Paco
--
You received this message because you are subscribed to the Google Groups "OWASP Mobile Top 10 Risks" group.
To unsubscribe from this group and stop receiving emails from it, send an email to owasp-mobile-top-1...@owasp.org.
For more options, visit https://groups.google.com/a/owasp.org/d/optout.
have done this based on the Top 10 risks (https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks)
> This is pure web. It's sad that this ever works. It works plenty often. But this is not a mobile app problem.
This is not part of the native code for a mobile app, but it is still part of a mobile application. In fact, this is the most exploited vulnerability, M1: Weak Server Side Controls.
It is. It is not exclusive to mobile, but mobile apps also have an authentication process. In fact, it is M5: Poor Authorization and Authentication.
> Try to setup as password something insecure(password, 1111111…).
Nope. That is anything but mobile. That has nothing to do with mobile.
> Maybe… if you're checking app local storage on the device. I suspect it is more important to check that the server has really killed the session. Which, again, is important but not a mobile concern.
You have a good point here. Both are important. But what I mean is, for example, that if the device is stolen and the SSO token is not killed, you can continue the execution from the previous user.
> Testing for XSS and SQL injection is a standard web thing. JavaScript, JSON, SQL, and HTML injection are pretty much a non-issue for most mobile apps (webviews being the notable exception). Most injections are not a test of the mobile code, but rather a test of the server code.
Agree this is not as important as in a web application, but it is still M7: Client Side Injection.
On Jun 23, 2015, at 8:58 AM, Paco Hope <pa...@owasp.org> wrote:
> Primary principle: if you would change Android or iOS code to fix it, it is a mobile issue. If you can find the problem without owning the correct kind of mobile device, it isn't a mobile problem. If you don't need to have the binary installed on a device (or a simulator) to exploit the problem, then it isn't a mobile problem.
--
Jim Manico
Global Board Member, OWASP Foundation
https://www.owasp.org
Join me at AppSecUSA 2015!
So amazing. The day I'm waiting for.
Hi David,
We have a plan to add it in upcoming versions along with NFC and other mobile tech.
Alpha Release Date: 25-Aug-2015
-- The AppSec Approach
Reg
Milan
I certainly didn’t intend to imply that IoT and mobile were the same, nor did I mean to imply that 2 big projects should be merged. Just that if someone wants to talk about security of health care devices, my opinion is that the conversation is a better fit for some OWASP IoT project than a mobile project.
--
Thanx Javi...
Yes Jonathan, I have made the link on the OWASP Mobile page.
Indeed we need to publicize the alpha release of guide and gather feedback...
I have posted the release date information on LinkedIn in multiple groups.
I rarely use Twitter. I think we would need you and our team to spread the word even further.
Hi Claudia,
Below is the information I have posted on LinkedIn:
The most awaited OWASP Mobile Security Testing Guide is coming soon...!!
The alpha version is already out. Check the link below to download it.
https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Guide_Development_Project
Let us know your feedback at mi...@owasp.org..!!
Regards
Milan
Yeah...!!
Spread the word as much as possible.
Thanx Javi...
--
https://www.facebook.com/groups/owaspfoundation/permalink/839140172873324/
Just realized I only posted to the FB group. Here's a link to the FB page, just now:
Thanx Claudia...!!
This will surely catch attention of people :)
Regards
Milan
Thanx Jonathan... will include it in beta and final release.
https://drive.google.com/file/d/0BxOPagp1jPHWczhwYjRQNzZIekU/view?usp=sharing
--
C|EH, C|HFI, Master of Computer Science
Security Advisor and Consultant, Penetration Tester
Manav...@gmail.com
+601112274183
sinamanavi.wordpress.com
Hi David,
We are looking for references that we can add to our guide which should help a newbie become an advanced penetration tester for mobile security.
Topics focused on understanding mobile architecture, forensics, malware analysis, advanced reverse engineering and out-of-the-box things can be useful.
Thanks to All the Active and Silent contributors.
Now this is what we call the OWASP Mobile Team effort. :)
Special thanks to the OWASP Mobile Team.
We still have a long way to go.
Regards
Milan
--
Hi Dewhurst Team,
You can surely contribute...
Feel free to ping me.
Yes, we have not included SSL pinning. Can you help us with a writeup on it?
Details for SSL pinning are available on the OWASP Mobile Security page.
We can add it in the final release.
Regards
Milan
Thanx Javi...
I think we should start preparing cheat sheets for advanced pentesting on mobile-based technology.
Regards
Milan
Sure Javi...
Anyone else from our Team wanna share hacks based on mobility? It can be related to any technology related to mobility platform.
Regards
Milan
Hi Ryan,
I don't think OWASP has any objection to reposting stuff from the mailing list/OWASP site, as long as a reference to OWASP is made :)
Also, don't let this stuff become proprietary material. We are all about free knowledge :)
Regards
Milan
--
Hi Ryan,
It would be better to use Google Drive for now. Adding stuff to GitHub so late will require a lot of time to be invested. Instead we can use that time in fine-tuning the Guide.
I'm sure for upcoming projects we can use GitHub from the start :)
Regards
Milan
On the wiki... it would be too much content to add and manage.
But let me look into it. I will create a wiki page for it.
Hi Ryan,
Your writeup on certificate pinning is great.
It is definitely going to be part of the final release.
I will add you to the shared drive.
--
---------------------------------
Thanks & Best regards,
LE QUOC BAO
Application Security Researcher
Email: whiteha...@gmail.com
Mobile: 0915840284
Skype: whitehat.panda
Hi Bao,
This is good and enlightening stuff on certificate pinning.
Will add you to the drive, so that you can go through the current guide and add your inputs to it.
Right Anant...
Let's do it collaboratively... :)
--