Ce diaporama a bien été signalé.
Nous utilisons votre profil LinkedIn et vos données d’activité pour vous proposer des publicités personnalisées et pertinentes. Vous pouvez changer vos préférences de publicités à tout moment.

Mobile Security at OWASP - MASVS and MSTG

263 vues

Publié le

This is about the Mobile Application Security Verification Standard (MASVS) and the Mobile Security Testing Guide (MSTG) from OWASP. This relates my experience both as an author and a user of these resources and includes some practical examples of what mobile security means and why it is important in IoT.
The whole set of documents can be found at https://www.owasp.org/index.php/OWASP_Mobile_Security_Testing_Guide

Publié dans : Technologie
  • Soyez le premier à commenter

Mobile Security at OWASP - MASVS and MSTG

  1. 1. A Perspective on Mobile Security in IoT and How OWASP can Help Romuald SZKUDLAREK, CISSP CCSP CSSLP C|EH romuald.szkudlarek@owasp.org
  2. 2. Agenda • Mobile Application Security in IoT Architecture • Mobile Application Security at OWASP MASVS MSTG • Practical Use Cases of MASVS and MSTG
  3. 3. INTRODUCTION
  4. 4. Who Am I? • Romuald SZKUDLAREK • Senior Cyber Security Architect • CISSP, CCSP, CSSLP, CEH credentials holder • Member of OWASP • Co-Author of Mobile Security Testing Guide (MSTG)
  5. 5. MOBILE APPLICATION SECURITY IN AN IOT ARCHITECTURE
  6. 6. Technical Architecture of an IoT solution IoT device collecting data on the field (for instance in smart xyz), OS is often Android or iOS Cloud services Including Authentication, IAM, Analytics, Moniroting, Storage, Device management and Data visualization API Edge computing API End user Using an application (web, mobile, …) for Remote management, Supervision, …
  7. 7. IoT Attack Surface A significant part of the attack surface is made by mobile: • Local storage • Insecure communications • Insecure cryptography • Insecure authentication • Reverse engineering • …
  8. 8. A few facts and figures • Majority have little to no knowledge of the number and type of installed mobile apps • 79% think that using mobile apps increases security risks (Ponemon 2017 Study on Mobile and Internet of Things Application Security) • Few mobile apps go through security testing • Focus on usability
  9. 9. Mobile Application Security (M -> I) What can go wrong? Well, • Mobile to IoT device: Study reports that « Mobile App Flaws […] Could Allow Hackers To Target Critical Infrastructure» https://securityaffairs.co/wordpress/67701/iot/scada-mobile-security.html • IoT device to Mobile
  10. 10. Mobile Application Security (I -> M) What can go wrong? Well, • Mobile to IoT device • IoT device to Mobile: Belkin WeMo devices used to attack mobile phones (Black Hat Europe, 2016)
  11. 11. And think about it… What about your smart lock / smart fridge / security cam / [take virtually any smart device]? Hint: The architecture is the same!!!
  12. 12. MOBILE SECURITY AT OWASP - IMPROVE THE SECURITY POSTURE OF MOBILE APPS WITH MASVS AND MSTG
  13. 13. OWASP • https://www.owasp.org • The Open Web Application Security Project is a non-for-profit worldwide organization (US-based) that support application security with hundreds of chapters worldwide and thousands of members • All OWASP tools / Documents / forums / chapters are free • Participating in projects is FREE and everyone is welcome!
  14. 14. OWASP • Not linked to any commercial company • Organizes and sponsors world-class security events • Technical audience • Meritocracy, core values are: Open, Innovation, Global, Integrity
  15. 15. Why Mobile Application Security? • Different Attack Surface Local storage Local authentication OS interaction • Different Vulnerabilities Reverse engineering Secret storage Fewer (through frameworks like Cordova) to no XSS and CSRF (in native apps) • 16 vulnerabilities per mobile app in average • Malware also exists on mobile • Anyway, « Hackers are able to penetrate mobile devices exactly in the same way they accessed to our confidential data on our computer.» Pierluigi Paganini, ENISA
  16. 16. Mobile Security at OWASP • https://www.owasp.org/index.php/OWASP_M obile_Security_Testing_Guide • Main deliverables are Testing guide (MSTG) List of requirements (MASVS) Checklist for security assessment
  17. 17. A few words on… MASVS • Mobile Application Security Verification Standard • Provides 3 levels of requirements in 8 domains: - Baseline (MASVS-L1, 43 reqs) - Defense-In-Depth (MASVS-L2, 19 reqs) - Adds advanced reqs on resiliency against reverse engineering and tampering (MASVS-R, 12 reqs) • Fork of ASVS dedicated to mobile • Provides scalability in security requirements management Available Download at
  18. 18. MASVS requirements (extracts)
  19. 19. A few words on… MSTG • Mobile Security Testing Guide • Risk-based approach • Promote the use of SDLC* • Maps directly to MASVS requirements • Native Android and iOS applications • Use OWASP Testing Guide for the security of server side components • Use cases Available *SDLC = Secure Development Life Cycle Download at
  20. 20. MSTG (table of content)
  21. 21. Security Testing with MSTG (extracts)
  22. 22. MASVS and MSTG in SDLC • Support « Shifting left » and « Security by design », promotes security in DevOps • MASVS early in app creation • MSTG in Testing phase MASVS MSTG Checklist
  23. 23. Mobile Testing Tools MSTG has a section dedicated to Mobile Security Testing Tools. Examples include • Both Android & iOS : MobSF & objection (Frameworks) Checkmarx, Fortify & Veracode (SAST) BurpSuite, OWASP ZAP & Wireshark (Network Analysis) • Android : Android Studio (IDE), Androguard / APKTool / Jadx (RE), Drozer (Dynamic Analysis), Xposed / Cydia (Certificate pinning bypass, …) • iOS : Xcode (IDE), Frida (Dynamic Instrumentation Toolkit), IDAPro (debugger), cycript, gdb (Dynamic Analysis), iOS TrustMe (Certificate pinning bypass, …)
  24. 24. Automating use of MASVS and MSTG Example using BDD (Behavior Driven Development) based on Calaba.sh : https://www.owasp.org/images/f/fb/V2_- _OWASP_Buscharest_Davide_Cioccia.pdf
  25. 25. Recognition • Referenced by • Governments are working on including MSTG in their standards • Used by many companies in many industries in the world (banks, finance, …) • Many requests for trainings received
  26. 26. Future of MASVS and MSTG Not static: • Bug fixing • Follow iOS / Android new versions • Add frameworks (Cordova, PhoneGap, …) • Code samples for SWIFT • As the guide is meant to evolve: milestoning and versioning strategy • … Volunteers are welcome! Easy: go to https://github.com/OWASP/owasp-mstg/milestone/1 , pick up any issue and submit your pull request!!!
  27. 27. Related OWASP projects • Mobile Top 10 https://www.owasp.org/index.php/Mobile_Top_10_2016-Top_10 • Internet of Things https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project • Cloud Security https://www.owasp.org/index.php/OWASP_Cloud_Security_Project • Dependency Track https://www.owasp.org/index.php/OWASP_Dependency_Track_Project • DevSecOps Studio https://www.owasp.org/index.php/OWASP_DevSecOps_Studio_Project And so many others! Check at www.owasp.org
  28. 28. PRACTICAL USE CASES OF MASVS AND MSTG
  29. 29. Attack scenario – Reverse Engineering Scenario: An attacker wants to retrieve source code of your app to (pick one): - steal your IP - find secrets to penetrate your network - find flaws and manipulate your app - repackage your app with malware Attacker steps: • Installs your app on his mobile (use Google Play) • Retrieves it on his laptop (connect through USB / adb pull <package name>) • Reverse engineers it (apktool d –f <directory> <appname>.apk or d2j-dex2jar <file>.dex, unzip .jar and jad –o <file>.class)
  30. 30. MASVS Requirements – Reverse Engineering MASVS provides requirements (8.1 to 8.13) to mitigate such attacks : section 8 entitled «Resiliency Against Reverse Engineering Requirements”. And MSTG allows you to test the proper implementation of these requirements!
  31. 31. Attack scenario – Local storage Scenario: An attacker gets physical access to your mobile (unsupervised or stolen mobile) and wants to find Corporate secrets Attacker steps: Let’s assume the screen-locking protection is poor and has been circumvented: • Attacker connects his laptop through USB • Attacker performs a backup of your mobile / one of your apps (adb backup –f backup.ab <packageName>) • Attacker opens archive (java –jar abe.jar unpack backup.ab backup.tar and then opens with 7-zip) • Retrieve database / logs / preferences and analyse content
  32. 32. MASVS Requirements – Local storage MASVS provides requirements (2.1 to 2.12) to mitigate such attacks : section 2 entitled «Data Storage and Privacy Requirements”.
  33. 33. Security Testing with MSTG – Local Storage
  34. 34. Additional Attacks Include… - Starting an activity exported to the outside that contains sensitive informations (with tools like Drozer for Android) - Forensic analysis of screenshots (stored in Library/Caches/Snapshots/<your app> directory in iOS devices) - And so many more 
  35. 35. References • OWASP - https://www.owasp.org • MASVS and MSTG - https://www.owasp.org/index.php/OWASP_Mobile_Security_Testing_Guide • iOS Application Security David THIEL no starch press • Ponemon Institute 2017 Study on Mobile and IoT Application Security - https://media.scmagazine.com/documents/282/2017_study_mobile_and_iot_70394.p df • IoT devices can hack phones - https://www.networkworld.com/article/3138050/internet-of-things/black-hat-europe- iot-devices-can-hack-phones.html • Mobile App Flaws of SCADA ICS Systems Could Allow Hackers To Target Critical Infrastructure - https://securityaffairs.co/wordpress/67701/iot/scada-mobile- security.html • Blackout: Critical Infrastructure Attacks Will Soar in 2018 - https://www.inc.com/adam- levin/next-hackers-target-industrial-plants-critical-infrastructure.html • Mobile malware evolution 2017 - https://securelist.com/mobile-malware-review- 2017/84139/ • Critical Infrastructure and Cyber Security - https://www.incapsula.com/blog/critical- infrastructure-cyber-security.html
  36. 36. Thanks to those who have supported me when writting all this material (private joke, cf MSTG foreword) Kudos to all OWASP authors and contributors!!! Credits
  37. 37. • Mobile security is an important attack vector in IoT systems • Significant variety of attacks • OWASP provide resources to support: - manufacturers in raising the security level of their offers - users to better understand risks and place requirements on suppliers Key takeaways
  38. 38. Thanks for your attention! Any question?

×