OWASP Mobile Application Security Testing Guide

Questions and Answers

What is the primary programming language used for developing native apps on iOS?

Python

C#

JavaScript

Objective-C (correct)

Which characteristic is NOT true about native apps?

They can access device components directly.

They are platform-independent. (correct)

They provide the fastest performance.

They adhere to platform-specific design principles.

What is the purpose of the Android NDK?

To create binary libraries that access lower level APIs. (correct)

To develop apps with Python.

To maintain a single code base for both Android and iOS.

To build web apps for mobile browsers.

What is the downside of native apps discussed in the guide?

They target only one specific platform. (B)

Which of the following frameworks allows compiling a single codebase for both Android and iOS?

Cross-platform frameworks (D)

Which of the following provides the default development kit for building native Android apps?

Android SDK (D)

Hybrid apps typically have more flexibility than native apps in which regard?

Cross-platform compatibility. (D)

What does SDK stand for in the context of app development?

Software Development Kit (B)

What is the highest status a company can achieve in the OWASP MAS project?

MAS Advocate (C)

To qualify as an MAS Advocate, a company must satisfy which of the following requirements?

Show adoption, consistent contributions, and promote the project (B)

What type of contributions are considered high-impact for a company aiming to become an MAS Advocate?

Adding/upgrading existing tests and maintaining code samples (B)

Which of the following is NOT a category for validation of an MAS Advocate status?

Financial Contributions (C)

What benefits does a company gain by achieving the MAS Advocate status?

Company logo displayed in main READMEs and acknowledgements in releases (D)

How can a company demonstrate 'Spreading the word' for qualifying as an MAS Advocate?

By conducting public trainings and presentations on the project (C)

What is an example of a content pull request that would be beneficial for the OWASP MAS project?

Adding new tests or upgrading existing ones (C)

Which of the following actions would NOT contribute to continuous high-impact contributions as an MAS Advocate?

Committing occasional code changes (C)

What distinguishes black-box testing from white-box testing?

Black-box testing involves no prior information about the app. (A)

Which type of testing is considered the most common within the security industry?

Gray-box testing (C)

What is a key benefit of conducting white-box testing?

It enables faster testing with more sophisticated test cases. (D)

Which statement about mobile app security tests is true?

They should always include server-side API assessments. (D)

What does gray-box testing provide to testers?

Some accessible information along with discoverable aspects. (D)

In what stage of the software development life cycle is classical security testing typically completed?

Near the end or at production-ready stage. (D)

What is a potential limitation of black-box testing?

It lacks the detailed knowledge of the app's internal workings. (D)

What is the primary purpose of mobile app penetration testing?

To identify security issues before deployment. (B)

What does data 'At rest' refer to?

Data stored in a file or data store (B)

Which type of data is considered sensitive and may lead to financial harm if compromised?

User authentication information (A)

Why is data in an app's memory potentially more vulnerable than data on web servers?

Physical access to mobile devices is more likely than to web servers (D)

What is necessary to detect sensitive data leakage effectively?

A detailed data classification policy (B)

What does 'in transit' data refer to?

Data exchanged between a mobile app and an endpoint (D)

Which aspect of environmental information is crucial in determining the risks associated with an app?

The organization’s goals for the app (C)

Which type of sensitive data includes health information and social security numbers?

Personally Identifiable Information (PII) (B)

Which of the following is NOT a type of sensitive data classification mentioned?

Company branding materials (A)

What is one of the risks associated with organization-specific internal processes?

Business logic vulnerabilities (A)

Which component of architectural information deals with how an app communicates with other resources?

The mobile app (A)

What role do SAST tools play in identifying security vulnerabilities?

They reveal vulnerabilities like SQL Injection using source code. (A)

What is an important aspect of threat modeling in the software development life cycle?

It usually occurs in the early phases of a project. (B)

What limitation should users be aware of when utilizing automatic scanning tools in security testing?

They are programmed to find specific vulnerabilities only. (C)

Which of the following is a secure method for protecting network traffic between an app and its servers?

Utilizing strong cryptographic algorithms like SHA-2 (B)

In which setting is DAST testing usually performed?

Black-box testing without knowledge of the internal workings. (B)

Which of the following influences the decision to detect if an app is running on jailbroken or rooted devices?

Architectural information regarding the mobile app (C)

Study Notes

OWASP Mobile Application Security Testing Guide Overview

• OWASP MAS advocates are companies that significantly contribute to OWASP Mobile Application Security Verification Standard (MASVS) and Mobile Application Security Testing Guide (MASTG).
• To be recognized as MAS Advocates, companies must demonstrate clear adoption, provide high-impact contributions, and spread awareness through presentations and promotions.
• Benefits for MAS Advocates include logo display on official materials, acknowledgment in releases, and linked blog posts.

Mobile App Definition and Taxonomy

• The term "app" refers to applications on mobile operating systems, including native, hybrid, and web apps.
• Native Apps: Developed using SDKs specific to OS (e.g., Objective-C/Swift for iOS, Java/Kotlin for Android).
• Native apps provide high performance and reliability, adhering to platform-specific design principles.
• Native apps can access device components (camera, sensors) but are limited to single platforms; separate codebases are needed for Android and iOS.

Mobile App Security Testing

• Mobile app security tests are part of broader security assessments, examining both client-server architecture and APIs.
• Two contexts for testing:
  • Classical security tests near the project’s end, identifying issues in near-final products.
  • Continuous security requirements and tests integrated from the software development life cycle.

Testing Principles

• Black-box Testing: Tester has zero information about the app; simulates a real attacker’s experience.
• White-box Testing: Tester has full knowledge of the app (source code, documentation), allowing more sophisticated test cases.
• Gray-box Testing: Combined approach with limited information available, offering a balance in testing scope and cost.
• Sensitive data includes authentication info, Personally Identifiable Information (PII), sensitive technical data, and any data requiring protection by law.

Intelligence Gathering

• Involves collecting environmental (organizational goals, relevant industry, stakeholders) and architectural information (app functionality, OS and network details).
• Understanding external risks aids in identifying potential attack targets.

Mapping the Application

• Security testers map app structure, entry points, features, and data flow.
• Using documentation (architecture diagrams, specifications) facilitates quicker and more effective penetration testing.
• Static Application Security Testing (SAST) tools can identify vulnerabilities in the source code, while Dynamic Application Security Testing (DAST) tools assist black-box testing.
• Manual analysis complements automated tools, as intuition often plays a critical role in security evaluation.
• Threat modeling should be incorporated early in the software development life cycle to support vulnerability identification effectively.

Description

Explore the principles and frameworks outlined in the OWASP Mobile Application Security Testing Guide. This guide provides insights on mobile app taxonomy, the significance of native apps, and the role of MAS Advocates in promoting security standards. Learn about the benefits and contributions of companies in enhancing mobile application security.