Test your app against Mobile App Security Checklist.
Security is a major concern for any application, and the threats evolve day by day. So it is always recommended to test the app against all security-related test cases and keep it up to date to safeguard it from known vulnerabilities.
In this post I am trying to give a short overview of OWASP MASVS (Mobile Application Security Verification Standard) and MSTG (Mobile Security Testing Guide). The MASVS establishes baseline security requirements for mobile apps that are very useful both for existing apps and for the development of a new app. The MSTG helps us to test and validate our app against security issues and reverse engineering.
The MASVS defines security verification levels:-
MASVS-L1: Standard Security:-
- Talking About : generic security requirements
- Result : A secure app that follows security best practices and doesn’t suffer from common vulnerabilities.
- Recommended for : All mobile apps.
MASVS-L2: Defense-in-Depth:-
- Talking About : Additional protective controls that can be applied if preventing client-side threats is a design goal.
- Result : Adds additional defense-in-depth controls such as SSL pinning, resulting in an app that is resilient against more sophisticated attacks.
- Recommended for : Apps that handle more sensitive data and/or functionality, e.g. in the health-care and financial industries.
MASVS-R: Resiliency Against Reverse Engineering and Tampering :-
- Talking About : Client-side attacks, such as tampering, modding, or reverse engineering to extract sensitive code or data.
- Result : Increases the effort needed to obtain the original source code.
- Recommended for : Apps that handle highly sensitive data, or where the controls serve as a means of protecting intellectual property or tamper-proofing an app, e.g. in the gaming industry.
Check out for more details : https://mobile-security.gitbook.io/masvs/0x03-using_the_masvs
iOS security requirements can be divided into:-
- Data Storage and Privacy Requirements
- Cryptography Requirements
- Authentication and Session Management Requirements
- Network Communication Requirements
- Platform Interaction Requirements
- Code Quality and Build Setting Requirements
- Resilience Requirements
In this post we will cover only a small part of these requirements and test cases.
Data Storage and Privacy Requirements:-
It covers the protection of sensitive data, such as authentication tokens and private information.
- Testing Local Data Storage
- Checking Logs for Sensitive Data
- Determining Whether Sensitive Data Is Shared with Third Parties
- Finding Sensitive Data in the Keyboard Cache
- Determining Whether Sensitive Data Is Exposed via IPC Mechanisms
- Checking for Sensitive Data Disclosed Through the User Interface
- Testing Backups for Sensitive Data
- Testing Auto-Generated Screenshots for Sensitive Information
- Testing Memory for Sensitive Data
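As an added illustration of the "Testing Local Data Storage" and "Testing Backups for Sensitive Data" items (this is example code written for this post, not code from the OWASP project), the snippet below stores an authentication token in the iOS Keychain instead of UserDefaults or a plist. The service name `com.example.app.auth` is a hypothetical placeholder. The `ThisDeviceOnly` accessibility class keeps the item out of iTunes/iCloud backups and prevents it from migrating to another device, which is exactly what a tester would look for when reviewing where tokens end up on disk.

```swift
import Foundation
import Security

// Added example: a minimal Keychain wrapper for a session token.
// UserDefaults and plist files are stored in plaintext inside the app
// container and are included in backups; Keychain items are encrypted
// by the OS and, with the accessibility class used here, never leave
// this device.
enum TokenStore {
    // Hypothetical service identifier used only for this example.
    static let service = "com.example.app.auth"

    /// Stores `token` under `account`, replacing any previous value.
    static func save(token: String, account: String) -> OSStatus {
        let query: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account
        ]
        // Delete first so a second save does not fail with errSecDuplicateItem.
        SecItemDelete(query as CFDictionary)

        var attributes = query
        attributes[kSecValueData as String] = Data(token.utf8)
        // Readable only while the device is unlocked; excluded from backups
        // and from migration to a new device.
        attributes[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
        return SecItemAdd(attributes as CFDictionary, nil)
    }

    /// Returns the stored token, or nil if none exists or the device is locked.
    static func load(account: String) -> String? {
        let query: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
            kSecReturnData as String: true,
            kSecMatchLimit as String: kSecMatchLimitOne
        ]
        var result: AnyObject?
        let status = SecItemCopyMatching(query as CFDictionary, &result)
        guard status == errSecSuccess, let data = result as? Data else { return nil }
        return String(data: data, encoding: .utf8)
    }

    /// Removes the token, e.g. on logout.
    static func delete(account: String) -> OSStatus {
        let query: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account
        ]
        return SecItemDelete(query as CFDictionary)
    }
}

// Usage: the token value itself is never written to UserDefaults or to a log.
// let status = TokenStore.save(token: "constructed-sample-token", account: "session")
// precondition(status == errSecSuccess)
```

When reviewing an app, pair this with a look at the "Checking Logs for Sensitive Data" item: the token should not appear in `print` or `NSLog` output either, since console logs are readable from a connected Mac.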
Cryptography Requirements:-
It covers general cryptography best practices and describes typical issues that can occur when cryptography is used incorrectly.
- Verifying the Configuration of Cryptographic Standard Algorithms
- Testing Key Management
- Testing Random Number Generation
Authentication and Session Management Requirements:-
It covers local authentication best practices and describes typical issues that can occur while integrating with local authentication like PIN, password or biometric characteristics such as face or fingerprint (Touch ID).
- Testing Local Authentication
Network Communication Requirements:-
It covers network communication best practices and describes typical issues that can occur during the integration with web services.
- App Transport Security
- Testing Custom Certificate Stores and Certificate Pinning
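As an added example for the "Testing Custom Certificate Stores and Certificate Pinning" item (written for this post; it is not code from the OWASP project), the delegate below pins the server certificate in a `URLSession`. It first lets the system perform normal chain validation and then additionally requires that at least one certificate in the presented chain hashes to a value the app ships with. The two hash strings are placeholders; in a real app you would compute them as the base64 SHA-256 of the DER encoding of your leaf or intermediate certificate, and always ship a backup pin so that a certificate rotation does not lock users out.

```swift
import Foundation
import Security
import CryptoKit

// Added example: certificate pinning on top of App Transport Security.
// ATS already enforces TLS 1.2+ and a trusted chain; pinning narrows the
// set of accepted certificates to the ones the app expects.
final class PinningSessionDelegate: NSObject, URLSessionDelegate {
    // Base64(SHA-256(DER certificate)) values accepted by the app.
    // PLACEHOLDER values: replace with hashes of your own certificates.
    private let pinnedCertificateHashes: Set<String> = [
        "PLACEHOLDER_PRIMARY_CERT_SHA256_BASE64=",
        "PLACEHOLDER_BACKUP_CERT_SHA256_BASE64="
    ]

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        // Only server-trust challenges are handled here; everything else is rejected.
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        // Step 1: the standard checks (hostname, expiry, trusted root) must still pass.
        // Pinning replaces none of them; it only adds a constraint.
        var evaluationError: CFError?
        guard SecTrustEvaluateWithError(trust, &evaluationError) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        // Step 2: at least one certificate in the validated chain must match a pin.
        if chainContainsPinnedCertificate(trust) {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }

    /// Hashes every certificate in the chain and compares it with the pin set.
    func chainContainsPinnedCertificate(_ trust: SecTrust) -> Bool {
        let count = SecTrustGetCertificateCount(trust)
        for index in 0..<count {
            guard let certificate = SecTrustGetCertificateAtIndex(trust, index) else { continue }
            let der = SecCertificateCopyData(certificate) as Data
            let digest = SHA256.hash(data: der)
            let encoded = Data(digest).base64EncodedString()
            if pinnedCertificateHashes.contains(encoded) {
                return true
            }
        }
        return false
    }
}

// Usage: every request made through this session goes through the pin check.
// let session = URLSession(configuration: .default,
//                          delegate: PinningSessionDelegate(),
//                          delegateQueue: nil)
```

A tester verifying this control would expect connections to fail when the server presents a certificate that chains to a trusted root but is not in the pin set, and would also confirm that ATS has not been weakened in `Info.plist` with `NSAllowsArbitraryLoads` for the API domain.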
Platform Interaction Requirements:-
It covers usage of platform APIs and standard components in the app.
- Testing App Permissions
- Testing for Sensitive Functionality Exposure Through IPC
- Testing Custom URL Schemes
- Testing iOS WebViews
- Testing WebView Protocol Handlers
- Determining Whether Native Methods Are Exposed Through WebViews
- Testing Object Persistence
- Testing enforced updating
Code Quality and Build Setting Requirements:-
It covers the basic security coding practices that can be followed in development along with “free” security features offered by the compiler.
- Making Sure that the App Is Properly Signed
- Determining Whether the App is Debuggable
- Finding Debugging Symbols
- Finding Debugging Code and Verbose Error Logging
- Checking for Weaknesses in Third Party Libraries
- Testing Exception Handling
- Memory Corruption Bugs
- Make Sure That Free Security Features Are Activated
Resilience Requirements:-
It covers defense-in-depth measures that are recommended for apps that process or give access to sensitive data or functionality, such as jailbreak detection and resistance to reverse engineering.
- Jailbreak Detection
- Testing Anti-Debugging Detection
- File Integrity Checks
- Testing Reverse Engineering Tools Detection
- Testing Emulator Detection
- Testing Obfuscation
- Device Binding
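As an added example covering the "Jailbreak Detection" and "Testing Anti-Debugging Detection" items (example code written for this post, not the OWASP project's), the helper below performs two lightweight runtime checks: it looks for filesystem traces that are normally only present on a jailbroken device and tests whether the app sandbox can be escaped by writing outside the container, and it asks the kernel via `sysctl` whether a debugger is attached to the current process. The list of paths is a constructed sample and the name `RuntimeIntegrity` is hypothetical.

```swift
import Foundation
import Darwin

// Added example: runtime integrity checks an app can run at launch.
// These raise the bar, they are not a guarantee; the MASVS-R level
// expects them to be combined with other controls.
enum RuntimeIntegrity {
    // Constructed sample of paths that exist on typical jailbroken devices
    // but not on a stock iOS installation.
    static let suspiciousPaths = [
        "/Applications/Cydia.app",
        "/Library/MobileSubstrate/MobileSubstrate.dylib",
        "/bin/bash",
        "/usr/sbin/sshd",
        "/etc/apt",
        "/private/var/lib/apt/"
    ]

    /// True if any jailbreak indicator is found.
    static func looksJailbroken() -> Bool {
        #if targetEnvironment(simulator)
        // The simulator shares the host filesystem, so these checks are meaningless there.
        return false
        #else
        let fileManager = FileManager.default
        if suspiciousPaths.contains(where: { fileManager.fileExists(atPath: $0) }) {
            return true
        }
        // On a stock device the sandbox forbids writing here; success means it is broken.
        let probePath = "/private/jailbreak_probe_\(UUID().uuidString)"
        if (try? "probe".write(toFile: probePath, atomically: true, encoding: .utf8)) != nil {
            try? fileManager.removeItem(atPath: probePath)
            return true
        }
        return false
        #endif
    }

    /// True if a debugger is attached: the kernel sets P_TRACED on a traced process.
    static func isDebuggerAttached() -> Bool {
        var info = kinfo_proc()
        var size = MemoryLayout<kinfo_proc>.stride
        var mib: [Int32] = [CTL_KERN, KERN_PROC, KERN_PROC_PID, getpid()]
        let status = sysctl(&mib, UInt32(mib.count), &info, &size, nil, 0)
        guard status == 0 else {
            // If the query fails, report "not attached" rather than blocking the user.
            return false
        }
        return (info.kp_proc.p_flag & P_TRACED) != 0
    }
}

// Usage at launch: decide on a policy (warn, degrade, or refuse) rather than
// silently trusting the result of a single check.
// if RuntimeIntegrity.looksJailbroken() || RuntimeIntegrity.isDebuggerAttached() {
//     // e.g. disable high-risk features or report to the backend
// }
```

When testing this item, keep in mind that each check on its own is easy to bypass once found, which is why the MSTG treats these controls as a way of increasing effort rather than as a security boundary; the decision logic should not live in one obviously named function that returns a boolean.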
In this post I am just trying to draw the attention of developers and QA towards MASVS and MSTG. Since it is a very lengthy topic, it won’t be possible to cover all the details in a single post, so I am focusing on listing the major checklist items which can help us to validate our iOS app against major security issues. It will also help developers to understand and follow best coding practices during development.
It is not mandatory to follow every checklist item in every app, because every mobile app is different. App security depends upon a lot of factors like the overall app architecture, business logic, and the technologies and frameworks used. So we can create our own checklist based on the requirements that are mandatory for our app.
Further reading:-
- GitHub - OWASP/owasp-masvs: the official GitHub repository of the OWASP Mobile Application Security Verification Standard (MASVS): https://github.com/OWASP/owasp-masvs
- GitHub - OWASP/owasp-mstg: the Mobile Security Testing Guide (MSTG), a comprehensive manual for mobile app security testing and reverse engineering: https://github.com/OWASP/owasp-mstg