The Mobile Application Security Testing Guide (MASTG) is a comprehensive manual for mobile app security testing and reverse engineering. It describes the technical processes for verifying the controls listed in the OWASP Mobile Application Security Verification Standard (MASVS).
[ ] how which meta-information can help (location, etc.) and which events should be covered (auth, change password, hitting important resources, etc.)
[ ] accessing paid content might be interesting in terms of session logging :) no extension at the MASVS required: just extend the MSTG with a hint on paid content. Note: Google Play checkouts and App Store imbursements are logged partially, but I was able to circumvent them on some apps, allowing me to unlock stuff. Maybe we should do something about the logging of the content access at least and say something about ensuring that purchases require verification before unlocking them?
[ ] when necessary, actions should be signed for non-repudiation (e.g. paid content access, given consent to T&Cs)
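As an added illustration of the two points above (signed audit records for non-repudiation, and purchases that must be verified before content is unlocked), not code from MASVS, MASTG or the issue: a backend-side helper that signs each audit event with Ed25519 and only unlocks paid content when a signed purchase record verifies and is bound to the requesting user and resource. The `AuditEvent` fields, the event names and the sample values are assumptions; the private key is assumed to stay on the backend.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// AuditEvent is a hypothetical record shape (not from MASVS/MASTG); the event names
// mirror the issue's list and Location stands for the meta-information it mentions.
type AuditEvent struct {
	Event    string `json:"event"` // "auth", "change_password", "paid_content_access", "consent_tcs"
	UserID   string `json:"user_id"`
	Resource string `json:"resource,omitempty"`
	Location string `json:"location,omitempty"`
	Time     string `json:"time"` // RFC 3339 from the server clock
}

// SignedEvent holds the canonical event bytes and an Ed25519 signature over them; struct
// field order makes json.Marshal deterministic, so any holder of the public key can re-verify.
type SignedEvent struct{ Payload, Signature []byte }
// SignEvent runs where the private key lives (assumed: the backend), never inside the app.
func SignEvent(priv ed25519.PrivateKey, ev AuditEvent) (SignedEvent, error) {
	payload, err := json.Marshal(ev)
	if err != nil {
		return SignedEvent{}, err
	}
	return SignedEvent{payload, ed25519.Sign(priv, payload)}, nil
}
// VerifyEvent rejects a record whose bytes or signature were altered after signing.
func VerifyEvent(pub ed25519.PublicKey, se SignedEvent) bool {
	return ed25519.Verify(pub, se.Payload, se.Signature)
}
// UnlockAllowed gates paid content on a verified signed purchase record for this user and
// resource, not on client-side state that a modified app could simply flip.
func UnlockAllowed(pub ed25519.PublicKey, se SignedEvent, user, resource string) bool {
	var ev AuditEvent
	if !VerifyEvent(pub, se) || json.Unmarshal(se.Payload, &ev) != nil {
		return false
	}
	return ev.Event == "paid_content_access" && ev.UserID == user && ev.Resource == resource
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	se, _ := SignEvent(priv, AuditEvent{Event: "paid_content_access", UserID: "u-123",
		Resource: "article/42", Location: "DE", Time: "2024-01-01T10:00:00Z"}) // constructed sample
	fmt.Println("genuine record unlocks:", UnlockAllowed(pub, se, "u-123", "article/42"))
	fmt.Println("other user's unlock:", UnlockAllowed(pub, se, "u-999", "article/42"))
}
```

Because the store receipt is re-signed by the backend after its own verification, a client that skips or fakes the store checkout has no valid record to present, which also gives the audit trail the signed, attributable entry the non-repudiation item asks for.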
From https://github.com/OWASP/owasp-masvs/issues/189: