Hey everyone,
This is the second weekly Mobile Security Testing Guide (MSTG) development update!
The project is picking up speed: there were some changes to the guide and new content was added. So let's summarize the efforts of last week.
We now have our first two test cases that have the status "Final Version" and have been reviewed:
These two test cases are finished from a technical perspective for now. Of course once we have all the test cases together there will be another review so everything is aligned with the same formatting, wording and structure. So please do not focus on that for now ;-)
Besides that, we need reviewers. For the following two test cases a draft is now ready, but at the moment we are missing reviewers who will actually review the content:
If you have time, please put your name in the review column of our project plan and review the test cases. We also still need people who focus on iOS test cases.
Here are again the links:
Mobile Testing Guide can be found here: https://docs.google.com/document/d/132Ose0jdQwN6Z_Fp0VOJtVdGCufIwligwmf6oT0lmK8/edit#
Project Plan can be found here: https://docs.google.com/spreadsheets/d/10hmPgGLMkOz9Gx37S9hnWyyK3bPrXxIm19oelh4AND4/edit#gid=0&fvid=445206711
I will now be monitoring our project schedule regularly in order to push these things forward.
Here is a quick list of the authors/reviewers that have been active in the last week. I only counted people who:
· are listed as authors or reviewers on the project plan AND
· have made changes to the guide (as seen in the revision history).
Android (recently active authors/reviewers):
Anant Shrivastava
Bernhard Müller
Javier Dominguez
Sven Schleier
iOS (recently active authors/reviewers):
Bernhard Müller
Javier Dominguez
Stephen Corbiaux was working on "Appendix C: Testing Cross-Platform Mobile Apps".
Let me know if I left anyone out, and thank you all for your time and work.
One more thing that was pointed out last week by Anant is how code obfuscation should be addressed when writing a test case. As you all know, every test case has a dynamic and a static test section. If the code is obfuscated, e.g. through ProGuard on Android, static analysis is difficult and needs some more guidance. To address this issue, one section will be created that summarizes what a tester can do in general if code is obfuscated. Every test case in the static analysis section will then reference these generic guidelines, which reduces overhead in the test cases. The static test cases should only focus on steps that can be done if access to source code is possible, either through decompiling or when getting it from the client.
Thanks and cheers,
Sven