A Perspective on Mobile Security
in IoT and How OWASP can Help
Romuald SZKUDLAREK, CISSP CCSP CSSLP C|EH
romuald.szkudlarek@owasp.org
Agenda
• Mobile Application Security in IoT Architecture
• Mobile Application Security at OWASP
MASVS
MSTG
• Practical Use Cases of MASVS and MSTG
INTRODUCTION
Who Am I?
• Romuald SZKUDLAREK
• Senior Cyber Security Architect
• CISSP, CCSP, CSSLP, CEH credentials holder
• Member of OWASP
• Co-Author of Mobile Security Testing Guide
(MSTG)
MOBILE APPLICATION SECURITY IN
AN IOT ARCHITECTURE
Technical Architecture of an IoT solution
IoT device
collecting data in the field (for instance in smart xyz); the OS is often Android or iOS
Cloud services
Including Authentication, IAM, Analytics, Monitoring, Storage, Device
management and Data visualization
API
Edge computing
API
End user
Using an application (web, mobile, …) for Remote management, Supervision, …
IoT Attack Surface
A significant part of the attack surface comes from the
mobile side:
• Local storage
• Insecure communications
• Insecure cryptography
• Insecure authentication
• Reverse engineering
• …
A few facts and figures
• A majority have little to no knowledge of the
number and type of installed mobile apps
• 79% think that using mobile apps increases
security risks (Ponemon 2017 Study on Mobile and Internet of Things Application Security)
• Few mobile apps go through security testing
• Focus on usability
Mobile Application Security (M -> I)
What can go wrong? Well,
• Mobile to IoT device: Study reports that
"Mobile App Flaws [...] Could Allow Hackers
To Target Critical Infrastructure"
https://securityaffairs.co/wordpress/67701/iot/scada-mobile-security.html
• IoT device to Mobile
Mobile Application Security (I -> M)
What can go wrong? Well,
• Mobile to IoT device
• IoT device to Mobile: Belkin WeMo devices
used to attack mobile phones (Black Hat Europe, 2016)
And think about it…
What about your smart lock / smart fridge /
security cam / [take virtually any smart device]?
Hint: The architecture is the same!!!
MOBILE SECURITY AT OWASP
-
IMPROVE THE SECURITY POSTURE OF MOBILE APPS WITH
MASVS AND MSTG
OWASP
• https://www.owasp.org
• The Open Web Application Security Project is a not-for-profit
worldwide organization (US-based) that supports application
security, with hundreds of chapters worldwide and thousands
of members
• All OWASP tools / Documents / forums / chapters are free
• Participating in projects is FREE and everyone is welcome!
OWASP
• Not linked to any commercial company
• Organizes and sponsors world-class security
events
• Technical audience
• Meritocracy, core values are:
Open, Innovation, Global, Integrity
Why Mobile Application Security?
• Different Attack Surface
Local storage
Local authentication
OS interaction
• Different Vulnerabilities
Reverse engineering
Secret storage
Fewer XSS and CSRF issues (through frameworks
like Cordova) down to none at all (in native apps)
• 16 vulnerabilities per mobile app on average
• Malware also exists on mobile
• Anyway, "Hackers are able to penetrate mobile devices exactly in the same way
they accessed to our confidential data on our computer." Pierluigi Paganini, ENISA
Mobile Security at OWASP
• https://www.owasp.org/index.php/OWASP_Mobile_Security_Testing_Guide
• Main deliverables are
Testing guide (MSTG)
List of requirements (MASVS)
Checklist for security assessment
A few words on… MASVS
• Mobile Application Security Verification
Standard
• Provides 3 levels of requirements in 8 domains:
- Baseline (MASVS-L1, 43 reqs)
- Defense-In-Depth (MASVS-L2, 19 reqs)
- Adds advanced reqs on resiliency against
reverse engineering and tampering (MASVS-R,
12 reqs)
• Fork of ASVS dedicated to mobile
• Provides scalability in security requirements
management
Available
Download at
MASVS requirements (extracts)
A few words on… MSTG
• Mobile Security Testing Guide
• Risk-based approach
• Promote the use of SDLC*
• Maps directly to MASVS requirements
• Native Android and iOS applications
• Use OWASP Testing Guide for the security
of server side components
• Use cases
Available
*SDLC = Secure Development Life Cycle
Download at
MSTG (table of content)
Security Testing with MSTG (extracts)
MASVS and MSTG in SDLC
• Support "Shifting left" and "Security by
design", promotes security in DevOps
• MASVS early in app creation
• MSTG in Testing phase
[Diagram: MASVS, MSTG, Checklist]
Mobile Testing Tools
MSTG has a section dedicated to Mobile Security
Testing Tools. Examples include
• Both Android & iOS :
MobSF & objection (Frameworks)
Checkmarx, Fortify & Veracode (SAST)
BurpSuite, OWASP ZAP & Wireshark (Network Analysis)
• Android :
Android Studio (IDE), Androguard / APKTool / Jadx (RE), Drozer
(Dynamic Analysis), Xposed / Cydia (Certificate pinning bypass, …)
• iOS : Xcode (IDE), Frida (Dynamic Instrumentation Toolkit), IDAPro
(debugger), cycript, gdb (Dynamic Analysis), iOS TrustMe
(Certificate pinning bypass, …)
Automating use of MASVS and MSTG
Example using BDD (Behavior Driven
Development) based on Calaba.sh:
https://www.owasp.org/images/f/fb/V2_-_OWASP_Buscharest_Davide_Cioccia.pdf
Recognition
• Referenced by
• Governments are working on including MSTG
in their standards
• Used by many companies in many industries
in the world (banks, finance, …)
• Many requests for trainings received
Future of MASVS and MSTG
Not static:
• Bug fixing
• Follow iOS / Android new versions
• Add frameworks (Cordova, PhoneGap, …)
• Code samples for SWIFT
• As the guide is meant to evolve: milestoning and versioning strategy
• …
Volunteers are welcome!
Easy: go to https://github.com/OWASP/owasp-mstg/milestone/1 , pick
up any issue and submit your pull request!!!
Related OWASP projects
• Mobile Top 10 https://www.owasp.org/index.php/Mobile_Top_10_2016-Top_10
• Internet of Things https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project
• Cloud Security https://www.owasp.org/index.php/OWASP_Cloud_Security_Project
• Dependency Track https://www.owasp.org/index.php/OWASP_Dependency_Track_Project
• DevSecOps Studio https://www.owasp.org/index.php/OWASP_DevSecOps_Studio_Project
And so many others! Check at www.owasp.org
PRACTICAL USE CASES OF MASVS
AND MSTG
Attack scenario – Reverse Engineering
Scenario: An attacker wants to retrieve source code
of your app to (pick one):
- steal your IP
- find secrets to penetrate your network
- find flaws and manipulate your app
- repackage your app with malware
Attacker steps:
• Installs your app on his mobile (use Google Play)
• Retrieves it on his laptop (connect through USB / adb pull <package name>)
• Reverse engineers it (apktool d -f <directory> <appname>.apk or
d2j-dex2jar <file>.dex, unzip .jar and jad -o <file>.class)
MASVS Requirements – Reverse
Engineering
MASVS provides requirements (8.1 to 8.13) to
mitigate such attacks: section 8, entitled
"Resiliency Against Reverse Engineering
Requirements".
And MSTG allows you to test the proper
implementation of these requirements!
Attack scenario – Local storage
Scenario: An attacker gets physical access to your mobile
(unsupervised or stolen mobile) and wants to find Corporate
secrets
Attacker steps:
Let's assume the screen-locking protection is poor and has been circumvented:
• Attacker connects his laptop through USB
• Attacker performs a backup of your mobile / one of your apps (adb backup -f
backup.ab <packageName>)
• Attacker opens archive (java -jar abe.jar unpack backup.ab backup.tar and then
opens with 7-zip)
• Retrieves database / logs / preferences and analyses content
MASVS Requirements – Local storage
MASVS provides requirements (2.1 to 2.12) to
mitigate such attacks: section 2, entitled "Data
Storage and Privacy Requirements".
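Two of the MSTG checks that map to the backup scenario above and to MASVS section 2 can be automated on the artifacts a tester already has: the manifest (is adb backup even allowed, is the build debuggable?) and the shared_prefs files found in backup.tar (do any entries look like secrets stored in clear text?). The script below is an added example written for this page, not code from the slides or the OWASP projects; the manifest and preferences it audits are constructed samples, and the key-name hints and JWT shape test are heuristics I chose, not an MSTG list. Note that on Android 12 and later adb backup no longer includes app data for apps targeting API 31+, but the allowBackup flag still governs other backup paths, so the check remains useful.

```python
"""Audit an Android app's exposure to the adb-backup / local-storage scenario.

Check 1: does the manifest allow backups (MSTG "Testing Backups for Sensitive
         Data") or ship debuggable (which also exposes the app's private data)?
Check 2: do shared preferences hold values that look like secrets in clear text
         (MASVS section 2, data storage)?
All inputs below are constructed samples, not files taken from a real app.
"""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed weak manifest: backups allowed, no backup rules, debuggable.
WEAK_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.iotcontroller">
  <application android:label="IoT Controller"
               android:allowBackup="true"
               android:debuggable="true">
  </application>
</manifest>
"""

# Constructed hardened manifest: backups refused, debuggable left at default.
HARDENED_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.iotcontroller">
  <application android:label="IoT Controller"
               android:allowBackup="false">
  </application>
</manifest>
"""

# Constructed shared_prefs file, as it would appear inside backup.tar.
SAMPLE_PREFS = """<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<map>
  <string name="device_name">kitchen-hub</string>
  <string name="api_token">eyJhbGciOiJIUzI1NiJ9.CONSTRUCTED.SAMPLE</string>
  <string name="wifi_password">hunter2</string>
  <boolean name="onboarding_done" value="true" />
</map>
"""

# Heuristic key-name hints (my choice, not an MSTG list).
SECRET_KEY_HINTS = ("password", "passwd", "secret", "token", "api_key", "apikey", "private")
# Three base64url segments separated by dots: the shape of a JWT.
JWT_RE = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$")


def audit_manifest(manifest_xml: str) -> dict:
    """Return the backup/debug exposure declared by the <application> element."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        raise ValueError("manifest has no <application> element")

    def flag(name: str, default: str) -> bool:
        # Android attributes are namespaced; fall back to the platform default.
        return app.get(f"{{{ANDROID_NS}}}{name}", default).lower() == "true"

    return {
        "package": root.get("package"),
        "allow_backup": flag("allowBackup", "true"),    # platform default is true
        "debuggable": flag("debuggable", "false"),
        "has_backup_rules": app.get(f"{{{ANDROID_NS}}}fullBackupContent") is not None,
    }


def find_secret_candidates(prefs_xml: str) -> list:
    """Flag preference entries whose key name or value shape suggests a secret."""
    hits = []
    for entry in ET.fromstring(prefs_xml):
        name = entry.get("name", "")
        value = entry.text or entry.get("value", "")
        if any(hint in name.lower() for hint in SECRET_KEY_HINTS):
            hits.append((name, "key name suggests a secret"))
        elif JWT_RE.match(value) and len(value) > 20:
            hits.append((name, "value has the shape of a JWT"))
    return hits


def audit(manifest_xml: str, prefs_xml: str) -> list:
    """Combine both checks into report lines in the spirit of MASVS section 2."""
    findings = []
    m = audit_manifest(manifest_xml)
    if m["allow_backup"] and not m["has_backup_rules"]:
        findings.append("allowBackup enabled without backup rules: app data is included in adb backup")
    if m["debuggable"]:
        findings.append("debuggable build: app private data is reachable without a backup")
    for name, why in find_secret_candidates(prefs_xml):
        findings.append(f"shared preference '{name}' is stored in clear text ({why})")
    return findings


if __name__ == "__main__":
    for label, manifest in (("weak", WEAK_MANIFEST), ("hardened", HARDENED_MANIFEST)):
        print(f"== {label} manifest ==")
        for line in audit(manifest, SAMPLE_PREFS):
            print(" -", line)
```

Secrets flagged in shared_prefs remain findings even against the hardened manifest: refusing backups only narrows one path to the data, while MASVS 2.x expects such values to be kept in the platform keystore or not stored at all.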
Security Testing with MSTG – Local
Storage
Additional Attacks Include…
- Launching an exported activity that
contains sensitive information (with tools like
Drozer for Android)
- Forensic analysis of screenshots (stored in the
Library/Caches/Snapshots/<your app> directory
on iOS devices)
- And so many more
References
• OWASP - https://www.owasp.org
• MASVS and MSTG -
https://www.owasp.org/index.php/OWASP_Mobile_Security_Testing_Guide
• iOS Application Security - David Thiel, No Starch Press
• Ponemon Institute 2017 Study on Mobile and IoT Application Security -
https://media.scmagazine.com/documents/282/2017_study_mobile_and_iot_70394.pdf
• IoT devices can hack phones -
https://www.networkworld.com/article/3138050/internet-of-things/black-hat-europe-iot-devices-can-hack-phones.html
• Mobile App Flaws of SCADA ICS Systems Could Allow Hackers To Target Critical
Infrastructure - https://securityaffairs.co/wordpress/67701/iot/scada-mobile-security.html
• Blackout: Critical Infrastructure Attacks Will Soar in 2018 -
https://www.inc.com/adam-levin/next-hackers-target-industrial-plants-critical-infrastructure.html
• Mobile malware evolution 2017 - https://securelist.com/mobile-malware-review-2017/84139/
• Critical Infrastructure and Cyber Security -
https://www.incapsula.com/blog/critical-infrastructure-cyber-security.html
Credits
Thanks to those who have supported me when
writing all this material (private joke, cf MSTG foreword)
Kudos to all OWASP authors and contributors!!!
Key takeaways
• Mobile security is an important attack vector
in IoT systems
• Significant variety of attacks
• OWASP provides resources to support:
- manufacturers in raising the security level of
their offers
- users in better understanding risks and placing
requirements on suppliers
Thanks for your attention!
Any question?