Difference between revisions of "OWASP Mobile Security Testing Guide"
(flagship status) |
m (→Main Deliverables) |
(24 intermediate revisions by 3 users not shown) | |||
Line 8: | Line 8: | ||
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |- | {| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |- | ||
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" | | | valign="top" style="border-right: 1px dotted gray;padding-right:25px;" | | ||
+ | |||
+ | == Maintenance notice == | ||
+ | |||
+ | This site is no longer maintained: please go to https://www2.owasp.org/www-project-mobile-security-testing-guide/ for our new website! | ||
+ | |||
==Our Vision == | ==Our Vision == | ||
Line 20: | Line 25: | ||
|- | |- | ||
| [[File:Mstg-cover-release-small2.jpg|200px|link=https://www.github.com/OWASP/owasp-mstg/]] | | [[File:Mstg-cover-release-small2.jpg|200px|link=https://www.github.com/OWASP/owasp-mstg/]] | ||
− | | '''Mobile Security Testing Guide (MSTG) - 1.1. | + | | '''Mobile Security Testing Guide (MSTG) - 1.1.3 Release''' |
− | The [https://github.com/OWASP/owasp-mstg/releases 1.1. | + | The [https://github.com/OWASP/owasp-mstg/releases 1.1.3 Release] of the MSTG is a comprehensive manual for mobile app security testing and reverse engineering for iOS and Android mobile security testers with the following content: |
# Mobile platform internals | # Mobile platform internals | ||
# Security testing in the mobile app development lifecycle | # Security testing in the mobile app development lifecycle | ||
Line 39: | Line 44: | ||
| [[File:checklist.jpg|link=https://github.com/OWASP/owasp-mstg/tree/master/Checklists]] | | [[File:checklist.jpg|link=https://github.com/OWASP/owasp-mstg/tree/master/Checklists]] | ||
| '''Mobile App Security Checklist''' | | '''Mobile App Security Checklist''' | ||
− | A checklist for use in security assessments. Also contains links to the MSTG test case for each requirement. The current release is [https://github.com/OWASP/owasp-mstg/tree/master/Checklists can be found at Github in English, French, Spanish and | + | A checklist for use in security assessments. Also contains links to the MSTG test case for each requirement. The current release is [https://github.com/OWASP/owasp-mstg/tree/master/Checklists can be found at Github in English, French, Spanish, Japanese and Korean]. |
|} | |} | ||
Line 54: | Line 59: | ||
{| width="200" cellpadding="2" | {| width="200" cellpadding="2" | ||
|- | |- | ||
− | | rowspan="3" align="center" valign="top" width="50%" | [[File: | + | | rowspan="3" align="center" valign="top" width="50%" | [[File:Mature_projects.png|130px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#Flagship_Projects|Flagship Project]] |
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=Builders]] | | align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=Builders]] | ||
|- | |- | ||
Line 73: | Line 78: | ||
[https://www.owasp.org/index.php/User:Jeroenwillemsen Jeroen Willemsen] | [https://www.owasp.org/index.php/User:Jeroenwillemsen Jeroen Willemsen] | ||
+ | |||
+ | [mailto:carlos.holguera@owasp.org Carlos Holguera] | ||
== Training == | == Training == | ||
Line 81: | Line 88: | ||
== Presentations == | == Presentations == | ||
* OWASP AppSec Day Melbourne October 2019 - [https://appsecday.io/schedule/#session-7 Fixing Mobile AppSec] | * OWASP AppSec Day Melbourne October 2019 - [https://appsecday.io/schedule/#session-7 Fixing Mobile AppSec] | ||
+ | * OWASP Global AppSec Amsterdam September 2019 | ||
* r2con in Barcelona September 2019 - [https://rada.re/con/2019/agenda.html# radare2 and Frida in the OWASP Mobile Security Testing Guide] | * r2con in Barcelona September 2019 - [https://rada.re/con/2019/agenda.html# radare2 and Frida in the OWASP Mobile Security Testing Guide] | ||
* Open Security summit 2019 - [[File:Mstg 101 summit 2019.pdf|101 & onboarding slides]] & [[File:Mstg outcome summit 2019.pdf|MSTG outcome keynote]] | * Open Security summit 2019 - [[File:Mstg 101 summit 2019.pdf|101 & onboarding slides]] & [[File:Mstg outcome summit 2019.pdf|MSTG outcome keynote]] | ||
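Review bot: the added "OWASP Global AppSec Amsterdam September 2019" entry carries no talk title or link, while every other item in this list gives both (for example "r2con in Barcelona September 2019 - [... radare2 and Frida in the OWASP Mobile Security Testing Guide]"); add the session name and a link to the agenda or slides, or mark the entry as a placeholder until those are known.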
Line 97: | Line 105: | ||
* OWASP AppSec EU 2017 - [http://sched.co/A66j Fixing Mobile AppSec] - [https://2017.appsec.eu/presos/Developer/Fixing%20Mobile%20AppSec%20The%20OWASP%20Mobile%20Project-%20Bernhard%20Mueller%20and%20Sven%20Schleier%20-%20OWASP_AppSec-Eu_2017.pdf Slides], [https://www.youtube.com/watch?v=THJVzf-u7Iw Video] | * OWASP AppSec EU 2017 - [http://sched.co/A66j Fixing Mobile AppSec] - [https://2017.appsec.eu/presos/Developer/Fixing%20Mobile%20AppSec%20The%20OWASP%20Mobile%20Project-%20Bernhard%20Mueller%20and%20Sven%20Schleier%20-%20OWASP_AppSec-Eu_2017.pdf Slides], [https://www.youtube.com/watch?v=THJVzf-u7Iw Video] | ||
− | + | == Licensing == | |
− | |||
− | |||
− | |||
− | ==Licensing== | ||
The guide is licensed under the [https://creativecommons.org/licenses/by-sa/4.0/ Creative Commons Attribution-ShareAlike 4.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one. | The guide is licensed under the [https://creativecommons.org/licenses/by-sa/4.0/ Creative Commons Attribution-ShareAlike 4.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one. | ||
Line 170: | Line 174: | ||
=News= | =News= | ||
+ | |||
+ | ==October 2nd, 2019: MSTG Playground release! == | ||
+ | Want more training apps? We hear you! We just released the MSTG-Android-Java & MSTG-Android-Kotlin for Android and the MSTG-JWT app for iOS. Come and check it out at [https://github.com/OWASP/MSTG-Hacking-Playground/releases the release page] ! With special thanks to Sven Schleier(@sushi2k), Wen Bin Kong (@kongwenbin), Nikhil Soni (@nikhil), and Ryan Teoh (@ryantzj)! | ||
+ | |||
+ | ==October 2nd, 2019: MSTG Project joins Hacktoberfest! == | ||
+ | We are joining the #hacktoberfest October 2-31. Check out our issues [https://github.com/OWASP/owasp-mstg/labels/Hacktoberfest at Github]. Register at https://hacktoberfest.digitalocean.com. | ||
+ | |||
+ | ==September 17th, 2019: Xamarin experiment! == | ||
+ | We have launched a react-native experiment based on our compliancy checklist. Want to teach others how to validate React NAtive apps against the MASVS? Check [https://drive.google.com/open?id=1UL1yLRREJwXfe0HlrcX-IuvPYQM7lTtG this Google sheet]!. | ||
+ | |||
+ | == September 6th, 2019: Flutter experiment! == | ||
+ | We have launched a react-native experiment based on our compliancy checklist. Want to teach others how to validate React NAtive apps against the MASVS? Check [https://drive.google.com/open?id=1wHK3VI1cU1xmYrCu9yb5OHKUEeLIPSkC this Google sheet]!. | ||
+ | |||
+ | == September 6th, 2019: React native experiment! == | ||
+ | We have launched a react-native experiment based on our compliancy checklist. Want to teach others how to validate React NAtive apps against the MASVS? Check [https://drive.google.com/open?id=1P5FZ_Bup5eSPOmkePZA8cIpKGOKvngkN this Google sheet]!. | ||
+ | |||
+ | == August 29th, 2019: Carlos Holguera joins the leaderteam == | ||
+ | We are happy to announce that Carlos Holguera joins us as an official MSTG Author and co-leader! With a team of 3 we hope to march further as that would make our lives easier given that all of this hard work is done by volunteers! | ||
+ | |||
+ | == August 4th, 2019: OSS Release! == | ||
+ | After a lot of work, we finally have a new release of the MSTG! Want to know more? Head over to the [https://github.com/OWASP/owasp-mstg/releases Github release page] | ||
== August 2nd, 2019: Project promoted to Flagship status! == | == August 2nd, 2019: Project promoted to Flagship status! == | ||
− | We have been awarded Flagship status! We are very grateful and excited about this! We could not have done this without our team of awesome volunteers that have committed to the project, wrote issues, and supported us in many other ways. A special thanks goes out to OWASP for facilitating us to function as a project and for | + | We have been awarded Flagship status! We are very grateful and excited about this! We could not have done this without our team of awesome volunteers that have committed to the project, wrote issues, and supported us in many other ways. A special thanks goes out to OWASP and especially Harold Blankenship for facilitating us to function as a project and for leading the project review at OWASP Appsec Tel-Aviv! |
Thank you! | Thank you! | ||
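Review bot: the September 17th "Xamarin experiment!" and September 6th "Flutter experiment!" entries reuse the React Native body text verbatim ("We have launched a react-native experiment based on our compliancy checklist. Want to teach others how to validate React NAtive apps against the MASVS?"), so only the headings and Google sheet links distinguish them; the bodies should name Xamarin and Flutter respectively, and "NAtive" should read "Native" in all three. Minor: "Sven Schleier(@sushi2k)" in the playground entry is missing a space before the parenthesis, and "compliancy checklist" would normally be "compliance checklist".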
Line 378: | Line 403: | ||
Drop a us line on the [https://owasp.slack.com/messages/project-mobile_omtg/details/) Slack channel] before you start working on a topic. This helps us to keep track of what everyone is doing and prevent conflicts. You can create a Slack account here: | Drop a us line on the [https://owasp.slack.com/messages/project-mobile_omtg/details/) Slack channel] before you start working on a topic. This helps us to keep track of what everyone is doing and prevent conflicts. You can create a Slack account here: | ||
− | [https:// | + | [https://join.slack.com/t/owasp/shared_invite/enQtNjExMTc3MTg0MzU4LWQ2Nzg3NGJiZGQ2MjRmNzkzN2Q4YzU1MWYyZTdjYjA2ZTA5M2RkNzE2ZjdkNzI5ZThhOWY5MjljYWZmYmY4ZjM owasp slack invite] |
Before you start contributing, please read our brief [https://github.com/OWASP/owasp-mstg/blob/master/style_guide.md style guide] which contains a few basic writing rules. | Before you start contributing, please read our brief [https://github.com/OWASP/owasp-mstg/blob/master/style_guide.md style guide] which contains a few basic writing rules. | ||
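Review bot: the unchanged line above the new invite link reads "Drop a us line", which should be "Drop us a line", and the Slack channel link target ends with a stray ")" before the link text ("[https://owasp.slack.com/messages/project-mobile_omtg/details/) Slack channel]"), which will break the rendered link; worth fixing while this section is being edited.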
Line 394: | Line 419: | ||
* Developing tools. For example, we still don't have an automated way of generating checklists out of the GitHub repo. | * Developing tools. For example, we still don't have an automated way of generating checklists out of the GitHub repo. | ||
− | * Contributing to auxiliary projects: | + | * Contributing to auxiliary projects: There are various projects that we support at this moment, consider: [https://github.com/OWASP/Mobile-Threatmodel the mobile threatmodel project] and our own [https://github.com/OWASP/MSTG-Hacking-Playground Hacking playground]. In the past, there was the [https://github.com/b-mueller/obfuscation-metrics obfuscation metrics project] is an auxiliary project that deals with specific forms of control flow and data obfuscation. This project needs experts in advanced obfuscation / de-obfuscation. Please contact us if you have experience in this area. |
==If I am not a programmer can I participate in your project?== | ==If I am not a programmer can I participate in your project?== | ||
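Review bot: the rewritten auxiliary-projects bullet has a run-on sentence: "In the past, there was the [... obfuscation metrics project] is an auxiliary project that deals with specific forms of control flow and data obfuscation" joins two clauses. Suggest "In the past there was also the [... obfuscation metrics project], an auxiliary project that deals with specific forms of control flow and data obfuscation." "consider:" would also read better as "for example".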
Line 419: | Line 444: | ||
Jeroen is a principal security architect at Xebia with a passion for mobile security and risk management. He has supported companies as a security coach, a security engineer and as a full-stack developer, which makes him a jack of all trades. He loves explaining technical subjects: from security issues to programming challenges. | Jeroen is a principal security architect at Xebia with a passion for mobile security and risk management. He has supported companies as a security coach, a security engineer and as a full-stack developer, which makes him a jack of all trades. He loves explaining technical subjects: from security issues to programming challenges. | ||
+ | |||
+ | ==== Carlos Holguera ==== | ||
+ | |||
+ | Carlos is a security engineer leading the mobile penetration testing team at ESCRYPT. He has gained many years of hands-on experience in the field of security testing for mobile apps and embedded systems such as automotive control units and IoT devices. He is passionate about reverse engineering and dynamic instrumentation of mobile apps and is continuously learning and sharing his knowledge. | ||
=== Co-Authors === | === Co-Authors === | ||
Line 426: | Line 455: | ||
Romuald is a passionate cyber security & privacy professional with over 15 years of experience in the Web, Mobile, IoT and Cloud domains. During his career, he has been dedicating spare time to a variery of projects with the goal of advancing the sectors of software and security. He is also teaching at various institutions. He holds CISSP, CSSLP and CEH credentials. | Romuald is a passionate cyber security & privacy professional with over 15 years of experience in the Web, Mobile, IoT and Cloud domains. During his career, he has been dedicating spare time to a variery of projects with the goal of advancing the sectors of software and security. He is also teaching at various institutions. He holds CISSP, CSSLP and CEH credentials. | ||
− | ==== | + | ==== Jeroen Beckers ==== |
− | + | Jeroen is the mobile security lead at NVISO where he is responsible for quality assurance on mobile security projects and for R&D on all things mobile. He worked as a Flash developer during high school and college, but switched to a career in cybersecurity once he graduated and now has more than 5 years of experience in mobile security. He loves sharing his knowledge with other people, as is demonstrated by his many talks & trainings at colleges, universities, clients and conferences. | |
=== Top Contributors === | === Top Contributors === | ||
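Review bot: the unchanged Romuald bio in this hunk contains the typo "variery" (should be "variety"); since the hunk already touches this section to add the Jeroen Beckers bio, it is a good moment to correct it.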
Line 438: | Line 467: | ||
* Kyle Benac | * Kyle Benac | ||
* Alexander Anthuk | * Alexander Anthuk | ||
− | |||
* Wen Bin Kong | * Wen Bin Kong | ||
* Abdessamad Temmar | * Abdessamad Temmar | ||
Line 444: | Line 472: | ||
* Cláudio André | * Cláudio André | ||
* Slawomir Kosowski | * Slawomir Kosowski | ||
+ | * Abderrahmane Aftahi | ||
=== Contributors === | === Contributors === |