OMTG Inconsistencies


Bernhard Muller

Sep 10, 2016, 2:02:36 AM
to owasp-mobile...@owasp.org, owasp-mobile-s...@lists.owasp.org

Hi all,

While working on the MASVS requirements I encountered one major inconsistency in the guide. We currently have a whole category for authentication and session management (OMTG-AUTH) which conflicts with Testing Endpoint Identity Verification (OMTG-CLTSRV-002). Notably, the OMTG-AUTH category also differs from all other categories in that authentication mostly happens on the remote end, so in most test cases we're talking about testing the endpoint (web service etc.).

I can think of two ways out of this:

1. Remove OMTG-CTLSRV-002 and keep OMTG-AUTH as a separate category. It could be argued that endpoint authentication is such a central topic to most mobile apps that it warrants its own category (that was the idea in the beginning).

2. Move the test cases that concern authentication at the remote end to OMTG-CTLSRV, and remove the whole OMTG-AUTH category. 7 test cases would go to OMTG-CTLSRV, but those could be merged into two or three. "TouchID implementation" and "Unprotected Activities" would be moved to OMTG-ENV.

Right now I'd be inclined to go with option 2, as it would be more consistent with the rest of the guide. I also think we should reduce chapters wherever possible to get something more focused (and something that's finished in this century).

What do you think?

Cheers,

Bernhard

--
Bernhard Mueller | Principal Security Consultant
Vantage Point Security Pte. Ltd
61 Ubi Road 1 | Unit 02 08-09 | Oxley Bizhub | Singapore 408727
Unifying people, process and technology to design, develop, deploy and maintain secure applications.

Bernhard Muller

Sep 10, 2016, 10:23:08 PM
to rob southern, owasp-mobile...@owasp.org

At the moment OMTG-AUTH covers mostly session management and service layer. Local authentication APIs are not broadly covered at all except for TouchID, but def. need to be included. Probably best to extend the TouchID chapter to cover local authentication frameworks in general.

The question is, how do we require local auth to be used? Are there cases where it is OK to rely on local password authentication or ID providers to unlock the users' network credentials (for example, the PayPal app does this)? Or should we see it as a defense-in-depth measure that can be used to add an additional layer of security?

From: rob southern <rsout...@gmail.com>
Date: Sunday, September 11, 2016 at 3:04 AM
To: Bernhard Mueller <bern...@vantagepoint.sg>
Subject: Re: OMTG Inconsistencies

Auth should prob be its own section like you stated in #1. Would this cover device auth (pin / touch), PW auth to app or ID provider, token and session mgmt, and service layer (server to server) auth?