OWASP / owasp-mastg

The Mobile Application Security Testing Guide (MASTG) is a comprehensive manual for mobile app security testing and reverse engineering. It describes the technical processes for verifying the controls listed in the OWASP Mobile Application Security Verification Standard (MASVS).
https://mas.owasp.org/
Creative Commons Attribution Share Alike 4.0 International
11.57k stars 2.29k forks

[UNDER REVIEW] 0x5g - Testing Network Communication (Android) #229

Closed romualdszkudlarek closed 7 years ago

xep624 commented 7 years ago

@romualdszkudlarek what kind of help do you need regarding this chapter?

muellerberndt commented 7 years ago

@xep624 we now have a project dashboard where every section goes through a "review" and "editing" step. Network Comm. Android has been flagged as "ready for review" (it's one of the very few sections that are already complete).

xep624 commented 7 years ago

@b-mueller thanks for the clarification! If anything should be changed here, just pls let me know.

anantshri commented 7 years ago

Some Comments:

Testing for Unencrypted Sensitive Data on the Network

Food for thought: should we be going all out for full https on mobile also? Even if sensitive data is supposed to be sent over https, if the URLs are received from the server side initially via an http connection, an sslstrip kind of attack is possible.

Verifying the TLS Settings

Dynamic analysis only talks about what tools to run. It would make more sense to differentiate between them or inform the user what to look for in the tools' output. (I assume some or most are self-explanatory and hence the details were left out; then that needs to be spelled out.)

Testing Custom Certificate Stores and SSL Pinning

Static analysis: is this the only method? What about using something like okhttp and storing sha2 hashes of the cert chain in it? We are referencing this in the recommendation section; are we suggesting anything else is wrong and only this is the correct method?

Verifying that Critical Operations Use Secure Communication Channels

The MASVS requirement we are trying to check here is V5.5: "The app doesn't rely on a single insecure communication channel (email or SMS) for critical operations, such as enrollments and account recovery." Then why are we considering email and SMS as a 2nd factor of authentication, or am I missing a point here and we only want to check that 2 different factors are used, no matter what?

muellerberndt commented 7 years ago

Verifying the TLS Settings

Agreed. We need up-to-date recommendations as to what the actual recommended TLS settings are.

Testing Custom Certificate Stores and SSL Pinning

It's the default method. We'll need to add additional howtos for non-standard implementations such as okhttp (actually, I'm starting to see okhttp being used quite often and happen to be working on an app that uses it right now, so I can add this). In general, I don't think we demand that things must be done a particular way, if equivalent solutions exist.

Verifying that Critical Operations Use Secure Communication Channels

This is a bit of a weird requirement. The idea behind it was to require 2 extra factors to be combined for things like enrollments. E.g. when the user signs up to a banking app for the first time, they should be sent OTPs both via email and SMS to confirm their identity. Obviously this is not feasible in all cases. This will need some more discussion.

anantshri commented 7 years ago

For cert pinning: https://developer.android.com/training/articles/security-config.html#CertificatePinning <- I was looking at the official documentation and this is another option suggested in it now.

muellerberndt commented 7 years ago

@xep624 can you look into the required changes?

xep624 commented 7 years ago

@anantshri thanks for your comments! Here are my replies regarding each of them:

Ad "Testing for Unencrypted Sensitive Data on the Network" - I don't get your point here. The SSLstrip attack is remediated in the cert pinning section. The point "Testing for Unencrypted Sensitive Data on the Network" should be focused only on sniffing attacks, not on breaking a weak SSL configuration.

Ad "Verifying the TLS Settings" - ok, I'll add more info about the output. @b-mueller as a recommendation regarding proper TLS implementation I point to this source: https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet - do you think it is not enough? What exactly would you like to add there?

Ad "Testing Custom Certificate Stores and SSL Pinning" - thanks for the link. I'll also add this method: https://developer.android.com/training/articles/security-config.html#CertificatePinning.

Ad "Verifying that Critical Operations Use Secure Communication Channels" - I understand it as: at least 2 factors should be used for critical operations, without differentiating which channel is more secure.
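Added example, not code from this issue, from the MASTG, or from any app the commenters mention: the okhttp pinning approach raised above, written against the OkHttp 3.x `CertificatePinner` API. The host name and the two pin values are placeholders (assumptions), and the `/status` path is invented. Each pin is the base64 SHA-256 of a certificate's SubjectPublicKeyInfo; the same values are what the declarative alternative linked above (a `<pin-set>` in the app's network security config) takes, so a tester checking either implementation is looking for the same thing: which certificates in the chain are pinned, whether a backup pin exists, and what the app does when validation fails.

```java
import java.io.IOException;
import java.security.cert.Certificate;
import javax.net.ssl.SSLPeerUnverifiedException;

import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;

// Example only: the host and pin values below are placeholders, not real pins.
public final class PinnedClient {

    // Hypothetical API host used throughout this example.
    private static final String API_HOST = "api.example.com";

    // "sha256/" + base64(SHA-256(SubjectPublicKeyInfo)). Placeholders: derive real
    // values from the leaf or intermediate certificate you intend to pin.
    private static final String PRIMARY_PIN = "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
    private static final String BACKUP_PIN  = "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=";

    // Builds a client that refuses any TLS chain for API_HOST not containing one of the pins.
    public static OkHttpClient build() {
        CertificatePinner pinner = new CertificatePinner.Builder()
                .add(API_HOST, PRIMARY_PIN)
                .add(API_HOST, BACKUP_PIN)   // backup pin: a key rotation must not brick the app
                .build();
        return new OkHttpClient.Builder()
                .certificatePinner(pinner)
                .build();
    }

    // Computes the "sha256/..." pin string for a certificate; handy when preparing
    // the constants above from a certificate exported during testing.
    public static String pinFor(Certificate cert) {
        return CertificatePinner.pin(cert);
    }

    public static void main(String[] args) throws IOException {
        OkHttpClient client = build();
        Request request = new Request.Builder().url("https://" + API_HOST + "/status").build();
        try (Response response = client.newCall(request).execute()) {
            System.out.println("HTTP " + response.code());
        } catch (SSLPeerUnverifiedException e) {
            // Pin mismatch. OkHttp's message lists the pins it observed in the presented
            // chain, which is the output a tester inspects during dynamic analysis.
            System.out.println("Pin validation failed: " + e.getMessage());
        }
    }
}
```

During dynamic analysis, an intercepting proxy's certificate will not match either pin, so a correctly pinned app fails with `SSLPeerUnverifiedException` rather than completing the request; an app that still talks through the proxy has no effective pinning for that host.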

anantshri commented 7 years ago

@xep624 comments below.

Regarding "Testing for Unencrypted Sensitive Data on the Network": what I meant was more of a suggestion that we should reword the document to say that, sensitive or not, all outbound / internet-bound communication should be over https.

Verifying the TLS Settings: if we add the output and how to make sense of that output, we should be good on that part. @b-mueller do you want anything more on this?

"Verifying that Critical Operations Use Secure Communication Channels": my concern was primarily that we first mark SMS and email as a secure channel and then suggest that email should be sent to them in combination. But I suppose what we are trying to get to here is that 2 insecure comms in combination can still be a bit more secure.

Hope this helps.