A Perspective on Mobile Security
in IoT and How OWASP can Help
Romuald SZKUDLAREK, CISSP CCSP CSSLP C|EH
romuald.szkudlarek@owasp.org

Agenda
• Mobile Application Security in IoT Architecture
• Mobile Application Security at OWASP
MASVS
MSTG
• Practical Use Cases of MASVS and MSTG

INTRODUCTION

Who Am I?
• Romuald SZKUDLAREK
• Senior Cyber Security Architect
• CISSP, CCSP, CSSLP, CEH credentials holder
• Member of OWASP
• Co-Author of Mobile Security Testing Guide
(MSTG)

MOBILE APPLICATION SECURITY IN
AN IOT ARCHITECTURE

Technical Architecture of an IoT solution
IoT device
collecting data on the field (for instance in smart xyz), OS is often Android or iOS
Cloud services
Including Authentication, IAM, Analytics, Moniroting, Storage, Device
management and Data visualization
API
Edge computing
API
End user
Using an application (web, mobile, …) for Remote management, Supervision, …

IoT Attack Surface
A significant part of the attack surface is made by
mobile:
• Local storage
• Insecure communications
• Insecure cryptography
• Insecure authentication
• Reverse engineering
• …

A few facts and figures
• Majority have little to no knowledge of the
number and type of installed mobile apps
• 79% think that using mobile apps increases
security risks (Ponemon 2017 Study on Mobile and Internet of Things Application Security)
• Few mobile apps go through security testing
• Focus on usability

Mobile Application Security (M -> I)
What can go wrong? Well,
• Mobile to IoT device: Study reports that
« Mobile App Flaws […] Could Allow Hackers
To Target Critical Infrastructure»
https://securityaffairs.co/wordpress/67701/iot/scada-mobile-security.html
• IoT device to Mobile

Mobile Application Security (I -> M)
What can go wrong? Well,
• Mobile to IoT device
• IoT device to Mobile: Belkin WeMo devices
used to attack mobile phones (Black Hat Europe, 2016)

And think about it…
What about your smart lock / smart fridge /
security cam / [take virtually any smart device]?
Hint: The architecture is the same!!!

MOBILE SECURITY AT OWASP
-
IMPROVE THE SECURITY POSTURE OF MOBILE APPS WITH
MASVS AND MSTG

OWASP
• https://www.owasp.org
• The Open Web Application Security Project is a non-for-profit
worldwide organization (US-based) that support application
security with hundreds of chapters worldwide and thousands
of members
• All OWASP tools / Documents / forums / chapters are free
• Participating in projects is FREE and everyone is welcome!

OWASP
• Not linked to any commercial company
• Organizes and sponsors world-class security
events
• Technical audience
• Meritocracy, core values are:
Open, Innovation, Global, Integrity

Why Mobile Application Security?
• Different Attack Surface
Local storage
Local authentication
OS interaction
• Different Vulnerabilities
Reverse engineering
Secret storage
Fewer (through frameworks
like Cordova) to no XSS and
CSRF (in native apps)
• 16 vulnerabilities per mobile app in average
• Malware also exists on mobile
• Anyway, « Hackers are able to penetrate mobile devices exactly in the same way
they accessed to our confidential data on our computer.» Pierluigi Paganini, ENISA

Mobile Security at OWASP
• https://www.owasp.org/index.php/OWASP_M
obile_Security_Testing_Guide
• Main deliverables are
Testing guide (MSTG)
List of requirements (MASVS)
Checklist for security assessment

A few words on… MASVS
• Mobile Application Security Verification
Standard
• Provides 3 levels of requirements in 8 domains:
- Baseline (MASVS-L1, 43 reqs)
- Defense-In-Depth (MASVS-L2, 19 reqs)
- Adds advanced reqs on resiliency against
reverse engineering and tampering (MASVS-R,
12 reqs)
• Fork of ASVS dedicated to mobile
• Provides scalability in security requirements
management
Available
Download at

MASVS requirements (extracts)

A few words on… MSTG
• Mobile Security Testing Guide
• Risk-based approach
• Promote the use of SDLC*
• Maps directly to MASVS requirements
• Native Android and iOS applications
• Use OWASP Testing Guide for the security
of server side components
• Use cases
Available
*SDLC = Secure Development Life Cycle
Download at

MSTG (table of content)

Security Testing with MSTG (extracts)

MASVS and MSTG in SDLC
• Support « Shifting left » and « Security by
design », promotes security in DevOps
• MASVS early in app creation
• MSTG in Testing phase
MASVS MSTG
Checklist

Mobile Testing Tools
MSTG has a section dedicated to Mobile Security
Testing Tools. Examples include
• Both Android & iOS :
MobSF & objection (Frameworks)
Checkmarx, Fortify & Veracode (SAST)
BurpSuite, OWASP ZAP & Wireshark (Network Analysis)
• Android :
Android Studio (IDE), Androguard / APKTool / Jadx (RE), Drozer
(Dynamic Analysis), Xposed / Cydia (Certificate pinning bypass, …)
• iOS : Xcode (IDE), Frida (Dynamic Instrumentation Toolkit), IDAPro
(debugger), cycript, gdb (Dynamic Analysis), iOS TrustMe
(Certificate pinning bypass, …)

Automating use of MASVS and MSTG
Example using BDD (Behavior Driven
Development) based on Calaba.sh :
https://www.owasp.org/images/f/fb/V2_-
_OWASP_Buscharest_Davide_Cioccia.pdf

Recognition
• Referenced by
• Governments are working on including MSTG
in their standards
• Used by many companies in many industries
in the world (banks, finance, …)
• Many requests for trainings received

Future of MASVS and MSTG
Not static:
• Bug fixing
• Follow iOS / Android new versions
• Add frameworks (Cordova, PhoneGap, …)
• Code samples for SWIFT
• As the guide is meant to evolve: milestoning and versioning strategy
• …
Volunteers are welcome!
Easy: go to https://github.com/OWASP/owasp-mstg/milestone/1 , pick
up any issue and submit your pull request!!!

Related OWASP projects
• Mobile Top 10 https://www.owasp.org/index.php/Mobile_Top_10_2016-Top_10
• Internet of Things https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project
• Cloud Security https://www.owasp.org/index.php/OWASP_Cloud_Security_Project
• Dependency Track https://www.owasp.org/index.php/OWASP_Dependency_Track_Project
• DevSecOps Studio https://www.owasp.org/index.php/OWASP_DevSecOps_Studio_Project
And so many others! Check at www.owasp.org

PRACTICAL USE CASES OF MASVS
AND MSTG

Attack scenario – Reverse Engineering
Scenario: An attacker wants to retrieve source code
of your app to (pick one):
- steal your IP
- find secrets to penetrate your network
- find flaws and manipulate your app
- repackage your app with malware
Attacker steps:
• Installs your app on his mobile (use Google Play)
• Retrieves it on his laptop (connect through USB / adb pull <package name>)
• Reverse engineers it (apktool d –f <directory> <appname>.apk or
d2j-dex2jar <file>.dex, unzip .jar and jad –o <file>.class)

MASVS Requirements – Reverse
Engineering
MASVS provides requirements (8.1 to 8.13) to
mitigate such attacks : section 8 entitled
«Resiliency Against Reverse Engineering
Requirements”.
And MSTG allows you to test the proper
implementation of these requirements!

Attack scenario – Local storage
Scenario: An attacker gets physical access to your mobile
(unsupervised or stolen mobile) and wants to find Corporate
secrets
Attacker steps:
Let’s assume the screen-locking protection is poor and has been circumvented:
• Attacker connects his laptop through USB
• Attacker performs a backup of your mobile / one of your apps (adb backup –f
backup.ab <packageName>)
• Attacker opens archive (java –jar abe.jar unpack backup.ab backup.tar and then
opens with 7-zip)
• Retrieve database / logs / preferences and analyse content

MASVS Requirements – Local storage
MASVS provides requirements (2.1 to 2.12) to
mitigate such attacks : section 2 entitled «Data
Storage and Privacy Requirements”.

Security Testing with MSTG – Local
Storage

Additional Attacks Include…
- Starting an activity exported to the outside that
contains sensitive informations (with tools like
Drozer for Android)
- Forensic analysis of screenshots (stored in
Library/Caches/Snapshots/<your app> directory
in iOS devices)
- And so many more 

References
• OWASP - https://www.owasp.org
• MASVS and MSTG -
https://www.owasp.org/index.php/OWASP_Mobile_Security_Testing_Guide
• iOS Application Security David THIEL no starch press
• Ponemon Institute 2017 Study on Mobile and IoT Application Security -
https://media.scmagazine.com/documents/282/2017_study_mobile_and_iot_70394.p
df
• IoT devices can hack phones -
https://www.networkworld.com/article/3138050/internet-of-things/black-hat-europe-
iot-devices-can-hack-phones.html
• Mobile App Flaws of SCADA ICS Systems Could Allow Hackers To Target Critical
Infrastructure - https://securityaffairs.co/wordpress/67701/iot/scada-mobile-
security.html
• Blackout: Critical Infrastructure Attacks Will Soar in 2018 - https://www.inc.com/adam-
levin/next-hackers-target-industrial-plants-critical-infrastructure.html
• Mobile malware evolution 2017 - https://securelist.com/mobile-malware-review-
2017/84139/
• Critical Infrastructure and Cyber Security - https://www.incapsula.com/blog/critical-
infrastructure-cyber-security.html

Thanks to those who have supported me when
writting all this material (private joke, cf MSTG foreword)
Kudos to all OWASP authors and contributors!!!
Credits

• Mobile security is an important attack vector
in IoT systems
• Significant variety of attacks
• OWASP provide resources to support:
- manufacturers in raising the security level of
their offers
- users to better understand risks and place
requirements on suppliers
Key takeaways

Thanks for your attention!
Any question?