Hi everyone,
after a one-week pause, welcome to the fifth weekly Mobile Security Testing Guide (MSTG) development update! Let’s summarize the efforts of the last 2 weeks.
In the last few weeks I started to create an Android App that maps exactly to the test cases in our new mobile testing guide. I attached a screenshot that should explain what I mean. Every button in the screenshot calls an activity that is implemented in a "bad way" and should help a penetration tester understand what the code in the Android App might look like in case it’s vulnerable, but also show developers what they should avoid and what the risk might be.
I made a request for a new OWASP project so we can use this App in our project. In the long run there will also be an iOS App, but for now I will focus on the Android App. If someone wants to start on the iOS App already, please reach out to me directly and we can make it happen. The project will be called "OMTG Hacking Playground" and hopefully I can give you more details next week, once all details are sorted out and the official GitHub repo has been created by OWASP.
New content was also created in the last 2 weeks and for the following test cases a draft is now ready, but at the moment we are still missing reviewers who actually review the content:
- Testing for Sensitive Data sent to 3rd Parties (OMTG-DATAST-005) - Android
- Testing whether Clipboard is Activated for Sensitive Fields (OMTG-DATAST-009) - Android
- Testing for Sensitive Data in Screenshots (OMTG-DATAST-010) - Android
- Testing for Sensitive Data in Application Snapshots (OMTG-DATAST-IOS-001) - Android
- Testing Endpoint Identity Verification (OMTG-CLTSRV-002) - iOS
- Testing for Known Vulnerabilities in Third-Party Components (OMTG-ENV-003) - iOS
- Testing for Code Injection (OMTG-CODING-004) - Android
- Testing for Removal of Metadata from Compiled Code (OMTP-ADVPROT-001) - Android
If you have time, please put your name in the review column of our project plan and start reviewing the test cases.
We had quite a few updates on the Testing Guide and here is a quick list of the authors/reviewers that have been active in the last week. I only counted people who:
- are listed as authors or reviewers on the project plan AND
- have made changes to the guide (as seen in the revision history).
Active authors/reviewers:
Sai Sathyanarayan
Rohit Tamma
Sven Schleier
Javi
Let me know if I left anyone out and thank you all for your time and work.
Thanks and cheers,
Sven