This is about the Mobile Application Security Verification Standard (MASVS) and the Mobile Security Testing Guide (MSTG) from OWASP. This relates my experience both as an author and a user of these resources and includes some practical examples of what mobile security means and why it is important in IoT.
The whole set of documents can be found at https://www.owasp.org/index.php/OWASP_Mobile_Security_Testing_Guide
6. Technical Architecture of an IoT solution
• IoT device: collecting data in the field (for instance in smart xyz); the OS is often Android or iOS
• Cloud services: including Authentication, IAM, Analytics, Monitoring, Storage, Device management and Data visualization
• API
• Edge computing
• API
• End user: using an application (web, mobile, …) for remote management, supervision, …
7. IoT Attack Surface
A significant part of the attack surface comes from mobile:
• Local storage
• Insecure communications
• Insecure cryptography
• Insecure authentication
• Reverse engineering
• …
8. A few facts and figures
• The majority have little to no knowledge of the number and type of installed mobile apps
• 79% think that using mobile apps increases security risks (Ponemon 2017 Study on Mobile and Internet of Things Application Security)
• Few mobile apps go through security testing
• Focus on usability
9. Mobile Application Security (M -> I)
What can go wrong? Well,
• Mobile to IoT device: a study reports that « Mobile App Flaws […] Could Allow Hackers To Target Critical Infrastructure » https://securityaffairs.co/wordpress/67701/iot/scada-mobile-security.html
• IoT device to Mobile
10. Mobile Application Security (I -> M)
What can go wrong? Well,
• Mobile to IoT device
• IoT device to Mobile: Belkin WeMo devices used to attack mobile phones (Black Hat Europe, 2016)
11. And think about it…
What about your smart lock / smart fridge / security cam / [take virtually any smart device]?
Hint: the architecture is the same!!!
12. Mobile Security at OWASP: improve the security posture of mobile apps with MASVS and MSTG
13. OWASP
• https://www.owasp.org
• The Open Web Application Security Project is a not-for-profit worldwide organization (US-based) that supports application security with hundreds of chapters worldwide and thousands of members
• All OWASP tools / Documents / forums / chapters are free
• Participating in projects is FREE and everyone is welcome!
14. OWASP
• Not linked to any commercial company
• Organizes and sponsors world-class security events
• Technical audience
• Meritocracy, core values are:
Open, Innovation, Global, Integrity
15. Why Mobile Application Security?
• Different attack surface
- Local storage
- Local authentication
- OS interaction
• Different vulnerabilities
- Reverse engineering
- Secret storage
- Fewer (through frameworks like Cordova) to no XSS and CSRF (in native apps)
• 16 vulnerabilities per mobile app on average
• Malware also exists on mobile
• Anyway, « Hackers are able to penetrate mobile devices exactly in the same way they accessed our confidential data on our computer. » Pierluigi Paganini, ENISA
16. Mobile Security at OWASP
• https://www.owasp.org/index.php/OWASP_Mobile_Security_Testing_Guide
• Main deliverables are
- Testing guide (MSTG)
- List of requirements (MASVS)
- Checklist for security assessment
17. A few words on… MASVS
• Mobile Application Security Verification Standard
• Provides 3 levels of requirements in 8 domains:
- Baseline (MASVS-L1, 43 reqs)
- Defense-In-Depth (MASVS-L2, 19 reqs)
- Adds advanced reqs on resiliency against reverse engineering and tampering (MASVS-R, 12 reqs)
• Fork of ASVS dedicated to mobile
• Provides scalability in security requirements management
19. A few words on… MSTG
• Mobile Security Testing Guide
• Risk-based approach
• Promote the use of SDLC*
• Maps directly to MASVS requirements
• Native Android and iOS applications
• Use OWASP Testing Guide for the security of server-side components
• Use cases
*SDLC = Secure Development Life Cycle
22. MASVS and MSTG in SDLC
• Support « Shifting left » and « Security by design », promotes security in DevOps
• MASVS early in app creation
• MSTG in Testing phase
(Figure: MASVS, MSTG and the Checklist across the SDLC)
24. Automating use of MASVS and MSTG
Example using BDD (Behavior Driven Development) based on Calaba.sh:
https://www.owasp.org/images/f/fb/V2_-_OWASP_Buscharest_Davide_Cioccia.pdf
25. Recognition
• Referenced by
• Governments are working on including MSTG in their standards
• Used by many companies in many industries in the world (banks, finance, …)
• Many requests for trainings received
26. Future of MASVS and MSTG
Not static:
• Bug fixing
• Follow iOS / Android new versions
• Add frameworks (Cordova, PhoneGap, …)
• Code samples for SWIFT
• As the guide is meant to evolve: milestoning and versioning strategy
• …
Volunteers are welcome!
Easy: go to https://github.com/OWASP/owasp-mstg/milestone/1 , pick up any issue and submit your pull request!!!
27. Related OWASP projects
• Mobile Top 10 https://www.owasp.org/index.php/Mobile_Top_10_2016-Top_10
• Internet of Things https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project
• Cloud Security https://www.owasp.org/index.php/OWASP_Cloud_Security_Project
• Dependency Track https://www.owasp.org/index.php/OWASP_Dependency_Track_Project
• DevSecOps Studio https://www.owasp.org/index.php/OWASP_DevSecOps_Studio_Project
And so many others! Check at www.owasp.org
29. Attack scenario – Reverse Engineering
Scenario: An attacker wants to retrieve the source code of your app to (pick one):
- steal your IP
- find secrets to penetrate your network
- find flaws and manipulate your app
- repackage your app with malware
Attacker steps:
• Installs your app on his mobile (use Google Play)
• Retrieves it on his laptop (connect through USB / adb pull <package name>)
• Reverse engineers it (apktool d -f <directory> <appname>.apk or d2j-dex2jar <file>.dex, unzip .jar and jad -o <file>.class)
30. MASVS Requirements – Reverse Engineering
MASVS provides requirements (8.1 to 8.13) to mitigate such attacks: section 8 entitled « Resiliency Against Reverse Engineering Requirements ».
And MSTG allows you to test the proper implementation of these requirements!
31. Attack scenario – Local storage
Scenario: An attacker gets physical access to your mobile (unsupervised or stolen mobile) and wants to find corporate secrets
Attacker steps:
Let’s assume the screen-locking protection is poor and has been circumvented:
• Attacker connects his laptop through USB
• Attacker performs a backup of your mobile / one of your apps (adb backup -f backup.ab <packageName>)
• Attacker opens the archive (java -jar abe.jar unpack backup.ab backup.tar and then opens it with 7-zip)
• Retrieves database / logs / preferences and analyses the content
32. MASVS Requirements – Local storage
MASVS provides requirements (2.1 to 2.12) to mitigate such attacks: section 2 entitled « Data Storage and Privacy Requirements ».
34. Additional Attacks Include…
- Starting an activity exported to the outside that contains sensitive information (with tools like Drozer for Android)
- Forensic analysis of screenshots (stored in the Library/Caches/Snapshots/<your app> directory on iOS devices)
- And so many more
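The local-storage and exported-activity scenarios above both start from settings that live in AndroidManifest.xml (backup allowed, debuggable build, components exported without a permission). The script below is an added example, not part of the original deck or of MSTG, that flags those settings the way a MASVS section 2 / platform-interaction review would; the manifest it checks is a constructed sample (package name and component names are invented).

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest (not from any real app) showing the weak settings
# discussed above: backup allowed, debuggable, exported activity without permission.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.iotctl">
  <application android:allowBackup="true" android:debuggable="true">
    <activity android:name=".DeviceSecretsActivity" android:exported="true"/>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter><action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/></intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true" android:permission="com.example.PERM"/>
  </application>
</manifest>"""

def _attr(elem, name, default=None):
    # Attributes in the android: namespace are keyed as {namespace}name by ElementTree
    return elem.get(f"{{{ANDROID_NS}}}{name}", default)

def check_manifest(xml_text):
    """Return a list of (finding, detail) tuples for the given manifest text."""
    findings = []
    root = ET.fromstring(xml_text)
    app = root.find("application")
    if app is None:
        return [("no-application", "manifest has no <application> element")]
    # allowBackup defaults to true on Android, so an absent attribute is also a finding
    if _attr(app, "allowBackup", "true") == "true":
        findings.append(("allowBackup", "adb backup can export app data; set android:allowBackup=\"false\""))
    if _attr(app, "debuggable", "false") == "true":
        findings.append(("debuggable", "release build must not be debuggable"))
    for comp in app:
        if comp.tag not in ("activity", "service", "receiver", "provider"):
            continue
        name = _attr(comp, "name", "?")
        exported = _attr(comp, "exported")
        has_filter = comp.find("intent-filter") is not None
        # A component with an intent-filter and no explicit android:exported is exported by default
        is_exported = exported == "true" or (exported is None and has_filter)
        is_launcher = any(_attr(c, "name") == "android.intent.category.LAUNCHER"
                          for c in comp.iter("category"))
        if is_exported and not is_launcher and _attr(comp, "permission") is None:
            findings.append(("exported-unprotected", f"{comp.tag} {name} is exported without a permission"))
    return findings

if __name__ == "__main__":
    for kind, detail in check_manifest(SAMPLE_MANIFEST):
        print(f"[{kind}] {detail}")
```

The launcher activity is skipped because it has to be exported, and the service is skipped because its android:permission attribute already gates callers.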
35. References
• OWASP - https://www.owasp.org
• MASVS and MSTG - https://www.owasp.org/index.php/OWASP_Mobile_Security_Testing_Guide
• iOS Application Security, David Thiel, No Starch Press
• Ponemon Institute 2017 Study on Mobile and IoT Application Security - https://media.scmagazine.com/documents/282/2017_study_mobile_and_iot_70394.pdf
• IoT devices can hack phones - https://www.networkworld.com/article/3138050/internet-of-things/black-hat-europe-iot-devices-can-hack-phones.html
• Mobile App Flaws of SCADA ICS Systems Could Allow Hackers To Target Critical Infrastructure - https://securityaffairs.co/wordpress/67701/iot/scada-mobile-security.html
• Blackout: Critical Infrastructure Attacks Will Soar in 2018 - https://www.inc.com/adam-levin/next-hackers-target-industrial-plants-critical-infrastructure.html
• Mobile malware evolution 2017 - https://securelist.com/mobile-malware-review-2017/84139/
• Critical Infrastructure and Cyber Security - https://www.incapsula.com/blog/critical-infrastructure-cyber-security.html
36. Credits
Thanks to those who have supported me when writing all this material (private joke, cf MSTG foreword)
Kudos to all OWASP authors and contributors!!!
37. Key takeaways
• Mobile security is an important attack vector in IoT systems
• Significant variety of attacks
• OWASP provides resources to support:
- manufacturers in raising the security level of their offers
- users to better understand risks and place requirements on suppliers