
Difference between revisions of "OWASP Mobile Security Project"

= Main =
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div>
 
 
 
 
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |
  
 
== OWASP Mobile Security Project ==

[[File:OWASP_Mobile_Logo_Milan.PNG|center ]]
  
'''[https://www.owasp.org/index.php/Mobile_Top_10_2016-Top_10 **New** Mobile Top Ten 2016 - Final Release]'''
 
  
'''[https://www.owasp.org/index.php/Mobile_Security_Project_Archive Click here to go to the Mobile Security Page Archive]'''

== Maintenance notice ==

This site is no longer maintained: please go to https://www2.owasp.org/www-project-mobile-security/ for our new website!

 
The OWASP Mobile Security Project is a centralized resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation.

The project is a breeding ground for many different mobile security projects within OWASP. Right now, you can find the following active OWASP mobile security projects:

{| class="wikitable"
!Project/deliverable
!More info:
!Description:
!Current leaders
|-
|Mobile Top Ten
|[https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks Project Page]
|The OWASP Mobile Security Top 10 was created to raise awareness of current mobile security issues.
|
* [mailto:jason.haddix@owasp.org Jason Haddix - HP Fortify]
* [mailto:daniel.meissler@owasp.org Daniel Miessler - HP Fortify]
* [mailto:jonathan.carter@owasp.org Jonathan Carter - Arxan Technologies]
* [mailto:milan@owasp.org Milan Singh Thakur]
|-
|Mobile Security Testing Guide
|[[OWASP Mobile Security Testing Guide|Project Page]]
|A comprehensive manual for mobile app security testing and reverse engineering, for iOS and Android security testers as well as developers.
|
* [mailto:sven.schleier@owasp.org Sven Schleier]
* [mailto:jeroen.willemsen@owasp.org Jeroen Willemsen]
* [mailto:carlos.holguera@owasp.org Carlos Holguera]
|-
|Mobile Application Security Verification Standard
|[[OWASP Mobile Security Testing Guide|Project Page]]
|A standard for mobile app security which outlines the security requirements of a mobile application.
|
* [mailto:sven.schleier@owasp.org Sven Schleier]
* [mailto:jeroen.willemsen@owasp.org Jeroen Willemsen]
* [mailto:carlos.holguera@owasp.org Carlos Holguera]
|-
|Mobile Security Checklist
|[[OWASP Mobile Security Testing Guide|Project Page]]
|A checklist which allows easy mapping and scoring of the requirements from the Mobile Application Security Verification Standard, based on the Mobile Security Testing Guide.
|
* [mailto:sven.schleier@owasp.org Sven Schleier]
* [mailto:jeroen.willemsen@owasp.org Jeroen Willemsen]
* [mailto:carlos.holguera@owasp.org Carlos Holguera]
|-
|iGoat Tool Project
|[[OWASP iGoat Project|Project Page]]
|A learning tool for iOS developers (iPhone, iPad, etc.). It was inspired by the WebGoat project and has a similar conceptual flow.
|
* [mailto:swaroop.yermalkar@owasp.org Swaroop Yermalkar]
|-
|Damn Vulnerable iOS Application
|[[OWASP DVIA|Project Page]]
|An iOS application that is damn vulnerable. Its main goal is to give mobile security enthusiasts, professionals and students a platform to practice their iOS penetration testing skills in a legal environment.
|
* [https://twitter.com/prateekg147 Prateek Gianchandani]
|-
|Android CK project
|[[Projects/OWASP Androick Project|Project Page]]
|A Python tool to assist forensic analysis on Android.
|
* [https://twitter.com/phonesec Florian Pradines]
|-
|Seraphimdroid
|[[OWASP SeraphimDroid Project|Project Page]]
|A privacy and security protection app for Android devices.
|
* [mailto:nikola.milosevic@owasp.org Nikola Milosevic]
* [mailto:kartik.kholi@owasp.org Kartik Kholi]
|}

Not what you are looking for? Please have a look at the '''[https://www.owasp.org/index.php/Mobile_Security_Project_Archive Mobile Security Page Archive]'''

Want to start a new mobile security project? Follow https://www.owasp.org/index.php/Category:OWASP_Project#Starting_a_New_Project or contact one of the leaders of the active projects.

<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE -->| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Active OWASP mobile projects ==
* [[OWASP Mobile Security Testing Guide|OWASP Mobile Security Testing Guide]]
* [[OWASP Mobile Security Testing Guide|OWASP Mobile Application Security Verification Standard]]
* [[OWASP iGoat Tool Project]]
* [[OWASP DVIA|Damn Vulnerable iOS Application]]
* [[Projects/OWASP Androick Project|AndroidCK project]]
* [[OWASP SeraphimDroid Project|OWASP SeraphimDroid]]
  
|}

= Top 10 Mobile Risks =
  
Please visit the [[OWASP Mobile Top 10|project page]] for current information.

== About this list ==

In 2015 we ran a survey and issued a global Call for Data. The results let us analyze and re-categorize the OWASP Mobile Top Ten for 2016, so the ten categories now focus on the mobile application itself rather than on the server.

Our goals for the 2016 list included the following:
  
* Updates to the wiki content, including cross-linking to testing guides, more visual exercises, etc.;
* Generation of more data; and
* A PDF release.

This list was finalized after a 90-day community feedback period. Based on that feedback, we released the Mobile Top Ten 2016 list following the same approach as before: collecting data and grouping it in logical and consistent ways.

Feel free to visit [https://groups.google.com/a/owasp.org/forum/#!forum/owasp-mobile-top-10-risks the mailing list] as well!

== Top 10 Mobile Risks - Final List 2016 ==
*[[Mobile_Top_10_2016-M1-Improper_Platform_Usage|M1: Improper Platform Usage]]
*[[Mobile_Top_10_2016-M2-Insecure_Data_Storage|M2: Insecure Data Storage]]
*[[Mobile_Top_10_2016-M3-Insecure_Communication|M3: Insecure Communication]]
*[[Mobile_Top_10_2016-M4-Insecure_Authentication|M4: Insecure Authentication]]
*[[Mobile_Top_10_2016-M5-Insufficient_Cryptography|M5: Insufficient Cryptography]]
*[[Mobile_Top_10_2016-M6-Insecure_Authorization|M6: Insecure Authorization]]
*[[Mobile_Top_10_2016-M7-Poor_Code_Quality|M7: Client Code Quality]]
*[[Mobile_Top_10_2016-M8-Code_Tampering|M8: Code Tampering]]
*[[Mobile_Top_10_2016-M9-Reverse_Engineering|M9: Reverse Engineering]]
*[[Mobile_Top_10_2016-M10-Extraneous_Functionality|M10: Extraneous Functionality]]

== Top 10 Mobile Risks - Final List 2014 ==
[[File:2014-01-26 20-23-29.png|right|550px]]
*[[Mobile_Top_10_2014-M1|M1: Weak Server Side Controls]]
*[[Mobile_Top_10_2014-M2|M2: Insecure Data Storage]]
*[[Mobile_Top_10_2014-M3|M3: Insufficient Transport Layer Protection]]
*[[Mobile_Top_10_2014-M4|M4: Unintended Data Leakage]]
*[[Mobile_Top_10_2014-M5|M5: Poor Authorization and Authentication]]
*[[Mobile_Top_10_2014-M6|M6: Broken Cryptography]]
*[[Mobile_Top_10_2014-M7|M7: Client Side Injection]]
*[[Mobile_Top_10_2014-M8|M8: Security Decisions Via Untrusted Inputs]]
*[[Mobile_Top_10_2014-M9|M9: Improper Session Handling]]
*[[Mobile_Top_10_2014-M10|M10: Lack of Binary Protections]]

== Project Methodology ==

* '''We adhered loosely to the [https://www.owasp.org/index.php/Top_10_2013/ProjectMethodology OWASP Web Top Ten Project methodology].'''

== Archive ==
* The list linked below is the old release candidate v1.0 of the OWASP Top 10 Mobile Risks. It was first released on September 23, 2011 at AppSec USA.
** The original presentation can be found here: [http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks SLIDES]
** The corresponding video can be found here: [http://www.youtube.com/watch?v=GRvegLOrgs0 VIDEO]
** [[Mobile_Top_10_2012|2011-12 Mobile Top Ten for archive purposes]]

= Mobile Security Testing Guide =

Please see the [https://www.owasp.org/index.php/OWASP_Mobile_Security_Testing_Guide project page] for more details.

= Acknowledgements =

The OWASP Mobile Security project has a long history. Many of today's projects grew out of predecessors hosted here, as [https://www.owasp.org/index.php/Mobile_Security_Project_Archive the archive] shows.

 
== Project Leaders ==

{{Template:Contact
| name = Jonathan Carter
| email = jonathan.carter@owasp.org
}}<br />
{{Template:Contact
| name = Milan Singh Thakur
| email = milan@owasp.org
| username =  Milan Singh Thakur
}}<br />

== Former Leaders ==

{{Template:Contact | name = Mike Zusman
| email = mike.zusman@owasp.org
| username = schmoilito }}<br />
{{Template:Contact
| name = Tony DeLaGrange
| email = mobisec@secureideas.net
| username = Tony DeLaGrange
}}<br />
{{Template:Contact
| name = Sarath Geethakumar
| email = sarath.geethakumar@owasp.org
| username =  Sarath Geethakumar
}}<br />
{{Template:Contact
| name = Tom Eston
| email = teston@veracode.com
| username = Tom Eston
}}<br />
{{Template:Contact
| name = Don Williams
}}<br />
{{Template:Contact
| name = Jason Haddix
| email = jason.haddix@hp.com
| username =  Jason Haddix
}}<br />

== Top Contributors ==

{{Template:Contact
| name = Zach Lanier
| email = zach.lanier@n0where.org
| username = Zach_Lanier
}}<br />
{{Template:Contact
| name = Ludovic Petit
| email = ludovic.petit@owasp.org
| username =  Ludovic Petit
}}<br />
{{Template:Contact
| name = Swapnil Deshmukh
| email = sd.swapz@gmail.com
| username =  Swapnil Deshmukh
}}<br />
{{Template:Contact
| name = Beau Woods
| email = owasp@beauwoods.com
| username =  Beau Woods
}}<br />
{{Template:Contact
| name = David Martin Aaron
| email = davidmartinaaron@gmail.com
| username =  David Martin Aaron
}}<br />
{{Template:Contact
| name = Luca De Fulgentis
| email = luca@securenetwork.it
| username =  Daath
}}<br />
{{Template:Contact
| name = Andrew Pannell
| email = andrew.pannell@owasp.org
| username =  Andipannell
}}<br />
{{Template:Contact
| name = Stephanie V
| email = vanroelens@gmail.com
| username =  Stephanie V
}}<br />
 
 
 
 
= Mobile Security Checklist =

The checklist is hosted on the [https://www.owasp.org/index.php/OWASP_Mobile_Security_Testing_Guide#tab=Main OWASP MSTG project page].
 
 
 
 
 
 
= M-Tools =
 
 
 
 
 
[[File:Reverse_Engineering_Arsenals.png]]
 
 
 
 
 
[[File:IOS_Arsenal.png]]
 
 
 
 
 
== iMAS  ==
 
 
 
iMAS is a collaborative research project from the MITRE Corporation focused on open source iOS security controls. iOS already meets the enterprise security needs of many customers; however, security experts have cited critical vulnerabilities and demonstrated exploits, which pushes enterprises to augment iOS deployments with commercial solutions. The intent of iMAS is to protect iOS applications and data beyond the Apple-provided security model and to reduce an adversary's ability and efficiency to perform reconnaissance, exploitation, control and execution against iOS mobile applications. iMAS aims to improve the effectiveness of the existing iOS security model across major vulnerability areas including the system passcode, jailbreak, debugger / run-time, flash storage, and the system keychain. Research outcomes include an open source secure application framework, including an application container, and developer and validation tools/techniques.
 
 
 
[https://www.owasp.org/index.php/OWASP_iMAS_iOS_Mobile_Application_Security_Project iMAS Project Page]
 
 
 
The source code for iMAS is available on GitHub: [https://github.com/project-imas/about iMAS Source Code]
 
 
 
== GoatDroid  ==
 
 
 
OWASP GoatDroid is a fully functional and self-contained training environment for educating developers and testers on Android security. GoatDroid requires minimal dependencies and is ideal for both Android beginners as well as more advanced users. The project currently includes two applications: FourGoats, a location-based social network, and Herd Financial, a mobile banking application. There are also several features that greatly simplify usage within a training environment or for absolute beginners who want a good introduction to working with the Android platform.
 
 
 
As the Android SDK introduces new features, the GoatDroid contributors will strive to implement up-to-date lessons that educate developers and security testers on new security issues. The project currently covers most of the OWASP Top 10 Mobile Risks and a number of other problems as well.
 
 
 
You can find GoatDroid on GitHub: [https://github.com/jackMannino/OWASP-GoatDroid-Project GoatDroid Source Code]
 
 
 
[https://www.owasp.org/index.php/Projects/OWASP_GoatDroid_Project GoatDroid Project Page]
 
 
 
== iGoat ==
 
 
 
iGoat is a learning tool for iOS developers (iPhone, iPad, etc.). It was inspired by the WebGoat project, and has a similar conceptual flow to it.
 
 
 
As such, iGoat is a safe environment where iOS developers can learn about the major security pitfalls they face as well as how to avoid them. It is made up of a series of lessons that each teach a single (but vital) security lesson.
 
 
 
The lessons are laid out in the following steps:
 
 
 
# Brief introduction to the problem.
 
# Verify the problem by exploiting it.
 
# Brief description of available remediations to the problem.
 
# Fix the problem by correcting and rebuilding the iGoat program.
 
 
 
Step 4 is optional, but highly recommended for all iOS developers. Assistance is available within iGoat if you don't know how to fix a specific problem.
 
 
 
iGoat is free software, released under the GPLv3 license.
 
 
 
[https://www.owasp.org/index.php/OWASP_iGoat_Project iGoat Project Page]
 
 
 
The iGoat source code is available on Google Code [http://code.google.com/p/owasp-igoat/ iGoat Source Code]
 
 
 
== Damn Vulnerable iOS Application ==
 
 
 
Damn Vulnerable iOS application is a project started by Prateek Gianchandani which gives mobile testers and developers an iOS application to practice attacking/defending skill sets. Each challenge area corresponds to an in-depth article designed to teach the fundamentals of mobile security on the iOS platform. Some challenge categories include multiple challenge types.
 
 
 
The current challenge categories:
 
 
 
* Insecure Data Storage (4 exercises)
 
* Jailbreak Detection (2 exercises)
 
* Runtime Manipulation (3 exercises)
 
* Transport Layer Security (1 exercise)
 
* Client Side Injection (1 exercise)
 
* Broken Cryptography (1 exercise)
 
* Binary Patching (4 exercises)
 
 
 
[http://damnvulnerableiosapp.com DVIA Home Page]
 
 
 
[https://www.owasp.org/index.php/OWASP_DVIA DVIA OWASP Project Page]
 
 
 
[https://github.com/prateek147/DVIA DVIA Github Source]
 
 
 
[http://damnvulnerableiosapp.com/#learn DVIA Learning Resources]
 
 
 
== MobiSec ==
 
 
 
The MobiSec Live Environment Mobile Testing Framework project is a bootable live environment for testing mobile deployments, including devices, applications, and the supporting infrastructure. Its purpose is to give attackers and defenders the ability to test their mobile environments and identify design weaknesses and vulnerabilities. The MobiSec Live Environment provides a single environment in which testers can use the best of the available open source mobile testing tools, and install additional tools and platforms, that aid the penetration tester through the testing process; the environment is structured and organized around an industry-proven testing framework. Being a live environment, MobiSec can be booted on any Intel-based system from a DVD or USB flash drive, or run inside a virtual machine.
 
 
 
[https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_MobiSec Project Page]
 
 
 
MobiSec can be downloaded from Sourceforge: [http://sourceforge.net/p/mobisec/wiki/Home/ MobiSec Download Repository]
 
 
 
== Androick  ==
 
 
 
Androick is a collaborative research project from PHONESEC Ltd. With this tool you can evaluate some of the risks in Android mobile applications.

Androick lets a user analyze an installed Android application: it retrieves the APK file and all of the application's data, and exports its databases in sqlite3 and CSV format.

Intended for pentesters and researchers only.
 
 
 
[https://www.owasp.org/index.php/Projects/OWASP_Androick_Project Androick Project Page]
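As an added example (not Androick's own code), the following Python script shows the last of those steps: exporting every SQLite database found under a pulled app-data directory to CSV, where it can be diffed and reviewed offline. It assumes the application's data directory under /data/data/ has already been copied to a local folder (for example with adb pull on a rooted device or for a debuggable app); the pull itself is not shown. Databases are recognized by the SQLite magic header rather than by file name, since Android apps do not reliably use a .db suffix, and each file is opened read-only so the evidence is not modified. The sample app-data tree that the script builds is constructed for the demonstration.

```python
import csv
import os
import sqlite3
import tempfile
from pathlib import Path

# First 16 bytes of every SQLite 3 database file.
SQLITE_MAGIC = b"SQLite format 3\x00"


def is_sqlite_file(path):
    """True if the file starts with the SQLite 3 header (journal and WAL
    side files use different magic, so they are skipped automatically)."""
    try:
        with open(path, "rb") as f:
            return f.read(16) == SQLITE_MAGIC
    except OSError:
        return False


def find_databases(root):
    """Walk a pulled app-data tree and return every SQLite file in it,
    regardless of extension (Android apps do not always use '.db')."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if is_sqlite_file(path):
                found.append(path)
    return sorted(found)


def _csv_cell(value):
    """BLOB columns cannot be written to CSV verbatim; hex-encode them."""
    return value.hex() if isinstance(value, bytes) else value


def export_database(db_path, out_dir):
    """Dump every user table of one database to <out_dir>/<dbfile>_<table>.csv.

    The database is opened through a read-only URI so the evidence file is
    never modified. Returns {table_name: row_count}.
    """
    os.makedirs(out_dir, exist_ok=True)
    conn = sqlite3.connect(Path(db_path).resolve().as_uri() + "?mode=ro", uri=True)
    counts = {}
    try:
        tables = [r[0] for r in conn.execute(
            "SELECT name FROM sqlite_master WHERE type = 'table' "
            "AND name NOT LIKE 'sqlite_%' ORDER BY name")]
        for table in tables:
            # Table names come from the evidence file: quote them as identifiers.
            cur = conn.execute('SELECT * FROM "%s"' % table.replace('"', '""'))
            header = [d[0] for d in cur.description]
            out_path = os.path.join(out_dir, "%s_%s.csv" % (Path(db_path).name, table))
            with open(out_path, "w", newline="", encoding="utf-8") as f:
                writer = csv.writer(f)
                writer.writerow(header)
                n = 0
                for row in cur:
                    writer.writerow([_csv_cell(v) for v in row])
                    n += 1
            counts[table] = n
    finally:
        conn.close()
    return counts


def export_tree(root, out_dir):
    """Export every database under root; returns {db_path: {table: rows}}."""
    return {db: export_database(db, out_dir) for db in find_databases(root)}


def build_sample_tree(base):
    """Constructed stand-in for a pulled app-data directory (not real evidence):
    one extension-less SQLite database, a shared_prefs XML file, and a cache
    file that is named .db but is not SQLite."""
    db_dir = Path(base, "databases")
    db_dir.mkdir(parents=True, exist_ok=True)
    conn = sqlite3.connect(str(db_dir / "notes"))
    conn.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT, token BLOB)")
    conn.executemany("INSERT INTO notes (body, token) VALUES (?, ?)",
                     [("meeting at 9", b"\x01\x02"), ("pin 4321", b"\xff")])
    conn.commit()
    conn.close()
    Path(base, "shared_prefs").mkdir(exist_ok=True)
    Path(base, "shared_prefs", "app.xml").write_text('<map><string name="user">alice</string></map>')
    Path(base, "cache").mkdir(exist_ok=True)
    Path(base, "cache", "thumb.db").write_bytes(b"\x89PNG\r\n\x1a\n not a database")
    return str(base)


def demo():
    """Build the sample tree in a temp dir, export it, and return the
    per-database table counts plus the rows of the exported notes CSV."""
    base = build_sample_tree(tempfile.mkdtemp(prefix="appdata_"))
    out_dir = tempfile.mkdtemp(prefix="csv_")
    result = export_tree(base, out_dir)
    with open(os.path.join(out_dir, "notes_notes.csv"), newline="", encoding="utf-8") as f:
        rows = list(csv.reader(f))
    return result, rows


if __name__ == "__main__":
    result, rows = demo()
    for db, tables in result.items():
        print(db, tables)
    for row in rows:
        print(row)
```

Point export_tree at the pulled directory and an empty output folder; the cache/thumb.db decoy in the sample shows why the magic-header check matters, and the read-only URI keeps the tool from rewriting a journal or WAL file on evidence that may later need to be hashed.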
 
 
 
== NowSecure App Testing Community Edition ==
 
 
 
The NowSecure App Testing Community Edition is the freely downloadable version of the powerful App Testing suite. Users are offered a number of features such as network capture, automation, import / export, and reporting to test and secure mobile apps.
 
 
 
It provides the opportunity to complete mobile app security tests on any application on Android or iOS mobile devices (or installed in an emulator).
 
 
 
The suite is provided as a preconfigured virtual machine (VM). After downloading the VM and licensing your version of the suite you will have everything you need to test the security of mobile apps.
 
 
 
Built in emulator - Don’t have a device? No worries. The suite includes a built in Emulator that may be used to test the security of your mobile applications.
 
 
 
[https://www.nowsecure.com/apptesting/community/ NowSecure App Testing Suite]
 
 
 
== OWASP Seraphimdroid ==
 
OWASP SeraphimDroid is an educational, privacy and device-protection application for Android devices that helps users learn about the risks and threats posed by other Android applications. SeraphimDroid also acts as an application firewall, blocking SMS or MMS messages, USSD codes and outgoing calls that would otherwise be sent, executed or placed without the user's permission and knowledge.
 
 
 
[https://www.owasp.org/index.php/OWASP_SeraphimDroid_Project OWASP Seraphimdroid project page]
 
 
 
[https://github.com/nikolamilosevic86/owasp-seraphimdroid OWASP Seraphimdroid code]
 
 
 
[https://play.google.com/store/apps/details?id=org.owasp.seraphimdroid OWASP Seraphimdroid on Google Play]
 
 
 
== OWASP Summer of Code 2008 ==
 
 
 
The OWASP Foundation sponsored the OWASP Application Security Verification Standard Project during the OWASP Summer of Code 2008.
 
 
 
  
 
= Secure M-Development =

The OWASP Secure Development Guidelines provide developers with the knowledge they need to build secure mobile applications. An extensible framework will be provided that covers the core security flaws found across nearly all mobile platforms. It will be a living reference where contributors can plug in newly exposed APIs for various platforms and provide good/bad code examples along with remediation guidance for those issues.

== Status note ==
'''Note: Given that the MASVS/MSTG is becoming the leading framework in terms of requirements, we will archive this page and merge its requirements into the MASVS. This process is currently handled by Abderrahmane AFTAHI (see [https://github.com/OWASP/owasp-masvs/issues/189 the GitHub issue for more details]) and Rocco Gränitz (see [https://github.com/OWASP/owasp-masvs/issues/203 the GitHub issue for more details]).'''

 
== Mobile Application Coding Guidelines ==
 
==OWASP/ENISA Collaboration==

OWASP and the European Network and Information Security Agency (ENISA) collaborated to build a joint set of controls. ENISA published the results of the collaborative effort in 2011 as the "Smartphone Secure Development Guidelines": https://www.enisa.europa.eu/publications/smartphone-secure-development-guidelines/at_download/fullReport. In 2017, ENISA published an update at https://www.enisa.europa.eu/publications/smartphone-secure-development-guidelines-2016.

[[File:OWASP_Mobile_Top_10_Controls.jpg|center|800px]]

  
 
==Contributors==
 
**Device certificates can be used for stronger device authentication.

''References''
 
*1. ENISA. Top Ten Smartphone Risks. [Online] http://www.enisa.europa.eu/act/application-security/smartphone-security-1/top-ten-risks.
*2. OWASP. Top 10 mobile risks. [Online] https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Top_Ten_Mobile_Risks.

This is the first release (February 2013) of the Mobile Application Threat Model developed by the initial project team (listed at the end of this release). Development began in mid-2011 and the model is being released in beta form for public comment and input. It is by no means complete, and some sections will need more contributions, details and real-world case studies. The project team hopes that others in the community can help contribute to further enhance and improve this threat model.

=== Maintenance note ===

We are in the process of creating a new threat model. Want to join? Drop a line at [https://github.com/OWASP/OWASP-Mobile-Threatmodel our threat model repository on GitHub].
  
 
===Mobile Threat Model Introduction Statement===

* '''App Store Approvers/Reviewers:''' Any app store which fails to review potentially dangerous code or a malicious application which executes on a user's device and performs suspicious or malicious activities.

* '''Malware on the device''': Any program or mobile application which performs suspicious activity, for example an application that copies real-time data from the user's device and transmits it to a remote server. Such a program runs alongside the other processes in the background and stays alive, performing malicious activity the whole time. E.g. the Olympics app which stole text messages and browsing history: http://venturebeat.com/2012/08/06/olympics-android-app/
  
 
* '''Scripts executing at the browser with HTML5''': Any script code written in a language similar to JavaScript having capability of accessing the device level content falls under this type of agent section. A script executing at the browser reading and transmitting browser memory data / complete device level data.
 
* '''Scripts executing at the browser with HTML5''': Any script code written in a language similar to JavaScript having capability of accessing the device level content falls under this type of agent section. A script executing at the browser reading and transmitting browser memory data / complete device level data.
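Review bot: the changed link markup at the end of the "Malware on the device" bullet, "[http://venturebeat.com/2012/08/06/olympics-android-app/]http://venturebeat.com/2012/08/06/olympics-android-app/", renders as an auto-numbered bracket link immediately followed by the same URL as bare text, so the reference is still shown twice, as it was with the previous "[url ][url url]" form; suggest a single labelled external link such as "[http://venturebeat.com/2012/08/06/olympics-android-app/ VentureBeat report on the Olympics Android app]" so the citation reads as one link. The "Scripts executing at the browser with HTML5" bullet is unchanged context.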
Line 980: Line 946:
  
 
Ritesh Taank
 
Ritesh Taank
 
  
  
  
 
__NOTOC__ <headertabs />
 
__NOTOC__ <headertabs />

Latest revision as of 17:48, 22 October 2019

OWASP Mobile Security Project

OWASP Mobile Logo Milan.PNG


Maintenance notice

This site is no longer maintained: please go to https://www2.owasp.org/www-project-mobile-security/ for our new website!


The OWASP Mobile Security Project is a centralized resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation. The project is a breeding ground for many different mobile security projects within OWASP. Right now, you can find the following active OWASP mobile security projects:

Project/deliverable | More info | Description | Current leaders
Mobile Top Ten | Project Page | The OWASP Mobile Security Top 10 is created to raise awareness of the current mobile security issues. |
Mobile Security Testing Guide | Project Page | A comprehensive manual for mobile app security testing and reverse engineering for iOS and Android mobile security testers as well as developers. |
Mobile Application Security Verification Standard | Project Page | A standard for mobile app security which outlines the security requirements of a mobile application. |
Mobile Security Checklist | Project Page | A checklist which allows easy mapping and scoring of the requirements from the Mobile Application Security Verification Standard based on the Mobile Security Testing Guide. |
iGoat Tool Project | Project Page | A learning tool for iOS developers (iPhone, iPad, etc.). It was inspired by the WebGoat project and has a similar conceptual flow to it. |
Damn Vulnerable iOS Application | Project Page | An iOS application that is damn vulnerable. Its main goal is to provide a platform for mobile security enthusiasts, professionals or students to test their iOS penetration testing skills in a legal environment. |
Android CK project | Project Page | A Python tool to help in forensic analysis on Android. |
Seraphimdroid | Project Page | A privacy and security protection app for Android devices. |

Not what you are looking for? Please have a look at the Mobile Security Page Archive

Want to start a new mobile security project? Follow https://www.owasp.org/index.php/Category:OWASP_Project#Starting_a_New_Project or contact one of the leaders of the active projects.

Active OWASP mobile projects