Introduction to Mobile Security Testing: Approaches and Examples using OWASP MSTG
Slide 1
Introduction to Mobile Security Testing
Approaches and Examples using OWASP MSTG
OWASP German Day 20.11.2018
Carlos Holguera
Slide 2
$ whoami
Security Engineer working at ESCRYPT GmbH since 2012
Area of expertise:
– Mobile & Automotive Security Testing
– Security Testing Automation
Carlos Holguera [olˈɣera]
@grepharder
Slide 3
Index
1 Why?
2 From the Standard to the Guide
3 Vulnerability Analysis
4 Information Gathering
6 Penetration Testing
7 Final Demos
Slide 4
1 Why?
Slide 5
Why?
Trustworthy sources?
Right Methodology?
Latest Techniques?
MASVS is the WHAT
MSTG is the HOW
Online videos, articles, trainings ??
Slide 6
2 From the Standard to the Guide
Slide 7
From the Standard to the Guide
Slide 8
From the Standard to the Guide
OWASP Mobile Application Security Verification Standard
Read it on GitBook
Open on GitHub
Slide 9
From the Standard to the Guide
OWASP Mobile Application Security Verification Standard
How? MSTG
OS agnostic
Slide 10
From the Standard to the Guide
OWASP Mobile Application Security Verification Standard
Get it from GitHub, fork & customize depending on the target
Slide 11
From the Standard to the Guide
OWASP Mobile Security Testing Guide
Read it on GitBook
Open on GitHub
Slide 12
From the Standard to the Guide
OWASP Mobile Security Testing Guide
MASVS Refs. on each chapter
GitHub Search or clone & grep
Slide 13
3 Vulnerability Analysis
Slide 14
Vulnerability Analysis
Static Analysis (SAST)
Manual Code Review
grep & line-by-line examination
expert code reviewer proficient in both language and frameworks
Automatic Code Analysis
Speed up the review
Predefined set of rules or industry best practices
False positives! A security professional must always review the results.
False negatives! Even worse …
Dynamic Analysis (DAST)
Testing and evaluation of apps
Real-time execution
Manual / Automatic
Examples of checks
disclosure of data in transit
authentication and authorization issues
server configuration errors
Recommendation: SAST + DAST + security professional
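A rule-based scan over decompiled source, as an added example (my own, not code from the talk, the MSTG or any SAST product): the rules, the sample Java and every identifier in it are constructed for illustration. It shows the three points of the slide in one run: a predefined rule set speeds the review up, one of the four hits is a false positive a reviewer has to discard, and anything no rule covers is a false negative the scan never reports.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed rules (id, pattern, message). They imitate the "predefined set of
# rules" a SAST tool ships with; they are not the MSTG's or any product's rules.
RULES = [
    ("CRYPTO-ECB",
     re.compile(r'Cipher\.getInstance\(\s*"[^"]*/ECB/'),
     "ECB mode leaks plaintext structure; prefer an authenticated mode such as AES/GCM"),
    ("CRYPTO-HARDCODED-KEY",
     re.compile(r'SecretKeySpec\(\s*(?:"[^"]*"|[A-Z_][A-Z0-9_]*)\.getBytes\('),
     "key built from a string constant ships inside the APK; keep keys in the Android Keystore"),
    ("LOG-SENSITIVE",
     re.compile(r'Log\.[vdiwe]\(.*(password|token|secret)', re.IGNORECASE),
     "possible sensitive value written to logcat"),
]
_STRING_LITERAL = re.compile(r'"(?:\\.|[^"\\])*"')
_SENSITIVE_WORD = re.compile(r'\b(password|token|secret)\b', re.IGNORECASE)

# Constructed sample in the shape of decompiler output; not from the Hacking
# Playground or any real app. Line 10 logs a real credential, line 11 only a label.
SAMPLE_DECOMPILED = '''\
public class CryptoHelper {
    private static final String KEY = "0123456789abcdef";
    static byte[] encrypt(byte[] data) throws Exception {
        SecretKeySpec k = new SecretKeySpec(KEY.getBytes("UTF-8"), "AES");
        Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, k);
        return c.doFinal(data);
    }
    static void onLogin(String user, String password) {
        Log.d("Login", "user=" + user + " password=" + password);
        Log.d("Login", "showing dialog: Enter your password");
    }
}
'''


@dataclass
class Finding:
    rule: str
    line_no: int
    line: str
    message: str
    confidence: str          # "high" or "low"; low hits are where most false positives sit
    reviewed: bool = False   # stays False until a security professional confirms or discards it


def _confidence(rule_id: str, line: str) -> str:
    """Heuristic for the logging rule: a sensitive keyword that only occurs inside a
    string literal (a UI label, a JSON field name) is usually noise; one used as an
    identifier concatenated into the message usually is the leak."""
    if rule_id != "LOG-SENSITIVE":
        return "high"
    without_literals = _STRING_LITERAL.sub('""', line)
    return "high" if _SENSITIVE_WORD.search(without_literals) else "low"


def scan(source: str) -> list[Finding]:
    """Apply every rule to every line: a grep pass driven by a rule catalogue."""
    findings = []
    for n, line in enumerate(source.splitlines(), start=1):
        for rule_id, pattern, message in RULES:
            if pattern.search(line):
                findings.append(Finding(rule_id, n, line.strip(), message,
                                        _confidence(rule_id, line)))
    return findings


def summary(findings: list[Finding]) -> dict[str, int]:
    """Hits per rule: the volume the reviewer has to work through."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan(SAMPLE_DECOMPILED):
        print(f"{f.rule:22} line {f.line_no:2} [{f.confidence}] {f.message}")
        print(f"{'':22}   {f.line}")
```

The two logcat hits come out with different confidence: the keyword concatenated as a variable is the real leak, the one inside a dialog label is noise, and both still land in front of a person, which is the point of the slide's recommendation.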
Slide 15
Vulnerability Analysis
What to verify & how.
Incl. references to MASVS Requirements
Based on MASVS
* OWASP, Mobile Security Testing Guide, 2018 (0x05d-Testing-Data-Storage.html)
Slide 16
Vulnerability Analysis
Demo App
The MSTG Hacking Playground App
Open on GitHub
Slide 17
Vulnerability Analysis
Manual Code Review
Example: Android original source code
Slide 18
Vulnerability Analysis
Manual Code Review
Example: Android decompiled source code
Slide 19
Vulnerability Analysis
Manual Code Review
Example: iOS original source code
* OWASP iGoat A Learning Tool for iOS App Pentesting and Security, 2018 (iGoat)
Slide 20
Vulnerability Analysis
Manual Code Review
Example: iOS disassembled “source code”
Slide 21
Vulnerability Analysis
Automatic Code Analysis
Example: Static Analyzer
Results must always be evaluated by a professional
Slide 22
4 Information Gathering
Slide 23
Information Gathering
Identifies
General Information
Sensitive Information
… on the target that is publicly available, e.g. about the OS and its APIs
Evaluates the risk by understanding
Existing Vulnerabilities
Existing Exploits
… especially from third party software.
Slide 24
Information Gathering
* OWASP, Mobile Security Testing Guide, 2018 (0x05a-Platform-Overview.html)
Slide 25
Information Gathering
Example: Open OMTG_DATAST_011_Memory.java and observe the decryptString implementation.
Slide 26
Information Gathering
Let me google that for you…
Slide 27
Information Gathering
Got all the original crypto code, including the crypto params.
Slide 28
5 Penetration Testing
Slide 29
Penetration Testing
Preparation
Coordination with the client
Define scope / focus
Request source code
Release and debug apps
Understand customer worries
Identifying Sensitive Data
at rest: file
in use: address space
in transit: tx to endpoint, IPC
Intelligence Gathering
Environmental info
Goals and intended use (e.g. Flashlight)
What if compromised?
Architectural Info
Runtime protections (jailbreak, emulator..?)
Which OS (old versions?)
Network Security
Secure Storage (what, why, how?)
Slide 30
Penetration Testing
Mapping
Based on all previous information
UNDERSTAND the target
LIST potential vulnerabilities
DRAW sensitive data flow
DESIGN a test plan, use MASVS
Complement with automated scanning and manually exploring the app
Exploitation
Exploit the vulnerabilities identified during the previous phase
Use the MSTG
Find the true positives
Reporting
Essential to the client
Not so fun? It makes you the bad guy
Security not integrated early enough in the SDLC?
Slide 31
Penetration Testing
* OWASP, Mobile Security Testing Guide, 2018 (0x04b-Mobile-App-Security-Testing.html)
Slide 32
Penetration Testing
Penetration Testing is conducted in four phases*
* NIST, Technical Guide to Information Security Testing and Assessment, 2008
Slide 33
Penetration Testing
However
Multiple attack vectors
Multiple steps
Different combinations give different full attack vectors
So penetration testing usually looks more like this …
Slide 34
Penetration Testing
Demo Spoiler
Download the app
Read the logs
Dex to jar
What do you want?
Inspect the code
The plain text?
get smali
Replicate crypto operations in java
debug
unpack it
Patch smali
hooking
decompile
It’s android, be happy!
The plain text
Re-package
Re-sign
Re-install
javac
run
Find stuff: keys, cipherText, classes
Make the app debuggable
google
logcat
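As an added example (mine, not code from the talk or from the OWASP projects it cites): the "unpack it" and "Find stuff" steps of the Demo Spoiler flow, done with the Python standard library only. An APK is a ZIP archive, and the bytecode inside it, classes.dex, opens with a fixed 0x70-byte header whose Adler-32 checksum and SHA-1 signature cover the rest of the file; the string table the header points to is where class names, cipher transformations and any hard-coded constants end up, which is what a reviewer greps a release build for before it ships. The APK, its class name and the 16-byte "key" are constructed placeholders, and the DEX built here is only complete enough for the header and string table, not something ART would load.

```python
import hashlib
import io
import re
import struct
import zipfile
import zlib

DEX_HEADER_SIZE = 0x70            # fixed header size of a dex 035 file
DEX_MAGIC = b"dex\n035\0"
ENDIAN_CONSTANT = 0x12345678
HEADER_FIELDS = [                 # the 20 uint32 fields that follow the SHA-1 signature
    "file_size", "header_size", "endian_tag", "link_size", "link_off", "map_off",
    "string_ids_size", "string_ids_off", "type_ids_size", "type_ids_off",
    "proto_ids_size", "proto_ids_off", "field_ids_size", "field_ids_off",
    "method_ids_size", "method_ids_off", "class_defs_size", "class_defs_off",
    "data_size", "data_off"]

def encode_uleb128(value: int) -> bytes:
    out = bytearray()
    while True:
        byte, value = value & 0x7F, value >> 7
        out.append((byte | 0x80) if value else byte)
        if not value:
            return bytes(out)

def decode_uleb128(data: bytes, off: int):
    """Return (value, offset just past the encoding)."""
    result = shift = 0
    while True:
        byte, off = data[off], off + 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, off
        shift += 7

def build_dex(strings) -> bytes:
    """Constructed minimal DEX: header, string_ids table and string data only.
    Enough to exercise the header checks and string extraction; ART would not load it."""
    ids_off = DEX_HEADER_SIZE
    data_off = ids_off + 4 * len(strings)
    data, offsets = bytearray(), []
    for s in strings:
        offsets.append(data_off + len(data))
        data += encode_uleb128(len(s)) + s.encode("utf-8") + b"\0"   # ASCII only: MUTF-8 == UTF-8
    string_ids = b"".join(struct.pack("<I", o) for o in offsets)
    fields = [data_off + len(data), DEX_HEADER_SIZE, ENDIAN_CONSTANT, 0, 0, 0, len(strings), ids_off]
    fields += [0] * 10 + [len(data), data_off]          # no type/proto/field/method/class tables
    rest = struct.pack("<20I", *fields) + string_ids + bytes(data)   # everything after the signature
    signature = hashlib.sha1(rest).digest()                          # SHA-1 covers offset 32..end
    checksum = zlib.adler32(signature + rest) & 0xFFFFFFFF           # Adler-32 covers offset 12..end
    return DEX_MAGIC + struct.pack("<I", checksum) + signature + rest

def parse_dex_header(dex: bytes) -> dict:
    """Parse the header and re-verify both integrity fields. A mismatch means the bytes
    changed after the file was built (patched without a regenerated header) or that
    this is not a DEX file at all."""
    if len(dex) < DEX_HEADER_SIZE or dex[:8] != DEX_MAGIC:
        raise ValueError("not a dex 035 file")
    checksum, = struct.unpack_from("<I", dex, 8)
    hdr = dict(zip(HEADER_FIELDS, struct.unpack_from("<20I", dex, 32)))
    hdr["checksum_ok"] = (zlib.adler32(dex[12:]) & 0xFFFFFFFF) == checksum
    hdr["signature_ok"] = hashlib.sha1(dex[32:]).digest() == dex[12:32]
    hdr["size_ok"] = hdr["file_size"] == len(dex)
    return hdr

def dex_strings(dex: bytes) -> list:
    """Follow string_ids -> string_data_item and decode every string."""
    hdr = parse_dex_header(dex)
    out = []
    for i in range(hdr["string_ids_size"]):
        off, = struct.unpack_from("<I", dex, hdr["string_ids_off"] + 4 * i)
        _utf16_len, start = decode_uleb128(dex, off)
        out.append(dex[start:dex.index(b"\0", start)].decode("utf-8", "replace"))
    return out

def build_sample_dex() -> bytes:
    """Constructed strings; the class name and the 16-byte 'key' are placeholders."""
    return build_dex(["Lcom/example/playground/CryptoHelper;", "AES/ECB/PKCS5Padding",
                      "0123456789abcdef", "decryptString"])

def build_sample_apk() -> bytes:
    """An APK is a ZIP: this constructed one holds a placeholder manifest and the DEX."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"placeholder (real manifests are binary XML)")
        z.writestr("classes.dex", build_sample_dex())
    return buf.getvalue()

KEYWORDS = ("/ECB/", "Cipher", "Key", "decrypt", "password")
HEX_BLOB = re.compile(r"[0-9a-fA-F]{16,64}")   # 64..256-bit hex constants: possible key material

def find_stuff(apk_bytes: bytes) -> dict:
    """'unpack it' + 'Find stuff': list the archive, verify classes.dex, triage its strings."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        entries, dex = z.namelist(), z.read("classes.dex")
    strings = dex_strings(dex)
    hits = [s for s in strings
            if any(k.lower() in s.lower() for k in KEYWORDS) or HEX_BLOB.fullmatch(s)]
    classes = [s for s in strings if s.startswith("L") and s.endswith(";")]
    return {"entries": entries, "header": parse_dex_header(dex),
            "strings": strings, "hits": hits, "classes": classes}

def tampered_copy(dex: bytes) -> bytes:
    """Flip one bit in the string data and leave the header untouched."""
    patched = bytearray(dex)
    patched[-2] ^= 0x01
    return bytes(patched)
```

Call `find_stuff(build_sample_apk())` and the string triage surfaces the ECB transformation, the hex constant that looks like key material and the `decryptString` method name, which is the starting point for the "Inspect the code" step. A DEX edited in place without a regenerated header fails both integrity checks in `parse_dex_header`, so those two fields are a quick tamper indicator for a classes.dex you did not build yourself.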
Slide 35
Penetration Testing
Techniques
decompilation
disassembly
code injection
binary patching
debugging
dynamic binary instrumentation
fuzzing
traffic dump
traffic interception
man-in-the-middle
method tracing
tampering
hooking
root detection
Slide 36
Penetration Testing
One for Android, one for iOS. All happy
Slide 37
Penetration Testing
* OWASP, Mobile Security Testing Guide, 2018 (0x05c-Reverse-Engineering-and-Tampering.html)
Slide 38
Penetration Testing
* OWASP, Mobile Security Testing Guide, 2018 (0x05c-Reverse-Engineering-and-Tampering.html)
Slide 39
Penetration Testing
Example Scenario: Automotive-Mobile Testing
Bluetooth
Mobile Apps
CAN
04 FX XX XX XX XF FF
03 2X XX XX XX X5 55
03 2X XX XX XX X5 55
04 FX XX XX XX XF FF
Slide 40
6 Demo 1 Mobile Penetration Testing
Let's decrypt that encrypted string!
Slide 41
Demo 1
App: MSTG-Hacking-Playground (011_MEMORY)
Slide 42
Demo 1
Flowchart of the Demo Spoiler slide, repeated in full.
Slide 43
Demo 1
Download the app
Dex to jar
What do you want?
Inspect the code
The plain text?
unpack it
hooking
decompile
It’s android, be happy!
The plain text
Find stuff: keys, cipherText, classes
Slide 44
Demo 1
Slide 45
Demo 1
Slide 46
6 Demo 2 Mobile Penetration Testing
Let's get the crypto keys!
Slide 47
Demo 2
App: MSTG-Hacking-Playground (001_KEYSTORE)
Slide 48
Demo 2
Download the app
Dex to jar
What do you want?
Inspect the code
The crypto keys
get smali
debug
unpack it
Patch smali
hooking
decompile
It’s android, be happy!
The crypto keys
Re-package
Re-sign
Re-install
Find stuff: keys, classes
Make the app debuggable
Slide 49
Demo 2
Download the app
Dex to jar
What do you want?
Inspect the code
The crypto keys
unpack it
hooking
decompile
It’s android, be happy!
The crypto keys
Find stuff: keys, classes
Slide 50
Demo 2
Slide 51
Demo 2
Slide 53
Takeaways
Read the MSTG
Use the MASVS
Play with Crackmes
grepharder
Learn
Contribute!
Have fun :)
Slide 54
References
RTFMSTG
Slide 55
References
OWASP Mobile Security Testing Guide
https://mobile-security.gitbook.io/mobile-security-testing-guide
https://github.com/OWASP/owasp-mstg
OWASP Mobile Application Security Verification Standard
https://mobile-security.gitbook.io/masvs/
https://github.com/OWASP/owasp-masvs
OWASP iGoat - A Learning Tool for iOS App Pentesting and Security
https://github.com/OWASP/igoat
OWASP MSTG-Hacking-Playground Android App
https://github.com/OWASP/MSTG-Hacking-Playground
OWASP MSTG Crackmes
https://github.com/OWASP/owasp-mstg/tree/master/Crackmes
Slide 56
Thank you, any questions?