OWASP MSTG - #5 Weekly Status Update 18.07.2016


Sven Schleier

Jul 17, 2016, 8:29:51 PM
to owasp-mobile...@owasp.org

Hi everyone,

after a one-week pause, welcome to the fifth weekly Mobile Security Testing Guide (MSTG) development update! Let's summarize the efforts of the last 2 weeks.

In the last few weeks I started to create an Android App that maps exactly to the test cases in our new mobile testing guide. I attached a screenshot that should explain what I mean. Every button in the screenshot calls an activity that is implemented in a "bad way" and should help a penetration tester understand what the code in the Android App might look like in case it's vulnerable, but also show developers what they should avoid and what the risk might be.

I made a request for a new OWASP project so we can use this App in our project. In the long run there will also be an iOS App, but for now I will focus on the Android App. If someone wants to start the iOS App already, please reach out to me directly and we can make it happen. The project will be called "OMTG Hacking Playground" and hopefully I can give you more details next week, once all details are sorted out and the official GitHub repo has been created by OWASP.

New content was also created in the last 2 weeks and for the following test cases a draft is now ready, but at the moment reviewers who actually review the content are missing:
  • Testing for Sensitive Data sent to 3rd Parties (OMTG-DATAST-005) - Android
  • Testing whether Clipboard is Activated for Sensitive Fields (OMTG-DATAST-009) - Android
  • Testing for Sensitive Data in Screenshots (OMTG-DATAST-010) - Android
  • Testing for Sensitive Data in Application Snapshots (OMTG-DATAST-IOS-001) - Android
  • Testing Endpoint Identity Verification (OMTG-CLTSRV-002) - iOS
  • Testing for Known Vulnerabilities in Third-Party Components (OMTG-ENV-003) - iOS
  • Testing for Code Injection (OMTG-CODING-004) - Android
  • Testing for Removal of Metadata from Compiled Code (OMTP-ADVPROT-001) - Android

If you have time, please put your name in the review column of our project plan and start reviewing the test cases.

We had quite a few updates on the Testing Guide and here is a quick list of the authors/reviewers that have been active in the last week. I only counted people who:

  • are listed as authors or reviewers on the project plan AND
  • have made changes to the guide (as seen in the revision history).
Active authors/reviewers:
Sai Sathyanarayan
Rohit Tamma
Sven Schleier
Javi


Let me know if I left anyone out and thank you all for your time and work.

Thanks and cheers,

Sven
device-2016-07-08-093333.png