Projects/OWASP Mobile Security Project—Security Testing Guide is available under a Creative Commons Attribution-ShareAlike 3.0 Unported license.

OWASP Mobile Security Project: Security Testing Guide

Introduction

A major priority of the OWASP Mobile Security Project is to help standardize and disseminate mobile application testing methodologies. While specific techniques exist for individual platforms, a general mobile threat model can be used to assist test teams in creating a mobile security testing methodology for any platform. The outline which follows describes a general mobile application testing methodology which can be tailored to meet the security tester’s needs. It is high-level in some places, and over time will be customized on a per-platform basis.

This guide is targeted towards application developers and security testers. Developers can leverage this guide to ensure that they are not introducing the security flaws described within the guide. Security testers can use it as a reference guide to ensure that they are adequately assessing the mobile application attack surface. The ideal mobile assessment combines dynamic analysis, static analysis, and forensic analysis to ensure that the majority of the mobile application attack surface is covered.

On some platforms, it may be necessary to have root user or elevated privileges in order to perform all of the required analysis on devices during testing. Many applications write information to areas that cannot be accessed without a higher level of access than the standard shell or application user generally has. Steps that generally require elevated privileges are explicitly marked as such.

This guide is broken up into three sections:

How To Use This Resource

In this current draft release, the guide is a work in progress. We need additional contributors to help fill in the blanks. If you think something is missing (there certainly is), add it.

As this guide is not platform specific, you will need to know the appropriate techniques and tools for your target platform. The OWASP Mobile Security Project has also developed a number of other supporting resources that you may be able to leverage for your needs.

The steps required to properly test an Android application are very different from the steps required to properly test an iOS application. Likewise, Windows Phone is very different from the other platforms. Mobile security testing requires a diverse skillset spanning several operating systems and a critical ability to analyze various types of source code.

In many cases, a mobile application assessment will require coverage in all three areas identified within this testing reference. A dynamic assessment will benefit from an initial thorough attempt at information gathering, some level of static analysis against the application’s binary, and a forensic review of the data created and modified by the application’s runtime behavior.

Please use this guide in an iterative fashion, where work in one area may require revisiting previous testing steps. As an example, after completing a transaction you may need to perform additional forensic analysis on the device to ensure that sensitive data is removed as expected and not cached in an undesired fashion. As you learn more about the application at runtime, you may wish to examine additional parts of the code to determine the best way to evade a specific control. Likewise, during static analysis, it may be helpful to populate the application with certain data in order to prove or refute the existence of a security flaw.
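The forensic follow-up described above is easiest when the test transaction is driven with a known marker value that can later be searched for. The script below is an added example, not part of the OWASP guide: it scans a pulled application data directory for a marker in the encodings under which sensitive values commonly survive (raw UTF-8, UTF-16LE as used by Java and NSString-backed stores, hex, and base64 at any byte alignment). The directory layout, file names, file contents and the marker value are constructed for illustration; in a real assessment the tree would be pulled from a rooted or jailbroken device after the transaction completes.

```python
"""Added example (not from the OWASP guide): after driving a test transaction
through the app with a known marker value, pull the app's data directory and
scan it for that marker in the encodings under which it commonly survives.
Paths, file names and file contents below are constructed for illustration."""
import base64
import os
import shutil
import tempfile
from typing import Dict, List, Tuple


def base64_fragments(raw: bytes) -> List[bytes]:
    """Base64 substrings that match `raw` at each of the three possible byte
    alignments inside a larger base64 blob. Leading/trailing characters whose
    bits also depend on neighbouring data are dropped, so each fragment is the
    longest alignment-independent part of the encoding."""
    frags = []
    for offset in range(3):
        enc = base64.b64encode(b"\x00" * offset + raw).rstrip(b"=")
        head = (offset * 8 + 5) // 6           # chars mixing prefix bits with marker bits
        tail = 1 if (offset + len(raw)) % 3 else 0  # char mixing marker with following data
        frags.append(enc[head:len(enc) - tail])
    return frags


def marker_encodings(marker: str) -> Dict[str, bytes]:
    """Byte patterns to search for: raw UTF-8, UTF-16LE, hex (both cases when
    they differ) and the alignment-independent base64 fragments."""
    raw = marker.encode("utf-8")
    pats = {"utf-8": raw, "utf-16le": marker.encode("utf-16-le")}
    hex_lower = raw.hex().encode("ascii")
    pats["hex"] = hex_lower
    if hex_lower.upper() != hex_lower:
        pats["hex-upper"] = hex_lower.upper()
    for i, frag in enumerate(base64_fragments(raw)):
        pats[f"base64/offset{i}"] = frag
    return pats


def scan_tree(root: str, marker: str) -> List[Tuple[str, str]]:
    """Walk `root` and return (relative path, encoding) pairs for every file in
    which some encoding of `marker` occurs. Files are read whole: app data
    directories are small, and chunked reads would miss straddling matches."""
    patterns = marker_encodings(marker)
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            for enc, pat in patterns.items():
                if pat in data:
                    hits.append((os.path.relpath(path, root).replace(os.sep, "/"), enc))
    return sorted(hits)


MARKER = "4111111111111111"  # constructed test PAN used as the marker value


def build_sample_tree() -> str:
    """Constructed stand-in for a pulled app data directory (in a real test,
    e.g. the output of `adb pull /data/data/<pkg>` from a rooted device)."""
    root = tempfile.mkdtemp(prefix="appdata-")
    raw = MARKER.encode()
    files = {
        "databases/cache.db": b"SQLite format 3\x00" + b"\x00" * 40 + raw + b"\x00" * 8,
        "shared_prefs/session.xml": b'<string name="last">' + base64.b64encode(b"hdr:" + raw) + b"</string>",
        "files/debug.log": b"POST /pay card=" + raw.hex().encode() + b"\n",
        "files/title.plist": b"bplist00" + MARKER.encode("utf-16-le"),
        "files/clean.json": b'{"status": "ok", "masked": "************1111"}',
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return root


def demo() -> List[Tuple[str, str]]:
    """Build the constructed tree, scan it, report and return the findings."""
    root = build_sample_tree()
    try:
        hits = scan_tree(root, MARKER)
    finally:
        shutil.rmtree(root, ignore_errors=True)
    for rel, enc in hits:
        print(f"marker found in {rel} as {enc}")
    return hits


if __name__ == "__main__":
    demo()
```

Only the masked value in clean.json goes unreported; every other file leaks the marker in a different encoding, which is why a plain `grep` for the original string is not a sufficient forensic check. Values that an app encrypts or compresses before storage will not be found this way and need to be traced through the code instead.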

In the future, contributors to the testing guide should consider adding entries under each section relevant to a specific platform. Over time, OWASP contributors will write platform-specific guides and expand upon this body of knowledge.

If a specific area of interest is not covered in this guide, please feel free to take either of the following actions:

Collaboration on building the guide is being performed within Google Docs.

Information Gathering

As a result of this initial information gathering exercise, the tester will be better prepared for the future testing phases. The sad truth is, testers (i.e., developers, QA, and security) often fail to take the time to learn the target application and supporting infrastructure, opting to dive in blind, possibly losing valuable time and missing possible attack vectors. Without a solid understanding of how the application should work as well as the technologies in use, the tester will not be able to identify when the application behaves in a manner that it shouldn’t.

This phase may require specific operating systems, platform-specific software development kits (SDKs), rooted or jailbroken devices, and the ability to intercept (man-in-the-middle) the application's secure communications (e.g., HTTPS), which in turn may require bypassing the checks that would otherwise make the application reject the interception proxy's certificate.

Static Analysis

There are two primary ways static analysis is generally performed on a mobile application: review of the application's source code, or reverse engineering of the compiled binary.

Where the primary goal is to identify programmatic examples of security flaws, reviewing the source code is preferable to reverse engineering the compiled binary. For source code reviews, it is highly beneficial to have access to a development or production instance of any web services the application uses, in addition to the source: a working test environment alongside the code greatly expedites understanding of it.

Getting Started

Authentication

Authorization

Session Management

Data Storage

Transport Layer Protection

Information Disclosure

Web Application Issues