one-by-one - for more information on each requirement, simply click on the link in the "Testing procedures" column. Or, fill out the checklist at the end of an assessment to ensure completeness. <br />
<br />
== Security Engineering in the SDLC ==<br />
<br />
Properly defined security requirements are an important part of the Secure SDLC. The [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf MASVS] levels can be used along with threat modeling to determine the appropriate set of security controls for a particular mobile app. MASVS V1 also lists requirements pertaining to the architecture and design of the mobile apps, as well as general processes and activities that should be part of the development process.<br />
<br />
== Mobile App Security Education ==<br />
<br />
The [https://github.com/OWASP/owasp-mstg Mobile Security Testing Guide] can be used as a standalone learning resource. Its main chapters contain general how-tos and tutorials that cover a variety of topics from mobile OS internals to advanced reverse engineering techniques.<br />
<br />
=News=<br />
<br />
== June 17th, 2017: The OWASP Mobile Security Testing Guide - Summit Preview ==<br />
<br />
The MSTG Summit Preview is an experimental proof-of-concept book created on the OWASP Summit 2017 in London. The goal was to improve the authoring process and book deployment pipeline, as well as to demonstrate the viability of the project. Note that the content is not final and will likely change significantly in subsequent releases.<br />
<br />
Download the ebook [https://github.com/OWASP/owasp-mstg/releases/download/1.0/owasp-mstg-summit-edition.epub here].<br />
<br />
== Mobile Security Testing Workshop on the OWASP Summit 2017 ==<br />
<br />
The OWASP MSTG team is organizing a 5-days mobile security track on the OWASP Summit 2017. The track consists of a series of book sprints, each of which focuses on producing content for a specific section in the OWASP MSTG, as well as proof-reading and editing the existing content. The goal is to make as much progress on the guide as is humanly possible. Depending on the number of participants, we’ll split into sub-groups to work on different subsections or topic areas.<br />
<br />
=== How to Join ===<br />
<br />
Join up for the working session(s) you like by following the link(s) on the [http://owaspsummit.org/Working-Sessions/Mobile-Security/ mobile security track page], then hitting the "Edit this page here" link at the bottom, and adding yourself to the "participants" field. Signing up is not mandatory, but helps us to better organize the sessions. Don’t worry though if your session of choice happens on the "wrong" day - you can always simply stop by and we’ll brief you on your topic of choice. After all, this is the Woodstock of appsec!<br />
<br />
Mobile security track main page:<br />
<br />
http://owaspsummit.org/Working-Sessions/Mobile-Security/<br />
<br />
Mobile security track schedule:<br />
<br />
http://owaspsummit.org/schedule/tracks/Mobile-Security.html/<br />
<br />
== April 5th, 2017: Mobile App Security Verification Standard Update ==<br />
<br />
[https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf Version 0.9.3] of the MASVS is now [https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf available for download] . This release contains several bug fixes and modifications to security requirements:<br />
<br />
* Merged requirements 7.8 and 7.9 into for simplification<br />
* Removed Anti-RE controls 8.1 and 8.2<br />
* Updated MSTG links to current master<br />
* Section "Environmental Interaction" renamed to "Platform Interaction"<br />
* Removed To-dos<br />
* Fixed some wording & spelling issues<br />
<br />
== January 31st, 2017: Mobile App Security Verification Standard v0.9.2 Available For Download ==<br />
<br />
The Mobile App Security Verification Standard (MASVS) has undergone a major revision, including a re-design of the security model and verification levels. We also revised many security requirements to address the multitude of [https://github.com/OWASP/owasp-masvs/issues?q=is%3Aissue%20 issues raised on GitHub]. The result is MASVS v0.9.2, which is now [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf available for download in PDF format].<br />
<br />
As the MASVS is nearing maturity, we have decided to freeze the requirements until the Mobile Testing Guide and checklists "catch up" (due to the one-to-one mapping between requirements in the MASVS and MSTG, changes to the requirements make it necessary to update the other documents as well, causing repeated effort). Unless major issues pop up, the current list will therefore remain in place until MASVS/MSTG v1.0, and further changes will be reserved for v1.1 or later releases.<br />
<br />
The MASVS is a community effort to establish security requirements for designing, developing and testing secure mobile apps on iOS and Android. Join the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel] to meet the project members! You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
== January 28th, 2017: Mobile Crackmes and Reversing Tutorials ==<br />
{| cellpadding="5"<br />
|-<br />
| [[File:uncrackable-250.png|link=]]<br />
| <br />
A key goal of the OWASP Mobile Testing Project is to build the ultimate learning resource and reference guide for mobile app reversers. As hands-on hacking is by far the best way to learn, we'd like to link most of the content to practical examples. <br />
<br />
Starting now, we'll be adding [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes crackmes for Android and iOS] to the [https://github.com/OWASP/owasp-mstg GitHub repo] that will then be used as examples throughout the guide. The goal is to collect enough resources for demonstrating the most important tools and techniques in our guide, plus additional crackmes for practicing. For starters there are three challenges:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/OMTG-Files/02_Crackmes/01_Android/01_License_Validation Android License Validator]<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes/iOS/Level_01/ Uncrackable App for iOS Level 1]<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes/iOS/Level_02/ Uncrackable App for iOS Level 2]<br />
<br />
|}<br />
<br />
One of these three already has a [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md#symbolicexec documented solution] in the guide. Tutorials for solving the other two [https://github.com/OWASP/owasp-mstg/blob/master/OMTG-Files/02_Crackmes/List_of_Crackmes.md still need to be added].<br />
<br />
=== We Need More Authors and Contributors! ===<br />
<br />
Maybe you have noticed that [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html the reverse engineering sections in the Mobile Testing Guide are incomplete]. The reason: We're still in the starting stages and don't have a lot of authors and contributors (in fact, 99% of the reversing content was produced by one guy). We'd love to welcome *you* as a contributor of crackmes, tutorials, writeups, or simply new ideas for this project. <br />
<br />
==== What You Can Do ====<br />
<br />
The OWASP MSTG is an open project and there's a lot of flexibility - it mostly depends on your skill set and willingness to commit your time. That said, the some areas that need help are:<br />
<br />
* Solving crackmes and contributing a tutorial to the guide (preferable a technique that's not already documented. Check the [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html TOC] first).<br />
* Writing and adding new crackmes along with solutions (should also describe something not already in the guide. Cracking white-boxes, dynamic analysis using an emulator / introspection, etc. etc.).<br />
* General reversing write-ups to describe specific processes and techniques<br />
* Help us figure out [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x07b-Assessing_Software_Protections.md resiliency testing processes] and [https://github.com/b-mueller/obfuscation-metrics obfuscation metrics]<br />
<br />
The reversing part of the guide consists of the following chapters:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05-Testing-Processes-and-Techniques.md#tampering-and-reverse-engineering Tampering and Reverse Engineering - General Overview]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md#tampering-and-reverse-engineering-on-android Tampering and Reverse Engineering on Android]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Reverse-Engineering-and-Tampering-iOS.md#tampering-and-reverse-engineering-on-ios Tampering and Reverse Engineering on iOS]<br />
<br />
==== How To Join ====<br />
<br />
Read the [https://github.com/OWASP/owasp-mstg/blob/master/authors_guide.md author's guide] first, and join the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel], where you'll find all the other project members. You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
== January 22nd, 2017: Mobile Testing Guide TOC Available ==<br />
<br />
As of now, we'll be auto-generating a [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html table of contents] out of the current MSTG master branch. This reflects the current state of the guide, and should make it easier to coordinate work between authors. A short-term goal is to finalize the structure of the guide so we get a clearer picture of what will be included in the final document. Lead authors are encouraged to complete the outline of their respective chapters. <br />
<br />
'''On another note, we still need additional authors to help with all sections of the guide, including mobile operating system overviews, testing processes and techniques, and reverse engineering.''' Especially iOS authors are in short supply! As usual, ping us on the [https://owasp.slack.com/messages/project-mobile_omtg/details/ Slack Channel] if you want to contribute.<br />
<br />
== December 4th, 2016: Call For Authors: The Ultimate Open-Source Mobile App Reverse Engineering Guide ==<br />
<br />
Reverse engineering is an art, and describing every available facet of it would fill a whole library. The sheer range techniques and possible specializations is mind-blowing: One can spend years working on a very specific, isolated sub-problem, such as automating malware analysis or developing novel de-obfuscation methods. For mobile app security testers, it can be challenging to filter through the vast amount of information and build a working methodology. Things become even more problematic when one is tasked to assess apps that are heavily obfuscated and have anti-tampering measures built in.<br />
<br />
One of the main goals in the MSTG is to build the ultimate resource for mobile reverse engineers. This includes not only basic static and dynamic analysis, but also advanced de-obfuscation, scripting and automation. Obviously, writing all this content is a lot of work, both in terms of general content and OS-specific how-tos. We're therefore looking for talented authors that want to join the project early on. Topics include the following:<br />
<br />
* Basic Hybrid Static/Dynamic Analysis<br />
* Code Injection and Dynamic Instrumentation (Substrate, FRIDA)<br />
* Dynamic Binary Instrumentation (Valgrind, PIE)<br />
* Analysis Frameworks (Metasm / Miasm)<br />
* Symbolic Execution<br />
* DCA and DPA attacks on white-box crypto<br />
* Dynamic analysis frameworks (PANDA / DroidScope,...)<br />
* Anything else we might have missed<br />
<br />
=== What is in for me? ===<br />
<br />
All of this is unpaid, volunteer work. However, depending on your contribution, you will be named in the "lead authors" or "contributors" list, and you'll be able to point to the fact that you co-authored the guide. You'll also be contributing to the field, helping others who are just starting out, and in turn becoming a happier person yourself (reaping the full benefits of your altruism).<br />
<br />
=== Where do I sign up? ===<br />
<br />
First of all, have a look at the existing RE chapters outline:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05-Testing-Processes-and-Techniques.md#tampering-and-reverse-engineering Generic / Introduction]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md Android]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Reverse-Engineering-and-Tampering-iOS.md#tampering-and-reverse-engineering-on-ios iOS]<br />
<br />
You'll probably immediately have ideas on how you can contribute. If that's the case, read the [https://github.com/OWASP/owasp-mstg/blob/master/authors_guide.md author's guide] first. <br />
<br />
Then contact [https://github.com/b-mueller Bernhard Mueller] - ideally directly on the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel], where you'll find all the other project members. You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
=FAQs=<br />
<br />
==How can I participate in your project?==<br />
<br />
'''We are searching for additional authors, reviewers and editors.''' The best way to get started is to browse the [https://b-mueller.gitbooks.io/owasp-mobile-security-testing-guide/content/ existing content]. Also, check the [https://github.com/OWASP/owasp-mstg/projects/1 project dashboard] for a list of open tasks.<br />
<br />
Drop a us line on the [https://owasp.slack.com/messages/project-mobile_omtg/details/) Slack channel] before you start working on a topic. This helps us to keep track of what everyone is doing and prevent conflicts. You can create a Slack account here:<br />
<br />
http://owasp.herokuapp.com/<br />
<br />
Before you start contributing, please read our brief [https://github.com/OWASP/owasp-mstg/blob/master/style_guide.md style guide] which contains a few basic writing rules.<br />
<br />
If there's something you really want to see in the guide, or you want to suggest an improvement, create an issue [https://github.com/OWASP/owasp-mstg/issues issue] or ping us on [https://owasp.slack.com/messages/project-mobile_omtg/details/ Slack].<br />
<br />
==Where do you guys need help the most?==<br />
<br />
There's a lot of areas where you can help out:<br />
<br />
* Writing original content, such as describing testing processes and writing test cases. We're all doing this in our spare time, which unfortunately means that things sometimes slow down to a crawl. If you're knowledgeable in some area and have time available, we'd be incredibly thankful to anyone who contributes, even if it's only one or two test cases.<br />
<br />
* Reviewing content and giving feedback. The proper channel for questions and feedback is the GitHub issues system of the respective repo, contacting us on [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel] is another possibility.<br />
<br />
* Developing tools. For example, we still don't have an automated way of generating checklists out of the GitHub repo.<br />
<br />
* Contributing to auxiliary projects: The [https://github.com/b-mueller/obfuscation-metrics obfuscation metrics project] is an auxiliary project that deals with specific forms of control flow and data obfuscation. This project needs experts in advanced obfuscation / de-obfuscation. Please contact us if you have experience in this area.<br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator.<br />
<br />
==I contributed to the original Google Doc, but I'm not credited in the new version of the MSTG? ==<br />
As we migrated some of the existing content, we did our best to backtrack the original authors and credit them appropriately. We also added a [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x02-Frontispiece.md revision history] that lists all the authors from old Google Docs. If you are not on that list but feel you should be, please contact [https://github.com/b-mueller Bernhard] or [https://github.com/sushi2k Sven] and they'll fix it. Or better yet, re-join the author's team and start contributing to the new guide.<br />
<br />
= Acknowledgements =<br />
<br />
== Acknowledgments ==<br />
<br />
=== Authors ===<br />
<br />
====Bernhard Mueller ====<br />
<br />
Bernhard is a cyber security specialist with a talent in hacking all kinds of systems. During more than a decade in the industry, he has published many zero-day exploits for software such as MS SQL Server, Adobe Flash Player, IBM Director, Cisco VOIP and ModSecurity. If you can name it, he has probably broken it at least once. His pioneering work in mobile security was commended with a BlackHat "Best Research" Pwnie Award.<br />
<br />
==== Sven Schleier ====<br />
<br />
Sven is an experienced penetration tester and security architect who specialized in implementing secure SDLC for web application, iOS and Android apps. He is a project leader for the OWASP Mobile Security Testing Guide and the creator of OWASP Mobile Hacking Playground. Sven also supports the community with free hands-on workshops on web and mobile app security testing. He has published several security advisories and a white papers about a range of security topics.<br />
<br />
=== Co-Authors ===<br />
<br />
==== Romuald Szkudlarek ====<br />
<br />
Romuald is a passionate cyber security & privacy professional with over 15 years of experience in the Web, Mobile, IoT and Cloud domains. During his career, he has been dedicating spare time to a variery of projects with the goal of advancing the sectors of software and security. He is also teaching at various institutions. He holds CISSP, CSSLP and CEH credentials.<br />
<br />
==== Jeroen Willemsen ====<br />
<br />
Jeroen is a full-stack developer specialized in IT security at Xebia with a passion for mobile and risk management. He loves to explain things: starting as a teacher teaching PHP to bachelor students and then move along explaining security, risk management and programming issues to anyone willing to listen and learn.<br />
<br />
=== Top Contributors ===<br />
<br />
* Francesco Stillavato<br />
* Pawel Rzepa<br />
* Andreas Happe<br />
* Henry Hoggard<br />
* Wen Bin Kong<br />
* Abdessamad Temmar<br />
* Alexander Anthuk<br />
* Slawomir Kosowski<br />
* Bolot Kerimbaev<br />
<br />
=== Contributors ===<br />
<br />
Jin Kung Ong, Gerhard Wagner, Andreas Happe, Wen Bin Kong, Michael Helwig, Jeroen Willemsen, Denis Pilipchuk, Ryan Teoh, Dharshin De Silva, Anita Diamond, Daniel Ramirez Martin, Claudio André, Enrico Verzegnassi, Prathan Phongthiproek, Tom Welch, Luander Ribeiro, Oguzhan Topgul, Carlos Holguera, David Fern, Pishu Mahtani, Anuruddha<br />
<br />
=== Reviewers ===<br />
<br />
* Anant Shrivastava<br />
* Sjoerd Langkemper<br />
<br />
=== Others ===<br />
<br />
The full list of contributors, including those with less than 50 additions logged, is available on [https://github.com/OWASP/owasp-mstg/graphs/contributors GitHub].<br />
<br />
=== Old Version - MSTG "Beta" on Google Drive ===<br />
<br />
The Mobile Security Testing Guide was initiated by [https://www.owasp.org/index.php/User:Milan_Singh_Thakur Milan Singh Thakur] in 2015. The original document was hosted on Google Drive.<br />
<br />
'''Authors:'''<br />
<br />
Mirza Ali, Stephen Corbiaux, Ryan Dewhurst, Mohammad Hamed Dadpour, David Fern, Ali Yazdani, Bao Lee, Anto Joseph, Nutan Kumar Panda, Rahil Parikh, Julian Schütte, Abhinav Sejpal, Anant Shrivastava, Pragati Singh, Milan Singh Thakur, Stephanie Vanroelen, Gerhard Wagner<br />
<br />
'''Reviewers:'''<br />
<br />
Andrew Muller, Jonathan Carter, Stephanie Vanroelen, Milan Singh Thakur<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs></headertabs> <br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Builders]] <br />
[[Category:OWASP_Defenders]] <br />
[[Category:OWASP_Document]]</div>Bernhard Muellerhttps://wiki.owasp.org/index.php?title=OWASP_Mobile_Security_Testing_Guide&diff=230747OWASP Mobile Security Testing Guide2017-06-17T03:53:21Z<p>Bernhard Mueller: /* Security Engineering in the SDLC */</p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_MSTG_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==Our Vision ==<br />
<br />
=== '''"Define the industry standard for mobile application security."''' ===<br />
<br />
We are writing a security standard for mobile apps and a comprehensive testing guide that covers the processes, techniques, and tools used during a mobile app security test, as well as an exhaustive set of test cases that enables testers to deliver consistent and complete results.<br />
<br />
== Preview Release ==<br />
<br />
{| cellpadding="5"<br />
|-<br />
| [[File:Bites.jpg|link=https://leanpub.com/mobile-security-testing-guide-preview]]<br />
| '''Mobile Security Testing Guide - OWASP Summit Preview'''<br />
The Summit Preview contains sample chapters on Android security testing and reverse engineering. Feel free to download it for $0 or contribute any amount you like. All funds raised through sales of this book go directly into the project budget and will be used to fund production of the final release.<br />
|}<br />
<br />
== Main Deliverables ==<br />
<br />
{| cellpadding="5"<br />
|-<br />
| [[File:mstg-mini-2.jpg|link=https://www.github.com/OWASP/owasp-mstg/]]<br />
| '''Mobile Security Testing Guide'''<br />
A comprehensive guide for iOS and Android mobile security testers with the following content:<br />
# Mobile platform internals<br />
# Security testing in the mobile app development lifecycle<br />
# Basic static and dynamic security testing<br />
# Mobile app reverse engineering and tampering<br />
# Assessing software protections<br />
# Detailed test cases that map to the requirements in the MASVS.<br />
The MSTG is a work-in-progress. Currently, we hope to be "feature-complete" in Q3 2017. You can contribute and comment in the [https://github.com/OWASP/owasp-mstg GitHub Repo]. A book version of the current master branch is available on [https://b-mueller.gitbooks.io/owasp-mobile-security-testing-guide/content/ Gitbook].<br />
|-<br />
| [[File:masvs-sample-mini.jpg|link=https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf]]<br />
| '''Mobile App Security Requirements and Verification'''<br />
The [https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf OWASP Mobile Application Security Verification Standard (MASVS)] is a standard for mobile app security. It can be used by mobile software architects and developers seeking to develop secure mobile applications, as well as security testers to ensure completeness and consistency of test results. The latest release is [https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf version 0.9.3].<br />
|-<br />
| [[File:checklist.jpg|link=https://www.owasp.org/images/1/1b/Mobile_App_Security_Checklist_0.9.3.xlsx]]<br />
| '''Mobile App Security Checklist'''<br />
A checklist for use in security assessments. Also contains links to the MSTG test case for each requirement. The current release is [https://www.owasp.org/images/1/1b/Mobile_App_Security_Checklist_0.9.3.xlsx version 0.9.3].<br />
|}<br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Breakers]] <br />
[[Category:OWASP_Document]]<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="center" width="50%" | [[File:Owasp-breakers-small.png|link=https://www.owasp.org/index.php/Breakers]]<br />
|<br />
|-<br />
| align="center" valign="center" width="50%" | <br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
== Project Leaders ==<br />
<br />
<span style="color:#ff0000"><br />
<br />
[https://www.owasp.org/index.php/User:Bernhard_Mueller Bernhard Mueller]<br />
<br />
[https://www.owasp.org/index.php/User:Sven_Schleier Sven Schleier]<br />
<br />
== Road Map ==<br />
<br />
* Q3 2017: Beta release<br />
* Q4 2017: Version 1.0<br />
* Q1 2018: Produce A Printable Book<br />
<br />
== Parent Project ==<br />
<br />
[[OWASP_Mobile_Security_Project]]<br />
<br />
==Licensing==<br />
<br />
The guide is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
|}<br />
<br />
=How-To=<br />
<br />
== Using the OWASP Mobile App Security Verification Standard, Testing Guide and Checklist ==<br />
<br />
The documents produced in this project cover many aspects of mobile application security, from the high-level requirements to the nitty-gritty implementation details and test cases. They can be used to plan and verify security controls during any phase of mobile app development, as well as during pre-release code review and penetration testing.<br />
<br />
# The [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf Mobile Application Security Verification Standard (MASVS)] contains generic security requirements along with mappings to verification levels that can be chosen depending on the overall need for security.<br />
# The [https://github.com/OWASP/owasp-mstg Mobile Security Testing Guide (MSTG)] provides verification instructions for each requirement in the MASVS, as well as security best practices for apps on each supported mobile operating system (currently Android and iOS). It is also useful as a standalone learning resource and reference guide for mobile application security testers.<br />
# The [https://www.owasp.org/images/6/6f/Mobile_App_Security_Checklist_0.9.2.xlsx Mobile App Security Checklist] can be used to apply the MASVS requirements during practical assessments. It also conveniently links to the MSTG test case for each requirement, making mobile penetration testing a breeze.<br />
<br />
It is important to note that the security standard, testing guide and checklists are closely related: They all map to the same basic set of requirements. Depending on the context, the documents can be used stand-alone or in combination to achieve different objectives.<br />
<br />
[[File:Overview-800px.jpg]]<br />
<br />
For example, the MASVS requirements may be used in the planning and architecture design stages, while the checklist and testing guide may serve as a baseline for manual security testing or as a template for automated security tests.<br />
<br />
== Mobile App Security Testing ==<br />
<br />
The [https://www.owasp.org/images/9/94/Mobile_App_Security_Verification_Checklist_0.8.2.xlsx checklist] works great as a reference during mobile app security assessments. You can walk through the requirements one-by-one - for more information on each requirement, simply click on the link in the "Testing procedures" column. Or, fill out the checklist at the end of an assessment to ensure completeness. <br />
<br />
== Security Engineering in the SDLC ==<br />
<br />
Properly defined security requirements are an important part of the Secure SDLC. The [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf MASVS] levels can be used along with threat modeling to determine the appropriate set of security controls for a particular mobile app. MASVS V1 also lists requirements pertaining to the architecture and design of the mobile apps, as well as general processes and activities that should be part of the development process.<br />
<br />
== Mobile App Security Education ==<br />
<br />
The [https://github.com/OWASP/owasp-mstg Mobile Security Testing Guide] can be used as a standalone learning resource. Its main chapters contain general how-tos and tutorials that cover a variety of topics from mobile OS internals to advanced reverse engineering techniques.<br />
<br />
=News=<br />
<br />
== June 17th, 2017: The OWASP Mobile Security Testing Guide - Summit Preview ==<br />
<br />
The MSTG Summit Preview is an experimental proof-of-concept book created on the OWASP Summit 2017 in London. The goal was to improve the authoring process and book deployment pipeline, as well as to demonstrate the viability of the project. Note that the content is not final and will likely change significantly in subsequent releases.<br />
<br />
Download the ebook [https://github.com/OWASP/owasp-mstg/releases/download/1.0/owasp-mstg-summit-edition.epub here].<br />
<br />
== Mobile Security Testing Workshop on the OWASP Summit 2017 ==<br />
<br />
The OWASP MSTG team is organizing a 5-days mobile security track on the OWASP Summit 2017. The track consists of a series of book sprints, each of which focuses on producing content for a specific section in the OWASP MSTG, as well as proof-reading and editing the existing content. The goal is to make as much progress on the guide as is humanly possible. Depending on the number of participants, we’ll split into sub-groups to work on different subsections or topic areas.<br />
<br />
=== How to Join ===<br />
<br />
Join up for the working session(s) you like by following the link(s) on the [http://owaspsummit.org/Working-Sessions/Mobile-Security/ mobile security track page], then hitting the "Edit this page here" link at the bottom, and adding yourself to the "participants" field. Signing up is not mandatory, but helps us to better organize the sessions. Don’t worry though if your session of choice happens on the "wrong" day - you can always simply stop by and we’ll brief you on your topic of choice. After all, this is the Woodstock of appsec!<br />
<br />
Mobile security track main page:<br />
<br />
http://owaspsummit.org/Working-Sessions/Mobile-Security/<br />
<br />
Mobile security track schedule:<br />
<br />
http://owaspsummit.org/schedule/tracks/Mobile-Security.html/<br />
<br />
== April 5th, 2017: Mobile App Security Verification Standard Update ==<br />
<br />
[https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf Version 0.9.3] of the MASVS is now [https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf available for download] . This release contains several bug fixes and modifications to security requirements:<br />
<br />
* Merged requirements 7.8 and 7.9 into for simplification<br />
* Removed Anti-RE controls 8.1 and 8.2<br />
* Updated MSTG links to current master<br />
* Section "Environmental Interaction" renamed to "Platform Interaction"<br />
* Removed To-dos<br />
* Fixed some wording & spelling issues<br />
<br />
== January 31st, 2017: Mobile App Security Verification Standard v0.9.2 Available For Download ==<br />
<br />
The Mobile App Security Verification Standard (MASVS) has undergone a major revision, including a re-design of the security model and verification levels. We also revised many security requirements to address the multitude of [https://github.com/OWASP/owasp-masvs/issues?q=is%3Aissue%20 issues raised on GitHub]. The result is MASVS v0.9.2, which is now [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf available for download in PDF format].<br />
<br />
As the MASVS is nearing maturity, we have decided to freeze the requirements until the Mobile Testing Guide and checklists "catch up" (due to the one-to-one mapping between requirements in the MASVS and MSTG, changes to the requirements make it necessary to update the other documents as well, causing repeated effort). Unless major issues pop up, the current list will therefore remain in place until MASVS/MSTG v1.0, and further changes will be reserved for v1.1 or later releases.<br />
<br />
The MASVS is a community effort to establish security requirements for designing, developing and testing secure mobile apps on iOS and Android. Join the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel] to meet the project members! You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
== January 28th, 2017: Mobile Crackmes and Reversing Tutorials ==<br />
{| cellpadding="5"<br />
|-<br />
| [[File:uncrackable-250.png|link=]]<br />
| <br />
A key goal of the OWASP Mobile Testing Project is to build the ultimate learning resource and reference guide for mobile app reversers. As hands-on hacking is by far the best way to learn, we'd like to link most of the content to practical examples. <br />
<br />
Starting now, we'll be adding [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes crackmes for Android and iOS] to the [https://github.com/OWASP/owasp-mstg GitHub repo] that will then be used as examples throughout the guide. The goal is to collect enough resources for demonstrating the most important tools and techniques in our guide, plus additional crackmes for practicing. For starters there are three challenges:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/OMTG-Files/02_Crackmes/01_Android/01_License_Validation Android License Validator]<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes/iOS/Level_01/ Uncrackable App for iOS Level 1]<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes/iOS/Level_02/ Uncrackable App for iOS Level 2]<br />
<br />
|}<br />
<br />
One of these three already has a [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md#symbolicexec documented solution] in the guide. Tutorials for solving the other two [https://github.com/OWASP/owasp-mstg/blob/master/OMTG-Files/02_Crackmes/List_of_Crackmes.md still need to be added].<br />
<br />
=== We Need More Authors and Contributors! ===<br />
<br />
Maybe you have noticed that [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html the reverse engineering sections in the Mobile Testing Guide are incomplete]. The reason: We're still in the starting stages and don't have a lot of authors and contributors (in fact, 99% of the reversing content was produced by one guy). We'd love to welcome *you* as a contributor of crackmes, tutorials, writeups, or simply new ideas for this project. <br />
<br />
==== What You Can Do ====<br />
<br />
The OWASP MSTG is an open project and there's a lot of flexibility - it mostly depends on your skill set and willingness to commit your time. That said, the some areas that need help are:<br />
<br />
* Solving crackmes and contributing a tutorial to the guide (preferable a technique that's not already documented. Check the [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html TOC] first).<br />
* Writing and adding new crackmes along with solutions (should also describe something not already in the guide. Cracking white-boxes, dynamic analysis using an emulator / introspection, etc. etc.).<br />
* General reversing write-ups to describe specific processes and techniques<br />
* Help us figure out [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x07b-Assessing_Software_Protections.md resiliency testing processes] and [https://github.com/b-mueller/obfuscation-metrics obfuscation metrics]<br />
<br />
The reversing part of the guide consists of the following chapters:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05-Testing-Processes-and-Techniques.md#tampering-and-reverse-engineering Tampering and Reverse Engineering - General Overview]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md#tampering-and-reverse-engineering-on-android Tampering and Reverse Engineering on Android]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Reverse-Engineering-and-Tampering-iOS.md#tampering-and-reverse-engineering-on-ios Tampering and Reverse Engineering on iOS]<br />
<br />
==== How To Join ====<br />
<br />
Read the [https://github.com/OWASP/owasp-mstg/blob/master/authors_guide.md author's guide] first, and join the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel], where you'll find all the other project members. You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
== January 22nd, 2017: Mobile Testing Guide TOC Available ==<br />
<br />
As of now, we'll be auto-generating a [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html table of contents] out of the current MSTG master branch. This reflects the current state of the guide, and should make it easier to coordinate work between authors. A short-term goal is to finalize the structure of the guide so we get a clearer picture of what will be included in the final document. Lead authors are encouraged to complete the outline of their respective chapters. <br />
<br />
'''On another note, we still need additional authors to help with all sections of the guide, including mobile operating system overviews, testing processes and techniques, and reverse engineering.''' Especially iOS authors are in short supply! As usual, ping us on the [https://owasp.slack.com/messages/project-mobile_omtg/details/ Slack Channel] if you want to contribute.<br />
<br />
== December 4th, 2016: Call For Authors: The Ultimate Open-Source Mobile App Reverse Engineering Guide ==<br />
<br />
Reverse engineering is an art, and describing every available facet of it would fill a whole library. The sheer range techniques and possible specializations is mind-blowing: One can spend years working on a very specific, isolated sub-problem, such as automating malware analysis or developing novel de-obfuscation methods. For mobile app security testers, it can be challenging to filter through the vast amount of information and build a working methodology. Things become even more problematic when one is tasked to assess apps that are heavily obfuscated and have anti-tampering measures built in.<br />
<br />
One of the main goals in the MSTG is to build the ultimate resource for mobile reverse engineers. This includes not only basic static and dynamic analysis, but also advanced de-obfuscation, scripting and automation. Obviously, writing all this content is a lot of work, both in terms of general content and OS-specific how-tos. We're therefore looking for talented authors that want to join the project early on. Topics include the following:<br />
<br />
* Basic Hybrid Static/Dynamic Analysis<br />
* Code Injection and Dynamic Instrumentation (Substrate, FRIDA)<br />
* Dynamic Binary Instrumentation (Valgrind, PIE)<br />
* Analysis Frameworks (Metasm / Miasm)<br />
* Symbolic Execution<br />
* DCA and DPA attacks on white-box crypto<br />
* Dynamic analysis frameworks (PANDA / DroidScope,...)<br />
* Anything else we might have missed<br />
<br />
=== What is in for me? ===<br />
<br />
All of this is unpaid, volunteer work. However, depending on your contribution, you will be named in the "lead authors" or "contributors" list, and you'll be able to point to the fact that you co-authored the guide. You'll also be contributing to the field, helping others who are just starting out, and in turn becoming a happier person yourself (reaping the full benefits of your altruism).<br />
<br />
=== Where do I sign up? ===<br />
<br />
First of all, have a look at the existing RE chapters outline:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05-Testing-Processes-and-Techniques.md#tampering-and-reverse-engineering Generic / Introduction]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md Android]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Reverse-Engineering-and-Tampering-iOS.md#tampering-and-reverse-engineering-on-ios iOS]<br />
<br />
You'll probably immediately have ideas on how you can contribute. If that's the case, read the [https://github.com/OWASP/owasp-mstg/blob/master/authors_guide.md author's guide] first. <br />
<br />
Then contact [https://github.com/b-mueller Bernhard Mueller] - ideally directly on the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel], where you'll find all the other project members. You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
=FAQs=<br />
<br />
==How can I participate in your project?==<br />
<br />
'''We are searching for additional authors, reviewers and editors.''' The best way to get started is to browse the [https://b-mueller.gitbooks.io/owasp-mobile-security-testing-guide/content/ existing content]. Also, check the [https://github.com/OWASP/owasp-mstg/projects/1 project dashboard] for a list of open tasks.<br />
<br />
Drop a us line on the [https://owasp.slack.com/messages/project-mobile_omtg/details/) Slack channel] before you start working on a topic. This helps us to keep track of what everyone is doing and prevent conflicts. You can create a Slack account here:<br />
<br />
http://owasp.herokuapp.com/<br />
<br />
Before you start contributing, please read our brief [https://github.com/OWASP/owasp-mstg/blob/master/style_guide.md style guide] which contains a few basic writing rules.<br />
<br />
If there's something you really want to see in the guide, or you want to suggest an improvement, create an issue [https://github.com/OWASP/owasp-mstg/issues issue] or ping us on [https://owasp.slack.com/messages/project-mobile_omtg/details/ Slack].<br />
<br />
==Where do you guys need help the most?==<br />
<br />
There's a lot of areas where you can help out:<br />
<br />
* Writing original content, such as describing testing processes and writing test cases. We're all doing this in our spare time, which unfortunately means that things sometimes slow down to a crawl. If you're knowledgeable in some area and have time available, we'd be incredibly thankful to anyone who contributes, even if it's only one or two test cases.<br />
<br />
* Reviewing content and giving feedback. The proper channel for questions and feedback is the GitHub issues system of the respective repo, contacting us on [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel] is another possibility.<br />
<br />
* Developing tools. For example, we still don't have an automated way of generating checklists out of the GitHub repo.<br />
<br />
* Contributing to auxiliary projects: The [https://github.com/b-mueller/obfuscation-metrics obfuscation metrics project] is an auxiliary project that deals with specific forms of control flow and data obfuscation. This project needs experts in advanced obfuscation / de-obfuscation. Please contact us if you have experience in this area.<br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator.<br />
<br />
==I contributed to the original Google Doc, but I'm not credited in the new version of the MSTG? ==<br />
As we migrated some of the existing content, we did our best to backtrack the original authors and credit them appropriately. We also added a [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x02-Frontispiece.md revision history] that lists all the authors from old Google Docs. If you are not on that list but feel you should be, please contact [https://github.com/b-mueller Bernhard] or [https://github.com/sushi2k Sven] and they'll fix it. Or better yet, re-join the author's team and start contributing to the new guide.<br />
<br />
= Acknowledgements =<br />
<br />
== Acknowledgments ==<br />
<br />
=== Authors ===<br />
<br />
====Bernhard Mueller ====<br />
<br />
Bernhard is a cyber security specialist with a talent in hacking all kinds of systems. During more than a decade in the industry, he has published many zero-day exploits for software such as MS SQL Server, Adobe Flash Player, IBM Director, Cisco VOIP and ModSecurity. If you can name it, he has probably broken it at least once. His pioneering work in mobile security was commended with a BlackHat "Best Research" Pwnie Award.<br />
<br />
==== Sven Schleier ====<br />
<br />
Sven is an experienced penetration tester and security architect who specialized in implementing secure SDLC for web application, iOS and Android apps. He is a project leader for the OWASP Mobile Security Testing Guide and the creator of OWASP Mobile Hacking Playground. Sven also supports the community with free hands-on workshops on web and mobile app security testing. He has published several security advisories and a white papers about a range of security topics.<br />
<br />
=== Co-Authors ===<br />
<br />
==== Romuald Szkudlarek ====<br />
<br />
Romuald is a passionate cyber security & privacy professional with over 15 years of experience in the Web, Mobile, IoT and Cloud domains. During his career, he has been dedicating spare time to a variery of projects with the goal of advancing the sectors of software and security. He is also teaching at various institutions. He holds CISSP, CSSLP and CEH credentials.<br />
<br />
==== Jeroen Willemsen ====<br />
<br />
Jeroen is a full-stack developer specialized in IT security at Xebia with a passion for mobile and risk management. He loves to explain things: starting as a teacher teaching PHP to bachelor students and then move along explaining security, risk management and programming issues to anyone willing to listen and learn.<br />
<br />
=== Top Contributors ===<br />
<br />
* Francesco Stillavato<br />
* Pawel Rzepa<br />
* Andreas Happe<br />
* Henry Hoggard<br />
* Wen Bin Kong<br />
* Abdessamad Temmar<br />
* Alexander Anthuk<br />
* Slawomir Kosowski<br />
* Bolot Kerimbaev<br />
<br />
=== Contributors ===<br />
<br />
Jin Kung Ong, Gerhard Wagner, Andreas Happe, Wen Bin Kong, Michael Helwig, Jeroen Willemsen, Denis Pilipchuk, Ryan Teoh, Dharshin De Silva, Anita Diamond, Daniel Ramirez Martin, Claudio André, Enrico Verzegnassi, Prathan Phongthiproek, Tom Welch, Luander Ribeiro, Oguzhan Topgul, Carlos Holguera, David Fern, Pishu Mahtani, Anuruddha<br />
<br />
=== Reviewers ===<br />
<br />
* Anant Shrivastava<br />
* Sjoerd Langkemper<br />
<br />
=== Others ===<br />
<br />
The full list of contributors, including those with less than 50 additions logged, is available on [https://github.com/OWASP/owasp-mstg/graphs/contributors GitHub].<br />
<br />
=== Old Version - MSTG "Beta" on Google Drive ===<br />
<br />
The Mobile Security Testing Guide was initiated by [https://www.owasp.org/index.php/User:Milan_Singh_Thakur Milan Singh Thakur] in 2015. The original document was hosted on Google Drive.<br />
<br />
'''Authors:'''<br />
<br />
Mirza Ali, Stephen Corbiaux, Ryan Dewhurst, Mohammad Hamed Dadpour, David Fern, Ali Yazdani, Bao Lee, Anto Joseph, Nutan Kumar Panda, Rahil Parikh, Julian Schütte, Abhinav Sejpal, Anant Shrivastava, Pragati Singh, Milan Singh Thakur, Stephanie Vanroelen, Gerhard Wagner<br />
<br />
'''Reviewers:'''<br />
<br />
Andrew Muller, Jonathan Carter, Stephanie Vanroelen, Milan Singh Thakur<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs></headertabs> <br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Builders]] <br />
[[Category:OWASP_Defenders]] <br />
[[Category:OWASP_Document]]</div>Bernhard Muellerhttps://wiki.owasp.org/index.php?title=OWASP_Mobile_Security_Testing_Guide&diff=230727OWASP Mobile Security Testing Guide2017-06-16T16:18:00Z<p>Bernhard Mueller: /* Acknowledgments */</p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_MSTG_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==Our Vision ==<br />
<br />
=== '''"Define the industry standard for mobile application security."''' ===<br />
<br />
We are writing a security standard for mobile apps and a comprehensive testing guide that covers the processes, techniques, and tools used during a mobile app security test, as well as an exhaustive set of test cases that enables testers to deliver consistent and complete results.<br />
<br />
== Preview Release ==<br />
<br />
{| cellpadding="5"<br />
|-<br />
| [[File:Bites.jpg|link=https://leanpub.com/mobile-security-testing-guide-preview]]<br />
| '''Mobile Security Testing Guide - OWASP Summit Preview'''<br />
The Summit Preview contains sample chapters on Android security testing and reverse engineering. Feel free to download it for $0 or contribute any amount you like. All funds raised through sales of this book go directly into the project budget and will be used to fund production of the final release.<br />
|}<br />
<br />
== Main Deliverables ==<br />
<br />
{| cellpadding="5"<br />
|-<br />
| [[File:mstg-mini-2.jpg|link=https://www.github.com/OWASP/owasp-mstg/]]<br />
| '''Mobile Security Testing Guide'''<br />
A comprehensive guide for iOS and Android mobile security testers with the following content:<br />
# Mobile platform internals<br />
# Security testing in the mobile app development lifecycle<br />
# Basic static and dynamic security testing<br />
# Mobile app reverse engineering and tampering<br />
# Assessing software protections<br />
# Detailed test cases that map to the requirements in the MASVS.<br />
The MSTG is a work-in-progress. Currently, we hope to be "feature-complete" in Q3 2017. You can contribute and comment in the [https://github.com/OWASP/owasp-mstg GitHub Repo]. A book version of the current master branch is available on [https://b-mueller.gitbooks.io/owasp-mobile-security-testing-guide/content/ Gitbook].<br />
|-<br />
| [[File:masvs-sample-mini.jpg|link=https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf]]<br />
| '''Mobile App Security Requirements and Verification'''<br />
The [https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf OWASP Mobile Application Security Verification Standard (MASVS)] is a standard for mobile app security. It can be used by mobile software architects and developers seeking to develop secure mobile applications, as well as security testers to ensure completeness and consistency of test results. The latest release is [https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf version 0.9.3].<br />
|-<br />
| [[File:checklist.jpg|link=https://www.owasp.org/images/1/1b/Mobile_App_Security_Checklist_0.9.3.xlsx]]<br />
| '''Mobile App Security Checklist'''<br />
A checklist for use in security assessments. Also contains links to the MSTG test case for each requirement. The current release is [https://www.owasp.org/images/1/1b/Mobile_App_Security_Checklist_0.9.3.xlsx version 0.9.3].<br />
|}<br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Breakers]] <br />
[[Category:OWASP_Document]]<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="center" width="50%" | [[File:Owasp-breakers-small.png|link=https://www.owasp.org/index.php/Breakers]]<br />
|<br />
|-<br />
| align="center" valign="center" width="50%" | <br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
== Project Leaders ==<br />
<br />
<span style="color:#ff0000"><br />
<br />
[https://www.owasp.org/index.php/User:Bernhard_Mueller Bernhard Mueller]<br />
<br />
[https://www.owasp.org/index.php/User:Sven_Schleier Sven Schleier]<br />
<br />
== Road Map ==<br />
<br />
* Q3 2017: Beta release<br />
* Q4 2017: Version 1.0<br />
* Q1 2018: Produce A Printable Book<br />
<br />
== Parent Project ==<br />
<br />
[[OWASP_Mobile_Security_Project]]<br />
<br />
==Licensing==<br />
<br />
The guide is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
|}<br />
<br />
=How-To=<br />
<br />
== Using the OWASP Mobile App Security Verification Standard, Testing Guide and Checklist ==<br />
<br />
The documents produced in this project cover many aspects of mobile application security, from the high-level requirements to the nitty-gritty implementation details and test cases. They can be used to plan and verify security controls during any phase of mobile app development, as well as during pre-release code review and penetration testing.<br />
<br />
# The [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf Mobile Application Security Verification Standard (MASVS)] contains generic security requirements along with mappings to verification levels that can be chosen depending on the overall need for security.<br />
# The [https://github.com/OWASP/owasp-mstg Mobile Security Testing Guide (MSTG)] provides verification instructions for each requirement in the MASVS, as well as security best practices for apps on each supported mobile operating system (currently Android and iOS). It is also useful as a standalone learning resource and reference guide for mobile application security testers.<br />
# The [https://www.owasp.org/images/6/6f/Mobile_App_Security_Checklist_0.9.2.xlsx Mobile App Security Checklist] can be used to apply the MASVS requirements during practical assessments. It also conveniently links to the MSTG test case for each requirement, making mobile penetration testing a breeze.<br />
<br />
It is important to note that the security standard, testing guide and checklists are closely related: They all map to the same basic set of requirements. Depending on the context, the documents can be used stand-alone or in combination to achieve different objectives.<br />
<br />
[[File:Overview-800px.jpg]]<br />
<br />
For example, the MASVS requirements may be used in the planning and architecture design stages, while the checklist and testing guide may serve as a baseline for manual security testing or as a template for automated security tests.<br />
<br />
== Mobile App Security Testing ==<br />
<br />
The [https://www.owasp.org/images/9/94/Mobile_App_Security_Verification_Checklist_0.8.2.xlsx checklist] works great as a reference during mobile app security assessments. You can walk through the requirements one-by-one - for more information on each requirement, simply click on the link in the "Testing procedures" column. Or, fill out the checklist at the end of an assessment to ensure completeness. <br />
<br />
== Security Engineering in the SDLC ==<br />
<br />
Properly defined security requirements are an important part of the Secure SDLC. The [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf MASVS] levels can be used along with threat modeling to determine the appropriate set of security controls for a particular mobile app. MASVS V1 also lists requirements pertaining to the architecture and design of the mobile apps, as well as general processes and activities that should be part of the development process.<br />
<br />
== Mobile App Security Education ==<br />
<br />
The [https://github.com/OWASP/owasp-mstg Mobile Security Testing Guide] can be used as a standalone learning resource. Its main chapters contain general how-tos and tutorials that cover a variety of topics from mobile OS internals to advanced reverse engineering techniques.<br />
<br />
=News=<br />
<br />
== New Release: The OWASP Mobile Security Testing Guide - Summit Preview ==<br />
<br />
The MSTG Summit Preview is an experimental proof-of-concept book created on the OWASP Summit 2017 in London. The goal was to improve the authoring process and book deployment pipeline, as well as to demonstrate the viability of the project. Note that the content is not final and will likely change significantly in subsequent releases.<br />
<br />
Download the ebook [https://github.com/OWASP/owasp-mstg/releases/download/1.0/owasp-mstg-summit-edition.epub here].<br />
<br />
== Mobile Security Testing Workshop on the OWASP Summit 2017 ==<br />
<br />
The OWASP MSTG team is organizing a 5-days mobile security track on the OWASP Summit 2017. The track consists of a series of book sprints, each of which focuses on producing content for a specific section in the OWASP MSTG, as well as proof-reading and editing the existing content. The goal is to make as much progress on the guide as is humanly possible. Depending on the number of participants, we’ll split into sub-groups to work on different subsections or topic areas.<br />
<br />
=== How to Join ===<br />
<br />
Join up for the working session(s) you like by following the link(s) on the [http://owaspsummit.org/Working-Sessions/Mobile-Security/ mobile security track page], then hitting the "Edit this page here" link at the bottom, and adding yourself to the "participants" field. Signing up is not mandatory, but helps us to better organize the sessions. Don’t worry though if your session of choice happens on the "wrong" day - you can always simply stop by and we’ll brief you on your topic of choice. After all, this is the Woodstock of appsec!<br />
<br />
Mobile security track main page:<br />
<br />
http://owaspsummit.org/Working-Sessions/Mobile-Security/<br />
<br />
Mobile security track schedule:<br />
<br />
http://owaspsummit.org/schedule/tracks/Mobile-Security.html/<br />
<br />
== April 5th, 2017: Mobile App Security Verification Standard Update ==<br />
<br />
[https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf Version 0.9.3] of the MASVS is now [https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf available for download] . This release contains several bug fixes and modifications to security requirements:<br />
<br />
* Merged requirements 7.8 and 7.9 into for simplification<br />
* Removed Anti-RE controls 8.1 and 8.2<br />
* Updated MSTG links to current master<br />
* Section "Environmental Interaction" renamed to "Platform Interaction"<br />
* Removed To-dos<br />
* Fixed some wording & spelling issues<br />
<br />
== January 31st, 2017: Mobile App Security Verification Standard v0.9.2 Available For Download ==<br />
<br />
The Mobile App Security Verification Standard (MASVS) has undergone a major revision, including a re-design of the security model and verification levels. We also revised many security requirements to address the multitude of [https://github.com/OWASP/owasp-masvs/issues?q=is%3Aissue%20 issues raised on GitHub]. The result is MASVS v0.9.2, which is now [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf available for download in PDF format].<br />
<br />
As the MASVS is nearing maturity, we have decided to freeze the requirements until the Mobile Testing Guide and checklists "catch up" (due to the one-to-one mapping between requirements in the MASVS and MSTG, changes to the requirements make it necessary to update the other documents as well, causing repeated effort). Unless major issues pop up, the current list will therefore remain in place until MASVS/MSTG v1.0, and further changes will be reserved for v1.1 or later releases.<br />
<br />
The MASVS is a community effort to establish security requirements for designing, developing and testing secure mobile apps on iOS and Android. Join the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel] to meet the project members! You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
== January 28th, 2017: Mobile Crackmes and Reversing Tutorials ==<br />
{| cellpadding="5"<br />
|-<br />
| [[File:uncrackable-250.png|link=]]<br />
| <br />
A key goal of the OWASP Mobile Testing Project is to build the ultimate learning resource and reference guide for mobile app reversers. As hands-on hacking is by far the best way to learn, we'd like to link most of the content to practical examples. <br />
<br />
Starting now, we'll be adding [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes crackmes for Android and iOS] to the [https://github.com/OWASP/owasp-mstg GitHub repo] that will then be used as examples throughout the guide. The goal is to collect enough resources for demonstrating the most important tools and techniques in our guide, plus additional crackmes for practicing. For starters there are three challenges:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/OMTG-Files/02_Crackmes/01_Android/01_License_Validation Android License Validator]<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes/iOS/Level_01/ Uncrackable App for iOS Level 1]<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes/iOS/Level_02/ Uncrackable App for iOS Level 2]<br />
<br />
|}<br />
<br />
One of these three already has a [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md#symbolicexec documented solution] in the guide. Tutorials for solving the other two [https://github.com/OWASP/owasp-mstg/blob/master/OMTG-Files/02_Crackmes/List_of_Crackmes.md still need to be added].<br />
<br />
=== We Need More Authors and Contributors! ===<br />
<br />
Maybe you have noticed that [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html the reverse engineering sections in the Mobile Testing Guide are incomplete]. The reason: We're still in the starting stages and don't have a lot of authors and contributors (in fact, 99% of the reversing content was produced by one guy). We'd love to welcome *you* as a contributor of crackmes, tutorials, writeups, or simply new ideas for this project. <br />
<br />
==== What You Can Do ====<br />
<br />
The OWASP MSTG is an open project and there's a lot of flexibility - it mostly depends on your skill set and willingness to commit your time. That said, the some areas that need help are:<br />
<br />
* Solving crackmes and contributing a tutorial to the guide (preferable a technique that's not already documented. Check the [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html TOC] first).<br />
* Writing and adding new crackmes along with solutions (should also describe something not already in the guide. Cracking white-boxes, dynamic analysis using an emulator / introspection, etc. etc.).<br />
* General reversing write-ups to describe specific processes and techniques<br />
* Help us figure out [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x07b-Assessing_Software_Protections.md resiliency testing processes] and [https://github.com/b-mueller/obfuscation-metrics obfuscation metrics]<br />
<br />
The reversing part of the guide consists of the following chapters:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05-Testing-Processes-and-Techniques.md#tampering-and-reverse-engineering Tampering and Reverse Engineering - General Overview]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md#tampering-and-reverse-engineering-on-android Tampering and Reverse Engineering on Android]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Reverse-Engineering-and-Tampering-iOS.md#tampering-and-reverse-engineering-on-ios Tampering and Reverse Engineering on iOS]<br />
<br />
==== How To Join ====<br />
<br />
Read the [https://github.com/OWASP/owasp-mstg/blob/master/authors_guide.md author's guide] first, and join the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel], where you'll find all the other project members. You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
== January 22nd, 2017: Mobile Testing Guide TOC Available ==<br />
<br />
As of now, we'll be auto-generating a [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html table of contents] out of the current MSTG master branch. This reflects the current state of the guide, and should make it easier to coordinate work between authors. A short-term goal is to finalize the structure of the guide so we get a clearer picture of what will be included in the final document. Lead authors are encouraged to complete the outline of their respective chapters. <br />
<br />
'''On another note, we still need additional authors to help with all sections of the guide, including mobile operating system overviews, testing processes and techniques, and reverse engineering.''' Especially iOS authors are in short supply! As usual, ping us on the [https://owasp.slack.com/messages/project-mobile_omtg/details/ Slack Channel] if you want to contribute.<br />
<br />
== December 4th, 2016: Call For Authors: The Ultimate Open-Source Mobile App Reverse Engineering Guide ==<br />
<br />
Reverse engineering is an art, and describing every available facet of it would fill a whole library. The sheer range techniques and possible specializations is mind-blowing: One can spend years working on a very specific, isolated sub-problem, such as automating malware analysis or developing novel de-obfuscation methods. For mobile app security testers, it can be challenging to filter through the vast amount of information and build a working methodology. Things become even more problematic when one is tasked to assess apps that are heavily obfuscated and have anti-tampering measures built in.<br />
<br />
One of the main goals in the MSTG is to build the ultimate resource for mobile reverse engineers. This includes not only basic static and dynamic analysis, but also advanced de-obfuscation, scripting and automation. Obviously, writing all this content is a lot of work, both in terms of general content and OS-specific how-tos. We're therefore looking for talented authors that want to join the project early on. Topics include the following:<br />
<br />
* Basic Hybrid Static/Dynamic Analysis<br />
* Code Injection and Dynamic Instrumentation (Substrate, FRIDA)<br />
* Dynamic Binary Instrumentation (Valgrind, PIE)<br />
* Analysis Frameworks (Metasm / Miasm)<br />
* Symbolic Execution<br />
* DCA and DPA attacks on white-box crypto<br />
* Dynamic analysis frameworks (PANDA / DroidScope,...)<br />
* Anything else we might have missed<br />
<br />
=== What is in for me? ===<br />
<br />
All of this is unpaid, volunteer work. However, depending on your contribution, you will be named in the "lead authors" or "contributors" list, and you'll be able to point to the fact that you co-authored the guide. You'll also be contributing to the field, helping others who are just starting out, and in turn becoming a happier person yourself (reaping the full benefits of your altruism).<br />
<br />
=== Where do I sign up? ===<br />
<br />
First of all, have a look at the existing RE chapters outline:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05-Testing-Processes-and-Techniques.md#tampering-and-reverse-engineering Generic / Introduction]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md Android]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Reverse-Engineering-and-Tampering-iOS.md#tampering-and-reverse-engineering-on-ios iOS]<br />
<br />
You'll probably immediately have ideas on how you can contribute. If that's the case, read the [https://github.com/OWASP/owasp-mstg/blob/master/authors_guide.md author's guide] first. <br />
<br />
Then contact [https://github.com/b-mueller Bernhard Mueller] - ideally directly on the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel], where you'll find all the other project members. You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
=FAQs=<br />
<br />
==How can I participate in your project?==<br />
<br />
'''We are searching for additional authors, reviewers and editors.''' The best way to get started is to browse the [https://b-mueller.gitbooks.io/owasp-mobile-security-testing-guide/content/ existing content]. Also, check the [https://github.com/OWASP/owasp-mstg/projects/1 project dashboard] for a list of open tasks.<br />
<br />
Drop a us line on the [https://owasp.slack.com/messages/project-mobile_omtg/details/) Slack channel] before you start working on a topic. This helps us to keep track of what everyone is doing and prevent conflicts. You can create a Slack account here:<br />
<br />
http://owasp.herokuapp.com/<br />
<br />
Before you start contributing, please read our brief [https://github.com/OWASP/owasp-mstg/blob/master/style_guide.md style guide] which contains a few basic writing rules.<br />
<br />
If there's something you really want to see in the guide, or you want to suggest an improvement, create an issue [https://github.com/OWASP/owasp-mstg/issues issue] or ping us on [https://owasp.slack.com/messages/project-mobile_omtg/details/ Slack].<br />
<br />
==Where do you guys need help the most?==<br />
<br />
There's a lot of areas where you can help out:<br />
<br />
* Writing original content, such as describing testing processes and writing test cases. We're all doing this in our spare time, which unfortunately means that things sometimes slow down to a crawl. If you're knowledgeable in some area and have time available, we'd be incredibly thankful to anyone who contributes, even if it's only one or two test cases.<br />
<br />
* Reviewing content and giving feedback. The proper channel for questions and feedback is the GitHub issues system of the respective repo, contacting us on [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel] is another possibility.<br />
<br />
* Developing tools. For example, we still don't have an automated way of generating checklists out of the GitHub repo.<br />
<br />
* Contributing to auxiliary projects: The [https://github.com/b-mueller/obfuscation-metrics obfuscation metrics project] is an auxiliary project that deals with specific forms of control flow and data obfuscation. This project needs experts in advanced obfuscation / de-obfuscation. Please contact us if you have experience in this area.<br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator.<br />
<br />
==I contributed to the original Google Doc, but I'm not credited in the new version of the MSTG? ==<br />
As we migrated some of the existing content, we did our best to backtrack the original authors and credit them appropriately. We also added a [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x02-Frontispiece.md revision history] that lists all the authors from old Google Docs. If you are not on that list but feel you should be, please contact [https://github.com/b-mueller Bernhard] or [https://github.com/sushi2k Sven] and they'll fix it. Or better yet, re-join the author's team and start contributing to the new guide.<br />
<br />
= Acknowledgements =<br />
<br />
== Acknowledgments ==<br />
<br />
=== Authors ===<br />
<br />
====Bernhard Mueller ====<br />
<br />
Bernhard is a cyber security specialist with a talent in hacking all kinds of systems. During more than a decade in the industry, he has published many zero-day exploits for software such as MS SQL Server, Adobe Flash Player, IBM Director, Cisco VOIP and ModSecurity. If you can name it, he has probably broken it at least once. His pioneering work in mobile security was commended with a BlackHat "Best Research" Pwnie Award.<br />
<br />
==== Sven Schleier ====<br />
<br />
Sven is an experienced penetration tester and security architect who specialized in implementing secure SDLC for web application, iOS and Android apps. He is a project leader for the OWASP Mobile Security Testing Guide and the creator of OWASP Mobile Hacking Playground. Sven also supports the community with free hands-on workshops on web and mobile app security testing. He has published several security advisories and a white papers about a range of security topics.<br />
<br />
=== Co-Authors ===<br />
<br />
==== Romuald Szkudlarek ====<br />
<br />
Romuald is a passionate cyber security & privacy professional with over 15 years of experience in the Web, Mobile, IoT and Cloud domains. During his career, he has been dedicating spare time to a variery of projects with the goal of advancing the sectors of software and security. He is also teaching at various institutions. He holds CISSP, CSSLP and CEH credentials.<br />
<br />
==== Jeroen Willemsen ====<br />
<br />
Jeroen is a full-stack developer specialized in IT security at Xebia with a passion for mobile and risk management. He loves to explain things: starting as a teacher teaching PHP to bachelor students and then move along explaining security, risk management and programming issues to anyone willing to listen and learn.<br />
<br />
=== Top Contributors ===<br />
<br />
* Francesco Stillavato<br />
* Pawel Rzepa<br />
* Andreas Happe<br />
* Henry Hoggard<br />
* Wen Bin Kong<br />
* Abdessamad Temmar<br />
* Alexander Anthuk<br />
* Slawomir Kosowski<br />
* Bolot Kerimbaev<br />
<br />
=== Contributors ===<br />
<br />
Jin Kung Ong, Gerhard Wagner, Andreas Happe, Wen Bin Kong, Michael Helwig, Jeroen Willemsen, Denis Pilipchuk, Ryan Teoh, Dharshin De Silva, Anita Diamond, Daniel Ramirez Martin, Claudio André, Enrico Verzegnassi, Prathan Phongthiproek, Tom Welch, Luander Ribeiro, Oguzhan Topgul, Carlos Holguera, David Fern, Pishu Mahtani, Anuruddha<br />
<br />
=== Reviewers ===<br />
<br />
* Anant Shrivastava<br />
* Sjoerd Langkemper<br />
<br />
=== Others ===<br />
<br />
The full list of contributors, including those with less than 50 additions logged, is available on [https://github.com/OWASP/owasp-mstg/graphs/contributors GitHub].<br />
<br />
=== Old Version - MSTG "Beta" on Google Drive ===<br />
<br />
The Mobile Security Testing Guide was initiated by [https://www.owasp.org/index.php/User:Milan_Singh_Thakur Milan Singh Thakur] in 2015. The original document was hosted on Google Drive.<br />
<br />
'''Authors:'''<br />
<br />
Mirza Ali, Stephen Corbiaux, Ryan Dewhurst, Mohammad Hamed Dadpour, David Fern, Ali Yazdani, Bao Lee, Anto Joseph, Nutan Kumar Panda, Rahil Parikh, Julian Schütte, Abhinav Sejpal, Anant Shrivastava, Pragati Singh, Milan Singh Thakur, Stephanie Vanroelen, Gerhard Wagner<br />
<br />
'''Reviewers:'''<br />
<br />
Andrew Muller, Jonathan Carter, Stephanie Vanroelen, Milan Singh Thakur<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs></headertabs> <br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Builders]] <br />
[[Category:OWASP_Defenders]] <br />
[[Category:OWASP_Document]]</div>Bernhard Muellerhttps://wiki.owasp.org/index.php?title=OWASP_Mobile_Security_Testing_Guide&diff=230726OWASP Mobile Security Testing Guide2017-06-16T16:15:47Z<p>Bernhard Mueller: /* Contributors */</p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_MSTG_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==Our Vision ==<br />
<br />
=== '''"Define the industry standard for mobile application security."''' ===<br />
<br />
We are writing a security standard for mobile apps and a comprehensive testing guide that covers the processes, techniques, and tools used during a mobile app security test, as well as an exhaustive set of test cases that enables testers to deliver consistent and complete results.<br />
<br />
== Preview Release ==<br />
<br />
{| cellpadding="5"<br />
|-<br />
| [[File:Bites.jpg|link=https://leanpub.com/mobile-security-testing-guide-preview]]<br />
| '''Mobile Security Testing Guide - OWASP Summit Preview'''<br />
The Summit Preview contains sample chapters on Android security testing and reverse engineering. Feel free to download it for $0 or contribute any amount you like. All funds raised through sales of this book go directly into the project budget and will be used to fund production of the final release.<br />
|}<br />
<br />
== Main Deliverables ==<br />
<br />
{| cellpadding="5"<br />
|-<br />
| [[File:mstg-mini-2.jpg|link=https://www.github.com/OWASP/owasp-mstg/]]<br />
| '''Mobile Security Testing Guide'''<br />
A comprehensive guide for iOS and Android mobile security testers with the following content:<br />
# Mobile platform internals<br />
# Security testing in the mobile app development lifecycle<br />
# Basic static and dynamic security testing<br />
# Mobile app reverse engineering and tampering<br />
# Assessing software protections<br />
# Detailed test cases that map to the requirements in the MASVS.<br />
The MSTG is a work-in-progress. Currently, we hope to be "feature-complete" in Q3 2017. You can contribute and comment in the [https://github.com/OWASP/owasp-mstg GitHub Repo]. A book version of the current master branch is available on [https://b-mueller.gitbooks.io/owasp-mobile-security-testing-guide/content/ Gitbook].<br />
|-<br />
| [[File:masvs-sample-mini.jpg|link=https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf]]<br />
| '''Mobile App Security Requirements and Verification'''<br />
The [https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf OWASP Mobile Application Security Verification Standard (MASVS)] is a standard for mobile app security. It can be used by mobile software architects and developers seeking to develop secure mobile applications, as well as security testers to ensure completeness and consistency of test results. The latest release is [https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf version 0.9.3].<br />
|-<br />
| [[File:checklist.jpg|link=https://www.owasp.org/images/1/1b/Mobile_App_Security_Checklist_0.9.3.xlsx]]<br />
| '''Mobile App Security Checklist'''<br />
A checklist for use in security assessments. Also contains links to the MSTG test case for each requirement. The current release is [https://www.owasp.org/images/1/1b/Mobile_App_Security_Checklist_0.9.3.xlsx version 0.9.3].<br />
|}<br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Breakers]] <br />
[[Category:OWASP_Document]]<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="center" width="50%" | [[File:Owasp-breakers-small.png|link=https://www.owasp.org/index.php/Breakers]]<br />
|<br />
|-<br />
| align="center" valign="center" width="50%" | <br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
== Project Leaders ==<br />
<br />
<span style="color:#ff0000"><br />
<br />
[https://www.owasp.org/index.php/User:Bernhard_Mueller Bernhard Mueller]<br />
<br />
[https://www.owasp.org/index.php/User:Sven_Schleier Sven Schleier]<br />
<br />
== Road Map ==<br />
<br />
* Q3 2017: Beta release<br />
* Q4 2017: Version 1.0<br />
* Q1 2018: Produce A Printable Book<br />
<br />
== Parent Project ==<br />
<br />
[[OWASP_Mobile_Security_Project]]<br />
<br />
==Licensing==<br />
<br />
The guide is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
|}<br />
<br />
=How-To=<br />
<br />
== Using the OWASP Mobile App Security Verification Standard, Testing Guide and Checklist ==<br />
<br />
The documents produced in this project cover many aspects of mobile application security, from the high-level requirements to the nitty-gritty implementation details and test cases. They can be used to plan and verify security controls during any phase of mobile app development, as well as during pre-release code review and penetration testing.<br />
<br />
# The [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf Mobile Application Security Verification Standard (MASVS)] contains generic security requirements along with mappings to verification levels that can be chosen depending on the overall need for security.<br />
# The [https://github.com/OWASP/owasp-mstg Mobile Security Testing Guide (MSTG)] provides verification instructions for each requirement in the MASVS, as well as security best practices for apps on each supported mobile operating system (currently Android and iOS). It is also useful as a standalone learning resource and reference guide for mobile application security testers.<br />
# The [https://www.owasp.org/images/6/6f/Mobile_App_Security_Checklist_0.9.2.xlsx Mobile App Security Checklist] can be used to apply the MASVS requirements during practical assessments. It also conveniently links to the MSTG test case for each requirement, making mobile penetration testing a breeze.<br />
<br />
It is important to note that the security standard, testing guide and checklists are closely related: They all map to the same basic set of requirements. Depending on the context, the documents can be used stand-alone or in combination to achieve different objectives.<br />
<br />
[[File:Overview-800px.jpg]]<br />
<br />
For example, the MASVS requirements may be used in the planning and architecture design stages, while the checklist and testing guide may serve as a baseline for manual security testing or as a template for automated security tests.<br />
<br />
== Mobile App Security Testing ==<br />
<br />
The [https://www.owasp.org/images/9/94/Mobile_App_Security_Verification_Checklist_0.8.2.xlsx checklist] works great as a reference during mobile app security assessments. You can walk through the requirements one-by-one - for more information on each requirement, simply click on the link in the "Testing procedures" column. Or, fill out the checklist at the end of an assessment to ensure completeness. <br />
<br />
== Security Engineering in the SDLC ==<br />
<br />
Properly defined security requirements are an important part of the Secure SDLC. The [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf MASVS] levels can be used along with threat modeling to determine the appropriate set of security controls for a particular mobile app. MASVS V1 also lists requirements pertaining to the architecture and design of the mobile apps, as well as general processes and activities that should be part of the development process.<br />
<br />
== Mobile App Security Education ==<br />
<br />
The [https://github.com/OWASP/owasp-mstg Mobile Security Testing Guide] can be used as a standalone learning resource. Its main chapters contain general how-tos and tutorials that cover a variety of topics from mobile OS internals to advanced reverse engineering techniques.<br />
<br />
=News=<br />
<br />
== New Release: The OWASP Mobile Security Testing Guide - Summit Preview ==<br />
<br />
The MSTG Summit Preview is an experimental proof-of-concept book created on the OWASP Summit 2017 in London. The goal was to improve the authoring process and book deployment pipeline, as well as to demonstrate the viability of the project. Note that the content is not final and will likely change significantly in subsequent releases.<br />
<br />
Download the ebook [https://github.com/OWASP/owasp-mstg/releases/download/1.0/owasp-mstg-summit-edition.epub here].<br />
<br />
== Mobile Security Testing Workshop on the OWASP Summit 2017 ==<br />
<br />
The OWASP MSTG team is organizing a 5-days mobile security track on the OWASP Summit 2017. The track consists of a series of book sprints, each of which focuses on producing content for a specific section in the OWASP MSTG, as well as proof-reading and editing the existing content. The goal is to make as much progress on the guide as is humanly possible. Depending on the number of participants, we’ll split into sub-groups to work on different subsections or topic areas.<br />
<br />
=== How to Join ===<br />
<br />
Join up for the working session(s) you like by following the link(s) on the [http://owaspsummit.org/Working-Sessions/Mobile-Security/ mobile security track page], then hitting the "Edit this page here" link at the bottom, and adding yourself to the "participants" field. Signing up is not mandatory, but helps us to better organize the sessions. Don’t worry though if your session of choice happens on the "wrong" day - you can always simply stop by and we’ll brief you on your topic of choice. After all, this is the Woodstock of appsec!<br />
<br />
Mobile security track main page:<br />
<br />
http://owaspsummit.org/Working-Sessions/Mobile-Security/<br />
<br />
Mobile security track schedule:<br />
<br />
http://owaspsummit.org/schedule/tracks/Mobile-Security.html/<br />
<br />
== April 5th, 2017: Mobile App Security Verification Standard Update ==<br />
<br />
[https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf Version 0.9.3] of the MASVS is now [https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf available for download] . This release contains several bug fixes and modifications to security requirements:<br />
<br />
* Merged requirements 7.8 and 7.9 into for simplification<br />
* Removed Anti-RE controls 8.1 and 8.2<br />
* Updated MSTG links to current master<br />
* Section "Environmental Interaction" renamed to "Platform Interaction"<br />
* Removed To-dos<br />
* Fixed some wording & spelling issues<br />
<br />
== January 31st, 2017: Mobile App Security Verification Standard v0.9.2 Available For Download ==<br />
<br />
The Mobile App Security Verification Standard (MASVS) has undergone a major revision, including a re-design of the security model and verification levels. We also revised many security requirements to address the multitude of [https://github.com/OWASP/owasp-masvs/issues?q=is%3Aissue%20 issues raised on GitHub]. The result is MASVS v0.9.2, which is now [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf available for download in PDF format].<br />
<br />
As the MASVS is nearing maturity, we have decided to freeze the requirements until the Mobile Testing Guide and checklists "catch up" (due to the one-to-one mapping between requirements in the MASVS and MSTG, changes to the requirements make it necessary to update the other documents as well, causing repeated effort). Unless major issues pop up, the current list will therefore remain in place until MASVS/MSTG v1.0, and further changes will be reserved for v1.1 or later releases.<br />
<br />
The MASVS is a community effort to establish security requirements for designing, developing and testing secure mobile apps on iOS and Android. Join the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel] to meet the project members! You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
== January 28th, 2017: Mobile Crackmes and Reversing Tutorials ==<br />
{| cellpadding="5"<br />
|-<br />
| [[File:uncrackable-250.png|link=]]<br />
| <br />
A key goal of the OWASP Mobile Testing Project is to build the ultimate learning resource and reference guide for mobile app reversers. As hands-on hacking is by far the best way to learn, we'd like to link most of the content to practical examples. <br />
<br />
Starting now, we'll be adding [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes crackmes for Android and iOS] to the [https://github.com/OWASP/owasp-mstg GitHub repo] that will then be used as examples throughout the guide. The goal is to collect enough resources for demonstrating the most important tools and techniques in our guide, plus additional crackmes for practicing. For starters there are three challenges:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/OMTG-Files/02_Crackmes/01_Android/01_License_Validation Android License Validator]<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes/iOS/Level_01/ Uncrackable App for iOS Level 1]<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes/iOS/Level_02/ Uncrackable App for iOS Level 2]<br />
<br />
|}<br />
<br />
One of these three already has a [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md#symbolicexec documented solution] in the guide. Tutorials for solving the other two [https://github.com/OWASP/owasp-mstg/blob/master/OMTG-Files/02_Crackmes/List_of_Crackmes.md still need to be added].<br />
<br />
=== We Need More Authors and Contributors! ===<br />
<br />
Maybe you have noticed that [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html the reverse engineering sections in the Mobile Testing Guide are incomplete]. The reason: We're still in the starting stages and don't have a lot of authors and contributors (in fact, 99% of the reversing content was produced by one guy). We'd love to welcome *you* as a contributor of crackmes, tutorials, writeups, or simply new ideas for this project. <br />
<br />
==== What You Can Do ====<br />
<br />
The OWASP MSTG is an open project and there's a lot of flexibility - it mostly depends on your skill set and willingness to commit your time. That said, the some areas that need help are:<br />
<br />
* Solving crackmes and contributing a tutorial to the guide (preferable a technique that's not already documented. Check the [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html TOC] first).<br />
* Writing and adding new crackmes along with solutions (should also describe something not already in the guide. Cracking white-boxes, dynamic analysis using an emulator / introspection, etc. etc.).<br />
* General reversing write-ups to describe specific processes and techniques<br />
* Help us figure out [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x07b-Assessing_Software_Protections.md resiliency testing processes] and [https://github.com/b-mueller/obfuscation-metrics obfuscation metrics]<br />
<br />
The reversing part of the guide consists of the following chapters:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05-Testing-Processes-and-Techniques.md#tampering-and-reverse-engineering Tampering and Reverse Engineering - General Overview]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md#tampering-and-reverse-engineering-on-android Tampering and Reverse Engineering on Android]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Reverse-Engineering-and-Tampering-iOS.md#tampering-and-reverse-engineering-on-ios Tampering and Reverse Engineering on iOS]<br />
<br />
==== How To Join ====<br />
<br />
Read the [https://github.com/OWASP/owasp-mstg/blob/master/authors_guide.md author's guide] first, and join the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel], where you'll find all the other project members. You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
== January 22nd, 2017: Mobile Testing Guide TOC Available ==<br />
<br />
As of now, we'll be auto-generating a [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html table of contents] out of the current MSTG master branch. This reflects the current state of the guide, and should make it easier to coordinate work between authors. A short-term goal is to finalize the structure of the guide so we get a clearer picture of what will be included in the final document. Lead authors are encouraged to complete the outline of their respective chapters. <br />
<br />
'''On another note, we still need additional authors to help with all sections of the guide, including mobile operating system overviews, testing processes and techniques, and reverse engineering.''' Especially iOS authors are in short supply! As usual, ping us on the [https://owasp.slack.com/messages/project-mobile_omtg/details/ Slack Channel] if you want to contribute.<br />
<br />
== December 4th, 2016: Call For Authors: The Ultimate Open-Source Mobile App Reverse Engineering Guide ==<br />
<br />
Reverse engineering is an art, and describing every available facet of it would fill a whole library. The sheer range techniques and possible specializations is mind-blowing: One can spend years working on a very specific, isolated sub-problem, such as automating malware analysis or developing novel de-obfuscation methods. For mobile app security testers, it can be challenging to filter through the vast amount of information and build a working methodology. Things become even more problematic when one is tasked to assess apps that are heavily obfuscated and have anti-tampering measures built in.<br />
<br />
One of the main goals in the MSTG is to build the ultimate resource for mobile reverse engineers. This includes not only basic static and dynamic analysis, but also advanced de-obfuscation, scripting and automation. Obviously, writing all this content is a lot of work, both in terms of general content and OS-specific how-tos. We're therefore looking for talented authors that want to join the project early on. Topics include the following:<br />
<br />
* Basic Hybrid Static/Dynamic Analysis<br />
* Code Injection and Dynamic Instrumentation (Substrate, FRIDA)<br />
* Dynamic Binary Instrumentation (Valgrind, PIE)<br />
* Analysis Frameworks (Metasm / Miasm)<br />
* Symbolic Execution<br />
* DCA and DPA attacks on white-box crypto<br />
* Dynamic analysis frameworks (PANDA / DroidScope,...)<br />
* Anything else we might have missed<br />
<br />
=== What is in for me? ===<br />
<br />
All of this is unpaid, volunteer work. However, depending on your contribution, you will be named in the "lead authors" or "contributors" list, and you'll be able to point to the fact that you co-authored the guide. You'll also be contributing to the field, helping others who are just starting out, and in turn becoming a happier person yourself (reaping the full benefits of your altruism).<br />
<br />
=== Where do I sign up? ===<br />
<br />
First of all, have a look at the existing RE chapters outline:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05-Testing-Processes-and-Techniques.md#tampering-and-reverse-engineering Generic / Introduction]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md Android]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Reverse-Engineering-and-Tampering-iOS.md#tampering-and-reverse-engineering-on-ios iOS]<br />
<br />
You'll probably immediately have ideas on how you can contribute. If that's the case, read the [https://github.com/OWASP/owasp-mstg/blob/master/authors_guide.md author's guide] first. <br />
<br />
Then contact [https://github.com/b-mueller Bernhard Mueller] - ideally directly on the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel], where you'll find all the other project members. You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
=FAQs=<br />
<br />
==How can I participate in your project?==<br />
<br />
'''We are searching for additional authors, reviewers and editors.''' The best way to get started is to browse the [https://b-mueller.gitbooks.io/owasp-mobile-security-testing-guide/content/ existing content]. Also, check the [https://github.com/OWASP/owasp-mstg/projects/1 project dashboard] for a list of open tasks.<br />
<br />
Drop a us line on the [https://owasp.slack.com/messages/project-mobile_omtg/details/) Slack channel] before you start working on a topic. This helps us to keep track of what everyone is doing and prevent conflicts. You can create a Slack account here:<br />
<br />
http://owasp.herokuapp.com/<br />
<br />
Before you start contributing, please read our brief [https://github.com/OWASP/owasp-mstg/blob/master/style_guide.md style guide] which contains a few basic writing rules.<br />
<br />
If there's something you really want to see in the guide, or you want to suggest an improvement, create an issue [https://github.com/OWASP/owasp-mstg/issues issue] or ping us on [https://owasp.slack.com/messages/project-mobile_omtg/details/ Slack].<br />
<br />
==Where do you guys need help the most?==<br />
<br />
There's a lot of areas where you can help out:<br />
<br />
* Writing original content, such as describing testing processes and writing test cases. We're all doing this in our spare time, which unfortunately means that things sometimes slow down to a crawl. If you're knowledgeable in some area and have time available, we'd be incredibly thankful to anyone who contributes, even if it's only one or two test cases.<br />
<br />
* Reviewing content and giving feedback. The proper channel for questions and feedback is the GitHub issues system of the respective repo, contacting us on [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel] is another possibility.<br />
<br />
* Developing tools. For example, we still don't have an automated way of generating checklists out of the GitHub repo.<br />
<br />
* Contributing to auxiliary projects: The [https://github.com/b-mueller/obfuscation-metrics obfuscation metrics project] is an auxiliary project that deals with specific forms of control flow and data obfuscation. This project needs experts in advanced obfuscation / de-obfuscation. Please contact us if you have experience in this area.<br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator.<br />
<br />
==I contributed to the original Google Doc, but I'm not credited in the new version of the MSTG? ==<br />
As we migrated some of the existing content, we did our best to backtrack the original authors and credit them appropriately. We also added a [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x02-Frontispiece.md revision history] that lists all the authors from old Google Docs. If you are not on that list but feel you should be, please contact [https://github.com/b-mueller Bernhard] or [https://github.com/sushi2k Sven] and they'll fix it. Or better yet, re-join the author's team and start contributing to the new guide.<br />
<br />
= Acknowledgements =<br />
<br />
== Acknowledgments ==<br />
<br />
=== Authors ===<br />
<br />
====Bernhard Mueller ====<br />
<br />
Bernhard is a cyber security specialist with a talent in hacking all kinds of systems. During more than a decade in the industry, he has published many zero-day exploits for software such as MS SQL Server, Adobe Flash Player, IBM Director, Cisco VOIP and ModSecurity. If you can name it, he has probably broken it at least once. His pioneering work in mobile security was commended with a BlackHat "Best Research" Pwnie Award.<br />
<br />
==== Sven Schleier ====<br />
<br />
Sven is an experienced penetration tester and security architect who specialized in implementing secure SDLC for web application, iOS and Android apps. He is a project leader for the OWASP Mobile Security Testing Guide and the creator of OWASP Mobile Hacking Playground. Sven also supports the community with free hands-on workshops on web and mobile app security testing. He has published several security advisories and a white papers about a range of security topics.<br />
<br />
=== Co-Authors ===<br />
<br />
Co-authors have consistently contributed quality content, and have at least 2,000 additions logged in the GitHub repository.<br />
<br />
==== Romuald Szkudlarek ====<br />
<br />
Romuald is a passionate cyber security & privacy professional with over 15 years of experience in the Web, Mobile, IoT and Cloud domains. During his career, he has been dedicating spare time to a variery of projects with the goal of advancing the sectors of software and security. He is also teaching at various institutions. He holds CISSP, CSSLP and CEH credentials.<br />
<br />
==== Jeroen Willemsen ====<br />
<br />
Jeroen is a full-stack developer specialized in IT security at Xebia with a passion for mobile and risk management. He loves to explain things: starting as a teacher teaching PHP to bachelor students and then move along explaining security, risk management and programming issues to anyone willing to listen and learn.<br />
<br />
=== Top Contributors ===<br />
<br />
Top contributors have consistently contributed quality content with at least 500 additions logged in the GitHub repository.<br />
<br />
* Francesco Stillavato<br />
* Pawel Rzepa<br />
* Andreas Happe<br />
* Henry Hoggard<br />
* Wen Bin Kong<br />
* Abdessamad Temmar<br />
* Alexander Anthuk<br />
* Slawomir Kosowski<br />
* Bolot Kerimbaev<br />
<br />
=== Contributors ===<br />
<br />
Contributors have made a quality contribution with at least 50 additions logged in the GitHub repository.<br />
<br />
Jin Kung Ong, Gerhard Wagner, Andreas Happe, Wen Bin Kong, Michael Helwig, Jeroen Willemsen, Denis Pilipchuk, Ryan Teoh, Dharshin De Silva, Anita Diamond, Daniel Ramirez Martin, Claudio André, Enrico Verzegnassi, Prathan Phongthiproek, Tom Welch, Luander Ribeiro, Oguzhan Topgul, Carlos Holguera, David Fern, Pishu Mahtani, Anuruddha<br />
<br />
=== Reviewers ===<br />
<br />
Reviewers have consistently provided useful feedback through GitHub issues and pull request comments.<br />
<br />
* Anant Shrivastava<br />
* Sjoerd Langkemper<br />
<br />
=== Others ===<br />
<br />
Many other contributors have committed small amounts of content, such as a single word or sentence (less than 50 additions). The full list of contributors is available on [https://github.com/OWASP/owasp-mstg/graphs/contributors GitHub].<br />
<br />
=== Old Version - MSTG "Beta" on Google Drive ===<br />
<br />
The Mobile Security Testing Guide was initiated by [https://www.owasp.org/index.php/User:Milan_Singh_Thakur Milan Singh Thakur] in 2015. The original document was hosted on Google Drive.<br />
<br />
'''Authors:'''<br />
<br />
Mirza Ali, Stephen Corbiaux, Ryan Dewhurst, Mohammad Hamed Dadpour, David Fern, Ali Yazdani, Bao Lee, Anto Joseph, Nutan Kumar Panda, Rahil Parikh, Julian Schütte, Abhinav Sejpal, Anant Shrivastava, Pragati Singh, Milan Singh Thakur, Stephanie Vanroelen, Gerhard Wagner<br />
<br />
'''Reviewers:'''<br />
<br />
Andrew Muller, Jonathan Carter, Stephanie Vanroelen, Milan Singh Thakur<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs></headertabs> <br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Builders]] <br />
[[Category:OWASP_Defenders]] <br />
[[Category:OWASP_Document]]</div>Bernhard Muellerhttps://wiki.owasp.org/index.php?title=OWASP_Mobile_Security_Testing_Guide&diff=230725OWASP Mobile Security Testing Guide2017-06-16T16:05:57Z<p>Bernhard Mueller: /* Preview Release */</p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_MSTG_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==Our Vision ==<br />
<br />
=== '''"Define the industry standard for mobile application security."''' ===<br />
<br />
We are writing a security standard for mobile apps and a comprehensive testing guide that covers the processes, techniques, and tools used during a mobile app security test, as well as an exhaustive set of test cases that enables testers to deliver consistent and complete results.<br />
<br />
== Preview Release ==<br />
<br />
{| cellpadding="5"<br />
|-<br />
| [[File:Bites.jpg|link=https://leanpub.com/mobile-security-testing-guide-preview]]<br />
| '''Mobile Security Testing Guide - OWASP Summit Preview'''<br />
The Summit Preview contains sample chapters on Android security testing and reverse engineering. Feel free to download it for $0 or contribute any amount you like. All funds raised through sales of this book go directly into the project budget and will be used to fund production of the final release.<br />
|}<br />
<br />
== Main Deliverables ==<br />
<br />
{| cellpadding="5"<br />
|-<br />
| [[File:mstg-mini-2.jpg|link=https://www.github.com/OWASP/owasp-mstg/]]<br />
| '''Mobile Security Testing Guide'''<br />
A comprehensive guide for iOS and Android mobile security testers with the following content:<br />
# Mobile platform internals<br />
# Security testing in the mobile app development lifecycle<br />
# Basic static and dynamic security testing<br />
# Mobile app reverse engineering and tampering<br />
# Assessing software protections<br />
# Detailed test cases that map to the requirements in the MASVS.<br />
The MSTG is a work-in-progress. Currently, we hope to be "feature-complete" in Q3 2017. You can contribute and comment in the [https://github.com/OWASP/owasp-mstg GitHub Repo]. A book version of the current master branch is available on [https://b-mueller.gitbooks.io/owasp-mobile-security-testing-guide/content/ Gitbook].<br />
|-<br />
| [[File:masvs-sample-mini.jpg|link=https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf]]<br />
| '''Mobile App Security Requirements and Verification'''<br />
The [https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf OWASP Mobile Application Security Verification Standard (MASVS)] is a standard for mobile app security. It can be used by mobile software architects and developers seeking to develop secure mobile applications, as well as security testers to ensure completeness and consistency of test results. The latest release is [https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf version 0.9.3].<br />
|-<br />
| [[File:checklist.jpg|link=https://www.owasp.org/images/1/1b/Mobile_App_Security_Checklist_0.9.3.xlsx]]<br />
| '''Mobile App Security Checklist'''<br />
A checklist for use in security assessments. Also contains links to the MSTG test case for each requirement. The current release is [https://www.owasp.org/images/1/1b/Mobile_App_Security_Checklist_0.9.3.xlsx version 0.9.3].<br />
|}<br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Breakers]] <br />
[[Category:OWASP_Document]]<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="center" width="50%" | [[File:Owasp-breakers-small.png|link=https://www.owasp.org/index.php/Breakers]]<br />
|<br />
|-<br />
| align="center" valign="center" width="50%" | <br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
== Project Leaders ==<br />
<br />
<span style="color:#ff0000"><br />
<br />
[https://www.owasp.org/index.php/User:Bernhard_Mueller Bernhard Mueller]<br />
<br />
[https://www.owasp.org/index.php/User:Sven_Schleier Sven Schleier]<br />
<br />
== Road Map ==<br />
<br />
* Q3 2017: Beta release<br />
* Q4 2017: Version 1.0<br />
* Q1 2018: Produce A Printable Book<br />
<br />
== Parent Project ==<br />
<br />
[[OWASP_Mobile_Security_Project]]<br />
<br />
==Licensing==<br />
<br />
The guide is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
|}<br />
<br />
=How-To=<br />
<br />
== Using the OWASP Mobile App Security Verification Standard, Testing Guide and Checklist ==<br />
<br />
The documents produced in this project cover many aspects of mobile application security, from the high-level requirements to the nitty-gritty implementation details and test cases. They can be used to plan and verify security controls during any phase of mobile app development, as well as during pre-release code review and penetration testing.<br />
<br />
# The [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf Mobile Application Security Verification Standard (MASVS)] contains generic security requirements along with mappings to verification levels that can be chosen depending on the overall need for security.<br />
# The [https://github.com/OWASP/owasp-mstg Mobile Security Testing Guide (MSTG)] provides verification instructions for each requirement in the MASVS, as well as security best practices for apps on each supported mobile operating system (currently Android and iOS). It is also useful as a standalone learning resource and reference guide for mobile application security testers.<br />
# The [https://www.owasp.org/images/6/6f/Mobile_App_Security_Checklist_0.9.2.xlsx Mobile App Security Checklist] can be used to apply the MASVS requirements during practical assessments. It also conveniently links to the MSTG test case for each requirement, making mobile penetration testing a breeze.<br />
<br />
It is important to note that the security standard, testing guide and checklists are closely related: They all map to the same basic set of requirements. Depending on the context, the documents can be used stand-alone or in combination to achieve different objectives.<br />
<br />
[[File:Overview-800px.jpg]]<br />
<br />
For example, the MASVS requirements may be used in the planning and architecture design stages, while the checklist and testing guide may serve as a baseline for manual security testing or as a template for automated security tests.<br />
<br />
== Mobile App Security Testing ==<br />
<br />
The [https://www.owasp.org/images/9/94/Mobile_App_Security_Verification_Checklist_0.8.2.xlsx checklist] works great as a reference during mobile app security assessments. You can walk through the requirements one-by-one - for more information on each requirement, simply click on the link in the "Testing procedures" column. Or, fill out the checklist at the end of an assessment to ensure completeness. <br />
<br />
== Security Engineering in the SDLC ==<br />
<br />
Properly defined security requirements are an important part of the Secure SDLC. The [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf MASVS] levels can be used along with threat modeling to determine the appropriate set of security controls for a particular mobile app. MASVS V1 also lists requirements pertaining to the architecture and design of the mobile apps, as well as general processes and activities that should be part of the development process.<br />
<br />
== Mobile App Security Education ==<br />
<br />
The [https://github.com/OWASP/owasp-mstg Mobile Security Testing Guide] can be used as a standalone learning resource. Its main chapters contain general how-tos and tutorials that cover a variety of topics from mobile OS internals to advanced reverse engineering techniques.<br />
<br />
=News=<br />
<br />
== New Release: The OWASP Mobile Security Testing Guide - Summit Preview ==<br />
<br />
The MSTG Summit Preview is an experimental proof-of-concept book created on the OWASP Summit 2017 in London. The goal was to improve the authoring process and book deployment pipeline, as well as to demonstrate the viability of the project. Note that the content is not final and will likely change significantly in subsequent releases.<br />
<br />
Download the ebook [https://github.com/OWASP/owasp-mstg/releases/download/1.0/owasp-mstg-summit-edition.epub here].<br />
<br />
== Mobile Security Testing Workshop on the OWASP Summit 2017 ==<br />
<br />
The OWASP MSTG team is organizing a 5-days mobile security track on the OWASP Summit 2017. The track consists of a series of book sprints, each of which focuses on producing content for a specific section in the OWASP MSTG, as well as proof-reading and editing the existing content. The goal is to make as much progress on the guide as is humanly possible. Depending on the number of participants, we’ll split into sub-groups to work on different subsections or topic areas.<br />
<br />
=== How to Join ===<br />
<br />
Join up for the working session(s) you like by following the link(s) on the [http://owaspsummit.org/Working-Sessions/Mobile-Security/ mobile security track page], then hitting the "Edit this page here" link at the bottom, and adding yourself to the "participants" field. Signing up is not mandatory, but helps us to better organize the sessions. Don’t worry though if your session of choice happens on the "wrong" day - you can always simply stop by and we’ll brief you on your topic of choice. After all, this is the Woodstock of appsec!<br />
<br />
Mobile security track main page:<br />
<br />
http://owaspsummit.org/Working-Sessions/Mobile-Security/<br />
<br />
Mobile security track schedule:<br />
<br />
http://owaspsummit.org/schedule/tracks/Mobile-Security.html/<br />
<br />
== April 5th, 2017: Mobile App Security Verification Standard Update ==<br />
<br />
[https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf Version 0.9.3] of the MASVS is now [https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf available for download] . This release contains several bug fixes and modifications to security requirements:<br />
<br />
* Merged requirements 7.8 and 7.9 into for simplification<br />
* Removed Anti-RE controls 8.1 and 8.2<br />
* Updated MSTG links to current master<br />
* Section "Environmental Interaction" renamed to "Platform Interaction"<br />
* Removed To-dos<br />
* Fixed some wording & spelling issues<br />
<br />
== January 31st, 2017: Mobile App Security Verification Standard v0.9.2 Available For Download ==<br />
<br />
The Mobile App Security Verification Standard (MASVS) has undergone a major revision, including a re-design of the security model and verification levels. We also revised many security requirements to address the multitude of [https://github.com/OWASP/owasp-masvs/issues?q=is%3Aissue%20 issues raised on GitHub]. The result is MASVS v0.9.2, which is now [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf available for download in PDF format].<br />
<br />
As the MASVS is nearing maturity, we have decided to freeze the requirements until the Mobile Testing Guide and checklists "catch up" (due to the one-to-one mapping between requirements in the MASVS and MSTG, changes to the requirements make it necessary to update the other documents as well, causing repeated effort). Unless major issues pop up, the current list will therefore remain in place until MASVS/MSTG v1.0, and further changes will be reserved for v1.1 or later releases.<br />
<br />
The MASVS is a community effort to establish security requirements for designing, developing and testing secure mobile apps on iOS and Android. Join the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel] to meet the project members! You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
== January 28th, 2017: Mobile Crackmes and Reversing Tutorials ==<br />
{| cellpadding="5"<br />
|-<br />
| [[File:uncrackable-250.png|link=]]<br />
| <br />
A key goal of the OWASP Mobile Testing Project is to build the ultimate learning resource and reference guide for mobile app reversers. As hands-on hacking is by far the best way to learn, we'd like to link most of the content to practical examples. <br />
<br />
Starting now, we'll be adding [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes crackmes for Android and iOS] to the [https://github.com/OWASP/owasp-mstg GitHub repo] that will then be used as examples throughout the guide. The goal is to collect enough resources for demonstrating the most important tools and techniques in our guide, plus additional crackmes for practicing. For starters there are three challenges:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/OMTG-Files/02_Crackmes/01_Android/01_License_Validation Android License Validator]<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes/iOS/Level_01/ Uncrackable App for iOS Level 1]<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes/iOS/Level_02/ Uncrackable App for iOS Level 2]<br />
<br />
|}<br />
<br />
One of these three already has a [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md#symbolicexec documented solution] in the guide. Tutorials for solving the other two [https://github.com/OWASP/owasp-mstg/blob/master/OMTG-Files/02_Crackmes/List_of_Crackmes.md still need to be added].<br />
<br />
=== We Need More Authors and Contributors! ===<br />
<br />
Maybe you have noticed that [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html the reverse engineering sections in the Mobile Testing Guide are incomplete]. The reason: We're still in the starting stages and don't have a lot of authors and contributors (in fact, 99% of the reversing content was produced by one guy). We'd love to welcome *you* as a contributor of crackmes, tutorials, writeups, or simply new ideas for this project. <br />
<br />
==== What You Can Do ====<br />
<br />
The OWASP MSTG is an open project and there's a lot of flexibility - it mostly depends on your skill set and willingness to commit your time. That said, the some areas that need help are:<br />
<br />
* Solving crackmes and contributing a tutorial to the guide (preferable a technique that's not already documented. Check the [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html TOC] first).<br />
* Writing and adding new crackmes along with solutions (should also describe something not already in the guide. Cracking white-boxes, dynamic analysis using an emulator / introspection, etc. etc.).<br />
* General reversing write-ups to describe specific processes and techniques<br />
* Help us figure out [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x07b-Assessing_Software_Protections.md resiliency testing processes] and [https://github.com/b-mueller/obfuscation-metrics obfuscation metrics]<br />
<br />
The reversing part of the guide consists of the following chapters:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05-Testing-Processes-and-Techniques.md#tampering-and-reverse-engineering Tampering and Reverse Engineering - General Overview]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md#tampering-and-reverse-engineering-on-android Tampering and Reverse Engineering on Android]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Reverse-Engineering-and-Tampering-iOS.md#tampering-and-reverse-engineering-on-ios Tampering and Reverse Engineering on iOS]<br />
<br />
==== How To Join ====<br />
<br />
Read the [https://github.com/OWASP/owasp-mstg/blob/master/authors_guide.md author's guide] first, and join the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel], where you'll find all the other project members. You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
== January 22nd, 2017: Mobile Testing Guide TOC Available ==<br />
<br />
As of now, we'll be auto-generating a [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html table of contents] out of the current MSTG master branch. This reflects the current state of the guide, and should make it easier to coordinate work between authors. A short-term goal is to finalize the structure of the guide so we get a clearer picture of what will be included in the final document. Lead authors are encouraged to complete the outline of their respective chapters. <br />
<br />
'''On another note, we still need additional authors to help with all sections of the guide, including mobile operating system overviews, testing processes and techniques, and reverse engineering.''' Especially iOS authors are in short supply! As usual, ping us on the [https://owasp.slack.com/messages/project-mobile_omtg/details/ Slack Channel] if you want to contribute.<br />
<br />
== December 4th, 2016: Call For Authors: The Ultimate Open-Source Mobile App Reverse Engineering Guide ==<br />
<br />
Reverse engineering is an art, and describing every available facet of it would fill a whole library. The sheer range techniques and possible specializations is mind-blowing: One can spend years working on a very specific, isolated sub-problem, such as automating malware analysis or developing novel de-obfuscation methods. For mobile app security testers, it can be challenging to filter through the vast amount of information and build a working methodology. Things become even more problematic when one is tasked to assess apps that are heavily obfuscated and have anti-tampering measures built in.<br />
<br />
One of the main goals in the MSTG is to build the ultimate resource for mobile reverse engineers. This includes not only basic static and dynamic analysis, but also advanced de-obfuscation, scripting and automation. Obviously, writing all this content is a lot of work, both in terms of general content and OS-specific how-tos. We're therefore looking for talented authors that want to join the project early on. Topics include the following:<br />
<br />
* Basic Hybrid Static/Dynamic Analysis<br />
* Code Injection and Dynamic Instrumentation (Substrate, FRIDA)<br />
* Dynamic Binary Instrumentation (Valgrind, PIE)<br />
* Analysis Frameworks (Metasm / Miasm)<br />
* Symbolic Execution<br />
* DCA and DPA attacks on white-box crypto<br />
* Dynamic analysis frameworks (PANDA / DroidScope,...)<br />
* Anything else we might have missed<br />
<br />
=== What is in for me? ===<br />
<br />
All of this is unpaid, volunteer work. However, depending on your contribution, you will be named in the "lead authors" or "contributors" list, and you'll be able to point to the fact that you co-authored the guide. You'll also be contributing to the field, helping others who are just starting out, and in turn becoming a happier person yourself (reaping the full benefits of your altruism).<br />
<br />
=== Where do I sign up? ===<br />
<br />
First of all, have a look at the existing RE chapters outline:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05-Testing-Processes-and-Techniques.md#tampering-and-reverse-engineering Generic / Introduction]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md Android]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Reverse-Engineering-and-Tampering-iOS.md#tampering-and-reverse-engineering-on-ios iOS]<br />
<br />
You'll probably immediately have ideas on how you can contribute. If that's the case, read the [https://github.com/OWASP/owasp-mstg/blob/master/authors_guide.md author's guide] first. <br />
<br />
Then contact [https://github.com/b-mueller Bernhard Mueller] - ideally directly on the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel], where you'll find all the other project members. You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
=FAQs=<br />
<br />
==How can I participate in your project?==<br />
<br />
'''We are searching for additional authors, reviewers and editors.''' The best way to get started is to browse the [https://b-mueller.gitbooks.io/owasp-mobile-security-testing-guide/content/ existing content]. Also, check the [https://github.com/OWASP/owasp-mstg/projects/1 project dashboard] for a list of open tasks.<br />
<br />
Drop a us line on the [https://owasp.slack.com/messages/project-mobile_omtg/details/) Slack channel] before you start working on a topic. This helps us to keep track of what everyone is doing and prevent conflicts. You can create a Slack account here:<br />
<br />
http://owasp.herokuapp.com/<br />
<br />
Before you start contributing, please read our brief [https://github.com/OWASP/owasp-mstg/blob/master/style_guide.md style guide] which contains a few basic writing rules.<br />
<br />
If there's something you really want to see in the guide, or you want to suggest an improvement, create an issue [https://github.com/OWASP/owasp-mstg/issues issue] or ping us on [https://owasp.slack.com/messages/project-mobile_omtg/details/ Slack].<br />
<br />
==Where do you guys need help the most?==<br />
<br />
There's a lot of areas where you can help out:<br />
<br />
* Writing original content, such as describing testing processes and writing test cases. We're all doing this in our spare time, which unfortunately means that things sometimes slow down to a crawl. If you're knowledgeable in some area and have time available, we'd be incredibly thankful to anyone who contributes, even if it's only one or two test cases.<br />
<br />
* Reviewing content and giving feedback. The proper channel for questions and feedback is the GitHub issues system of the respective repo, contacting us on [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel] is another possibility.<br />
<br />
* Developing tools. For example, we still don't have an automated way of generating checklists out of the GitHub repo.<br />
<br />
* Contributing to auxiliary projects: The [https://github.com/b-mueller/obfuscation-metrics obfuscation metrics project] is an auxiliary project that deals with specific forms of control flow and data obfuscation. This project needs experts in advanced obfuscation / de-obfuscation. Please contact us if you have experience in this area.<br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator.<br />
<br />
==I contributed to the original Google Doc, but I'm not credited in the new version of the MSTG? ==<br />
As we migrated some of the existing content, we did our best to backtrack the original authors and credit them appropriately. We also added a [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x02-Frontispiece.md revision history] that lists all the authors from old Google Docs. If you are not on that list but feel you should be, please contact [https://github.com/b-mueller Bernhard] or [https://github.com/sushi2k Sven] and they'll fix it. Or better yet, re-join the author's team and start contributing to the new guide.<br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
The Mobile Security Testing Guide was initiated by [https://www.owasp.org/index.php/User:Milan_Singh_Thakur Milan Singh Thakur] in 2015. The original document was hosted on Google Drive. Guide development was moved to GitHub in October 2016. Below is the full list of contributors for each revision.<br />
<br />
=== MSTG in its current form ===<br />
<br />
'''Authors:'''<br />
<br />
* Bernhard Mueller<br />
* Sven Schleier<br />
<br />
'''Co-Authors:'''<br />
* Romuald Szkudlarek<br />
<br />
'''Top Contributors:'''<br />
* Francesco Stillavato<br />
* Pawel Rzepa<br />
* Henry Hoggard<br />
* Abdessamad Temmar<br />
* Slawomir Kosowski<br />
<br />
'''Contributors:'''<br />
* Andreas Happe<br />
* Wen Bin Kong<br />
* Jin Kung Ong<br />
* Gerhard Wagner<br />
* Michael Helwig<br />
* Jeroen Willemsen<br />
* Alexander Antukh<br />
* Ryan Teoh<br />
* Daniel Ramirez Martin<br />
* Claudio André<br />
* Prathan Phongthiproek<br />
* Luander Ribeiro<br />
* Dharshin De Silva<br />
* Oguzhan Topgul<br />
* Pishu Mahtani<br />
* Anuruddha (L3Osi13nT)<br />
<br />
'''Reviewers:''' Anant Shrivastava<br />
<br />
This list includes everyone who committed 50+ lines of content. The full list of contributors is [https://github.com/OWASP/owasp-mstg/graphs/contributors available on GitHub].<br />
<br />
=== MSTG "Beta 2" on Google Drive ===<br />
<br />
'''Authors:'''<br />
<br />
* Mirza Ali<br />
* Stephen Corbiaux<br />
* Ryan Dewhurst<br />
* Mohammad Hamed Dadpour<br />
* David Fern<br />
* Ali Yazdani<br />
* Bao Lee<br />
* Anto Joseph<br />
* Nutan Kumar Panda<br />
* Rahil Parikh<br />
* Julian Schütte<br />
* Abhinav Sejpal<br />
* Anant Shrivastava<br />
* Pragati Singh<br />
* Milan Singh Thakur<br />
* Stephanie Vanroelen<br />
* Gerhard Wagner<br />
<br />
'''Reviewers:'''<br />
<br />
* Andrew Muller<br />
* Jonathan Carter<br />
* Stephanie Vanroelen<br />
* Milan Singh Thakur<br />
<br />
=== MSTG "Beta 1" on Google Drive ===<br />
<br />
'''Authors:''' <br />
<br />
*Mirza Ali <br />
*Mohammad Hamed Dadpour<br />
*David Fern<br />
*Rahil Parikh<br />
*Abhinav Sejpal<br />
*Pragati Singh<br />
*Milan Singh Thakur<br />
<br />
'''Reviewers:'''<br />
<br />
*Andrew Muller<br />
*Jonathan Carter<br />
<br />
'''Top Contributors:'''<br />
<br />
*Jim Manico<br />
*Yair Amit<br />
*Amin Lalji<br />
*OWASP Mobile Team<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs></headertabs> <br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Builders]] <br />
[[Category:OWASP_Defenders]] <br />
[[Category:OWASP_Document]]</div>Bernhard Muellerhttps://wiki.owasp.org/index.php?title=File:Bites.jpg&diff=230724File:Bites.jpg2017-06-16T16:04:43Z<p>Bernhard Mueller: </p>
<hr />
<div></div>Bernhard Muellerhttps://wiki.owasp.org/index.php?title=OWASP_Mobile_Security_Testing_Guide&diff=230723OWASP Mobile Security Testing Guide2017-06-16T16:01:51Z<p>Bernhard Mueller: Add summit preview</p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_MSTG_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==Our Vision ==<br />
<br />
=== '''"Define the industry standard for mobile application security."''' ===<br />
<br />
We are writing a security standard for mobile apps and a comprehensive testing guide that covers the processes, techniques, and tools used during a mobile app security test, as well as an exhaustive set of test cases that enables testers to deliver consistent and complete results.<br />
<br />
== Preview Release ==<br />
<br />
{| cellpadding="5"<br />
|-<br />
| [[File:mstg-mini-2.jpg|link=https://leanpub.com/mobile-security-testing-guide-preview]]<br />
| '''Mobile Security Testing Guide - OWASP Summit Preview'''<br />
The Summit Preview contains sample chapters on Android security testing and reverse engineering. Feel free to download it for $0 or contribute any amount you like. All funds raised through sales of this book go directly into the project budget and will be used to fund production of the final release.<br />
|}<br />
<br />
== Main Deliverables ==<br />
<br />
{| cellpadding="5"<br />
|-<br />
| [[File:mstg-mini-2.jpg|link=https://www.github.com/OWASP/owasp-mstg/]]<br />
| '''Mobile Security Testing Guide'''<br />
A comprehensive guide for iOS and Android mobile security testers with the following content:<br />
# Mobile platform internals<br />
# Security testing in the mobile app development lifecycle<br />
# Basic static and dynamic security testing<br />
# Mobile app reverse engineering and tampering<br />
# Assessing software protections<br />
# Detailed test cases that map to the requirements in the MASVS.<br />
The MSTG is a work-in-progress. Currently, we hope to be "feature-complete" in Q3 2017. You can contribute and comment in the [https://github.com/OWASP/owasp-mstg GitHub Repo]. A book version of the current master branch is available on [https://b-mueller.gitbooks.io/owasp-mobile-security-testing-guide/content/ Gitbook].<br />
|-<br />
| [[File:masvs-sample-mini.jpg|link=https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf]]<br />
| '''Mobile App Security Requirements and Verification'''<br />
The [https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf OWASP Mobile Application Security Verification Standard (MASVS)] is a standard for mobile app security. It can be used by mobile software architects and developers seeking to develop secure mobile applications, as well as security testers to ensure completeness and consistency of test results. The latest release is [https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf version 0.9.3].<br />
|-<br />
| [[File:checklist.jpg|link=https://www.owasp.org/images/1/1b/Mobile_App_Security_Checklist_0.9.3.xlsx]]<br />
| '''Mobile App Security Checklist'''<br />
A checklist for use in security assessments. Also contains links to the MSTG test case for each requirement. The current release is [https://www.owasp.org/images/1/1b/Mobile_App_Security_Checklist_0.9.3.xlsx version 0.9.3].<br />
|}<br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Breakers]] <br />
[[Category:OWASP_Document]]<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="center" width="50%" | [[File:Owasp-breakers-small.png|link=https://www.owasp.org/index.php/Breakers]]<br />
|<br />
|-<br />
| align="center" valign="center" width="50%" | <br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
== Project Leaders ==<br />
<br />
<span style="color:#ff0000"><br />
<br />
[https://www.owasp.org/index.php/User:Bernhard_Mueller Bernhard Mueller]<br />
<br />
[https://www.owasp.org/index.php/User:Sven_Schleier Sven Schleier]<br />
<br />
== Road Map ==<br />
<br />
* Q3 2017: Beta release<br />
* Q4 2017: Version 1.0<br />
* Q1 2018: Produce A Printable Book<br />
<br />
== Parent Project ==<br />
<br />
[[OWASP_Mobile_Security_Project]]<br />
<br />
==Licensing==<br />
<br />
The guide is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
|}<br />
<br />
=How-To=<br />
<br />
== Using the OWASP Mobile App Security Verification Standard, Testing Guide and Checklist ==<br />
<br />
The documents produced in this project cover many aspects of mobile application security, from the high-level requirements to the nitty-gritty implementation details and test cases. They can be used to plan and verify security controls during any phase of mobile app development, as well as during pre-release code review and penetration testing.<br />
<br />
# The [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf Mobile Application Security Verification Standard (MASVS)] contains generic security requirements along with mappings to verification levels that can be chosen depending on the overall need for security.<br />
# The [https://github.com/OWASP/owasp-mstg Mobile Security Testing Guide (MSTG)] provides verification instructions for each requirement in the MASVS, as well as security best practices for apps on each supported mobile operating system (currently Android and iOS). It is also useful as a standalone learning resource and reference guide for mobile application security testers.<br />
# The [https://www.owasp.org/images/6/6f/Mobile_App_Security_Checklist_0.9.2.xlsx Mobile App Security Checklist] can be used to apply the MASVS requirements during practical assessments. It also conveniently links to the MSTG test case for each requirement, making mobile penetration testing a breeze.<br />
<br />
It is important to note that the security standard, testing guide and checklists are closely related: They all map to the same basic set of requirements. Depending on the context, the documents can be used stand-alone or in combination to achieve different objectives.<br />
<br />
[[File:Overview-800px.jpg]]<br />
<br />
For example, the MASVS requirements may be used in the planning and architecture design stages, while the checklist and testing guide may serve as a baseline for manual security testing or as a template for automated security tests.<br />
<br />
== Mobile App Security Testing ==<br />
<br />
The [https://www.owasp.org/images/9/94/Mobile_App_Security_Verification_Checklist_0.8.2.xlsx checklist] works great as a reference during mobile app security assessments. You can walk through the requirements one-by-one - for more information on each requirement, simply click on the link in the "Testing procedures" column. Or, fill out the checklist at the end of an assessment to ensure completeness. <br />
<br />
== Security Engineering in the SDLC ==<br />
<br />
Properly defined security requirements are an important part of the Secure SDLC. The [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf MASVS] levels can be used along with threat modeling to determine the appropriate set of security controls for a particular mobile app. MASVS V1 also lists requirements pertaining to the architecture and design of the mobile apps, as well as general processes and activities that should be part of the development process.<br />
<br />
== Mobile App Security Education ==<br />
<br />
The [https://github.com/OWASP/owasp-mstg Mobile Security Testing Guide] can be used as a standalone learning resource. Its main chapters contain general how-tos and tutorials that cover a variety of topics from mobile OS internals to advanced reverse engineering techniques.<br />
<br />
=News=<br />
<br />
== New Release: The OWASP Mobile Security Testing Guide - Summit Preview ==<br />
<br />
The MSTG Summit Preview is an experimental proof-of-concept book created on the OWASP Summit 2017 in London. The goal was to improve the authoring process and book deployment pipeline, as well as to demonstrate the viability of the project. Note that the content is not final and will likely change significantly in subsequent releases.<br />
<br />
Download the ebook [https://github.com/OWASP/owasp-mstg/releases/download/1.0/owasp-mstg-summit-edition.epub here].<br />
<br />
== Mobile Security Testing Workshop on the OWASP Summit 2017 ==<br />
<br />
The OWASP MSTG team is organizing a 5-days mobile security track on the OWASP Summit 2017. The track consists of a series of book sprints, each of which focuses on producing content for a specific section in the OWASP MSTG, as well as proof-reading and editing the existing content. The goal is to make as much progress on the guide as is humanly possible. Depending on the number of participants, we’ll split into sub-groups to work on different subsections or topic areas.<br />
<br />
=== How to Join ===<br />
<br />
Join up for the working session(s) you like by following the link(s) on the [http://owaspsummit.org/Working-Sessions/Mobile-Security/ mobile security track page], then hitting the "Edit this page here" link at the bottom, and adding yourself to the "participants" field. Signing up is not mandatory, but helps us to better organize the sessions. Don’t worry though if your session of choice happens on the "wrong" day - you can always simply stop by and we’ll brief you on your topic of choice. After all, this is the Woodstock of appsec!<br />
<br />
Mobile security track main page:<br />
<br />
http://owaspsummit.org/Working-Sessions/Mobile-Security/<br />
<br />
Mobile security track schedule:<br />
<br />
http://owaspsummit.org/schedule/tracks/Mobile-Security.html/<br />
<br />
== April 5th, 2017: Mobile App Security Verification Standard Update ==<br />
<br />
[https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf Version 0.9.3] of the MASVS is now [https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf available for download] . This release contains several bug fixes and modifications to security requirements:<br />
<br />
* Merged requirements 7.8 and 7.9 into for simplification<br />
* Removed Anti-RE controls 8.1 and 8.2<br />
* Updated MSTG links to current master<br />
* Section "Environmental Interaction" renamed to "Platform Interaction"<br />
* Removed To-dos<br />
* Fixed some wording & spelling issues<br />
<br />
== January 31st, 2017: Mobile App Security Verification Standard v0.9.2 Available For Download ==<br />
<br />
The Mobile App Security Verification Standard (MASVS) has undergone a major revision, including a re-design of the security model and verification levels. We also revised many security requirements to address the multitude of [https://github.com/OWASP/owasp-masvs/issues?q=is%3Aissue%20 issues raised on GitHub]. The result is MASVS v0.9.2, which is now [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf available for download in PDF format].<br />
<br />
As the MASVS is nearing maturity, we have decided to freeze the requirements until the Mobile Testing Guide and checklists "catch up" (due to the one-to-one mapping between requirements in the MASVS and MSTG, changes to the requirements make it necessary to update the other documents as well, causing repeated effort). Unless major issues pop up, the current list will therefore remain in place until MASVS/MSTG v1.0, and further changes will be reserved for v1.1 or later releases.<br />
<br />
The MASVS is a community effort to establish security requirements for designing, developing and testing secure mobile apps on iOS and Android. Join the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel] to meet the project members! You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
== January 28th, 2017: Mobile Crackmes and Reversing Tutorials ==<br />
{| cellpadding="5"<br />
|-<br />
| [[File:uncrackable-250.png|link=]]<br />
| <br />
A key goal of the OWASP Mobile Testing Project is to build the ultimate learning resource and reference guide for mobile app reversers. As hands-on hacking is by far the best way to learn, we'd like to link most of the content to practical examples. <br />
<br />
Starting now, we'll be adding [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes crackmes for Android and iOS] to the [https://github.com/OWASP/owasp-mstg GitHub repo] that will then be used as examples throughout the guide. The goal is to collect enough resources for demonstrating the most important tools and techniques in our guide, plus additional crackmes for practicing. For starters there are three challenges:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/OMTG-Files/02_Crackmes/01_Android/01_License_Validation Android License Validator]<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes/iOS/Level_01/ Uncrackable App for iOS Level 1]<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes/iOS/Level_02/ Uncrackable App for iOS Level 2]<br />
<br />
|}<br />
<br />
One of these three already has a [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md#symbolicexec documented solution] in the guide. Tutorials for solving the other two [https://github.com/OWASP/owasp-mstg/blob/master/OMTG-Files/02_Crackmes/List_of_Crackmes.md still need to be added].<br />
<br />
=== We Need More Authors and Contributors! ===<br />
<br />
Maybe you have noticed that [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html the reverse engineering sections in the Mobile Testing Guide are incomplete]. The reason: We're still in the starting stages and don't have a lot of authors and contributors (in fact, 99% of the reversing content was produced by one guy). We'd love to welcome *you* as a contributor of crackmes, tutorials, writeups, or simply new ideas for this project. <br />
<br />
==== What You Can Do ====<br />
<br />
The OWASP MSTG is an open project and there's a lot of flexibility - it mostly depends on your skill set and willingness to commit your time. That said, the some areas that need help are:<br />
<br />
* Solving crackmes and contributing a tutorial to the guide (preferable a technique that's not already documented. Check the [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html TOC] first).<br />
* Writing and adding new crackmes along with solutions (should also describe something not already in the guide. Cracking white-boxes, dynamic analysis using an emulator / introspection, etc. etc.).<br />
* General reversing write-ups to describe specific processes and techniques<br />
* Help us figure out [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x07b-Assessing_Software_Protections.md resiliency testing processes] and [https://github.com/b-mueller/obfuscation-metrics obfuscation metrics]<br />
<br />
The reversing part of the guide consists of the following chapters:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05-Testing-Processes-and-Techniques.md#tampering-and-reverse-engineering Tampering and Reverse Engineering - General Overview]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md#tampering-and-reverse-engineering-on-android Tampering and Reverse Engineering on Android]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Reverse-Engineering-and-Tampering-iOS.md#tampering-and-reverse-engineering-on-ios Tampering and Reverse Engineering on iOS]<br />
<br />
==== How To Join ====<br />
<br />
Read the [https://github.com/OWASP/owasp-mstg/blob/master/authors_guide.md author's guide] first, and join the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel], where you'll find all the other project members. You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
== January 22nd, 2017: Mobile Testing Guide TOC Available ==<br />
<br />
As of now, we'll be auto-generating a [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html table of contents] out of the current MSTG master branch. This reflects the current state of the guide, and should make it easier to coordinate work between authors. A short-term goal is to finalize the structure of the guide so we get a clearer picture of what will be included in the final document. Lead authors are encouraged to complete the outline of their respective chapters. <br />
<br />
'''On another note, we still need additional authors to help with all sections of the guide, including mobile operating system overviews, testing processes and techniques, and reverse engineering.''' Especially iOS authors are in short supply! As usual, ping us on the [https://owasp.slack.com/messages/project-mobile_omtg/details/ Slack Channel] if you want to contribute.<br />
<br />
== December 4th, 2016: Call For Authors: The Ultimate Open-Source Mobile App Reverse Engineering Guide ==<br />
<br />
Reverse engineering is an art, and describing every available facet of it would fill a whole library. The sheer range techniques and possible specializations is mind-blowing: One can spend years working on a very specific, isolated sub-problem, such as automating malware analysis or developing novel de-obfuscation methods. For mobile app security testers, it can be challenging to filter through the vast amount of information and build a working methodology. Things become even more problematic when one is tasked to assess apps that are heavily obfuscated and have anti-tampering measures built in.<br />
<br />
One of the main goals in the MSTG is to build the ultimate resource for mobile reverse engineers. This includes not only basic static and dynamic analysis, but also advanced de-obfuscation, scripting and automation. Obviously, writing all this content is a lot of work, both in terms of general content and OS-specific how-tos. We're therefore looking for talented authors that want to join the project early on. Topics include the following:<br />
<br />
* Basic Hybrid Static/Dynamic Analysis<br />
* Code Injection and Dynamic Instrumentation (Substrate, FRIDA)<br />
* Dynamic Binary Instrumentation (Valgrind, PIE)<br />
* Analysis Frameworks (Metasm / Miasm)<br />
* Symbolic Execution<br />
* DCA and DPA attacks on white-box crypto<br />
* Dynamic analysis frameworks (PANDA / DroidScope,...)<br />
* Anything else we might have missed<br />
<br />
=== What is in for me? ===<br />
<br />
All of this is unpaid, volunteer work. However, depending on your contribution, you will be named in the "lead authors" or "contributors" list, and you'll be able to point to the fact that you co-authored the guide. You'll also be contributing to the field, helping others who are just starting out, and in turn becoming a happier person yourself (reaping the full benefits of your altruism).<br />
<br />
=== Where do I sign up? ===<br />
<br />
First of all, have a look at the existing RE chapters outline:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05-Testing-Processes-and-Techniques.md#tampering-and-reverse-engineering Generic / Introduction]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md Android]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Reverse-Engineering-and-Tampering-iOS.md#tampering-and-reverse-engineering-on-ios iOS]<br />
<br />
You'll probably immediately have ideas on how you can contribute. If that's the case, read the [https://github.com/OWASP/owasp-mstg/blob/master/authors_guide.md author's guide] first. <br />
<br />
Then contact [https://github.com/b-mueller Bernhard Mueller] - ideally directly on the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel], where you'll find all the other project members. You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
=FAQs=<br />
<br />
==How can I participate in your project?==<br />
<br />
'''We are searching for additional authors, reviewers and editors.''' The best way to get started is to browse the [https://b-mueller.gitbooks.io/owasp-mobile-security-testing-guide/content/ existing content]. Also, check the [https://github.com/OWASP/owasp-mstg/projects/1 project dashboard] for a list of open tasks.<br />
<br />
Drop a us line on the [https://owasp.slack.com/messages/project-mobile_omtg/details/) Slack channel] before you start working on a topic. This helps us to keep track of what everyone is doing and prevent conflicts. You can create a Slack account here:<br />
<br />
http://owasp.herokuapp.com/<br />
<br />
Before you start contributing, please read our brief [https://github.com/OWASP/owasp-mstg/blob/master/style_guide.md style guide] which contains a few basic writing rules.<br />
<br />
If there's something you really want to see in the guide, or you want to suggest an improvement, create an issue [https://github.com/OWASP/owasp-mstg/issues issue] or ping us on [https://owasp.slack.com/messages/project-mobile_omtg/details/ Slack].<br />
<br />
==Where do you guys need help the most?==<br />
<br />
There's a lot of areas where you can help out:<br />
<br />
* Writing original content, such as describing testing processes and writing test cases. We're all doing this in our spare time, which unfortunately means that things sometimes slow down to a crawl. If you're knowledgeable in some area and have time available, we'd be incredibly thankful to anyone who contributes, even if it's only one or two test cases.<br />
<br />
* Reviewing content and giving feedback. The proper channel for questions and feedback is the GitHub issues system of the respective repo, contacting us on [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel] is another possibility.<br />
<br />
* Developing tools. For example, we still don't have an automated way of generating checklists out of the GitHub repo.<br />
<br />
* Contributing to auxiliary projects: The [https://github.com/b-mueller/obfuscation-metrics obfuscation metrics project] is an auxiliary project that deals with specific forms of control flow and data obfuscation. This project needs experts in advanced obfuscation / de-obfuscation. Please contact us if you have experience in this area.<br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator.<br />
<br />
==I contributed to the original Google Doc, but I'm not credited in the new version of the MSTG? ==<br />
As we migrated some of the existing content, we did our best to backtrack the original authors and credit them appropriately. We also added a [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x02-Frontispiece.md revision history] that lists all the authors from old Google Docs. If you are not on that list but feel you should be, please contact [https://github.com/b-mueller Bernhard] or [https://github.com/sushi2k Sven] and they'll fix it. Or better yet, re-join the author's team and start contributing to the new guide.<br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
The Mobile Security Testing Guide was initiated by [https://www.owasp.org/index.php/User:Milan_Singh_Thakur Milan Singh Thakur] in 2015. The original document was hosted on Google Drive. Guide development was moved to GitHub in October 2016. Below is the full list of contributors for each revision.<br />
<br />
=== MSTG in its current form ===<br />
<br />
'''Authors:'''<br />
<br />
* Bernhard Mueller<br />
* Sven Schleier<br />
<br />
'''Co-Authors:'''<br />
* Romuald Szkudlarek<br />
<br />
'''Top Contributors:'''<br />
* Francesco Stillavato<br />
* Pawel Rzepa<br />
* Henry Hoggard<br />
* Abdessamad Temmar<br />
* Slawomir Kosowski<br />
<br />
'''Contributors:'''<br />
* Andreas Happe<br />
* Wen Bin Kong<br />
* Jin Kung Ong<br />
* Gerhard Wagner<br />
* Michael Helwig<br />
* Jeroen Willemsen<br />
* Alexander Antukh<br />
* Ryan Teoh<br />
* Daniel Ramirez Martin<br />
* Claudio André<br />
* Prathan Phongthiproek<br />
* Luander Ribeiro<br />
* Dharshin De Silva<br />
* Oguzhan Topgul<br />
* Pishu Mahtani<br />
* Anuruddha (L3Osi13nT)<br />
<br />
'''Reviewers:''' Anant Shrivastava<br />
<br />
This list includes everyone who committed 50+ lines of content. The full list of contributors is [https://github.com/OWASP/owasp-mstg/graphs/contributors available on GitHub].<br />
<br />
=== MSTG "Beta 2" on Google Drive ===<br />
<br />
'''Authors:'''<br />
<br />
* Mirza Ali<br />
* Stephen Corbiaux<br />
* Ryan Dewhurst<br />
* Mohammad Hamed Dadpour<br />
* David Fern<br />
* Ali Yazdani<br />
* Bao Lee<br />
* Anto Joseph<br />
* Nutan Kumar Panda<br />
* Rahil Parikh<br />
* Julian Schütte<br />
* Abhinav Sejpal<br />
* Anant Shrivastava<br />
* Pragati Singh<br />
* Milan Singh Thakur<br />
* Stephanie Vanroelen<br />
* Gerhard Wagner<br />
<br />
'''Reviewers:'''<br />
<br />
* Andrew Muller<br />
* Jonathan Carter<br />
* Stephanie Vanroelen<br />
* Milan Singh Thakur<br />
<br />
=== MSTG "Beta 1" on Google Drive ===<br />
<br />
'''Authors:''' <br />
<br />
*Mirza Ali <br />
*Mohammad Hamed Dadpour<br />
*David Fern<br />
*Rahil Parikh<br />
*Abhinav Sejpal<br />
*Pragati Singh<br />
*Milan Singh Thakur<br />
<br />
'''Reviewers:'''<br />
<br />
*Andrew Muller<br />
*Jonathan Carter<br />
<br />
'''Top Contributors:'''<br />
<br />
*Jim Manico<br />
*Yair Amit<br />
*Amin Lalji<br />
*OWASP Mobile Team<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs></headertabs> <br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Builders]] <br />
[[Category:OWASP_Defenders]] <br />
[[Category:OWASP_Document]]</div>Bernhard Muellerhttps://wiki.owasp.org/index.php?title=OWASP_Mobile_Security_Testing_Guide&diff=230709OWASP Mobile Security Testing Guide2017-06-16T11:49:44Z<p>Bernhard Mueller: /* New Release: The OWASP Mobile Security Testing Guide - Summit Preview */</p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_MSTG_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==Our Vision ==<br />
<br />
=== '''"Define the industry standard for mobile application security."''' ===<br />
<br />
We are writing a security standard for mobile apps and a comprehensive testing guide that covers the processes, techniques, and tools used during a mobile app security test, as well as an exhaustive set of test cases that enables testers to deliver consistent and complete results.<br />
<br />
== Main Deliverables ==<br />
<br />
{| cellpadding="5"<br />
|-<br />
| [[File:mstg-mini-2.jpg|link=https://www.github.com/OWASP/owasp-mstg/]]<br />
| '''Mobile Security Testing Guide'''<br />
A comprehensive guide for iOS and Android mobile security testers with the following content:<br />
# Mobile platform internals<br />
# Security testing in the mobile app development lifecycle<br />
# Basic static and dynamic security testing<br />
# Mobile app reverse engineering and tampering<br />
# Assessing software protections<br />
# Detailed test cases that map to the requirements in the MASVS.<br />
The MSTG is a work-in-progress. Currently, we hope to be "feature-complete" in Q3 2017. You can contribute and comment in the [https://github.com/OWASP/owasp-mstg GitHub Repo]. A book version of the current master branch is available on [https://b-mueller.gitbooks.io/owasp-mobile-security-testing-guide/content/ Gitbook].<br />
|-<br />
| [[File:masvs-sample-mini.jpg|link=https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf]]<br />
| '''Mobile App Security Requirements and Verification'''<br />
The [https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf OWASP Mobile Application Security Verification Standard (MASVS)] is a standard for mobile app security. It can be used by mobile software architects and developers seeking to develop secure mobile applications, as well as security testers to ensure completeness and consistency of test results. The latest release is [https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf version 0.9.3].<br />
|-<br />
| [[File:checklist.jpg|link=https://www.owasp.org/images/1/1b/Mobile_App_Security_Checklist_0.9.3.xlsx]]<br />
| '''Mobile App Security Checklist'''<br />
A checklist for use in security assessments. Also contains links to the MSTG test case for each requirement. The current release is [https://www.owasp.org/images/1/1b/Mobile_App_Security_Checklist_0.9.3.xlsx version 0.9.3].<br />
|}<br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Breakers]] <br />
[[Category:OWASP_Document]]<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="center" width="50%" | [[File:Owasp-breakers-small.png|link=https://www.owasp.org/index.php/Breakers]]<br />
|<br />
|-<br />
| align="center" valign="center" width="50%" | <br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
== Project Leaders ==<br />
<br />
<span style="color:#ff0000"><br />
<br />
[https://www.owasp.org/index.php/User:Bernhard_Mueller Bernhard Mueller]<br />
<br />
[https://www.owasp.org/index.php/User:Sven_Schleier Sven Schleier]<br />
<br />
== Road Map ==<br />
<br />
* Q3 2017: Beta release<br />
* Q4 2017: Version 1.0<br />
* Q1 2018: Produce A Printable Book<br />
<br />
== Parent Project ==<br />
<br />
[[OWASP_Mobile_Security_Project]]<br />
<br />
==Licensing==<br />
<br />
The guide is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
|}<br />
<br />
=How-To=<br />
<br />
== Using the OWASP Mobile App Security Verification Standard, Testing Guide and Checklist ==<br />
<br />
The documents produced in this project cover many aspects of mobile application security, from the high-level requirements to the nitty-gritty implementation details and test cases. They can be used to plan and verify security controls during any phase of mobile app development, as well as during pre-release code review and penetration testing.<br />
<br />
# The [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf Mobile Application Security Verification Standard (MASVS)] contains generic security requirements along with mappings to verification levels that can be chosen depending on the overall need for security.<br />
# The [https://github.com/OWASP/owasp-mstg Mobile Security Testing Guide (MSTG)] provides verification instructions for each requirement in the MASVS, as well as security best practices for apps on each supported mobile operating system (currently Android and iOS). It is also useful as a standalone learning resource and reference guide for mobile application security testers.<br />
# The [https://www.owasp.org/images/6/6f/Mobile_App_Security_Checklist_0.9.2.xlsx Mobile App Security Checklist] can be used to apply the MASVS requirements during practical assessments. It also conveniently links to the MSTG test case for each requirement, making mobile penetration testing a breeze.<br />
<br />
It is important to note that the security standard, testing guide and checklists are closely related: They all map to the same basic set of requirements. Depending on the context, the documents can be used stand-alone or in combination to achieve different objectives.<br />
<br />
[[File:Overview-800px.jpg]]<br />
<br />
For example, the MASVS requirements may be used in the planning and architecture design stages, while the checklist and testing guide may serve as a baseline for manual security testing or as a template for automated security tests.<br />
<br />
== Mobile App Security Testing ==<br />
<br />
The [https://www.owasp.org/images/9/94/Mobile_App_Security_Verification_Checklist_0.8.2.xlsx checklist] works great as a reference during mobile app security assessments. You can walk through the requirements one-by-one - for more information on each requirement, simply click on the link in the "Testing procedures" column. Or, fill out the checklist at the end of an assessment to ensure completeness. <br />
<br />
== Security Engineering in the SDLC ==<br />
<br />
Properly defined security requirements are an important part of the Secure SDLC. The [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf MASVS] levels can be used along with threat modeling to determine the appropriate set of security controls for a particular mobile app. MASVS V1 also lists requirements pertaining to the architecture and design of the mobile apps, as well as general processes and activities that should be part of the development process.<br />
<br />
== Mobile App Security Education ==<br />
<br />
The [https://github.com/OWASP/owasp-mstg Mobile Security Testing Guide] can be used as a standalone learning resource. Its main chapters contain general how-tos and tutorials that cover a variety of topics from mobile OS internals to advanced reverse engineering techniques.<br />
<br />
=News=<br />
<br />
== New Release: The OWASP Mobile Security Testing Guide - Summit Preview ==<br />
<br />
The MSTG Summit Preview is an experimental proof-of-concept book created on the OWASP Summit 2017 in London. The goal was to improve the authoring process and book deployment pipeline, as well as to demonstrate the viability of the project. Note that the content is not final and will likely change significantly in subsequent releases.<br />
<br />
Download the ebook [https://github.com/OWASP/owasp-mstg/releases/download/1.0/owasp-mstg-summit-edition.epub here].<br />
<br />
== Mobile Security Testing Workshop on the OWASP Summit 2017 ==<br />
<br />
The OWASP MSTG team is organizing a 5-days mobile security track on the OWASP Summit 2017. The track consists of a series of book sprints, each of which focuses on producing content for a specific section in the OWASP MSTG, as well as proof-reading and editing the existing content. The goal is to make as much progress on the guide as is humanly possible. Depending on the number of participants, we’ll split into sub-groups to work on different subsections or topic areas.<br />
<br />
=== How to Join ===<br />
<br />
Join up for the working session(s) you like by following the link(s) on the [http://owaspsummit.org/Working-Sessions/Mobile-Security/ mobile security track page], then hitting the "Edit this page here" link at the bottom, and adding yourself to the "participants" field. Signing up is not mandatory, but helps us to better organize the sessions. Don’t worry though if your session of choice happens on the "wrong" day - you can always simply stop by and we’ll brief you on your topic of choice. After all, this is the Woodstock of appsec!<br />
<br />
Mobile security track main page:<br />
<br />
http://owaspsummit.org/Working-Sessions/Mobile-Security/<br />
<br />
Mobile security track schedule:<br />
<br />
http://owaspsummit.org/schedule/tracks/Mobile-Security.html/<br />
<br />
== April 5th, 2017: Mobile App Security Verification Standard Update ==<br />
<br />
[https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf Version 0.9.3] of the MASVS is now [https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf available for download] . This release contains several bug fixes and modifications to security requirements:<br />
<br />
* Merged requirements 7.8 and 7.9 into for simplification<br />
* Removed Anti-RE controls 8.1 and 8.2<br />
* Updated MSTG links to current master<br />
* Section "Environmental Interaction" renamed to "Platform Interaction"<br />
* Removed To-dos<br />
* Fixed some wording & spelling issues<br />
<br />
== January 31st, 2017: Mobile App Security Verification Standard v0.9.2 Available For Download ==<br />
<br />
The Mobile App Security Verification Standard (MASVS) has undergone a major revision, including a re-design of the security model and verification levels. We also revised many security requirements to address the multitude of [https://github.com/OWASP/owasp-masvs/issues?q=is%3Aissue%20 issues raised on GitHub]. The result is MASVS v0.9.2, which is now [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf available for download in PDF format].<br />
<br />
As the MASVS is nearing maturity, we have decided to freeze the requirements until the Mobile Testing Guide and checklists "catch up" (due to the one-to-one mapping between requirements in the MASVS and MSTG, changes to the requirements make it necessary to update the other documents as well, causing repeated effort). Unless major issues pop up, the current list will therefore remain in place until MASVS/MSTG v1.0, and further changes will be reserved for v1.1 or later releases.<br />
<br />
The MASVS is a community effort to establish security requirements for designing, developing and testing secure mobile apps on iOS and Android. Join the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel] to meet the project members! You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
== January 28th, 2017: Mobile Crackmes and Reversing Tutorials ==<br />
{| cellpadding="5"<br />
|-<br />
| [[File:uncrackable-250.png|link=]]<br />
| <br />
A key goal of the OWASP Mobile Testing Project is to build the ultimate learning resource and reference guide for mobile app reversers. As hands-on hacking is by far the best way to learn, we'd like to link most of the content to practical examples. <br />
<br />
Starting now, we'll be adding [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes crackmes for Android and iOS] to the [https://github.com/OWASP/owasp-mstg GitHub repo] that will then be used as examples throughout the guide. The goal is to collect enough resources for demonstrating the most important tools and techniques in our guide, plus additional crackmes for practicing. For starters there are three challenges:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/OMTG-Files/02_Crackmes/01_Android/01_License_Validation Android License Validator]<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes/iOS/Level_01/ Uncrackable App for iOS Level 1]<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes/iOS/Level_02/ Uncrackable App for iOS Level 2]<br />
<br />
|}<br />
<br />
One of these three already has a [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md#symbolicexec documented solution] in the guide. Tutorials for solving the other two [https://github.com/OWASP/owasp-mstg/blob/master/OMTG-Files/02_Crackmes/List_of_Crackmes.md still need to be added].<br />
<br />
=== We Need More Authors and Contributors! ===<br />
<br />
Maybe you have noticed that [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html the reverse engineering sections in the Mobile Testing Guide are incomplete]. The reason: We're still in the starting stages and don't have a lot of authors and contributors (in fact, 99% of the reversing content was produced by one guy). We'd love to welcome *you* as a contributor of crackmes, tutorials, writeups, or simply new ideas for this project. <br />
<br />
==== What You Can Do ====<br />
<br />
The OWASP MSTG is an open project and there's a lot of flexibility - it mostly depends on your skill set and willingness to commit your time. That said, the some areas that need help are:<br />
<br />
* Solving crackmes and contributing a tutorial to the guide (preferable a technique that's not already documented. Check the [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html TOC] first).<br />
* Writing and adding new crackmes along with solutions (should also describe something not already in the guide. Cracking white-boxes, dynamic analysis using an emulator / introspection, etc. etc.).<br />
* General reversing write-ups to describe specific processes and techniques<br />
* Help us figure out [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x07b-Assessing_Software_Protections.md resiliency testing processes] and [https://github.com/b-mueller/obfuscation-metrics obfuscation metrics]<br />
<br />
The reversing part of the guide consists of the following chapters:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05-Testing-Processes-and-Techniques.md#tampering-and-reverse-engineering Tampering and Reverse Engineering - General Overview]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md#tampering-and-reverse-engineering-on-android Tampering and Reverse Engineering on Android]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Reverse-Engineering-and-Tampering-iOS.md#tampering-and-reverse-engineering-on-ios Tampering and Reverse Engineering on iOS]<br />
<br />
==== How To Join ====<br />
<br />
Read the [https://github.com/OWASP/owasp-mstg/blob/master/authors_guide.md author's guide] first, and join the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel], where you'll find all the other project members. You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
== January 22nd, 2017: Mobile Testing Guide TOC Available ==<br />
<br />
As of now, we'll be auto-generating a [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html table of contents] out of the current MSTG master branch. This reflects the current state of the guide, and should make it easier to coordinate work between authors. A short-term goal is to finalize the structure of the guide so we get a clearer picture of what will be included in the final document. Lead authors are encouraged to complete the outline of their respective chapters. <br />
<br />
'''On another note, we still need additional authors to help with all sections of the guide, including mobile operating system overviews, testing processes and techniques, and reverse engineering.''' Especially iOS authors are in short supply! As usual, ping us on the [https://owasp.slack.com/messages/project-mobile_omtg/details/ Slack Channel] if you want to contribute.<br />
<br />
== December 4th, 2016: Call For Authors: The Ultimate Open-Source Mobile App Reverse Engineering Guide ==<br />
<br />
Reverse engineering is an art, and describing every available facet of it would fill a whole library. The sheer range techniques and possible specializations is mind-blowing: One can spend years working on a very specific, isolated sub-problem, such as automating malware analysis or developing novel de-obfuscation methods. For mobile app security testers, it can be challenging to filter through the vast amount of information and build a working methodology. Things become even more problematic when one is tasked to assess apps that are heavily obfuscated and have anti-tampering measures built in.<br />
<br />
One of the main goals in the MSTG is to build the ultimate resource for mobile reverse engineers. This includes not only basic static and dynamic analysis, but also advanced de-obfuscation, scripting and automation. Obviously, writing all this content is a lot of work, both in terms of general content and OS-specific how-tos. We're therefore looking for talented authors that want to join the project early on. Topics include the following:<br />
<br />
* Basic Hybrid Static/Dynamic Analysis<br />
* Code Injection and Dynamic Instrumentation (Substrate, FRIDA)<br />
* Dynamic Binary Instrumentation (Valgrind, PIE)<br />
* Analysis Frameworks (Metasm / Miasm)<br />
* Symbolic Execution<br />
* DCA and DPA attacks on white-box crypto<br />
* Dynamic analysis frameworks (PANDA / DroidScope,...)<br />
* Anything else we might have missed<br />
<br />
=== What is in for me? ===<br />
<br />
All of this is unpaid, volunteer work. However, depending on your contribution, you will be named in the "lead authors" or "contributors" list, and you'll be able to point to the fact that you co-authored the guide. You'll also be contributing to the field, helping others who are just starting out, and in turn becoming a happier person yourself (reaping the full benefits of your altruism).<br />
<br />
=== Where do I sign up? ===<br />
<br />
First of all, have a look at the existing RE chapters outline:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05-Testing-Processes-and-Techniques.md#tampering-and-reverse-engineering Generic / Introduction]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md Android]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Reverse-Engineering-and-Tampering-iOS.md#tampering-and-reverse-engineering-on-ios iOS]<br />
<br />
You'll probably immediately have ideas on how you can contribute. If that's the case, read the [https://github.com/OWASP/owasp-mstg/blob/master/authors_guide.md author's guide] first. <br />
<br />
Then contact [https://github.com/b-mueller Bernhard Mueller] - ideally directly on the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel], where you'll find all the other project members. You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
=FAQs=<br />
<br />
==How can I participate in your project?==<br />
<br />
'''We are searching for additional authors, reviewers and editors.''' The best way to get started is to browse the [https://b-mueller.gitbooks.io/owasp-mobile-security-testing-guide/content/ existing content]. Also, check the [https://github.com/OWASP/owasp-mstg/projects/1 project dashboard] for a list of open tasks.<br />
<br />
Drop a us line on the [https://owasp.slack.com/messages/project-mobile_omtg/details/) Slack channel] before you start working on a topic. This helps us to keep track of what everyone is doing and prevent conflicts. You can create a Slack account here:<br />
<br />
http://owasp.herokuapp.com/<br />
<br />
Before you start contributing, please read our brief [https://github.com/OWASP/owasp-mstg/blob/master/style_guide.md style guide] which contains a few basic writing rules.<br />
<br />
If there's something you really want to see in the guide, or you want to suggest an improvement, create an issue [https://github.com/OWASP/owasp-mstg/issues issue] or ping us on [https://owasp.slack.com/messages/project-mobile_omtg/details/ Slack].<br />
<br />
==Where do you guys need help the most?==<br />
<br />
There's a lot of areas where you can help out:<br />
<br />
* Writing original content, such as describing testing processes and writing test cases. We're all doing this in our spare time, which unfortunately means that things sometimes slow down to a crawl. If you're knowledgeable in some area and have time available, we'd be incredibly thankful to anyone who contributes, even if it's only one or two test cases.<br />
<br />
* Reviewing content and giving feedback. The proper channel for questions and feedback is the GitHub issues system of the respective repo, contacting us on [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel] is another possibility.<br />
<br />
* Developing tools. For example, we still don't have an automated way of generating checklists out of the GitHub repo.<br />
<br />
* Contributing to auxiliary projects: The [https://github.com/b-mueller/obfuscation-metrics obfuscation metrics project] is an auxiliary project that deals with specific forms of control flow and data obfuscation. This project needs experts in advanced obfuscation / de-obfuscation. Please contact us if you have experience in this area.<br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator.<br />
<br />
==I contributed to the original Google Doc, but I'm not credited in the new version of the MSTG? ==<br />
As we migrated some of the existing content, we did our best to backtrack the original authors and credit them appropriately. We also added a [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x02-Frontispiece.md revision history] that lists all the authors from old Google Docs. If you are not on that list but feel you should be, please contact [https://github.com/b-mueller Bernhard] or [https://github.com/sushi2k Sven] and they'll fix it. Or better yet, re-join the author's team and start contributing to the new guide.<br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
The Mobile Security Testing Guide was initiated by [https://www.owasp.org/index.php/User:Milan_Singh_Thakur Milan Singh Thakur] in 2015. The original document was hosted on Google Drive. Guide development was moved to GitHub in October 2016. Below is the full list of contributors for each revision.<br />
<br />
=== MSTG in its current form ===<br />
<br />
'''Authors:'''<br />
<br />
* Bernhard Mueller<br />
* Sven Schleier<br />
<br />
'''Co-Authors:'''<br />
* Romuald Szkudlarek<br />
<br />
'''Top Contributors:'''<br />
* Francesco Stillavato<br />
* Pawel Rzepa<br />
* Henry Hoggard<br />
* Abdessamad Temmar<br />
* Slawomir Kosowski<br />
<br />
'''Contributors:'''<br />
* Andreas Happe<br />
* Wen Bin Kong<br />
* Jin Kung Ong<br />
* Gerhard Wagner<br />
* Michael Helwig<br />
* Jeroen Willemsen<br />
* Alexander Antukh<br />
* Ryan Teoh<br />
* Daniel Ramirez Martin<br />
* Claudio André<br />
* Prathan Phongthiproek<br />
* Luander Ribeiro<br />
* Dharshin De Silva<br />
* Oguzhan Topgul<br />
* Pishu Mahtani<br />
* Anuruddha (L3Osi13nT)<br />
<br />
'''Reviewers:''' Anant Shrivastava<br />
<br />
This list includes everyone who committed 50+ lines of content. The full list of contributors is [https://github.com/OWASP/owasp-mstg/graphs/contributors available on GitHub].<br />
<br />
=== MSTG "Beta 2" on Google Drive ===<br />
<br />
'''Authors:'''<br />
<br />
* Mirza Ali<br />
* Stephen Corbiaux<br />
* Ryan Dewhurst<br />
* Mohammad Hamed Dadpour<br />
* David Fern<br />
* Ali Yazdani<br />
* Bao Lee<br />
* Anto Joseph<br />
* Nutan Kumar Panda<br />
* Rahil Parikh<br />
* Julian Schütte<br />
* Abhinav Sejpal<br />
* Anant Shrivastava<br />
* Pragati Singh<br />
* Milan Singh Thakur<br />
* Stephanie Vanroelen<br />
* Gerhard Wagner<br />
<br />
'''Reviewers:'''<br />
<br />
* Andrew Muller<br />
* Jonathan Carter<br />
* Stephanie Vanroelen<br />
* Milan Singh Thakur<br />
<br />
=== MSTG "Beta 1" on Google Drive ===<br />
<br />
'''Authors:''' <br />
<br />
*Mirza Ali <br />
*Mohammad Hamed Dadpour<br />
*David Fern<br />
*Rahil Parikh<br />
*Abhinav Sejpal<br />
*Pragati Singh<br />
*Milan Singh Thakur<br />
<br />
'''Reviewers:'''<br />
<br />
*Andrew Muller<br />
*Jonathan Carter<br />
<br />
'''Top Contributors:'''<br />
<br />
*Jim Manico<br />
*Yair Amit<br />
*Amin Lalji<br />
*OWASP Mobile Team<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs></headertabs> <br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Builders]] <br />
[[Category:OWASP_Defenders]] <br />
[[Category:OWASP_Document]]</div>Bernhard Muellerhttps://wiki.owasp.org/index.php?title=OWASP_Mobile_Security_Testing_Guide&diff=230708OWASP Mobile Security Testing Guide2017-06-16T11:43:32Z<p>Bernhard Mueller: </p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_MSTG_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==Our Vision ==<br />
<br />
=== '''"Define the industry standard for mobile application security."''' ===<br />
<br />
We are writing a security standard for mobile apps and a comprehensive testing guide that covers the processes, techniques, and tools used during a mobile app security test, as well as an exhaustive set of test cases that enables testers to deliver consistent and complete results.<br />
<br />
== Main Deliverables ==<br />
<br />
{| cellpadding="5"<br />
|-<br />
| [[File:mstg-mini-2.jpg|link=https://www.github.com/OWASP/owasp-mstg/]]<br />
| '''Mobile Security Testing Guide'''<br />
A comprehensive guide for iOS and Android mobile security testers with the following content:<br />
# Mobile platform internals<br />
# Security testing in the mobile app development lifecycle<br />
# Basic static and dynamic security testing<br />
# Mobile app reverse engineering and tampering<br />
# Assessing software protections<br />
# Detailed test cases that map to the requirements in the MASVS.<br />
The MSTG is a work-in-progress. Currently, we hope to be "feature-complete" in Q3 2017. You can contribute and comment in the [https://github.com/OWASP/owasp-mstg GitHub Repo]. A book version of the current master branch is available on [https://b-mueller.gitbooks.io/owasp-mobile-security-testing-guide/content/ Gitbook].<br />
|-<br />
| [[File:masvs-sample-mini.jpg|link=https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf]]<br />
| '''Mobile App Security Requirements and Verification'''<br />
The [https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf OWASP Mobile Application Security Verification Standard (MASVS)] is a standard for mobile app security. It can be used by mobile software architects and developers seeking to develop secure mobile applications, as well as security testers to ensure completeness and consistency of test results. The latest release is [https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf version 0.9.3].<br />
|-<br />
| [[File:checklist.jpg|link=https://www.owasp.org/images/1/1b/Mobile_App_Security_Checklist_0.9.3.xlsx]]<br />
| '''Mobile App Security Checklist'''<br />
A checklist for use in security assessments. Also contains links to the MSTG test case for each requirement. The current release is [https://www.owasp.org/images/1/1b/Mobile_App_Security_Checklist_0.9.3.xlsx version 0.9.3].<br />
|}<br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Breakers]] <br />
[[Category:OWASP_Document]]<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="center" width="50%" | [[File:Owasp-breakers-small.png|link=https://www.owasp.org/index.php/Breakers]]<br />
|<br />
|-<br />
| align="center" valign="center" width="50%" | <br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
== Project Leaders ==<br />
<br />
<span style="color:#ff0000"><br />
<br />
[https://www.owasp.org/index.php/User:Bernhard_Mueller Bernhard Mueller]<br />
<br />
[https://www.owasp.org/index.php/User:Sven_Schleier Sven Schleier]<br />
<br />
== Road Map ==<br />
<br />
* Q3 2017: Beta release<br />
* Q4 2017: Version 1.0<br />
* Q1 2018: Produce A Printable Book<br />
<br />
== Parent Project ==<br />
<br />
[[OWASP_Mobile_Security_Project]]<br />
<br />
==Licensing==<br />
<br />
The guide is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
|}<br />
<br />
=How-To=<br />
<br />
== Using the OWASP Mobile App Security Verification Standard, Testing Guide and Checklist ==<br />
<br />
The documents produced in this project cover many aspects of mobile application security, from the high-level requirements to the nitty-gritty implementation details and test cases. They can be used to plan and verify security controls during any phase of mobile app development, as well as during pre-release code review and penetration testing.<br />
<br />
# The [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf Mobile Application Security Verification Standard (MASVS)] contains generic security requirements along with mappings to verification levels that can be chosen depending on the overall need for security.<br />
# The [https://github.com/OWASP/owasp-mstg Mobile Security Testing Guide (MSTG)] provides verification instructions for each requirement in the MASVS, as well as security best practices for apps on each supported mobile operating system (currently Android and iOS). It is also useful as a standalone learning resource and reference guide for mobile application security testers.<br />
# The [https://www.owasp.org/images/6/6f/Mobile_App_Security_Checklist_0.9.2.xlsx Mobile App Security Checklist] can be used to apply the MASVS requirements during practical assessments. It also conveniently links to the MSTG test case for each requirement, making mobile penetration testing a breeze.<br />
<br />
It is important to note that the security standard, testing guide and checklists are closely related: They all map to the same basic set of requirements. Depending on the context, the documents can be used stand-alone or in combination to achieve different objectives.<br />
<br />
[[File:Overview-800px.jpg]]<br />
<br />
For example, the MASVS requirements may be used in the planning and architecture design stages, while the checklist and testing guide may serve as a baseline for manual security testing or as a template for automated security tests.<br />
<br />
== Mobile App Security Testing ==<br />
<br />
The [https://www.owasp.org/images/9/94/Mobile_App_Security_Verification_Checklist_0.8.2.xlsx checklist] works great as a reference during mobile app security assessments. You can walk through the requirements one-by-one - for more information on each requirement, simply click on the link in the "Testing procedures" column. Or, fill out the checklist at the end of an assessment to ensure completeness. <br />
<br />
== Security Engineering in the SDLC ==<br />
<br />
Properly defined security requirements are an important part of the Secure SDLC. The [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf MASVS] levels can be used along with threat modeling to determine the appropriate set of security controls for a particular mobile app. MASVS V1 also lists requirements pertaining to the architecture and design of the mobile apps, as well as general processes and activities that should be part of the development process.<br />
<br />
== Mobile App Security Education ==<br />
<br />
The [https://github.com/OWASP/owasp-mstg Mobile Security Testing Guide] can be used as a standalone learning resource. Its main chapters contain general how-tos and tutorials that cover a variety of topics from mobile OS internals to advanced reverse engineering techniques.<br />
<br />
=News=<br />
<br />
== New Release: The OWASP Mobile Security Testing Guide - Summit Preview ==<br />
<br />
The MSTG Summit Preview is an experimental proof-of-concept book created on the OWASP Summit 2017 in London. The goal was to improve the authoring process and book deployment pipeline, as well as to demonstrate the viability of the project. Note that the content is not final and will likely change significantly in subsequent releases.<br />
<br />
Download the ebook [https://github.com/OWASP/owasp-mstg/releases/download/1.0/OWASP-Mobile-Testing-Guide-Summit-Edition.epub here].<br />
<br />
== Mobile Security Testing Workshop on the OWASP Summit 2017 ==<br />
<br />
The OWASP MSTG team is organizing a 5-days mobile security track on the OWASP Summit 2017. The track consists of a series of book sprints, each of which focuses on producing content for a specific section in the OWASP MSTG, as well as proof-reading and editing the existing content. The goal is to make as much progress on the guide as is humanly possible. Depending on the number of participants, we’ll split into sub-groups to work on different subsections or topic areas.<br />
<br />
=== How to Join ===<br />
<br />
Join up for the working session(s) you like by following the link(s) on the [http://owaspsummit.org/Working-Sessions/Mobile-Security/ mobile security track page], then hitting the "Edit this page here" link at the bottom, and adding yourself to the "participants" field. Signing up is not mandatory, but helps us to better organize the sessions. Don’t worry though if your session of choice happens on the "wrong" day - you can always simply stop by and we’ll brief you on your topic of choice. After all, this is the Woodstock of appsec!<br />
<br />
Mobile security track main page:<br />
<br />
http://owaspsummit.org/Working-Sessions/Mobile-Security/<br />
<br />
Mobile security track schedule:<br />
<br />
http://owaspsummit.org/schedule/tracks/Mobile-Security.html/<br />
<br />
== April 5th, 2017: Mobile App Security Verification Standard Update ==<br />
<br />
[https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf Version 0.9.3] of the MASVS is now [https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf available for download] . This release contains several bug fixes and modifications to security requirements:<br />
<br />
* Merged requirements 7.8 and 7.9 into for simplification<br />
* Removed Anti-RE controls 8.1 and 8.2<br />
* Updated MSTG links to current master<br />
* Section "Environmental Interaction" renamed to "Platform Interaction"<br />
* Removed To-dos<br />
* Fixed some wording & spelling issues<br />
<br />
== January 31st, 2017: Mobile App Security Verification Standard v0.9.2 Available For Download ==<br />
<br />
The Mobile App Security Verification Standard (MASVS) has undergone a major revision, including a re-design of the security model and verification levels. We also revised many security requirements to address the multitude of [https://github.com/OWASP/owasp-masvs/issues?q=is%3Aissue%20 issues raised on GitHub]. The result is MASVS v0.9.2, which is now [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf available for download in PDF format].<br />
<br />
As the MASVS is nearing maturity, we have decided to freeze the requirements until the Mobile Testing Guide and checklists "catch up" (due to the one-to-one mapping between requirements in the MASVS and MSTG, changes to the requirements make it necessary to update the other documents as well, causing repeated effort). Unless major issues pop up, the current list will therefore remain in place until MASVS/MSTG v1.0, and further changes will be reserved for v1.1 or later releases.<br />
<br />
The MASVS is a community effort to establish security requirements for designing, developing and testing secure mobile apps on iOS and Android. Join the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel] to meet the project members! You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
== January 28th, 2017: Mobile Crackmes and Reversing Tutorials ==<br />
{| cellpadding="5"<br />
|-<br />
| [[File:uncrackable-250.png|link=]]<br />
| <br />
A key goal of the OWASP Mobile Testing Project is to build the ultimate learning resource and reference guide for mobile app reversers. As hands-on hacking is by far the best way to learn, we'd like to link most of the content to practical examples. <br />
<br />
Starting now, we'll be adding [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes crackmes for Android and iOS] to the [https://github.com/OWASP/owasp-mstg GitHub repo] that will then be used as examples throughout the guide. The goal is to collect enough resources for demonstrating the most important tools and techniques in our guide, plus additional crackmes for practicing. For starters there are three challenges:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/OMTG-Files/02_Crackmes/01_Android/01_License_Validation Android License Validator]<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes/iOS/Level_01/ Uncrackable App for iOS Level 1]<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes/iOS/Level_02/ Uncrackable App for iOS Level 2]<br />
<br />
|}<br />
<br />
One of these three already has a [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md#symbolicexec documented solution] in the guide. Tutorials for solving the other two [https://github.com/OWASP/owasp-mstg/blob/master/OMTG-Files/02_Crackmes/List_of_Crackmes.md still need to be added].<br />
<br />
=== We Need More Authors and Contributors! ===<br />
<br />
Maybe you have noticed that [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html the reverse engineering sections in the Mobile Testing Guide are incomplete]. The reason: We're still in the starting stages and don't have a lot of authors and contributors (in fact, 99% of the reversing content was produced by one guy). We'd love to welcome *you* as a contributor of crackmes, tutorials, writeups, or simply new ideas for this project. <br />
<br />
==== What You Can Do ====<br />
<br />
The OWASP MSTG is an open project and there's a lot of flexibility - it mostly depends on your skill set and willingness to commit your time. That said, the some areas that need help are:<br />
<br />
* Solving crackmes and contributing a tutorial to the guide (preferable a technique that's not already documented. Check the [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html TOC] first).<br />
* Writing and adding new crackmes along with solutions (should also describe something not already in the guide. Cracking white-boxes, dynamic analysis using an emulator / introspection, etc. etc.).<br />
* General reversing write-ups to describe specific processes and techniques<br />
* Help us figure out [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x07b-Assessing_Software_Protections.md resiliency testing processes] and [https://github.com/b-mueller/obfuscation-metrics obfuscation metrics]<br />
<br />
The reversing part of the guide consists of the following chapters:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05-Testing-Processes-and-Techniques.md#tampering-and-reverse-engineering Tampering and Reverse Engineering - General Overview]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md#tampering-and-reverse-engineering-on-android Tampering and Reverse Engineering on Android]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Reverse-Engineering-and-Tampering-iOS.md#tampering-and-reverse-engineering-on-ios Tampering and Reverse Engineering on iOS]<br />
<br />
==== How To Join ====<br />
<br />
Read the [https://github.com/OWASP/owasp-mstg/blob/master/authors_guide.md author's guide] first, and join the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel], where you'll find all the other project members. You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
== January 22nd, 2017: Mobile Testing Guide TOC Available ==<br />
<br />
As of now, we'll be auto-generating a [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html table of contents] out of the current MSTG master branch. This reflects the current state of the guide, and should make it easier to coordinate work between authors. A short-term goal is to finalize the structure of the guide so we get a clearer picture of what will be included in the final document. Lead authors are encouraged to complete the outline of their respective chapters. <br />
<br />
'''On another note, we still need additional authors to help with all sections of the guide, including mobile operating system overviews, testing processes and techniques, and reverse engineering.''' Especially iOS authors are in short supply! As usual, ping us on the [https://owasp.slack.com/messages/project-mobile_omtg/details/ Slack Channel] if you want to contribute.<br />
<br />
== December 4th, 2016: Call For Authors: The Ultimate Open-Source Mobile App Reverse Engineering Guide ==<br />
<br />
Reverse engineering is an art, and describing every available facet of it would fill a whole library. The sheer range techniques and possible specializations is mind-blowing: One can spend years working on a very specific, isolated sub-problem, such as automating malware analysis or developing novel de-obfuscation methods. For mobile app security testers, it can be challenging to filter through the vast amount of information and build a working methodology. Things become even more problematic when one is tasked to assess apps that are heavily obfuscated and have anti-tampering measures built in.<br />
<br />
One of the main goals in the MSTG is to build the ultimate resource for mobile reverse engineers. This includes not only basic static and dynamic analysis, but also advanced de-obfuscation, scripting and automation. Obviously, writing all this content is a lot of work, both in terms of general content and OS-specific how-tos. We're therefore looking for talented authors that want to join the project early on. Topics include the following:<br />
<br />
* Basic Hybrid Static/Dynamic Analysis<br />
* Code Injection and Dynamic Instrumentation (Substrate, FRIDA)<br />
* Dynamic Binary Instrumentation (Valgrind, PIE)<br />
* Analysis Frameworks (Metasm / Miasm)<br />
* Symbolic Execution<br />
* DCA and DPA attacks on white-box crypto<br />
* Dynamic analysis frameworks (PANDA / DroidScope,...)<br />
* Anything else we might have missed<br />
<br />
=== What is in for me? ===<br />
<br />
All of this is unpaid, volunteer work. However, depending on your contribution, you will be named in the "lead authors" or "contributors" list, and you'll be able to point to the fact that you co-authored the guide. You'll also be contributing to the field, helping others who are just starting out, and in turn becoming a happier person yourself (reaping the full benefits of your altruism).<br />
<br />
=== Where do I sign up? ===<br />
<br />
First of all, have a look at the existing RE chapters outline:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05-Testing-Processes-and-Techniques.md#tampering-and-reverse-engineering Generic / Introduction]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md Android]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Reverse-Engineering-and-Tampering-iOS.md#tampering-and-reverse-engineering-on-ios iOS]<br />
<br />
You'll probably immediately have ideas on how you can contribute. If that's the case, read the [https://github.com/OWASP/owasp-mstg/blob/master/authors_guide.md author's guide] first. <br />
<br />
Then contact [https://github.com/b-mueller Bernhard Mueller] - ideally directly on the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel], where you'll find all the other project members. You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
=FAQs=<br />
<br />
==How can I participate in your project?==<br />
<br />
'''We are searching for additional authors, reviewers and editors.''' The best way to get started is to browse the [https://b-mueller.gitbooks.io/owasp-mobile-security-testing-guide/content/ existing content]. Also, check the [https://github.com/OWASP/owasp-mstg/projects/1 project dashboard] for a list of open tasks.<br />
<br />
Drop a us line on the [https://owasp.slack.com/messages/project-mobile_omtg/details/) Slack channel] before you start working on a topic. This helps us to keep track of what everyone is doing and prevent conflicts. You can create a Slack account here:<br />
<br />
http://owasp.herokuapp.com/<br />
<br />
Before you start contributing, please read our brief [https://github.com/OWASP/owasp-mstg/blob/master/style_guide.md style guide] which contains a few basic writing rules.<br />
<br />
If there's something you really want to see in the guide, or you want to suggest an improvement, create an issue [https://github.com/OWASP/owasp-mstg/issues issue] or ping us on [https://owasp.slack.com/messages/project-mobile_omtg/details/ Slack].<br />
<br />
==Where do you guys need help the most?==<br />
<br />
There's a lot of areas where you can help out:<br />
<br />
* Writing original content, such as describing testing processes and writing test cases. We're all doing this in our spare time, which unfortunately means that things sometimes slow down to a crawl. If you're knowledgeable in some area and have time available, we'd be incredibly thankful to anyone who contributes, even if it's only one or two test cases.<br />
<br />
* Reviewing content and giving feedback. The proper channel for questions and feedback is the GitHub issues system of the respective repo, contacting us on [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel] is another possibility.<br />
<br />
* Developing tools. For example, we still don't have an automated way of generating checklists out of the GitHub repo.<br />
<br />
* Contributing to auxiliary projects: The [https://github.com/b-mueller/obfuscation-metrics obfuscation metrics project] is an auxiliary project that deals with specific forms of control flow and data obfuscation. This project needs experts in advanced obfuscation / de-obfuscation. Please contact us if you have experience in this area.<br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator.<br />
<br />
==I contributed to the original Google Doc, but I'm not credited in the new version of the MSTG? ==<br />
As we migrated some of the existing content, we did our best to backtrack the original authors and credit them appropriately. We also added a [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x02-Frontispiece.md revision history] that lists all the authors from old Google Docs. If you are not on that list but feel you should be, please contact [https://github.com/b-mueller Bernhard] or [https://github.com/sushi2k Sven] and they'll fix it. Or better yet, re-join the author's team and start contributing to the new guide.<br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
The Mobile Security Testing Guide was initiated by [https://www.owasp.org/index.php/User:Milan_Singh_Thakur Milan Singh Thakur] in 2015. The original document was hosted on Google Drive. Guide development was moved to GitHub in October 2016. Below is the full list of contributors for each revision.<br />
<br />
=== MSTG in its current form ===<br />
<br />
'''Authors:'''<br />
<br />
* Bernhard Mueller<br />
* Sven Schleier<br />
<br />
'''Co-Authors:'''<br />
* Romuald Szkudlarek<br />
<br />
'''Top Contributors:'''<br />
* Francesco Stillavato<br />
* Pawel Rzepa<br />
* Henry Hoggard<br />
* Abdessamad Temmar<br />
* Slawomir Kosowski<br />
<br />
'''Contributors:'''<br />
* Andreas Happe<br />
* Wen Bin Kong<br />
* Jin Kung Ong<br />
* Gerhard Wagner<br />
* Michael Helwig<br />
* Jeroen Willemsen<br />
* Alexander Antukh<br />
* Ryan Teoh<br />
* Daniel Ramirez Martin<br />
* Claudio André<br />
* Prathan Phongthiproek<br />
* Luander Ribeiro<br />
* Dharshin De Silva<br />
* Oguzhan Topgul<br />
* Pishu Mahtani<br />
* Anuruddha (L3Osi13nT)<br />
<br />
'''Reviewers:''' Anant Shrivastava<br />
<br />
This list includes everyone who committed 50+ lines of content. The full list of contributors is [https://github.com/OWASP/owasp-mstg/graphs/contributors available on GitHub].<br />
<br />
=== MSTG "Beta 2" on Google Drive ===<br />
<br />
'''Authors:'''<br />
<br />
* Mirza Ali<br />
* Stephen Corbiaux<br />
* Ryan Dewhurst<br />
* Mohammad Hamed Dadpour<br />
* David Fern<br />
* Ali Yazdani<br />
* Bao Lee<br />
* Anto Joseph<br />
* Nutan Kumar Panda<br />
* Rahil Parikh<br />
* Julian Schütte<br />
* Abhinav Sejpal<br />
* Anant Shrivastava<br />
* Pragati Singh<br />
* Milan Singh Thakur<br />
* Stephanie Vanroelen<br />
* Gerhard Wagner<br />
<br />
'''Reviewers:'''<br />
<br />
* Andrew Muller<br />
* Jonathan Carter<br />
* Stephanie Vanroelen<br />
* Milan Singh Thakur<br />
<br />
=== MSTG "Beta 1" on Google Drive ===<br />
<br />
'''Authors:''' <br />
<br />
*Mirza Ali <br />
*Mohammad Hamed Dadpour<br />
*David Fern<br />
*Rahil Parikh<br />
*Abhinav Sejpal<br />
*Pragati Singh<br />
*Milan Singh Thakur<br />
<br />
'''Reviewers:'''<br />
<br />
*Andrew Muller<br />
*Jonathan Carter<br />
<br />
'''Top Contributors:'''<br />
<br />
*Jim Manico<br />
*Yair Amit<br />
*Amin Lalji<br />
*OWASP Mobile Team<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs></headertabs> <br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Builders]] <br />
[[Category:OWASP_Defenders]] <br />
[[Category:OWASP_Document]]</div>Bernhard Muellerhttps://wiki.owasp.org/index.php?title=OWASP_Mobile_Security_Testing_Guide&diff=230139OWASP Mobile Security Testing Guide2017-05-31T03:31:25Z<p>Bernhard Mueller: </p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_MSTG_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==Our Vision ==<br />
<br />
=== '''"Define the industry standard for mobile application security."''' ===<br />
<br />
We are writing a security standard for mobile apps and a comprehensive testing guide that covers the processes, techniques, and tools used during a mobile app security test, as well as an exhaustive set of test cases that enables testers to deliver consistent and complete results.<br />
<br />
== Main Deliverables ==<br />
<br />
{| cellpadding="5"<br />
|-<br />
| [[File:mstg-mini-2.jpg|link=https://www.github.com/OWASP/owasp-mstg/]]<br />
| '''Mobile Security Testing Guide'''<br />
A comprehensive guide for iOS and Android mobile security testers with the following content:<br />
# Mobile platform internals<br />
# Security testing in the mobile app development lifecycle<br />
# Basic static and dynamic security testing<br />
# Mobile app reverse engineering and tampering<br />
# Assessing software protections<br />
# Detailed test cases that map to the requirements in the MASVS.<br />
The MSTG is a work-in-progress. Currently, we hope to be "feature-complete" in Q3 2017. You can contribute and comment in the [https://github.com/OWASP/owasp-mstg GitHub Repo]. A book version of the current master branch is available on [https://b-mueller.gitbooks.io/owasp-mobile-security-testing-guide/content/ Gitbook].<br />
|-<br />
| [[File:masvs-sample-mini.jpg|link=https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf]]<br />
| '''Mobile App Security Requirements and Verification'''<br />
The [https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf OWASP Mobile Application Security Verification Standard (MASVS)] is a standard for mobile app security. It can be used by mobile software architects and developers seeking to develop secure mobile applications, as well as security testers to ensure completeness and consistency of test results. The latest release is [https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf version 0.9.3].<br />
|-<br />
| [[File:checklist.jpg|link=https://www.owasp.org/images/1/1b/Mobile_App_Security_Checklist_0.9.3.xlsx]]<br />
| '''Mobile App Security Checklist'''<br />
A checklist for use in security assessments. Also contains links to the MSTG test case for each requirement. The current release is [https://www.owasp.org/images/1/1b/Mobile_App_Security_Checklist_0.9.3.xlsx version 0.9.3].<br />
|}<br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Breakers]] <br />
[[Category:OWASP_Document]]<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="center" width="50%" | [[File:Owasp-breakers-small.png|link=https://www.owasp.org/index.php/Breakers]]<br />
|<br />
|-<br />
| align="center" valign="center" width="50%" | <br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
== Project Leaders ==<br />
<br />
<span style="color:#ff0000"><br />
<br />
[https://www.owasp.org/index.php/User:Bernhard_Mueller Bernhard Mueller]<br />
<br />
[https://www.owasp.org/index.php/User:Sven_Schleier Sven Schleier]<br />
<br />
== Road Map ==<br />
<br />
* Q3 2017: Beta release<br />
* Q4 2017: Version 1.0<br />
* Q1 2018: Produce A Printable Book<br />
<br />
== Parent Project ==<br />
<br />
[[OWASP_Mobile_Security_Project]]<br />
<br />
==Licensing==<br />
<br />
The guide is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
|}<br />
<br />
=How-To=<br />
<br />
== Using the OWASP Mobile App Security Verification Standard, Testing Guide and Checklist ==<br />
<br />
The documents produced in this project cover many aspects of mobile application security, from the high-level requirements to the nitty-gritty implementation details and test cases. They can be used to plan and verify security controls during any phase of mobile app development, as well as during pre-release code review and penetration testing.<br />
<br />
# The [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf Mobile Application Security Verification Standard (MASVS)] contains generic security requirements along with mappings to verification levels that can be chosen depending on the overall need for security.<br />
# The [https://github.com/OWASP/owasp-mstg Mobile Security Testing Guide (MSTG)] provides verification instructions for each requirement in the MASVS, as well as security best practices for apps on each supported mobile operating system (currently Android and iOS). It is also useful as a standalone learning resource and reference guide for mobile application security testers.<br />
# The [https://www.owasp.org/images/6/6f/Mobile_App_Security_Checklist_0.9.2.xlsx Mobile App Security Checklist] can be used to apply the MASVS requirements during practical assessments. It also conveniently links to the MSTG test case for each requirement, making mobile penetration testing a breeze.<br />
<br />
It is important to note that the security standard, testing guide and checklists are closely related: They all map to the same basic set of requirements. Depending on the context, the documents can be used stand-alone or in combination to achieve different objectives.<br />
<br />
[[File:Overview-800px.jpg]]<br />
<br />
For example, the MASVS requirements may be used in the planning and architecture design stages, while the checklist and testing guide may serve as a baseline for manual security testing or as a template for automated security tests.<br />
<br />
== Mobile App Security Testing ==<br />
<br />
The [https://www.owasp.org/images/9/94/Mobile_App_Security_Verification_Checklist_0.8.2.xlsx checklist] works great as a reference during mobile app security assessments. You can walk through the requirements one-by-one - for more information on each requirement, simply click on the link in the "Testing procedures" column. Or, fill out the checklist at the end of an assessment to ensure completeness. <br />
<br />
== Security Engineering in the SDLC ==<br />
<br />
Properly defined security requirements are an important part of the Secure SDLC. The [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf MASVS] levels can be used along with threat modeling to determine the appropriate set of security controls for a particular mobile app. MASVS V1 also lists requirements pertaining to the architecture and design of the mobile apps, as well as general processes and activities that should be part of the development process.<br />
<br />
== Mobile App Security Education ==<br />
<br />
The [https://github.com/OWASP/owasp-mstg Mobile Security Testing Guide] can be used as a standalone learning resource. Its main chapters contain general how-tos and tutorials that cover a variety of topics from mobile OS internals to advanced reverse engineering techniques.<br />
<br />
=News=<br />
<br />
== Mobile Security Testing Workshop on the OWASP Summit 2017 ==<br />
<br />
The OWASP MSTG team is organizing a 5-days mobile security track on the OWASP Summit 2017. The track consists of a series of book sprints, each of which focuses on producing content for a specific section in the OWASP MSTG, as well as proof-reading and editing the existing content. The goal is to make as much progress on the guide as is humanly possible. Depending on the number of participants, we’ll split into sub-groups to work on different subsections or topic areas.<br />
<br />
=== How to Join ===<br />
<br />
Join up for the working session(s) you like by following the link(s) on the [http://owaspsummit.org/Working-Sessions/Mobile-Security/ mobile security track page], then hitting the "Edit this page here" link at the bottom, and adding yourself to the "participants" field. Signing up is not mandatory, but helps us to better organize the sessions. Don’t worry though if your session of choice happens on the "wrong" day - you can always simply stop by and we’ll brief you on your topic of choice. After all, this is the Woodstock of appsec!<br />
<br />
Mobile security track main page:<br />
<br />
http://owaspsummit.org/Working-Sessions/Mobile-Security/<br />
<br />
Mobile security track schedule:<br />
<br />
http://owaspsummit.org/schedule/tracks/Mobile-Security.html/<br />
<br />
== April 5th, 2017: Mobile App Security Verification Standard Update ==<br />
<br />
[https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf Version 0.9.3] of the MASVS is now [https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf available for download] . This release contains several bug fixes and modifications to security requirements:<br />
<br />
* Merged requirements 7.8 and 7.9 into for simplification<br />
* Removed Anti-RE controls 8.1 and 8.2<br />
* Updated MSTG links to current master<br />
* Section "Environmental Interaction" renamed to "Platform Interaction"<br />
* Removed To-dos<br />
* Fixed some wording & spelling issues<br />
<br />
== January 31st, 2017: Mobile App Security Verification Standard v0.9.2 Available For Download ==<br />
<br />
The Mobile App Security Verification Standard (MASVS) has undergone a major revision, including a re-design of the security model and verification levels. We also revised many security requirements to address the multitude of [https://github.com/OWASP/owasp-masvs/issues?q=is%3Aissue%20 issues raised on GitHub]. The result is MASVS v0.9.2, which is now [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf available for download in PDF format].<br />
<br />
As the MASVS is nearing maturity, we have decided to freeze the requirements until the Mobile Testing Guide and checklists "catch up" (due to the one-to-one mapping between requirements in the MASVS and MSTG, changes to the requirements make it necessary to update the other documents as well, causing repeated effort). Unless major issues pop up, the current list will therefore remain in place until MASVS/MSTG v1.0, and further changes will be reserved for v1.1 or later releases.<br />
<br />
The MASVS is a community effort to establish security requirements for designing, developing and testing secure mobile apps on iOS and Android. Join the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel] to meet the project members! You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
== January 28th, 2017: Mobile Crackmes and Reversing Tutorials ==<br />
{| cellpadding="5"<br />
|-<br />
| [[File:uncrackable-250.png|link=]]<br />
| <br />
A key goal of the OWASP Mobile Testing Project is to build the ultimate learning resource and reference guide for mobile app reversers. As hands-on hacking is by far the best way to learn, we'd like to link most of the content to practical examples. <br />
<br />
Starting now, we'll be adding [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes crackmes for Android and iOS] to the [https://github.com/OWASP/owasp-mstg GitHub repo] that will then be used as examples throughout the guide. The goal is to collect enough resources for demonstrating the most important tools and techniques in our guide, plus additional crackmes for practicing. For starters there are three challenges:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/OMTG-Files/02_Crackmes/01_Android/01_License_Validation Android License Validator]<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes/iOS/Level_01/ Uncrackable App for iOS Level 1]<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes/iOS/Level_02/ Uncrackable App for iOS Level 2]<br />
<br />
|}<br />
<br />
One of these three already has a [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md#symbolicexec documented solution] in the guide. Tutorials for solving the other two [https://github.com/OWASP/owasp-mstg/blob/master/OMTG-Files/02_Crackmes/List_of_Crackmes.md still need to be added].<br />
<br />
=== We Need More Authors and Contributors! ===<br />
<br />
Maybe you have noticed that [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html the reverse engineering sections in the Mobile Testing Guide are incomplete]. The reason: We're still in the starting stages and don't have a lot of authors and contributors (in fact, 99% of the reversing content was produced by one guy). We'd love to welcome *you* as a contributor of crackmes, tutorials, writeups, or simply new ideas for this project. <br />
<br />
==== What You Can Do ====<br />
<br />
The OWASP MSTG is an open project and there's a lot of flexibility - it mostly depends on your skill set and willingness to commit your time. That said, the some areas that need help are:<br />
<br />
* Solving crackmes and contributing a tutorial to the guide (preferable a technique that's not already documented. Check the [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html TOC] first).<br />
* Writing and adding new crackmes along with solutions (should also describe something not already in the guide. Cracking white-boxes, dynamic analysis using an emulator / introspection, etc. etc.).<br />
* General reversing write-ups to describe specific processes and techniques<br />
* Help us figure out [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x07b-Assessing_Software_Protections.md resiliency testing processes] and [https://github.com/b-mueller/obfuscation-metrics obfuscation metrics]<br />
<br />
The reversing part of the guide consists of the following chapters:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05-Testing-Processes-and-Techniques.md#tampering-and-reverse-engineering Tampering and Reverse Engineering - General Overview]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md#tampering-and-reverse-engineering-on-android Tampering and Reverse Engineering on Android]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Reverse-Engineering-and-Tampering-iOS.md#tampering-and-reverse-engineering-on-ios Tampering and Reverse Engineering on iOS]<br />
<br />
==== How To Join ====<br />
<br />
Read the [https://github.com/OWASP/owasp-mstg/blob/master/authors_guide.md author's guide] first, and join the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel], where you'll find all the other project members. You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
== January 22nd, 2017: Mobile Testing Guide TOC Available ==<br />
<br />
As of now, we'll be auto-generating a [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html table of contents] out of the current MSTG master branch. This reflects the current state of the guide, and should make it easier to coordinate work between authors. A short-term goal is to finalize the structure of the guide so we get a clearer picture of what will be included in the final document. Lead authors are encouraged to complete the outline of their respective chapters. <br />
<br />
'''On another note, we still need additional authors to help with all sections of the guide, including mobile operating system overviews, testing processes and techniques, and reverse engineering.''' Especially iOS authors are in short supply! As usual, ping us on the [https://owasp.slack.com/messages/project-mobile_omtg/details/ Slack Channel] if you want to contribute.<br />
<br />
== December 4th, 2016: Call For Authors: The Ultimate Open-Source Mobile App Reverse Engineering Guide ==<br />
<br />
Reverse engineering is an art, and describing every available facet of it would fill a whole library. The sheer range techniques and possible specializations is mind-blowing: One can spend years working on a very specific, isolated sub-problem, such as automating malware analysis or developing novel de-obfuscation methods. For mobile app security testers, it can be challenging to filter through the vast amount of information and build a working methodology. Things become even more problematic when one is tasked to assess apps that are heavily obfuscated and have anti-tampering measures built in.<br />
<br />
One of the main goals in the MSTG is to build the ultimate resource for mobile reverse engineers. This includes not only basic static and dynamic analysis, but also advanced de-obfuscation, scripting and automation. Obviously, writing all this content is a lot of work, both in terms of general content and OS-specific how-tos. We're therefore looking for talented authors that want to join the project early on. Topics include the following:<br />
<br />
* Basic Hybrid Static/Dynamic Analysis<br />
* Code Injection and Dynamic Instrumentation (Substrate, FRIDA)<br />
* Dynamic Binary Instrumentation (Valgrind, PIE)<br />
* Analysis Frameworks (Metasm / Miasm)<br />
* Symbolic Execution<br />
* DCA and DPA attacks on white-box crypto<br />
* Dynamic analysis frameworks (PANDA / DroidScope,...)<br />
* Anything else we might have missed<br />
<br />
=== What is in for me? ===<br />
<br />
All of this is unpaid, volunteer work. However, depending on your contribution, you will be named in the "lead authors" or "contributors" list, and you'll be able to point to the fact that you co-authored the guide. You'll also be contributing to the field, helping others who are just starting out, and in turn becoming a happier person yourself (reaping the full benefits of your altruism).<br />
<br />
=== Where do I sign up? ===<br />
<br />
First of all, have a look at the existing RE chapters outline:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05-Testing-Processes-and-Techniques.md#tampering-and-reverse-engineering Generic / Introduction]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md Android]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Reverse-Engineering-and-Tampering-iOS.md#tampering-and-reverse-engineering-on-ios iOS]<br />
<br />
You'll probably immediately have ideas on how you can contribute. If that's the case, read the [https://github.com/OWASP/owasp-mstg/blob/master/authors_guide.md author's guide] first. <br />
<br />
Then contact [https://github.com/b-mueller Bernhard Mueller] - ideally directly on the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel], where you'll find all the other project members. You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
=FAQs=<br />
<br />
==How can I participate in your project?==<br />
<br />
'''We are searching for additional authors, reviewers and editors.''' The best way to get started is to browse the [https://b-mueller.gitbooks.io/owasp-mobile-security-testing-guide/content/ existing content]. Also, check the [https://github.com/OWASP/owasp-mstg/projects/1 project dashboard] for a list of open tasks.<br />
<br />
Drop a us line on the [https://owasp.slack.com/messages/project-mobile_omtg/details/) Slack channel] before you start working on a topic. This helps us to keep track of what everyone is doing and prevent conflicts. You can create a Slack account here:<br />
<br />
http://owasp.herokuapp.com/<br />
<br />
Before you start contributing, please read our brief [https://github.com/OWASP/owasp-mstg/blob/master/style_guide.md style guide] which contains a few basic writing rules.<br />
<br />
If there's something you really want to see in the guide, or you want to suggest an improvement, create an issue [https://github.com/OWASP/owasp-mstg/issues issue] or ping us on [https://owasp.slack.com/messages/project-mobile_omtg/details/ Slack].<br />
<br />
==Where do you guys need help the most?==<br />
<br />
There's a lot of areas where you can help out:<br />
<br />
* Writing original content, such as describing testing processes and writing test cases. We're all doing this in our spare time, which unfortunately means that things sometimes slow down to a crawl. If you're knowledgeable in some area and have time available, we'd be incredibly thankful to anyone who contributes, even if it's only one or two test cases.<br />
<br />
* Reviewing content and giving feedback. The proper channel for questions and feedback is the GitHub issues system of the respective repo, contacting us on [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel] is another possibility.<br />
<br />
* Developing tools. For example, we still don't have an automated way of generating checklists out of the GitHub repo.<br />
<br />
* Contributing to auxiliary projects: The [https://github.com/b-mueller/obfuscation-metrics obfuscation metrics project] is an auxiliary project that deals with specific forms of control flow and data obfuscation. This project needs experts in advanced obfuscation / de-obfuscation. Please contact us if you have experience in this area.<br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator.<br />
<br />
==I contributed to the original Google Doc, but I'm not credited in the new version of the MSTG? ==<br />
As we migrated some of the existing content, we did our best to backtrack the original authors and credit them appropriately. We also added a [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x02-Frontispiece.md revision history] that lists all the authors from old Google Docs. If you are not on that list but feel you should be, please contact [https://github.com/b-mueller Bernhard] or [https://github.com/sushi2k Sven] and they'll fix it. Or better yet, re-join the author's team and start contributing to the new guide.<br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
The Mobile Security Testing Guide was initiated by [https://www.owasp.org/index.php/User:Milan_Singh_Thakur Milan Singh Thakur] in 2015. The original document was hosted on Google Drive. Guide development was moved to GitHub in October 2016. Below is the full list of contributors for each revision.<br />
<br />
=== MSTG in its current form ===<br />
<br />
'''Authors:'''<br />
<br />
* Bernhard Mueller<br />
* Sven Schleier<br />
<br />
'''Co-Authors:'''<br />
* Romuald Szkudlarek<br />
<br />
'''Top Contributors:'''<br />
* Francesco Stillavato<br />
* Pawel Rzepa<br />
* Henry Hoggard<br />
* Abdessamad Temmar<br />
* Slawomir Kosowski<br />
<br />
'''Contributors:'''<br />
* Andreas Happe<br />
* Wen Bin Kong<br />
* Jin Kung Ong<br />
* Gerhard Wagner<br />
* Michael Helwig<br />
* Jeroen Willemsen<br />
* Alexander Antukh<br />
* Ryan Teoh<br />
* Daniel Ramirez Martin<br />
* Claudio André<br />
* Prathan Phongthiproek<br />
* Luander Ribeiro<br />
* Dharshin De Silva<br />
* Oguzhan Topgul<br />
* Pishu Mahtani<br />
* Anuruddha (L3Osi13nT)<br />
<br />
'''Reviewers:''' Anant Shrivastava<br />
<br />
This list includes everyone who committed 50+ lines of content. The full list of contributors is [https://github.com/OWASP/owasp-mstg/graphs/contributors available on GitHub].<br />
<br />
=== MSTG "Beta 2" on Google Drive ===<br />
<br />
'''Authors:'''<br />
<br />
* Mirza Ali<br />
* Stephen Corbiaux<br />
* Ryan Dewhurst<br />
* Mohammad Hamed Dadpour<br />
* David Fern<br />
* Ali Yazdani<br />
* Bao Lee<br />
* Anto Joseph<br />
* Nutan Kumar Panda<br />
* Rahil Parikh<br />
* Julian Schütte<br />
* Abhinav Sejpal<br />
* Anant Shrivastava<br />
* Pragati Singh<br />
* Milan Singh Thakur<br />
* Stephanie Vanroelen<br />
* Gerhard Wagner<br />
<br />
'''Reviewers:'''<br />
<br />
* Andrew Muller<br />
* Jonathan Carter<br />
* Stephanie Vanroelen<br />
* Milan Singh Thakur<br />
<br />
=== MSTG "Beta 1" on Google Drive ===<br />
<br />
'''Authors:''' <br />
<br />
*Mirza Ali <br />
*Mohammad Hamed Dadpour<br />
*David Fern<br />
*Rahil Parikh<br />
*Abhinav Sejpal<br />
*Pragati Singh<br />
*Milan Singh Thakur<br />
<br />
'''Reviewers:'''<br />
<br />
*Andrew Muller<br />
*Jonathan Carter<br />
<br />
'''Top Contributors:'''<br />
<br />
*Jim Manico<br />
*Yair Amit<br />
*Amin Lalji<br />
*OWASP Mobile Team<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs></headertabs> <br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Builders]] <br />
[[Category:OWASP_Defenders]] <br />
[[Category:OWASP_Document]]</div>Bernhard Muellerhttps://wiki.owasp.org/index.php?title=OWASP_Mobile_Security_Testing_Guide&diff=230138OWASP Mobile Security Testing Guide2017-05-31T03:28:28Z<p>Bernhard Mueller: /* Where do you guys need help the most? */</p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_MSTG_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==Our Vision ==<br />
<br />
=== '''"Define the industry standard for mobile application security."''' ===<br />
<br />
We are writing a security standard for mobile apps and a comprehensive testing guide that covers the processes, techniques, and tools used during a mobile app security test, as well as an exhaustive set of test cases that enables testers to deliver consistent and complete results.<br />
<br />
== Main Deliverables ==<br />
<br />
{| cellpadding="5"<br />
|-<br />
| [[File:mstg-mini-2.jpg|link=https://www.github.com/OWASP/owasp-mstg/]]<br />
| '''Mobile Security Testing Guide'''<br />
A comprehensive guide for iOS and Android mobile security testers with the following content:<br />
# Mobile platform internals<br />
# Security testing in the mobile app development lifecycle<br />
# Basic static and dynamic security testing<br />
# Mobile app reverse engineering and tampering<br />
# Assessing software protections<br />
# Detailed test cases that map to the requirements in the MASVS.<br />
The MSTG is a work-in-progress. Currently, we hope to be "feature-complete" in Q3 2017. You can contribute and comment in the [https://github.com/OWASP/owasp-mstg GitHub Repo]. A book version of the current master branch is available on [https://b-mueller.gitbooks.io/owasp-mobile-security-testing-guide/content/ Gitbook].<br />
|-<br />
| [[File:masvs-sample-mini.jpg|link=https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf]]<br />
| '''Mobile App Security Requirements and Verification'''<br />
The [https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf OWASP Mobile Application Security Verification Standard (MASVS)] is a standard for mobile app security. It can be used by mobile software architects and developers seeking to develop secure mobile applications, as well as security testers to ensure completeness and consistency of test results. The latest release is [https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf version 0.9.3].<br />
|-<br />
| [[File:checklist.jpg|link=https://www.owasp.org/images/1/1b/Mobile_App_Security_Checklist_0.9.3.xlsx]]<br />
| '''Mobile App Security Checklist'''<br />
A checklist for use in security assessments. Also contains links to the MSTG test case for each requirement. The current release is [https://www.owasp.org/images/1/1b/Mobile_App_Security_Checklist_0.9.3.xlsx version 0.9.3].<br />
|}<br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Breakers]] <br />
[[Category:OWASP_Document]]<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="center" width="50%" | [[File:Owasp-breakers-small.png|link=https://www.owasp.org/index.php/Breakers]]<br />
|<br />
|-<br />
| align="center" valign="center" width="50%" | <br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
== Project Leaders ==<br />
<br />
<span style="color:#ff0000"><br />
<br />
[https://www.owasp.org/index.php/User:Bernhard_Mueller Bernhard Mueller]<br />
<br />
[https://www.owasp.org/index.php/User:Sven_Schleier Sven Schleier]<br />
<br />
== Road Map ==<br />
<br />
* Q3 2017: Beta release<br />
* Q4 2017: Version 1.0<br />
* Q1 2018: Produce A Printable Book<br />
<br />
== Parent Project ==<br />
<br />
[[OWASP_Mobile_Security_Project]]<br />
<br />
==Licensing==<br />
<br />
The guide is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
|}<br />
<br />
=How-To=<br />
<br />
== Using the OWASP Mobile App Security Verification Standard, Testing Guide and Checklist ==<br />
<br />
The documents produced in this project cover many aspects of mobile application security, from the high-level requirements to the nitty-gritty implementation details and test cases. They can be used to plan and verify security controls during any phase of mobile app development, as well as during pre-release code review and penetration testing.<br />
<br />
# The [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf Mobile Application Security Verification Standard (MASVS)] contains generic security requirements along with mappings to verification levels that can be chosen depending on the overall need for security.<br />
# The [https://github.com/OWASP/owasp-mstg Mobile Security Testing Guide (MSTG)] provides verification instructions for each requirement in the MASVS, as well as security best practices for apps on each supported mobile operating system (currently Android and iOS). It is also useful as a standalone learning resource and reference guide for mobile application security testers.<br />
# The [https://www.owasp.org/images/6/6f/Mobile_App_Security_Checklist_0.9.2.xlsx Mobile App Security Checklist] can be used to apply the MASVS requirements during practical assessments. It also conveniently links to the MSTG test case for each requirement, making mobile penetration testing a breeze.<br />
<br />
It is important to note that the security standard, testing guide and checklists are closely related: They all map to the same basic set of requirements. Depending on the context, the documents can be used stand-alone or in combination to achieve different objectives.<br />
<br />
[[File:Overview-800px.jpg]]<br />
<br />
For example, the MASVS requirements may be used in the planning and architecture design stages, while the checklist and testing guide may serve as a baseline for manual security testing or as a template for automated security tests.<br />
<br />
== Mobile App Security Testing ==<br />
<br />
The [https://www.owasp.org/images/9/94/Mobile_App_Security_Verification_Checklist_0.8.2.xlsx checklist] works great as a reference during mobile app security assessments. You can walk through the requirements one-by-one - for more information on each requirement, simply click on the link in the "Testing procedures" column. Or, fill out the checklist at the end of an assessment to ensure completeness. <br />
<br />
== Security Engineering in the SDLC ==<br />
<br />
Properly defined security requirements are an important part of the Secure SDLC. The [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf MASVS] levels can be used along with threat modeling to determine the appropriate set of security controls for a particular mobile app. MASVS V1 also lists requirements pertaining to the architecture and design of the mobile apps, as well as general processes and activities that should be part of the development process.<br />
<br />
== Mobile App Security Education ==<br />
<br />
The [https://github.com/OWASP/owasp-mstg Mobile Security Testing Guide] can be used as a standalone learning resource. Its main chapters contain general how-tos and tutorials that cover a variety of topics from mobile OS internals to advanced reverse engineering techniques.<br />
<br />
=News=<br />
<br />
== Mobile Security Testing Workshop on the OWASP Summit 2017 ==<br />
<br />
The OWASP MSTG team is organizing a 5-days mobile security track on the OWASP Summit 2017. The track consists of a series of book sprints, each of which focuses on producing content for a specific section in the OWASP MSTG, as well as proof-reading and editing the existing content. The goal is to make as much progress on the guide as is humanly possible. Depending on the number of participants, we’ll split into sub-groups to work on different subsections or topic areas.<br />
<br />
=== How to Join ===<br />
<br />
Join up for the working session(s) you like by following the link(s) on the [http://owaspsummit.org/Working-Sessions/Mobile-Security/ mobile security track page], then hitting the "Edit this page here" link at the bottom, and adding yourself to the "participants" field. Signing up is not mandatory, but helps us to better organize the sessions. Don’t worry though if your session of choice happens on the "wrong" day - you can always simply stop by and we’ll brief you on your topic of choice. After all, this is the Woodstock of appsec!<br />
<br />
Mobile security track main page:<br />
<br />
http://owaspsummit.org/Working-Sessions/Mobile-Security/<br />
<br />
Mobile security track schedule:<br />
<br />
http://owaspsummit.org/schedule/tracks/Mobile-Security.html/<br />
<br />
== April 5th, 2017: Mobile App Security Verification Standard Update ==<br />
<br />
[https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf Version 0.9.3] of the MASVS is now [https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf available for download] . This release contains several bug fixes and modifications to security requirements:<br />
<br />
* Merged requirements 7.8 and 7.9 into for simplification<br />
* Removed Anti-RE controls 8.1 and 8.2<br />
* Updated MSTG links to current master<br />
* Section "Environmental Interaction" renamed to "Platform Interaction"<br />
* Removed To-dos<br />
* Fixed some wording & spelling issues<br />
<br />
== January 31st, 2017: Mobile App Security Verification Standard v0.9.2 Available For Download ==<br />
<br />
The Mobile App Security Verification Standard (MASVS) has undergone a major revision, including a re-design of the security model and verification levels. We also revised many security requirements to address the multitude of [https://github.com/OWASP/owasp-masvs/issues?q=is%3Aissue%20 issues raised on GitHub]. The result is MASVS v0.9.2, which is now [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf available for download in PDF format].<br />
<br />
As the MASVS is nearing maturity, we have decided to freeze the requirements until the Mobile Testing Guide and checklists "catch up" (due to the one-to-one mapping between requirements in the MASVS and MSTG, changes to the requirements make it necessary to update the other documents as well, causing repeated effort). Unless major issues pop up, the current list will therefore remain in place until MASVS/MSTG v1.0, and further changes will be reserved for v1.1 or later releases.<br />
<br />
The MASVS is a community effort to establish security requirements for designing, developing and testing secure mobile apps on iOS and Android. Join the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel] to meet the project members! You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
== January 28th, 2017: Mobile Crackmes and Reversing Tutorials ==<br />
{| cellpadding="5"<br />
|-<br />
| [[File:uncrackable-250.png|link=]]<br />
| <br />
A key goal of the OWASP Mobile Testing Project is to build the ultimate learning resource and reference guide for mobile app reversers. As hands-on hacking is by far the best way to learn, we'd like to link most of the content to practical examples. <br />
<br />
Starting now, we'll be adding [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes crackmes for Android and iOS] to the [https://github.com/OWASP/owasp-mstg GitHub repo] that will then be used as examples throughout the guide. The goal is to collect enough resources for demonstrating the most important tools and techniques in our guide, plus additional crackmes for practicing. For starters there are three challenges:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/OMTG-Files/02_Crackmes/01_Android/01_License_Validation Android License Validator]<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes/iOS/Level_01/ Uncrackable App for iOS Level 1]<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes/iOS/Level_02/ Uncrackable App for iOS Level 2]<br />
<br />
|}<br />
<br />
One of these three already has a [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md#symbolicexec documented solution] in the guide. Tutorials for solving the other two [https://github.com/OWASP/owasp-mstg/blob/master/OMTG-Files/02_Crackmes/List_of_Crackmes.md still need to be added].<br />
<br />
=== We Need More Authors and Contributors! ===<br />
<br />
Maybe you have noticed that [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html the reverse engineering sections in the Mobile Testing Guide are incomplete]. The reason: We're still in the starting stages and don't have a lot of authors and contributors (in fact, 99% of the reversing content was produced by one guy). We'd love to welcome *you* as a contributor of crackmes, tutorials, writeups, or simply new ideas for this project. <br />
<br />
==== What You Can Do ====<br />
<br />
The OWASP MSTG is an open project and there's a lot of flexibility - it mostly depends on your skill set and willingness to commit your time. That said, the some areas that need help are:<br />
<br />
* Solving crackmes and contributing a tutorial to the guide (preferable a technique that's not already documented. Check the [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html TOC] first).<br />
* Writing and adding new crackmes along with solutions (should also describe something not already in the guide. Cracking white-boxes, dynamic analysis using an emulator / introspection, etc. etc.).<br />
* General reversing write-ups to describe specific processes and techniques<br />
* Help us figure out [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x07b-Assessing_Software_Protections.md resiliency testing processes] and [https://github.com/b-mueller/obfuscation-metrics obfuscation metrics]<br />
<br />
The reversing part of the guide consists of the following chapters:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05-Testing-Processes-and-Techniques.md#tampering-and-reverse-engineering Tampering and Reverse Engineering - General Overview]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md#tampering-and-reverse-engineering-on-android Tampering and Reverse Engineering on Android]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Reverse-Engineering-and-Tampering-iOS.md#tampering-and-reverse-engineering-on-ios Tampering and Reverse Engineering on iOS]<br />
<br />
==== How To Join ====<br />
<br />
Read the [https://github.com/OWASP/owasp-mstg/blob/master/authors_guide.md author's guide] first, and join the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel], where you'll find all the other project members. You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
== January 22nd, 2017: Mobile Testing Guide TOC Available ==<br />
<br />
As of now, we'll be auto-generating a [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html table of contents] out of the current MSTG master branch. This reflects the current state of the guide, and should make it easier to coordinate work between authors. A short-term goal is to finalize the structure of the guide so we get a clearer picture of what will be included in the final document. Lead authors are encouraged to complete the outline of their respective chapters. <br />
<br />
'''On another note, we still need additional authors to help with all sections of the guide, including mobile operating system overviews, testing processes and techniques, and reverse engineering.''' Especially iOS authors are in short supply! As usual, ping us on the [https://owasp.slack.com/messages/project-mobile_omtg/details/ Slack Channel] if you want to contribute.<br />
<br />
== December 4th, 2016: Call For Authors: The Ultimate Open-Source Mobile App Reverse Engineering Guide ==<br />
<br />
Reverse engineering is an art, and describing every available facet of it would fill a whole library. The sheer range techniques and possible specializations is mind-blowing: One can spend years working on a very specific, isolated sub-problem, such as automating malware analysis or developing novel de-obfuscation methods. For mobile app security testers, it can be challenging to filter through the vast amount of information and build a working methodology. Things become even more problematic when one is tasked to assess apps that are heavily obfuscated and have anti-tampering measures built in.<br />
<br />
One of the main goals in the MSTG is to build the ultimate resource for mobile reverse engineers. This includes not only basic static and dynamic analysis, but also advanced de-obfuscation, scripting and automation. Obviously, writing all this content is a lot of work, both in terms of general content and OS-specific how-tos. We're therefore looking for talented authors that want to join the project early on. Topics include the following:<br />
<br />
* Basic Hybrid Static/Dynamic Analysis<br />
* Code Injection and Dynamic Instrumentation (Substrate, FRIDA)<br />
* Dynamic Binary Instrumentation (Valgrind, PIE)<br />
* Analysis Frameworks (Metasm / Miasm)<br />
* Symbolic Execution<br />
* DCA and DPA attacks on white-box crypto<br />
* Dynamic analysis frameworks (PANDA / DroidScope,...)<br />
* Anything else we might have missed<br />
<br />
=== What is in for me? ===<br />
<br />
All of this is unpaid, volunteer work. However, depending on your contribution, you will be named in the "lead authors" or "contributors" list, and you'll be able to point to the fact that you co-authored the guide. You'll also be contributing to the field, helping others who are just starting out, and in turn becoming a happier person yourself (reaping the full benefits of your altruism).<br />
<br />
=== Where do I sign up? ===<br />
<br />
First of all, have a look at the existing RE chapters outline:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05-Testing-Processes-and-Techniques.md#tampering-and-reverse-engineering Generic / Introduction]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md Android]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Reverse-Engineering-and-Tampering-iOS.md#tampering-and-reverse-engineering-on-ios iOS]<br />
<br />
You'll probably immediately have ideas on how you can contribute. If that's the case, read the [https://github.com/OWASP/owasp-mstg/blob/master/authors_guide.md author's guide] first. <br />
<br />
Then contact [https://github.com/b-mueller Bernhard Mueller] - ideally directly on the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel], where you'll find all the other project members. You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
=FAQs=<br />
<br />
==How can I participate in your project?==<br />
<br />
'''We are searching for additional authors, reviewers and editors.''' The best way to get started is to browse the [https://b-mueller.gitbooks.io/owasp-mobile-security-testing-guide/content/ existing content]. Also, check the [https://github.com/OWASP/owasp-mstg/projects/1 project dashboard] for a list of open tasks.<br />
<br />
Drop a us line on the [https://owasp.slack.com/messages/project-mobile_omtg/details/) Slack channel] before you start working on a topic. This helps us to keep track of what everyone is doing and prevent conflicts. You can create a Slack account here:<br />
<br />
http://owasp.herokuapp.com/<br />
<br />
Before you start contributing, please read our brief [https://github.com/OWASP/owasp-mstg/blob/master/style_guide.md style guide] which contains a few basic writing rules.<br />
<br />
If there's something you really want to see in the guide, or you want to suggest an improvement, create an issue [https://github.com/OWASP/owasp-mstg/issues issue] or ping us on [https://owasp.slack.com/messages/project-mobile_omtg/details/ Slack].<br />
<br />
==Where do you guys need help the most?==<br />
<br />
There's a lot of areas where you can help out:<br />
<br />
* Writing original content, such as describing testing processes and writing test cases. We're all doing this in our spare time, which unfortunately means that things sometimes slow down to a crawl. If you're knowledgeable in some area and have time available, we'd be incredibly thankful to anyone who contributes, even if it's only one or two test cases.<br />
<br />
* Reviewing content and giving feedback. The proper channel for questions and feedback is the GitHub issues system of the respective repo, contacting us on [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel] is another possibility.<br />
<br />
* Developing tools. For example, we still don't have an automated way of generating checklists out of the GitHub repo.<br />
<br />
* Contributing to auxiliary projects: The [https://github.com/b-mueller/obfuscation-metrics obfuscation metrics project] is an auxiliary project that deals with specific forms of control flow and data obfuscation. This project needs experts in advanced obfuscation / de-obfuscation. Please contact us if you have experience in this area.<br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator.<br />
<br />
==I contributed to the original Google Doc, but I'm not credited in the new version of the MSTG? ==<br />
As we migrated some of the existing content, we did our best to backtrack the original authors and credit them appropriately. We also added a [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x02-Frontispiece.md revision history] that lists all the authors from old Google Docs. If you are not on that list but feel you should be, please contact [https://github.com/b-mueller Bernhard] or [https://github.com/sushi2k Sven] and they'll fix it. Or better yet, re-join the author's team and start contributing to the new guide.<br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
The Mobile Security Testing Guide was initiated by [https://www.owasp.org/index.php/User:Milan_Singh_Thakur Milan Singh Thakur] in 2015. The original document was hosted on Google Drive. Guide development was moved to GitHub in October 2016. Below is the full list of contributors for each revision.<br />
<br />
=== MSTG in its current form ===<br />
<br />
'''Authors:'''<br />
<br />
* Bernhard Mueller<br />
* Sven Schleier<br />
<br />
'''Co-Authors:'''<br />
* Romuald Szkudlarek<br />
'''Top Contributors:'''<br />
* Francesco Stillavato<br />
* Pawel Rzepa<br />
* Henry Hoggard<br />
* Abdessamad Temmar<br />
* Slawomir Kosowski<br />
'''Contributors*:'''<br />
* Andreas Happe<br />
* Wen Bin Kong<br />
* Jin Kung Ong<br />
* Gerhard Wagner<br />
* Michael Helwig<br />
* Jeroen Willemsen<br />
* Alexander Antukh<br />
* Ryan Teoh<br />
* Daniel Ramirez Martin<br />
* Claudio André<br />
* Prathan Phongthiproek<br />
* Luander Ribeiro<br />
* Dharshin De Silva<br />
* Oguzhan Topgul<br />
* Pishu Mahtani<br />
* Anuruddha (L3Osi13nT)<br />
'''Reviewers:''' Anant Shrivastava<br />
<br />
=== MSTG "Beta 2" on Google Drive ===<br />
<br />
'''Authors:'''<br />
<br />
* Mirza Ali<br />
* Stephen Corbiaux<br />
* Ryan Dewhurst<br />
* Mohammad Hamed Dadpour<br />
* David Fern<br />
* Ali Yazdani<br />
* Bao Lee<br />
* Anto Joseph<br />
* Nutan Kumar Panda<br />
* Rahil Parikh<br />
* Julian Schütte<br />
* Abhinav Sejpal<br />
* Anant Shrivastava<br />
* Pragati Singh<br />
* Milan Singh Thakur<br />
* Stephanie Vanroelen<br />
* Gerhard Wagner<br />
<br />
'''Reviewers:'''<br />
<br />
* Andrew Muller<br />
* Jonathan Carter<br />
* Stephanie Vanroelen<br />
* Milan Singh Thakur<br />
<br />
=== MSTG "Beta 1" on Google Drive ===<br />
<br />
'''Authors:''' <br />
<br />
*Mirza Ali <br />
*Mohammad Hamed Dadpour<br />
*David Fern<br />
*Rahil Parikh<br />
*Abhinav Sejpal<br />
*Pragati Singh<br />
*Milan Singh Thakur<br />
<br />
'''Reviewers:'''<br />
<br />
*Andrew Muller<br />
*Jonathan Carter<br />
<br />
'''Top Contributors:'''<br />
<br />
*Jim Manico<br />
*Yair Amit<br />
*Amin Lalji<br />
*OWASP Mobile Team<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs></headertabs> <br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Builders]] <br />
[[Category:OWASP_Defenders]] <br />
[[Category:OWASP_Document]]</div>Bernhard Muellerhttps://wiki.owasp.org/index.php?title=OWASP_Mobile_Security_Testing_Guide&diff=230071OWASP Mobile Security Testing Guide2017-05-29T03:21:33Z<p>Bernhard Mueller: lol</p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_MSTG_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==Our Vision ==<br />
<br />
=== '''"Define the industry standard for mobile application security."''' ===<br />
<br />
We are writing a security standard for mobile apps and a comprehensive testing guide that covers the processes, techniques, and tools used during a mobile app security test, as well as an exhaustive set of test cases that enables testers to deliver consistent and complete results.<br />
<br />
== Main Deliverables ==<br />
<br />
{| cellpadding="5"<br />
|-<br />
| [[File:mstg-mini-2.jpg|link=https://www.github.com/OWASP/owasp-mstg/]]<br />
| '''Mobile Security Testing Guide'''<br />
A comprehensive guide for iOS and Android mobile security testers with the following content:<br />
# Mobile platform internals<br />
# Security testing in the mobile app development lifecycle<br />
# Basic static and dynamic security testing<br />
# Mobile app reverse engineering and tampering<br />
# Assessing software protections<br />
# Detailed test cases that map to the requirements in the MASVS.<br />
The MSTG is a work-in-progress. Currently, we hope to be "feature-complete" in Q3 2017. You can contribute and comment in the [https://github.com/OWASP/owasp-mstg GitHub Repo]. A book version of the current master branch is available on [https://b-mueller.gitbooks.io/owasp-mobile-security-testing-guide/content/ Gitbook].<br />
|-<br />
| [[File:masvs-sample-mini.jpg|link=https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf]]<br />
| '''Mobile App Security Requirements and Verification'''<br />
The [https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf OWASP Mobile Application Security Verification Standard (MASVS)] is a standard for mobile app security. It can be used by mobile software architects and developers seeking to develop secure mobile applications, as well as security testers to ensure completeness and consistency of test results. The latest release is [https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf version 0.9.3].<br />
|-<br />
| [[File:checklist.jpg|link=https://www.owasp.org/images/1/1b/Mobile_App_Security_Checklist_0.9.3.xlsx]]<br />
| '''Mobile App Security Checklist'''<br />
A checklist for use in security assessments. Also contains links to the MSTG test case for each requirement. The current release is [https://www.owasp.org/images/1/1b/Mobile_App_Security_Checklist_0.9.3.xlsx version 0.9.3].<br />
|}<br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Breakers]] <br />
[[Category:OWASP_Document]]<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="center" width="50%" | [[File:Owasp-breakers-small.png|link=https://www.owasp.org/index.php/Breakers]]<br />
|<br />
|-<br />
| align="center" valign="center" width="50%" | <br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
== Project Leaders ==<br />
<br />
<span style="color:#ff0000"><br />
<br />
[https://www.owasp.org/index.php/User:Bernhard_Mueller Bernhard Mueller]<br />
<br />
[https://www.owasp.org/index.php/User:Sven_Schleier Sven Schleier]<br />
<br />
== Road Map ==<br />
<br />
* Q3 2017: Beta release<br />
* Q4 2017: Version 1.0<br />
* Q1 2018: Produce A Printable Book<br />
<br />
== Parent Project ==<br />
<br />
[[OWASP_Mobile_Security_Project]]<br />
<br />
==Licensing==<br />
<br />
The guide is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
|}<br />
<br />
=How-To=<br />
<br />
== Using the OWASP Mobile App Security Verification Standard, Testing Guide and Checklist ==<br />
<br />
The documents produced in this project cover many aspects of mobile application security, from the high-level requirements to the nitty-gritty implementation details and test cases. They can be used to plan and verify security controls during any phase of mobile app development, as well as during pre-release code review and penetration testing.<br />
<br />
# The [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf Mobile Application Security Verification Standard (MASVS)] contains generic security requirements along with mappings to verification levels that can be chosen depending on the overall need for security.<br />
# The [https://github.com/OWASP/owasp-mstg Mobile Security Testing Guide (MSTG)] provides verification instructions for each requirement in the MASVS, as well as security best practices for apps on each supported mobile operating system (currently Android and iOS). It is also useful as a standalone learning resource and reference guide for mobile application security testers.<br />
# The [https://www.owasp.org/images/6/6f/Mobile_App_Security_Checklist_0.9.2.xlsx Mobile App Security Checklist] can be used to apply the MASVS requirements during practical assessments. It also conveniently links to the MSTG test case for each requirement, making mobile penetration testing a breeze.<br />
<br />
It is important to note that the security standard, testing guide and checklists are closely related: They all map to the same basic set of requirements. Depending on the context, the documents can be used stand-alone or in combination to achieve different objectives.<br />
<br />
[[File:Overview-800px.jpg]]<br />
<br />
For example, the MASVS requirements may be used in the planning and architecture design stages, while the checklist and testing guide may serve as a baseline for manual security testing or as a template for automated security tests.<br />
<br />
== Mobile App Security Testing ==<br />
<br />
The [https://www.owasp.org/images/9/94/Mobile_App_Security_Verification_Checklist_0.8.2.xlsx checklist] works great as a reference during mobile app security assessments. You can walk through the requirements one-by-one - for more information on each requirement, simply click on the link in the "Testing procedures" column. Or, fill out the checklist at the end of an assessment to ensure completeness. <br />
<br />
== Security Engineering in the SDLC ==<br />
<br />
Properly defined security requirements are an important part of the Secure SDLC. The [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf MASVS] levels can be used along with threat modeling to determine the appropriate set of security controls for a particular mobile app. MASVS V1 also lists requirements pertaining to the architecture and design of the mobile apps, as well as general processes and activities that should be part of the development process.<br />
<br />
== Mobile App Security Education ==<br />
<br />
The [https://github.com/OWASP/owasp-mstg Mobile Security Testing Guide] can be used as a standalone learning resource. Its main chapters contain general how-tos and tutorials that cover a variety of topics from mobile OS internals to advanced reverse engineering techniques.<br />
<br />
=News=<br />
<br />
== Mobile Security Testing Workshop on the OWASP Summit 2017 ==<br />
<br />
The OWASP MSTG team is organizing a 5-days mobile security track on the OWASP Summit 2017. The track consists of a series of book sprints, each of which focuses on producing content for a specific section in the OWASP MSTG, as well as proof-reading and editing the existing content. The goal is to make as much progress on the guide as is humanly possible. Depending on the number of participants, we’ll split into sub-groups to work on different subsections or topic areas.<br />
<br />
=== How to Join ===<br />
<br />
Join up for the working session(s) you like by following the link(s) on the [http://owaspsummit.org/Working-Sessions/Mobile-Security/ mobile security track page], then hitting the "Edit this page here" link at the bottom, and adding yourself to the "participants" field. Signing up is not mandatory, but helps us to better organize the sessions. Don’t worry though if your session of choice happens on the "wrong" day - you can always simply stop by and we’ll brief you on your topic of choice. After all, this is the Woodstock of appsec!<br />
<br />
Mobile security track main page:<br />
<br />
http://owaspsummit.org/Working-Sessions/Mobile-Security/<br />
<br />
Mobile security track schedule:<br />
<br />
http://owaspsummit.org/schedule/tracks/Mobile-Security.html/<br />
<br />
== April 5th, 2017: Mobile App Security Verification Standard Update ==<br />
<br />
[https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf Version 0.9.3] of the MASVS is now [https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf available for download] . This release contains several bug fixes and modifications to security requirements:<br />
<br />
* Merged requirements 7.8 and 7.9 into for simplification<br />
* Removed Anti-RE controls 8.1 and 8.2<br />
* Updated MSTG links to current master<br />
* Section "Environmental Interaction" renamed to "Platform Interaction"<br />
* Removed To-dos<br />
* Fixed some wording & spelling issues<br />
<br />
== January 31st, 2017: Mobile App Security Verification Standard v0.9.2 Available For Download ==<br />
<br />
The Mobile App Security Verification Standard (MASVS) has undergone a major revision, including a re-design of the security model and verification levels. We also revised many security requirements to address the multitude of [https://github.com/OWASP/owasp-masvs/issues?q=is%3Aissue%20 issues raised on GitHub]. The result is MASVS v0.9.2, which is now [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf available for download in PDF format].<br />
<br />
As the MASVS is nearing maturity, we have decided to freeze the requirements until the Mobile Testing Guide and checklists "catch up" (due to the one-to-one mapping between requirements in the MASVS and MSTG, changes to the requirements make it necessary to update the other documents as well, causing repeated effort). Unless major issues pop up, the current list will therefore remain in place until MASVS/MSTG v1.0, and further changes will be reserved for v1.1 or later releases.<br />
<br />
The MASVS is a community effort to establish security requirements for designing, developing and testing secure mobile apps on iOS and Android. Join the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel] to meet the project members! You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
== January 28th, 2017: Mobile Crackmes and Reversing Tutorials ==<br />
{| cellpadding="5"<br />
|-<br />
| [[File:uncrackable-250.png|link=]]<br />
| <br />
A key goal of the OWASP Mobile Testing Project is to build the ultimate learning resource and reference guide for mobile app reversers. As hands-on hacking is by far the best way to learn, we'd like to link most of the content to practical examples. <br />
<br />
Starting now, we'll be adding [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes crackmes for Android and iOS] to the [https://github.com/OWASP/owasp-mstg GitHub repo] that will then be used as examples throughout the guide. The goal is to collect enough resources for demonstrating the most important tools and techniques in our guide, plus additional crackmes for practicing. For starters there are three challenges:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/OMTG-Files/02_Crackmes/01_Android/01_License_Validation Android License Validator]<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes/iOS/Level_01/ Uncrackable App for iOS Level 1]<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes/iOS/Level_02/ Uncrackable App for iOS Level 2]<br />
<br />
|}<br />
<br />
One of these three already has a [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md#symbolicexec documented solution] in the guide. Tutorials for solving the other two [https://github.com/OWASP/owasp-mstg/blob/master/OMTG-Files/02_Crackmes/List_of_Crackmes.md still need to be added].<br />
<br />
=== We Need More Authors and Contributors! ===<br />
<br />
Maybe you have noticed that [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html the reverse engineering sections in the Mobile Testing Guide are incomplete]. The reason: We're still in the starting stages and don't have a lot of authors and contributors (in fact, 99% of the reversing content was produced by one guy). We'd love to welcome *you* as a contributor of crackmes, tutorials, writeups, or simply new ideas for this project. <br />
<br />
==== What You Can Do ====<br />
<br />
The OWASP MSTG is an open project and there's a lot of flexibility - it mostly depends on your skill set and willingness to commit your time. That said, the some areas that need help are:<br />
<br />
* Solving crackmes and contributing a tutorial to the guide (preferable a technique that's not already documented. Check the [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html TOC] first).<br />
* Writing and adding new crackmes along with solutions (should also describe something not already in the guide. Cracking white-boxes, dynamic analysis using an emulator / introspection, etc. etc.).<br />
* General reversing write-ups to describe specific processes and techniques<br />
* Help us figure out [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x07b-Assessing_Software_Protections.md resiliency testing processes] and [https://github.com/b-mueller/obfuscation-metrics obfuscation metrics]<br />
<br />
The reversing part of the guide consists of the following chapters:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05-Testing-Processes-and-Techniques.md#tampering-and-reverse-engineering Tampering and Reverse Engineering - General Overview]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md#tampering-and-reverse-engineering-on-android Tampering and Reverse Engineering on Android]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Reverse-Engineering-and-Tampering-iOS.md#tampering-and-reverse-engineering-on-ios Tampering and Reverse Engineering on iOS]<br />
<br />
==== How To Join ====<br />
<br />
Read the [https://github.com/OWASP/owasp-mstg/blob/master/authors_guide.md author's guide] first, and join the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel], where you'll find all the other project members. You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
== January 22nd, 2017: Mobile Testing Guide TOC Available ==<br />
<br />
As of now, we'll be auto-generating a [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html table of contents] out of the current MSTG master branch. This reflects the current state of the guide, and should make it easier to coordinate work between authors. A short-term goal is to finalize the structure of the guide so we get a clearer picture of what will be included in the final document. Lead authors are encouraged to complete the outline of their respective chapters. <br />
<br />
'''On another note, we still need additional authors to help with all sections of the guide, including mobile operating system overviews, testing processes and techniques, and reverse engineering.''' Especially iOS authors are in short supply! As usual, ping us on the [https://owasp.slack.com/messages/project-mobile_omtg/details/ Slack Channel] if you want to contribute.<br />
<br />
== December 4th, 2016: Call For Authors: The Ultimate Open-Source Mobile App Reverse Engineering Guide ==<br />
<br />
Reverse engineering is an art, and describing every available facet of it would fill a whole library. The sheer range techniques and possible specializations is mind-blowing: One can spend years working on a very specific, isolated sub-problem, such as automating malware analysis or developing novel de-obfuscation methods. For mobile app security testers, it can be challenging to filter through the vast amount of information and build a working methodology. Things become even more problematic when one is tasked to assess apps that are heavily obfuscated and have anti-tampering measures built in.<br />
<br />
One of the main goals in the MSTG is to build the ultimate resource for mobile reverse engineers. This includes not only basic static and dynamic analysis, but also advanced de-obfuscation, scripting and automation. Obviously, writing all this content is a lot of work, both in terms of general content and OS-specific how-tos. We're therefore looking for talented authors that want to join the project early on. Topics include the following:<br />
<br />
* Basic Hybrid Static/Dynamic Analysis<br />
* Code Injection and Dynamic Instrumentation (Substrate, FRIDA)<br />
* Dynamic Binary Instrumentation (Valgrind, PIE)<br />
* Analysis Frameworks (Metasm / Miasm)<br />
* Symbolic Execution<br />
* DCA and DPA attacks on white-box crypto<br />
* Dynamic analysis frameworks (PANDA / DroidScope,...)<br />
* Anything else we might have missed<br />
<br />
=== What is in for me? ===<br />
<br />
All of this is unpaid, volunteer work. However, depending on your contribution, you will be named in the "lead authors" or "contributors" list, and you'll be able to point to the fact that you co-authored the guide. You'll also be contributing to the field, helping others who are just starting out, and in turn becoming a happier person yourself (reaping the full benefits of your altruism).<br />
<br />
=== Where do I sign up? ===<br />
<br />
First of all, have a look at the existing RE chapters outline:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05-Testing-Processes-and-Techniques.md#tampering-and-reverse-engineering Generic / Introduction]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md Android]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Reverse-Engineering-and-Tampering-iOS.md#tampering-and-reverse-engineering-on-ios iOS]<br />
<br />
You'll probably immediately have ideas on how you can contribute. If that's the case, read the [https://github.com/OWASP/owasp-mstg/blob/master/authors_guide.md author's guide] first. <br />
<br />
Then contact [https://github.com/b-mueller Bernhard Mueller] - ideally directly on the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel], where you'll find all the other project members. You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
=FAQs=<br />
<br />
==How can I participate in your project?==<br />
<br />
'''We are searching for additional authors, reviewers and editors.''' The best way to get started is to browse the [https://b-mueller.gitbooks.io/owasp-mobile-security-testing-guide/content/ existing content]. Also, check the [https://github.com/OWASP/owasp-mstg/projects/1 project dashboard] for a list of open tasks.<br />
<br />
Drop a us line on the [https://owasp.slack.com/messages/project-mobile_omtg/details/) Slack channel] before you start working on a topic. This helps us to keep track of what everyone is doing and prevent conflicts. You can create a Slack account here:<br />
<br />
http://owasp.herokuapp.com/<br />
<br />
Before you start contributing, please read our brief [https://github.com/OWASP/owasp-mstg/blob/master/style_guide.md style guide] which contains a few basic writing rules.<br />
<br />
If there's something you really want to see in the guide, or you want to suggest an improvement, create an issue [https://github.com/OWASP/owasp-mstg/issues issue] or ping us on [https://owasp.slack.com/messages/project-mobile_omtg/details/ Slack].<br />
<br />
==Where do you guys need help the most?==<br />
<br />
There's a lot of areas where you can help out:<br />
<br />
* Writing original content, such as describing testing processes and writing test cases. We're all doing this in our spare time, which unfortunately means that things sometimes slow down to a crawl. If you're knowledgeable in some area and have time available, we'd be incredibly thankful to anyone who contributes, even if it's only one or two test cases.<br />
<br />
* Reviewing content and giving feedback. The proper channel for questions and feedback is the GitHub issues system of the respective repo, contacting us on [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel] is another possibility.<br />
<br />
* Developing tools. For example, we still don't have an automated way of generating checklists out of the GitHub repo.<br />
<br />
* Contributing to auxiliary projects: The [https://github.com/b-mueller/obfuscation-metrics obfuscation metrics project] is an auxiliary project that deals with specific forms of control flow and data obfuscation. This project needs experts in advanced obfuscation / de-obfuscation. Please contact us if you have experience in this area.<br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator.<br />
<br />
==I contributed to the original Google Doc, but I'm not credited in the new version of the MSTG? ==<br />
As we migrated some of the existing content, we did our best to backtrack the original authors and credit them appropriately. We also added a [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x02-Frontispiece.md revision history] that lists all the authors from old Google Docs. If you are not on that list but feel you should be, please contact [https://github.com/b-mueller Bernhard] or [https://github.com/sushi2k Sven] and they'll fix it. Or better yet, re-join the author's team and start contributing to the new guide.<br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
The Mobile Security Testing Guide was initiated by [https://www.owasp.org/index.php/User:Milan_Singh_Thakur Milan Singh Thakur] in 2015. The original document was hosted on Google Drive. Guide development was moved to GitHub in October 2016. Below is the full list of contributors for each revision.<br />
<br />
=== MSTG in its current form ===<br />
<br />
'''Authors:'''<br />
<br />
* Bernhard Mueller<br />
* Sven Schleier<br />
<br />
'''Contributors:'''<br />
<br />
* Abdessamad Temmar<br />
* Francesco Stillavato<br />
* Pawel Rzepa<br />
* Gerhard Wagner<br />
* Daniel Ramirez Martin<br />
*Jin Kung Ong<br />
* Alexander Antukh<br />
* Claudia André<br />
* Ryan Teoh<br />
* Prathan Phongthiproek<br />
* Jeroen Willemsen<br />
* Romuald Szkudlarek<br />
* Luander Ribeiro<br />
* Pishu Mahtani<br />
* Sebastian Banescu<br />
* Prabhant Singh<br />
* Stephen Corbiaux<br />
* Ali Yazdani<br />
<br />
'''Reviewers:'''<br />
<br />
=== MSTG "Beta 2" on Google Drive ===<br />
<br />
'''Authors:'''<br />
<br />
* Mirza Ali<br />
* Stephen Corbiaux<br />
* Ryan Dewhurst<br />
* Mohammad Hamed Dadpour<br />
* David Fern<br />
* Ali Yazdani<br />
* Bao Lee<br />
* Anto Joseph<br />
* Nutan Kumar Panda<br />
* Rahil Parikh<br />
* Julian Schütte<br />
* Abhinav Sejpal<br />
* Anant Shrivastava<br />
* Pragati Singh<br />
* Milan Singh Thakur<br />
* Stephanie Vanroelen<br />
* Gerhard Wagner<br />
<br />
'''Reviewers:'''<br />
<br />
* Andrew Muller<br />
* Jonathan Carter<br />
* Stephanie Vanroelen<br />
* Milan Singh Thakur<br />
<br />
=== MSTG "Beta 1" on Google Drive ===<br />
<br />
'''Authors:''' <br />
<br />
*Mirza Ali <br />
*Mohammad Hamed Dadpour<br />
*David Fern<br />
*Rahil Parikh<br />
*Abhinav Sejpal<br />
*Pragati Singh<br />
*Milan Singh Thakur<br />
<br />
'''Reviewers:'''<br />
<br />
*Andrew Muller<br />
*Jonathan Carter<br />
<br />
'''Top Contributors:'''<br />
<br />
*Jim Manico<br />
*Yair Amit<br />
*Amin Lalji<br />
*OWASP Mobile Team<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs></headertabs> <br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Builders]] <br />
[[Category:OWASP_Defenders]] <br />
[[Category:OWASP_Document]]</div>Bernhard Muellerhttps://wiki.owasp.org/index.php?title=OWASP_Mobile_Security_Testing_Guide&diff=230070OWASP Mobile Security Testing Guide2017-05-29T02:57:14Z<p>Bernhard Mueller: /* Main Deliverables */</p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_MSTG_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==Our Vision ==<br />
<br />
=== '''"Define the industry standard for mobile application security."''' ===<br />
<br />
We are writing a security standard for mobile apps and a comprehensive testing guide that covers the processes, techniques, and tools used during a mobile app security test, as well as an exhaustive set of test cases that enables testers to deliver consistent and complete results.<br />
<br />
== Main Deliverables ==<br />
<br />
{| cellpadding="5"<br />
|-<br />
| [[File:mstg-mini-2.jpg|link=https://www.github.com/OWASP/owasp-mstg/]]<br />
| '''Mobile Security Testing Guide'''<br />
A comprehensive guide for iOS and Android mobile security testers with the following content:<br />
# Mobile platform internals<br />
# Security testing in the mobile app development lifecycle<br />
# Basic static and dynamic security testing<br />
# Mobile app reverse engineering and tampering<br />
# Assessing software protections<br />
# Detailed test cases that map to the requirements in the MASVS.<br />
The MSTG is a work-in-progress. Currently, we hope to be "feature-complete" in Q3 2017. You can contribute and comment in the [https://github.com/OWASP/owasp-mstg GitHub Repo]. A book version of the current master branch is available on [https://b-mueller.gitbooks.io/owasp-mobile-security-testing-guide/content/ Gitbook].<br />
|-<br />
| [[File:masvs-sample-mini.jpg|link=https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf]]<br />
| '''Mobile App Security Requirements and Verification'''<br />
The [https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf OWASP Mobile Application Security Verification Standard (MASVS)] is a standard for mobile app security. It can be used by mobile software architects and developers seeking to develop secure mobile applications, as well as security testers to ensure completeness and consistency of test results. The latest release is [https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf version 0.9.3].<br />
|-<br />
| [[File:checklist.jpg|link=https://www.owasp.org/images/1/1b/Mobile_App_Security_Checklist_0.9.3.xlsx]]<br />
| '''Mobile App Security Checklist'''<br />
A checklist for use in security assessments. Also contains links to the MSTG test case for each requirement. The current release is [https://www.owasp.org/images/1/1b/Mobile_App_Security_Checklist_0.9.3.xlsx version 0.9.3].<br />
|}<br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Breakers]] <br />
[[Category:OWASP_Document]]<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="center" width="50%" | [[File:Owasp-breakers-small.png|link=https://www.owasp.org/index.php/Breakers]]<br />
|<br />
|-<br />
| align="center" valign="center" width="50%" | <br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
== Project Leaders ==<br />
<br />
<span style="color:#ff0000"><br />
<br />
[https://www.owasp.org/index.php/User:Bernhard_Mueller Bernhard Mueller]<br />
<br />
[https://www.owasp.org/index.php/User:Sven_Schleier Sven Schleier]<br />
<br />
== Road Map ==<br />
<br />
* Q3 2017: Beta release<br />
* Q4 2017: Version 1.0<br />
* Q1 2018: Produce A Printable Book<br />
<br />
== Parent Project ==<br />
<br />
[[OWASP_Mobile_Security_Project]]<br />
<br />
==Licensing==<br />
<br />
The guide is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
|}<br />
<br />
=How-To=<br />
<br />
== Using the OWASP Mobile App Security Verification Standard, Testing Guide and Checklist ==<br />
<br />
The documents produced in this project cover many aspects of mobile application security, from the high-level requirements to the nitty-gritty implementation details and test cases. They can be used to plan and verify security controls during any phase of mobile app development, as well as during pre-release code review and penetration testing.<br />
<br />
# The [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf Mobile Application Security Verification Standard (MASVS)] contains generic security requirements along with mappings to verification levels that can be chosen depending on the overall need for security.<br />
# The [https://github.com/OWASP/owasp-mstg Mobile Security Testing Guide (MSTG)] provides verification instructions for each requirement in the MASVS, as well as security best practices for apps on each supported mobile operating system (currently Android and iOS). It is also useful as a standalone learning resource and reference guide for mobile application security testers.<br />
# The [https://www.owasp.org/images/6/6f/Mobile_App_Security_Checklist_0.9.2.xlsx Mobile App Security Checklist] can be used to apply the MASVS requirements during practical assessments. It also conveniently links to the MSTG test case for each requirement, making mobile penetration testing a breeze.<br />
<br />
It is important to note that the security standard, testing guide and checklists are closely related: They all map to the same basic set of requirements. Depending on the context, the documents can be used stand-alone or in combination to achieve different objectives.<br />
<br />
[[File:Overview-800px.jpg]]<br />
<br />
For example, the MASVS requirements may be used in the planning and architecture design stages, while the checklist and testing guide may serve as a baseline for manual security testing or as a template for automated security tests.<br />
<br />
== Mobile App Security Testing ==<br />
<br />
The [https://www.owasp.org/images/9/94/Mobile_App_Security_Verification_Checklist_0.8.2.xlsx checklist] works great as a reference during mobile app security assessments. You can walk through the requirements one-by-one - for more information on each requirement, simply click on the link in the "Testing procedures" column. Or, fill out the checklist at the end of an assessment to ensure completeness. <br />
<br />
== Security Engineering in the SDLC ==<br />
<br />
Properly defined security requirements are an important part of the Secure SDLC. The [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf MASVS] levels can be used along with threat modeling to determine the appropriate set of security controls for a particular mobile app. MASVS V1 also lists requirements pertaining to the architecture and design of the mobile apps, as well as general processes and activities that should be part of the development process.<br />
<br />
== Mobile App Security Education ==<br />
<br />
The [https://github.com/OWASP/owasp-mstg Mobile Security Testing Guide] can be used as a standalone learning resource. Its main chapters contain general how-tos and tutorials that cover a variety of topics from mobile OS internals to advanced reverse engineering techniques.<br />
<br />
=News=<br />
<br />
== Mobile Security Testing Workshop on the OWASP Summit 2017 ==<br />
<br />
During the last few months the [https://github.com/OWASP/owasp-mstg Mobile Security Testing Guide] has made a lot of progress. As we want to push things forward in order to have a first draft of the guide) at the end of Q2, we will be holding a five days working session during the [http://owaspsummit.org OWASP Summit 2017 in London]. Our ambitious goal is to complete the mobile security testing guide. To achieve this, we’ll need to at least close the 126 “missing content” tickets listed on the [https://github.com/OWASP/owasp-mstg/projects/1 project dashboard] and produce an estimated 200 book-sized pages of content. This sounds like a lot - however, if we can gather 10 people for this working session, this amounts to 4 pages of content per person/day which is achievable.<br />
<br />
The main tasks of the five days workshop are:<br />
<br />
- Write original content, such as describing testing processes and writing test cases.<br />
- Proofreading and technical editing to improve the overall quality of the MSTG.<br />
<br />
Work will be split between working groups based on mobile OS and topic. On top of completing the content, we want to apply a basic level of proof-reading, review and editing to get the guide beta-ready.<br />
<br />
In order to be able to schedule work during the summit and create work groups we need to know who will be attending the OWASP Summit and how much time you can/will spend for the mobile workshop. Please [https://github.com/OWASP/owasp-summit-2017/blob/master/Working-Sessions/Mobile-Security/MSTG.md add yourself to the list of participants] and reach out directly to Sven via Slack.<br />
<br />
If you do not have time during the summit but are interested to help, you can start immediately by assigning issues to yourself and creating pull requests. We can also loop you in remotely during the submit.<br />
<br />
Let’s work on the testing guide and fix mobile application security!<br />
<br />
== April 5th, 2017: Mobile App Security Verification Standard Update ==<br />
<br />
[https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf Version 0.9.3] of the MASVS is now [https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf available for download] . This release contains several bug fixes and modifications to security requirements:<br />
<br />
* Merged requirements 7.8 and 7.9 into for simplification<br />
* Removed Anti-RE controls 8.1 and 8.2<br />
* Updated MSTG links to current master<br />
* Section "Environmental Interaction" renamed to "Platform Interaction"<br />
* Removed To-dos<br />
* Fixed some wording & spelling issues<br />
<br />
== January 31st, 2017: Mobile App Security Verification Standard v0.9.2 Available For Download ==<br />
<br />
The Mobile App Security Verification Standard (MASVS) has undergone a major revision, including a re-design of the security model and verification levels. We also revised many security requirements to address the multitude of [https://github.com/OWASP/owasp-masvs/issues?q=is%3Aissue%20 issues raised on GitHub]. The result is MASVS v0.9.2, which is now [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf available for download in PDF format].<br />
<br />
As the MASVS is nearing maturity, we have decided to freeze the requirements until the Mobile Testing Guide and checklists "catch up" (due to the one-to-one mapping between requirements in the MASVS and MSTG, changes to the requirements make it necessary to update the other documents as well, causing repeated effort). Unless major issues pop up, the current list will therefore remain in place until MASVS/MSTG v1.0, and further changes will be reserved for v1.1 or later releases.<br />
<br />
The MASVS is a community effort to establish security requirements for designing, developing and testing secure mobile apps on iOS and Android. Join the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel] to meet the project members! You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
== January 28th, 2017: Mobile Crackmes and Reversing Tutorials ==<br />
{| cellpadding="5"<br />
|-<br />
| [[File:uncrackable-250.png|link=]]<br />
| <br />
A key goal of the OWASP Mobile Testing Project is to build the ultimate learning resource and reference guide for mobile app reversers. As hands-on hacking is by far the best way to learn, we'd like to link most of the content to practical examples. <br />
<br />
Starting now, we'll be adding [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes crackmes for Android and iOS] to the [https://github.com/OWASP/owasp-mstg GitHub repo] that will then be used as examples throughout the guide. The goal is to collect enough resources for demonstrating the most important tools and techniques in our guide, plus additional crackmes for practicing. For starters there are three challenges:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/OMTG-Files/02_Crackmes/01_Android/01_License_Validation Android License Validator]<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes/iOS/Level_01/ Uncrackable App for iOS Level 1]<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes/iOS/Level_02/ Uncrackable App for iOS Level 2]<br />
<br />
|}<br />
<br />
One of these three already has a [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md#symbolicexec documented solution] in the guide. Tutorials for solving the other two [https://github.com/OWASP/owasp-mstg/blob/master/OMTG-Files/02_Crackmes/List_of_Crackmes.md still need to be added].<br />
<br />
=== We Need More Authors and Contributors! ===<br />
<br />
Maybe you have noticed that [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html the reverse engineering sections in the Mobile Testing Guide are incomplete]. The reason: We're still in the starting stages and don't have a lot of authors and contributors (in fact, 99% of the reversing content was produced by one guy). We'd love to welcome *you* as a contributor of crackmes, tutorials, writeups, or simply new ideas for this project. <br />
<br />
==== What You Can Do ====<br />
<br />
The OWASP MSTG is an open project and there's a lot of flexibility - it mostly depends on your skill set and willingness to commit your time. That said, the some areas that need help are:<br />
<br />
* Solving crackmes and contributing a tutorial to the guide (preferable a technique that's not already documented. Check the [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html TOC] first).<br />
* Writing and adding new crackmes along with solutions (should also describe something not already in the guide. Cracking white-boxes, dynamic analysis using an emulator / introspection, etc. etc.).<br />
* General reversing write-ups to describe specific processes and techniques<br />
* Help us figure out [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x07b-Assessing_Software_Protections.md resiliency testing processes] and [https://github.com/b-mueller/obfuscation-metrics obfuscation metrics]<br />
<br />
The reversing part of the guide consists of the following chapters:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05-Testing-Processes-and-Techniques.md#tampering-and-reverse-engineering Tampering and Reverse Engineering - General Overview]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md#tampering-and-reverse-engineering-on-android Tampering and Reverse Engineering on Android]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Reverse-Engineering-and-Tampering-iOS.md#tampering-and-reverse-engineering-on-ios Tampering and Reverse Engineering on iOS]<br />
<br />
==== How To Join ====<br />
<br />
Read the [https://github.com/OWASP/owasp-mstg/blob/master/authors_guide.md author's guide] first, and join the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel], where you'll find all the other project members. You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
== January 22nd, 2017: Mobile Testing Guide TOC Available ==<br />
<br />
As of now, we'll be auto-generating a [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html table of contents] out of the current MSTG master branch. This reflects the current state of the guide, and should make it easier to coordinate work between authors. A short-term goal is to finalize the structure of the guide so we get a clearer picture of what will be included in the final document. Lead authors are encouraged to complete the outline of their respective chapters. <br />
<br />
'''On another note, we still need additional authors to help with all sections of the guide, including mobile operating system overviews, testing processes and techniques, and reverse engineering.''' Especially iOS authors are in short supply! As usual, ping us on the [https://owasp.slack.com/messages/project-mobile_omtg/details/ Slack Channel] if you want to contribute.<br />
<br />
== December 4th, 2016: Call For Authors: The Ultimate Open-Source Mobile App Reverse Engineering Guide ==<br />
<br />
Reverse engineering is an art, and describing every available facet of it would fill a whole library. The sheer range techniques and possible specializations is mind-blowing: One can spend years working on a very specific, isolated sub-problem, such as automating malware analysis or developing novel de-obfuscation methods. For mobile app security testers, it can be challenging to filter through the vast amount of information and build a working methodology. Things become even more problematic when one is tasked to assess apps that are heavily obfuscated and have anti-tampering measures built in.<br />
<br />
One of the main goals in the MSTG is to build the ultimate resource for mobile reverse engineers. This includes not only basic static and dynamic analysis, but also advanced de-obfuscation, scripting and automation. Obviously, writing all this content is a lot of work, both in terms of general content and OS-specific how-tos. We're therefore looking for talented authors that want to join the project early on. Topics include the following:<br />
<br />
* Basic Hybrid Static/Dynamic Analysis<br />
* Code Injection and Dynamic Instrumentation (Substrate, FRIDA)<br />
* Dynamic Binary Instrumentation (Valgrind, PIE)<br />
* Analysis Frameworks (Metasm / Miasm)<br />
* Symbolic Execution<br />
* DCA and DPA attacks on white-box crypto<br />
* Dynamic analysis frameworks (PANDA / DroidScope,...)<br />
* Anything else we might have missed<br />
<br />
=== What is in for me? ===<br />
<br />
All of this is unpaid, volunteer work. However, depending on your contribution, you will be named in the "lead authors" or "contributors" list, and you'll be able to point to the fact that you co-authored the guide. You'll also be contributing to the field, helping others who are just starting out, and in turn becoming a happier person yourself (reaping the full benefits of your altruism).<br />
<br />
=== Where do I sign up? ===<br />
<br />
First of all, have a look at the existing RE chapters outline:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05-Testing-Processes-and-Techniques.md#tampering-and-reverse-engineering Generic / Introduction]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md Android]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Reverse-Engineering-and-Tampering-iOS.md#tampering-and-reverse-engineering-on-ios iOS]<br />
<br />
You'll probably immediately have ideas on how you can contribute. If that's the case, read the [https://github.com/OWASP/owasp-mstg/blob/master/authors_guide.md author's guide] first. <br />
<br />
Then contact [https://github.com/b-mueller Bernhard Mueller] - ideally directly on the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel], where you'll find all the other project members. You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
=FAQs=<br />
<br />
==How can I participate in your project?==<br />
<br />
'''We are searching for additional authors, reviewers and editors.''' The best way to get started is to browse the [https://b-mueller.gitbooks.io/owasp-mobile-security-testing-guide/content/ existing content]. Also, check the [https://github.com/OWASP/owasp-mstg/projects/1 project dashboard] for a list of open tasks.<br />
<br />
Drop a us line on the [https://owasp.slack.com/messages/project-mobile_omtg/details/) Slack channel] before you start working on a topic. This helps us to keep track of what everyone is doing and prevent conflicts. You can create a Slack account here:<br />
<br />
http://owasp.herokuapp.com/<br />
<br />
Before you start contributing, please read our brief [https://github.com/OWASP/owasp-mstg/blob/master/style_guide.md style guide] which contains a few basic writing rules.<br />
<br />
If there's something you really want to see in the guide, or you want to suggest an improvement, create an issue [https://github.com/OWASP/owasp-mstg/issues issue] or ping us on [https://owasp.slack.com/messages/project-mobile_omtg/details/ Slack].<br />
<br />
==Where do you guys need help the most?==<br />
<br />
There's a lot of areas where you can help out:<br />
<br />
* Writing original content, such as describing testing processes and writing test cases. We're all doing this in our spare time, which unfortunately means that things sometimes slow down to a crawl. If you're knowledgeable in some area and have time available, we'd be incredibly thankful to anyone who contributes, even if it's only one or two test cases.<br />
<br />
* Reviewing content and giving feedback. The proper channel for questions and feedback is the GitHub issues system of the respective repo, contacting us on [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel] is another possibility.<br />
<br />
* Developing tools. For example, we still don't have an automated way of generating checklists out of the GitHub repo.<br />
<br />
* Contributing to auxiliary projects: The [https://github.com/b-mueller/obfuscation-metrics obfuscation metrics project] is an auxiliary project that deals with specific forms of control flow and data obfuscation. This project needs experts in advanced obfuscation / de-obfuscation. Please contact us if you have experience in this area.<br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator.<br />
<br />
==I contributed to the original Google Doc, but I'm not credited in the new version of the MSTG? ==<br />
As we migrated some of the existing content, we did our best to backtrack the original authors and credit them appropriately. We also added a [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x02-Frontispiece.md revision history] that lists all the authors from old Google Docs. If you are not on that list but feel you should be, please contact [https://github.com/b-mueller Bernhard] or [https://github.com/sushi2k Sven] and they'll fix it. Or better yet, re-join the author's team and start contributing to the new guide.<br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
The Mobile Security Testing Guide was initiated by [https://www.owasp.org/index.php/User:Milan_Singh_Thakur Milan Singh Thakur] in 2015. The original document was hosted on Google Drive. Guide development was moved to GitHub in October 2016. Below is the full list of contributors for each revision.<br />
<br />
=== MSTG in its current form ===<br />
<br />
'''Authors:'''<br />
<br />
* Bernhard Mueller<br />
* Sven Schleier<br />
<br />
'''Contributors:'''<br />
<br />
* Abdessamad Temmar<br />
* Francesco Stillavato<br />
* Pawel Rzepa<br />
* Gerhard Wagner<br />
* Daniel Ramirez Martin<br />
*Jin Kung Ong<br />
* Alexander Antukh<br />
* Claudia André<br />
* Ryan Teoh<br />
* Prathan Phongthiproek<br />
* Jeroen Willemsen<br />
* Romuald Szkudlarek<br />
* Luander Ribeiro<br />
* Pishu Mahtani<br />
* Sebastian Banescu<br />
* Prabhant Singh<br />
* Stephen Corbiaux<br />
* Ali Yazdani<br />
<br />
'''Reviewers:'''<br />
<br />
=== MSTG "Beta 2" on Google Drive ===<br />
<br />
'''Authors:'''<br />
<br />
* Mirza Ali<br />
* Stephen Corbiaux<br />
* Ryan Dewhurst<br />
* Mohammad Hamed Dadpour<br />
* David Fern<br />
* Ali Yazdani<br />
* Bao Lee<br />
* Anto Joseph<br />
* Nutan Kumar Panda<br />
* Rahil Parikh<br />
* Julian Schütte<br />
* Abhinav Sejpal<br />
* Anant Shrivastava<br />
* Pragati Singh<br />
* Milan Singh Thakur<br />
* Stephanie Vanroelen<br />
* Gerhard Wagner<br />
<br />
'''Reviewers:'''<br />
<br />
* Andrew Muller<br />
* Jonathan Carter<br />
* Stephanie Vanroelen<br />
* Milan Singh Thakur<br />
<br />
=== MSTG "Beta 1" on Google Drive ===<br />
<br />
'''Authors:''' <br />
<br />
*Mirza Ali <br />
*Mohammad Hamed Dadpour<br />
*David Fern<br />
*Rahil Parikh<br />
*Abhinav Sejpal<br />
*Pragati Singh<br />
*Milan Singh Thakur<br />
<br />
'''Reviewers:'''<br />
<br />
*Andrew Muller<br />
*Jonathan Carter<br />
<br />
'''Top Contributors:'''<br />
<br />
*Jim Manico<br />
*Yair Amit<br />
*Amin Lalji<br />
*OWASP Mobile Team<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs></headertabs> <br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Builders]] <br />
[[Category:OWASP_Defenders]] <br />
[[Category:OWASP_Document]]</div>Bernhard Muellerhttps://wiki.owasp.org/index.php?title=OWASP_Code_Sprint_2017&diff=230058OWASP Code Sprint 20172017-05-27T04:27:34Z<p>Bernhard Mueller: Remove OWASP Mobile Project</p>
<hr />
<div>== '''Goal''' ==<br />
The OWASP Code Sprint 2017 is a program that aims to provide incentives to students to contribute to OWASP projects. By participating in the OWASP Code Sprint 2017 a student can get real life experience while contributing to an open source project. A student that successfully completes the program will receive in total $1500.<br />
<br />
== '''Program details''' ==<br />
<br />
''Projects that are eligible:'' All code/tools projects. Documentation projects are excluded.<br />
<br />
''Duration:'' 8 weeks of full-time coding engagement .<br />
<br />
== '''How it works''' ==<br />
<br />
Any code/tool project can participate in the OWASP Code Sprint. Each project will be guided by an OWASP mentor. Students are evaluated in the middle and at the end of the coding period, based on success criteria identified at the beginning of the project. Successful students will receive $750 after each evaluation, a total of $1500 per student.<br />
<br />
Projects are focused on developing security tools. It is required that the code any student produces for those projects will be released as Open Source. <br />
<br />
Note on language: English is required for code comments and documentation, but not for interactions between students and advisers. Advisers who speak the same language as their students are encouraged to interact in that language. <br />
<br />
== '''How you can participate''' ==<br />
<br />
=== As a student: ===<br />
<br />
1. Review the list of OWASP Projects currently participating in the OWASP Code Sprint 2017.<br />
<br />
2. Get in touch with the OWASP Project mentor of your choice.<br />
<br />
3. Agree deliverables with OWASP mentor. <br />
<br />
4. Work away during May thru September<br />
<br />
5. Rise to Open Source Development Glory :-)<br />
<br />
=== [https://docs.google.com/forms/d/e/1FAIpQLSdAyBg5x9gapfLTL4Q_so7faNpR2QZmtuL3q4la2g5NZnhvyA/viewform ALL STUDENTS PLEASE APPLY HERE] ===<br />
<br />
Student application submission is now open: [https://goo.gl/forms/it8hieQAcvCTuPG83 APPLY HERE].<br />
<br />
=== As an OWASP Project Leader: ===<br />
<br />
1. Edit this page adding your project and some proposed tasks as per the examples<br />
<br />
2. Promote the initiative to your academic contacts<br />
<br />
== '''Timeplan''' ==<br />
<br />
'''Phase 1: Proposals'''<br />
<br />
Project leaders who want to include their project to the program should submit some initial proposal ideas on this page. These ideas serve as guidance to the students; they are things that project leaders would like to get done, like new features, improvements, etc.<br />
<br />
Subsequently students are invited to submit detailed proposals that can (but do not necessarily have to) be based on these ideas. Students are strongly encouraged to engage with project leaders and each project's community (e.g. through the project's mailing list) in order to discuss the details of their proposal. Proposals should provide details about the implementation, time plan, milestones, etc.<br />
<br />
'''Phase 2: Scoring of proposals'''<br />
<br />
After the submission of proposals, project leaders and contributors/mentors are required to review the submitted proposals and score them (on a 1 to 5 scale). Each proposal should receive at least 3 assessments/scores from different mentors. Each mentor, contributor or leader can score only proposals for their OWN project. All assessments should provide justification. Reviewers are strongly encouraged to provide constructive comments for students so that they can improve in the future.<br />
<br />
Project leaders are responsible to attract a sufficient number of volunteer mentors to score proposals and subsequently supervise those that will get selected.<br />
<br />
'''Phase 3: Slot allocation.'''<br />
<br />
When proposal scoring has been completed, each project leader requests a specific number of slots. This number should be based on:<br />
The number of truly outstanding proposals according to submitted scores.<br />
The importance of the proposal to the project's roadmap.<br />
The number of available mentors for the project. At least 2 mentors are needed for each proposal that gets accepted.<br />
If the total number of requested slots is less than or equal to the available number of slots, then all projects get the requested slots. If not, the following rules apply:<br />
All projects that have requested a slot get at least 1 slot, provided they have a high quality proposal and sufficient number of mentors.<br />
Two mentors are required per slot allocated to the project.<br />
The program's administrators get in touch with project leaders, especially those that have requested a large number of slots to receive additional feedback on the requested slots and explore any available possibilities for reducing the requested number of slots. A project leader might choose to donate one or more requested slots back to the pool so that other projects can get more slots. The program administrators can choose to initiate a public discussion between projects in need of more slots and projects that have requested a lot of slots in order to determine the best possible outcome for everyone.<br />
If all else fails, slots are equally allocated to projects, i.e. all projects get 1 slot; projects that have requested 2 or more slots get an extra slot if available; projects that have requested 3 or more slots get an extra slot if available, etc. When there are no more slots available for all projects that have requested them a draw is used to allocate the remaining slots.<br />
<br />
In any case, the program's administrators should perform a final review of the selected proposals to ensure that they are of high quality. If concerns arise they should request additional information from project leaders.<br />
<br />
'''Phase 4: Coding.'''<br />
<br />
This is the main phase of the program. Students implement their proposal according to the submitted timeplan and under the supervision <br />
of their mentors.<br />
<br />
== '''Evaluations''' ==<br />
<br />
In the middle of the coding period, mentors should submit an evaluation of their students to ensure that they are on track and provide some feedback both to OWASP and the students.<br />
<br />
If no/little progress has been made up to this point, the mentors could decide to fail the student in which case the student does not receive money. If successful, OWASP will pay half the amount ($750). The final evaluations are submitted at the end of the coding period and the second installment ($750) is paid to the student if all agreed deliverables are met. If the student has failed to demonstrate progress during the second period, then the second installment will not be paid and the student will get only half of the amount.<br />
== '''Deadlines''' == <br />
Program announcement: May 15''', 2017''' <br />
<br />
Deadline for Student Applications: '''June 15, 2015''' <br />
<br />
Proposal Evaluations: from: '''June''' '''15 thru June 23 2017''' <br />
<br />
Successful proposals announcement:: '''June 26, 2017''' <br />
<br />
Bonding Period Announcement: June 26, 2017 - July 1, 2017 <br />
<br />
Coding Period Starts: '''July 3, 2017''' <br />
<br />
Mid-term evaluations: Submitted from :'''July 31, 2017 thru August 4, 2017'''<br />
<br />
Coding Period Re-starts: August 7, 2017<br />
<br />
Coding period ends: '''September 1, 2017''' <br />
<br />
Final evaluations:'''September 4, 2017 thru September 8, 2017''' <br />
<br />
== '''Mailing List''' ==<br />
Please subscribe to the following mailing list to receive updates or ask any particular questions:<br />
<br />
[https://groups.google.com/a/owasp.org/forum/?hl=en#!forum/owasp-code-sprint-2017 OWASP Code Sprint 2017 Mailing List]<br />
<br />
== '''Project Ideas''' ==<br />
== OWASP ZAP ==<br />
<br />
[[OWASP Zed Attack Proxy Project]] (ZAP) The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. Previous GSoC students have implemented key parts of the ZAP core functionality and have been offered (and accepted) jobs based on their work on ZAP.<br />
<br />
We have just included a few of the ideas we have here, for a more complete list see the issues on the ZAP bug tracker with the [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3Aproject project] label.<br />
<br />
=== Field Enumeration ===<br />
:<br />
:This would allow a user to iterate though a set of (user defined) characters in order to identify the ones that are filtered out and/or escaped.<br />
:<br />
:The user should be able to define the character sets to test and will probably need to configure the success and failure conditions, as well as valid values for other fields in the form.<br />
:<br />
:''' Expected Results '''<br />
:* User able to specify a specific field to enumerate via the ZAP UI<br />
:* A list of all valid characters to be returned from the sets of characters the user specifies<br />
:* Ability to configure a wide range of success and failure conditions to cope with as many possible situations as possible<br />
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.<br />
:<br />
:''' Mentors '''<br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
:<br />
<br />
=== Scripting Code Completion ===<br />
:<br />
:ZAP provides a very powerful scripting interface. Unfortunately to use it effectively is only really possible with a good knowledge of the ZAP internals. Adding code completion (eg using a project like https://github.com/bobbylight/AutoComplete) would significantly help users.<br />
:<br />
:''' Expected Results '''<br />
:* Code completion for all of the parameters for all available functions in the standard scripts<br />
:* Implementations for JavaScript, JRuby and Jython<br />
:* Helper classes with code completion for commonly required functionality<br />
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
:<br />
:'''Mentors:''' <br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== SSRF Detector Integration ===<br />
:<br />
:Currently ZAP does not detect SSRF vulnerabilities, due to the lack of this sort of service. https://ssrfdetector.com/ is an online service for detecting Server Side Request Forgery vulnerabilities (SSRF). It is developed and maintained by Jake Reynolds and is open source https://github.com/jacobreynolds/ssrfdetector<br />
:<br />
:''' Expected Results '''<br />
:* Extend ZAP to detect SSRF vulnerabilities and interact with other services such as outlined above.<br />
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
:<br />
:'''Mentors:''' <br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Zest Text Representation and Parser ===<br />
:<br />
:Zest is a graphical scripting language from the Mozilla Security team, and is used as the ZAP macro language.<br />
:<br />
:A standardized text representation and parser would be very useful and help its adoption.<br />
:<br />
:''' Expected Results '''<br />
:* A documented definition of a text representation for Zest<br />
:* A parser that converts the text representation into a working Zest script<br />
:* An option in the Zest java implementation to output Zest scripts text format<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:The Zest reference implementation is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
:<br />
:'''Mentors:''' <br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Support Java as a Scripting Language ===<br />
:<br />
:It would be very useful to support Java in addition to the JSR223 scripting languages within the ZAP script console'.<br />
:<br />
:It should be possible to provide much better auto complete support than will be possible with dynamically typed scripting languages.<br />
:<br />
:''' Expected Results '''<br />
:* The ability to run Java code in the ZAP Script Console to the same leval as other supported scripting languages<br />
:* Templates for all of the current script types<br />
:* Optionally auto complete supported<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:The Zest reference implementation is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
:<br />
:'''Mentors:''' <br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Bamboo Support ===<br />
:<br />
:ZAP already has an official plugin for Jenkins (https://wiki.jenkins-ci.org/display/JENKINS/zap+plugin). <br />
:<br />
:It would be great if we also had similar integration for Bamboo (https://www.atlassian.com/software/bamboo, https://en.wikipedia.org/wiki/Bamboo_(software))<br />
:<br />
:''' Expected Results '''<br />
:* Facilitate the invocation and configuration of various ZAP functionalities from Bamboo CI. Including (but not limited to):<br />
::*Manage Sessions (Loading/Persisting)<br />
::*Define Context (Name, Include & Exclude URLs)<br />
::* Attack Contexts (Spider, Ajax Spider, Active Scan)<br />
::* Setup Autentication (Formed or Script Based)<br />
::* Generate Reports<br />
:* Templates for all of the current script types<br />
:* Optionally auto complete supported<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:The Zest reference implementation is written in Java, so a good knowledge of this language is recommended. Some knowledge of CI/CD/Bamboo would be useful.<br />
:<br />
:'''Mentors:''' <br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Backslash Powered Scanner ===<br />
:<br />
:This is a brand new technique developed by one of the Burp guys: http://blog.portswigger.net/2016/11/backslash-powered-scanning-hunting.html<br />
:Their implementation is open source: https://github.com/PortSwigger/backslash-powered-scanner so hopefully shouldn't be too hard to port to ZAP :)<br />
:<br />
:''' Expected Results '''<br />
:* Extend ZAP's active scanner to leverage Backslash type scanning.<br />
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:ZAP is written in Java, so a good knowledge of this language is recommended.<br />
:<br />
:'''Mentors:''' <br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Your Idea ===<br />
:<br />
:'''Brief Explanation:'''<br />
:<br />
:ZAP is a great framework for building new and innovative security testing solutions. If you have an idea that is not on this list then don't worry, you can still submit it, we have accepted original projects in previous years and have even paid a student to work on their idea when we did not get enough GSoC slots to accept all of the projects we wanted.<br />
:<br />
:''' Getting started '''<br />
:* Get in touch with us :)<br />
:<br />
:'''Expected Results:'''<br />
:* A new feature that makes ZAP even better<br />
:* Code that conforms to our [https://github.com/zaproxy/zaproxy/wiki/DevGuidelines Development Rules and Guidelines]<br />
:<br />
:'''Knowledge Prerequisites:'''<br />
:ZAP is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.<br />
:<br />
:'''Mentors:''' <br />
:[https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
:<br />
<br />
== BLT ==<br />
<br />
'''Brief Explanation:'''<br />
<br />
lets anyone report issues they find on the internet. Found something out of place on Amazon.com ? Let them know. Companies are held accountable and shows their response time and history. Get points for reporting bugs and help keep the internet bug free.<br />
<br />
''' Getting started '''<br />
* Get in touch with us :)<br />
<br />
'''Expected Results:'''<br />
* A new feature that makes Bugheist even better<br />
<br />
<br />
'''Knowledge Prerequisites:'''<br />
BLT is written in Python / Django, so a good knowledge of this language and framework is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.<br />
<br />
'''Mentors:''' <br />
[https://www.owasp.org/index.php/User:Sauriti Sean Auriti] [mailto:sean.auriti@owasp.org @] and the rest of the BLT Core Team<br />
<br />
<br />
<br />
== OWASP Security Knowledge framework ==<br />
<br />
===Brief Explanation===<br />
The OWASP Security Knowledge Framework is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. Education is the first step in the Secure Software Development Lifecycle. This software can be run on Windows/Linux/OSX using python-flask.<br />
<br />
'''In a nutshell''' <br />
<br />
- Training developers in writing secure code<br />
<br />
- Security support pre-development ( Security by design, early feedback of possible security issues )<br />
<br />
- Security support post-development ( Double check your code by means of the OWASP ASVS checklists )<br />
<br />
- Code examples for secure coding<br />
<br />
===Your idea / Getting started===<br />
* Please send an email to riccardo.ten.cate@owasp.org [riccardo.ten.cate@owasp.org] or glenn.ten.cate@owasp.org [glenn.ten.cate@owasp.org] and we would love to tell you all about it! :-)<br />
<br />
===Expected Results===<br />
* Adding features to SKF project<br />
* Adding more function examples to pre-development phase<br />
* Adding/updating code examples ( PHP, Java, .NET, Go, Python, NodeJS and more )<br />
* Adding/updating Knowledgebase items<br />
* Adding CWE references to knowledgebase items<br />
* Adding low/medium level verification testing guides for developers to teach how to manually verify the existence of injection/logic flaws. (pen-testing)<br />
<br />
===Knowledge Prerequisites===<br />
<br />
* For helping in the development of new features and functions Python flask would come in handy since the framework is written in python flask.<br />
* For writing knowledgebase items only technical knowledge of application security is required<br />
* For writing / updating code examples you need to know a programming language along with secure development.<br />
* For writing the verification guide you need some penetration testing experience. <br />
<br />
'''Mentors:''' <br />
<br />
Riccardo ten Cate [mailto:riccardo.ten.cate@owasp.org]<br />
Glenn ten Cate [mailto:glenn.ten.cate@owasp.org]<br />
<br />
== OWASP ZSC ==<br />
<br />
'''Brief Explanation:'''<br />
<br />
OWASP ZSC is an open source software in python language which lets you generate customized shellcodes and convert scripts to an obfuscated script. This software can be run on Windows/Linux/OSX under python<br />
https://www.owasp.org/index.php/OWASP_ZSC_Tool_Project<br />
<br />
''' Getting started '''<br />
* Get in touch with us on Github:<br />
https://github.com/zscproject/OWASP-ZSC<br />
<br />
Project Leaders:<br />
*https://www.owasp.org/index.php/User:Ali_Razmjoo<br />
*https://www.owasp.org/index.php/User:Johanna_Curiel<br />
<br />
'''Expected Results:'''<br />
We have a list of potential modules we want to build<br />
To get familiar with the project, please check our installation and developer guidelines:<br />
https://www.gitbook.com/book/ali-razmjoo/owasp-zsc/details<br />
<br />
Contact us through Github, send us a question:<br />
https://github.com/zscproject/OWASP-ZSC<br />
<br />
* New obfuscation modules<br />
* New shellcodes for OSX and Windows <br />
<br />
<br />
'''Knowledge Prerequisites:'''<br />
OWASP ZSC is written in Python, so a good knowledge of this language and framework is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential.<br />
<br />
'''Mentors:''' <br />
Brian Beaudry & Patrik Patel<br />
Please contact us through Github<br />
https://github.com/zscproject/OWASP-ZSC<br />
<br />
<br />
<br />
== OWASP Seraphimdroid mobile security project ==<br />
<br />
<br />
=== Behavioral malware and intrusion analysis ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
[[OWASP_SeraphimDroid_Project|OWASP Seraphimdroid]] is an Android mobile app which already has a capability to statically analyze malware using machine learning (weka toolkit) relying on permissions. However, this is usually not enough and we intend to improve this with behavioral analysis. There are a number of paper in scientific literature describing how to detect malware and intrusions by dynamically analyzing its behavior (system calls, battery consumption, etc.). The idea of this project is to find the best approach that can be implemented on the device and implement it.<br />
<br />
'''Expected Results:'''<br />
<br />
* Reviewing scientific literature and find feasible approach we can take<br />
* Implement and possibly improve the approach in Seraphimdroid<br />
* Test the model and provide controls to switch algorithm on or off and possibly fine tune it<br />
* Documenting approach as a technical report<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Java<br />
* Android<br />
* CSV, XML<br />
* Basic knowledge and interest in machine learning<br />
<br />
'''Mentors:''' <br />
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader<br />
<br />
=== Framework for plugin development ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
[[OWASP_SeraphimDroid_Project|OWASP Seraphimdroid]] is well rounded security and privacy app, however, it lacks some components community can provide. We would like to provide community the way to develop plugins that can add features to OWASP Seraphimdroid app. However, the way of integrating external components into Android app may be challenge. The way of presenting GUI and integration between processes need to be examined and developed. <br />
<br />
'''Expected Results:'''<br />
<br />
* Examining the way of integrating third party apps through some provided API to OWASP Seraphimdroid<br />
* Providing GUI integration with third party components<br />
* Develop at least one test plugin<br />
* Document the development process and API<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Java<br />
* Android<br />
* CSV, XML<br />
<br />
'''Mentors:''' <br />
* [[User:Nikola_Milosevic|Nikola Milosevic]] - OWASP Seraphimdroid Project Leader<br />
<br />
== OWASP DefectDojo ==<br />
<br />
'''Brief Explanation:'''<br />
<br />
DefectDojo is a security automation and vulnerability management tool. DefectDojo allows you to manage your application security program, maintain product and application information, schedule scans, triage vulnerabilities and push findings into defect trackers.<br />
<br />
'''Expected Results:'''<br />
<br />
* Multiple opportunities for students to get involved with DefectDojo ranging in difficulty from easy to advanced<br />
* Students will receive hands-on experience in a full-stack software development project<br />
* Students will have the opportunity to work on a project with multiple moving parts and third-party interactions<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Python<br />
* HTML, Bootstrap<br />
<br />
''' Getting started: '''<br />
* We have a [http://defectdojo.readthedocs.io/en/latest/ Read the Docs Site]<br />
<br />
<br />
'''Mentors:''' <br />
* [[User:devgreg|Greg Anderson]] - OWASP DefectDojo Project Leader<br />
<br />
== OWASP AppSensor ==<br />
<br />
[[OWASP AppSensor Project]] The OWASP AppSensor project is a project to help you build self-defending applications through real-time event detection and response. Previous GSoC students have implemented key AppSensor contributions, and we've had very successful engagements. We look forward to hearing your ideas and hopefully working with you to execute them.<br />
<br />
=== Machine Learning Driven Web Server Log Analysis ===<br />
:<br />
:'''Brief Explanation:'''<br />
:<br />
:The goal of this project would be to build a web server log analysis tool suite based on ML (machine learning). This tool suite will accept as input web server logs (apache, nginx) and will provide as output a determination of requests that are considered "attacks" There are a number of key points for this project:<br />
:* Almost everybody has web server logs. It's a common format that is well understood, and is a good starting place for many security teams<br />
:* Because the format is well understood, the data points (features) are well understood. <br />
:* This tool suite would have applicability far beyond just our project. The goal is to give away a tool that can process a set of log files, build a custom model for the traffic, and then be used to process future log files and find attacks (outliers / anomalies)<br />
:<br />
:Note that this project would extend work done in last year's GSOC to get an initial machine learning capability developed. <br />
:<br />
:''' Expected Results '''<br />
:* User provides tool suite a set of web server logs (User has option to annotate data set with known attacks)<br />
:* System is pre-coded with knowledge of certain anomalous patterns (attacks)<br />
:* System builds ML model for processing future log files<br />
:* System provides mechanism for processing future logs using trained model.<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:AppSensor is written in Java, so a good knowledge of this language is recommended. The toolset used previously for the ML effort was scala/spark, but this is not a hard requirement. The preference would be to use either the JVM (java/scala), or possibly python, as both of these stacks are well understood and have significant ML capabilities. <br />
:<br />
:''' Mentors '''<br />
:[https://www.owasp.org/index.php/User:John_Melton John Melton] [mailto:jtmelton@gmail.com @] and the rest of the AppSensor Team<br />
:<br />
<br />
=== Your Idea ===<br />
:<br />
:'''Brief Explanation:'''<br />
:<br />
:AppSensor is a great tool and many organizations are starting to use it. If you have an idea that is not on this list, please submit it - we would love to give you the chance to work on an idea you came up with!<br />
:<br />
:''' Getting started '''<br />
:* Get in touch with us :)<br />
:<br />
:'''Expected Results:'''<br />
:* A new feature that makes AppSensor even better<br />
:<br />
:''' Knowledge Prerequisite: '''<br />
:AppSensor is written in Java, so a good knowledge of this language is recommended. <br />
:<br />
:''' Mentors '''<br />
:[https://www.owasp.org/index.php/User:John_Melton John Melton] [mailto:jtmelton@gmail.com @] and the rest of the AppSensor Team<br />
:<br />
<br />
== OWASP OWTF ==<br />
'''[https://github.com/owtf/owtf Offensive Web Testing Framework (OWTF)]''' is a project focused on penetration testing efficiency and alignment of security tests to security standards like the OWASP Testing Guide (v3 and v4), the OWASP Top 10, PTES and NIST. Most of the ideas below focus on rewrite of some major components of OWTF to make it more modular.<br />
<br />
=== OWASP OWTF - MiTM proxy interception and replay capabilities ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
The OWTF man-in-the-middle proxy is written completely in Python (based on the excellent Tornado framework) and was benchmarked to be the fastest MiTM python proxy. However it lacks the useful and much need interception and replay capabilities of mitmproxy (https://github.com/mitmproxy/mitmproxy). <br />
<br />
The current implementation of the MiTM proxy serves its purpose very well. Its fast but its not extensible. There are a number of good use cases for being extensible<br />
<br />
* ability to intercept the transactions<br />
* modify or replay transaction on the fly<br />
* add additional capabilities to the proxy (such as session marking/changing) without polluting the main proxy code<br />
<br />
Bonus: <br />
<br />
* Design and implement a proxy plugin (middleware) architecture so that the plugins can be defined separately and the user can choose what plugins to include dynamically (from the web interface).<br />
* Replace the current Requester (based on urllib, urllib2) with a more robust Requester based on the new urllib3 with support for a real headless browser factory. The typical flow when requested for an authenticated browser instance (using PhantomJS)<br />
<br />
* The "Requester" module checks if there is any login parameters provided (i.e form-based or script - look at https://github.com/owtf/login-sessions-plugin)<br />
* Create a browser instance and do the necessary login procedure<br />
* Handle the browser for the URI<br />
* When called to close the browser, do a clean logout and kill the browser instance.<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
'''Knowledge Prerequisite:'''<br />
Python proficiency, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn.<br />
<br />
'''OWASP OWTF Mentors:'''<br />
Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders<br />
<br />
=== OWASP OWTF - Report enhancements ===<br />
<br />
'''Brief explanation:'''<br />
<br />
The current OWTF report is very interactive but it cannot be exported in its current form. A reporter service can be written (which was in the very early releases of OWTF) which exports a nice report with template, findings, and additional pentester's notes into multiple formats. A small set of export formats should be supported such as:<br />
<br />
* HTML (pure static html here)<br />
* PDF<br />
* XML (for processing)<br />
* JSON (for processing)<br />
<br />
For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
'''Knowledge Prerequisite:'''<br />
Python, React.JS and general JavaScript proficiency, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn.<br />
<br />
'''OWASP OWTF Mentors:'''<br />
Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders<br />
<br />
=== OWASP OWTF - Distributed architecture ===<br />
<br />
To be updated soon!<br />
<br />
<br />
=== OWASP OWTF - Off-line HTTP traffic uploader ===<br />
<br />
'''Brief explanation:'''<br />
<br />
Although it is awesome that OWTF runs a lot of tools on behalf of the user, there are situations where uploading the HTTP traffic of another tool off-line can be very interesting for OWTF, for example:<br />
<br />
* Tools that OWTF has trouble proxying right now: skipfish, hoppy<br />
* Tools that the user may have run manually OR even from a tool aggregator -very common! :)-<br />
* Tools that we just don't run from OWTF: ZAP, Burp, Fiddler<br />
<br />
This project is about implementing an off-line utility able to parse HTTP traffic:<br />
<br />
1) Figure out how to read output files from various tools like:<br />
skipfish, hoppy, w3af, arachni, etc.<br />
Nice to have: ZAP database, Burp database<br />
<br />
2) Translate that into the following clearly defined fields:<br />
<br />
* HTTP request<br />
* HTTP response status code<br />
* HTTP response headers<br />
* HTTP response body<br />
<br />
3) IMPORTANT: Implement a plugin-based uploader system<br />
<br />
4) IMPORTANT: Implement ONE plugin, that uploads that into the OWTF database<br />
<br />
5) IMPORTANT: OWTF should ideally be able to invoke the uploader right after running a tool<br />
Example: OWTF runs skipfish, skipfish finishes, OWTF runs the HTTP traffic uploader, all skipfish data is pushed to the OWTF DB.<br />
<br />
6) CRITICAL: The off-line HTTP traffic uploader should be smart enough to read + push 1-by-1 instead of *stupidly* trying to load everything into memory first, you have been warned! :)<br />
<br />
Why? Because in a huge assessment, the output of "tool X" can be "10 GB", which is *stupid* to load into memory, this is OWTF, we *really* try to foresee the crash before it happens! ;)<br />
<br />
<br />
CRITICAL: It is important to implement a plugin-based uploader system, so that other projects can benefit from this work (i.e. to be able to import third-party tool data to ZAP, Burp, and other tools in a similar fashion), and hence hopefully join us in maintaining this project moving forward.<br />
<br />
<br />
For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF<br />
<br />
<br />
'''Expected results:'''<br />
<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
* '''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
* '''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
* CRITICAL: Excellent reliability<br />
* Good performance<br />
* Unit tests / Functional tests<br />
* Good documentation<br />
<br />
'''Knowledge Prerequisite:'''<br />
Python proficiency, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn.<br />
<br />
'''OWASP OWTF Mentors:'''<br />
Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders<br />
<br />
<br />
== OWASP Hackademic Challenges Project ==<br />
<br />
[[OWASP Hackademic Challenges Project]] The OWASP Hackademic Challenges project helps you test your knowledge on web application security. You can use it to actually attack web applications in a realistic but also controllable and safe environment.<br />
<br />
=== New CMS ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
The CMS part of the project is really old and has accumulated a significant amount of technical debt.<br />
In addition many design decisions are either outdated or could be improved. <br />
Therefore it may be a good idea to leverage the power of modern web frameworks to create a new CMS.<br />
The new cms can be written in python using Django.<br />
<br />
'''Expected Results:'''<br />
* New cms with same functionality as the old one (3 types of users -- student, teacher, admin--, 3 types of resources -- article challenge, class--, ACL type permissions, CRUD operations on every resource/user, all functionality can be extended by Plugins.<br />
* REST endpoints in addition to classic ones<br />
* tests covering all routes implemented, also complete ACL unit tests, it would be embarassing if a cms by OWASP has rights vulnerabilities.<br />
* PEP 8 code<br />
<br />
''' Note: '''<br />
This is a huge project, it is ok if the student implements a part of it. However whatever implemented must be up to spec.<br />
If you decide to take on this project contact us and we can agree on a list of routes.<br />
If you don't decide to take on this project contact us.<br />
Generally contact us, we like it when students have insightful questions and the community is active<br />
<br />
<br />
''' Getting Started: '''<br />
* Install and take a brief look around the old cms so you have an idea of the functionality needed<br />
* It's ok to scream in frustration<br />
* If you want to contribute to get a feeling of the platform a good idea would be lettuce tests for the current functionality (which won't change and you can port in the new cms eventually)<br />
<br />
'''Knowledge Prerequisites:'''<br />
Python, Django, what REST is, the technologies used, some security knowledge would be nice.<br />
<br />
'''Mentors:''' [mailto:spyros.gasteratos@owasp.org Spyros Gasteratos] - Hackademic Challenges Project Leaders<br />
<br />
=== Course Type Challenge ===<br />
<br />
'''Brief Explanation:'''<br />
We have a sandbox engine which allows for complex guided challenges to be implemented.<br />
We'd like to build a challenge that guides the user through a series of steps to an end goal and teaches more information on the subject matter on the way.<br />
This is a very open-ended project on purpose to allow creative student to come up with nice ideas.<br />
Bellow you will find some examples that we thought might be interesting.<br />
<br />
Ideas on the project:<br />
* Purposefully vulnerable web page that guides the user via javascript tooltips and hints to exploiting it using ZAP. ( Bonus: using ZAP via the ZAP api). The challenge is solved when the the student submits the contents of a text file located on the disk (obtained by exploited an RCE)<br />
<br />
* Reversing a provided binary to extract information by providing step by step instructions to reversing using any popular reversing tool (well, you can't use IDA so gdb should have to do). Challenge is solved when the keys are extracted from the binary and submitted. Bonus points if each binary donwloaded has different keys.<br />
<br />
* Guide to exploiting the TOP10. (Using ZAP?)<br />
<br />
* Defensive Type challenges -- Here's how to create a patch for this kind of vulnerability -- Challenge is solved when the unit tests are run and the vulnerability isn't there.<br />
<br />
''' Getting started '''<br />
* Check popular javascript guide tools such as: (http://introjs.com/ and http://github.hubspot.com/shepherd/docs/welcome/ )<br />
* If you're more interested in system or non-web challenges check serverspec and definitely check quest (https://github.com/puppetlabs/quest)<br />
* If you think contributing is a good idea to make yourself familiar with the project you can either port one of the existing simpler 1-page challenges to a docker container and submit a pull request or write a guide on how to create such a challenge<br />
<br />
'''Expected Results:'''<br />
<br />
* One or more Course - style challenges provided either as a docker container or as a vagrant box.<br />
* Concrete documentation on how to build a challenge like this.<br />
<br />
'''Knowledge Prerequisites:'''<br />
The technologies used.<br />
<br />
<br />
'''Mentors:''' [mailto:spyros.gasteratos@owasp.org Spyros Gasteratos] - Hackademic Challenges Project Leaders</div>Bernhard Muellerhttps://wiki.owasp.org/index.php?title=OWASP_Mobile_Security_Testing_Guide&diff=229610OWASP Mobile Security Testing Guide2017-05-14T05:58:48Z<p>Bernhard Mueller: Fix link</p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_MSTG_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==Our Vision ==<br />
<br />
=== '''"Define the industry standard for mobile application security."''' ===<br />
<br />
We are writing a security standard for mobile apps and a comprehensive testing guide that covers the processes, techniques, and tools used during a mobile app security test, as well as an exhaustive set of test cases that enables testers to deliver consistent and complete results.<br />
<br />
== Main Deliverables ==<br />
<br />
{| cellpadding="5"<br />
|-<br />
| [[File:mstg-mini-2.jpg|link=https://www.github.com/OWASP/owasp-mstg/]]<br />
| '''Mobile Security Testing Guide'''<br />
A comprehensive guide for iOS and Android mobile security testers with the following content:<br />
# Mobile platform internals<br />
# Testing in the secure development lifecycle<br />
# Basic white-box and black-box security testing<br />
# Mobile reverse engineering and tampering<br />
# Assessing software protections<br />
# Detailed white-box and black-box test cases that map to the requirements in the MASVS.<br />
The MSTG is a work-in-progress. Currently, we hope to be "feature-complete" in Q3 2017. You can contribute and comment in the [https://github.com/OWASP/owasp-mstg GitHub Repo]. A book version of the current master branch is available on [https://b-mueller.gitbooks.io/owasp-mobile-security-testing-guide/content/ Gitbook].<br />
|-<br />
| [[File:masvs-sample-mini.jpg|link=https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf]]<br />
| '''Mobile App Security Requirements and Verification'''<br />
The [https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf OWASP Mobile Application Security Verification Standard (MASVS)] is a standard for mobile app security. It can be used by mobile software architects and developers seeking to develop secure mobile applications, as well as security testers to ensure completeness and consistency of test results. The latest release is [https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf version 0.9.3].<br />
|-<br />
| [[File:checklist.jpg|link=https://www.owasp.org/images/1/1b/Mobile_App_Security_Checklist_0.9.3.xlsx]]<br />
| '''Mobile App Security Checklist'''<br />
A checklist for use in security assessments. Also contains links to the MSTG test case for each requirement. The current release is [https://www.owasp.org/images/1/1b/Mobile_App_Security_Checklist_0.9.3.xlsx version 0.9.3].<br />
|}<br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Breakers]] <br />
[[Category:OWASP_Document]]<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="center" width="50%" | [[File:Owasp-breakers-small.png|link=https://www.owasp.org/index.php/Breakers]]<br />
|<br />
|-<br />
| align="center" valign="center" width="50%" | <br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
== Project Leaders ==<br />
<br />
<span style="color:#ff0000"><br />
<br />
[https://www.owasp.org/index.php/User:Bernhard_Mueller Bernhard Mueller]<br />
<br />
[https://www.owasp.org/index.php/User:Sven_Schleier Sven Schleier]<br />
<br />
== Road Map ==<br />
<br />
* Q3 2017: Beta release<br />
* Q4 2017: Version 1.0<br />
* Q1 2018: Produce A Printable Book<br />
<br />
== Parent Project ==<br />
<br />
[[OWASP_Mobile_Security_Project]]<br />
<br />
==Licensing==<br />
<br />
The guide is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
|}<br />
<br />
=How-To=<br />
<br />
== Using the OWASP Mobile App Security Verification Standard, Testing Guide and Checklist ==<br />
<br />
The documents produced in this project cover many aspects of mobile application security, from the high-level requirements to the nitty-gritty implementation details and test cases. They can be used to plan and verify security controls during any phase of mobile app development, as well as during pre-release code review and penetration testing.<br />
<br />
# The [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf Mobile Application Security Verification Standard (MASVS)] contains generic security requirements along with mappings to verification levels that can be chosen depending on the overall need for security.<br />
# The [https://github.com/OWASP/owasp-mstg Mobile Security Testing Guide (MSTG)] provides verification instructions for each requirement in the MASVS, as well as security best practices for apps on each supported mobile operating system (currently Android and iOS). It is also useful as a standalone learning resource and reference guide for mobile application security testers.<br />
# The [https://www.owasp.org/images/6/6f/Mobile_App_Security_Checklist_0.9.2.xlsx Mobile App Security Checklist] can be used to apply the MASVS requirements during practical assessments. It also conveniently links to the MSTG test case for each requirement, making mobile penetration testing a breeze.<br />
<br />
It is important to note that the security standard, testing guide and checklists are closely related: They all map to the same basic set of requirements. Depending on the context, the documents can be used stand-alone or in combination to achieve different objectives.<br />
<br />
[[File:Overview-800px.jpg]]<br />
<br />
For example, the MASVS requirements may be used in the planning and architecture design stages, while the checklist and testing guide may serve as a baseline for manual security testing or as a template for automated security tests.<br />
<br />
== Mobile App Security Testing ==<br />
<br />
The [https://www.owasp.org/images/9/94/Mobile_App_Security_Verification_Checklist_0.8.2.xlsx checklist] works great as a reference during mobile app security assessments. You can walk through the requirements one-by-one - for more information on each requirement, simply click on the link in the "Testing procedures" column. Or, fill out the checklist at the end of an assessment to ensure completeness. <br />
<br />
== Security Engineering in the SDLC ==<br />
<br />
Properly defined security requirements are an important part of the Secure SDLC. The [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf MASVS] levels can be used along with threat modeling to determine the appropriate set of security controls for a particular mobile app. MASVS V1 also lists requirements pertaining to the architecture and design of the mobile apps, as well as general processes and activities that should be part of the development process.<br />
<br />
== Mobile App Security Education ==<br />
<br />
The [https://github.com/OWASP/owasp-mstg Mobile Security Testing Guide] can be used as a standalone learning resource. Its main chapters contain general how-tos and tutorials that cover a variety of topics from mobile OS internals to advanced reverse engineering techniques.<br />
<br />
=News=<br />
<br />
== Mobile Security Testing Workshop on the OWASP Summit 2017 ==<br />
<br />
During the last few months the [https://github.com/OWASP/owasp-mstg Mobile Security Testing Guide] has made a lot of progress. As we want to push things forward in order to have a first draft of the guide) at the end of Q2, we will be holding a five days working session during the [http://owaspsummit.org OWASP Summit 2017 in London]. Our ambitious goal is to complete the mobile security testing guide. To achieve this, we’ll need to at least close the 126 “missing content” tickets listed on the [https://github.com/OWASP/owasp-mstg/projects/1 project dashboard] and produce an estimated 200 book-sized pages of content. This sounds like a lot - however, if we can gather 10 people for this working session, this amounts to 4 pages of content per person/day which is achievable.<br />
<br />
The main tasks of the five days workshop are:<br />
<br />
- Write original content, such as describing testing processes and writing test cases.<br />
- Proofreading and technical editing to improve the overall quality of the MSTG.<br />
<br />
Work will be split between working groups based on mobile OS and topic. On top of completing the content, we want to apply a basic level of proof-reading, review and editing to get the guide beta-ready.<br />
<br />
In order to be able to schedule work during the summit and create work groups we need to know who will be attending the OWASP Summit and how much time you can/will spend for the mobile workshop. Please [https://github.com/OWASP/owasp-summit-2017/blob/master/Working-Sessions/Mobile-Security/MSTG.md add yourself to the list of participants] and reach out directly to Sven via Slack.<br />
<br />
If you do not have time during the summit but are interested to help, you can start immediately by assigning issues to yourself and creating pull requests. We can also loop you in remotely during the submit.<br />
<br />
Let’s work on the testing guide and fix mobile application security!<br />
<br />
== April 5th, 2017: Mobile App Security Verification Standard Update ==<br />
<br />
[https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf Version 0.9.3] of the MASVS is now [https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf available for download] . This release contains several bug fixes and modifications to security requirements:<br />
<br />
* Merged requirements 7.8 and 7.9 into for simplification<br />
* Removed Anti-RE controls 8.1 and 8.2<br />
* Updated MSTG links to current master<br />
* Section "Environmental Interaction" renamed to "Platform Interaction"<br />
* Removed To-dos<br />
* Fixed some wording & spelling issues<br />
<br />
== January 31st, 2017: Mobile App Security Verification Standard v0.9.2 Available For Download ==<br />
<br />
The Mobile App Security Verification Standard (MASVS) has undergone a major revision, including a re-design of the security model and verification levels. We also revised many security requirements to address the multitude of [https://github.com/OWASP/owasp-masvs/issues?q=is%3Aissue%20 issues raised on GitHub]. The result is MASVS v0.9.2, which is now [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf available for download in PDF format].<br />
<br />
As the MASVS is nearing maturity, we have decided to freeze the requirements until the Mobile Testing Guide and checklists "catch up" (due to the one-to-one mapping between requirements in the MASVS and MSTG, changes to the requirements make it necessary to update the other documents as well, causing repeated effort). Unless major issues pop up, the current list will therefore remain in place until MASVS/MSTG v1.0, and further changes will be reserved for v1.1 or later releases.<br />
<br />
The MASVS is a community effort to establish security requirements for designing, developing and testing secure mobile apps on iOS and Android. Join the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel] to meet the project members! You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
== January 28th, 2017: Mobile Crackmes and Reversing Tutorials ==<br />
{| cellpadding="5"<br />
|-<br />
| [[File:uncrackable-250.png|link=]]<br />
| <br />
A key goal of the OWASP Mobile Testing Project is to build the ultimate learning resource and reference guide for mobile app reversers. As hands-on hacking is by far the best way to learn, we'd like to link most of the content to practical examples. <br />
<br />
Starting now, we'll be adding [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes crackmes for Android and iOS] to the [https://github.com/OWASP/owasp-mstg GitHub repo] that will then be used as examples throughout the guide. The goal is to collect enough resources for demonstrating the most important tools and techniques in our guide, plus additional crackmes for practicing. For starters there are three challenges:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/OMTG-Files/02_Crackmes/01_Android/01_License_Validation Android License Validator]<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes/iOS/Level_01/ Uncrackable App for iOS Level 1]<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes/iOS/Level_02/ Uncrackable App for iOS Level 2]<br />
<br />
|}<br />
<br />
One of these three already has a [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md#symbolicexec documented solution] in the guide. Tutorials for solving the other two [https://github.com/OWASP/owasp-mstg/blob/master/OMTG-Files/02_Crackmes/List_of_Crackmes.md still need to be added].<br />
<br />
=== We Need More Authors and Contributors! ===<br />
<br />
Maybe you have noticed that [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html the reverse engineering sections in the Mobile Testing Guide are incomplete]. The reason: We're still in the starting stages and don't have a lot of authors and contributors (in fact, 99% of the reversing content was produced by one guy). We'd love to welcome *you* as a contributor of crackmes, tutorials, writeups, or simply new ideas for this project. <br />
<br />
==== What You Can Do ====<br />
<br />
The OWASP MSTG is an open project and there's a lot of flexibility - it mostly depends on your skill set and willingness to commit your time. That said, the some areas that need help are:<br />
<br />
* Solving crackmes and contributing a tutorial to the guide (preferable a technique that's not already documented. Check the [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html TOC] first).<br />
* Writing and adding new crackmes along with solutions (should also describe something not already in the guide. Cracking white-boxes, dynamic analysis using an emulator / introspection, etc. etc.).<br />
* General reversing write-ups to describe specific processes and techniques<br />
* Help us figure out [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x07b-Assessing_Software_Protections.md resiliency testing processes] and [https://github.com/b-mueller/obfuscation-metrics obfuscation metrics]<br />
<br />
The reversing part of the guide consists of the following chapters:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05-Testing-Processes-and-Techniques.md#tampering-and-reverse-engineering Tampering and Reverse Engineering - General Overview]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md#tampering-and-reverse-engineering-on-android Tampering and Reverse Engineering on Android]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Reverse-Engineering-and-Tampering-iOS.md#tampering-and-reverse-engineering-on-ios Tampering and Reverse Engineering on iOS]<br />
<br />
==== How To Join ====<br />
<br />
Read the [https://github.com/OWASP/owasp-mstg/blob/master/authors_guide.md author's guide] first, and join the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel], where you'll find all the other project members. You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
== January 22nd, 2017: Mobile Testing Guide TOC Available ==<br />
<br />
As of now, we'll be auto-generating a [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html table of contents] out of the current MSTG master branch. This reflects the current state of the guide, and should make it easier to coordinate work between authors. A short-term goal is to finalize the structure of the guide so we get a clearer picture of what will be included in the final document. Lead authors are encouraged to complete the outline of their respective chapters. <br />
<br />
'''On another note, we still need additional authors to help with all sections of the guide, including mobile operating system overviews, testing processes and techniques, and reverse engineering.''' Especially iOS authors are in short supply! As usual, ping us on the [https://owasp.slack.com/messages/project-mobile_omtg/details/ Slack Channel] if you want to contribute.<br />
<br />
== December 4th, 2016: Call For Authors: The Ultimate Open-Source Mobile App Reverse Engineering Guide ==<br />
<br />
Reverse engineering is an art, and describing every available facet of it would fill a whole library. The sheer range techniques and possible specializations is mind-blowing: One can spend years working on a very specific, isolated sub-problem, such as automating malware analysis or developing novel de-obfuscation methods. For mobile app security testers, it can be challenging to filter through the vast amount of information and build a working methodology. Things become even more problematic when one is tasked to assess apps that are heavily obfuscated and have anti-tampering measures built in.<br />
<br />
One of the main goals in the MSTG is to build the ultimate resource for mobile reverse engineers. This includes not only basic static and dynamic analysis, but also advanced de-obfuscation, scripting and automation. Obviously, writing all this content is a lot of work, both in terms of general content and OS-specific how-tos. We're therefore looking for talented authors that want to join the project early on. Topics include the following:<br />
<br />
* Basic Hybrid Static/Dynamic Analysis<br />
* Code Injection and Dynamic Instrumentation (Substrate, FRIDA)<br />
* Dynamic Binary Instrumentation (Valgrind, PIE)<br />
* Analysis Frameworks (Metasm / Miasm)<br />
* Symbolic Execution<br />
* DCA and DPA attacks on white-box crypto<br />
* Dynamic analysis frameworks (PANDA / DroidScope,...)<br />
* Anything else we might have missed<br />
<br />
=== What is in for me? ===<br />
<br />
All of this is unpaid, volunteer work. However, depending on your contribution, you will be named in the "lead authors" or "contributors" list, and you'll be able to point to the fact that you co-authored the guide. You'll also be contributing to the field, helping others who are just starting out, and in turn becoming a happier person yourself (reaping the full benefits of your altruism).<br />
<br />
=== Where do I sign up? ===<br />
<br />
First of all, have a look at the existing RE chapters outline:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05-Testing-Processes-and-Techniques.md#tampering-and-reverse-engineering Generic / Introduction]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md Android]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Reverse-Engineering-and-Tampering-iOS.md#tampering-and-reverse-engineering-on-ios iOS]<br />
<br />
You'll probably immediately have ideas on how you can contribute. If that's the case, read the [https://github.com/OWASP/owasp-mstg/blob/master/authors_guide.md author's guide] first. <br />
<br />
Then contact [https://github.com/b-mueller Bernhard Mueller] - ideally directly on the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel], where you'll find all the other project members. You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
=FAQs=<br />
<br />
==How can I participate in your project?==<br />
<br />
'''We are searching for additional authors, reviewers and editors.''' The best way to get started is to browse the [https://b-mueller.gitbooks.io/owasp-mobile-security-testing-guide/content/ existing content]. Also, check the [https://github.com/OWASP/owasp-mstg/projects/1 project dashboard] for a list of open tasks.<br />
<br />
Drop a us line on the [https://owasp.slack.com/messages/project-mobile_omtg/details/) Slack channel] before you start working on a topic. This helps us to keep track of what everyone is doing and prevent conflicts. You can create a Slack account here:<br />
<br />
http://owasp.herokuapp.com/<br />
<br />
Before you start contributing, please read our brief [https://github.com/OWASP/owasp-mstg/blob/master/style_guide.md style guide] which contains a few basic writing rules.<br />
<br />
If there's something you really want to see in the guide, or you want to suggest an improvement, create an issue [https://github.com/OWASP/owasp-mstg/issues issue] or ping us on [https://owasp.slack.com/messages/project-mobile_omtg/details/ Slack].<br />
<br />
==Where do you guys need help the most?==<br />
<br />
There's a lot of areas where you can help out:<br />
<br />
* Writing original content, such as describing testing processes and writing test cases. We're all doing this in our spare time, which unfortunately means that things sometimes slow down to a crawl. If you're knowledgeable in some area and have time available, we'd be incredibly thankful to anyone who contributes, even if it's only one or two test cases.<br />
<br />
* Reviewing content and giving feedback. The proper channel for questions and feedback is the GitHub issues system of the respective repo, contacting us on [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel] is another possibility.<br />
<br />
* Developing tools. For example, we still don't have an automated way of generating checklists out of the GitHub repo.<br />
<br />
* Contributing to auxiliary projects: The [https://github.com/b-mueller/obfuscation-metrics obfuscation metrics project] is an auxiliary project that deals with specific forms of control flow and data obfuscation. This project needs experts in advanced obfuscation / de-obfuscation. Please contact us if you have experience in this area.<br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator.<br />
<br />
==I contributed to the original Google Doc, but I'm not credited in the new version of the MSTG? ==<br />
As we migrated some of the existing content, we did our best to backtrack the original authors and credit them appropriately. We also added a [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x02-Frontispiece.md revision history] that lists all the authors from old Google Docs. If you are not on that list but feel you should be, please contact [https://github.com/b-mueller Bernhard] or [https://github.com/sushi2k Sven] and they'll fix it. Or better yet, re-join the author's team and start contributing to the new guide.<br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
The Mobile Security Testing Guide was initiated by [https://www.owasp.org/index.php/User:Milan_Singh_Thakur Milan Singh Thakur] in 2015. The original document was hosted on Google Drive. Guide development was moved to GitHub in October 2016. Below is the full list of contributors for each revision.<br />
<br />
=== MSTG in its current form ===<br />
<br />
'''Authors:'''<br />
<br />
* Bernhard Mueller<br />
* Sven Schleier<br />
<br />
'''Contributors:'''<br />
<br />
* Abdessamad Temmar<br />
* Francesco Stillavato<br />
* Pawel Rzepa<br />
* Gerhard Wagner<br />
* Daniel Ramirez Martin<br />
*Jin Kung Ong<br />
* Alexander Antukh<br />
* Claudia André<br />
* Ryan Teoh<br />
* Prathan Phongthiproek<br />
* Jeroen Willemsen<br />
* Romuald Szkudlarek<br />
* Luander Ribeiro<br />
* Pishu Mahtani<br />
* Sebastian Banescu<br />
* Prabhant Singh<br />
* Stephen Corbiaux<br />
* Ali Yazdani<br />
<br />
'''Reviewers:'''<br />
<br />
=== MSTG "Beta 2" on Google Drive ===<br />
<br />
'''Authors:'''<br />
<br />
* Mirza Ali<br />
* Stephen Corbiaux<br />
* Ryan Dewhurst<br />
* Mohammad Hamed Dadpour<br />
* David Fern<br />
* Ali Yazdani<br />
* Bao Lee<br />
* Anto Joseph<br />
* Nutan Kumar Panda<br />
* Rahil Parikh<br />
* Julian Schütte<br />
* Abhinav Sejpal<br />
* Anant Shrivastava<br />
* Pragati Singh<br />
* Milan Singh Thakur<br />
* Stephanie Vanroelen<br />
* Gerhard Wagner<br />
<br />
'''Reviewers:'''<br />
<br />
* Andrew Muller<br />
* Jonathan Carter<br />
* Stephanie Vanroelen<br />
* Milan Singh Thakur<br />
<br />
=== MSTG "Beta 1" on Google Drive ===<br />
<br />
'''Authors:''' <br />
<br />
*Mirza Ali <br />
*Mohammad Hamed Dadpour<br />
*David Fern<br />
*Rahil Parikh<br />
*Abhinav Sejpal<br />
*Pragati Singh<br />
*Milan Singh Thakur<br />
<br />
'''Reviewers:'''<br />
<br />
*Andrew Muller<br />
*Jonathan Carter<br />
<br />
'''Top Contributors:'''<br />
<br />
*Jim Manico<br />
*Yair Amit<br />
*Amin Lalji<br />
*OWASP Mobile Team<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs></headertabs> <br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Builders]] <br />
[[Category:OWASP_Defenders]] <br />
[[Category:OWASP_Document]]</div>Bernhard Muellerhttps://wiki.owasp.org/index.php?title=OWASP_Mobile_Security_Testing_Guide&diff=229609OWASP Mobile Security Testing Guide2017-05-14T05:58:00Z<p>Bernhard Mueller: </p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_MSTG_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==Our Vision ==<br />
<br />
=== '''"Define the industry standard for mobile application security."''' ===<br />
<br />
We are writing a security standard for mobile apps and a comprehensive testing guide that covers the processes, techniques, and tools used during a mobile app security test, as well as an exhaustive set of test cases that enables testers to deliver consistent and complete results.<br />
<br />
== Main Deliverables ==<br />
<br />
{| cellpadding="5"<br />
|-<br />
| [[File:mstg-mini-2.jpg|link=https://www.github.com/OWASP/owasp-mstg/]]<br />
| '''Mobile Security Testing Guide'''<br />
A comprehensive guide for iOS and Android mobile security testers with the following content:<br />
# Mobile platform internals<br />
# Testing in the secure development lifecycle<br />
# Basic white-box and black-box security testing<br />
# Mobile reverse engineering and tampering<br />
# Assessing software protections<br />
# Detailed white-box and black-box test cases that map to the requirements in the MASVS.<br />
The MSTG is a work-in-progress. Currently, we hope to be "feature-complete" in Q3 2017. You can contribute and comment in the [https://github.com/OWASP/owasp-mstg GitHub Repo]. A book version of the current master branch is available on [https://b-mueller.gitbooks.io/owasp-mobile-security-testing-guide/content/ Gitbook].<br />
|-<br />
| [[File:masvs-sample-mini.jpg|link=https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf]]<br />
| '''Mobile App Security Requirements and Verification'''<br />
The [https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf OWASP Mobile Application Security Verification Standard (MASVS)] is a standard for mobile app security. It can be used by mobile software architects and developers seeking to develop secure mobile applications, as well as security testers to ensure completeness and consistency of test results. The latest release is [https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf version 0.9.3].<br />
|-<br />
| [[File:checklist.jpg|link=https://www.owasp.org/images/1/1b/Mobile_App_Security_Checklist_0.9.3.xlsx]]<br />
| '''Mobile App Security Checklist'''<br />
A checklist for use in security assessments. Also contains links to the MSTG test case for each requirement. The current release is [https://www.owasp.org/images/1/1b/Mobile_App_Security_Checklist_0.9.3.xlsx version 0.9.3].<br />
|}<br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Breakers]] <br />
[[Category:OWASP_Document]]<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="center" width="50%" | [[File:Owasp-breakers-small.png|link=https://www.owasp.org/index.php/Breakers]]<br />
|<br />
|-<br />
| align="center" valign="center" width="50%" | <br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
== Project Leaders ==<br />
<br />
<span style="color:#ff0000"><br />
<br />
[https://www.owasp.org/index.php/User:Bernhard_Mueller Bernhard Mueller]<br />
<br />
[https://www.owasp.org/index.php/User:Sven_Schleier Sven Schleier]<br />
<br />
== Road Map ==<br />
<br />
* Q3 2017: Beta release<br />
* Q4 2017: Version 1.0<br />
* Q1 2018: Produce A Printable Book<br />
<br />
== Parent Project ==<br />
<br />
[[OWASP_Mobile_Security_Project]]<br />
<br />
==Licensing==<br />
<br />
The guide is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
|}<br />
<br />
=How-To=<br />
<br />
== Using the OWASP Mobile App Security Verification Standard, Testing Guide and Checklist ==<br />
<br />
The documents produced in this project cover many aspects of mobile application security, from the high-level requirements to the nitty-gritty implementation details and test cases. They can be used to plan and verify security controls during any phase of mobile app development, as well as during pre-release code review and penetration testing.<br />
<br />
# The [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf Mobile Application Security Verification Standard (MASVS)] contains generic security requirements along with mappings to verification levels that can be chosen depending on the overall need for security.<br />
# The [https://github.com/OWASP/owasp-mstg Mobile Security Testing Guide (MSTG)] provides verification instructions for each requirement in the MASVS, as well as security best practices for apps on each supported mobile operating system (currently Android and iOS). It is also useful as a standalone learning resource and reference guide for mobile application security testers.<br />
# The [https://www.owasp.org/images/6/6f/Mobile_App_Security_Checklist_0.9.2.xlsx Mobile App Security Checklist] can be used to apply the MASVS requirements during practical assessments. It also conveniently links to the MSTG test case for each requirement, making mobile penetration testing a breeze.<br />
<br />
It is important to note that the security standard, testing guide and checklists are closely related: They all map to the same basic set of requirements. Depending on the context, the documents can be used stand-alone or in combination to achieve different objectives.<br />
<br />
[[File:Overview-800px.jpg]]<br />
<br />
For example, the MASVS requirements may be used in the planning and architecture design stages, while the checklist and testing guide may serve as a baseline for manual security testing or as a template for automated security tests.<br />
<br />
== Mobile App Security Testing ==<br />
<br />
The [https://www.owasp.org/images/9/94/Mobile_App_Security_Verification_Checklist_0.8.2.xlsx checklist] works great as a reference during mobile app security assessments. You can walk through the requirements one-by-one - for more information on each requirement, simply click on the link in the "Testing procedures" column. Or, fill out the checklist at the end of an assessment to ensure completeness. <br />
<br />
== Security Engineering in the SDLC ==<br />
<br />
Properly defined security requirements are an important part of the Secure SDLC. The [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf MASVS] levels can be used along with threat modeling to determine the appropriate set of security controls for a particular mobile app. MASVS V1 also lists requirements pertaining to the architecture and design of the mobile apps, as well as general processes and activities that should be part of the development process.<br />
<br />
== Mobile App Security Education ==<br />
<br />
The [https://github.com/OWASP/owasp-mstg Mobile Security Testing Guide] can be used as a standalone learning resource. Its main chapters contain general how-tos and tutorials that cover a variety of topics from mobile OS internals to advanced reverse engineering techniques.<br />
<br />
=News=<br />
<br />
== Mobile Security Testing Workshop on the OWASP Summit 2017 ==<br />
<br />
During the last few months the [https://github.com/OWASP/owasp-mstg Mobile Security Testing Guide] has made a lot of progress. As we want to push things forward in order to have a first draft of the guide) at the end of Q2, we will be holding a five days working session during the [http://owaspsummit.org OWASP Summit 2017 in London]. Our ambitious goal is to complete the mobile security testing guide. To achieve this, we’ll need to at least close the 126 “missing content” tickets listed on the [https://github.com/OWASP/owasp-mstg/projects/1 project dashboard] and produce an estimated 200 book-sized pages of content. This sounds like a lot - however, if we can gather 10 people for this working session, this amounts to 4 pages of content per person/day which is achievable.<br />
<br />
The main tasks of the five days workshop are:<br />
<br />
- Write original content, such as describing testing processes and writing test cases.<br />
- Proofreading and technical editing to improve the overall quality of the MSTG.<br />
<br />
Work will be split between working groups based on mobile OS and topic. On top of completing the content, we want to apply a basic level of proof-reading, review and editing to get the guide beta-ready.<br />
<br />
In order to be able to schedule work during the summit and create work groups we need to know who will be attending the OWASP Summit and how much time you can/will spend for the mobile workshop. Please [add yourself to the list of participants https://github.com/OWASP/owasp-summit-2017/blob/master/Working-Sessions/Mobile-Security/MSTG.md] and reach out directly to Sven via Slack.<br />
<br />
If you do not have time during the summit but are interested to help, you can start immediately by assigning issues to yourself and creating pull requests. We can also loop you in remotely during the submit.<br />
<br />
Let’s work on the testing guide and fix mobile application security!<br />
<br />
== April 5th, 2017: Mobile App Security Verification Standard Update ==<br />
<br />
[https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf Version 0.9.3] of the MASVS is now [https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf available for download] . This release contains several bug fixes and modifications to security requirements:<br />
<br />
* Merged requirements 7.8 and 7.9 into for simplification<br />
* Removed Anti-RE controls 8.1 and 8.2<br />
* Updated MSTG links to current master<br />
* Section "Environmental Interaction" renamed to "Platform Interaction"<br />
* Removed To-dos<br />
* Fixed some wording & spelling issues<br />
<br />
== January 31st, 2017: Mobile App Security Verification Standard v0.9.2 Available For Download ==<br />
<br />
The Mobile App Security Verification Standard (MASVS) has undergone a major revision, including a re-design of the security model and verification levels. We also revised many security requirements to address the multitude of [https://github.com/OWASP/owasp-masvs/issues?q=is%3Aissue%20 issues raised on GitHub]. The result is MASVS v0.9.2, which is now [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf available for download in PDF format].<br />
<br />
As the MASVS is nearing maturity, we have decided to freeze the requirements until the Mobile Testing Guide and checklists "catch up" (due to the one-to-one mapping between requirements in the MASVS and MSTG, changes to the requirements make it necessary to update the other documents as well, causing repeated effort). Unless major issues pop up, the current list will therefore remain in place until MASVS/MSTG v1.0, and further changes will be reserved for v1.1 or later releases.<br />
<br />
The MASVS is a community effort to establish security requirements for designing, developing and testing secure mobile apps on iOS and Android. Join the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel] to meet the project members! You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
== January 28th, 2017: Mobile Crackmes and Reversing Tutorials ==<br />
{| cellpadding="5"<br />
|-<br />
| [[File:uncrackable-250.png|link=]]<br />
| <br />
A key goal of the OWASP Mobile Testing Project is to build the ultimate learning resource and reference guide for mobile app reversers. As hands-on hacking is by far the best way to learn, we'd like to link most of the content to practical examples. <br />
<br />
Starting now, we'll be adding [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes crackmes for Android and iOS] to the [https://github.com/OWASP/owasp-mstg GitHub repo] that will then be used as examples throughout the guide. The goal is to collect enough resources for demonstrating the most important tools and techniques in our guide, plus additional crackmes for practicing. For starters there are three challenges:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/OMTG-Files/02_Crackmes/01_Android/01_License_Validation Android License Validator]<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes/iOS/Level_01/ Uncrackable App for iOS Level 1]<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/Crackmes/iOS/Level_02/ Uncrackable App for iOS Level 2]<br />
<br />
|}<br />
<br />
One of these three already has a [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md#symbolicexec documented solution] in the guide. Tutorials for solving the other two [https://github.com/OWASP/owasp-mstg/blob/master/OMTG-Files/02_Crackmes/List_of_Crackmes.md still need to be added].<br />
<br />
=== We Need More Authors and Contributors! ===<br />
<br />
Maybe you have noticed that [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html the reverse engineering sections in the Mobile Testing Guide are incomplete]. The reason: We're still in the starting stages and don't have a lot of authors and contributors (in fact, 99% of the reversing content was produced by one guy). We'd love to welcome *you* as a contributor of crackmes, tutorials, writeups, or simply new ideas for this project. <br />
<br />
==== What You Can Do ====<br />
<br />
The OWASP MSTG is an open project and there's a lot of flexibility - it mostly depends on your skill set and willingness to commit your time. That said, the some areas that need help are:<br />
<br />
* Solving crackmes and contributing a tutorial to the guide (preferable a technique that's not already documented. Check the [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html TOC] first).<br />
* Writing and adding new crackmes along with solutions (should also describe something not already in the guide. Cracking white-boxes, dynamic analysis using an emulator / introspection, etc. etc.).<br />
* General reversing write-ups to describe specific processes and techniques<br />
* Help us figure out [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x07b-Assessing_Software_Protections.md resiliency testing processes] and [https://github.com/b-mueller/obfuscation-metrics obfuscation metrics]<br />
<br />
The reversing part of the guide consists of the following chapters:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05-Testing-Processes-and-Techniques.md#tampering-and-reverse-engineering Tampering and Reverse Engineering - General Overview]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md#tampering-and-reverse-engineering-on-android Tampering and Reverse Engineering on Android]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Reverse-Engineering-and-Tampering-iOS.md#tampering-and-reverse-engineering-on-ios Tampering and Reverse Engineering on iOS]<br />
<br />
==== How To Join ====<br />
<br />
Read the [https://github.com/OWASP/owasp-mstg/blob/master/authors_guide.md author's guide] first, and join the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel], where you'll find all the other project members. You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
== January 22nd, 2017: Mobile Testing Guide TOC Available ==<br />
<br />
As of now, we'll be auto-generating a [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html table of contents] out of the current MSTG master branch. This reflects the current state of the guide, and should make it easier to coordinate work between authors. A short-term goal is to finalize the structure of the guide so we get a clearer picture of what will be included in the final document. Lead authors are encouraged to complete the outline of their respective chapters. <br />
<br />
'''On another note, we still need additional authors to help with all sections of the guide, including mobile operating system overviews, testing processes and techniques, and reverse engineering.''' Especially iOS authors are in short supply! As usual, ping us on the [https://owasp.slack.com/messages/project-mobile_omtg/details/ Slack Channel] if you want to contribute.<br />
<br />
== December 4th, 2016: Call For Authors: The Ultimate Open-Source Mobile App Reverse Engineering Guide ==<br />
<br />
Reverse engineering is an art, and describing every available facet of it would fill a whole library. The sheer range techniques and possible specializations is mind-blowing: One can spend years working on a very specific, isolated sub-problem, such as automating malware analysis or developing novel de-obfuscation methods. For mobile app security testers, it can be challenging to filter through the vast amount of information and build a working methodology. Things become even more problematic when one is tasked to assess apps that are heavily obfuscated and have anti-tampering measures built in.<br />
<br />
One of the main goals in the MSTG is to build the ultimate resource for mobile reverse engineers. This includes not only basic static and dynamic analysis, but also advanced de-obfuscation, scripting and automation. Obviously, writing all this content is a lot of work, both in terms of general content and OS-specific how-tos. We're therefore looking for talented authors that want to join the project early on. Topics include the following:<br />
<br />
* Basic Hybrid Static/Dynamic Analysis<br />
* Code Injection and Dynamic Instrumentation (Substrate, FRIDA)<br />
* Dynamic Binary Instrumentation (Valgrind, PIE)<br />
* Analysis Frameworks (Metasm / Miasm)<br />
* Symbolic Execution<br />
* DCA and DPA attacks on white-box crypto<br />
* Dynamic analysis frameworks (PANDA / DroidScope,...)<br />
* Anything else we might have missed<br />
<br />
=== What is in for me? ===<br />
<br />
All of this is unpaid, volunteer work. However, depending on your contribution, you will be named in the "lead authors" or "contributors" list, and you'll be able to point to the fact that you co-authored the guide. You'll also be contributing to the field, helping others who are just starting out, and in turn becoming a happier person yourself (reaping the full benefits of your altruism).<br />
<br />
=== Where do I sign up? ===<br />
<br />
First of all, have a look at the existing RE chapters outline:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05-Testing-Processes-and-Techniques.md#tampering-and-reverse-engineering Generic / Introduction]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md Android]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Reverse-Engineering-and-Tampering-iOS.md#tampering-and-reverse-engineering-on-ios iOS]<br />
<br />
You'll probably immediately have ideas on how you can contribute. If that's the case, read the [https://github.com/OWASP/owasp-mstg/blob/master/authors_guide.md author's guide] first. <br />
<br />
Then contact [https://github.com/b-mueller Bernhard Mueller] - ideally directly on the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel], where you'll find all the other project members. You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
=FAQs=<br />
<br />
==How can I participate in your project?==<br />
<br />
'''We are searching for additional authors, reviewers and editors.''' The best way to get started is to browse the [https://b-mueller.gitbooks.io/owasp-mobile-security-testing-guide/content/ existing content]. Also, check the [https://github.com/OWASP/owasp-mstg/projects/1 project dashboard] for a list of open tasks.<br />
<br />
Drop a us line on the [https://owasp.slack.com/messages/project-mobile_omtg/details/) Slack channel] before you start working on a topic. This helps us to keep track of what everyone is doing and prevent conflicts. You can create a Slack account here:<br />
<br />
http://owasp.herokuapp.com/<br />
<br />
Before you start contributing, please read our brief [https://github.com/OWASP/owasp-mstg/blob/master/style_guide.md style guide] which contains a few basic writing rules.<br />
<br />
If there's something you really want to see in the guide, or you want to suggest an improvement, create an issue [https://github.com/OWASP/owasp-mstg/issues issue] or ping us on [https://owasp.slack.com/messages/project-mobile_omtg/details/ Slack].<br />
<br />
==Where do you guys need help the most?==<br />
<br />
There's a lot of areas where you can help out:<br />
<br />
* Writing original content, such as describing testing processes and writing test cases. We're all doing this in our spare time, which unfortunately means that things sometimes slow down to a crawl. If you're knowledgeable in some area and have time available, we'd be incredibly thankful to anyone who contributes, even if it's only one or two test cases.<br />
<br />
* Reviewing content and giving feedback. The proper channel for questions and feedback is the GitHub issues system of the respective repo, contacting us on [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel] is another possibility.<br />
<br />
* Developing tools. For example, we still don't have an automated way of generating checklists out of the GitHub repo.<br />
<br />
* Contributing to auxiliary projects: The [https://github.com/b-mueller/obfuscation-metrics obfuscation metrics project] is an auxiliary project that deals with specific forms of control flow and data obfuscation. This project needs experts in advanced obfuscation / de-obfuscation. Please contact us if you have experience in this area.<br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator.<br />
<br />
==I contributed to the original Google Doc, but I'm not credited in the new version of the MSTG? ==<br />
As we migrated some of the existing content, we did our best to backtrack the original authors and credit them appropriately. We also added a [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x02-Frontispiece.md revision history] that lists all the authors from old Google Docs. If you are not on that list but feel you should be, please contact [https://github.com/b-mueller Bernhard] or [https://github.com/sushi2k Sven] and they'll fix it. Or better yet, re-join the author's team and start contributing to the new guide.<br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
The Mobile Security Testing Guide was initiated by [https://www.owasp.org/index.php/User:Milan_Singh_Thakur Milan Singh Thakur] in 2015. The original document was hosted on Google Drive. Guide development was moved to GitHub in October 2016. Below is the full list of contributors for each revision.<br />
<br />
=== MSTG in its current form ===<br />
<br />
'''Authors:'''<br />
<br />
* Bernhard Mueller<br />
* Sven Schleier<br />
<br />
'''Contributors:'''<br />
<br />
* Abdessamad Temmar<br />
* Francesco Stillavato<br />
* Pawel Rzepa<br />
* Gerhard Wagner<br />
* Daniel Ramirez Martin<br />
*Jin Kung Ong<br />
* Alexander Antukh<br />
* Claudia André<br />
* Ryan Teoh<br />
* Prathan Phongthiproek<br />
* Jeroen Willemsen<br />
* Romuald Szkudlarek<br />
* Luander Ribeiro<br />
* Pishu Mahtani<br />
* Sebastian Banescu<br />
* Prabhant Singh<br />
* Stephen Corbiaux<br />
* Ali Yazdani<br />
<br />
'''Reviewers:'''<br />
<br />
=== MSTG "Beta 2" on Google Drive ===<br />
<br />
'''Authors:'''<br />
<br />
* Mirza Ali<br />
* Stephen Corbiaux<br />
* Ryan Dewhurst<br />
* Mohammad Hamed Dadpour<br />
* David Fern<br />
* Ali Yazdani<br />
* Bao Lee<br />
* Anto Joseph<br />
* Nutan Kumar Panda<br />
* Rahil Parikh<br />
* Julian Schütte<br />
* Abhinav Sejpal<br />
* Anant Shrivastava<br />
* Pragati Singh<br />
* Milan Singh Thakur<br />
* Stephanie Vanroelen<br />
* Gerhard Wagner<br />
<br />
'''Reviewers:'''<br />
<br />
* Andrew Muller<br />
* Jonathan Carter<br />
* Stephanie Vanroelen<br />
* Milan Singh Thakur<br />
<br />
=== MSTG "Beta 1" on Google Drive ===<br />
<br />
'''Authors:''' <br />
<br />
*Mirza Ali <br />
*Mohammad Hamed Dadpour<br />
*David Fern<br />
*Rahil Parikh<br />
*Abhinav Sejpal<br />
*Pragati Singh<br />
*Milan Singh Thakur<br />
<br />
'''Reviewers:'''<br />
<br />
*Andrew Muller<br />
*Jonathan Carter<br />
<br />
'''Top Contributors:'''<br />
<br />
*Jim Manico<br />
*Yair Amit<br />
*Amin Lalji<br />
*OWASP Mobile Team<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs></headertabs> <br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Builders]] <br />
[[Category:OWASP_Defenders]] <br />
[[Category:OWASP_Document]]</div>Bernhard Muellerhttps://wiki.owasp.org/index.php?title=OWASP_Mobile_Security_Testing_Guide&diff=229123OWASP Mobile Security Testing Guide2017-04-25T04:40:57Z<p>Bernhard Mueller: /* How can I participate in your project? */</p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_MSTG_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==Our Vision ==<br />
<br />
=== '''"Define the industry standard for mobile application security."''' ===<br />
<br />
We are writing a security standard for mobile apps and a comprehensive testing guide that covers the processes, techniques, and tools used during a mobile app security test, as well as an exhaustive set of test cases that enables testers to deliver consistent and complete results.<br />
<br />
== Main Deliverables ==<br />
<br />
{| cellpadding="5"<br />
|-<br />
| [[File:mstg-mini-2.jpg|link=https://www.github.com/OWASP/owasp-mstg/]]<br />
| '''Mobile Security Testing Guide'''<br />
A comprehensive guide for iOS and Android mobile security testers with the following content:<br />
# Mobile platform internals<br />
# Testing in the secure development lifecycle<br />
# Basic white-box and black-box security testing<br />
# Mobile reverse engineering and tampering<br />
# Assessing software protections<br />
# Detailed white-box and black-box test cases that map to the requirements in the MASVS.<br />
The MSTG is a work-in-progress. Currently, we hope to be "feature-complete" in Q3 2017. You can contribute and comment in the [https://github.com/OWASP/owasp-mstg GitHub Repo]. A book version of the current master branch is available on [https://b-mueller.gitbooks.io/owasp-mobile-security-testing-guide/content/ Gitbook].<br />
|-<br />
| [[File:masvs-sample-mini.jpg|link=https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf]]<br />
| '''Mobile App Security Requirements and Verification'''<br />
The [https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf OWASP Mobile Application Security Verification Standard (MASVS)] is a standard for mobile app security. It can be used by mobile software architects and developers seeking to develop secure mobile applications, as well as security testers to ensure completeness and consistency of test results. The latest release is [https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf version 0.9.3].<br />
|-<br />
| [[File:checklist.jpg|link=https://www.owasp.org/images/1/1b/Mobile_App_Security_Checklist_0.9.3.xlsx]]<br />
| '''Mobile App Security Checklist'''<br />
A checklist for use in security assessments. Also contains links to the MSTG test case for each requirement. The current release is [https://www.owasp.org/images/1/1b/Mobile_App_Security_Checklist_0.9.3.xlsx version 0.9.3].<br />
|}<br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Breakers]] <br />
[[Category:OWASP_Document]]<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="center" width="50%" | [[File:Owasp-breakers-small.png|link=https://www.owasp.org/index.php/Breakers]]<br />
|<br />
|-<br />
| align="center" valign="center" width="50%" | <br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
== Project Leaders ==<br />
<br />
<span style="color:#ff0000"><br />
<br />
[https://www.owasp.org/index.php/User:Bernhard_Mueller Bernhard Mueller]<br />
<br />
[https://www.owasp.org/index.php/User:Sven_Schleier Sven Schleier]<br />
<br />
== Road Map ==<br />
<br />
* Q3 2017: Beta release<br />
* Q4 2017: Version 1.0<br />
* Q1 2018: Produce A Printable Book<br />
<br />
== Parent Project ==<br />
<br />
[[OWASP_Mobile_Security_Project]]<br />
<br />
==Licensing==<br />
<br />
The guide is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
|}<br />
<br />
=How-To=<br />
<br />
== Using the OWASP Mobile App Security Verification Standard, Testing Guide and Checklist ==<br />
<br />
The documents produced in this project cover many aspects of mobile application security, from the high-level requirements to the nitty-gritty implementation details and test cases. They can be used to plan and verify security controls during any phase of mobile app development, as well as during pre-release code review and penetration testing.<br />
<br />
# The [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf Mobile Application Security Verification Standard (MASVS)] contains generic security requirements along with mappings to verification levels that can be chosen depending on the overall need for security.<br />
# The [https://github.com/OWASP/owasp-mstg Mobile Security Testing Guide (MSTG)] provides verification instructions for each requirement in the MASVS, as well as security best practices for apps on each supported mobile operating system (currently Android and iOS). It is also useful as a standalone learning resource and reference guide for mobile application security testers.<br />
# The [https://www.owasp.org/images/6/6f/Mobile_App_Security_Checklist_0.9.2.xlsx Mobile App Security Checklist] can be used to apply the MASVS requirements during practical assessments. It also conveniently links to the MSTG test case for each requirement, making mobile penetration testing a breeze.<br />
<br />
It is important to note that the security standard, testing guide and checklists are closely related: They all map to the same basic set of requirements. Depending on the context, the documents can be used stand-alone or in combination to achieve different objectives.<br />
<br />
[[File:Overview-800px.jpg]]<br />
<br />
For example, the MASVS requirements may be used in the planning and architecture design stages, while the checklist and testing guide may serve as a baseline for manual security testing or as a template for automated security tests.<br />
<br />
== Mobile App Security Testing ==<br />
<br />
The [https://www.owasp.org/images/9/94/Mobile_App_Security_Verification_Checklist_0.8.2.xlsx checklist] works great as a reference during mobile app security assessments. You can walk through the requirements one-by-one - for more information on each requirement, simply click on the link in the "Testing procedures" column. Or, fill out the checklist at the end of an assessment to ensure completeness. <br />
<br />
== Security Engineering in the SDLC ==<br />
<br />
Properly defined security requirements are an important part of the Secure SDLC. The [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf MASVS] levels can be used along with threat modeling to determine the appropriate set of security controls for a particular mobile app. MASVS V1 also lists requirements pertaining to the architecture and design of the mobile apps, as well as general processes and activities that should be part of the development process.<br />
<br />
== Mobile App Security Education ==<br />
<br />
The [https://github.com/OWASP/owasp-mstg Mobile Security Testing Guide] can be used as a standalone learning resource. Its main chapters contain general how-tos and tutorials that cover a variety of topics from mobile OS internals to advanced reverse engineering techniques.<br />
<br />
=News=<br />
<br />
== April 5th, 2017: Mobile App Security Verification Standard Update ==<br />
<br />
[https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf Version 0.9.3] of the MASVS is now [https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf available for download] . This release contains several bug fixes and modifications to security requirements:<br />
<br />
* Merged requirements 7.8 and 7.9 into for simplification<br />
* Removed Anti-RE controls 8.1 and 8.2<br />
* Updated MSTG links to current master<br />
* Section "Environmental Interaction" renamed to "Platform Interaction"<br />
* Removed To-dos<br />
* Fixed some wording & spelling issues<br />
<br />
== January 31st, 2017: Mobile App Security Verification Standard v0.9.2 Available For Download ==<br />
<br />
The Mobile App Security Verification Standard (MASVS) has undergone a major revision, including a re-design of the security model and verification levels. We also revised many security requirements to address the multitude of [https://github.com/OWASP/owasp-masvs/issues?q=is%3Aissue%20 issues raised on GitHub]. The result is MASVS v0.9.2, which is now [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf available for download in PDF format].<br />
<br />
As the MASVS is nearing maturity, we have decided to freeze the requirements until the Mobile Testing Guide and checklists "catch up" (due to the one-to-one mapping between requirements in the MASVS and MSTG, changes to the requirements make it necessary to update the other documents as well, causing repeated effort). Unless major issues pop up, the current list will therefore remain in place until MASVS/MSTG v1.0, and further changes will be reserved for v1.1 or later releases.<br />
<br />
The MASVS is a community effort to establish security requirements for designing, developing and testing secure mobile apps on iOS and Android. Join the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel] to meet the project members! You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
== January 28th, 2017: Mobile Crackmes and Reversing Tutorials ==<br />
{| cellpadding="5"<br />
|-<br />
| [[File:uncrackable-250.png|link=]]<br />
| <br />
A key goal of the OWASP Mobile Testing Project is to build the ultimate learning resource and reference guide for mobile app reversers. As hands-on hacking is by far the best way to learn, we'd like to link most of the content to practical examples. <br />
<br />
Starting now, we'll be adding [https://github.com/OWASP/owasp-mstg/blob/master/OMTG-Files/02_Crackmes/List_of_Crackmes.md crackmes for Android and iOS] to the [https://github.com/OWASP/owasp-mstg GitHub repo] that will then be used as examples throughout the guide. The goal is to collect enough resources for demonstrating the most important tools and techniques in our guide, plus additional crackmes for practicing. For starters there are three challenges:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/OMTG-Files/02_Crackmes/01_Android/01_License_Validation Android License Validator]<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/OMTG-Files/02_Crackmes/02_iOS/UnCrackable_Level1 Uncrackable App for iOS Level 1]<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/OMTG-Files/02_Crackmes/02_iOS/UnCrackable_Level2 Uncrackable App for iOS Level 2]<br />
<br />
|}<br />
<br />
One of these three already has a [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md#symbolicexec documented solution] in the guide. Tutorials for solving the other two [https://github.com/OWASP/owasp-mstg/blob/master/OMTG-Files/02_Crackmes/List_of_Crackmes.md still need to be added].<br />
<br />
=== We Need More Authors and Contributors! ===<br />
<br />
Maybe you have noticed that [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html the reverse engineering sections in the Mobile Testing Guide are incomplete]. The reason: We're still in the starting stages and don't have a lot of authors and contributors (in fact, 99% of the reversing content was produced by one guy). We'd love to welcome *you* as a contributor of crackmes, tutorials, writeups, or simply new ideas for this project. <br />
<br />
==== What You Can Do ====<br />
<br />
The OWASP MSTG is an open project and there's a lot of flexibility - it mostly depends on your skill set and willingness to commit your time. That said, the some areas that need help are:<br />
<br />
* Solving crackmes and contributing a tutorial to the guide (preferable a technique that's not already documented. Check the [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html TOC] first).<br />
* Writing and adding new crackmes along with solutions (should also describe something not already in the guide. Cracking white-boxes, dynamic analysis using an emulator / introspection, etc. etc.).<br />
* General reversing write-ups to describe specific processes and techniques<br />
* Help us figure out [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x07b-Assessing_Software_Protections.md resiliency testing processes] and [https://github.com/b-mueller/obfuscation-metrics obfuscation metrics]<br />
<br />
The reversing part of the guide consists of the following chapters:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05-Testing-Processes-and-Techniques.md#tampering-and-reverse-engineering Tampering and Reverse Engineering - General Overview]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md#tampering-and-reverse-engineering-on-android Tampering and Reverse Engineering on Android]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Reverse-Engineering-and-Tampering-iOS.md#tampering-and-reverse-engineering-on-ios Tampering and Reverse Engineering on iOS]<br />
<br />
==== How To Join ====<br />
<br />
Read the [https://github.com/OWASP/owasp-mstg/blob/master/authors_guide.md author's guide] first, and join the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel], where you'll find all the other project members. You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
== January 22nd, 2017: Mobile Testing Guide TOC Available ==<br />
<br />
As of now, we'll be auto-generating a [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html table of contents] out of the current MSTG master branch. This reflects the current state of the guide, and should make it easier to coordinate work between authors. A short-term goal is to finalize the structure of the guide so we get a clearer picture of what will be included in the final document. Lead authors are encouraged to complete the outline of their respective chapters. <br />
<br />
'''On another note, we still need additional authors to help with all sections of the guide, including mobile operating system overviews, testing processes and techniques, and reverse engineering.''' Especially iOS authors are in short supply! As usual, ping us on the [https://owasp.slack.com/messages/project-mobile_omtg/details/ Slack Channel] if you want to contribute.<br />
<br />
== December 4th, 2016: Call For Authors: The Ultimate Open-Source Mobile App Reverse Engineering Guide ==<br />
<br />
Reverse engineering is an art, and describing every available facet of it would fill a whole library. The sheer range techniques and possible specializations is mind-blowing: One can spend years working on a very specific, isolated sub-problem, such as automating malware analysis or developing novel de-obfuscation methods. For mobile app security testers, it can be challenging to filter through the vast amount of information and build a working methodology. Things become even more problematic when one is tasked to assess apps that are heavily obfuscated and have anti-tampering measures built in.<br />
<br />
One of the main goals in the MSTG is to build the ultimate resource for mobile reverse engineers. This includes not only basic static and dynamic analysis, but also advanced de-obfuscation, scripting and automation. Obviously, writing all this content is a lot of work, both in terms of general content and OS-specific how-tos. We're therefore looking for talented authors that want to join the project early on. Topics include the following:<br />
<br />
* Basic Hybrid Static/Dynamic Analysis<br />
* Code Injection and Dynamic Instrumentation (Substrate, FRIDA)<br />
* Dynamic Binary Instrumentation (Valgrind, PIE)<br />
* Analysis Frameworks (Metasm / Miasm)<br />
* Symbolic Execution<br />
* DCA and DPA attacks on white-box crypto<br />
* Dynamic analysis frameworks (PANDA / DroidScope,...)<br />
* Anything else we might have missed<br />
<br />
=== What is in for me? ===<br />
<br />
All of this is unpaid, volunteer work. However, depending on your contribution, you will be named in the "lead authors" or "contributors" list, and you'll be able to point to the fact that you co-authored the guide. You'll also be contributing to the field, helping others who are just starting out, and in turn becoming a happier person yourself (reaping the full benefits of your altruism).<br />
<br />
=== Where do I sign up? ===<br />
<br />
First of all, have a look at the existing RE chapters outline:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05-Testing-Processes-and-Techniques.md#tampering-and-reverse-engineering Generic / Introduction]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md Android]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Reverse-Engineering-and-Tampering-iOS.md#tampering-and-reverse-engineering-on-ios iOS]<br />
<br />
You'll probably immediately have ideas on how you can contribute. If that's the case, read the [https://github.com/OWASP/owasp-mstg/blob/master/authors_guide.md author's guide] first. <br />
<br />
Then contact [https://github.com/b-mueller Bernhard Mueller] - ideally directly on the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel], where you'll find all the other project members. You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
=FAQs=<br />
<br />
==How can I participate in your project?==<br />
<br />
'''We are searching for additional authors, reviewers and editors.''' The best way to get started is to browse the [https://b-mueller.gitbooks.io/owasp-mobile-security-testing-guide/content/ existing content]. Also, check the [https://github.com/OWASP/owasp-mstg/projects/1 project dashboard] for a list of open tasks.<br />
<br />
Drop a us line on the [https://owasp.slack.com/messages/project-mobile_omtg/details/) Slack channel] before you start working on a topic. This helps us to keep track of what everyone is doing and prevent conflicts. You can create a Slack account here:<br />
<br />
http://owasp.herokuapp.com/<br />
<br />
Before you start contributing, please read our brief [https://github.com/OWASP/owasp-mstg/blob/master/style_guide.md style guide] which contains a few basic writing rules.<br />
<br />
If there's something you really want to see in the guide, or you want to suggest an improvement, create an issue [https://github.com/OWASP/owasp-mstg/issues issue] or ping us on [https://owasp.slack.com/messages/project-mobile_omtg/details/ Slack].<br />
<br />
==Where do you guys need help the most?==<br />
<br />
There's a lot of areas where you can help out:<br />
<br />
* Writing original content, such as describing testing processes and writing test cases. We're all doing this in our spare time, which unfortunately means that things sometimes slow down to a crawl. If you're knowledgeable in some area and have time available, we'd be incredibly thankful to anyone who contributes, even if it's only one or two test cases.<br />
<br />
* Reviewing content and giving feedback. The proper channel for questions and feedback is the GitHub issues system of the respective repo, contacting us on [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel] is another possibility.<br />
<br />
* Developing tools. For example, we still don't have an automated way of generating checklists out of the GitHub repo.<br />
<br />
* Contributing to auxiliary projects: The [https://github.com/b-mueller/obfuscation-metrics obfuscation metrics project] is an auxiliary project that deals with specific forms of control flow and data obfuscation. This project needs experts in advanced obfuscation / de-obfuscation. Please contact us if you have experience in this area.<br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator.<br />
<br />
==I contributed to the original Google Doc, but I'm not credited in the new version of the MSTG? ==<br />
As we migrated some of the existing content, we did our best to backtrack the original authors and credit them appropriately. We also added a [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x02-Frontispiece.md revision history] that lists all the authors from old Google Docs. If you are not on that list but feel you should be, please contact [https://github.com/b-mueller Bernhard] or [https://github.com/sushi2k Sven] and they'll fix it. Or better yet, re-join the author's team and start contributing to the new guide.<br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
The Mobile Security Testing Guide was initiated by [https://www.owasp.org/index.php/User:Milan_Singh_Thakur Milan Singh Thakur] in 2015. The original document was hosted on Google Drive. Guide development was moved to GitHub in October 2016. Below is the full list of contributors for each revision.<br />
<br />
=== MSTG in its current form ===<br />
<br />
'''Authors:'''<br />
<br />
* Bernhard Mueller<br />
* Sven Schleier<br />
<br />
'''Contributors:'''<br />
<br />
* Abdessamad Temmar<br />
* Francesco Stillavato<br />
* Pawel Rzepa<br />
* Gerhard Wagner<br />
* Daniel Ramirez Martin<br />
*Jin Kung Ong<br />
* Alexander Antukh<br />
* Claudia André<br />
* Ryan Teoh<br />
* Prathan Phongthiproek<br />
* Jeroen Willemsen<br />
* Romuald Szkudlarek<br />
* Luander Ribeiro<br />
* Pishu Mahtani<br />
* Sebastian Banescu<br />
* Prabhant Singh<br />
* Stephen Corbiaux<br />
* Ali Yazdani<br />
<br />
'''Reviewers:'''<br />
<br />
=== MSTG "Beta 2" on Google Drive ===<br />
<br />
'''Authors:'''<br />
<br />
* Mirza Ali<br />
* Stephen Corbiaux<br />
* Ryan Dewhurst<br />
* Mohammad Hamed Dadpour<br />
* David Fern<br />
* Ali Yazdani<br />
* Bao Lee<br />
* Anto Joseph<br />
* Nutan Kumar Panda<br />
* Rahil Parikh<br />
* Julian Schütte<br />
* Abhinav Sejpal<br />
* Anant Shrivastava<br />
* Pragati Singh<br />
* Milan Singh Thakur<br />
* Stephanie Vanroelen<br />
* Gerhard Wagner<br />
<br />
'''Reviewers:'''<br />
<br />
* Andrew Muller<br />
* Jonathan Carter<br />
* Stephanie Vanroelen<br />
* Milan Singh Thakur<br />
<br />
=== MSTG "Beta 1" on Google Drive ===<br />
<br />
'''Authors:''' <br />
<br />
*Mirza Ali <br />
*Mohammad Hamed Dadpour<br />
*David Fern<br />
*Rahil Parikh<br />
*Abhinav Sejpal<br />
*Pragati Singh<br />
*Milan Singh Thakur<br />
<br />
'''Reviewers:'''<br />
<br />
*Andrew Muller<br />
*Jonathan Carter<br />
<br />
'''Top Contributors:'''<br />
<br />
*Jim Manico<br />
*Yair Amit<br />
*Amin Lalji<br />
*OWASP Mobile Team<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs></headertabs> <br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Builders]] <br />
[[Category:OWASP_Defenders]] <br />
[[Category:OWASP_Document]]</div>Bernhard Muellerhttps://wiki.owasp.org/index.php?title=OWASP_Mobile_Security_Testing_Guide&diff=228347OWASP Mobile Security Testing Guide2017-04-05T08:40:00Z<p>Bernhard Mueller: /* News */</p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_MSTG_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==Our Vision ==<br />
<br />
=== '''"Define the industry standard for mobile application security."''' ===<br />
<br />
We are writing a security standard for mobile apps and a comprehensive testing guide that covers the processes, techniques, and tools used during a mobile app security test, as well as an exhaustive set of test cases that enables testers to deliver consistent and complete results.<br />
<br />
== Main Deliverables ==<br />
<br />
{| cellpadding="5"<br />
|-<br />
| [[File:mstg-mini-2.jpg|link=https://www.github.com/OWASP/owasp-mstg/]]<br />
| '''Mobile Security Testing Guide'''<br />
A comprehensive guide for iOS and Android mobile security testers with the following content:<br />
# Mobile platform internals<br />
# Testing in the secure development lifecycle<br />
# Basic white-box and black-box security testing<br />
# Mobile reverse engineering and tampering<br />
# Assessing software protections<br />
# Detailed white-box and black-box test cases that map to the requirements in the MASVS.<br />
The MSTG is a work-in-progress. Currently, we hope to be "feature-complete" in Q3 2017. You can contribute and comment in the [https://github.com/OWASP/owasp-mstg GitHub Repo]. A book version of the current master branch is available on [https://b-mueller.gitbooks.io/owasp-mobile-security-testing-guide/content/ Gitbook].<br />
|-<br />
| [[File:masvs-sample-mini.jpg|link=https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf]]<br />
| '''Mobile App Security Requirements and Verification'''<br />
The [https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf OWASP Mobile Application Security Verification Standard (MASVS)] is a standard for mobile app security. It can be used by mobile software architects and developers seeking to develop secure mobile applications, as well as security testers to ensure completeness and consistency of test results. The latest release is [https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf version 0.9.3].<br />
|-<br />
| [[File:checklist.jpg|link=https://www.owasp.org/images/1/1b/Mobile_App_Security_Checklist_0.9.3.xlsx]]<br />
| '''Mobile App Security Checklist'''<br />
A checklist for use in security assessments. Also contains links to the MSTG test case for each requirement. The current release is [https://www.owasp.org/images/1/1b/Mobile_App_Security_Checklist_0.9.3.xlsx version 0.9.3].<br />
|}<br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Breakers]] <br />
[[Category:OWASP_Document]]<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="center" width="50%" | [[File:Owasp-breakers-small.png|link=https://www.owasp.org/index.php/Breakers]]<br />
|<br />
|-<br />
| align="center" valign="center" width="50%" | <br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
== Project Leaders ==<br />
<br />
<span style="color:#ff0000"><br />
<br />
[https://www.owasp.org/index.php/User:Bernhard_Mueller Bernhard Mueller]<br />
<br />
[https://www.owasp.org/index.php/User:Sven_Schleier Sven Schleier]<br />
<br />
== Road Map ==<br />
<br />
* Q3 2017: Beta release<br />
* Q4 2017: Version 1.0<br />
* Q1 2018: Produce A Printable Book<br />
<br />
== Parent Project ==<br />
<br />
[[OWASP_Mobile_Security_Project]]<br />
<br />
==Licensing==<br />
<br />
The guide is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
|}<br />
<br />
=How-To=<br />
<br />
== Using the OWASP Mobile App Security Verification Standard, Testing Guide and Checklist ==<br />
<br />
The documents produced in this project cover many aspects of mobile application security, from the high-level requirements to the nitty-gritty implementation details and test cases. They can be used to plan and verify security controls during any phase of mobile app development, as well as during pre-release code review and penetration testing.<br />
<br />
# The [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf Mobile Application Security Verification Standard (MASVS)] contains generic security requirements along with mappings to verification levels that can be chosen depending on the overall need for security.<br />
# The [https://github.com/OWASP/owasp-mstg Mobile Security Testing Guide (MSTG)] provides verification instructions for each requirement in the MASVS, as well as security best practices for apps on each supported mobile operating system (currently Android and iOS). It is also useful as a standalone learning resource and reference guide for mobile application security testers.<br />
# The [https://www.owasp.org/images/6/6f/Mobile_App_Security_Checklist_0.9.2.xlsx Mobile App Security Checklist] can be used to apply the MASVS requirements during practical assessments. It also conveniently links to the MSTG test case for each requirement, making mobile penetration testing a breeze.<br />
<br />
It is important to note that the security standard, testing guide and checklists are closely related: They all map to the same basic set of requirements. Depending on the context, the documents can be used stand-alone or in combination to achieve different objectives.<br />
<br />
[[File:Overview-800px.jpg]]<br />
<br />
For example, the MASVS requirements may be used in the planning and architecture design stages, while the checklist and testing guide may serve as a baseline for manual security testing or as a template for automated security tests.<br />
<br />
== Mobile App Security Testing ==<br />
<br />
The [https://www.owasp.org/images/9/94/Mobile_App_Security_Verification_Checklist_0.8.2.xlsx checklist] works great as a reference during mobile app security assessments. You can walk through the requirements one-by-one - for more information on each requirement, simply click on the link in the "Testing procedures" column. Or, fill out the checklist at the end of an assessment to ensure completeness. <br />
<br />
== Security Engineering in the SDLC ==<br />
<br />
Properly defined security requirements are an important part of the Secure SDLC. The [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf MASVS] levels can be used along with threat modeling to determine the appropriate set of security controls for a particular mobile app. MASVS V1 also lists requirements pertaining to the architecture and design of the mobile apps, as well as general processes and activities that should be part of the development process.<br />
<br />
== Mobile App Security Education ==<br />
<br />
The [https://github.com/OWASP/owasp-mstg Mobile Security Testing Guide] can be used as a standalone learning resource. Its main chapters contain general how-tos and tutorials that cover a variety of topics from mobile OS internals to advanced reverse engineering techniques.<br />
<br />
=News=<br />
<br />
== April 5th, 2017: Mobile App Security Verification Standard Update ==<br />
<br />
[https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf Version 0.9.3] of the MASVS is now [https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf available for download] . This release contains several bug fixes and modifications to security requirements:<br />
<br />
* Merged requirements 7.8 and 7.9 into for simplification<br />
* Removed Anti-RE controls 8.1 and 8.2<br />
* Updated MSTG links to current master<br />
* Section "Environmental Interaction" renamed to "Platform Interaction"<br />
* Removed To-dos<br />
* Fixed some wording & spelling issues<br />
<br />
== January 31st, 2017: Mobile App Security Verification Standard v0.9.2 Available For Download ==<br />
<br />
The Mobile App Security Verification Standard (MASVS) has undergone a major revision, including a re-design of the security model and verification levels. We also revised many security requirements to address the multitude of [https://github.com/OWASP/owasp-masvs/issues?q=is%3Aissue%20 issues raised on GitHub]. The result is MASVS v0.9.2, which is now [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf available for download in PDF format].<br />
<br />
As the MASVS is nearing maturity, we have decided to freeze the requirements until the Mobile Testing Guide and checklists "catch up" (due to the one-to-one mapping between requirements in the MASVS and MSTG, changes to the requirements make it necessary to update the other documents as well, causing repeated effort). Unless major issues pop up, the current list will therefore remain in place until MASVS/MSTG v1.0, and further changes will be reserved for v1.1 or later releases.<br />
<br />
The MASVS is a community effort to establish security requirements for designing, developing and testing secure mobile apps on iOS and Android. Join the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel] to meet the project members! You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
== January 28th, 2017: Mobile Crackmes and Reversing Tutorials ==<br />
{| cellpadding="5"<br />
|-<br />
| [[File:uncrackable-250.png|link=]]<br />
| <br />
A key goal of the OWASP Mobile Testing Project is to build the ultimate learning resource and reference guide for mobile app reversers. As hands-on hacking is by far the best way to learn, we'd like to link most of the content to practical examples. <br />
<br />
Starting now, we'll be adding [https://github.com/OWASP/owasp-mstg/blob/master/OMTG-Files/02_Crackmes/List_of_Crackmes.md crackmes for Android and iOS] to the [https://github.com/OWASP/owasp-mstg GitHub repo] that will then be used as examples throughout the guide. The goal is to collect enough resources for demonstrating the most important tools and techniques in our guide, plus additional crackmes for practicing. For starters there are three challenges:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/OMTG-Files/02_Crackmes/01_Android/01_License_Validation Android License Validator]<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/OMTG-Files/02_Crackmes/02_iOS/UnCrackable_Level1 Uncrackable App for iOS Level 1]<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/OMTG-Files/02_Crackmes/02_iOS/UnCrackable_Level2 Uncrackable App for iOS Level 2]<br />
<br />
|}<br />
<br />
One of these three already has a [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md#symbolicexec documented solution] in the guide. Tutorials for solving the other two [https://github.com/OWASP/owasp-mstg/blob/master/OMTG-Files/02_Crackmes/List_of_Crackmes.md still need to be added].<br />
<br />
=== We Need More Authors and Contributors! ===<br />
<br />
Maybe you have noticed that [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html the reverse engineering sections in the Mobile Testing Guide are incomplete]. The reason: We're still in the starting stages and don't have a lot of authors and contributors (in fact, 99% of the reversing content was produced by one guy). We'd love to welcome *you* as a contributor of crackmes, tutorials, writeups, or simply new ideas for this project. <br />
<br />
==== What You Can Do ====<br />
<br />
The OWASP MSTG is an open project and there's a lot of flexibility - it mostly depends on your skill set and willingness to commit your time. That said, the some areas that need help are:<br />
<br />
* Solving crackmes and contributing a tutorial to the guide (preferable a technique that's not already documented. Check the [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html TOC] first).<br />
* Writing and adding new crackmes along with solutions (should also describe something not already in the guide. Cracking white-boxes, dynamic analysis using an emulator / introspection, etc. etc.).<br />
* General reversing write-ups to describe specific processes and techniques<br />
* Help us figure out [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x07b-Assessing_Software_Protections.md resiliency testing processes] and [https://github.com/b-mueller/obfuscation-metrics obfuscation metrics]<br />
<br />
The reversing part of the guide consists of the following chapters:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05-Testing-Processes-and-Techniques.md#tampering-and-reverse-engineering Tampering and Reverse Engineering - General Overview]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md#tampering-and-reverse-engineering-on-android Tampering and Reverse Engineering on Android]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Reverse-Engineering-and-Tampering-iOS.md#tampering-and-reverse-engineering-on-ios Tampering and Reverse Engineering on iOS]<br />
<br />
==== How To Join ====<br />
<br />
Read the [https://github.com/OWASP/owasp-mstg/blob/master/authors_guide.md author's guide] first, and join the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel], where you'll find all the other project members. You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
== January 22nd, 2017: Mobile Testing Guide TOC Available ==<br />
<br />
As of now, we'll be auto-generating a [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html table of contents] out of the current MSTG master branch. This reflects the current state of the guide, and should make it easier to coordinate work between authors. A short-term goal is to finalize the structure of the guide so we get a clearer picture of what will be included in the final document. Lead authors are encouraged to complete the outline of their respective chapters. <br />
<br />
'''On another note, we still need additional authors to help with all sections of the guide, including mobile operating system overviews, testing processes and techniques, and reverse engineering.''' Especially iOS authors are in short supply! As usual, ping us on the [https://owasp.slack.com/messages/project-mobile_omtg/details/ Slack Channel] if you want to contribute.<br />
<br />
== December 4th, 2016: Call For Authors: The Ultimate Open-Source Mobile App Reverse Engineering Guide ==<br />
<br />
Reverse engineering is an art, and describing every available facet of it would fill a whole library. The sheer range techniques and possible specializations is mind-blowing: One can spend years working on a very specific, isolated sub-problem, such as automating malware analysis or developing novel de-obfuscation methods. For mobile app security testers, it can be challenging to filter through the vast amount of information and build a working methodology. Things become even more problematic when one is tasked to assess apps that are heavily obfuscated and have anti-tampering measures built in.<br />
<br />
One of the main goals in the MSTG is to build the ultimate resource for mobile reverse engineers. This includes not only basic static and dynamic analysis, but also advanced de-obfuscation, scripting and automation. Obviously, writing all this content is a lot of work, both in terms of general content and OS-specific how-tos. We're therefore looking for talented authors that want to join the project early on. Topics include the following:<br />
<br />
* Basic Hybrid Static/Dynamic Analysis<br />
* Code Injection and Dynamic Instrumentation (Substrate, FRIDA)<br />
* Dynamic Binary Instrumentation (Valgrind, PIE)<br />
* Analysis Frameworks (Metasm / Miasm)<br />
* Symbolic Execution<br />
* DCA and DPA attacks on white-box crypto<br />
* Dynamic analysis frameworks (PANDA / DroidScope,...)<br />
* Anything else we might have missed<br />
<br />
=== What is in for me? ===<br />
<br />
All of this is unpaid, volunteer work. However, depending on your contribution, you will be named in the "lead authors" or "contributors" list, and you'll be able to point to the fact that you co-authored the guide. You'll also be contributing to the field, helping others who are just starting out, and in turn becoming a happier person yourself (reaping the full benefits of your altruism).<br />
<br />
=== Where do I sign up? ===<br />
<br />
First of all, have a look at the existing RE chapters outline:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05-Testing-Processes-and-Techniques.md#tampering-and-reverse-engineering Generic / Introduction]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md Android]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Reverse-Engineering-and-Tampering-iOS.md#tampering-and-reverse-engineering-on-ios iOS]<br />
<br />
You'll probably immediately have ideas on how you can contribute. If that's the case, read the [https://github.com/OWASP/owasp-mstg/blob/master/authors_guide.md author's guide] first. <br />
<br />
Then contact [https://github.com/b-mueller Bernhard Mueller] - ideally directly on the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel], where you'll find all the other project members. You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
=FAQs=<br />
<br />
==How can I participate in your project?==<br />
First of all, check the [https://github.com/OWASP/owasp-mstg/blob/master/README.md README], browse the [https://b-mueller.gitbooks.io/owasp-mobile-security-testing-guide/content/ existing content], and decide where you would like to contribute.<br />
Then, ping the contact responsible for the chapter you are interested in. You can find their name and GitHub handle in the project [https://github.com/OWASP/owasp-mstg/blob/master/README.md README]. Please always check with the responsible person first, or you might end up working on a chapter that's already being done by someone else. <br />
In any case, we encourage you to join [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel], where you'll find all the other project members. You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
The home of the OWASP Mobile Security Testing Guide is on [https://github.com/OWASP/owasp-mstg GitHub.] The MASVS is hosted in a [https://github.com/OWASP/owasp-masvs separate repository].<br />
<br />
==Where do you guys need help the most?==<br />
<br />
There's a lot of areas where you can help out:<br />
<br />
* Writing original content, such as describing testing processes and writing test cases. We're all doing this in our spare time, which unfortunately means that things sometimes slow down to a crawl. If you're knowledgeable in some area and have time available, we'd be incredibly thankful to anyone who contributes, even if it's only one or two test cases.<br />
<br />
* Reviewing content and giving feedback. The proper channel for questions and feedback is the GitHub issues system of the respective repo, contacting us on [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel] is another possibility.<br />
<br />
* Developing tools. For example, we still don't have an automated way of generating checklists out of the GitHub repo.<br />
<br />
* Contributing to auxiliary projects: The [https://github.com/b-mueller/obfuscation-metrics obfuscation metrics project] is an auxiliary project that deals with specific forms of control flow and data obfuscation. This project needs experts in advanced obfuscation / de-obfuscation. Please contact us if you have experience in this area.<br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator.<br />
<br />
==I contributed to the original Google Doc, but I'm not credited in the new version of the MSTG? ==<br />
As we migrated some of the existing content, we did our best to backtrack the original authors and credit them appropriately. We also added a [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x02-Frontispiece.md revision history] that lists all the authors from old Google Docs. If you are not on that list but feel you should be, please contact [https://github.com/b-mueller Bernhard] or [https://github.com/sushi2k Sven] and they'll fix it. Or better yet, re-join the author's team and start contributing to the new guide.<br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
The Mobile Security Testing Guide was initiated by [https://www.owasp.org/index.php/User:Milan_Singh_Thakur Milan Singh Thakur] in 2015. The original document was hosted on Google Drive. Guide development was moved to GitHub in October 2016. Below is the full list of contributors for each revision.<br />
<br />
=== MSTG in its current form ===<br />
<br />
'''Authors:'''<br />
<br />
* Bernhard Mueller<br />
* Sven Schleier<br />
<br />
'''Contributors:'''<br />
<br />
* Abdessamad Temmar<br />
* Francesco Stillavato<br />
* Pawel Rzepa<br />
* Gerhard Wagner<br />
* Daniel Ramirez Martin<br />
*Jin Kung Ong<br />
* Alexander Antukh<br />
* Claudia André<br />
* Ryan Teoh<br />
* Prathan Phongthiproek<br />
* Jeroen Willemsen<br />
* Romuald Szkudlarek<br />
* Luander Ribeiro<br />
* Pishu Mahtani<br />
* Sebastian Banescu<br />
* Prabhant Singh<br />
* Stephen Corbiaux<br />
* Ali Yazdani<br />
<br />
'''Reviewers:'''<br />
<br />
=== MSTG "Beta 2" on Google Drive ===<br />
<br />
'''Authors:'''<br />
<br />
* Mirza Ali<br />
* Stephen Corbiaux<br />
* Ryan Dewhurst<br />
* Mohammad Hamed Dadpour<br />
* David Fern<br />
* Ali Yazdani<br />
* Bao Lee<br />
* Anto Joseph<br />
* Nutan Kumar Panda<br />
* Rahil Parikh<br />
* Julian Schütte<br />
* Abhinav Sejpal<br />
* Anant Shrivastava<br />
* Pragati Singh<br />
* Milan Singh Thakur<br />
* Stephanie Vanroelen<br />
* Gerhard Wagner<br />
<br />
'''Reviewers:'''<br />
<br />
* Andrew Muller<br />
* Jonathan Carter<br />
* Stephanie Vanroelen<br />
* Milan Singh Thakur<br />
<br />
=== MSTG "Beta 1" on Google Drive ===<br />
<br />
'''Authors:''' <br />
<br />
*Mirza Ali <br />
*Mohammad Hamed Dadpour<br />
*David Fern<br />
*Rahil Parikh<br />
*Abhinav Sejpal<br />
*Pragati Singh<br />
*Milan Singh Thakur<br />
<br />
'''Reviewers:'''<br />
<br />
*Andrew Muller<br />
*Jonathan Carter<br />
<br />
'''Top Contributors:'''<br />
<br />
*Jim Manico<br />
*Yair Amit<br />
*Amin Lalji<br />
*OWASP Mobile Team<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs></headertabs> <br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Builders]] <br />
[[Category:OWASP_Defenders]] <br />
[[Category:OWASP_Document]]</div>Bernhard Muellerhttps://wiki.owasp.org/index.php?title=OWASP_Mobile_Security_Testing_Guide&diff=228346OWASP Mobile Security Testing Guide2017-04-05T08:39:05Z<p>Bernhard Mueller: </p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_MSTG_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==Our Vision ==<br />
<br />
=== '''"Define the industry standard for mobile application security."''' ===<br />
<br />
We are writing a security standard for mobile apps and a comprehensive testing guide that covers the processes, techniques, and tools used during a mobile app security test, as well as an exhaustive set of test cases that enables testers to deliver consistent and complete results.<br />
<br />
== Main Deliverables ==<br />
<br />
{| cellpadding="5"<br />
|-<br />
| [[File:mstg-mini-2.jpg|link=https://www.github.com/OWASP/owasp-mstg/]]<br />
| '''Mobile Security Testing Guide'''<br />
A comprehensive guide for iOS and Android mobile security testers with the following content:<br />
# Mobile platform internals<br />
# Testing in the secure development lifecycle<br />
# Basic white-box and black-box security testing<br />
# Mobile reverse engineering and tampering<br />
# Assessing software protections<br />
# Detailed white-box and black-box test cases that map to the requirements in the MASVS.<br />
The MSTG is a work-in-progress. Currently, we hope to be "feature-complete" in Q3 2017. You can contribute and comment in the [https://github.com/OWASP/owasp-mstg GitHub Repo]. A book version of the current master branch is available on [https://b-mueller.gitbooks.io/owasp-mobile-security-testing-guide/content/ Gitbook].<br />
|-<br />
| [[File:masvs-sample-mini.jpg|link=https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf]]<br />
| '''Mobile App Security Requirements and Verification'''<br />
The [https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf OWASP Mobile Application Security Verification Standard (MASVS)] is a standard for mobile app security. It can be used by mobile software architects and developers seeking to develop secure mobile applications, as well as security testers to ensure completeness and consistency of test results. The latest release is [https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf version 0.9.3].<br />
|-<br />
| [[File:checklist.jpg|link=https://www.owasp.org/images/1/1b/Mobile_App_Security_Checklist_0.9.3.xlsx]]<br />
| '''Mobile App Security Checklist'''<br />
A checklist for use in security assessments. Also contains links to the MSTG test case for each requirement. The current release is [https://www.owasp.org/images/1/1b/Mobile_App_Security_Checklist_0.9.3.xlsx version 0.9.3].<br />
|}<br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Breakers]] <br />
[[Category:OWASP_Document]]<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="center" width="50%" | [[File:Owasp-breakers-small.png|link=https://www.owasp.org/index.php/Breakers]]<br />
|<br />
|-<br />
| align="center" valign="center" width="50%" | <br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
== Project Leaders ==<br />
<br />
<span style="color:#ff0000"><br />
<br />
[https://www.owasp.org/index.php/User:Bernhard_Mueller Bernhard Mueller]<br />
<br />
[https://www.owasp.org/index.php/User:Sven_Schleier Sven Schleier]<br />
<br />
== Road Map ==<br />
<br />
* Q3 2017: Beta release<br />
* Q4 2017: Version 1.0<br />
* Q1 2018: Produce A Printable Book<br />
<br />
== Parent Project ==<br />
<br />
[[OWASP_Mobile_Security_Project]]<br />
<br />
==Licensing==<br />
<br />
The guide is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
|}<br />
<br />
=How-To=<br />
<br />
== Using the OWASP Mobile App Security Verification Standard, Testing Guide and Checklist ==<br />
<br />
The documents produced in this project cover many aspects of mobile application security, from the high-level requirements to the nitty-gritty implementation details and test cases. They can be used to plan and verify security controls during any phase of mobile app development, as well as during pre-release code review and penetration testing.<br />
<br />
# The [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf Mobile Application Security Verification Standard (MASVS)] contains generic security requirements along with mappings to verification levels that can be chosen depending on the overall need for security.<br />
# The [https://github.com/OWASP/owasp-mstg Mobile Security Testing Guide (MSTG)] provides verification instructions for each requirement in the MASVS, as well as security best practices for apps on each supported mobile operating system (currently Android and iOS). It is also useful as a standalone learning resource and reference guide for mobile application security testers.<br />
# The [https://www.owasp.org/images/6/6f/Mobile_App_Security_Checklist_0.9.2.xlsx Mobile App Security Checklist] can be used to apply the MASVS requirements during practical assessments. It also conveniently links to the MSTG test case for each requirement, making mobile penetration testing a breeze.<br />
<br />
It is important to note that the security standard, testing guide and checklists are closely related: They all map to the same basic set of requirements. Depending on the context, the documents can be used stand-alone or in combination to achieve different objectives.<br />
<br />
[[File:Overview-800px.jpg]]<br />
<br />
For example, the MASVS requirements may be used in the planning and architecture design stages, while the checklist and testing guide may serve as a baseline for manual security testing or as a template for automated security tests.<br />
<br />
== Mobile App Security Testing ==<br />
<br />
The [https://www.owasp.org/images/9/94/Mobile_App_Security_Verification_Checklist_0.8.2.xlsx checklist] works great as a reference during mobile app security assessments. You can walk through the requirements one-by-one - for more information on each requirement, simply click on the link in the "Testing procedures" column. Or, fill out the checklist at the end of an assessment to ensure completeness. <br />
<br />
== Security Engineering in the SDLC ==<br />
<br />
Properly defined security requirements are an important part of the Secure SDLC. The [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf MASVS] levels can be used along with threat modeling to determine the appropriate set of security controls for a particular mobile app. MASVS V1 also lists requirements pertaining to the architecture and design of the mobile apps, as well as general processes and activities that should be part of the development process.<br />
<br />
== Mobile App Security Education ==<br />
<br />
The [https://github.com/OWASP/owasp-mstg Mobile Security Testing Guide] can be used as a standalone learning resource. Its main chapters contain general how-tos and tutorials that cover a variety of topics from mobile OS internals to advanced reverse engineering techniques.<br />
<br />
=News=<br />
<br />
== April 5th, 2017: Mobile App Security Verification Standard Update ==<br />
<br />
Version 0.9.3 of the MASVS is now [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.3.pdf available for download] . This release contains several bug fixes and modifications to security requirements:<br />
<br />
* Merged requirements 7.8 and 7.9 into for simplification<br />
* Removed Anti-RE controls 8.1 and 8.2<br />
* Updated MSTG links to current master<br />
* Section "Environmental Interaction" renamed to "Platform Interaction"<br />
* Removed To-dos<br />
* Fixed some wording & spelling issues<br />
<br />
== January 31st, 2017: Mobile App Security Verification Standard v0.9.2 Available For Download ==<br />
<br />
The Mobile App Security Verification Standard (MASVS) has undergone a major revision, including a re-design of the security model and verification levels. We also revised many security requirements to address the multitude of [https://github.com/OWASP/owasp-masvs/issues?q=is%3Aissue%20 issues raised on GitHub]. The result is MASVS v0.9.2, which is now [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf available for download in PDF format].<br />
<br />
As the MASVS is nearing maturity, we have decided to freeze the requirements until the Mobile Testing Guide and checklists "catch up" (due to the one-to-one mapping between requirements in the MASVS and MSTG, changes to the requirements make it necessary to update the other documents as well, causing repeated effort). Unless major issues pop up, the current list will therefore remain in place until MASVS/MSTG v1.0, and further changes will be reserved for v1.1 or later releases.<br />
<br />
The MASVS is a community effort to establish security requirements for designing, developing and testing secure mobile apps on iOS and Android. Join the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel] to meet the project members! You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
== January 28th, 2017: Mobile Crackmes and Reversing Tutorials ==<br />
{| cellpadding="5"<br />
|-<br />
| [[File:uncrackable-250.png|link=]]<br />
| <br />
A key goal of the OWASP Mobile Testing Project is to build the ultimate learning resource and reference guide for mobile app reversers. As hands-on hacking is by far the best way to learn, we'd like to link most of the content to practical examples. <br />
<br />
Starting now, we'll be adding [https://github.com/OWASP/owasp-mstg/blob/master/OMTG-Files/02_Crackmes/List_of_Crackmes.md crackmes for Android and iOS] to the [https://github.com/OWASP/owasp-mstg GitHub repo] that will then be used as examples throughout the guide. The goal is to collect enough resources for demonstrating the most important tools and techniques in our guide, plus additional crackmes for practicing. For starters there are three challenges:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/OMTG-Files/02_Crackmes/01_Android/01_License_Validation Android License Validator]<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/OMTG-Files/02_Crackmes/02_iOS/UnCrackable_Level1 Uncrackable App for iOS Level 1]<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/OMTG-Files/02_Crackmes/02_iOS/UnCrackable_Level2 Uncrackable App for iOS Level 2]<br />
<br />
|}<br />
<br />
One of these three already has a [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md#symbolicexec documented solution] in the guide. Tutorials for solving the other two [https://github.com/OWASP/owasp-mstg/blob/master/OMTG-Files/02_Crackmes/List_of_Crackmes.md still need to be added].<br />
<br />
=== We Need More Authors and Contributors! ===<br />
<br />
Maybe you have noticed that [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html the reverse engineering sections in the Mobile Testing Guide are incomplete]. The reason: We're still in the starting stages and don't have a lot of authors and contributors (in fact, 99% of the reversing content was produced by one guy). We'd love to welcome *you* as a contributor of crackmes, tutorials, writeups, or simply new ideas for this project. <br />
<br />
==== What You Can Do ====<br />
<br />
The OWASP MSTG is an open project and there's a lot of flexibility - it mostly depends on your skill set and willingness to commit your time. That said, the some areas that need help are:<br />
<br />
* Solving crackmes and contributing a tutorial to the guide (preferable a technique that's not already documented. Check the [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html TOC] first).<br />
* Writing and adding new crackmes along with solutions (should also describe something not already in the guide. Cracking white-boxes, dynamic analysis using an emulator / introspection, etc. etc.).<br />
* General reversing write-ups to describe specific processes and techniques<br />
* Help us figure out [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x07b-Assessing_Software_Protections.md resiliency testing processes] and [https://github.com/b-mueller/obfuscation-metrics obfuscation metrics]<br />
<br />
The reversing part of the guide consists of the following chapters:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05-Testing-Processes-and-Techniques.md#tampering-and-reverse-engineering Tampering and Reverse Engineering - General Overview]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md#tampering-and-reverse-engineering-on-android Tampering and Reverse Engineering on Android]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Reverse-Engineering-and-Tampering-iOS.md#tampering-and-reverse-engineering-on-ios Tampering and Reverse Engineering on iOS]<br />
<br />
==== How To Join ====<br />
<br />
Read the [https://github.com/OWASP/owasp-mstg/blob/master/authors_guide.md author's guide] first, and join the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel], where you'll find all the other project members. You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
== January 22nd, 2017: Mobile Testing Guide TOC Available ==<br />
<br />
As of now, we'll be auto-generating a [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html table of contents] out of the current MSTG master branch. This reflects the current state of the guide, and should make it easier to coordinate work between authors. A short-term goal is to finalize the structure of the guide so we get a clearer picture of what will be included in the final document. Lead authors are encouraged to complete the outline of their respective chapters. <br />
<br />
'''On another note, we still need additional authors to help with all sections of the guide, including mobile operating system overviews, testing processes and techniques, and reverse engineering.''' Especially iOS authors are in short supply! As usual, ping us on the [https://owasp.slack.com/messages/project-mobile_omtg/details/ Slack Channel] if you want to contribute.<br />
<br />
== December 4th, 2016: Call For Authors: The Ultimate Open-Source Mobile App Reverse Engineering Guide ==<br />
<br />
Reverse engineering is an art, and describing every available facet of it would fill a whole library. The sheer range techniques and possible specializations is mind-blowing: One can spend years working on a very specific, isolated sub-problem, such as automating malware analysis or developing novel de-obfuscation methods. For mobile app security testers, it can be challenging to filter through the vast amount of information and build a working methodology. Things become even more problematic when one is tasked to assess apps that are heavily obfuscated and have anti-tampering measures built in.<br />
<br />
One of the main goals in the MSTG is to build the ultimate resource for mobile reverse engineers. This includes not only basic static and dynamic analysis, but also advanced de-obfuscation, scripting and automation. Obviously, writing all this content is a lot of work, both in terms of general content and OS-specific how-tos. We're therefore looking for talented authors that want to join the project early on. Topics include the following:<br />
<br />
* Basic Hybrid Static/Dynamic Analysis<br />
* Code Injection and Dynamic Instrumentation (Substrate, FRIDA)<br />
* Dynamic Binary Instrumentation (Valgrind, PIE)<br />
* Analysis Frameworks (Metasm / Miasm)<br />
* Symbolic Execution<br />
* DCA and DPA attacks on white-box crypto<br />
* Dynamic analysis frameworks (PANDA / DroidScope,...)<br />
* Anything else we might have missed<br />
<br />
=== What is in for me? ===<br />
<br />
All of this is unpaid, volunteer work. However, depending on your contribution, you will be named in the "lead authors" or "contributors" list, and you'll be able to point to the fact that you co-authored the guide. You'll also be contributing to the field, helping others who are just starting out, and in turn becoming a happier person yourself (reaping the full benefits of your altruism).<br />
<br />
=== Where do I sign up? ===<br />
<br />
First of all, have a look at the existing RE chapters outline:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05-Testing-Processes-and-Techniques.md#tampering-and-reverse-engineering Generic / Introduction]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md Android]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Reverse-Engineering-and-Tampering-iOS.md#tampering-and-reverse-engineering-on-ios iOS]<br />
<br />
You'll probably immediately have ideas on how you can contribute. If that's the case, read the [https://github.com/OWASP/owasp-mstg/blob/master/authors_guide.md author's guide] first. <br />
<br />
Then contact [https://github.com/b-mueller Bernhard Mueller] - ideally directly on the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel], where you'll find all the other project members. You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
=FAQs=<br />
<br />
==How can I participate in your project?==<br />
First of all, check the [https://github.com/OWASP/owasp-mstg/blob/master/README.md README], browse the [https://b-mueller.gitbooks.io/owasp-mobile-security-testing-guide/content/ existing content], and decide where you would like to contribute.<br />
Then, ping the contact responsible for the chapter you are interested in. You can find their name and GitHub handle in the project [https://github.com/OWASP/owasp-mstg/blob/master/README.md README]. Please always check with the responsible person first, or you might end up working on a chapter that's already being done by someone else. <br />
In any case, we encourage you to join [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel], where you'll find all the other project members. You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
The home of the OWASP Mobile Security Testing Guide is on [https://github.com/OWASP/owasp-mstg GitHub.] The MASVS is hosted in a [https://github.com/OWASP/owasp-masvs separate repository].<br />
<br />
==Where do you guys need help the most?==<br />
<br />
There's a lot of areas where you can help out:<br />
<br />
* Writing original content, such as describing testing processes and writing test cases. We're all doing this in our spare time, which unfortunately means that things sometimes slow down to a crawl. If you're knowledgeable in some area and have time available, we'd be incredibly thankful to anyone who contributes, even if it's only one or two test cases.<br />
<br />
* Reviewing content and giving feedback. The proper channel for questions and feedback is the GitHub issues system of the respective repo, contacting us on [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel] is another possibility.<br />
<br />
* Developing tools. For example, we still don't have an automated way of generating checklists out of the GitHub repo.<br />
<br />
* Contributing to auxiliary projects: The [https://github.com/b-mueller/obfuscation-metrics obfuscation metrics project] is an auxiliary project that deals with specific forms of control flow and data obfuscation. This project needs experts in advanced obfuscation / de-obfuscation. Please contact us if you have experience in this area.<br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator.<br />
<br />
==I contributed to the original Google Doc, but I'm not credited in the new version of the MSTG? ==<br />
As we migrated some of the existing content, we did our best to backtrack the original authors and credit them appropriately. We also added a [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x02-Frontispiece.md revision history] that lists all the authors from old Google Docs. If you are not on that list but feel you should be, please contact [https://github.com/b-mueller Bernhard] or [https://github.com/sushi2k Sven] and they'll fix it. Or better yet, re-join the author's team and start contributing to the new guide.<br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
The Mobile Security Testing Guide was initiated by [https://www.owasp.org/index.php/User:Milan_Singh_Thakur Milan Singh Thakur] in 2015. The original document was hosted on Google Drive. Guide development was moved to GitHub in October 2016. Below is the full list of contributors for each revision.<br />
<br />
=== MSTG in its current form ===<br />
<br />
'''Authors:'''<br />
<br />
* Bernhard Mueller<br />
* Sven Schleier<br />
<br />
'''Contributors:'''<br />
<br />
* Abdessamad Temmar<br />
* Francesco Stillavato<br />
* Pawel Rzepa<br />
* Gerhard Wagner<br />
* Daniel Ramirez Martin<br />
*Jin Kung Ong<br />
* Alexander Antukh<br />
* Claudia André<br />
* Ryan Teoh<br />
* Prathan Phongthiproek<br />
* Jeroen Willemsen<br />
* Romuald Szkudlarek<br />
* Luander Ribeiro<br />
* Pishu Mahtani<br />
* Sebastian Banescu<br />
* Prabhant Singh<br />
* Stephen Corbiaux<br />
* Ali Yazdani<br />
<br />
'''Reviewers:'''<br />
<br />
=== MSTG "Beta 2" on Google Drive ===<br />
<br />
'''Authors:'''<br />
<br />
* Mirza Ali<br />
* Stephen Corbiaux<br />
* Ryan Dewhurst<br />
* Mohammad Hamed Dadpour<br />
* David Fern<br />
* Ali Yazdani<br />
* Bao Lee<br />
* Anto Joseph<br />
* Nutan Kumar Panda<br />
* Rahil Parikh<br />
* Julian Schütte<br />
* Abhinav Sejpal<br />
* Anant Shrivastava<br />
* Pragati Singh<br />
* Milan Singh Thakur<br />
* Stephanie Vanroelen<br />
* Gerhard Wagner<br />
<br />
'''Reviewers:'''<br />
<br />
* Andrew Muller<br />
* Jonathan Carter<br />
* Stephanie Vanroelen<br />
* Milan Singh Thakur<br />
<br />
=== MSTG "Beta 1" on Google Drive ===<br />
<br />
'''Authors:''' <br />
<br />
*Mirza Ali <br />
*Mohammad Hamed Dadpour<br />
*David Fern<br />
*Rahil Parikh<br />
*Abhinav Sejpal<br />
*Pragati Singh<br />
*Milan Singh Thakur<br />
<br />
'''Reviewers:'''<br />
<br />
*Andrew Muller<br />
*Jonathan Carter<br />
<br />
'''Top Contributors:'''<br />
<br />
*Jim Manico<br />
*Yair Amit<br />
*Amin Lalji<br />
*OWASP Mobile Team<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs></headertabs> <br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Builders]] <br />
[[Category:OWASP_Defenders]] <br />
[[Category:OWASP_Document]]</div>Bernhard Muellerhttps://wiki.owasp.org/index.php?title=OWASP_Mobile_Security_Testing_Guide&diff=228345OWASP Mobile Security Testing Guide2017-04-05T08:37:50Z<p>Bernhard Mueller: </p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_MSTG_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==Our Vision ==<br />
<br />
=== '''"Define the industry standard for mobile application security."''' ===<br />
<br />
We are writing a security standard for mobile apps and a comprehensive testing guide that covers the processes, techniques, and tools used during a mobile app security test, as well as an exhaustive set of test cases that enables testers to deliver consistent and complete results.<br />
<br />
== Main Deliverables ==<br />
<br />
{| cellpadding="5"<br />
|-<br />
| [[File:mstg-mini-2.jpg|link=https://www.github.com/OWASP/owasp-mstg/]]<br />
| '''Mobile Security Testing Guide'''<br />
A comprehensive guide for iOS and Android mobile security testers with the following content:<br />
# Mobile platform internals<br />
# Testing in the secure development lifecycle<br />
# Basic white-box and black-box security testing<br />
# Mobile reverse engineering and tampering<br />
# Assessing software protections<br />
# Detailed white-box and black-box test cases that map to the requirements in the MASVS.<br />
The MSTG is a work-in-progress. Currently, we hope to be "feature-complete" in Q3 2017. You can contribute and comment in the [https://github.com/OWASP/owasp-mstg GitHub Repo]. A book version of the current master branch is available on [https://b-mueller.gitbooks.io/owasp-mobile-security-testing-guide/content/ Gitbook].<br />
|-<br />
| [[File:masvs-sample-mini.jpg|link=https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf]]<br />
| '''Mobile App Security Requirements and Verification'''<br />
The [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.3.pdf OWASP Mobile Application Security Verification Standard (MASVS)] is a standard for mobile app security. It can be used by mobile software architects and developers seeking to develop secure mobile applications, as well as security testers to ensure completeness and consistency of test results. The latest release is [https://www.owasp.org/images/f/fe/MASVS_v0.9.3.pdf].<br />
|-<br />
| [[File:checklist.jpg|link=https://www.owasp.org/images/1/1b/Mobile_App_Security_Checklist_0.9.3.xlsx]]<br />
| '''Mobile App Security Checklist'''<br />
A checklist for use in security assessments. Also contains links to the MSTG test case for each requirement. The current release is [https://www.owasp.org/images/1/1b/Mobile_App_Security_Checklist_0.9.3.xlsx version 0.9.3].<br />
|}<br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Breakers]] <br />
[[Category:OWASP_Document]]<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="center" width="50%" | [[File:Owasp-breakers-small.png|link=https://www.owasp.org/index.php/Breakers]]<br />
|<br />
|-<br />
| align="center" valign="center" width="50%" | <br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
== Project Leaders ==<br />
<br />
<span style="color:#ff0000"><br />
<br />
[https://www.owasp.org/index.php/User:Bernhard_Mueller Bernhard Mueller]<br />
<br />
[https://www.owasp.org/index.php/User:Sven_Schleier Sven Schleier]<br />
<br />
== Road Map ==<br />
<br />
* Q3 2017: Beta release<br />
* Q4 2017: Version 1.0<br />
* Q1 2018: Produce A Printable Book<br />
<br />
== Parent Project ==<br />
<br />
[[OWASP_Mobile_Security_Project]]<br />
<br />
==Licensing==<br />
<br />
The guide is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
|}<br />
<br />
=How-To=<br />
<br />
== Using the OWASP Mobile App Security Verification Standard, Testing Guide and Checklist ==<br />
<br />
The documents produced in this project cover many aspects of mobile application security, from the high-level requirements to the nitty-gritty implementation details and test cases. They can be used to plan and verify security controls during any phase of mobile app development, as well as during pre-release code review and penetration testing.<br />
<br />
# The [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf Mobile Application Security Verification Standard (MASVS)] contains generic security requirements along with mappings to verification levels that can be chosen depending on the overall need for security.<br />
# The [https://github.com/OWASP/owasp-mstg Mobile Security Testing Guide (MSTG)] provides verification instructions for each requirement in the MASVS, as well as security best practices for apps on each supported mobile operating system (currently Android and iOS). It is also useful as a standalone learning resource and reference guide for mobile application security testers.<br />
# The [https://www.owasp.org/images/6/6f/Mobile_App_Security_Checklist_0.9.2.xlsx Mobile App Security Checklist] can be used to apply the MASVS requirements during practical assessments. It also conveniently links to the MSTG test case for each requirement, making mobile penetration testing a breeze.<br />
<br />
It is important to note that the security standard, testing guide and checklists are closely related: They all map to the same basic set of requirements. Depending on the context, the documents can be used stand-alone or in combination to achieve different objectives.<br />
<br />
[[File:Overview-800px.jpg]]<br />
<br />
For example, the MASVS requirements may be used in the planning and architecture design stages, while the checklist and testing guide may serve as a baseline for manual security testing or as a template for automated security tests.<br />
<br />
== Mobile App Security Testing ==<br />
<br />
The [https://www.owasp.org/images/9/94/Mobile_App_Security_Verification_Checklist_0.8.2.xlsx checklist] works great as a reference during mobile app security assessments. You can walk through the requirements one-by-one - for more information on each requirement, simply click on the link in the "Testing procedures" column. Or, fill out the checklist at the end of an assessment to ensure completeness. <br />
<br />
== Security Engineering in the SDLC ==<br />
<br />
Properly defined security requirements are an important part of the Secure SDLC. The [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf MASVS] levels can be used along with threat modeling to determine the appropriate set of security controls for a particular mobile app. MASVS V1 also lists requirements pertaining to the architecture and design of the mobile apps, as well as general processes and activities that should be part of the development process.<br />
<br />
== Mobile App Security Education ==<br />
<br />
The [https://github.com/OWASP/owasp-mstg Mobile Security Testing Guide] can be used as a standalone learning resource. Its main chapters contain general how-tos and tutorials that cover a variety of topics from mobile OS internals to advanced reverse engineering techniques.<br />
<br />
=News=<br />
<br />
== April 5th, 2017: Mobile App Security Verification Standard Update ==<br />
<br />
Version 0.9.3 of the MASVS is now [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.3.pdf available for download] . This release contains several bug fixes and modifications to security requirements:<br />
<br />
* Merged requirements 7.8 and 7.9 into for simplification<br />
* Removed Anti-RE controls 8.1 and 8.2<br />
* Updated MSTG links to current master<br />
* Section "Environmental Interaction" renamed to "Platform Interaction"<br />
* Removed To-dos<br />
* Fixed some wording & spelling issues<br />
<br />
== January 31st, 2017: Mobile App Security Verification Standard v0.9.2 Available For Download ==<br />
<br />
The Mobile App Security Verification Standard (MASVS) has undergone a major revision, including a re-design of the security model and verification levels. We also revised many security requirements to address the multitude of [https://github.com/OWASP/owasp-masvs/issues?q=is%3Aissue%20 issues raised on GitHub]. The result is MASVS v0.9.2, which is now [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf available for download in PDF format].<br />
<br />
As the MASVS is nearing maturity, we have decided to freeze the requirements until the Mobile Testing Guide and checklists "catch up" (due to the one-to-one mapping between requirements in the MASVS and MSTG, changes to the requirements make it necessary to update the other documents as well, causing repeated effort). Unless major issues pop up, the current list will therefore remain in place until MASVS/MSTG v1.0, and further changes will be reserved for v1.1 or later releases.<br />
<br />
The MASVS is a community effort to establish security requirements for designing, developing and testing secure mobile apps on iOS and Android. Join the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel] to meet the project members! You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
== January 28th, 2017: Mobile Crackmes and Reversing Tutorials ==<br />
{| cellpadding="5"<br />
|-<br />
| [[File:uncrackable-250.png|link=]]<br />
| <br />
A key goal of the OWASP Mobile Testing Project is to build the ultimate learning resource and reference guide for mobile app reversers. As hands-on hacking is by far the best way to learn, we'd like to link most of the content to practical examples. <br />
<br />
Starting now, we'll be adding [https://github.com/OWASP/owasp-mstg/blob/master/OMTG-Files/02_Crackmes/List_of_Crackmes.md crackmes for Android and iOS] to the [https://github.com/OWASP/owasp-mstg GitHub repo] that will then be used as examples throughout the guide. The goal is to collect enough resources for demonstrating the most important tools and techniques in our guide, plus additional crackmes for practicing. For starters there are three challenges:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/OMTG-Files/02_Crackmes/01_Android/01_License_Validation Android License Validator]<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/OMTG-Files/02_Crackmes/02_iOS/UnCrackable_Level1 Uncrackable App for iOS Level 1]<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/OMTG-Files/02_Crackmes/02_iOS/UnCrackable_Level2 Uncrackable App for iOS Level 2]<br />
<br />
|}<br />
<br />
One of these three already has a [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md#symbolicexec documented solution] in the guide. Tutorials for solving the other two [https://github.com/OWASP/owasp-mstg/blob/master/OMTG-Files/02_Crackmes/List_of_Crackmes.md still need to be added].<br />
<br />
=== We Need More Authors and Contributors! ===<br />
<br />
Maybe you have noticed that [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html the reverse engineering sections in the Mobile Testing Guide are incomplete]. The reason: We're still in the starting stages and don't have a lot of authors and contributors (in fact, 99% of the reversing content was produced by one guy). We'd love to welcome *you* as a contributor of crackmes, tutorials, writeups, or simply new ideas for this project. <br />
<br />
==== What You Can Do ====<br />
<br />
The OWASP MSTG is an open project and there's a lot of flexibility - it mostly depends on your skill set and willingness to commit your time. That said, the some areas that need help are:<br />
<br />
* Solving crackmes and contributing a tutorial to the guide (preferable a technique that's not already documented. Check the [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html TOC] first).<br />
* Writing and adding new crackmes along with solutions (should also describe something not already in the guide. Cracking white-boxes, dynamic analysis using an emulator / introspection, etc. etc.).<br />
* General reversing write-ups to describe specific processes and techniques<br />
* Help us figure out [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x07b-Assessing_Software_Protections.md resiliency testing processes] and [https://github.com/b-mueller/obfuscation-metrics obfuscation metrics]<br />
<br />
The reversing part of the guide consists of the following chapters:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05-Testing-Processes-and-Techniques.md#tampering-and-reverse-engineering Tampering and Reverse Engineering - General Overview]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md#tampering-and-reverse-engineering-on-android Tampering and Reverse Engineering on Android]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Reverse-Engineering-and-Tampering-iOS.md#tampering-and-reverse-engineering-on-ios Tampering and Reverse Engineering on iOS]<br />
<br />
==== How To Join ====<br />
<br />
Read the [https://github.com/OWASP/owasp-mstg/blob/master/authors_guide.md author's guide] first, and join the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel], where you'll find all the other project members. You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
== January 22nd, 2017: Mobile Testing Guide TOC Available ==<br />
<br />
As of now, we'll be auto-generating a [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html table of contents] out of the current MSTG master branch. This reflects the current state of the guide, and should make it easier to coordinate work between authors. A short-term goal is to finalize the structure of the guide so we get a clearer picture of what will be included in the final document. Lead authors are encouraged to complete the outline of their respective chapters. <br />
<br />
'''On another note, we still need additional authors to help with all sections of the guide, including mobile operating system overviews, testing processes and techniques, and reverse engineering.''' Especially iOS authors are in short supply! As usual, ping us on the [https://owasp.slack.com/messages/project-mobile_omtg/details/ Slack Channel] if you want to contribute.<br />
<br />
== December 4th, 2016: Call For Authors: The Ultimate Open-Source Mobile App Reverse Engineering Guide ==<br />
<br />
Reverse engineering is an art, and describing every available facet of it would fill a whole library. The sheer range techniques and possible specializations is mind-blowing: One can spend years working on a very specific, isolated sub-problem, such as automating malware analysis or developing novel de-obfuscation methods. For mobile app security testers, it can be challenging to filter through the vast amount of information and build a working methodology. Things become even more problematic when one is tasked to assess apps that are heavily obfuscated and have anti-tampering measures built in.<br />
<br />
One of the main goals in the MSTG is to build the ultimate resource for mobile reverse engineers. This includes not only basic static and dynamic analysis, but also advanced de-obfuscation, scripting and automation. Obviously, writing all this content is a lot of work, both in terms of general content and OS-specific how-tos. We're therefore looking for talented authors that want to join the project early on. Topics include the following:<br />
<br />
* Basic Hybrid Static/Dynamic Analysis<br />
* Code Injection and Dynamic Instrumentation (Substrate, FRIDA)<br />
* Dynamic Binary Instrumentation (Valgrind, PIE)<br />
* Analysis Frameworks (Metasm / Miasm)<br />
* Symbolic Execution<br />
* DCA and DPA attacks on white-box crypto<br />
* Dynamic analysis frameworks (PANDA / DroidScope,...)<br />
* Anything else we might have missed<br />
<br />
=== What is in for me? ===<br />
<br />
All of this is unpaid, volunteer work. However, depending on your contribution, you will be named in the "lead authors" or "contributors" list, and you'll be able to point to the fact that you co-authored the guide. You'll also be contributing to the field, helping others who are just starting out, and in turn becoming a happier person yourself (reaping the full benefits of your altruism).<br />
<br />
=== Where do I sign up? ===<br />
<br />
First of all, have a look at the existing RE chapters outline:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05-Testing-Processes-and-Techniques.md#tampering-and-reverse-engineering Generic / Introduction]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md Android]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Reverse-Engineering-and-Tampering-iOS.md#tampering-and-reverse-engineering-on-ios iOS]<br />
<br />
You'll probably immediately have ideas on how you can contribute. If that's the case, read the [https://github.com/OWASP/owasp-mstg/blob/master/authors_guide.md author's guide] first. <br />
<br />
Then contact [https://github.com/b-mueller Bernhard Mueller] - ideally directly on the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel], where you'll find all the other project members. You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
=FAQs=<br />
<br />
==How can I participate in your project?==<br />
First of all, check the [https://github.com/OWASP/owasp-mstg/blob/master/README.md README], browse the [https://b-mueller.gitbooks.io/owasp-mobile-security-testing-guide/content/ existing content], and decide where you would like to contribute.<br />
Then, ping the contact responsible for the chapter you are interested in. You can find their name and GitHub handle in the project [https://github.com/OWASP/owasp-mstg/blob/master/README.md README]. Please always check with the responsible person first, or you might end up working on a chapter that's already being done by someone else. <br />
In any case, we encourage you to join [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel], where you'll find all the other project members. You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
The home of the OWASP Mobile Security Testing Guide is on [https://github.com/OWASP/owasp-mstg GitHub.] The MASVS is hosted in a [https://github.com/OWASP/owasp-masvs separate repository].<br />
<br />
==Where do you guys need help the most?==<br />
<br />
There's a lot of areas where you can help out:<br />
<br />
* Writing original content, such as describing testing processes and writing test cases. We're all doing this in our spare time, which unfortunately means that things sometimes slow down to a crawl. If you're knowledgeable in some area and have time available, we'd be incredibly thankful to anyone who contributes, even if it's only one or two test cases.<br />
<br />
* Reviewing content and giving feedback. The proper channel for questions and feedback is the GitHub issues system of the respective repo, contacting us on [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel] is another possibility.<br />
<br />
* Developing tools. For example, we still don't have an automated way of generating checklists out of the GitHub repo.<br />
<br />
* Contributing to auxiliary projects: The [https://github.com/b-mueller/obfuscation-metrics obfuscation metrics project] is an auxiliary project that deals with specific forms of control flow and data obfuscation. This project needs experts in advanced obfuscation / de-obfuscation. Please contact us if you have experience in this area.<br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator.<br />
<br />
==I contributed to the original Google Doc, but I'm not credited in the new version of the MSTG? ==<br />
As we migrated some of the existing content, we did our best to backtrack the original authors and credit them appropriately. We also added a [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x02-Frontispiece.md revision history] that lists all the authors from old Google Docs. If you are not on that list but feel you should be, please contact [https://github.com/b-mueller Bernhard] or [https://github.com/sushi2k Sven] and they'll fix it. Or better yet, re-join the author's team and start contributing to the new guide.<br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
The Mobile Security Testing Guide was initiated by [https://www.owasp.org/index.php/User:Milan_Singh_Thakur Milan Singh Thakur] in 2015. The original document was hosted on Google Drive. Guide development was moved to GitHub in October 2016. Below is the full list of contributors for each revision.<br />
<br />
=== MSTG in its current form ===<br />
<br />
'''Authors:'''<br />
<br />
* Bernhard Mueller<br />
* Sven Schleier<br />
<br />
'''Contributors:'''<br />
<br />
* Abdessamad Temmar<br />
* Francesco Stillavato<br />
* Pawel Rzepa<br />
* Gerhard Wagner<br />
* Daniel Ramirez Martin<br />
*Jin Kung Ong<br />
* Alexander Antukh<br />
* Claudia André<br />
* Ryan Teoh<br />
* Prathan Phongthiproek<br />
* Jeroen Willemsen<br />
* Romuald Szkudlarek<br />
* Luander Ribeiro<br />
* Pishu Mahtani<br />
* Sebastian Banescu<br />
* Prabhant Singh<br />
* Stephen Corbiaux<br />
* Ali Yazdani<br />
<br />
'''Reviewers:'''<br />
<br />
=== MSTG "Beta 2" on Google Drive ===<br />
<br />
'''Authors:'''<br />
<br />
* Mirza Ali<br />
* Stephen Corbiaux<br />
* Ryan Dewhurst<br />
* Mohammad Hamed Dadpour<br />
* David Fern<br />
* Ali Yazdani<br />
* Bao Lee<br />
* Anto Joseph<br />
* Nutan Kumar Panda<br />
* Rahil Parikh<br />
* Julian Schütte<br />
* Abhinav Sejpal<br />
* Anant Shrivastava<br />
* Pragati Singh<br />
* Milan Singh Thakur<br />
* Stephanie Vanroelen<br />
* Gerhard Wagner<br />
<br />
'''Reviewers:'''<br />
<br />
* Andrew Muller<br />
* Jonathan Carter<br />
* Stephanie Vanroelen<br />
* Milan Singh Thakur<br />
<br />
=== MSTG "Beta 1" on Google Drive ===<br />
<br />
'''Authors:''' <br />
<br />
*Mirza Ali <br />
*Mohammad Hamed Dadpour<br />
*David Fern<br />
*Rahil Parikh<br />
*Abhinav Sejpal<br />
*Pragati Singh<br />
*Milan Singh Thakur<br />
<br />
'''Reviewers:'''<br />
<br />
*Andrew Muller<br />
*Jonathan Carter<br />
<br />
'''Top Contributors:'''<br />
<br />
*Jim Manico<br />
*Yair Amit<br />
*Amin Lalji<br />
*OWASP Mobile Team<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs></headertabs> <br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Builders]] <br />
[[Category:OWASP_Defenders]] <br />
[[Category:OWASP_Document]]</div>Bernhard Muellerhttps://wiki.owasp.org/index.php?title=File:MASVS_v0.9.3.pdf&diff=228344File:MASVS v0.9.3.pdf2017-04-05T08:36:44Z<p>Bernhard Mueller: MASVS v0.9.3 with fixed footer...</p>
<hr />
<div>MASVS v0.9.3 with fixed footer...</div>Bernhard Muellerhttps://wiki.owasp.org/index.php?title=OWASP_Mobile_Security_Testing_Guide&diff=228343OWASP Mobile Security Testing Guide2017-04-05T08:34:10Z<p>Bernhard Mueller: </p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_MSTG_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==Our Vision ==<br />
<br />
=== '''"Define the industry standard for mobile application security."''' ===<br />
<br />
We are writing a security standard for mobile apps and a comprehensive testing guide that covers the processes, techniques, and tools used during a mobile app security test, as well as an exhaustive set of test cases that enables testers to deliver consistent and complete results.<br />
<br />
== Main Deliverables ==<br />
<br />
{| cellpadding="5"<br />
|-<br />
| [[File:mstg-mini-2.jpg|link=https://www.github.com/OWASP/owasp-mstg/]]<br />
| '''Mobile Security Testing Guide'''<br />
A comprehensive guide for iOS and Android mobile security testers with the following content:<br />
# Mobile platform internals<br />
# Testing in the secure development lifecycle<br />
# Basic white-box and black-box security testing<br />
# Mobile reverse engineering and tampering<br />
# Assessing software protections<br />
# Detailed white-box and black-box test cases that map to the requirements in the MASVS.<br />
The MSTG is a work-in-progress. Currently, we hope to be "feature-complete" in Q3 2017. You can contribute and comment in the [https://github.com/OWASP/owasp-mstg GitHub Repo]. A book version of the current master branch is available on [https://b-mueller.gitbooks.io/owasp-mobile-security-testing-guide/content/ Gitbook].<br />
|-<br />
| [[File:masvs-sample-mini.jpg|link=https://www.owasp.org/images/8/8e/OWASP_Mobile_AppSec_Verification_Standard_v0.9.3.pdf]]<br />
| '''Mobile App Security Requirements and Verification'''<br />
The [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.3.pdf OWASP Mobile Application Security Verification Standard (MASVS)] is a standard for mobile app security. It can be used by mobile software architects and developers seeking to develop secure mobile applications, as well as security testers to ensure completeness and consistency of test results. The latest release is [https://www.owasp.org/images/8/8e/OWASP_Mobile_AppSec_Verification_Standard_v0.9.3.pdf MASVS v0.9.3].<br />
|-<br />
| [[File:checklist.jpg|link=https://www.owasp.org/images/1/1b/Mobile_App_Security_Checklist_0.9.3.xlsx]]<br />
| '''Mobile App Security Checklist'''<br />
A checklist for use in security assessments. Also contains links to the MSTG test case for each requirement. The current release is [https://www.owasp.org/images/1/1b/Mobile_App_Security_Checklist_0.9.3.xlsx version 0.9.3].<br />
|}<br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Breakers]] <br />
[[Category:OWASP_Document]]<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="center" width="50%" | [[File:Owasp-breakers-small.png|link=https://www.owasp.org/index.php/Breakers]]<br />
|<br />
|-<br />
| align="center" valign="center" width="50%" | <br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
== Project Leaders ==<br />
<br />
<span style="color:#ff0000"><br />
<br />
[https://www.owasp.org/index.php/User:Bernhard_Mueller Bernhard Mueller]<br />
<br />
[https://www.owasp.org/index.php/User:Sven_Schleier Sven Schleier]<br />
<br />
== Road Map ==<br />
<br />
* Q3 2017: Beta release<br />
* Q4 2017: Version 1.0<br />
* Q1 2018: Produce A Printable Book<br />
<br />
== Parent Project ==<br />
<br />
[[OWASP_Mobile_Security_Project]]<br />
<br />
==Licensing==<br />
<br />
The guide is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
|}<br />
<br />
=How-To=<br />
<br />
== Using the OWASP Mobile App Security Verification Standard, Testing Guide and Checklist ==<br />
<br />
The documents produced in this project cover many aspects of mobile application security, from the high-level requirements to the nitty-gritty implementation details and test cases. They can be used to plan and verify security controls during any phase of mobile app development, as well as during pre-release code review and penetration testing.<br />
<br />
# The [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf Mobile Application Security Verification Standard (MASVS)] contains generic security requirements along with mappings to verification levels that can be chosen depending on the overall need for security.<br />
# The [https://github.com/OWASP/owasp-mstg Mobile Security Testing Guide (MSTG)] provides verification instructions for each requirement in the MASVS, as well as security best practices for apps on each supported mobile operating system (currently Android and iOS). It is also useful as a standalone learning resource and reference guide for mobile application security testers.<br />
# The [https://www.owasp.org/images/6/6f/Mobile_App_Security_Checklist_0.9.2.xlsx Mobile App Security Checklist] can be used to apply the MASVS requirements during practical assessments. It also conveniently links to the MSTG test case for each requirement, making mobile penetration testing a breeze.<br />
<br />
It is important to note that the security standard, testing guide and checklists are closely related: They all map to the same basic set of requirements. Depending on the context, the documents can be used stand-alone or in combination to achieve different objectives.<br />
<br />
[[File:Overview-800px.jpg]]<br />
<br />
For example, the MASVS requirements may be used in the planning and architecture design stages, while the checklist and testing guide may serve as a baseline for manual security testing or as a template for automated security tests.<br />
<br />
== Mobile App Security Testing ==<br />
<br />
The [https://www.owasp.org/images/9/94/Mobile_App_Security_Verification_Checklist_0.8.2.xlsx checklist] works great as a reference during mobile app security assessments. You can walk through the requirements one-by-one - for more information on each requirement, simply click on the link in the "Testing procedures" column. Or, fill out the checklist at the end of an assessment to ensure completeness. <br />
<br />
== Security Engineering in the SDLC ==<br />
<br />
Properly defined security requirements are an important part of the Secure SDLC. The [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf MASVS] levels can be used along with threat modeling to determine the appropriate set of security controls for a particular mobile app. MASVS V1 also lists requirements pertaining to the architecture and design of the mobile apps, as well as general processes and activities that should be part of the development process.<br />
<br />
== Mobile App Security Education ==<br />
<br />
The [https://github.com/OWASP/owasp-mstg Mobile Security Testing Guide] can be used as a standalone learning resource. Its main chapters contain general how-tos and tutorials that cover a variety of topics from mobile OS internals to advanced reverse engineering techniques.<br />
<br />
=News=<br />
<br />
== April 5th, 2017: Mobile App Security Verification Standard Update ==<br />
<br />
Version 0.9.3 of the MASVS is now [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.3.pdf available for download] . This release contains several bug fixes and modifications to security requirements:<br />
<br />
* Merged requirements 7.8 and 7.9 into for simplification<br />
* Removed Anti-RE controls 8.1 and 8.2<br />
* Updated MSTG links to current master<br />
* Section "Environmental Interaction" renamed to "Platform Interaction"<br />
* Removed To-dos<br />
* Fixed some wording & spelling issues<br />
<br />
== January 31st, 2017: Mobile App Security Verification Standard v0.9.2 Available For Download ==<br />
<br />
The Mobile App Security Verification Standard (MASVS) has undergone a major revision, including a re-design of the security model and verification levels. We also revised many security requirements to address the multitude of [https://github.com/OWASP/owasp-masvs/issues?q=is%3Aissue%20 issues raised on GitHub]. The result is MASVS v0.9.2, which is now [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf available for download in PDF format].<br />
<br />
As the MASVS is nearing maturity, we have decided to freeze the requirements until the Mobile Testing Guide and checklists "catch up" (due to the one-to-one mapping between requirements in the MASVS and MSTG, changes to the requirements make it necessary to update the other documents as well, causing repeated effort). Unless major issues pop up, the current list will therefore remain in place until MASVS/MSTG v1.0, and further changes will be reserved for v1.1 or later releases.<br />
<br />
The MASVS is a community effort to establish security requirements for designing, developing and testing secure mobile apps on iOS and Android. Join the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel] to meet the project members! You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
== January 28th, 2017: Mobile Crackmes and Reversing Tutorials ==<br />
{| cellpadding="5"<br />
|-<br />
| [[File:uncrackable-250.png|link=]]<br />
| <br />
A key goal of the OWASP Mobile Testing Project is to build the ultimate learning resource and reference guide for mobile app reversers. As hands-on hacking is by far the best way to learn, we'd like to link most of the content to practical examples. <br />
<br />
Starting now, we'll be adding [https://github.com/OWASP/owasp-mstg/blob/master/OMTG-Files/02_Crackmes/List_of_Crackmes.md crackmes for Android and iOS] to the [https://github.com/OWASP/owasp-mstg GitHub repo] that will then be used as examples throughout the guide. The goal is to collect enough resources for demonstrating the most important tools and techniques in our guide, plus additional crackmes for practicing. For starters there are three challenges:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/OMTG-Files/02_Crackmes/01_Android/01_License_Validation Android License Validator]<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/OMTG-Files/02_Crackmes/02_iOS/UnCrackable_Level1 Uncrackable App for iOS Level 1]<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/OMTG-Files/02_Crackmes/02_iOS/UnCrackable_Level2 Uncrackable App for iOS Level 2]<br />
<br />
|}<br />
<br />
One of these three already has a [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md#symbolicexec documented solution] in the guide. Tutorials for solving the other two [https://github.com/OWASP/owasp-mstg/blob/master/OMTG-Files/02_Crackmes/List_of_Crackmes.md still need to be added].<br />
<br />
=== We Need More Authors and Contributors! ===<br />
<br />
Maybe you have noticed that [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html the reverse engineering sections in the Mobile Testing Guide are incomplete]. The reason: We're still in the starting stages and don't have a lot of authors and contributors (in fact, 99% of the reversing content was produced by one guy). We'd love to welcome *you* as a contributor of crackmes, tutorials, writeups, or simply new ideas for this project. <br />
<br />
==== What You Can Do ====<br />
<br />
The OWASP MSTG is an open project and there's a lot of flexibility - it mostly depends on your skill set and willingness to commit your time. That said, the some areas that need help are:<br />
<br />
* Solving crackmes and contributing a tutorial to the guide (preferable a technique that's not already documented. Check the [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html TOC] first).<br />
* Writing and adding new crackmes along with solutions (should also describe something not already in the guide. Cracking white-boxes, dynamic analysis using an emulator / introspection, etc. etc.).<br />
* General reversing write-ups to describe specific processes and techniques<br />
* Help us figure out [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x07b-Assessing_Software_Protections.md resiliency testing processes] and [https://github.com/b-mueller/obfuscation-metrics obfuscation metrics]<br />
<br />
The reversing part of the guide consists of the following chapters:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05-Testing-Processes-and-Techniques.md#tampering-and-reverse-engineering Tampering and Reverse Engineering - General Overview]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md#tampering-and-reverse-engineering-on-android Tampering and Reverse Engineering on Android]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Reverse-Engineering-and-Tampering-iOS.md#tampering-and-reverse-engineering-on-ios Tampering and Reverse Engineering on iOS]<br />
<br />
==== How To Join ====<br />
<br />
Read the [https://github.com/OWASP/owasp-mstg/blob/master/authors_guide.md author's guide] first, and join the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel], where you'll find all the other project members. You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
== January 22nd, 2017: Mobile Testing Guide TOC Available ==<br />
<br />
As of now, we'll be auto-generating a [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html table of contents] out of the current MSTG master branch. This reflects the current state of the guide, and should make it easier to coordinate work between authors. A short-term goal is to finalize the structure of the guide so we get a clearer picture of what will be included in the final document. Lead authors are encouraged to complete the outline of their respective chapters. <br />
<br />
'''On another note, we still need additional authors to help with all sections of the guide, including mobile operating system overviews, testing processes and techniques, and reverse engineering.''' Especially iOS authors are in short supply! As usual, ping us on the [https://owasp.slack.com/messages/project-mobile_omtg/details/ Slack Channel] if you want to contribute.<br />
<br />
== December 4th, 2016: Call For Authors: The Ultimate Open-Source Mobile App Reverse Engineering Guide ==<br />
<br />
Reverse engineering is an art, and describing every available facet of it would fill a whole library. The sheer range techniques and possible specializations is mind-blowing: One can spend years working on a very specific, isolated sub-problem, such as automating malware analysis or developing novel de-obfuscation methods. For mobile app security testers, it can be challenging to filter through the vast amount of information and build a working methodology. Things become even more problematic when one is tasked to assess apps that are heavily obfuscated and have anti-tampering measures built in.<br />
<br />
One of the main goals in the MSTG is to build the ultimate resource for mobile reverse engineers. This includes not only basic static and dynamic analysis, but also advanced de-obfuscation, scripting and automation. Obviously, writing all this content is a lot of work, both in terms of general content and OS-specific how-tos. We're therefore looking for talented authors that want to join the project early on. Topics include the following:<br />
<br />
* Basic Hybrid Static/Dynamic Analysis<br />
* Code Injection and Dynamic Instrumentation (Substrate, FRIDA)<br />
* Dynamic Binary Instrumentation (Valgrind, PIE)<br />
* Analysis Frameworks (Metasm / Miasm)<br />
* Symbolic Execution<br />
* DCA and DPA attacks on white-box crypto<br />
* Dynamic analysis frameworks (PANDA / DroidScope,...)<br />
* Anything else we might have missed<br />
<br />
=== What is in for me? ===<br />
<br />
All of this is unpaid, volunteer work. However, depending on your contribution, you will be named in the "lead authors" or "contributors" list, and you'll be able to point to the fact that you co-authored the guide. You'll also be contributing to the field, helping others who are just starting out, and in turn becoming a happier person yourself (reaping the full benefits of your altruism).<br />
<br />
=== Where do I sign up? ===<br />
<br />
First of all, have a look at the existing RE chapters outline:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05-Testing-Processes-and-Techniques.md#tampering-and-reverse-engineering Generic / Introduction]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md Android]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Reverse-Engineering-and-Tampering-iOS.md#tampering-and-reverse-engineering-on-ios iOS]<br />
<br />
You'll probably immediately have ideas on how you can contribute. If that's the case, read the [https://github.com/OWASP/owasp-mstg/blob/master/authors_guide.md author's guide] first. <br />
<br />
Then contact [https://github.com/b-mueller Bernhard Mueller] - ideally directly on the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel], where you'll find all the other project members. You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
=FAQs=<br />
<br />
==How can I participate in your project?==<br />
First of all, check the [https://github.com/OWASP/owasp-mstg/blob/master/README.md README], browse the [https://b-mueller.gitbooks.io/owasp-mobile-security-testing-guide/content/ existing content], and decide where you would like to contribute.<br />
Then, ping the contact responsible for the chapter you are interested in. You can find their name and GitHub handle in the project [https://github.com/OWASP/owasp-mstg/blob/master/README.md README]. Please always check with the responsible person first, or you might end up working on a chapter that's already being done by someone else. <br />
In any case, we encourage you to join [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel], where you'll find all the other project members. You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
The home of the OWASP Mobile Security Testing Guide is on [https://github.com/OWASP/owasp-mstg GitHub.] The MASVS is hosted in a [https://github.com/OWASP/owasp-masvs separate repository].<br />
<br />
==Where do you guys need help the most?==<br />
<br />
There's a lot of areas where you can help out:<br />
<br />
* Writing original content, such as describing testing processes and writing test cases. We're all doing this in our spare time, which unfortunately means that things sometimes slow down to a crawl. If you're knowledgeable in some area and have time available, we'd be incredibly thankful to anyone who contributes, even if it's only one or two test cases.<br />
<br />
* Reviewing content and giving feedback. The proper channel for questions and feedback is the GitHub issues system of the respective repo, contacting us on [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel] is another possibility.<br />
<br />
* Developing tools. For example, we still don't have an automated way of generating checklists out of the GitHub repo.<br />
<br />
* Contributing to auxiliary projects: The [https://github.com/b-mueller/obfuscation-metrics obfuscation metrics project] is an auxiliary project that deals with specific forms of control flow and data obfuscation. This project needs experts in advanced obfuscation / de-obfuscation. Please contact us if you have experience in this area.<br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator.<br />
<br />
==I contributed to the original Google Doc, but I'm not credited in the new version of the MSTG? ==<br />
As we migrated some of the existing content, we did our best to backtrack the original authors and credit them appropriately. We also added a [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x02-Frontispiece.md revision history] that lists all the authors from old Google Docs. If you are not on that list but feel you should be, please contact [https://github.com/b-mueller Bernhard] or [https://github.com/sushi2k Sven] and they'll fix it. Or better yet, re-join the author's team and start contributing to the new guide.<br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
The Mobile Security Testing Guide was initiated by [https://www.owasp.org/index.php/User:Milan_Singh_Thakur Milan Singh Thakur] in 2015. The original document was hosted on Google Drive. Guide development was moved to GitHub in October 2016. Below is the full list of contributors for each revision.<br />
<br />
=== MSTG in its current form ===<br />
<br />
'''Authors:'''<br />
<br />
* Bernhard Mueller<br />
* Sven Schleier<br />
<br />
'''Contributors:'''<br />
<br />
* Abdessamad Temmar<br />
* Francesco Stillavato<br />
* Pawel Rzepa<br />
* Gerhard Wagner<br />
* Daniel Ramirez Martin<br />
*Jin Kung Ong<br />
* Alexander Antukh<br />
* Claudia André<br />
* Ryan Teoh<br />
* Prathan Phongthiproek<br />
* Jeroen Willemsen<br />
* Romuald Szkudlarek<br />
* Luander Ribeiro<br />
* Pishu Mahtani<br />
* Sebastian Banescu<br />
* Prabhant Singh<br />
* Stephen Corbiaux<br />
* Ali Yazdani<br />
<br />
'''Reviewers:'''<br />
<br />
=== MSTG "Beta 2" on Google Drive ===<br />
<br />
'''Authors:'''<br />
<br />
* Mirza Ali<br />
* Stephen Corbiaux<br />
* Ryan Dewhurst<br />
* Mohammad Hamed Dadpour<br />
* David Fern<br />
* Ali Yazdani<br />
* Bao Lee<br />
* Anto Joseph<br />
* Nutan Kumar Panda<br />
* Rahil Parikh<br />
* Julian Schütte<br />
* Abhinav Sejpal<br />
* Anant Shrivastava<br />
* Pragati Singh<br />
* Milan Singh Thakur<br />
* Stephanie Vanroelen<br />
* Gerhard Wagner<br />
<br />
'''Reviewers:'''<br />
<br />
* Andrew Muller<br />
* Jonathan Carter<br />
* Stephanie Vanroelen<br />
* Milan Singh Thakur<br />
<br />
=== MSTG "Beta 1" on Google Drive ===<br />
<br />
'''Authors:''' <br />
<br />
*Mirza Ali <br />
*Mohammad Hamed Dadpour<br />
*David Fern<br />
*Rahil Parikh<br />
*Abhinav Sejpal<br />
*Pragati Singh<br />
*Milan Singh Thakur<br />
<br />
'''Reviewers:'''<br />
<br />
*Andrew Muller<br />
*Jonathan Carter<br />
<br />
'''Top Contributors:'''<br />
<br />
*Jim Manico<br />
*Yair Amit<br />
*Amin Lalji<br />
*OWASP Mobile Team<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs></headertabs> <br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Builders]] <br />
[[Category:OWASP_Defenders]] <br />
[[Category:OWASP_Document]]</div>Bernhard Muellerhttps://wiki.owasp.org/index.php?title=OWASP_Mobile_Security_Testing_Guide&diff=228342OWASP Mobile Security Testing Guide2017-04-05T08:33:26Z<p>Bernhard Mueller: </p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_MSTG_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==Our Vision ==<br />
<br />
=== '''"Define the industry standard for mobile application security."''' ===<br />
<br />
We are writing a security standard for mobile apps and a comprehensive testing guide that covers the processes, techniques, and tools used during a mobile app security test, as well as an exhaustive set of test cases that enables testers to deliver consistent and complete results.<br />
<br />
== Main Deliverables ==<br />
<br />
{| cellpadding="5"<br />
|-<br />
| [[File:mstg-mini-2.jpg|link=https://www.github.com/OWASP/owasp-mstg/]]<br />
| '''Mobile Security Testing Guide'''<br />
A comprehensive guide for iOS and Android mobile security testers with the following content:<br />
# Mobile platform internals<br />
# Testing in the secure development lifecycle<br />
# Basic white-box and black-box security testing<br />
# Mobile reverse engineering and tampering<br />
# Assessing software protections<br />
# Detailed white-box and black-box test cases that map to the requirements in the MASVS.<br />
The MSTG is a work-in-progress. Currently, we hope to be "feature-complete" in Q3 2017. You can contribute and comment in the [https://github.com/OWASP/owasp-mstg GitHub Repo]. A book version of the current master branch is available on [https://b-mueller.gitbooks.io/owasp-mobile-security-testing-guide/content/ Gitbook].<br />
|-<br />
| [[File:masvs-sample-mini.jpg|link=https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.3.pdf]]<br />
| '''Mobile App Security Requirements and Verification'''<br />
The [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.3.pdf OWASP Mobile Application Security Verification Standard (MASVS)] is a standard for mobile app security. It can be used by mobile software architects and developers seeking to develop secure mobile applications, as well as security testers to ensure completeness and consistency of test results. The latest release is [https://www.owasp.org/images/8/8e/OWASP_Mobile_AppSec_Verification_Standard_v0.9.3.pdf MASVS v0.9.3].<br />
|-<br />
| [[File:checklist.jpg|link=https://www.owasp.org/images/1/1b/Mobile_App_Security_Checklist_0.9.3.xlsx]]<br />
| '''Mobile App Security Checklist'''<br />
A checklist for use in security assessments. Also contains links to the MSTG test case for each requirement. The current release is [https://www.owasp.org/images/1/1b/Mobile_App_Security_Checklist_0.9.3.xlsx version 0.9.3].<br />
|}<br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Breakers]] <br />
[[Category:OWASP_Document]]<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="center" width="50%" | [[File:Owasp-breakers-small.png|link=https://www.owasp.org/index.php/Breakers]]<br />
|<br />
|-<br />
| align="center" valign="center" width="50%" | <br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
== Project Leaders ==<br />
<br />
<span style="color:#ff0000"><br />
<br />
[https://www.owasp.org/index.php/User:Bernhard_Mueller Bernhard Mueller]<br />
<br />
[https://www.owasp.org/index.php/User:Sven_Schleier Sven Schleier]<br />
<br />
== Road Map ==<br />
<br />
* Q3 2017: Beta release<br />
* Q4 2017: Version 1.0<br />
* Q1 2018: Produce A Printable Book<br />
<br />
== Parent Project ==<br />
<br />
[[OWASP_Mobile_Security_Project]]<br />
<br />
==Licensing==<br />
<br />
The guide is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
|}<br />
<br />
=How-To=<br />
<br />
== Using the OWASP Mobile App Security Verification Standard, Testing Guide and Checklist ==<br />
<br />
The documents produced in this project cover many aspects of mobile application security, from the high-level requirements to the nitty-gritty implementation details and test cases. They can be used to plan and verify security controls during any phase of mobile app development, as well as during pre-release code review and penetration testing.<br />
<br />
# The [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf Mobile Application Security Verification Standard (MASVS)] contains generic security requirements along with mappings to verification levels that can be chosen depending on the overall need for security.<br />
# The [https://github.com/OWASP/owasp-mstg Mobile Security Testing Guide (MSTG)] provides verification instructions for each requirement in the MASVS, as well as security best practices for apps on each supported mobile operating system (currently Android and iOS). It is also useful as a standalone learning resource and reference guide for mobile application security testers.<br />
# The [https://www.owasp.org/images/6/6f/Mobile_App_Security_Checklist_0.9.2.xlsx Mobile App Security Checklist] can be used to apply the MASVS requirements during practical assessments. It also conveniently links to the MSTG test case for each requirement, making mobile penetration testing a breeze.<br />
<br />
It is important to note that the security standard, testing guide and checklists are closely related: They all map to the same basic set of requirements. Depending on the context, the documents can be used stand-alone or in combination to achieve different objectives.<br />
<br />
[[File:Overview-800px.jpg]]<br />
<br />
For example, the MASVS requirements may be used in the planning and architecture design stages, while the checklist and testing guide may serve as a baseline for manual security testing or as a template for automated security tests.<br />
<br />
== Mobile App Security Testing ==<br />
<br />
The [https://www.owasp.org/images/9/94/Mobile_App_Security_Verification_Checklist_0.8.2.xlsx checklist] works great as a reference during mobile app security assessments. You can walk through the requirements one-by-one - for more information on each requirement, simply click on the link in the "Testing procedures" column. Or, fill out the checklist at the end of an assessment to ensure completeness. <br />
<br />
== Security Engineering in the SDLC ==<br />
<br />
Properly defined security requirements are an important part of the Secure SDLC. The [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf MASVS] levels can be used along with threat modeling to determine the appropriate set of security controls for a particular mobile app. MASVS V1 also lists requirements pertaining to the architecture and design of the mobile apps, as well as general processes and activities that should be part of the development process.<br />
<br />
== Mobile App Security Education ==<br />
<br />
The [https://github.com/OWASP/owasp-mstg Mobile Security Testing Guide] can be used as a standalone learning resource. Its main chapters contain general how-tos and tutorials that cover a variety of topics from mobile OS internals to advanced reverse engineering techniques.<br />
<br />
=News=<br />
<br />
== April 5th, 2017: Mobile App Security Verification Standard Update ==<br />
<br />
Version 0.9.3 of the MASVS is now [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.3.pdf available for download] . This release contains several bug fixes and modifications to security requirements:<br />
<br />
* Merged requirements 7.8 and 7.9 into for simplification<br />
* Removed Anti-RE controls 8.1 and 8.2<br />
* Updated MSTG links to current master<br />
* Section "Environmental Interaction" renamed to "Platform Interaction"<br />
* Removed To-dos<br />
* Fixed some wording & spelling issues<br />
<br />
== January 31st, 2017: Mobile App Security Verification Standard v0.9.2 Available For Download ==<br />
<br />
The Mobile App Security Verification Standard (MASVS) has undergone a major revision, including a re-design of the security model and verification levels. We also revised many security requirements to address the multitude of [https://github.com/OWASP/owasp-masvs/issues?q=is%3Aissue%20 issues raised on GitHub]. The result is MASVS v0.9.2, which is now [https://www.owasp.org/images/f/f2/OWASP_Mobile_AppSec_Verification_Standard_v0.9.2.pdf available for download in PDF format].<br />
<br />
As the MASVS is nearing maturity, we have decided to freeze the requirements until the Mobile Testing Guide and checklists "catch up" (due to the one-to-one mapping between requirements in the MASVS and MSTG, changes to the requirements make it necessary to update the other documents as well, causing repeated effort). Unless major issues pop up, the current list will therefore remain in place until MASVS/MSTG v1.0, and further changes will be reserved for v1.1 or later releases.<br />
<br />
The MASVS is a community effort to establish security requirements for designing, developing and testing secure mobile apps on iOS and Android. Join the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel] to meet the project members! You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
== January 28th, 2017: Mobile Crackmes and Reversing Tutorials ==<br />
{| cellpadding="5"<br />
|-<br />
| [[File:uncrackable-250.png|link=]]<br />
| <br />
A key goal of the OWASP Mobile Testing Project is to build the ultimate learning resource and reference guide for mobile app reversers. As hands-on hacking is by far the best way to learn, we'd like to link most of the content to practical examples. <br />
<br />
Starting now, we'll be adding [https://github.com/OWASP/owasp-mstg/blob/master/OMTG-Files/02_Crackmes/List_of_Crackmes.md crackmes for Android and iOS] to the [https://github.com/OWASP/owasp-mstg GitHub repo] that will then be used as examples throughout the guide. The goal is to collect enough resources for demonstrating the most important tools and techniques in our guide, plus additional crackmes for practicing. For starters there are three challenges:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/OMTG-Files/02_Crackmes/01_Android/01_License_Validation Android License Validator]<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/OMTG-Files/02_Crackmes/02_iOS/UnCrackable_Level1 Uncrackable App for iOS Level 1]<br />
* [https://github.com/OWASP/owasp-mstg/tree/master/OMTG-Files/02_Crackmes/02_iOS/UnCrackable_Level2 Uncrackable App for iOS Level 2]<br />
<br />
|}<br />
<br />
One of these three already has a [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md#symbolicexec documented solution] in the guide. Tutorials for solving the other two [https://github.com/OWASP/owasp-mstg/blob/master/OMTG-Files/02_Crackmes/List_of_Crackmes.md still need to be added].<br />
<br />
=== We Need More Authors and Contributors! ===<br />
<br />
Maybe you have noticed that [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html the reverse engineering sections in the Mobile Testing Guide are incomplete]. The reason: We're still in the starting stages and don't have a lot of authors and contributors (in fact, 99% of the reversing content was produced by one guy). We'd love to welcome *you* as a contributor of crackmes, tutorials, writeups, or simply new ideas for this project. <br />
<br />
==== What You Can Do ====<br />
<br />
The OWASP MSTG is an open project and there's a lot of flexibility - it mostly depends on your skill set and willingness to commit your time. That said, the some areas that need help are:<br />
<br />
* Solving crackmes and contributing a tutorial to the guide (preferable a technique that's not already documented. Check the [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html TOC] first).<br />
* Writing and adding new crackmes along with solutions (should also describe something not already in the guide. Cracking white-boxes, dynamic analysis using an emulator / introspection, etc. etc.).<br />
* General reversing write-ups to describe specific processes and techniques<br />
* Help us figure out [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x07b-Assessing_Software_Protections.md resiliency testing processes] and [https://github.com/b-mueller/obfuscation-metrics obfuscation metrics]<br />
<br />
The reversing part of the guide consists of the following chapters:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05-Testing-Processes-and-Techniques.md#tampering-and-reverse-engineering Tampering and Reverse Engineering - General Overview]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md#tampering-and-reverse-engineering-on-android Tampering and Reverse Engineering on Android]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Reverse-Engineering-and-Tampering-iOS.md#tampering-and-reverse-engineering-on-ios Tampering and Reverse Engineering on iOS]<br />
<br />
==== How To Join ====<br />
<br />
Read the [https://github.com/OWASP/owasp-mstg/blob/master/authors_guide.md author's guide] first, and join the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel], where you'll find all the other project members. You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
== January 22nd, 2017: Mobile Testing Guide TOC Available ==<br />
<br />
As of now, we'll be auto-generating a [https://rawgit.com/OWASP/owasp-mstg/master/Generated/OWASP-MSTG-Table-of-Contents.html table of contents] out of the current MSTG master branch. This reflects the current state of the guide, and should make it easier to coordinate work between authors. A short-term goal is to finalize the structure of the guide so we get a clearer picture of what will be included in the final document. Lead authors are encouraged to complete the outline of their respective chapters. <br />
<br />
'''On another note, we still need additional authors to help with all sections of the guide, including mobile operating system overviews, testing processes and techniques, and reverse engineering.''' Especially iOS authors are in short supply! As usual, ping us on the [https://owasp.slack.com/messages/project-mobile_omtg/details/ Slack Channel] if you want to contribute.<br />
<br />
== December 4th, 2016: Call For Authors: The Ultimate Open-Source Mobile App Reverse Engineering Guide ==<br />
<br />
Reverse engineering is an art, and describing every available facet of it would fill a whole library. The sheer range techniques and possible specializations is mind-blowing: One can spend years working on a very specific, isolated sub-problem, such as automating malware analysis or developing novel de-obfuscation methods. For mobile app security testers, it can be challenging to filter through the vast amount of information and build a working methodology. Things become even more problematic when one is tasked to assess apps that are heavily obfuscated and have anti-tampering measures built in.<br />
<br />
One of the main goals in the MSTG is to build the ultimate resource for mobile reverse engineers. This includes not only basic static and dynamic analysis, but also advanced de-obfuscation, scripting and automation. Obviously, writing all this content is a lot of work, both in terms of general content and OS-specific how-tos. We're therefore looking for talented authors that want to join the project early on. Topics include the following:<br />
<br />
* Basic Hybrid Static/Dynamic Analysis<br />
* Code Injection and Dynamic Instrumentation (Substrate, FRIDA)<br />
* Dynamic Binary Instrumentation (Valgrind, PIE)<br />
* Analysis Frameworks (Metasm / Miasm)<br />
* Symbolic Execution<br />
* DCA and DPA attacks on white-box crypto<br />
* Dynamic analysis frameworks (PANDA / DroidScope,...)<br />
* Anything else we might have missed<br />
<br />
=== What is in for me? ===<br />
<br />
All of this is unpaid, volunteer work. However, depending on your contribution, you will be named in the "lead authors" or "contributors" list, and you'll be able to point to the fact that you co-authored the guide. You'll also be contributing to the field, helping others who are just starting out, and in turn becoming a happier person yourself (reaping the full benefits of your altruism).<br />
<br />
=== Where do I sign up? ===<br />
<br />
First of all, have a look at the existing RE chapters outline:<br />
<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05-Testing-Processes-and-Techniques.md#tampering-and-reverse-engineering Generic / Introduction]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Reverse-Engineering-and-Tampering-Android.md Android]<br />
* [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Reverse-Engineering-and-Tampering-iOS.md#tampering-and-reverse-engineering-on-ios iOS]<br />
<br />
You'll probably immediately have ideas on how you can contribute. If that's the case, read the [https://github.com/OWASP/owasp-mstg/blob/master/authors_guide.md author's guide] first. <br />
<br />
Then contact [https://github.com/b-mueller Bernhard Mueller] - ideally directly on the [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel], where you'll find all the other project members. You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
=FAQs=<br />
<br />
==How can I participate in your project?==<br />
First of all, check the [https://github.com/OWASP/owasp-mstg/blob/master/README.md README], browse the [https://b-mueller.gitbooks.io/owasp-mobile-security-testing-guide/content/ existing content], and decide where you would like to contribute.<br />
Then, ping the contact responsible for the chapter you are interested in. You can find their name and GitHub handle in the project [https://github.com/OWASP/owasp-mstg/blob/master/README.md README]. Please always check with the responsible person first, or you might end up working on a chapter that's already being done by someone else. <br />
In any case, we encourage you to join [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel], where you'll find all the other project members. You can sign up for an account [http://owasp.herokuapp.com/ here].<br />
<br />
The home of the OWASP Mobile Security Testing Guide is on [https://github.com/OWASP/owasp-mstg GitHub.] The MASVS is hosted in a [https://github.com/OWASP/owasp-masvs separate repository].<br />
<br />
==Where do you guys need help the most?==<br />
<br />
There's a lot of areas where you can help out:<br />
<br />
* Writing original content, such as describing testing processes and writing test cases. We're all doing this in our spare time, which unfortunately means that things sometimes slow down to a crawl. If you're knowledgeable in some area and have time available, we'd be incredibly thankful to anyone who contributes, even if it's only one or two test cases.<br />
<br />
* Reviewing content and giving feedback. The proper channel for questions and feedback is the GitHub issues system of the respective repo, contacting us on [https://owasp.slack.com/messages/project-mobile_omtg/details/ OWASP Mobile Security Project Slack Channel] is another possibility.<br />
<br />
* Developing tools. For example, we still don't have an automated way of generating checklists out of the GitHub repo.<br />
<br />
* Contributing to auxiliary projects: The [https://github.com/b-mueller/obfuscation-metrics obfuscation metrics project] is an auxiliary project that deals with specific forms of control flow and data obfuscation. This project needs experts in advanced obfuscation / de-obfuscation. Please contact us if you have experience in this area.<br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator.<br />
<br />
==I contributed to the original Google Doc, but I'm not credited in the new version of the MSTG? ==<br />
As we migrated some of the existing content, we did our best to backtrack the original authors and credit them appropriately. We also added a [https://github.com/OWASP/owasp-mstg/blob/master/Document/0x02-Frontispiece.md revision history] that lists all the authors from old Google Docs. If you are not on that list but feel you should be, please contact [https://github.com/b-mueller Bernhard] or [https://github.com/sushi2k Sven] and they'll fix it. Or better yet, re-join the author's team and start contributing to the new guide.<br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
The Mobile Security Testing Guide was initiated by [https://www.owasp.org/index.php/User:Milan_Singh_Thakur Milan Singh Thakur] in 2015. The original document was hosted on Google Drive. Guide development was moved to GitHub in October 2016. Below is the full list of contributors for each revision.<br />
<br />
=== MSTG in its current form ===<br />
<br />
'''Authors:'''<br />
<br />
* Bernhard Mueller<br />
* Sven Schleier<br />
<br />
'''Contributors:'''<br />
<br />
* Abdessamad Temmar<br />
* Francesco Stillavato<br />
* Pawel Rzepa<br />
* Gerhard Wagner<br />
* Daniel Ramirez Martin<br />
*Jin Kung Ong<br />
* Alexander Antukh<br />
* Claudia André<br />
* Ryan Teoh<br />
* Prathan Phongthiproek<br />
* Jeroen Willemsen<br />
* Romuald Szkudlarek<br />
* Luander Ribeiro<br />
* Pishu Mahtani<br />
* Sebastian Banescu<br />
* Prabhant Singh<br />
* Stephen Corbiaux<br />
* Ali Yazdani<br />
<br />
'''Reviewers:'''<br />
<br />
=== MSTG "Beta 2" on Google Drive ===<br />
<br />
'''Authors:'''<br />
<br />
* Mirza Ali<br />
* Stephen Corbiaux<br />
* Ryan Dewhurst<br />
* Mohammad Hamed Dadpour<br />
* David Fern<br />
* Ali Yazdani<br />
* Bao Lee<br />
* Anto Joseph<br />
* Nutan Kumar Panda<br />
* Rahil Parikh<br />
* Julian Schütte<br />
* Abhinav Sejpal<br />
* Anant Shrivastava<br />
* Pragati Singh<br />
* Milan Singh Thakur<br />
* Stephanie Vanroelen<br />
* Gerhard Wagner<br />
<br />
'''Reviewers:'''<br />
<br />
* Andrew Muller<br />
* Jonathan Carter<br />
* Stephanie Vanroelen<br />
* Milan Singh Thakur<br />
<br />
=== MSTG "Beta 1" on Google Drive ===<br />
<br />
'''Authors:''' <br />
<br />
*Mirza Ali <br />
*Mohammad Hamed Dadpour<br />
*David Fern<br />
*Rahil Parikh<br />
*Abhinav Sejpal<br />
*Pragati Singh<br />
*Milan Singh Thakur<br />
<br />
'''Reviewers:'''<br />
<br />
*Andrew Muller<br />
*Jonathan Carter<br />
<br />
'''Top Contributors:'''<br />
<br />
*Jim Manico<br />
*Yair Amit<br />
*Amin Lalji<br />
*OWASP Mobile Team<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs></headertabs> <br />
<br />
[[Category:OWASP Project]] <br />
[[Category:OWASP_Builders]] <br />
[[Category:OWASP_Defenders]] <br />
[[Category:OWASP_Document]]</div>Bernhard Mueller