Mobile Application Security Testing Guide

Frontispiece

About the OWASP Mobile Security Testing Guide

Copyright and License

Acknowledgements

Older Versions

Introduction to the OWASP Mobile Security Testing Guide

What Makes Mobile Security Testing Different?

Key Areas in Mobile AppSec

Local Data Storage

Communication with Trusted Endpoints

Authentication and Session Management

Interaction with the Mobile Platform

Code Quality and Exploit Mitigation

Anti-Tampering and Anti-Reversing

The OWASP Mobile AppSec Verification Standard, Checklist and Testing Guide

Organization of the Mobile Security Testing Guide

General Testing Guide

Mobile App Taxonomy

Mobile App

Native App

Web App

Hybrid App

Mobile App Security Testing

Preparation - Defining The Baseline

Vulnerability Analysis

Eliminating Common False Positives

Tampering and Reverse Engineering

Why You Need It

Basic Tampering Techniques

Static and Dynamic Binary Analysis

Advanced Techniques

Security Testing in the Software Development Lifecycle

Agile and DevOps

General Considerations

SDLC Overview

Security Testing in the SDLC

Team Management

Security Testing in DevOps Environments

References

Testing Application Security on Android

Android Platform Overview

Android Architecture and Security Mechanisms

Understanding Android Apps

Signing and Publishing Process

How Apps Communicate - Android IPC

References

Basic Security Testing on Android

Setting Up Your Testing Environment

Testing Methods

References

Tampering and Reverse Engineering on Android

What You Need

Building a Reverse Engineering Environment For Free

Reverse Engineering

Tampering and Runtime Instrumentation

Binary Analysis Frameworks

Customizing Android for Reverse Engineering

References

Testing Data Storage on Android

Testing for Sensitive Data in Local Storage

Testing for Sensitive Data in Logs

Testing Whether Sensitive Data is Sent to Third Parties

Testing Whether the Keyboard Cache Is Disabled for Text Input Fields

Testing for Sensitive Data in the Clipboard

Testing Whether Sensitive Data Is Exposed via IPC Mechanisms

Testing for Sensitive Data Disclosure Through the User Interface

Testing for Sensitive Data in Backups

Testing for Sensitive Information in Auto-Generated Screenshots

Testing for Sensitive Data in Memory

Testing the Device-Access-Security Policy

Verifying User Education Controls

Testing Cryptography in Android Apps

Verifying the Configuration of Cryptographic Standard Algorithms

Testing Random Number Generation

Testing Local Authentication in Android Apps

Testing Biometric Authentication

Testing Network Communication in Android Apps

Testing Endpoint Identity Verification

Testing Custom Certificate Stores and SSL Pinning

Testing Platform Interaction on Android

Testing App Permissions

Testing Input Validation and Sanitization

Testing Custom URL Schemes

Testing For Sensitive Functionality Exposure Through IPC

Testing JavaScript Execution in WebViews

Testing WebView Protocol Handlers

Testing for Local File Inclusion in WebViews

Testing Whether Java Objects Are Exposed Through WebViews

Testing Object (De-)Serialization

Testing Root Detection

Testing Code Quality and Build Settings of Android Apps

Verifying That the App is Properly Signed

Testing If the App is Debuggable

Testing for Debugging Symbols

Testing for Debugging Code and Verbose Error Logging

Testing Exception Handling

Testing for Memory Bugs in Unmanaged Code

Verify That Free Security Features Are Activated

Testing Anti-Reversing Defenses on Android

Testing Root Detection

Testing Anti-Debugging

Testing File Integrity Checks

Testing Detection of Reverse Engineering Tools

Testing Emulator Detection

Testing Runtime Integrity Checks

Testing Device Binding

Testing Obfuscation

Testing Application Security on iOS

iOS Platform Overview

The iOS Security Architecture

Software Development on iOS

Understanding iOS Apps

References

Basic Security Testing on iOS

Foreword on Swift and Objective-C

Setting Up Your Testing Environment

Jailbreaking iOS

Preparing Your Test Environment

Typical iOS Application Test Workflow

Static Analysis

Dynamic Analysis

Setting up Burp

Bypassing Certificate Pinning

References

Tampering and Reverse Engineering on iOS

Environment and Toolset

Jailbreaking iOS

Reverse Engineering iOS Apps

Tampering and Instrumentation

References

Testing Data Storage on iOS

Testing Local Data Storage

Testing for Sensitive Data in Logs

Testing Whether Sensitive Data Is Sent to Third Parties

Testing for Sensitive Data in the Keyboard Cache

Testing for Sensitive Data in the Clipboard

Testing Whether Sensitive Data Is Exposed via IPC Mechanisms

Testing for Sensitive Data Disclosure Through the User Interface

Testing for Sensitive Data in Backups

Testing For Sensitive Information in Auto-Generated Screenshots

Testing for Sensitive Data in Memory

Testing the Device-Access-Security Policy

Verifying User Education Controls

Testing Cryptography in iOS Apps

Verifying the Configuration of Cryptographic Standard Algorithms

Testing Random Number Generation

Testing Local Authentication in iOS Apps

Testing Biometric Authentication

Testing Network Communication in iOS Apps

Testing Endpoint Identity Verification

Testing App Transport Security

Testing Custom Certificate Stores and SSL Pinning

Testing Platform Interaction on iOS

Testing App Permissions

Testing Input Validation and Sanitization

Testing Custom URL Schemes

Testing for Sensitive Functionality Exposed Through IPC

Testing JavaScript Execution in WebViews

Testing WebView Protocol Handlers

Testing for Local File Inclusion in WebViews

Testing Whether Java Objects Are Exposed Through WebViews

Testing Object (De-)Serialization

Testing Jailbreak Detection

Testing Code Quality and Build Settings of iOS Apps

Verifying that the App is Properly Signed

Testing If the App is Debuggable

Testing for Debugging Symbols

Testing for Debugging Code and Verbose Error Logging

Testing Exception Handling

Testing for Memory Bugs in Unmanaged Code

Verify That Free Security Features Are Activated

Testing Anti-Reversing Defenses on iOS

Testing Jailbreak Detection

Testing Anti-Debugging

Testing File Integrity Checks

Testing Detection of Reverse Engineering Tools

Testing Runtime Integrity Checks

Testing Device Binding

Testing Obfuscation

Appendix

Remote Authentication and Authorization

Verifying that Users Are Properly Authenticated

Testing JSON Web Token (JWT)

Testing Session Management

Testing the Logout Functionality

Testing the Password Policy

Testing Excessive Login Attempts

Testing the Session Timeout

Testing 2-Factor Authentication

Testing Step-up Authentication

Testing User Device Management

Testing Network Communication

Testing for Unencrypted Sensitive Data on the Network

Verifying the TLS Settings

Verifying that Critical Operations Use Secure Communication Channels

Cryptography for Mobile Apps

Testing for Custom Implementations of Cryptography

Testing for Insecure and/or Deprecated Cryptographic Algorithms

Testing for Hard-Coded Secret Keys in Symmetric Encryption and MACs

Testing for Insecure Cryptographic Algorithm Configuration

Testing for Usage of ECB Mode

Testing Whether Anything but a KDF (Key-Derivation Function) Is Used for Storing Passwords

Testing Whether User-Supplied Credentials Are Used Directly as Key Material

Testing Whether Sensitive Data Is Integrity Protected

Testing Whether Encryption Provides Data Integrity Protection

Assessing Software Protection Schemes

Assessing the Threat Model and Software Protection Architecture

The Assessment Process

Design Review

Black-box Resilience Testing

Obfuscation Effectiveness Assessment

Key Questions

Overall Effectiveness of Programmatic Defenses

Assessing Obfuscation

Obfuscation Controls in the MASVS

Obfuscation Effectiveness

Background and Caveats

Academic Research on Obfuscation Metrics

Experimental Data

The Device Binding Problem

References

Testing Tools

Mobile Application Security Testing Distributions

Static Source Code Analysis

All-in-One Mobile Security Frameworks

Tools for Android

Tools for iOS

Tools for Network Interception and Monitoring

Interception Proxies

IDEs

Suggested Reading

Basic Knowledge

Mobile App Security

Reverse Engineering

Foreword

Summary

Overview

General Testing Guide

Android Testing Guide

iOS Testing Guide

Appendix