Owasp mobile testing guide?


Javi D R

Jun 8, 2015, 4:36:16 AM
to owasp-mobile...@owasp.org
Hi

Is there any testing reference document for native applications similar to the testing guide for Internet? (https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents)


Thanks

Jonathan Carter

Jun 8, 2015, 1:48:23 PM
to Javi D R, owasp-mobile...@owasp.org
We're actually in the middle of talks around creating something like this similar to the testing guide for web.

--
You received this message because you are subscribed to the Google Groups "OWASP Mobile Top 10 Risks" group.
To unsubscribe from this group and stop receiving emails from it, send an email to owasp-mobile-top-1...@owasp.org.
For more options, visit https://groups.google.com/a/owasp.org/d/optout.

Javi D R

Jun 8, 2015, 1:49:25 PM
to Jonathan Carter, owasp-mobile...@owasp.org
Beautiful! Thank you for the update

Regards

Jonathan Carter

Jun 8, 2015, 1:52:28 PM
to Javi D R, owasp-mobile...@owasp.org
Just out of curiosity, which platform were you looking for a testing guide for?

Javi D R

Jun 8, 2015, 1:55:45 PM
to Jonathan Carter, owasp-mobile...@owasp.org
Both iOS and Android. I assume the testing guide would be similar for both devices (e.g. back end validation rules, SSO token, etc...). Of course, there would be specific vulnerabilities for iOS/Android, but the most important tests would be generic.

My knowledge is not as advanced as yours, but I would like to help a bit with anything I can.

Thank you!

Milan Singh Thakur

Jun 8, 2015, 2:03:32 PM
to Javi D R, Jonathan Carter, owasp-mobile...@owasp.org

Hi Javi,

Guide work is in progress. Any new help is always welcome. Till then, just keep following the testing methodology given on the OWASP mobile security project site.

Regards
Milan

Yair Amit

Jun 9, 2015, 4:41:11 AM
to Milan Singh Thakur, Javi D R, Jonathan Carter, owasp-mobile...@owasp.org
Hi Milan,

I'd love to contribute to the Guide's work. Who is leading the work on it?

Best regards,
- Yair
Yair Amit
CTO & Co-founder, Skycure

Milan Singh Thakur

Jun 9, 2015, 4:47:41 AM
to Yair Amit, Javi D R, Jonathan Carter, owasp-mobile...@owasp.org
Hi Yair,

Jonathan is leading it along with others from the OWASP mobile security
project team.

There is also a scratchpad for it, from which the data for the guide will
be pulled. Have a look at it and let us know your inputs.

https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-2015_Scratchpad

Regards
Milan

--
Regards,
Milan Singh Thakur

Javi D R

Jun 9, 2015, 5:34:38 AM
to Milan Singh Thakur, Yair Amit, Jonathan Carter, owasp-mobile...@owasp.org
I think I can provide a list of topics to be added here. I will try to send a list today.

Javi D R

Jun 10, 2015, 5:50:49 AM
to Milan Singh Thakur, Yair Amit, Jonathan Carter, owasp-mobile...@owasp.org
Hi

This is the list I have by now of things to be tested in mobile devices. Let me know if you find it helpful.

Verify that the code is obfuscated
Check that there are lockout mechanisms in place
Try to call a web service/API without having generated an authentication token
Check that inputs that contain sensitive information don't remember the information previously entered
Check that once you have logged off from an application, clicking back does not let you navigate into the application again (Android only)
Check that when you are inside the application and click on back, no sensitive information remains in the forms
Try to set up something insecure as a password (password, 1111111…).
Check that you can't access somebody else's data by bypassing the front end validations (direct web service/API call)
Check that you can't execute an operation by bypassing authorisation (direct web service/API call)
Check that after logoff, all data is cleared (SSO tokens, cookies, etc…)
Check that after session timeout you are automatically logged off
Try to inject any script/SQL/HTML... in the inputs of an application
Try to inject any script/SQL/HTML... directly in the back end call (web service/API)


Thanks
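An added example, not part of this thread or of the OWASP project: the checklist above says to drive the back end directly rather than through the app's UI. The script below does that for three of the items (a call with no token, a request for another user's record with your own token, and a privileged operation from a non-admin account) against a deliberately weak stub back end constructed here for the demo. The endpoint paths (/users/<id>, /admin/users/<id>), the bearer token strings and the user IDs are assumptions made up for the example.

```python
"""Added example (not from the thread): a small harness that exercises three
items from the checklist against a back end over plain HTTP.  The back end is
a deliberately weak stub constructed for the demo: it accepts any valid token
for any record and lets non-admins call an admin endpoint.  Endpoint paths,
token strings and user IDs are assumptions, not anything from OWASP."""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed data: two ordinary (non-admin) users and one session token each.
USERS = {"1": {"name": "alice", "admin": False},
         "2": {"name": "bob", "admin": False}}
TOKENS = {"tok-alice": "1", "tok-bob": "2"}


class WeakAPI(BaseHTTPRequestHandler):
    """Stub back end that trusts the client far too much."""

    def log_message(self, *_):  # keep the demo quiet
        pass

    def _reply(self, code, body):
        data = json.dumps(body).encode()
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def _caller(self):
        """Map the bearer token to a user id, or None if absent/unknown."""
        auth = self.headers.get("Authorization", "")
        token = auth[7:] if auth.startswith("Bearer ") else ""
        return TOKENS.get(token)

    def do_GET(self):
        # GET /users/<id>: the token is checked for presence only; the id in
        # the path is never compared with the token's owner (an IDOR).
        if self._caller() is None:
            return self._reply(401, {"error": "authentication required"})
        parts = self.path.strip("/").split("/")
        if len(parts) == 2 and parts[0] == "users" and parts[1] in USERS:
            return self._reply(200, USERS[parts[1]])
        self._reply(404, {"error": "not found"})

    def do_DELETE(self):
        # DELETE /admin/users/<id>: should require admin, but only needs a token.
        if self._caller() is None:
            return self._reply(401, {"error": "authentication required"})
        parts = self.path.strip("/").split("/")
        if len(parts) == 3 and parts[:2] == ["admin", "users"]:
            return self._reply(200, {"deleted": parts[2]})
        self._reply(404, {"error": "not found"})


def call(base, path, token=None, method="GET"):
    """Issue one direct API call, bypassing the app's own validations."""
    req = urllib.request.Request(base + path, method=method)
    if token:
        req.add_header("Authorization", "Bearer " + token)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


def run_checks(base):
    """Return {check name: passed?} for three checklist items."""
    results = {}
    # Call the API without having generated an authentication token.
    status, _ = call(base, "/users/1")
    results["no_token_rejected"] = status == 401
    # Access somebody else's data: alice's token asks for bob's record.
    status, body = call(base, "/users/2", token="tok-alice")
    results["other_users_data_blocked"] = not (status == 200 and body.get("name") == "bob")
    # Execute an operation bypassing authorisation: non-admin calls admin delete.
    status, _ = call(base, "/admin/users/2", token="tok-alice", method="DELETE")
    results["admin_op_blocked"] = status in (401, 403)
    return results


def start_server():
    """Start the stub on a free loopback port; returns (server, base URL)."""
    srv = HTTPServer(("127.0.0.1", 0), WeakAPI)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]


if __name__ == "__main__":
    server, url = start_server()
    for name, ok in run_checks(url).items():
        print("%-26s %s" % (name, "PASS" if ok else "FAIL"))
    server.shutdown()
```

Against this stub the first check passes (no token gets a 401) and the other two fail, which is the point of the checklist: a front end that never shows bob's record or the delete button does nothing if the API itself does not tie the token to the record and the role to the operation. Pointing `run_checks` at a real base URL, with real tokens for two test accounts, turns it into a quick authorisation smoke test.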

Milan Singh Thakur

Jun 10, 2015, 6:28:49 AM
to owasp-mobile...@owasp.org, javi.x...@gmail.com, jonatha...@owasp.org, Milan Singh Thakur
Thanks Javi...!!

Your inputs are appreciated. We will surely take them into consideration.
Meanwhile, please have a look at the Scratchpad for 2015:

https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-2015_Scratchpad


Regards,
Milan Singh Thakur