This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "OWASP Mobile Security Testing Guide"

(flagship status)
m (Main Deliverables)
 
(24 intermediate revisions by 3 users not shown)
Line 8: Line 8:
 
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
 
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
 
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |
 
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |
 +
 +
== Maintenance notice ==
 +
 +
This site is no longer maintained: please go to https://www2.owasp.org/www-project-mobile-security-testing-guide/ for our new website!
 +
  
 
==Our Vision ==
 
==Our Vision ==
Line 20: Line 25:
 
   |-
 
   |-
 
   | [[File:Mstg-cover-release-small2.jpg|200px|link=https://www.github.com/OWASP/owasp-mstg/]]
 
   | [[File:Mstg-cover-release-small2.jpg|200px|link=https://www.github.com/OWASP/owasp-mstg/]]
   | '''Mobile Security Testing Guide (MSTG) - 1.1.2 Release'''
+
   | '''Mobile Security Testing Guide (MSTG) - 1.1.3 Release'''
The [https://github.com/OWASP/owasp-mstg/releases 1.1.2 Release] of the MSTG is a comprehensive manual for mobile app security testing and reverse engineering for iOS and Android mobile security testers with the following content:
+
The [https://github.com/OWASP/owasp-mstg/releases 1.1.3 Release] of the MSTG is a comprehensive manual for mobile app security testing and reverse engineering for iOS and Android mobile security testers with the following content:
 
# Mobile platform internals
 
# Mobile platform internals
 
# Security testing in the mobile app development lifecycle
 
# Security testing in the mobile app development lifecycle
Line 39: Line 44:
 
   | [[File:checklist.jpg|link=https://github.com/OWASP/owasp-mstg/tree/master/Checklists]]
 
   | [[File:checklist.jpg|link=https://github.com/OWASP/owasp-mstg/tree/master/Checklists]]
 
   | '''Mobile App Security Checklist'''
 
   | '''Mobile App Security Checklist'''
A checklist for use in security assessments. Also contains links to the MSTG test case for each requirement. The current release is [https://github.com/OWASP/owasp-mstg/tree/master/Checklists can be found at Github in English, French, Spanish and Japanese].
+
A checklist for use in security assessments. Also contains links to the MSTG test case for each requirement. The current release is [https://github.com/OWASP/owasp-mstg/tree/master/Checklists can be found at Github in English, French, Spanish, Japanese and Korean].
 
|}
 
|}
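Review bot: the checklist sentence reads "The current release is [... can be found at Github in ...]" on both sides of this hunk, so "is can be found" survives the edit that adds Korean; since the line is being touched anyway, drop the "is" so it reads "The current release can be found at GitHub in English, French, Spanish, Japanese and Korean".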
  
Line 54: Line 59:
 
   {| width="200" cellpadding="2"
 
   {| width="200" cellpadding="2"
 
   |-
 
   |-
   | rowspan="3" align="center" valign="top" width="50%" | [[File:Midlevel_projects.png|130px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects|Lab Project]]
+
   | rowspan="3" align="center" valign="top" width="50%" | [[File:Mature_projects.png|130px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#Flagship_Projects|Flagship Project]]
 
   | align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=Builders]]   
 
   | align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=Builders]]   
 
   |-
 
   |-
Line 73: Line 78:
  
 
[https://www.owasp.org/index.php/User:Jeroenwillemsen Jeroen Willemsen]
 
[https://www.owasp.org/index.php/User:Jeroenwillemsen Jeroen Willemsen]
 +
 +
[mailto:carlos.holguera@owasp.org Carlos Holguera]
  
 
== Training  ==
 
== Training  ==
Line 81: Line 88:
 
== Presentations ==
 
== Presentations ==
 
* OWASP AppSec Day Melbourne October 2019 - [https://appsecday.io/schedule/#session-7 Fixing Mobile AppSec]
 
* OWASP AppSec Day Melbourne October 2019 - [https://appsecday.io/schedule/#session-7 Fixing Mobile AppSec]
 +
* OWASP Global AppSec Amsterdam September 2019
 
* r2con in Barcelona September 2019 - [https://rada.re/con/2019/agenda.html# radare2 and Frida in the OWASP Mobile Security Testing Guide]
 
* r2con in Barcelona September 2019 - [https://rada.re/con/2019/agenda.html# radare2 and Frida in the OWASP Mobile Security Testing Guide]
 
* Open Security summit 2019 - [[File:Mstg 101 summit 2019.pdf|101 & onboarding slides]] & [[File:Mstg outcome summit 2019.pdf|MSTG outcome keynote]]
 
* Open Security summit 2019 - [[File:Mstg 101 summit 2019.pdf|101 & onboarding slides]] & [[File:Mstg outcome summit 2019.pdf|MSTG outcome keynote]]
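Review bot: the new bullet "* OWASP Global AppSec Amsterdam September 2019" has no talk title and no link, unlike every other entry in the Presentations list (each pairs the event with a "[url Title]" link); add the session title and agenda or slides URL so the entry matches the list's format, or hold the line until they are available.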
Line 97: Line 105:
 
* OWASP AppSec EU 2017 - [http://sched.co/A66j Fixing Mobile AppSec] - [https://2017.appsec.eu/presos/Developer/Fixing%20Mobile%20AppSec%20The%20OWASP%20Mobile%20Project-%20Bernhard%20Mueller%20and%20Sven%20Schleier%20-%20OWASP_AppSec-Eu_2017.pdf Slides], [https://www.youtube.com/watch?v=THJVzf-u7Iw Video]
 
* OWASP AppSec EU 2017 - [http://sched.co/A66j Fixing Mobile AppSec] - [https://2017.appsec.eu/presos/Developer/Fixing%20Mobile%20AppSec%20The%20OWASP%20Mobile%20Project-%20Bernhard%20Mueller%20and%20Sven%20Schleier%20-%20OWASP_AppSec-Eu_2017.pdf Slides], [https://www.youtube.com/watch?v=THJVzf-u7Iw Video]
  
== Parent Project ==
+
== Licensing ==
 
 
[[OWASP_Mobile_Security_Project]]
 
 
 
==Licensing==
 
  
 
The guide is licensed under the [https://creativecommons.org/licenses/by-sa/4.0/ Creative Commons Attribution-ShareAlike 4.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.
 
The guide is licensed under the [https://creativecommons.org/licenses/by-sa/4.0/ Creative Commons Attribution-ShareAlike 4.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.
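Review bot: the hunk changes "== Parent Project ==" into "== Licensing ==" while "[[OWASP_Mobile_Security_Project]]" and the original "==Licensing==" heading appear only on the old side, so the link to the parent project page disappears along with its heading. If dropping the parent-project reference is intended now that the project carries Flagship status on its own, say so in the edit summary; otherwise keep "== Parent Project ==" with its "[[OWASP_Mobile_Security_Project]]" link and leave the Licensing section as it was.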
Line 170: Line 174:
  
 
=News=
 
=News=
 +
 +
==October 2nd, 2019:  MSTG Playground release! ==
 +
Want more training apps? We hear you! We just released the MSTG-Android-Java & MSTG-Android-Kotlin for Android and the MSTG-JWT app for iOS. Come and check it out at [https://github.com/OWASP/MSTG-Hacking-Playground/releases the release page] ! With special thanks to Sven Schleier(@sushi2k), Wen Bin Kong (@kongwenbin), Nikhil Soni (@nikhil), and Ryan Teoh (@ryantzj)!
 +
 +
==October 2nd, 2019: MSTG Project joins Hacktoberfest! ==
 +
We are joining the #hacktoberfest October 2-31. Check out our issues [https://github.com/OWASP/owasp-mstg/labels/Hacktoberfest at Github]. Register at https://hacktoberfest.digitalocean.com.
 +
 +
==September 17th, 2019:  Xamarin experiment! ==
 +
We have launched a react-native experiment based on our compliancy checklist. Want to teach others how to validate React NAtive apps against the MASVS? Check [https://drive.google.com/open?id=1UL1yLRREJwXfe0HlrcX-IuvPYQM7lTtG this Google sheet]!.
 +
 +
== September 6th, 2019: Flutter experiment! ==
 +
We have launched a react-native experiment based on our compliancy checklist. Want to teach others how to validate React NAtive apps against the MASVS? Check [https://drive.google.com/open?id=1wHK3VI1cU1xmYrCu9yb5OHKUEeLIPSkC this Google sheet]!.
 +
 +
== September 6th, 2019: React native experiment! ==
 +
We have launched a react-native experiment based on our compliancy checklist. Want to teach others how to validate React NAtive apps against the MASVS? Check [https://drive.google.com/open?id=1P5FZ_Bup5eSPOmkePZA8cIpKGOKvngkN this Google sheet]!.
 +
 +
== August 29th, 2019: Carlos Holguera joins the leaderteam ==
 +
We are happy to announce that Carlos Holguera joins us as an official MSTG Author and co-leader! With a team of 3 we hope to march further as that would make our lives easier given that all of this hard work is done by volunteers!
 +
 +
== August 4th, 2019: OSS Release! ==
 +
After a lot of work, we finally have a new release of the MSTG! Want to know more? Head over to the [https://github.com/OWASP/owasp-mstg/releases Github release page]
  
 
== August 2nd, 2019: Project promoted to Flagship status! ==
 
== August 2nd, 2019: Project promoted to Flagship status! ==
We have been awarded Flagship status! We are very grateful and excited about this! We could not have done this without our team of awesome volunteers that have committed to the project, wrote issues, and supported us in many other ways. A special thanks goes out to OWASP for facilitating us to function as a project and for awarding this awesome status to the project.
+
We have been awarded Flagship status! We are very grateful and excited about this! We could not have done this without our team of awesome volunteers that have committed to the project, wrote issues, and supported us in many other ways. A special thanks goes out to OWASP and especially Harold Blankenship for facilitating us to function as a project and for leading the project review at OWASP Appsec Tel-Aviv!
 
Thank you!
 
Thank you!
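Review bot: the paragraphs under "==September 17th, 2019:  Xamarin experiment! ==" and "== September 6th, 2019: Flutter experiment! ==" are copies of the React Native entry ("We have launched a react-native experiment ... validate React NAtive apps against the MASVS"), differing only in the Google Sheet link, so a reader cannot tell which framework each linked sheet covers; each paragraph should name its own framework (Xamarin, Flutter). While editing, fix "NAtive" to "Native", "compliancy" to "compliance", and the "!." that ends each of the three sentences.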
  
Line 378: Line 403:
 
Drop a us line on the [https://owasp.slack.com/messages/project-mobile_omtg/details/) Slack channel] before you start working on a topic. This helps us to keep track of what everyone is doing and prevent conflicts. You can create a Slack account here:
 
Drop a us line on the [https://owasp.slack.com/messages/project-mobile_omtg/details/) Slack channel] before you start working on a topic. This helps us to keep track of what everyone is doing and prevent conflicts. You can create a Slack account here:
  
[https://owasp.slack.com/join/shared_invite/enQtNjExMTc3MTg0MzU4LTViMDg1MmJiMzMwZGUxZjgxZWQ1MTE0NTBlOTBhNjhhZDIzZTZiNmEwOTJlYjdkMzAxMGVhNDkwNDNiNjZiOWQ owasp slack invite]
+
[https://join.slack.com/t/owasp/shared_invite/enQtNjExMTc3MTg0MzU4LWQ2Nzg3NGJiZGQ2MjRmNzkzN2Q4YzU1MWYyZTdjYjA2ZTA5M2RkNzE2ZjdkNzI5ZThhOWY5MjljYWZmYmY4ZjM owasp slack invite]
  
 
Before you start contributing, please read our brief [https://github.com/OWASP/owasp-mstg/blob/master/style_guide.md style guide] which contains a few basic writing rules.
 
Before you start contributing, please read our brief [https://github.com/OWASP/owasp-mstg/blob/master/style_guide.md style guide] which contains a few basic writing rules.
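Review bot: the link target in "[https://owasp.slack.com/messages/project-mobile_omtg/details/) Slack channel]" ends in a stray ")" on both sides of the hunk, which becomes part of the URL when rendered; remove it, and fix "Drop a us line" to "Drop us a line". The replaced shared-invite link is an opaque token that Slack can expire, so noting the replacement in the edit summary helps whoever has to refresh it next.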
Line 394: Line 419:
 
* Developing tools. For example, we still don't have an automated way of generating checklists out of the GitHub repo.
 
* Developing tools. For example, we still don't have an automated way of generating checklists out of the GitHub repo.
  
* Contributing to auxiliary projects: The [https://github.com/b-mueller/obfuscation-metrics obfuscation metrics project] is an auxiliary project that deals with specific forms of control flow and data obfuscation. This project needs experts in advanced obfuscation / de-obfuscation. Please contact us if you have experience in this area.
+
* Contributing to auxiliary projects: There are various projects that we support at this moment, consider: [https://github.com/OWASP/Mobile-Threatmodel the mobile threatmodel project] and our own [https://github.com/OWASP/MSTG-Hacking-Playground Hacking playground]. In the past, there was the [https://github.com/b-mueller/obfuscation-metrics obfuscation metrics project] is an auxiliary project that deals with specific forms of control flow and data obfuscation. This project needs experts in advanced obfuscation / de-obfuscation. Please contact us if you have experience in this area.
  
 
==If I am not a programmer can I participate in your project?==
 
==If I am not a programmer can I participate in your project?==
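Review bot: the rewritten auxiliary-projects bullet has a broken sentence, "In the past, there was the [https://github.com/b-mueller/obfuscation-metrics obfuscation metrics project] is an auxiliary project that deals with ...", which runs two clauses together, and the following "This project needs experts in advanced obfuscation / de-obfuscation. Please contact us ..." still solicits help for a project the same sentence calls past. Suggest "In the past, the obfuscation metrics project was an auxiliary project that dealt with specific forms of control flow and data obfuscation." and either drop the call for experts or attach it to the current threat-model and Hacking Playground projects.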
Line 419: Line 444:
  
 
Jeroen is a principal security architect at Xebia with a passion for mobile security and risk management. He has supported companies as a security coach, a security engineer and as a full-stack developer, which makes him a jack of all trades. He loves explaining technical subjects: from security issues to programming challenges.
 
Jeroen is a principal security architect at Xebia with a passion for mobile security and risk management. He has supported companies as a security coach, a security engineer and as a full-stack developer, which makes him a jack of all trades. He loves explaining technical subjects: from security issues to programming challenges.
 +
 +
==== Carlos Holguera ====
 +
 +
Carlos is a security engineer leading the mobile penetration testing team at ESCRYPT. He has gained many years of hands-on experience in the field of security testing for mobile apps and embedded systems such as automotive control units and IoT devices. He is passionate about reverse engineering and dynamic instrumentation of mobile apps and is continuously learning and sharing his knowledge.
  
 
=== Co-Authors ===
 
=== Co-Authors ===
Line 426: Line 455:
 
Romuald is a passionate cyber security & privacy professional with over 15 years of experience in the Web, Mobile, IoT and Cloud domains. During his career, he has been dedicating spare time to a variery of projects with the goal of advancing the sectors of software and security. He is also teaching at various institutions. He holds CISSP, CSSLP and CEH credentials.
 
Romuald is a passionate cyber security & privacy professional with over 15 years of experience in the Web, Mobile, IoT and Cloud domains. During his career, he has been dedicating spare time to a variery of projects with the goal of advancing the sectors of software and security. He is also teaching at various institutions. He holds CISSP, CSSLP and CEH credentials.
  
==== Carlos Holguera ====
+
==== Jeroen Beckers ====
  
Carlos is a security engineer leading the mobile penetration testing team at ESCRYPT. He has gained many years of hands-on experience in the field of security testing for mobile apps and embedded systems such as automotive control units and IoT devices. He is passionate about reverse engineering and dynamic instrumentation of mobile apps and is continuously learning and sharing his knowledge.
+
Jeroen is the mobile security lead at NVISO where he is responsible for quality assurance on mobile security projects and for R&D on all things mobile. He worked as a Flash developer during high school and college, but switched to a career in cybersecurity once he graduated and now has more than 5 years of experience in mobile security. He loves sharing his knowledge with other people, as is demonstrated by his many talks & trainings at colleges, universities, clients and conferences.
  
 
=== Top Contributors ===
 
=== Top Contributors ===
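Review bot: the unchanged context line "dedicating spare time to a variery of projects" carries the typo "variery" (variety) on both sides of the hunk; since this section is being reordered anyway, fix it in the same edit.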
Line 438: Line 467:
 
* Kyle Benac
 
* Kyle Benac
 
* Alexander Anthuk
 
* Alexander Anthuk
* Jeroen Beckers
 
 
* Wen Bin Kong
 
* Wen Bin Kong
 
* Abdessamad Temmar
 
* Abdessamad Temmar
Line 444: Line 472:
 
* Cláudio André
 
* Cláudio André
 
* Slawomir Kosowski
 
* Slawomir Kosowski
 +
* Abderrahmane Aftahi
  
 
=== Contributors ===
 
=== Contributors ===

Latest revision as of 08:15, 1 November 2019


Maintenance notice

This site is no longer maintained: please go to https://www2.owasp.org/www-project-mobile-security-testing-guide/ for our new website!


Our Vision

"Define the industry standard for mobile application security."

We are writing a security standard for mobile apps and a comprehensive testing guide that covers the processes, techniques, and tools used during a mobile app security test, as well as an exhaustive set of test cases that enables testers to deliver consistent and complete results.

Main Deliverables

Mobile Security Testing Guide (MSTG) - 1.1.3 Release

The 1.1.3 Release of the MSTG is a comprehensive manual for mobile app security testing and reverse engineering for iOS and Android mobile security testers with the following content:

  1. Mobile platform internals
  2. Security testing in the mobile app development lifecycle
  3. Basic static and dynamic security testing
  4. Mobile app reverse engineering and tampering
  5. Assessing software protections
  6. Detailed test cases that map to the requirements in the MASVS.

You can contribute and comment in the GitHub Repo. An online book version of the current master branch is available on Gitbook.

Feel free to download the ePub or Mobi for $0 or contribute any amount you like. All funds raised through sales of this book go directly into the project budget and will be used for technical editing and designing the book and to fund production of future releases.

Mobile App Security Requirements and Verification

The OWASP Mobile Application Security Verification Standard (MASVS) version 1.1.4 is a standard for mobile app security. It can be used by mobile software architects and developers seeking to develop secure mobile applications, as well as by security testers to ensure completeness and consistency of test results. You can find the sources on the GitHub repo. We now have versions in the following languages: Chinese, English, French, German, Japanese, Russian, and Spanish! Want to get a PDF/Mobi/ePub of the standard? Check the release page on GitHub.

Mobile App Security Checklist

A checklist for use in security assessments. It also contains links to the MSTG test case for each requirement. The current release can be found on GitHub in English, French, Spanish, Japanese and Korean.


Classifications

Flagship Project
Builders, Breakers, Defenders
CC BY-SA 4.0 License
Project Type: Documentation

Project Leaders

Sven Schleier

Jeroen Willemsen

Carlos Holguera

Training

Presentations

Licensing

The guide is licensed under the Creative Commons Attribution-ShareAlike 4.0 license, so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.