Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

First Update to MAS and MASTG #2179

Merged
merged 4 commits into from
Aug 24, 2022
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions .github/ISSUE_TEMPLATE/bug-report-app.yml
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
name: 🪲📲 Bug in MSTG crackmes / challenges Apps
description: Create a report to help us improve the MSTG.
name: 🪲📲 Bug in MASTG crackmes / challenges Apps
description: Create a report to help us improve the MASTG.
title: "[Bug] "
labels: ["bug"]

Expand Down
6 changes: 3 additions & 3 deletions .github/ISSUE_TEMPLATE/bug-report.yml
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
name: 🪲📘 Bug report / error in MSTG report
description: Create a report to help us improve the MSTG.
name: 🪲📘 Bug report / error in MASTG report
description: Create a report to help us improve the MASTG.
title: "[Bug] "
labels: ["bug"]

Expand All @@ -18,7 +18,7 @@ body:
- type: input
id: chapter
attributes:
label: MSTG Chapter
label: MASTG Chapter
description: Which chapter contains the bug?
placeholder: e.g. 0x05f-Testing-Local-Authentication.md line 30
validations:
Expand Down
14 changes: 7 additions & 7 deletions .github/ISSUE_TEMPLATE/make-donation.yml
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
name: 💲 Donate to the OWASP Mobile Security Project
description: Thanks for donating to the MSTG project!
name: 💲 Donate to the OWASP Mobile Application Security Project
description: Thanks for donating to the MAS project!
title: "💲🎉 New Donation"
labels: ["org", "donation"]
assignees:
Expand Down Expand Up @@ -56,17 +56,17 @@ body:
description: Which Donator Package would you like to request?
options:
- Standard Donation / No package (Donation < USD 500)
- Good Samaritan (USD 500; 1 year; 1 paperback MSTG)
- Honourable Benefactor (USD 2000 / 8 Available; 2 years; 3 paperback MSTGs)
- God Mode Donator (USD 4000 / 5 Available; 3 years; 5 paperback MSTGs)
- Good Samaritan (USD 500; 1 year; 1 paperback MASTG)
- Honourable Benefactor (USD 2000 / 8 Available; 2 years; 3 paperback MASTGs)
- God Mode Donator (USD 4000 / 5 Available; 3 years; 5 paperback MASTGs)
validations:
required: true

- type: dropdown
id: paperback
attributes:
label: 📘 MSTG Paperback Copies
description: Would you like to receive the paperback copies of the MSTG as indicated in your Donation Package?
label: 📘 MASTG Paperback Copies
description: Would you like to receive the paperback copies of the MASTG as indicated in your Donation Package?
options:
- 🌱 No, please save the money for the project and help the environment and climate.
- 📮 Yes, please send them to me.
Expand Down
8 changes: 4 additions & 4 deletions .github/release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -3,16 +3,16 @@ changelog:
labels:
- "ignore-for-release"
categories:
- title: 🧪 MSTG Test Cases
- title: 🧪 MASTG Test Cases
labels:
- "tests"
- title: 📖 MSTG Testing Fundamentals
- title: 📖 MASTG Testing Fundamentals
labels:
- "fundamentals"
- title: MSTG Testing Techniques
- title: MASTG Testing Techniques
labels:
- "techniques"
- title: 🪄 MSTG Testing Tools
- title: 🪄 MASTG Testing Tools
labels:
- "tools"
- title: 🐞 Errata Corrections
Expand Down
20 changes: 10 additions & 10 deletions .github/workflows/build-website.yml
Original file line number Diff line number Diff line change
Expand Up @@ -14,17 +14,17 @@ jobs:
python-version: 3.x
- run: pip install -r requirements.txt

- run: mkdir docs/MSTG
- run: mkdir docs/MSTG/General
- run: mkdir docs/MSTG/Android
- run: mkdir docs/MSTG/iOS
- run: mv Document/0x0*.md docs/MSTG
- run: mv docs/MSTG/0x04*.md docs/MSTG/General
- run: mv docs/MSTG/0x05*.md docs/MSTG/Android
- run: mv docs/MSTG/0x06*.md docs/MSTG/iOS
- run: mkdir docs/MASTG
- run: mkdir docs/MASTG/General
- run: mkdir docs/MASTG/Android
- run: mkdir docs/MASTG/iOS
- run: mv Document/0x0*.md docs/MASTG
- run: mv docs/MASTG/0x04*.md docs/MASTG/General
- run: mv docs/MASTG/0x05*.md docs/MASTG/Android
- run: mv docs/MASTG/0x06*.md docs/MASTG/iOS
- run: mv Document/Images/ docs/assets/Images/
- run: sed -i "s#<img src=\"Images/#<img src=\"../../assets/Images/#g" docs/MSTG/*.md
- run: sed -i "s#<img src=\"Images/#<img src=\"../../../assets/Images/#g" docs/MSTG/*/*.md
- run: sed -i "s#<img src=\"Images/#<img src=\"../../assets/Images/#g" docs/MASTG/*.md
- run: sed -i "s#<img src=\"Images/#<img src=\"../../../assets/Images/#g" docs/MASTG/*/*.md

- run: mkdir docs/MASVS
- run: mkdir docs/assets/Images/MASVS
Expand Down
46 changes: 23 additions & 23 deletions .github/workflows/docgenerator.yml
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,7 @@ on:

jobs:

Generate-MSTG-Documents:
Generate-MASTG-Documents:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
Expand All @@ -33,8 +33,8 @@ jobs:
- name: Upload Artifacts
uses: actions/upload-artifact@v2
with:
name: OWASP_MSTG-${{env.VERSION}}
path: OWASP_MSTG-${{env.VERSION}}*
name: OWASP_MASTG-${{env.VERSION}}
path: OWASP_MASTG-${{env.VERSION}}*

Generate-Checklists:
runs-on: ubuntu-latest
Expand All @@ -48,21 +48,21 @@ jobs:
- name: Listing repo recursive
run: ls -lR

- name: Set MSTG_VERSION to env
# run: echo "MSTG_VERSION=$(git describe --tags `git rev-list --tags --max-count=1`)" >> $GITHUB_ENV
run: echo "MSTG_VERSION=$(curl -s https://api.github.com/repos/OWASP/owasp-mstg/tags | jq '.[0].name' | sed 's/\"//g')" >> $GITHUB_ENV
- name: Set MASTG_VERSION to env
# run: echo "MASTG_VERSION=$(git describe --tags `git rev-list --tags --max-count=1`)" >> $GITHUB_ENV
run: echo "MASTG_VERSION=$(curl -s https://api.github.com/repos/OWASP/owasp-mstg/tags | jq '.[0].name' | sed 's/\"//g')" >> $GITHUB_ENV

- name: Set DEV VERSION if it's not a tag
if: ${{ !startsWith(github.ref, 'refs/tags/') }}
run: echo "MSTG_VERSION=${{env.MSTG_VERSION}}-$(git rev-parse --short HEAD)" >> $GITHUB_ENV
run: echo "MASTG_VERSION=${{env.MASTG_VERSION}}-$(git rev-parse --short HEAD)" >> $GITHUB_ENV

- name: Confirm MSTG Current Tag
run: echo ${{env.MSTG_VERSION}}
- name: Confirm MASTG Current Tag
run: echo ${{env.MASTG_VERSION}}

- name: Get MSTG Current Commit ID
run: echo "MSTG_COMMIT=$(git rev-parse --short HEAD)" >> $GITHUB_ENV
- name: Confirm MSTG Current Commit ID
run: echo ${{env.MSTG_COMMIT}}
- name: Get MASTG Current Commit ID
run: echo "MASTG_COMMIT=$(git rev-parse --short HEAD)" >> $GITHUB_ENV
- name: Confirm MASTG Current Commit ID
run: echo ${{env.MASTG_COMMIT}}

- name: Get Latest MASVS Release Tag
run: echo "MASVS_VERSION=$(curl -s https://api.github.com/repos/OWASP/owasp-masvs/releases/latest | jq '.tag_name' | sed 's/\"//g')" >> $GITHUB_ENV
Expand All @@ -79,7 +79,7 @@ jobs:

- name: Get MASVS Current Commit ID
run: cd tools/scripts/owasp-masvs && echo "MASVS_COMMIT=$(git rev-parse --short HEAD)" >> $GITHUB_ENV
- name: Confirm MSTG Current Commit ID
- name: Confirm MASTG Current Commit ID
run: echo ${{env.MASVS_COMMIT}}

- name: Listing of scripts directory
Expand All @@ -91,14 +91,14 @@ jobs:
- name: Show openpyxl Version
run: pip3 show openpyxl

- name: Convert MSTG Testing Chapters to HTML
- name: Convert MASTG Testing Chapters to HTML
run: . tools/scripts/mstg_to_html.sh

- name: List MSTG HTML
- name: List MASTG HTML
run: ls -l tools/scripts/generated/html/

- name: Export YAML, enhance with MSTG and generate Excel
run: cd tools/scripts && ./gen_all_excel.sh ${{env.MSTG_VERSION}} ${{env.MSTG_COMMIT}} ${{env.MASVS_VERSION}} ${{env.MASVS_COMMIT}}
- name: Export YAML, enhance with MASTG and generate Excel
run: cd tools/scripts && ./gen_all_excel.sh ${{env.MASTG_VERSION}} ${{env.MASTG_COMMIT}} ${{env.MASVS_VERSION}} ${{env.MASVS_COMMIT}}

- name: Upload Enhanced MASVS YAML
uses: actions/upload-artifact@v2
Expand All @@ -114,12 +114,12 @@ jobs:

release:
runs-on: ubuntu-latest
needs: [Generate-MSTG-Documents, Generate-Checklists]
needs: [Generate-MASTG-Documents, Generate-Checklists]
if: startsWith(github.ref, 'refs/tags/') && (github.actor == 'cpholguera' || github.actor == 'sushi2k')
steps:
- uses: actions/download-artifact@v2
- name: List Downloaded document (sampling of download-artifact)
run: ls -l OWASP_MSTG*
run: ls -l OWASP_MASTG*

- name: print working directory
run: pwd
Expand All @@ -134,9 +134,9 @@ jobs:
generate_release_notes: true
discussion_category_name: Announcements
files: |
OWASP_MSTG-*/OWASP_MSTG-*.pdf
OWASP_MSTG-*/OWASP_MSTG-*.epub
OWASP_MSTG-*/OWASP_MSTG-*.docx
OWASP_MASTG-*/OWASP_MASTG-*.pdf
OWASP_MASTG-*/OWASP_MASTG-*.epub
OWASP_MASTG-*/OWASP_MASTG-*.docx
Checklists/*.xlsx
Enhanced-MASVS-YAML-Files/*.yaml
env:
Expand Down
4 changes: 3 additions & 1 deletion .gitignore
Original file line number Diff line number Diff line change
Expand Up @@ -10,4 +10,6 @@ OWASP_MSTG-SNAPSHOT-*
logs
*.pdf
*.docx
*.epub
*.epub
docs/MASVS
docs/MASTG
6 changes: 3 additions & 3 deletions CITATION.cff
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
# YAML 1.2
---
abstract: "The MSTG is a comprehensive manual for mobile app security testing and reverse engineering. It describes technical processes for verifying the controls listed in the OWASP Mobile Application Verification Standard (MASVS)."
abstract: "The MASTG is a comprehensive manual for mobile app security testing and reverse engineering. It describes technical processes for verifying the controls listed in the OWASP Mobile Application Verification Standard (MASVS)."
authors:
-
family-names: Holguera
Expand All @@ -26,8 +26,8 @@ keywords:
- "iOS security"
- "mobile pentesting"
license: "CC-BY-SA-4.0"
message: "If you use the MSTG, please cite it using these metadata."
message: "If you use the MASTG, please cite it using these metadata."
repository-code: "https://github.com/OWASP/owasp-mstg/"
title: "OWASP Mobile Security Testing Guide"
title: "OWASP Mobile Application Security Testing Guide"
version: "1.2"
...
10 changes: 5 additions & 5 deletions CODE_OF_CONDUCT.md
Original file line number Diff line number Diff line change
Expand Up @@ -31,15 +31,15 @@ Project maintainers have the right and responsibility to remove, edit, or reject

## Disclaimer

The MSTG and its materials are conceived for educational and research purposes only, or if you are a professional security tester that is analyzing mobile apps with approval of the app owner (e.g. as part of a penetration test or a bug bounty program).
The OWAPS MAS and its materials are conceived for educational and research purposes only, or if you are a professional security tester that is analyzing mobile apps with approval of the app owner (e.g. as part of a penetration test or a bug bounty program).

Refrain from violating the laws in your country by carefully consulting them before executing any tests against mobile apps when utilizing the MSTG materials.
Refrain from violating the laws in your country by carefully consulting them before executing any tests against mobile apps when utilizing the OWAPS MAS materials.

The MSTG project is also NOT supporting unethical activities in any way. If you come across such requests, please reach out to the project leaders and raise this to them.
The OWAPS MAS project is also NOT supporting unethical activities in any way. If you come across such requests, please reach out to the project leaders and raise this to them.

Neither OWASP, the MSTG project leaders, authors or anyone else involved in this project is going to take responsibility for your actions.
Neither OWASP, the OWAPS MAS project leaders, authors or anyone else involved in this project is going to take responsibility for your actions.

The intention of the MSTG is not to encourage hacking or malicious activities! Instead, the goal of the project is to document different attacks against mobile apps and its risk, and offer ways to reduce or mitigate that risk.
The intention of the OWAPS MAS project is not to encourage hacking or malicious activities! Instead, the goal of the project is to document different attacks against mobile apps and its risk, and offer ways to reduce or mitigate that risk.

## Scope

Expand Down
22 changes: 11 additions & 11 deletions Crackmes/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@ This app holds a secret inside. Can you find it?

- Objective: A secret string is hidden somewhere in this app. Find a way to extract it.
- Author: [Bernhard Mueller](https://github.com/muellerberndt "Bernhard Mueller").
- Maintained by the OWASP MSTG leaders.
- Maintained by the OWASP MAS leaders.

#### Installation

Expand Down Expand Up @@ -40,7 +40,7 @@ This app holds a secret inside. May include traces of native code.
- Objective: A secret string is hidden somewhere in this app. Find a way to extract it.
- Author: [Bernhard Mueller](https://github.com/muellerberndt "Bernhard Mueller").
- Special thanks to Michael Helwig for finding and fixing an oversight in the anti-tampering mechanism.
- Maintained by the OWASP MSTG leaders.
- Maintained by the OWASP MAS leaders.

#### Installation

Expand All @@ -66,7 +66,7 @@ The crackme from hell!
- Objective: A secret string is hidden somewhere in this app. Find a way to extract it.
- Author: [Bernhard Mueller](https://github.com/muellerberndt "Bernhard Mueller").
- Special thanks to Eduardo Novella for testing, feedback and pointing out flaws in the initial build(s).
- Maintained by the OWASP MSTG leaders.
- Maintained by the OWASP MAS leaders.

#### Installation

Expand Down Expand Up @@ -104,9 +104,9 @@ $ adb install r2pay-v0.9.apk
```

#### Versions
- `v0.9` - Release for `OWASP MSTG`.
- `v0.9` - Release for OWASP MAS.
- Source code is available and the compilation has been softened in many ways to make the challenge easier and more enjoyable for newcomers.
- `v1.0` - Release for `R2con CTF 2020`.
- `v1.0` - Release for R2con CTF 2020.
- No source code is available and many extra protections are in place.

#### Solutions R2pay v0.9
Expand All @@ -123,7 +123,7 @@ A brand new Android app sparks your interest. Of course, you are planning to pur

- Objective: Generate a valid serial key that is accepted by this app.
- Author: [Bernhard Mueller](https://github.com/muellerberndt "Bernhard Mueller").
- Maintained by the OWASP MSTG leaders.
- Maintained by the OWASP MAS leaders.

#### Installation

Expand Down Expand Up @@ -156,7 +156,7 @@ This app holds a secret inside. Can you find it?

- Objective: A secret string is hidden somewhere in this binary. Find a way to extract it. The app will give you a hint when started.
- Author: [Bernhard Mueller](https://github.com/muellerberndt "Bernhard Mueller")
- Maintained by the OWASP MSTG leaders.
- Maintained by the OWASP MAS leaders.

#### Installation

Expand All @@ -177,7 +177,7 @@ This app holds a secret inside - and this time it won't be tampered with!

- Objective: Find the secret code - it is related to alcoholic beverages.
- Author: [Bernhard Mueller](https://github.com/muellerberndt "Bernhard Mueller").
- Maintained by the OWASP MSTG leaders.
- Maintained by the OWASP MAS leaders.

Note: Due to its anti-tampering the app won't run correctly if the main executable is modified and/or re-signed. You'll need to trust the developer run it the standard way on a non-jailbroken device (General Settings -> Profile & Device Management) and to verify the solution.

Expand All @@ -192,10 +192,10 @@ Note: The IPA is signed with an Enterprise distribution certificate. You'll need
- [Solution by Ryan Teoh](http://www.ryantzj.com/cracking-owasp-mstg-ios-crackme-the-uncrackable.html "Solution by Ryan Teoh").
- [Solution by Pietro Oliva](https://0xsysenter.github.io/ios/reversing/arm64/mobile/ipa/frida/instrumentation/crackme/2021/02/08/ios-apps-reverse-engineering-solving-crackmes-part-2.html "Solution by Pietro Oliva").

## MSTG Hacking Playground
## MASTG Hacking Playground

Did you enjoy working with the Crackmes? There is more! Go to [the MSTG Hacking Playground](https://github.com/OWASP/MSTG-Hacking-Playground "MSTG-playground") and find out!
Did you enjoy working with the Crackmes? There is more! Go to [the MASTG Hacking Playground](https://github.com/OWASP/MSTG-Hacking-Playground "MASTG-playground") and find out!

## Issues with the Crackmes

If the app does not boot, or if there is another bug: file an issue at this repository or at [the one you should not go to (SPOILER ALERT!)](https://github.com/OWASP/mstg-crackmes "OWASP MSTG Crackmes").
If the app does not boot, or if there is another bug: file an issue at this repository or at [the one you should not go to (SPOILER ALERT!)](https://github.com/OWASP/mstg-crackmes "OWASP MASTG Crackmes").
4 changes: 2 additions & 2 deletions Document/0x01-Foreword.md
Original file line number Diff line number Diff line change
Expand Up @@ -10,10 +10,10 @@ If you have feedback or suggestions, or want to contribute, create an issue on G

On a beautiful summer day, a group of ~7 young men, a woman, and approximately three squirrels met in a Woburn Forest villa during the OWASP Security Summit 2017. So far, nothing unusual. But little did you know, within the next five days, they would redefine not only mobile application security, but the very fundamentals of book writing itself (ironically, the event took place near Bletchley Park, once the residence and work place of the great Alan Turing).

Or maybe that's going too far. But at least, they produced a proof-of-concept for an unusual security book. The Mobile Security Testing Guide (MSTG) is an open, agile, crowd-sourced effort, made of the contributions of dozens of authors and reviewers from all over the world.
Or maybe that's going too far. But at least, they produced a proof-of-concept for an unusual security book. The Mobile Application Security Testing Guide (MASTG) is an open, agile, crowd-sourced effort, made of the contributions of dozens of authors and reviewers from all over the world.

Because this isn't a normal security book, the introduction doesn't list impressive facts and data proving importance of mobile devices in this day and age. It also doesn't explain how mobile application security is broken, and why a book like this was sorely needed, and the authors don't thank their beloved ones without whom the book wouldn't have been possible.

We do have a message to our readers however! The first rule of the OWASP Mobile Security Testing Guide is: Don't just follow the OWASP Mobile Security Testing Guide. True excellence at mobile application security requires a deep understanding of mobile operating systems, coding, network security, cryptography, and a whole lot of other things, many of which we can only touch on briefly in this book. Don't stop at security testing. Write your own apps, compile your own kernels, dissect mobile malware, learn how things tick. And as you keep learning new things, consider contributing to the MSTG yourself! Or, as they say: "Do a pull request".
We do have a message to our readers however! The first rule of the OWASP Mobile Security Testing Guide is: Don't just follow the OWASP Mobile Security Testing Guide. True excellence at mobile application security requires a deep understanding of mobile operating systems, coding, network security, cryptography, and a whole lot of other things, many of which we can only touch on briefly in this book. Don't stop at security testing. Write your own apps, compile your own kernels, dissect mobile malware, learn how things tick. And as you keep learning new things, consider contributing to the MASTG yourself! Or, as they say: "Do a pull request".

<img src="Images/summit-team.jpg" width="100%" />
Loading