OWASP MSTG - Weekly Status Update 20.06.2016


Sven Schleier

Jun 19, 2016, 10:49:00 PM
to owasp-mobile...@owasp.org

Hey everyone,

This is the second weekly Mobile Security Testing Guide (MSTG) development update!

The project is picking up speed; there were some changes to the guide and new content was added. So let's summarize the efforts of last week.

We now have our first two test cases that have the status "Final Version" and were reviewed:

  • Testing for Client Side SQL Injection (OMTG-CODING-003)
  • Testing for Sensitive Data in Backups (OMTG-DATAST-ANDROID-004)

These two test cases are finished from a technical perspective for now. Of course, once we have all the test cases together there will be another review so that everything is aligned with the same formatting, wording and structure. So please do not focus on that for now ;-)

Besides that, we need reviewers. For the following two test cases a draft is now ready, but at the moment there are no reviewers actually reviewing the content:

  • Testing for Sensitive Data sent to 3rd Parties (OMTG-DATAST-005) – Android
  • Testing for Removal of Metadata from Compiled Code (OMTP-ADVPROT-001) – Android

If you have time, please put your name in the review column of our project plan and review the test cases. We also still need people who focus on iOS test cases.

Here are the links again:

Mobile Testing Guide: https://docs.google.com/document/d/132Ose0jdQwN6Z_Fp0VOJtVdGCufIwligwmf6oT0lmK8/edit#

Project Plan: https://docs.google.com/spreadsheets/d/10hmPgGLMkOz9Gx37S9hnWyyK3bPrXxIm19oelh4AND4/edit#gid=0&fvid=445206711

I will now be monitoring our project schedule regularly in order to push these things forward.

Here is a quick list of the authors/reviewers that have been active in the last week. I only counted people who:

  • are listed as authors or reviewers on the project plan AND
  • have made changes to the guide (as seen in the revision history).

Android (recently active authors/reviewers):

  • Anant Shrivastava
  • Bernhard Müller
  • Javier Dominguez
  • Sven Schleier

iOS (recently active authors/reviewers):

  • Bernhard Müller
  • Javier Dominguez

Stephen Corbiaux was working on "Appendix C: Testing Cross-Platform Mobile Apps".

Let me know if I left anyone out, and thank you all for your time and work.

One more thing that was pointed out last week by Anant is how code obfuscation should be addressed when writing a test case. As you all know, every test case has a dynamic and a static test section. If the code is obfuscated, e.g. through ProGuard on Android, static analysis is difficult and needs some more guidance. To address this issue, one section will be created that summarizes what a tester can do in general if code is obfuscated. Every test case in the static analysis section will then reference these generic guidelines. Therefore we can reduce overhead in the test cases. The static test cases should only focus on steps that can be done if access to source code is possible, either through decompiling or when getting it from the client.

Thanks and cheers,

Sven

Anant Shrivastava

Jun 20, 2016, 12:37:24 AM
to Sven Schleier, OWASP Mobile Top 10 Risks
Hi Sven,

I had some free time, so I have done a basic review of the two sections. I don't claim to be an expert on these two and hence I am not yet marking myself as a reviewer for them.

-Anant
