Introduction to OWASP Mobile Application Security Verification Standard (MASVS)
OWASP Geneva
12/12/2016 – Jérémy MATOS
whois securingapps
Developer background
Spent last 10 years working between Geneva and Lausanne on security products and solutions
Focus on mobile since 2010
Now software security consultant at my own company
http://www.securingapps.com
Provide services to build security in software
Mobile
Web
Cloud
Internet Of Things
Bitcoin/Blockchain
@SecuringApps
Introduction
Providing mobile apps is required by business
Native is often the choice:
Usability
Performance
Access to sensors
Connectivity issues
A traditional web security assessment only applies to webview integrations
A mobile application is a fat client and hence has a totally different threat model
Some of the most significant differences:
Code running client side
Real local storage
Lots of APIs, including for security (e.g. encryption)
Mobile OSes are sandboxed: much clearer than the Same Origin Policy
"Trusted" download: application stores + signature
Not an HTML hack: XSS and CSRF are not issues anymore
But access to a lot of user data
What should we check then?
SSL and certificate pinning?
Clear text storage in SQLite database?
Obfuscation?
Anti-debugging?
Encryption in Trusted Execution Environment (TEE)?
This is the goal of OWASP Mobile Application Security Verification Standard (MASVS)
https://github.com/OWASP/owasp-masvs
Project leaders: Bernard Mueller & Sven Schleier
http://www.vantagepoint.sg/blog
Security Verification levels 1/3
Security Verification levels 2/3
Level 1: Standard Security
An application that achieves MASVS level 1 adheres to mobile application security best practices. It fulfills basic requirements in terms of code quality, handling of sensitive data, and interaction with the mobile environment. A testing process must be in place to verify the security controls. This level is appropriate for all mobile applications.
Level 2: Defense-in-Depth
Level 2 introduces advanced security controls that go beyond the standard requirements. To fulfill L2, a threat model must exist, and security must be considered during the design phase. The effectiveness of the controls must be verified using white-box testing. This level is appropriate for applications that handle sensitive data, such as mobile banking.
Security Verification levels 3/3
Level 3: Defense-in-Depth and resiliency
Level 3 adds mechanisms that increase the cost of reverse engineering the application. It can be applied to add an additional layer of protection for apps that process sensitive data. Vendors may also opt to implement the L3 requirements as a means of protecting their intellectual property and to prevent tampering with the app.
Level 4: Defense-in-Depth and strong resiliency
An application that achieves MASVS level 4 has both state-of-the-art security and strong software protections. Such an application leverages hardware security features or strong obfuscation techniques and is highly resilient against attacks and reverse engineering attempts. L4 is applicable to apps that handle highly sensitive data. The L4 controls may also serve as a means of protecting intellectual property or tamper-proofing an app.
Industry specific guidance 1/2
Industry specific guidance 2/2
Detailed verification requirements
V1 Architecture, design and threat modelling
V2 Data storage and privacy
V3 Cryptography verification
V4 Authentication and session management
V5 Network communication
V6 Interaction with the environment
V7 Code quality and build setting
V8 Resiliency against reverse engineering
V1 Architecture, design & threat modelling
At level 1, components of the application are identified and have a reason for being in the app. At level 2 and higher, the architecture has been defined and the code adheres to the architecture. Additionally, a threat model exists that identifies potential threats.
V2 Data storage and privacy
V3 Cryptography verification
V4 Authentication and session mgmt
V5 Network communication
V6 Interaction with the environment
V7 Code quality and build setting
V8 Reverse engineering resiliency
OWASP Mobile Top 10 2016
https://www.owasp.org/index.php/Mobile_Top_10_2016-Top_10
Still a release candidate. Really alive?
More a classification of issues
Provides high level info on what not to do, rather than detailed info on what to do
Roughly the same categories as MASVS
Conclusion
MASVS provides clear guidance on what to check in a mobile application
Really interesting definition of security levels
And industry specific advice
Actionable
Reasonable number of controls
Strong security requirements in general
Do not hesitate to provide feedback to the project leaders: https://github.com/OWASP/owasp-masvs