Introduction to OWASP Mobile Application Security Verification Standard (MASVS)
OWASP Geneva
12/12/2016 – Jérémy MATOS
whois securingapps
Developer background
Spent the last 10 years working between Geneva and Lausanne on security products and solutions
Focus on mobile since 2010
Now software security consultant at my own company
http://www.securingapps.com
Provide services to build security into software:
Mobile
Web
Cloud
Internet Of Things
Bitcoin/Blockchain
@SecuringApps
Introduction
Providing mobile apps is required by business
Native is often the choice:
Usability
Performance
Access to sensors
Connectivity issues
A traditional web security assessment only applies to webview integrations
A mobile application is a fat client and hence has a totally different threat model
Some of the most significant differences
Code running client side
Real local storage
Lots of APIs, including for security (e.g. encryption)
Mobile OSes are sandboxed
Much clearer than the Same Origin Policy
«Trusted» download: application stores + signature
Not an HTML hack
XSS and CSRF are not issues anymore
But access to a lot of user data
What should we check then?
SSL and certificate pinning?
Clear text storage in SQLite database?
Obfuscation?
Anti-debugging?
Encryption in Trusted Execution Environment (TEE)?
This is the goal of OWASP Mobile Application Security Verification Standard (MASVS)
https://github.com/OWASP/owasp-masvs
Project leaders: Bernhard Mueller & Sven Schleier
http://www.vantagepoint.sg/blog
Security Verification levels 1/3
Security Verification levels 2/3
Level 1: Standard Security
An application that achieves MASVS level 1 adheres to mobile application security best practices. It fulfills basic requirements in terms of code quality, handling of sensitive data, and interaction with the mobile environment. A testing process must be in place to verify the security controls. This level is appropriate for all mobile applications.
Level 2: Defense-in-Depth
Level 2 introduces advanced security controls that go beyond the standard requirements. To fulfill L2, a threat model must exist, and security must be considered during the design phase. The effectiveness of the controls must be verified using white-box testing. This level is appropriate for applications that handle sensitive data, such as mobile banking.
Security Verification levels 3/3
Level 3: Defense-in-Depth and resiliency
Level 3 adds mechanisms that increase the cost of reverse engineering the application. It can be applied to add an additional layer of protection for apps that process sensitive data. Vendors may also opt to implement the L3 requirements as a means of protecting their intellectual property and to prevent tampering with the app.
Level 4: Defense-in-Depth and strong resiliency
An application that achieves MASVS level 4 has both state-of-the-art security and strong software protections. Such an application leverages hardware security features or strong obfuscation techniques and is highly resilient against attacks and reverse engineering attempts. L4 is applicable to apps that handle highly sensitive data. The L4 controls may also serve as a means of protecting intellectual property or tamper-proofing an app.
Industry specific guidance 1/2
Industry specific guidance 2/2
Detailed verification requirements
V1 Architecture, design and threat modelling
V2 Data storage and privacy
V3 Cryptography verification
V4 Authentication and session management
V5 Network communication
V6 Interaction with the environment
V7 Code quality and build setting
V8 Resiliency against reverse engineering
V1 Architecture, design & threat modelling
At level 1, components of the application are identified and have a reason for being in the app.
At level 2 and higher, the architecture has been defined and the code adheres to the architecture. Additionally, a threat model exists that identifies potential threats.
V2 Data storage and privacy
V3 Cryptography verification
V4 Authentication and session mgmt
V5 Network communication
V6 Interaction with the environment
V7 Code quality and build setting
V8 Reverse engineering resiliency
OWASP Mobile Top 10 2016
https://www.owasp.org/index.php/Mobile_Top_10_2016-Top_10
Still a release candidate. Really alive?
More a classification of issues
Provides high-level info on what not to do, rather than detailed info on what to do
Somewhat the same categories as MASVS
Conclusion
MASVS provides clear guidance on what to check in a mobile application
Really interesting definition of security levels
And industry-specific advice
Actionable
Reasonable number of controls
Strong security requirements in general
Do not hesitate to provide feedback to the project leaders: https://github.com/OWASP/owasp-masvs