Hi everybody,
welcome to the ninth OWASP Mobile Security Testing Guide (MSTG) development update! Let’s summarize the efforts of the last weeks.
I finally had time to put some content in the OWASP Wiki for the Hacking Playground, which is now an official OWASP project. Have a look and let me know what you think, feedback is highly appreciated:
https://www.owasp.org/index.php?title=OWASP_OMTG_Hacking_Playground
Source code is available on GitHub:
https://github.com/OWASP/OMTG-Hacking-Playground
If you have broken/vulnerable Android or iOS Apps that you can share, we can also collect them here so it really becomes a mobile hacking playground. The project goal is to have an Android App (which I already started) and an iOS App that map to the test cases of the OMTG.
A draft is now ready for the following content/test cases, but at the moment reviewers who will actually review the content are missing:
Testing Android Apps - Static Analysis
Testing for Sensitive Data Disclosure in Local Storage (OMTG-DATAST-004) - Android
Testing for Sensitive Data sent to 3rd Parties (OMTG-DATAST-005) - Android
Testing whether Clipboard is Activated for Sensitive Fields (OMTG-DATAST-009) - Android
Testing for Sensitive Data in Screenshots (OMTG-DATAST-010) - Android
Testing for Sensitive Data in Application Snapshots (OMTG-DATAST-IOS-001) - Android
Testing for Hardcoded Secrets (OMTG-CRYPTO-001) - iOS
Testing for Known Vulnerabilities in Third-Party Components (OMTG-ENV-003) - iOS
Testing for Code Injection (OMTG-CODING-004) - Android
Testing for Removal of Metadata from Compiled Code (OMTP-ADVPROT-001) - Android
If you have time, please put your name in the review column of our project plan and start reviewing the test cases.
We had quite a few updates on the Testing Guide, and here is a quick list of the authors/reviewers who have been active in the last few weeks. I only counted people who:
are listed as authors or reviewers on the project plan AND
have made changes to the guide (as seen in the revision history).
Active authors/reviewers:
Bernhard Müller
Pragati Singh
Dennis Titze
Alvaro Zamora
Javi
David Fern
Thanks for your support and cheers,
Alvaro Zamora /net9969/