You are on page 1of 50

OWASP Mobile Application Security Checklist

Based on the OWASP Mobile Application Security Verification Standard 1.0

General Testing Information


Client Name:
Test Location:
Start Date:
Closing Date:
Name of Tester:
Testing Scope

Verification Level

Testing information Android


Application Name:
Google Play Store Link
Filename
Version
MD5 Hash of APK

Testing information iOS


Application Name:
App Store Link
Filename
Version
MD5 Hash of IPA

Client Representatives and Contact Information

Name:
Org:
Title:
Phone:
E-mail:

Name:
Org:
Title:
Phone:
E-mail:
e Application Security Checklist

OWASP Mobile Application Security Verification Standard 1.0

All available functions within the App <AppName>.

After consultation with <Customer> it was decided that only Level 1 requrirements are applicable to <AppName>.

ives and Contact Information


Management Summary

V1: Architecture, Design and Threat Modelling


MASVS Complia
1.00

V2: Data Storage and Privacy V8: Resiliency A

` 0.50

V3: Cryptography Verification 0.00 V7

V4: Authentication and Session Management V6: Platform Inte

V5: Network Communication

Android
P F
V1: Architecture, Design and Threat Modelling 1 0
V2: Data Storage and Privacy 0 0
V3: Cryptography Verification 0 0
V4: Authentication and Session Management 0 0
V5: Network Communication 0 0
V6: Platform Interaction 0 0
V7: Code Quality and Build Settings 0 0
V8: Resiliency Against Reverse Engineering 0 0
MASVS Compliance Score ( / 5)

1
ling
MASVS Compliance Diagram - Android
Android

V8: Resiliency Against Reverse Engineering V2: Data Storage and P

V7: Code Quality and Build Settings V3: Cryptography Verification

V6: Platform Interaction V4: Authentication and Session Manag

Android iOS
NA % P F NA %
6 100.00% 0 0 6 0.00%
5 0.00% 0 0 5 0.00%
0 0.00% 0 0 0 0.00%
5 0.00% 0 0 5 0.00%
3 0.00% 0 0 3 0.00%
0 0.00% 0 0 0 0.00%
0 0.00% 0 0 0 0.00%
12 0.00% 0 0 12 0.00%
MASVS Compliance Score ( / 5)

0
V1: Architecture, Design and Threat Modelling
MASVS Compliance Diagram - iOS
1.00 IOS

V2: Data Storage and Privacy V8: Resiliency Against Reverse Engineering

0.50

ptography Verification 0.00 V7: Code Quality and Build Settings

ntication and Session Management V6: Platform Interaction

V5: Network Communication


ompliance Score ( / 5)

0
ce Diagram - iOS
IOS

Reverse Engineering

Quality and Build Settings

n
Resiliency against Reverse Engineering - Android

8.1

8.2

8.3

8.4

8.5

8.6

8.7

8.8
8.9

8.10

8.11

8.12

Legend
Symbol
Pass
Fail
N/A
Resiliency against Reverse Engineering - Android

Resiliency Against Reverse Engineering Requirements


Impede Dynamic Analysis and Tampering
Verify that the app implements two or more functionally independent methods of root detection and responds to the pre
a rooted device either by alerting the user or terminating the app.
Verify that the app implements multiple functionally independent debugging defenses that, in context of the overall prote
scheme, force adversaries to invest significant manual effort to enable debugging. All available debugging protocols must b
covered (e.g. JDWP and native).
Verify that the app detects, and responds to, tampering with executable files and critical data.
Verify that the app detects the presence of widely used reverse engineering tools, such as code injection tools, hooking
frameworks and debugging servers.
Verify that the app detects, and response to, being run in an emulator using any method.
Verify that the app detects, and responds to, modifications of process memory, including relocation table patches and inje
code.
Verify that the app implements multiple different responses to tampering, debugging and emulation (requirements 8.1 - 8
including stealthy responses that don't simply terminate the app.
Verify that the detection mechanisms trigger responses of different types, including delayed and stealthy responses.
Verify that obfuscation is applied to programmatic defenses, which in turn impede de-obfuscation via dynamic analysis.
Device Binding
Verify that the app implements a 'device binding' functionality when a mobile device is treated as being trusted. Verify tha
device fingerprint is derived from multiple device properties.
Impede Comprehension

Verify that all executable files and libraries belonging to the app are either encrypted on the file level and/or important co
data segments inside the executables are encrypted or packed. Trivial static analysis does not reveal important code or dat

Verify that if the goal of obfuscation is to protect sensitive computations, an obfuscation scheme is used that is both appro
for the particular task and robust against manual and automated de-obfuscation methods, considering currently published
research. The effectiveness of the obfuscation scheme must be verified through manual testing. Note that hardware-base
isolation features are prefered over obfuscation whenever possible.

Definition
Requirement is applicable to mobile App and implemented according to best practices.
Requirement is applicable to mobile App but not fulfilled.
Requirement is not applicable to mobile App.
R Status Testing Procedure

✓ N/A
Testing Advanced Root Detection

✓ N/A
Testing Debugging Defenses
✓ N/A Testing File Integrity Checks
✓ N/A
Testing Detection of Reverse Engineering Tools
✓ N/A Testing Simple Emulator Detection
✓ N/A
Testing Memory Integrity Checks
✓ N/A
Verifying the Variability of Tampering Responses
✓ N/A Testing Detection Mechanisms
✓ N/A Testing Simple Obfuscation

✓ N/A
Testing Device Binding

✓ N/A
Testing Advanced Anti-Emulation

✓ N/A

Testing Advanced Obfuscation


Comment
Mobile Application Security Requirements - Android

ID
V1
1.1
1.2

1.3

1.4
1.5

1.6

1.7

1.8

1.9
1.10
V2

2.1
2.2
2.3
2.4
2.5
2.6
2.7
2.8
2.9
2.10
2.11

2.12
V3
3.1
3.2

3.3

3.4
3.5
3.6
V4

4.1
4.2

4.3
4.4
4.5

4.6

4.7
4.8
4.9
4.10

4.11
V5
5.1
5.2

5.3

5.4

5.5
5.6
V6
6.1

6.2

6.3
6.4
6.5

6.6

6.7.
6.8
V7
7.1
7.2
7.3
7.4

7.5
7.6
7.7
7.8

7.9

Legend
Symbol
Pass
Fail
N/A
Mobile Application Security Requirements - Android

Detailed Verification Requirement


Architecture, design and threat modelling
Verify all application components are identified and are known to be needed.
Verify that security controls are never enforced only on the client side, but on the respective remote endpoints.
Verify that a high-level architecture for the mobile app and all connected remote services has been defined and security h
addressed in that architecture.
Verify that data considered sensitive in the context of the mobile app is clearly identified.
Verify all app components are defined in terms of the business functions and/or security functions they provide.
Verify that a threat model for the mobile app and the associated remote services, which identifies potential threats and
countermeasures, has been produced.
Verify that all security controls have a centralized implementation.
Verify that there is an explicit policy for how cryptographic keys (if any) are managed, and the lifecycle of cryptographic ke
Ideally, follow a key management standard such as NIST SP 800-57.
Verify that a mechanism for enforcing updates of the mobile app exists.
Verify that security is addressed within all parts of the software development lifecycle.
Data Storage and Privacy
Verify that system credential storage facilities are used appropriately to store sensitive data, such as user credentials or cry
keys.
Verify that no sensitive data is written to application logs.
Verify that no sensitive data is shared with third parties unless it is a necessary part of the architecture.
Verify that the keyboard cache is disabled on text inputs that process sensitive data.
Verify that the clipboard is deactivated on text fields that may contain sensitive data.
Verify that no sensitive data is exposed via IPC mechanisms.
Verify that no sensitive data, such as passwords or pins, is exposed through the user interface.
Verify that no sensitive data is included in backups generated by the mobile operating system.
Verify that the app removes sensitive data from views when backgrounded.
Verify that the app does not hold sensitive data in memory longer than necessary, and memory is cleared explicitly after u
Verify that the app enforces a minimum device-access-security policy, such as requiring the user to set a device passcode.
Verify that the app educates the user about the types of personally identifiable information processed, as well as security
the user should follow in using the app.
Cryptography
Verify that the app does not rely on symmetric cryptography with hardcoded keys as a sole method of encryption.
Verify that the app uses proven implementations of cryptographic primitives.
Verify that the app uses cryptographic primitives that are appropriate for the particular use-case, configured with paramet
adhere to industry best practices.

Verify that the app does not use cryptographic protocols or algorithms that are widely considered depreciated for security
Verify that the app doesn't re-use the same cryptographic key for multiple purposes.
Verify that all random values are generated using a sufficiently secure random number generator.
Authentication and Session Management
Verify that if the app provides users with access to a remote service, an acceptable form of authentication such as usernam
authentication is performed at the remote endpoint.
Verify that the remote endpoint uses randomly generated session identifiers, if classical server side session management i
authenticate client requests without sending the user's credentials.
Verify that the remote endpoint uses server side signed tokens, if stateless authentication is used, to authenticate client re
without sending the user's credentials.
Verify that the remote endpoint terminates the existing session when the user logs out.
Verify that a password policy exists and is enforced at the remote endpoint.
Verify that the remote endpoint implements a mechanism to protect against the submission of credentials an excessive nu
times.
Verify that biometric authentication, if any, is not event-bound (i.e. using an API that simply returns "true" or "false"). Inste
based on unlocking the keychain/keystore.
Verify that sessions are terminated at the remote endpoint or tokens expire after a predefined period of inactivity.
Verify that a second factor of authentication exists at the remote endpoint and the 2FA requirement is consistently enforce
Verify that step-up authentication is required to enable actions that deal with sensitive data or transactions.
Verify that the app informs the user of all login activities with his or her account. Users are able view a list of devices used
account, and to block specific devices.
Network Communication
Verify that data is encrypted on the network using TLS. The secure channel is used consistently throughout the app.
Verify that the TLS settings are in line with current best practices, as far as they are supported by the mobile operating sys
Verify that the app verifies the X.509 certificate of the remote endpoint when the secure channel is established. Only certi
by a valid CA are accepted.
Verify that the app either uses its own certificate store, or pins the endpoint certificate or public key, and subsequently do
establish connections with endpoints that offer a different certificate or key, even if signed by a trusted CA.
Verify that the app doesn't rely on a single insecure communication channel (email or SMS) for critical operations, such as
and account recovery.
Verify that the app only depends on up to date connectivity- and security libraries.
Platform Interaction
Verify that the app only requires the minimum set of permissions necessary.
Verify that all inputs from external sources and the user are validated and if necessary sanitized. This includes data receive
IPC mechanisms such as intents, custom URLs, and network sources.

Verify that the app does not export sensitive functionality via custom URL schemes, unless these mechanisms are properly
Verify that the app does not export sensitive functionality through IPC facilities, unless these mechanisms are properly pro
Verify that JavaScript is disabled in WebViews unless explicitly required.
Verify that WebViews are configured to allow only the minimum set of protocol handlers required (ideally, only https). Pot
dangerous handlers, such as file, tel and app-id, are disabled.
If native methods of the app are exposed to a WebView, verify that the WebView only renders JavaScript contained within
package.
Verify that object serialization, if any, is implemented using safe serialization APIs.
Code Quality and Build Settings
Verify that the app is signed and provisioned with valid certificate.
Verify that the app has been built in release mode, with settings appropriate for a release build (e.g. non-debuggable).
Verify that debugging symbols have been removed from native binaries.
Verify that debugging code has been removed, and the app does not log verbose errors or debugging messages.
Verify that all third party components used by the mobile app, such as libraries and frameworks, are identified, and checke
vulnerabilities.
Verify that the app catches and handles possible exceptions.
Verify that error handling logic in security controls denies access by default.
Verify that in unmanaged code, memory is allocated, freed and used securely.
Free security features offered by the toolchain, such as byte-code minification, stack protection, PIE support and automati
counting, are activated.

Definition
Requirement is applicable to mobile App and implemented according to best practices.
Requirement is applicable to mobile App but not fulfilled.
Requirement is not applicable to mobile App.
Level 1 Level 2 Status

✓ ✓ Pass
✓ ✓

✓ ✓

✓ ✓
✓ N/A

✓ N/A

✓ N/A

✓ N/A

✓ N/A
✓ N/A

✓ ✓

✓ ✓
✓ ✓
✓ ✓
✓ ✓
✓ ✓
✓ ✓
✓ N/A
✓ N/A
✓ N/A
✓ N/A

✓ N/A

✓ ✓
✓ ✓

✓ ✓

✓ ✓

✓ ✓
✓ ✓

✓ ✓
✓ ✓

✓ ✓

✓ ✓

✓ ✓

✓ N/A

✓ N/A
✓ N/A
✓ N/A

✓ N/A

✓ ✓
✓ ✓

✓ ✓

✓ N/A

✓ N/A

✓ N/A

✓ ✓

✓ ✓

✓ ✓

✓ ✓
✓ ✓

✓ ✓

✓ ✓

✓ ✓

✓ ✓
✓ ✓
✓ ✓
✓ ✓

✓ ✓

✓ ✓
✓ ✓
✓ ✓

✓ ✓
Testing Procedure

-
-

-
-
-

-
-

-
-
-

Testing For Sensitive Data in Local Data Storage


Testing For Sensitive Data in Logs
Testing Whether Sensitive Data Is Sent To Third Parties
Testing Whether the Keyboard Cache Is Disabled for Text Input Fields
Testing for Sensitive Data in the Clipboard
Testing Whether Sensitive Data Is Exposed via IPC Mechanisms
Testing for Sensitive Data Disclosure Through the User Interface
Testing for Sensitive Data in Backups
Testing for Sensitive Information in Auto-Generated Screenshots
Testing for Sensitive Data in Memory
Testing the Device-Access-Security Policy

Verifying User Education Controls

Verifying Key Management


Testing for Custom Implementations of Cryptography

Verifying the Configuration of Cryptographic Standard Algorithms

Testing for Insecure and/or Deprecated Cryptographic Algorithms


Testing Random Number Generation
Verifying Key Management

Verifying that Users Are Properly Authenticated


Testing Session Management

Testing Session Management


Testing the Logout Functionality
Testing the Password Policy

Testing Excessive Login Attempts

Testing Biometric Authentication


Testing the Session Timeout
Testing 2-Factor Authentication
Testing Step-up Authentication

Testing User Device Management

Testing for Unencrypted Sensitive Data on the Network


Verifying the TLS Settings

Testing Endpoint Identify Verification

Testing Custom Certificate Stores and SSL Pinning

Verifying that Critical Operations Use Secure Communication Channels


Verifying the Security Provider

Testing App Permissions

Testing Input Validation and Sanitization

Testing Custom URL Schemes


Testing For Sensitive Functionality Exposure Through IPC
Testing JavaScript Execution in WebViews

Testing WebView Protocol Handlers

Testing Whether Java Objects Are Exposed Through WebViews


Testing Object (De-)Serialization

Verifying That the App is Properly Signed


Testing If the App is Debuggable
Testing for Debugging Symbols
Testing for Debugging Code and Verbose Error Logging

Testing 3rd party libraries


Testing Exception Handling
Testing Error Handling in Security Controls
Testing for Memory Management Bugs

Verifying usage of Free Security Features


Comment
Mobile Application Security Requirements - iOS

ID
V1
1.1
1.2

1.3

1.4
1.5

1.6

1.7

1.8

1.9
1.10
V2

2.1
2.2
2.3

2.4
2.5
2.6
2.7
2.8
2.9
2.10
2.11

2.12
V3
3.1
3.2

3.3

3.4
3.5
3.6
V4

4.1
4.2

4.3
4.4
4.5

4.6

4.7
4.8
4.9
4.10

4.11
V5
5.1
5.2

5.3

5.4

5.5
5.6
V6
6.1

6.2

6.3
6.4
6.5

6.6

6.7
6.8
V7
7.1
7.2
7.3
7.4

7.5
7.6
7.7
7.8

7.9

Legend
Symbol
Pass
Fail
N/A
Mobile Application Security Requirements - iOS

Detailed Verification Requirement


Architecture, design and threat modelling
Verify all application components are identified and are known to be needed.
Verify that security controls are never enforced only on the client side, but on the respective remote endpoints.
Verify that a high-level architecture for the mobile app and all connected remote services has been defined and security h
addressed in that architecture.
Verify that data considered sensitive in the context of the mobile app is clearly identified.
Verify all app components are defined in terms of the business functions and/or security functions they provide.
Verify that a threat model for the mobile app and the associated remote services, which identifies potential threats and
countermeasures, has been produced.
Verify that all security controls have a centralized implementation.
Verify that there is an explicit policy for how cryptographic keys (if any) are managed, and the lifecycle of cryptographic ke
Ideally, follow a key management standard such as NIST SP 800-57.
Verify that a mechanism for enforcing updates of the mobile app exists.
Verify that security is addressed within all parts of the software development lifecycle.
Data Storage and Privacy
Verify that system credential storage facilities are used appropriately to store sensitive data, such as user credentials or cry
keys.
Verify that no sensitive data is written to application logs.
Verify that no sensitive data is shared with third parties unless it is a necessary part of the architecture.

Verify that the keyboard cache is disabled on text inputs that process sensitive data.
Verify that the clipboard is deactivated on text fields that may contain sensitive data.
Verify that no sensitive data is exposed via IPC mechanisms.
Verify that no sensitive data, such as passwords or pins, is exposed through the user interface.
Verify that no sensitive data is included in backups generated by the mobile operating system.
Verify that the app removes sensitive data from views when backgrounded.
Verify that the app does not hold sensitive data in memory longer than necessary, and memory is cleared explicitly after u
Verify that the app enforces a minimum device-access-security policy, such as requiring the user to set a device passcode.
Verify that the app educates the user about the types of personally identifiable information processed, as well as security
the user should follow in using the app.
Cryptography
Verify that the app does not rely on symmetric cryptography with hardcoded keys as a sole method of encryption.
Verify that the app uses proven implementations of cryptographic primitives.
Verify that the app uses cryptographic primitives that are appropriate for the particular use-case, configured with paramet
adhere to industry best practices.

Verify that the app does not use cryptographic protocols or algorithms that are widely considered depreciated for security
Verify that the app doesn't re-use the same cryptographic key for multiple purposes.
Verify that all random values are generated using a sufficiently secure random number generator.
Authentication and Session Management
Verify that if the app provides users with access to a remote service, an acceptable form of authentication such as usernam
authentication is performed at the remote endpoint.
Verify that the remote endpoint uses randomly generated session identifiers, if classical server side session management i
authenticate client requests without sending the user's credentials.
Verify that the remote endpoint uses server side signed tokens, if stateless authentication is used, to authenticate client re
without sending the user's credentials.
Verify that the remote endpoint terminates the existing session when the user logs out.
Verify that a password policy exists and is enforced at the remote endpoint.
Verify that the remote endpoint implements a mechanism to protect against the submission of credentials an excessive nu
times.
Verify that biometric authentication, if any, is not event-bound (i.e. using an API that simply returns "true" or "false"). Inste
on unlocking the keychain/keystore.
Verify that sessions are terminated at the remote endpoint or tokens expire after a predefined period of inactivity.
Verify that a second factor of authentication exists at the remote endpoint and the 2FA requirement is consistently enforce
Verify that step-up authentication is required to enable actions that deal with sensitive data or transactions.
Verify that the app informs the user of all login activities with his or her account. Users are able view a list of devices used
account, and to block specific devices.
Network Communication
Verify that data is encrypted on the network using TLS. The secure channel is used consistently throughout the app.
Verify that the TLS settings are in line with current best practices, as far as they are supported by the mobile operating sys
Verify that the app verifies the X.509 certificate of the remote endpoint when the secure channel is established. Only certi
by a valid CA are accepted.
Verify that the app either uses its own certificate store, or pins the endpoint certificate or public key, and subsequently do
establish connections with endpoints that offer a different certificate or key, even if signed by a trusted CA.
Verify that the app doesn't rely on a single insecure communication channel (email or SMS) for critical operations, such as
and account recovery.
Verify that the app only depends on up to date connectivity- and security libraries.
Platform Interaction
Verify that the app only requires the minimum set of permissions necessary.
Verify that all inputs from external sources and the user are validated and if necessary sanitized. This includes data receive
IPC mechanisms such as intents, custom URLs, and network sources.

Verify that the app does not export sensitive functionality via custom URL schemes, unless these mechanisms are properly
Verify that the app does not export sensitive functionality through IPC facilities, unless these mechanisms are properly pro
Verify that JavaScript is disabled in WebViews unless explicitly required.
Verify that WebViews are configured to allow only the minimum set of protocol handlers required (ideally, only https). Pot
dangerous handlers, such as file, tel and app-id, are disabled.
If native methods of the app are exposed to a WebView, verify that the WebView only renders JavaScript contained within
package.
Verify that object serialization, if any, is implemented using safe serialization APIs.
Code Quality and Build Settings
Verify that the app is signed and provisioned with valid certificate.
Verify that the app has been built in release mode, with settings appropriate for a release build (e.g. non-debuggable).
Verify that debugging symbols have been removed from native binaries.
Verify that debugging code has been removed, and the app does not log verbose errors or debugging messages.
Verify that all third party components used by the mobile app, such as libraries and frameworks, are identified, and checke
vulnerabilities.
Verify that the app catches and handles possible exceptions.
Verify that error handling logic in security controls denies access by default.
Verify that in unmanaged code, memory is allocated, freed and used securely.
Free security features offered by the toolchain, such as byte-code minification, stack protection, PIE support and automati
counting, are activated.

Definition
Requirement is applicable to mobile App and implemented according to best practices.
Requirement is applicable to mobile App but not fulfilled.
Requirement is not applicable to mobile App.
Level 1 Level 2 Status

✓ ✓
✓ ✓

✓ ✓

✓ ✓
✓ N/A

✓ N/A

✓ N/A

✓ N/A

✓ N/A
✓ N/A

✓ ✓

✓ ✓
✓ ✓

✓ ✓

✓ ✓
✓ ✓
✓ ✓
✓ N/A
✓ N/A
✓ N/A
✓ N/A

✓ N/A

✓ ✓
✓ ✓

✓ ✓

✓ ✓

✓ ✓
✓ ✓

✓ ✓
✓ ✓

✓ ✓

✓ ✓

✓ ✓

✓ N/A

✓ N/A
✓ N/A
✓ N/A

✓ N/A

✓ ✓
✓ ✓

✓ ✓

✓ N/A

✓ N/A

✓ N/A

✓ ✓

✓ ✓

✓ ✓

✓ ✓
✓ ✓

✓ ✓

✓ ✓

✓ ✓

✓ ✓
✓ ✓
✓ ✓
✓ ✓

✓ ✓

✓ ✓
✓ ✓
✓ ✓

✓ ✓
Testing Procedure

-
-

-
-
-

-
-

-
-
-

Testing For Sensitive Data in Local Data Storage


Testing For Sensitive Data in Logs
Testing Whether Sensitive Data Is Sent To Third Parties

Testing Whether the Keyboard Cache Is Disabled for Text Input Fields
Testing for Sensitive Data in the Clipboard
Testing Whether Sensitive Data Is Exposed via IPC Mechanisms
Testing for Sensitive Data Disclosure Through the User Interface
Testing for Sensitive Data in Backups
Testing for Sensitive Information in Auto-Generated Screenshots
Testing for Sensitive Data in Memory
Testing the Device-Access-Security Policy

Verifying User Education Controls

Verifying Key Management


Testing for Custom Implementations of Cryptography

Verifying the Configuration of Cryptographic Standard Algorithms

Testing for Insecure and/or Deprecated Cryptographic Algorithms


Testing Random Number Generation
Verifying Key Management

Verifying that Users Are Properly Authenticated


Testing Session Management

Testing the Logout Functionality


Testing the Logout Functionality
Testing the Password Policy

Testing Excessive Login Attempts

Testing Biometric Authentication


Testing the Session Timeout
Testing 2-Factor Authentication
Testing Step-up Authentication

Testing User Device Management

Testing for Unencrypted Sensitive Data on the Network


Verifying the TLS Settings

Testing Endpoint Identify Verification

Testing Custom Certificate Stores and SSL Pinning

Verifying that Critical Operations Use Secure Communication Channels


Verifying the Security Provider

Testing App Permissions

Testing Input Validation and Sanitization

Testing Custom URL Schemes


Testing For Sensitive Functionality Exposure Through IPC
Testing JavaScript Execution in WebViews

Testing WebView Protocol Handlers

Testing Whether Java Objects Are Exposed Through WebViews


Testing Object (De-)Serialization

Verifying That the App is Properly Signed


Testing If the App is Debuggable
Testing for Debugging Symbols
Testing for Debugging Code and Verbose Error Logging

Testing 3rd party libraries


Testing Exception Handling
Testing Error Handling in Security Controls
Testing for Memory Management Bugs

Verifying Compiler Settings


Comment
Resiliency Against Reverse Engineering - iOS

8.1

8.2

8.3

8.4

8.5
8.6

8.7

8.8
8.9

8.10

8.11

8.12

Legend
Symbol
Pass
Fail
N/A
Resiliency Against Reverse Engineering - iOS

Resiliency Against Reverse Engineering Requirements


Impede Dynamic Analysis and Tampering
Verify that the app implements two or more functionally independent methods of root detection and responds to the pre
device either by alerting the user or terminating the app.
Verify that the app implements multiple functionally independent debugging defenses that, in context of the overall prote
force adversaries to invest significant manual effort to enable debugging. All available debugging protocols must be covere
native).
Verify that the app detects, and responds to, tampering with executable files and critical data.
Verify that the app detects the presence of widely used reverse engineering tools, such as code injection tools, hooking fra
debugging servers.
Verify that the app detects, and response to, being run in an emulator using any method.
Verify that the app detects, and responds to, modifications of process memory, including relocation table patches and inje
Verify that the app implements multiple different responses to tampering, debugging and emulation (requirements 8.1 - 8
stealthy responses that don't simply terminate the app.
Verify that the detection mechanisms trigger responses of different types, including delayed and stealthy responses.
Verify that obfuscating transformations and functional defenses are interdependent and well-integrated throughout the ap
Device Binding
Verify that the app implements a 'device binding' functionality when a mobile device is treated as being trusted. Verify tha
fingerprint is derived from multiple device properties.
Impede Comprehension
Verify that all executable files and libraries belonging to the app are either encrypted on the file level and/or important co
segments inside the executables are encrypted or packed. Trivial static analysis does not reveal important code or data.
Verify that if the goal of obfuscation is to protect sensitive computations, an obfuscation scheme is used that is both appro
particular task and robust against manual and automated de-obfuscation methods, considering currently published resear
effectiveness of the obfuscation scheme must be verified through manual testing. Note that hardware-based isolation feat
over obfuscation whenever possible.

Definition
Requirement is applicable to mobile App and implemented according to best practices.
Requirement is applicable to mobile App but not fulfilled.
Requirement is not applicable to mobile App.
R Status Testing Procedure

✓ N/A
Testing Advanced Root Detection

✓ N/A
Testing Debugging Defenses
✓ N/A Testing File Integrity Checks
✓ N/A
Testing Detection of Reverse Engineering Tools
✓ N/A Testing Simple Emulator Detection
✓ N/A Testing Memory Integrity Checks
✓ N/A
Verifying the Variability of Tampering Responses
✓ N/A Testing Detection Mechanisms
✓ N/A Testing Simple Obfuscation

✓ N/A
Testing Device Binding

✓ N/A
Testing Advanced Anti-Emulation

✓ N/A

Testing Advanced Obfuscation


Comment
XLS Version History
Name Version Date
Alexander Antukh (Opera Software) 0.1 1/30/2017
Sven Schleier 0.2 1/31/2017
Abdessamad Temmar 0.3 2/12/2017
Bernhard Mueller 0.8.1 2/14/2017
Sven Schleier 0.9.2 2/15/2017
Bernhard Mueller 0.9.3 4/4/2017
Sven Schleier 0.9.3 7/3/2017
Sven Schleier 0.9.4 8/16/2017
Sven Schleier 1.0 1/13/2018
Comment
Initial draft
Merging of three diffeent templates
Adding Spider Chart
Rework, adding links to Testing Guide
QA (and sync version number with MASVS)
Sync with MASVS (merge 7.9 into 7.8)
Sync with MASVS (update requirements of domain 4 and R)
Sync with MASVS (update requirements of domain 1, 4 and 6)
Sync with MASVS (update requirements of domain 3 and 8)