OWASP / owasp-mastg

The Mobile Application Security Testing Guide (MASTG) is a comprehensive manual for mobile app security testing and reverse engineering. It describes the technical processes for verifying the controls listed in the OWASP Mobile Application Security Verification Standard (MASVS).
https://mas.owasp.org/
Creative Commons Attribution Share Alike 4.0 International

Objection - more consistence in the guide #1838

Open sushi2k opened 3 years ago

sushi2k commented 3 years ago

Describe the issue

Similar to Frida (https://mobile-security.gitbook.io/mobile-security-testing-guide/general-mobile-app-testing-guide/0x04c-tampering-and-reverse-engineering#frida), objection should be described in the generic tampering section, and then only what is relevant for iOS and Android in the specific chapters, to avoid redundancies and link to it.

Objection is described here:

Whatever is redundant should be moved to here, for example after Frida https://mobile-security.gitbook.io/mobile-security-testing-guide/general-mobile-app-testing-guide/0x04c-tampering-and-reverse-engineering#frida.


karolpiateknet commented 3 years ago

I can do that :)

lwierzbicki commented 3 years ago

The same applies to House (with that limitation it only supports Android). I can combine this into one PR with issue #1679 and this one.

lwierzbicki commented 3 years ago

As a matter of fact, when I look at https://mobile-security.gitbook.io/mobile-security-testing-guide/general-mobile-app-testing-guide/0x04c-tampering-and-reverse-engineering#frida I see that the following case should be applied as well to:

Additionally, it can be combined with the statement if something is written down on tools page we should just reference it (and not repeat in the MSTG).

cpholguera commented 3 years ago

PR #1843 is bringing all the tool descriptions to one unique place. The rest of the guide will then reference back there whenever a tool is used consistently. Example from 0x04c (part of the PR as well):

Substrate, [Frida](0x08-Testing-Tools.md#frida), and [Xposed](0x08-Testing-Tools.md#xposed) are the most widely used hooking and code injection frameworks in the mobile industry. 

This will have tremendous advantages including:

Maybe you can help us add any missing links or move any remaining tools after that PR is merged. What do you think about this new approach?

lwierzbicki commented 3 years ago

@cpholguera finally long awaited commit :) Very good work.

Regarding objection, I would trim it a bit and maybe give more references to the documentation (like, do we really need a cheat sheet like "using objection for Android"?). My main concern is the maintenance cost here (especially when this chapter is going to grow). I would rather replace that non-related usage in 0x08 with samples in actual test cases. What do you think about that?

cpholguera commented 3 years ago

Hey @lwierzbicki I totally agree, that's the way to go. Thanks for the suggestion ;)

cpholguera commented 3 years ago

hi @lwierzbicki I've sent you an invitation, I was wondering why I couldn't assign you any issues until now. That should make it ;)