Hi guys,

I found that there is a misinformation on Intent framework under topic Android 0x04a. link

Intent messaging is a framework for asynchronous communication built on top of binder.
...
Although intents facilitate communication between components in several ways, there are three fundamental use cases:

• Explicit intents specify the component to start by name (the fully-qualified class name).

Intent types were given here instead of uses cases. Below is the use cases written in Android Developer manual. source

• Starting an activity
  An Activity represents a single screen in an app. You can start a new instance of an Activity by passing an Intent to startActivity(). The Intent describes the activity to start and carries any necessary data.
  If you want to receive a result from the activity when it finishes, call startActivityForResult(). Your activity receives the result as a separate Intent object in your activity's onActivityResult() callback. For more information, see the Activities guide.
• Starting a service
  A Service is a component that performs operations in the background without a user interface. With Android 5.0 (API level 21) and later, you can start a service with JobScheduler. For more information about JobScheduler, see its API-reference documentation.
  For versions earlier than Android 5.0 (API level 21), you can start a service by using methods of the Service class. You can start a service to perform a one-time operation (such as downloading a file) by passing an Intent to startService(). The Intent describes the service to start and carries any necessary data.
  If the service is designed with a client-server interface, you can bind to the service from another component by passing an Intent to bindService(). For more information, see the Services guide.
• Delivering a broadcast
  A broadcast is a message that any app can receive. The system delivers various broadcasts for system events, such as when the system boots up or the device starts charging. You can deliver a broadcast to other apps by passing an Intent to sendBroadcast() or sendOrderedBroadcast().

Hello,

I think there is an overlap between the following testcases :

OMTG-CODE-007: Test Input Validation
OMTG-CODE-005: Test Exception Handling

I suggest that we keep only OMTG-CODE-005 because OMTG-CODE-007 may lead to other test cases (XSS or SQLi for example).

What do you think ?

Show how to set up Frida and demonstrate core functionality.

https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05c-Reverse-Engineering-and-Tampering.md#user-content-dynamic-instrumentation-with-frida

A sentence reads "change its behavior in some way a debugger is attached". Is a "in case" or "if" statement missing?

I don't understand the meaning of the sentence "Every App has due to the sandboxing it's own web cache and stores it's own cookies, if WebViews are used", to be clarified.

In chapter 0x4, a sentence reads "with no of assessing its effectiveness". Is "reason" missing, making the sentence "with no reason of assessing its effectiveness" ?

When reading "Debug build" / "Code obfuscation from ProGuard is not applied" in "Basic Security Testing" (Android), I get the impression that ProGuard is enabled by default in Android Studio, or performed by default in any other IDE. While reading https://developer.android.com/studio/build/shrink-code.html, this does not seem to be true.

More detailed explanation on code obfuscation VS reverse engineering could be added, or a link to chapter 0x5b (same as the current one???) could be added in case it provides enough information on this topic.

Could it be worth adding C++ to C? NDK is supporting both languages, and the sentence could be "as a C or C++ binary by using the Android NDK" (cf https://developer.android.com/ndk/guides/index.html)

In chapter "Basic Security Testing on iOS", sentence "(don't worry, we're all script kiddies in some areas)" : even if I would agree, this may not be relevant in a guide meant to become the worldwide reference in the field of mobile testing. This could be removed.

In "Basic Security Testing" (Android), 't' should appear instead of 'd' in "One App should be build..."

Provide instructions for jailbreaking the latest iOS versions.

The following sentence ends without examples at the end (colons with empty content) : "The OWASP Reverse Engineering and Code Modification Prevention Project [1] lists the following potential threats associated with reverse engineering and tampering:"

Hi guys,

Here's an issue for discussion - see also MASVS issue #75.

OMTG-DATAST-003: Test for Sensitive Data in Cloud Storage

This only talks about backup to the cloud via the default OS facilities. However the requirement in the MASVS is "No sensitive data is synced with cloud storage", which pertains to any form of cloud storage. We should probably do two things:

1. Make the requirement more specific in the MASVS. It doesn't make sense to forbid all kinds of cloud storage? Are we talking about third-party clouds like AWS, or about what exactly?

2. Adapt the test case in the MSTG to fit the revised requirement.

There's a couple of other requirements that we need to review, please have a look at the remaining feedback in MASVS issue #75. as well @sushi2k @litsnarf

Under the heading "Why should I bother?" of the following page: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x06-Reverse-Engineering-and-Tampering.md
the second reason states "To enhance static analysis in black-box security testing". IMHO this is ambiguous. Static analysis is generally associated with white-box or gray-box testing, because it looks at the source- or byte-code. On the other hand, black-box testing is simply feeding inputs to the app and observing outputs. Is there a page with a definition of black-box testing in the MSTG?

In "Basic Security Testing" (iOS), the 'the' word is repeated twice: "Such blatant tampering of course invalidates the the code signature".

This section lacks content.

Florian and Johannes, the authors of this presentation, have agreed to port the content to the MSTG (need to follow up with them).

In "Basic Security Testing" (iOS), as OWASP is vendor neutral, unfortunately company names (other than Apple in that case) may not be cited. However, "vantagepoint" is mentioned several times. Should it be changed to something neutral? :-)

The logic is the same for "sg" (Singapore).

In the guide we created in Google Docs we had also references to CWE and the OWASP Mobile Top 10. I think we should continue this, to reference properly to a common vulnerability type or weakness if one is applicable to the test case. I just put it in the test case I am migrating right now from Google Docs to GitHub.
What do you guys think?

Migrate content from our blog article:

http://www.vantagepoint.sg/blog/84-verifying-mobile-app-security-using-the-owasp-checklist

To this section:

https://github.com/OWASP/owasp-mstg/blob/master/Document/0x03-Overview.md#using-the-owasp-mobile-security-testing-guide

Maybe I misunderstood, but unless it means something else than "obfuscable", this latter term should be preferred for clarity in the sentence "by constructing an un-obfuscatable family of programs" as it is used everywhere else.

https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05a-Platform-Overview.md

In line 454, the current sentence reads 'Many major versions of the Android operating system are still actively used and are outta there.'. What does 'are outta there' mean? Is it to express the idea that this kind of vulnerability are still part of many Android versions? Or does it have any other meaning?

Hi guys.

This test case is inserted inside the Data Storage, but I think is more adequate to move it to the Network Communication.

What do you think?

Show static binary analysis using "UnCrackable for iOS Level 1" as an example

https://github.com/OWASP/owasp-mstg/blob/master/Document/0x06c-Reverse-Engineering-and-Tampering.md#user-content-static-analysis

Basic tutorial on setting up Substrate & writing and deploying tweaks.

https://github.com/OWASP/owasp-mstg/blob/master/Document/0x06c-Reverse-Engineering-and-Tampering.md#user-content-hooking-with-mobilesubstrate

A sentence reads "As an example, an app may an operating system API to prevent debuggers from attaching to the process". To be clarified.

In Basic Security Testing (iOS), 2 letters are inverted, leading to a funny wording : "Thanks to Apple's confusing provisioning and code signing system, re-singing an app".

Also, the term "confusing" may not be the right one. A more explicit one could be useful.

The iOS Platform overview is orphaned - needs proper structure & content.

https://github.com/OWASP/owasp-mstg/blob/master/Document/0x06a-Platform-Overview.md

Hi guys, we have CWE and Top 10 references in both OWASP-DATAST and OWASP-DATAST-Android sections. Can we keep these in the generic section only to avoid redundancies.

In "The injection process can be implemented in various ways*" (star '*' sign):

• is there a missing reference? (but I did not find any element it could refer to in the rest of the chapter...)
• is this a typo and has to be removed?
• ...?

In "Basic Security Testing' (iOS), the following statement may be true, but not that supportive : "If something goes wrong (which it usually does)". Could it be replaced by something more positive (or removed)?

In chapter "Basic Security Testing on iOS", "disabling Apple's code code signing mechanisms" : 'code' is appearing twice in a sequence.

In "Basic Security Testing" (Android), 'App' should be replaced with 'application' (with a lower case 'a') throughout the whole chapter.

Describe Installation and Basic Usage of Cycript

https://github.com/OWASP/owasp-mstg/blob/master/Document/0x06c-Reverse-Engineering-and-Tampering.md#user-content-cycript-and-cynject

This chapter is located in /Document/Testcases/0x00_OMTG-DATAST.md From what I understood it should be placed in the root of the /Document folder.

A sentence reads "or change its behavior in some way a debugger is attached". Is a "if" or "when" statement missing?

The text states that "Burp Suite (Professional)" should be used for traffic interception. In my experience, the free version can easily do the job, no need to use the professional (paid) version. Moreover, as much as possible OWASP should not do any commercial promotion.

Proposal: limit to the free version and remove "(Professional") from the sentence "This can be achieved by using an interception proxy like Burp Suite (Professional) or ..."

In chapter "Basic Security Testing" (Android), "it's" shall be replaced by "its" ("and will illustrate also it's limitations")

In "Basic Security Testing" (iOS), a 't' letter has set free in "re-singing an app is more challenging t than one..."

https://github.com/OWASP/owasp-mstg/blob/master/Document/0x06c-Reverse-Engineering-and-Tampering.md#user-content-environment-and-toolset

Section lacks content. Add description of the OWASP Top 10, and how it maps to the MASVS / MSTG.

https://github.com/OWASP/owasp-mstg/blob/master/Document/0x03-Overview.md#mobile-application-threats

The beginning of "Setting Up Your Testing Environment" / "Preparation" is great, but in my mind puts too much emphasis on the fact a good level of security may render security testing tedious. While this is true, maybe a more balanced message could be given, as the guide should not provide reasons to lessen the security level provided to an app (unfortunately, too often people take advantage of bad reasons to forget implementing security...).

Maybe, as stated later in the chapter, better say that the testing team should work with developers to get a dedicated version of the app where some controls are not implemented or may be bypassed more easily (or, in the same way, work with the IT team to get a dedicated testing network, or any other solution for a testing environnement).

Describe steps to set up Frida + the most important functions.

https://github.com/OWASP/owasp-mstg/blob/master/Document/0x06c-Reverse-Engineering-and-Tampering.md#user-content-frida

I am afraid people may not all be familiar with End to End encryption; as such, I suggest to change "E2E" to something more understandable by general readers, like "End2End" or "End to End".

In my understanding, adb shells are running as root by default (and it seems we share the same understanding from the content of the paragraph). Maybe this notion has to be clarified to avoid confusion.

OWASP Mobile Top 10 2016 was published. As we're still using the 2014 version, we should update the references in all test cases to the 2016 version.

This section lacks content and needs more detail.

https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04-Testing-Processes-and-Techniques.md#analysis-techniques

As I did not really understand the meaning, I did not want to change directly the source, but it seems that there is one useless 'that' statement in "which did not go that down that well with Saurik.". I guess it should better be "which did not go down that well with Saurik."

The same referenced documents can be found 4 times in the document (see below). It should appear only once, in the "References" section at the bottom of the chapter (which, in turn, shall be separate from other sections).

References
[1] Meyer's Recipe for Tomato Soup - http://www.finecooking.com/recipes/meyers-classic-tomato-soup.aspx
[2] Another Informational Article - http://www.securityfans.com/informational_article.html