An overview of MSTG and MASVS and how usable they are for small teams and small but well-protected projects, from the perspective of an iOS software engineer.
trainings for all team members
• Requirements phase: Risk evaluation
• Design phase: Security design review, threat modeling
• Implementation phase: Security best practices for the particular language and platform
• Validation phase: Security testing
• Release and maintenance: Vulnerability management, responding to incidents
OWASP S-SDLC: https://www.owasp.org/index.php/OWASP_Secure_Software_Development_Lifecycle_Project
are added by request from the client
• Client requests a third-party security audit closer to the UAT or release date
• Even if security features are planned, their implementation is of a lower priority compared to UI/UX
PROS
• Allows low security awareness in the team
• Saves time if you need to earn the client's trust
• More time for development equals a longer contract with the client
CONS
• Huge refactoring, including networking and UI/UX, right before the release
• Decreasing the whole product quality
• Increasing security risks (band-aid security)
SECURITY TESTING AND REVERSE ENGINEERING. IT DESCRIBES TECHNICAL PROCESSES FOR VERIFYING THE CONTROLS LISTED IN THE OWASP MOBILE APPLICATION VERIFICATION STANDARD (MASVS). OWASP MSTG: https://github.com/OWASP/owasp-mstg
ID    Level  Description
4.1   L1     If the app provides users access to a remote service, some form of authentication, such as username/password authentication, is performed at the remote endpoint.
4.4   L1     The remote endpoint terminates the existing session when the user logs out.
4.7   L1     Sessions are invalidated at the remote endpoint after a predefined period of inactivity and access tokens expire.
4.9   L2     A second factor of authentication exists at the remote endpoint and the 2FA requirement is consistently enforced.
4.11  L2     The app informs the user of all login activities with their account. Users are able to view a list of devices used to access the account, and to block specific devices.
SETTINGS REQUIREMENTS
ID    Level  Description
7.1   L1     The app is signed and provisioned with a valid certificate, of which the private key is properly protected.
7.2   L1     The app has been built in release mode, with settings appropriate for a release build (e.g. non-debuggable).
7.4   L1     Debugging code has been removed, and the app does not log verbose errors or debugging messages.
7.5   L2     All third-party components used by the mobile app, such as libraries and frameworks, are identified, and checked for known vulnerabilities.
NETWORK COMMUNICATION
• CRYPTOGRAPHY IN MOBILE APPS
• TESTING CODE QUALITY
• TAMPERING AND REVERSE ENGINEERING
• TESTING USER EDUCATION
OWASP MSTG: https://github.com/OWASP/owasp-mstg
• Something the user knows: password, PIN, pattern, etc.
• Something the user has: SIM card, OTP (one-time password) generator, hardware token, etc.
• A biometric property: fingerprint, retina, voice, etc.
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04e-Testing-Authentication-and-Session-Management.md
• 2FA (2-Factor Authentication):
  • OTP by SMS or phone call
  • Hardware or software token
  • Push notifications in combination with PKI (public key infrastructure) and local authentication
• Supplementary Authentication:
  • Geolocation
  • IP address
  • Time of the day
  • Device ID
• Client generates public and private keys on user registration, registers the public key with the backend, saves the private key to the Keychain.
• Backend sends transaction data to the client to be authorized.
• Client unlocks the Keychain, gets the private key, signs the transaction and sends it back to the backend.
• Backend verifies it with the public key.
• Local authentication should always be enforced at a remote endpoint or based on a cryptographic primitive. Attackers can easily bypass local authentication if no data is returned from the authentication process.
EXAMPLE
David Linder, "Don't Touch Me That Way": https://youtu.be/XhXIHVGCFFM
• Don't
  • Rely on bool output
  • Forget to configure Touch ID
• Do
  • Use Touch ID to get data from Keychain
  • Combine it with user password
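The transaction-signing flow from the previous slide, written so that the "Do" points above hold: this is an added example, not code from the slides or from MSTG. It assumes a Secure Enclave-backed P-256 key (the slides only say "Keychain") and a made-up key tag; biometric authentication is enforced by the key's access control, so there is no bool for an attacker to flip, only a signature that the backend verifies with the registered public key.

```swift
import Foundation
import Security
let signingKeyTag = "com.example.transactionSigningKey".data(using: .utf8)!  // assumed tag
/// Registration: create a P-256 key pair. The private key stays in the Secure Enclave and is
/// usable only after biometrics; the public key (X9.63 bytes) is returned for the backend.
func generateRegistrationKey() throws -> Data {
    var cfError: Unmanaged<CFError>?
    guard let access = SecAccessControlCreateWithFlags(
            kCFAllocatorDefault, kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
            [.privateKeyUsage, .biometryCurrentSet], &cfError)
    else { throw cfError!.takeRetainedValue() as Error }
    let attributes: [String: Any] = [
        kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
        kSecAttrKeySizeInBits as String: 256,
        kSecAttrTokenID as String: kSecAttrTokenIDSecureEnclave,
        kSecPrivateKeyAttrs as String: [
            kSecAttrIsPermanent as String: true,
            kSecAttrApplicationTag as String: signingKeyTag,
            kSecAttrAccessControl as String: access
        ]
    ]
    guard let privateKey = SecKeyCreateRandomKey(attributes as CFDictionary, &cfError),
          let publicKey = SecKeyCopyPublicKey(privateKey),
          let publicBytes = SecKeyCopyExternalRepresentation(publicKey, &cfError)
    else { throw cfError!.takeRetainedValue() as Error }
    return publicBytes as Data
}
/// Authorization: look the private key up and sign the transaction bytes the backend sent.
/// Signing triggers the Touch ID / Face ID prompt; without it no signature exists at all.
func signTransaction(_ transaction: Data) throws -> Data {
    let query: [String: Any] = [
        kSecClass as String: kSecClassKey,
        kSecAttrApplicationTag as String: signingKeyTag,
        kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
        kSecReturnRef as String: true
    ]
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    guard status == errSecSuccess, let key = item else {
        throw NSError(domain: NSOSStatusErrorDomain, code: Int(status))
    }
    var cfError: Unmanaged<CFError>?
    guard let signature = SecKeyCreateSignature(key as! SecKey, .ecdsaSignatureMessageX962SHA256,
                                                transaction as CFData, &cfError)
    else { throw cfError!.takeRetainedValue() as Error }
    return signature as Data
}
```

The backend checks the returned signature against the public key it stored at registration, which is the remote enforcement the next slide asks for.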
Intercepting network traffic: Burp Suite, Charles Proxy, OWASP ZAP
• Check data encryption in the network, SSL/TLS pinning
• MASVS V5.5: The app doesn't rely on a single insecure communication channel (e-mail or SMS) for critical operations such as enrollment and account recovery.
• Pay attention to new technologies
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04f-Testing-Network-Communication.md
insecure/deprecated algorithms
• Prevent configuration issues: weak key or random number generators, insufficient key length, etc.
• Do not use symmetric encryption with hard-coded keys
• Keep the keys in secured storage (Keychain, Keystore) or obfuscate/encrypt them
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md
V6.2: All inputs from external sources and the user are validated and if necessary sanitized. This includes data received via the UI, IPC mechanisms such as intents, custom URLs, and network sources.
• Injection attacks
• Memory corruption bugs
• XSS attacks on WebView
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04h-Testing-Code-Quality.md
PROJECT REQUIREMENTS
• We want a WebView in our app to register the user with a third-party service.
• Please, disable JavaScript on it.
• You need to send a POST request with parameters when the user opens the WebView.
https://stackoverflow.com/questions/26253133/cant-set-headers-on-my-wkwebview-post-request
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x06h-Testing-Platform-Interaction.md
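One way to meet the three requirements above in a WKWebView, as an added example that is not from the slides or the project they describe. The URL and form fields are placeholders supplied by the caller; the body is percent-encoded field by field so that user-supplied values cannot inject extra form parameters (the V6.2 input validation point from the previous slide).

```swift
import WebKit
/// Builds the registration WebView with JavaScript disabled and loads the third-party
/// page with a POST body, as the project requirement describes.
func makeRegistrationWebView(url: URL, formFields: [String: String]) -> WKWebView {
    let config = WKWebViewConfiguration()
    if #available(iOS 14.0, *) {
        // Default page preferences apply to every navigation started from this view.
        config.defaultWebpagePreferences.allowsContentJavaScript = false
    } else {
        config.preferences.javaScriptEnabled = false
    }
    let webView = WKWebView(frame: .zero, configuration: config)

    // Only unreserved characters survive unescaped, so a value containing "&" or "="
    // cannot smuggle additional form fields into the request body.
    let unreserved = CharacterSet.alphanumerics.union(CharacterSet(charactersIn: "-._~"))
    let body = formFields.map { key, value -> String in
        let k = key.addingPercentEncoding(withAllowedCharacters: unreserved) ?? ""
        let v = value.addingPercentEncoding(withAllowedCharacters: unreserved) ?? ""
        return "\(k)=\(v)"
    }.joined(separator: "&")

    var request = URLRequest(url: url)
    request.httpMethod = "POST"
    request.setValue("application/x-www-form-urlencoded", forHTTPHeaderField: "Content-Type")
    request.httpBody = body.data(using: .utf8)
    webView.load(request)
    return webView
}
```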
ENGINEERING
• Reverse engineering is the process of analyzing the compiled app to extract information about its source code.
• Tampering is the process of changing a mobile app to affect its behavior.
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04c-Tampering-and-Reverse-Engineering.md
Separate sandbox for each application
• Single distribution source
• Sideloads are allowed only with Xcode or the Enterprise program
• iOS users tend to update their iOS version to the latest one, while downgrading is questionable.
• New UDID of iPhone XS, XS Max, XR
APPS MANAGING JAILBREAK DEVICES
After identifying and fixing a vulnerability, Apple releases an update. Later on they stop signing the old iOS version, which makes it impossible to downgrade.
Define upgrading strategies
• Use several devices to upgrade with every major release and wait for jailbreak availability
https://canijailbreak.com/
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x06b-Basic-Security-Testing.md
• Make sure to use Keychain
• Make sure to wipe Keychain
• Do not store sensitive data in .plists
• Need to store more data? Use encrypted DBs
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x06d-Testing-Data-Storage.md
AND REVERSE ENGINEERING
• Objective-C allows method invocations to be changed at run time, making hooking into app functions easy.
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x06c-Reverse-Engineering-and-Tampering.md
detection
• File-based checks
• Permissions checks
• Attempting to open Cydia and other malicious apps
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x06j-Testing-Resiliency-Against-Reverse-Engineering.md
checks
• ptrace with PT_DENY_ATTACH ensures that no other debugger can attach to the calling process. If a debugger attempts to attach, the process will terminate.
• sysctl is used to retrieve info about the current process, including whether the process is being debugged.
• Checking signature
• Checking device binding
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x06j-Testing-Resiliency-Against-Reverse-Engineering.md
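The two anti-debugging checks named above in Swift, as an added example rather than code from the slides. ptrace is not exported to Swift, so it is resolved with dlsym; the PT_DENY_ATTACH constant and the P_TRACED flag are the values from the Darwin headers, and the function names are my own.

```swift
import Foundation
// ptrace(2) is not exported to Swift, so it is resolved at run time; PT_DENY_ATTACH is
// the request value from <sys/ptrace.h>.
private typealias PtraceFunc = @convention(c) (CInt, pid_t, UnsafeMutableRawPointer?, CInt) -> CInt
private let PT_DENY_ATTACH: CInt = 31
/// Asks the kernel to refuse any future debugger attach; if a debugger is already attached,
/// or attaches later, the process is terminated. Returns false if ptrace could not be resolved.
func denyDebuggerAttach() -> Bool {
    guard let handle = dlopen(nil, RTLD_NOW), let symbol = dlsym(handle, "ptrace") else {
        return false
    }
    let ptrace = unsafeBitCast(symbol, to: PtraceFunc.self)
    return ptrace(PT_DENY_ATTACH, 0, nil, 0) == 0
}
/// Reads the kinfo_proc record of the current process via sysctl and checks P_TRACED,
/// the flag the kernel sets while a debugger is attached.
func isBeingDebugged() -> Bool {
    var info = kinfo_proc()
    var size = MemoryLayout<kinfo_proc>.stride
    var mib: [Int32] = [CTL_KERN, KERN_PROC, KERN_PROC_PID, getpid()]
    guard sysctl(&mib, UInt32(mib.count), &info, &size, nil, 0) == 0 else {
        return false   // lookup failed: treat as "unknown", not as "safe"
    }
    return (info.kp_proc.p_flag & P_TRACED) != 0
}
/// Runs both checks early, e.g. from application(_:didFinishLaunchingWithOptions:).
/// Returns false when a debugger is present or the deny request could not be made, so the
/// caller can layer this with the signature and device-binding checks listed above.
func runAntiDebuggingChecks() -> Bool {
    if isBeingDebugged() { return false }
    return denyDebuggerAttach()
}
```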
JAILBREAK DETECTION AND ANTI-REVERSING DEFENCES? USE RELIABLE THIRD-PARTY SOLUTIONS!
Overview of Solution Providers: https://nmgprod.s3.amazonaws.com/media/filer_public/8f/72/8f7224ef-9143-4f4b-b3a0-2d38c05e879d/guide_mobile_payments_security_101.pdf