introduction to owasp mobile application security
play

Introduction to OWASP Mobile Application Security Verification - PowerPoint PPT Presentation

Jun 23, 2023 •637 likes •867 views

Introduction to OWASP Mobile Application Security Verification Standard (MASVS) OWASP Geneva 12/12/2016 Jrmy MATOS whois securingapps Developer background Spent last 10 years working between Geneva and Lausanne on security products

  1. Introduction to OWASP Mobile Application Security Verification Standard (MASVS) OWASP Geneva 12/12/2016 – Jérémy MATOS

  2. whois securingapps Developer background Spent last 10 years working between Geneva and Lausanne on security products and solutions Focus on mobile since 2010 Now software security consultant at my own company http://www.securingapps.com Provide services to build security in software Mobile Web Cloud Internet Of Things Bitcoin/Blockchain @SecuringApps

  3. Introduction Providing mobile apps is required by business Native is often the choice Usability Performance Access to sensors Connectivity issues A traditional web security assessment only applies to webview integrations A mobile application is a fat client and hence has a totally different threat model

  4. Some of the most significant differences Code running client side Real local storage Lots of APIs, including for security (e.g encryption) Mobile OS are sandboxed Much more clear than Same Origin Policy «Trusted» download: applications stores + signature Not a HTML hack XSS and CSRF not issues anymore But access to many user data

  5. What should we check then ? SSL and certificate pinning ? Clear text storage in SQLlite database ? Obfuscation ? Anti-debugging ? Encryption in Trusted Excution Environment (TEE) ? This is the goal of OWASP Mobile Application Security Verification Standard (MASVS) https://github.com/OWASP/owasp-masvs Project leaders: Bernard Mueller & Sven Schleier http://www.vantagepoint.sg/blog

  6. Security Verification levels 1/3

  7. Security Verification levels 2/3 Level 1: Standard Security An application that achieves MASVS level 1 adheres to mobile application security best practices. It fulfills basic requirements in terms of code quality, handling of sensitive data, and interaction with the mobile environment. A testing process must be in place to verify the security controls. This level is appropriate for all mobile applications . Level 2 : Defense-in-Depth Level 2 introduces advanced security controls that go beyond the standard requirements. To fulfill L2, a threat model must exist, and security must be considered during the design phase . The effectiveness of the controls must be verified using white-box testing . This level is appropriate for applications that handle sensitive data , such as mobile banking.

  8. Security Verification levels 3/3 Level 3 : Defense-in-Depth and resiliency Level 3 adds mechanisms that increase the cost of reverse engineering the application. It can be applied to add an additional layer of protection for apps that process sensitive data. Vendors may also opt to implement the L3 requirements as a means of protecting their intellectual property and to prevent tampering with the app. Level 4 : Defense-in-Depth and strong resiliency An application that achieves MASVS level 4 has both state-of-the-art security and strong software protections. Such an application leverages hardware security features or strong obuscation techniques and is highly resilient against attacks and reverse engineering attempts. L4 is applicable to apps that handle highly sensitive data . The L4 controls may also serve as a means of protecting intellectual property or tamper-proofing an app.

  9. Industry specific guidance 1/2

  10. Industry specific guidance 2/2

  11. Detailed verification requirements V1 Architecture, design and threat modelling V2 Data storage and privacy V3 Cryptography verification V4 Authentication and session management V5 Network communication V6 Interaction with the environment V7 Code quality and build setting V8 Resiliency against reverse engineering

  12. V1 Architecture,design & threat modelling At level 1, components of the application are identified and have a reason for being in the app At level 2 and higher, the architecture has been defined and the code adheres to the architecture. Additionally, a threat model exists that identifies potential threats.

  13. V2 Data storage and privacy

  14. V3 Cryptography verification

  15. V4 Authentication and session mgmt

  16. V5 Network communication

  17. V6 Interaction with the environment

  18. V7 Code quality and build setting

  19. V8 Reverse engineering resiliency

  20. OWASP Mobile Top 10 2016 https://www.owasp.org/index.php/Mobile_Top_10_2016-Top_10 Still release candidate. Really alive ? More a classification of issues Provides high level info on what not to do, rather than detailed info of what to do Somehow same categories than MASVS

  21. Conclusion MASVS provides clear guidance of what to check in a mobile application Really interesting definition of security levels And industry specific advice Actionnable Reasonable number of controls Strong security requirements in general Do not hesitate to provide feedback to the project leaders : https://github.com/OWASP/owasp-masvs

  22. Thank you ! Any question contact@securingapps.com

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

OWASP Most Critical Web Application Security Vulnerabilities Introduction 2 Purpose of

OWASP Most Critical Web Application Security Vulnerabilities Introduction 2 Purpose of

OWASP Most Critical Web Application Security Vulnerabilities Introduction 2 Purpose of Session: - Provide Overview Web Application Security Threats and Defense Using the Open Web Application Security Project (OWASP) Top List, we

830 views • 39 slides
New Privacy in Android 11 and OWASP Mobile Security Albert Hsieh OWASP 200

New Privacy in Android 11 and OWASP Mobile Security Albert Hsieh OWASP 200

New Privacy in Android 11 and OWASP Mobile Security Albert Hsieh OWASP 200 OWASP Flagship Projects Tool Projects OWASP Amass OWASP CSRFGuard OWASP Defectdojo OWASP Dependency-Check OWASP Dependency-Track

751 views • 55 slides
Introduction to Mobile Security Testing Approaches and Examples using OWASP MSTG OWASP German

Introduction to Mobile Security Testing Approaches and Examples using OWASP MSTG OWASP German

Introduction to Mobile Security Testing Approaches and Examples using OWASP MSTG OWASP German Day 20.11.2018 Carlos Holguera $ whoami Carlos Holguera [olera] Security Engineer working at ESCRYPT GmbH since 2012 Area of expertise:

790 views • 56 slides
OWASP Top 10 OWASP Top Ten meets JSF Andreas Hartmann Application Security Komponente

OWASP Top 10 OWASP Top Ten meets JSF Andreas Hartmann Application Security Komponente

Agenda Application Security OWASP Top 10 OWASP Top Ten meets JSF Andreas Hartmann Application Security Komponente Application Security Startup 04.04.2013 04.04.2013 2 OWASP Top 10 Agenda Application Security Was ist Application Security

234 views • 8 slides
Web Application Security Attacks on the Web Attacker Web User Application Web Database Web

Web Application Security Attacks on the Web Attacker Web User Application Web Database Web

IN3210 Network Security Web Application Security Attacks on the Web Attacker Web User Application Web Database Web Server Application 2 The OWASP Foundation The Open Web Application Security Project (OWASP) is a 501(c)(3)

1.21k views • 60 slides
with ASP.NET / MVC & OWASP Adnan Masood Sr. System Architect Green Dot Corporation What

with ASP.NET / MVC & OWASP Adnan Masood Sr. System Architect Green Dot Corporation What

Web Application Security with ASP.NET / MVC & OWASP Adnan Masood Sr. System Architect Green Dot Corporation What this talk is about? 2 This session is an introduction to web application security threats using the OWASP Top 10 list

977 views • 69 slides
Pushing Left, Like a Boss Application Security Foundations Tanya Janca Tanya.Janca@owasp.org

Pushing Left, Like a Boss Application Security Foundations Tanya Janca Tanya.Janca@owasp.org

Pushing Left, Like a Boss Application Security Foundations Tanya Janca Tanya.Janca@owasp.org OWASP Ottawa Chapter Leader OWASP DevSlop Project Leader @sheHacksPurple About Me Who am I? Im Tanya Janca; Application security evangelist, web

434 views • 30 slides
Security and OWASP Top 10 with Service Oriented Architectures Adnan Masood Sr. System Architect

Security and OWASP Top 10 with Service Oriented Architectures Adnan Masood Sr. System Architect

Practical Web Application Security and OWASP Top 10 with Service Oriented Architectures Adnan Masood Sr. System Architect Green Dot Corporation What this talk is about? 2 This session is an introduction to web application security

839 views • 60 slides
Security Considerations for Mobile Apps and APIs John DiLeo, D.Sc. (@gr4ybeard) OWASP New

Security Considerations for Mobile Apps and APIs John DiLeo, D.Sc. (@gr4ybeard) OWASP New

Security Considerations for Mobile Apps and APIs John DiLeo, D.Sc. (@gr4ybeard) OWASP New Zealand - Auckland August 2019 Wellhow did I get here? Born and raised in northeastern US Straight to university from high school

700 views • 34 slides
UC.yber; OWASP Chapter The University of Cincinnati's Official Cybersecurity Chapter What is

UC.yber; OWASP Chapter The University of Cincinnati's Official Cybersecurity Chapter What is

UC.yber; OWASP Chapter The University of Cincinnati's Official Cybersecurity Chapter What is OWASP? Open Web Application Security Project Non-profit organization focused on improving security of software. They have some GREAT info on

372 views • 9 slides
OWASP Top Ten Kirk Jackson OWASP NZ RedShield https://www.meetup.com/ kirk@pageofwords.com

OWASP Top Ten Kirk Jackson OWASP NZ RedShield https://www.meetup.com/ kirk@pageofwords.com

Introduction to the OWASP Top Ten Kirk Jackson OWASP NZ RedShield https://www.meetup.com/ kirk@pageofwords.com OWASP-Wellington/ http://hack-ed.com www.owasp.org.nz Recordings: @kirkj @owaspnz https://goo.gl/a2VSG2 What is OWASP? Open

880 views • 45 slides
Driving OWASP ZAP with Selenium About Me Mark Torrens - Recently moved into Cyber Security -

Driving OWASP ZAP with Selenium About Me Mark Torrens - Recently moved into Cyber Security -

Driving OWASP ZAP with Selenium About Me Mark Torrens - Recently moved into Cyber Security - Based in London - Completjng MSc Cyber Security @ University of York - Security Architect for Kainos Mateusz Kalinowski - Java research OWASP

789 views • 23 slides
CS 528 Mobile and Ubiquitous Computing Lecture 11: Mobile Security and Mobile Software

CS 528 Mobile and Ubiquitous Computing Lecture 11: Mobile Security and Mobile Software

CS 528 Mobile and Ubiquitous Computing Lecture 11: Mobile Security and Mobile Software Vulnerabilities Emmanuel Agu Mobile Security Issues Introduction So many cool mobile apps Access to web, personal information, social media, etc

1.05k views • 55 slides
OWASP Foundation OWASP does not endorse or recommend commercial products or services , allowing our

OWASP Foundation OWASP does not endorse or recommend commercial products or services , allowing our

OWASP Foundation OWASP does not endorse or recommend commercial products or services , allowing our community to remain vendor neutral with the collective wisdom of the best minds in software security worldwide. OWASP Foundation, NYC Chapter

382 views • 23 slides
Mobile Application Security Testing and Code Review 19 Nov 2013 Mobile and Smart Device

Mobile Application Security Testing and Code Review 19 Nov 2013 Mobile and Smart Device

Mobile Application Security Testing and Code Review 19 Nov 2013 Mobile and Smart Device Security 2013 Boston, MA Presen sented ted by: Francis Brown & Joe DeMesy Bishop Fox www.bishopfox.com Introductions VERY QUICKLY

3.77k views • 83 slides
OWASP Summit 2017 Why, how, what, where (v0.9, Jan 2017) Close your eyes Imagine a place

OWASP Summit 2017 Why, how, what, where (v0.9, Jan 2017) Close your eyes Imagine a place

OWASP Summit 2017 Why, how, what, where (v0.9, Jan 2017) Close your eyes Imagine a place where (some of ) the best Application Security and OWASP minds come together to collaborate and work a meeting of minds focused on solving

770 views • 37 slides
Building security from scratch Anthi Gilligan Application Security Engineer - Logitech

Building security from scratch Anthi Gilligan Application Security Engineer - Logitech

From ZERO to HERO Building security from scratch Anthi Gilligan Application Security Engineer - Logitech @AnGreagach Who I am and what I do The state of Infosec The experts Pitfall #1 Pitfall #2 Pitfall #3 Pitfall #4 ENCRYPT

522 views • 16 slides
Security as a Architectural Concern Reid Holmes [TAILOR ET AL.] NFP: Security Security:

Security as a Architectural Concern Reid Holmes [TAILOR ET AL.] NFP: Security Security:

Material and some slide content from: - Software Architecture: Foundations, Theory, and Practice - Krzysztof Czarnecki Security as a Architectural Concern Reid Holmes [TAILOR ET AL.] NFP: Security Security: The protection a ff orded a

160 views • 4 slides
SECURE BY DESIGN Security Design Principles for the Rest of Us GOTO London 2016 Eoin Woods -

SECURE BY DESIGN Security Design Principles for the Rest of Us GOTO London 2016 Eoin Woods -

SECURE BY DESIGN Security Design Principles for the Rest of Us GOTO London 2016 Eoin Woods - Endava @eoinwoodz 1 BACKGROUND Eoin Woods CTO at Endava (technology services, 3300 people) 10 years in product development - Bull,

453 views • 31 slides
GANT: A Defense in Depth Approach TF-MSP Wayne Routly Trondheim.no Security Manager

GANT: A Defense in Depth Approach TF-MSP Wayne Routly Trondheim.no Security Manager

GANT: A Defense in Depth Approach TF-MSP Wayne Routly Trondheim.no Security Manager September 2013 DANTE connect communicate collaborate Before . connect communicate collaborate Agenda Defence in Depth - A Layered

323 views • 9 slides
Injecting Security Controls into Software Applications Katy Anton Principal Application Security

Injecting Security Controls into Software Applications Katy Anton Principal Application Security

Injecting Security Controls into Software Applications Katy Anton Principal Application Security Consultant About me Katy Anton Software development background Project co-leader for OWASP Top 10 Proactive Controls (@OWASPControls)

599 views • 37 slides
Nuclear Safety Standards Committee 41 st Meeting, 21 23 June, 2016 Joint IAEA-ICTP Essential

Nuclear Safety Standards Committee 41 st Meeting, 21 23 June, 2016 Joint IAEA-ICTP Essential

Nuclear Safety Standards Committee 41 st Meeting, 21 23 June, 2016 Joint IAEA-ICTP Essential Knowledge Workshop on Nuclear Power Plant Design Safety Agenda item Title ICTP/Trieste, 9 20 October 2017 Assessment of Defence in Depth Name,

580 views • 38 slides
Design Principles CS461 / ECE422 Spring 2012 1 Overview Simplicity - Less to go wrong -

Design Principles CS461 / ECE422 Spring 2012 1 Overview Simplicity - Less to go wrong -

Design Principles CS461 / ECE422 Spring 2012 1 Overview Simplicity - Less to go wrong - Fewer possible inconsistencies - Easy to understand Restriction - Minimize access - Inhibit communication Saltzer and Schroeder 75 2 Economy of

330 views • 20 slides
Reliable Agent Systems This lecture looks more closely at reliability of agent systems in an open

Reliable Agent Systems This lecture looks more closely at reliability of agent systems in an open

Reliable Agent Systems This lecture looks more closely at reliability of agent systems in an open environment: Why this is difficult but (maybe) important. Two short examples showing how a small change in our formal view alters practice.

262 views • 24 slides

More recommend