
Mobile Application Security


Discussing the security aspect of mobile development

Hyperjump Tech

April 16, 2024

Transcript

  1. WHAT IS IT?

     The official GitHub repository of the OWASP Mobile Application Security Verification Standard (MASVS). The standard is published as a PDF, a web page, an Excel file and a YAML file.
  2. USE CASE SCENARIO

     - METRIC: to provide a security standard against which existing mobile apps can be compared by developers and application owners.
     - PROCUREMENT: to provide a baseline for mobile app security verification.
     - GUIDANCE: to provide guidance during all phases of mobile app development and testing.
  3. GUIDANCE FOR CERTIFYING MOBILE APPS

     Performing an "open book" review: testers are granted access to key resources such as the architects and developers of the app, project documentation, source code, and authenticated access to endpoints, including access to at least one user account for each role.
  4. VERIFICATION LEVELS IN DETAIL

     - MASVS-L1: Standard Security. Fulfills basic requirements in terms of code quality, handling of sensitive data, and interaction with the mobile environment.
     - MASVS-L2: Defense-in-Depth. Handles highly sensitive data.
     - MASVS-R: Resiliency Against Reverse Engineering and Tampering. The app has state-of-the-art security, and is also resilient against specific, clearly defined client-side attacks, such as tampering, modding, or reverse engineering to extract sensitive code or data.
  5. RECOMMENDED USE

     - MASVS-L1: all mobile apps.
     - MASVS-L2: healthcare, financial industry.
     - MASVS-L1+R:
       - Mobile apps where Intellectual Property (IP) protection is a business goal
       - Gaming industry
     - MASVS-L2+R:
       - Financial industry: online banking apps that allow the user to move funds
       - All mobile apps that, by design, need to store sensitive data on the mobile device, and at the same time must support a wide range of devices and operating system versions
       - Apps with in-app purchases if there is no server-side protection
  6. CONTROLS

     - Architecture, Design and Threat Modeling Requirements
     - Data Storage and Privacy Requirements
     - Cryptography Requirements
     - Authentication and Session Management Requirements
     - Network Communication Requirements
     - Platform Interaction Requirements
     - Code Quality and Build Setting Requirements
     - Resiliency Against Reverse Engineering Requirements
  7. V1: ARCHITECTURE, DESIGN AND THREAT MODELING REQUIREMENTS

     The category "V1" lists requirements pertaining to the architecture and design of the app. As such, this is the only category that does not map to technical test cases in the OWASP Mobile Testing Guide.
  8. V2: DATA STORAGE AND PRIVACY REQUIREMENTS

     The protection of sensitive data, such as user credentials and private information, is a key focus in mobile security:
     - Personally identifiable information
     - Highly sensitive data
     - Any data that must be protected by law or for compliance reasons
  9. V3: CRYPTOGRAPHY REQUIREMENTS

     To ensure that the verified application uses cryptography according to industry best practices, including:
     - Use of proven cryptographic libraries;
     - Proper choice and configuration of cryptographic primitives;
     - A suitable random number generator wherever randomness is required.
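The following Kotlin snippet is an added example for the V2 (data at rest) and V3 (cryptography) categories above; it is not code from the deck or from OWASP. It shows what "proven library, proper primitive, suitable RNG" looks like on Android: the key lives in the platform Android Keystore (hardware-backed where the device supports it), the primitive is AES-256-GCM with the IV generated by the Keystore, and session tokens come from `java.security.SecureRandom` rather than `java.util.Random`. The key alias and the minimum API level (23) are assumptions of the example.

```kotlin
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import java.security.KeyStore
import java.security.SecureRandom
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.spec.GCMParameterSpec

private const val KEYSTORE_PROVIDER = "AndroidKeyStore"
private const val KEY_ALIAS = "example_app_data_key"   // hypothetical alias chosen for this example
private const val GCM_IV_BYTES = 12
private const val GCM_TAG_BITS = 128

// V2/V3: the key is generated inside the Keystore and never leaves it; the app only
// ever holds a handle. Requires API 23+ (assumption of this example).
fun getOrCreateDataKey(): SecretKey {
    val ks = KeyStore.getInstance(KEYSTORE_PROVIDER).apply { load(null) }
    (ks.getKey(KEY_ALIAS, null) as? SecretKey)?.let { return it }

    val spec = KeyGenParameterSpec.Builder(
        KEY_ALIAS,
        KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
    )
        .setBlockModes(KeyProperties.BLOCK_MODE_GCM)            // authenticated mode, not ECB/CBC
        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
        .setKeySize(256)
        .setRandomizedEncryptionRequired(true)                   // Keystore supplies a fresh IV per call
        .build()

    return KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, KEYSTORE_PROVIDER)
        .apply { init(spec) }
        .generateKey()
}

// Encrypts plaintext and binds it to `aad` (e.g. a record id) so a ciphertext cannot be
// silently moved to another record. Output layout: 12-byte IV || ciphertext || 16-byte tag.
fun sealRecord(plaintext: ByteArray, aad: ByteArray): ByteArray {
    val cipher = Cipher.getInstance("AES/GCM/NoPadding")
    cipher.init(Cipher.ENCRYPT_MODE, getOrCreateDataKey())       // IV is generated by the Keystore
    cipher.updateAAD(aad)
    val iv = cipher.iv
    require(iv.size == GCM_IV_BYTES) { "unexpected GCM IV length ${iv.size}" }
    return iv + cipher.doFinal(plaintext)
}

// Returns null instead of throwing so callers treat a failed tag check as "data is untrusted".
fun openRecord(blob: ByteArray, aad: ByteArray): ByteArray? {
    if (blob.size < GCM_IV_BYTES + GCM_TAG_BITS / 8) return null
    val iv = blob.copyOfRange(0, GCM_IV_BYTES)
    val ciphertext = blob.copyOfRange(GCM_IV_BYTES, blob.size)
    return try {
        val cipher = Cipher.getInstance("AES/GCM/NoPadding")
        cipher.init(Cipher.DECRYPT_MODE, getOrCreateDataKey(), GCMParameterSpec(GCM_TAG_BITS, iv))
        cipher.updateAAD(aad)
        cipher.doFinal(ciphertext)
    } catch (e: javax.crypto.AEADBadTagException) {
        null                                                     // tampered or wrong-record ciphertext
    }
}

// V3: "a suitable random number generator wherever randomness is required".
// SecureRandom is the platform CSPRNG; java.util.Random and Math.random() are not.
fun newSessionToken(bytes: Int = 32): ByteArray =
    ByteArray(bytes).also { SecureRandom().nextBytes(it) }
```

Because `setRandomizedEncryptionRequired(true)` is set, the Keystore rejects any caller-supplied IV at encryption time, which removes the classic "static IV reused with GCM" mistake by construction; the IV is read back from `cipher.iv` after `init` and stored alongside the ciphertext.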
  10. V4: AUTHENTICATION AND SESSION MANAGEMENT REQUIREMENTS

      Defines some basic requirements regarding how user accounts and sessions are to be managed.
  11. V5: NETWORK COMMUNICATION REQUIREMENTS

      To ensure the confidentiality and integrity of information exchanged between the mobile app and remote service endpoints.
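As an added example for V5 (not code from the deck or from OWASP), this Kotlin snippet builds an OkHttp client that only speaks modern TLS and pins the backend's public key, so confidentiality and integrity do not depend solely on whatever CAs the device happens to trust. The host name and the two pin values are placeholders; real pins are the base64 SHA-256 of the server's SubjectPublicKeyInfo, and a backup pin for the next key is included so a key rotation does not lock users out.

```kotlin
import okhttp3.CertificatePinner
import okhttp3.ConnectionSpec
import okhttp3.OkHttpClient
import java.util.concurrent.TimeUnit

// Placeholder host and pins for this example; replace with the real SPKI hashes.
private const val API_HOST = "api.example.com"
private const val PIN_CURRENT = "sha256/PLACEHOLDER_CURRENT_SPKI_HASH_BASE64="
private const val PIN_BACKUP = "sha256/PLACEHOLDER_BACKUP_SPKI_HASH_BASE64="

fun buildPinnedClient(): OkHttpClient {
    val pinner = CertificatePinner.Builder()
        .add(API_HOST, PIN_CURRENT)   // pin the key in use today
        .add(API_HOST, PIN_BACKUP)    // and the pre-generated rotation key
        .build()

    return OkHttpClient.Builder()
        // RESTRICTED_TLS: TLS 1.2/1.3 with a restricted cipher-suite list; no cleartext spec.
        .connectionSpecs(listOf(ConnectionSpec.RESTRICTED_TLS))
        .certificatePinner(pinner)
        .connectTimeout(10, TimeUnit.SECONDS)
        .readTimeout(30, TimeUnit.SECONDS)
        .build()
}
```

With `ConnectionSpec.CLEARTEXT` absent from the list, any `http://` request to this client fails rather than silently downgrading; a pin mismatch surfaces as an `SSLPeerUnverifiedException` that the app should log (without the payload) and treat as a hard failure, not retry over a weaker path.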
  12. V6: PLATFORM INTERACTION REQUIREMENTS

      To ensure that the app uses platform APIs and standard components in a secure manner.
  13. V7: CODE QUALITY AND BUILD SETTING REQUIREMENTS

      To ensure that basic security coding practices are followed in developing the app, and that "free" security features offered by the compiler are activated.
  14. V8: RESILIENCE REQUIREMENTS

      This section covers defense-in-depth measures recommended for apps that process, or give access to, sensitive data or functionality.