初步了解 OWASP 組織所提出針對行動應用程式的安全驗證標準。
OWASP Application Security Verification Standard (ASVS) is to normalize the range in the coverage and level of rigor available in the market when it comes to performing web application security verification.
- To help organization’s develop and maintain secure applications.
- To allow security service/tools providers and consumers to align their requirements and offerings.
An application achieves Level 1 (or Opportunistic) certification if it adequately defends against application security vulnerabilities that are easy to discover.
Verify that the client validates SSL certificates
Verify that unique device ID (UDID) values are not used as security controls.
Verify that the mobile app does not store sensitive data onto shared resources on the device (e.g. SD card or shared folders)
Verify that sensitive data is not stored in SQLite database on the device
An application achieves Level 2 (or Standard) verification if it also adequately defends against prevalent application security vulnerabilities whose existence poses moderate-to-serious risk.
Verify that secret keys or passwords are not hard-coded in the executable.
Verify that the mobile app prevents leaking of sensitive data via autosnapshot feature of iOS.
Verify that the app cannot be run on a jailbroken or rooted device.
Verify that the session timeout is of a reasonable value.
Verify the permissions being requested as well as the resources that it is authorized to access (i.e. AndroidManifest.xml, iOS Entitlements) .
Verify that the application binary has been obfuscated.
Verify that all test data has been removed from the app container (.ipa, .apk, .bar).
Verify that the application does not log sensitive data to the system log or filesystem.
Verify that the application does not enable autocomplete for sensitive text input fields, such as passwords, personal information or credit cards.
An application achieves Level 3 (or Advanced) certification if it also adequately defends against all advanced application security vulnerabilities, and also demonstrates principles of good security design.
Verify that crash logs do not contain sensitive data.
Verify that the mobile app implements certificate pinning to prevent the proxying of app traffic.
Verify no misconfigurations are present in the configuration files (Debugging flags set, world readable/writable permissions) and that, by default, configuration settings are set to their safest/most secure value.
Verify any 3rd-party libraries in use are up to date, contain no known vulnerabilities.
Verify that web data, such as HTTPS traffic, is not cached.
Verify that the query string is not used for sensitive data. Instead, a POST request via SSL should be used with a CSRF token.
Verify that, if applicable, any personal account numbers are truncated prior to storing on the device.
Verify that the application makes use of Address Space Layout Randomization (ASLR).
Verify that data logged via the keyboard (iOS) does not contain credentials, financial information or other sensitive data.
If an Android app, verify that the app does not create files with permissions of MODE_WORLD_READABLE or MODE_WORLD_WRITABLE
Verify that sensitive data is stored in a cryptographically secure manner (even when stored in the iOS keychain).
Verify that anti-debugging and reverse engineering mechanisms are implemented in the app.
Verify that the app does not export sensitive activities, intents, content providers etc. on Android.
Verify that mutable structures have been used for sensitive strings such as account numbers and are overwritten when not used. (Mitigate damage from memory analysis attacks).
Verify that any exposed intents, content providers and broadcast receivers perform full data validation on input (Android).
- Application Security Verification Standard (2014)
- OWASP Mobile Security Project - Top 10 Mobile Risks