← Older revision
Revision as of 01:26, 17 January 2017
Line 69:
Line 69:
'''Mentors:'''
'''Mentors:'''
t.b.d.
t.b.d.
+
+
== OWASP Mobile Hacking Playground ==
+
+
The OWASP Mobile Hacking Playground (https://github.com/OWASP/OMTG-Hacking-Playground) is part of the OWASP Mobile universe, which consists at the moment of the following projects:
+
+
* Mobile Application Security Verification (MASVS). The MASVS is a list of security requirements for mobile applications that can be used by architects, developers, testers, security professionals, and consumers to define what a secure mobile application is. (https://github.com/OWASP/owasp-masvs)
+
* Mobile Security Testing Guide (MSTG). The OWASP MSTG is a comprehensive manual for testing the security of mobile apps. It describes technical processes for verifying the controls listed in the OWASP Mobile Application Verification Standard (MASVS). The MSTG is meant to provide a baseline set of test cases for dynamic and static security tests, and to help ensure completeness and consistency of the tests. (https://github.com/OWASP/owasp-mstg)
+
+
In order to give also practical guidance to developers, security researches and penetration testers of mobile Apps, a hacking playground was created with the goal to create different mobile App’s that contain different vulnerabilities that map to the MSTG test cases. Every test case described in the MSTG will therefore be implemented in an Android and iOS App. This has two advantages:
+
+
* A developer can identify vulnerable code in the provided App’s and can see the implications and risks if such patterns are used and can look for the best practices in the MSTG to mitigate the vulnerabilities.
+
* Penetration testers / security researchers can identify bad practices, dangerous methods and classes they should look for when assessing a Mobile App and can gain more knowledge through the information provided in the OMTG.
+
+
It is also encouraged to use the App(s) for education purpose during trainings and workshops.
+
+
+
=== Creation of Android Code Samples ===
+
+
'''Brief Explanation:'''
+
+
An Android App that maps to the MSTG test cases is already created. This App contains mostly test cases that are related to data storage on an Android device. In order to close the gap to the MSTG more test cases need to be added that show "bad practices" that lead to vulnerabilites, but also the latest security best practices to demonstrate how vulnerabilites can be mitigated.
+
+
For examples of implemented test cases, see the Wiki of the Mobile Hacking Playground: https://github.com/OWASP/OMTG-Hacking-Playground/wiki/Android-App
+
+
+
'''Expected Results:'''
+
+
The following categories and their test cases are not fully added to the Android App:
+
+
* Cryptography (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x08-V3-Cryptography_Verification_Requirements.md)
+
* Authentication and Session Management (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x09-V4-Authentication_and_Session_Management%20Requirements.md)
+
* Network Communication (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x10-V5-Network_communication_requirements.md)
+
* Environmental Interaction (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x11-V6-Interaction_with_the_environment.md)
+
* Code Quality (https://github.com/OWASP/owasp-masvs/blob/master/Document/0x12-V7-Code_quality_and_build_setting_requirements.md)
+
+
For some of the testcases this also includes creating an endpoint on server side in order to fully understand the test case and possible security concerns.
+
+
As not all missing test cases can be implemented during the GSOC a subset of them will be defined with the student together.
+
+
+
+
''' Getting started: '''
+
Here are a few suggestion on how to get started.
+
* Check the Mobile Hacking Playground Android App, browse through the code and Wiki to get an understanding of what a test case look likes.
+
* Browse through the MASVS and check the different areas and their defined requirements.
+
* Read about Security vulnerabilites and best practices for Android in areas you are interested in (e.g. Cryptography).
+
+
'''Knowledge Prerequisites:'''
+
General interest in Mobile and Security. Basic knowledge of Android and Java.
+
+
+
'''Mentors:''' [mailto:sven.schleier@owasp.org Sven Schleier] - OWASP Mobile Security Testing Guide and Mobile Hacking Playground Project Leader
+
+
+
== OWASP Hackademic Challenges SAMPLE ENTRY==
== OWASP Hackademic Challenges SAMPLE ENTRY==
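Review bot: The added "OWASP Mobile Hacking Playground" section names the same documents inconsistently. The first bullet expands MASVS as "Mobile Application Security Verification", the second as "OWASP Mobile Application Verification Standard", and the penetration-tester bullet refers to "the OMTG" where every other line says MSTG. Suggest one expansion for MASVS throughout, and "MSTG" in place of "OMTG" unless the older name is intended. Spelling to fix in the same pass: "security researches" (researchers), "vulnerabilites" (three occurrences, in Brief Explanation and Getting started), "App's" used as a plural, "a few suggestion", and "look likes". The five MASVS links under Expected Results point at files on the master branch, so they will break if those files are renamed; linking to a fixed commit would keep them stable.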