  • Introduction to OWASP Mobile Application Security Verification Standard (MASVS)

    OWASP Geneva

    12/12/2016, Jérémy MATOS

  • whois securingapps

    Developer background
    Spent the last 10 years working between Geneva and Lausanne on security products and solutions
    Focus on mobile since 2010
    Now software security consultant at my own company: http://www.securingapps.com
    Provide services to build security in software: Mobile, Web, Cloud, Internet of Things, Bitcoin/Blockchain
    @SecuringApps

  • Introduction

    Providing mobile apps is required by business
    Native is often the choice: usability, performance, access to sensors, connectivity issues
    A traditional web security assessment only applies to webview integrations
    A mobile application is a fat client and hence has a totally different threat model

  • Some of the most significant differences

    Code running client side
    Real local storage
    Lots of APIs, including for security (e.g. encryption)
    Mobile OSes are sandboxed: much clearer than the Same Origin Policy
    Trusted download: application stores + signature
    Not an HTML hack: XSS and CSRF are not issues anymore
    But access to a lot of user data

  • What should we check then?

    SSL and certificate pinning?
    Cleartext storage in SQLite database?
    Obfuscation?
    Anti-debugging?
    Encryption in Trusted Execution Environment (TEE)?

    This is the goal of the OWASP Mobile Application Security Verification Standard (MASVS). Project leaders: Bernhard Mueller & Sven Schleier
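The "cleartext storage in SQLite database" check above is one of the MASVS V2 (data storage) items. The script below is an added example, not code from the slides or from the MASVS project: it builds a constructed in-memory SQLite store that mimics an app's local database, then scans every table for columns whose names suggest sensitive data and flags values that are plainly readable instead of hashed or encrypted. The column-name list, the entropy thresholds and the sample rows are all assumptions made for the example.

```python
"""Audit an app's SQLite store for cleartext secrets (a MASVS V2-style check).

Added example, not code from the slides or the MASVS project: it builds a
constructed in-memory database that mimics an app's local store, then scans
every table for columns whose names suggest sensitive data and flags values
that are plainly readable instead of hashed or encrypted.
"""
import base64
import hashlib
import math
import re
import sqlite3

# Column names that often hold sensitive data. Assumed list; a real audit would
# tune it per app. Substring matching errs on the side of false positives.
SENSITIVE_NAME_RE = re.compile(
    r"pass(word|wd)?|secret|token|pin|ssn|card|cvv|key|session", re.IGNORECASE
)
HEX_RE = re.compile(r"^[0-9a-fA-F]{32,}$")            # hash / hex ciphertext
B64_RE = re.compile(r"^[A-Za-z0-9+/]{24,}={0,2}$")    # base64 ciphertext


def shannon_entropy(text: str) -> float:
    """Bits per character; readable words score low, hashes and ciphertext high."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n)
                for c in (text.count(ch) for ch in set(text)))


def looks_protected(value) -> bool:
    """Heuristic: a value is 'protected' when it is long hex or base64 with
    entropy near the maximum for that alphabet (4 bits for hex, 6 for base64)."""
    if not isinstance(value, str):
        return False
    if HEX_RE.match(value):
        return shannon_entropy(value) > 3.0
    if B64_RE.match(value):
        return shannon_entropy(value) > 4.0
    return False


def _quote(identifier: str) -> str:
    """Quote an SQLite identifier taken from sqlite_master / PRAGMA output."""
    return '"' + identifier.replace('"', '""') + '"'


def find_cleartext_secrets(conn: sqlite3.Connection) -> list:
    """Return (table, column, value) triples for sensitive columns whose stored
    value does not look hashed or encrypted."""
    findings = []
    tables = [row[0] for row in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")]
    for table in tables:
        columns = [row[1] for row in conn.execute(f"PRAGMA table_info({_quote(table)})")]
        sensitive = [c for c in columns if SENSITIVE_NAME_RE.search(c)]
        if not sensitive:
            continue
        select_list = ", ".join(_quote(c) for c in sensitive)
        for row in conn.execute(f"SELECT {select_list} FROM {_quote(table)}"):
            for column, value in zip(sensitive, row):
                if value is not None and not looks_protected(value):
                    findings.append((table, column, str(value)))
    return findings


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample store: one row keeps secrets in the clear, the other
    keeps a value shaped like ciphertext produced with a keystore-backed key."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE accounts (id INTEGER, username TEXT, password TEXT, api_token TEXT);
        CREATE TABLE prefs (name TEXT, value TEXT);
    """)
    # Stand-in for real ciphertext: a deterministic 32-byte digest, base64-encoded.
    pseudo_ciphertext = base64.b64encode(
        hashlib.sha256(b"constructed sample ciphertext").digest()).decode()
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?, ?)", [
        (1, "alice", "hunter2", "tok-plaintext-12345"),   # cleartext: flagged
        (2, "bob", None, pseudo_ciphertext),               # ciphertext-like: not flagged
    ])
    conn.execute("INSERT INTO prefs VALUES ('theme', 'dark')")
    conn.commit()
    return conn


if __name__ == "__main__":
    for table, column, value in find_cleartext_secrets(build_sample_db()):
        print(f"cleartext secret in {table}.{column}: {value!r}")
```

Run against a database pulled from a test device, the scan reports the two cleartext rows in the constructed sample and stays quiet on the base64 ciphertext. It is a triage aid, not proof: an entropy heuristic cannot tell a properly encrypted value from a hash of a weak password, so every hit still needs a manual look at how the value is produced, and the MASVS remedy for a confirmed finding is to stop storing the value locally or to encrypt it with a key held in the platform keystore rather than in the app.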

  • Security Verification levels 1/3

  • Security Verification levels 2/3

    Level 1: Standard Security. An application that achieves MASVS level 1 adheres to mobile application security best practices. It fulfills basic requirements in terms of code quality, handling of sensitive data, and interaction with the mobile environment. A testing process must be in place to verify the security controls. This level is appropriate for all mobile applications.

    Level 2: Defense-in-Depth. Level 2 introduces advanced security controls that go beyond the standard requirements. To fulfill L2, a threat model must exist, and security must be considered during the design phase. The effectiveness of the controls must be verified using white-box testing. This level is appropriate for applications that handle sensitive data, such as mobile banking.

  • Security Verification levels 3/3

    Level 3: Defense-in-Depth and resiliency. Level 3 adds mechanisms that increase the cost of reverse engineering the application. It can be applied to add an additional layer of protection for apps that process sensitive data. Vendors may also opt to implement the L3 requirements as a means of protecting their intellectual property and to prevent tampering with the app.

    Level 4: Defense-in-Depth and strong resiliency. An application that achieves MASVS level 4 has both state-of-the-art security and strong software protections. Such an application leverages hardware security features or strong obfuscation techniques and is highly resilient against attacks and reverse engineering attempts. L4 is applicable to apps that handle highly sensitive data. The L4 controls may also serve as a means of protecting intellectual property or tamper-proofing an app.

  • Industry specific guidance 1/2

  • Industry specific guidance 2/2

  • Detailed verification requirements

    V1 Architecture, design and threat modelling
    V2 Data storage and privacy
    V3 Cryptography verification
    V4 Authentication and session management
    V5 Network communication
    V6 Interaction with the environment
    V7 Code quality and build settings
    V8 Resiliency against reverse engineering

  • V1 Architecture, design & threat modelling

  • V2 Data storage and privacy

  • V3 Cryptography verification

  • V4 Authentication and session mgmt

  • V5 Network communication

  • V6 Interaction with the environment

  • V7 Code quality and build setting

  • V8 Reverse engineering resiliency

  • OWASP Mobile Top 10 2016 release candidate. Really alive?

    More a classification of issues
    Provides high-level info on what not to do, rather than detailed info on what to do
    Roughly the same categories as MASVS

  • Conclusion

    MASVS provides clear guidance on what to check in a mobile application
    Really interesting definition of security levels
    And industry-specific advice
    Actionable
    Reasonable number of controls
    Strong security requirements in general

    Do not hesitate to provide feedback to the project leaders:

  • Thank you!

    Any question?

    [email protected]
