Summary

Overview

General Mobile App Testing Guide

Android Testing Guide

iOS Testing Guide

Appendix

Foreword

Mobile Application Security Testing Guide

Frontispiece

About the OWASP Mobile Security Testing Guide

Copyright and License

Acknowledgements

Authors

Co-Authors

Top Contributors

Contributors

Reviewers

Editors

Others

Older Versions

Overview

Introduction to the OWASP Mobile Security Testing Guide

Key Areas in Mobile Application Security

The OWASP Mobile AppSec Verification Standard

Navigating the Mobile Security Testing Guide

General Testing Guide

Mobile App Taxonomy

Native App

Web App

Hybrid App

Progressive Web App

What's Covered in the Mobile Testing Guide?

Mobile App Security Testing

Principles of Testing

Security Testing and the SDLC

References

Tampering and Reverse Engineering

Why You Need It

Basic Tampering Techniques

Static and Dynamic Binary Analysis

Advanced Techniques

Mobile App Authentication Architectures

Stateful vs. Stateless Authentication

Verifying that Appropriate Authentication is in Place

Testing Authentication

Testing Stateful Session Management

Testing Stateless (Token-Based) Authentication

User Logout and Session Timeouts

Testing OAuth 2.0 Flows

Login Activity and Device Blocking

References

Testing Network Communication

Intercepting HTTP(S) Traffic

Intercepting Traffic on the Network Layer

Verifying Data Encryption on the Network

Making Sure that Critical Operations Use Secure Communication Channels

References

Cryptography for Mobile Apps

Key Concepts

Identifying Insecure and/or Deprecated Cryptographic Algorithms

Common Configuration Issues

Cryptographic APIs on Android and iOS

Testing Code Quality

Injection Flaws

Memory Corruption Bugs

Cross-Site Scripting Flaws

References

Testing Application Security on Android

Android Platform Overview

Android Security Architecture

Android Application Structure

Signing and Publishing Process

Setting up a Testing Environment for Android Apps

Testing Methods

Tampering and Reverse Engineering on Android

What You Need

Enabling Developer Mode

Building a Reverse Engineering Environment for Free

Reverse Engineering

Tampering and Runtime Instrumentation

Binary Analysis Frameworks

Customizing Android for Reverse Engineering

Data Storage on Android

Testing Local Storage for Sensitive Data

Testing Logs for Sensitive Data

Determining Whether Sensitive Data is Sent to Third Parties

Determining Whether the Keyboard Cache Is Disabled for Text Input Fields

Determining Whether Sensitive Stored Data Has Been Exposed via IPC Mechanisms

Checking for Sensitive Data Disclosure Through the User Interface

Testing Backups for Sensitive Data

Finding Sensitive Information in Auto-Generated Screenshots

Checking Memory for Sensitive Data

Testing the Device-Access-Security Policy

References

Android Cryptographic APIs

Verifying the Configuration of Cryptographic Standard Algorithms

Testing Random Number Generation

Testing Key Management

References

Local Authentication on Android

Testing Confirm Credentials

Testing Biometric Authentication

References

Android Network APIs

Testing Endpoint Identity Verification

Testing Custom Certificate Stores and Certificate Pinning

Testing the Network Security Configuration Settings

Testing Default Network Security Configuration

Testing the Security Provider

Android Platform APIs

Testing App Permissions

Testing Custom URL Schemes

Testing for Sensitive Functionality Exposure Through IPC

Testing JavaScript Execution in WebViews

Testing WebView Protocol Handlers

Determining Whether Java Objects Are Exposed Through WebViews

Testing for Fragment Injection

Testing Object Persistence

References

Code Quality and Build Settings of Android Apps

Making Sure That the App is Properly Signed

Determining Whether the App is Debuggable

Finding Debugging Symbols

Finding Debugging Code and Verbose Error Logging

Testing for Injection Flaws

Testing Exception Handling

Make Sure That Free Security Features Are Activated

References

Checking for Weaknesses in Third Party Libraries

Android Anti-Reversing Defenses

Testing Root Detection

Testing Anti-Debugging

Testing File Integrity Checks

Testing the Detection of Reverse Engineering Tools

Testing Emulator Detection

Testing Runtime Integrity Checks

Testing Device Binding

Testing Obfuscation

References

Testing Application Security on iOS

iOS Platform Overview

iOS Security Architecture

Software Development on iOS

Apps on iOS

Setting up a Testing Environment for iOS Apps

Jailbreaking an iOS Device

Static Analysis

Dynamic Analysis of Jailbroken Devices

Method Tracing with Frida

Monitoring Console Logs

Setting up a Web Proxy with Burp Suite

Network Monitoring/Sniffing

Tampering and Reverse Engineering on iOS

Swift and Objective-C

Reverse Engineering iOS Apps

Dynamic Analysis on Non-Jailbroken Devices

Method Tracing with Frida

Patching React Native Applications

Data Storage on iOS

Testing Local Data Storage

Checking Logs for Sensitive Data

Determining Whether Sensitive Data Is Sent to Third Parties

Finding Sensitive Data in the Keyboard Cache

Determining Whether Sensitive Data Is Exposed via IPC Mechanisms

Checking for Sensitive Data Disclosed Through the User Interface

Testing Backups for Sensitive Data

Testing Auto-Generated Screenshots for Sensitive Information

Testing Memory for Sensitive Data

References

iOS Cryptography APIs

iOS Cryptography Libraries

Random Number Generation on iOS

References

Local Authentication on iOS

Testing Local Authentication

References

iOS Network APIs

App Transport Security

Testing Custom Certificate Stores and Certificate Pinning

iOS Platform APIs

Testing Custom URL Schemes

Testing WebView Protocol Handlers

Testing iOS WebViews

References

Code Quality and Build Settings for iOS Apps

Making Sure that the App Is Properly Signed

Finding Debugging Symbols

Finding Debugging Code and Verbose Error Logging

Testing Exception Handling

Make Sure That Free Security Features Are Activated

References

Checking for Weaknesses in Third Party Libraries

iOS Anti-Reversing Defenses

Jailbreak Detection

Anti-Debugging Checks

File Integrity Checks

Device Binding

References

Appendix

Testing Tools

Mobile Application Security Testing Distributions

Static Source Code Analysis

All-in-One Mobile Security Frameworks

Tools for Android

Tools for iOS

Tools for Network Interception and Monitoring

Interception Proxies

IDEs

Suggested Reading

Mobile App Security

Reverse Engineering