Welcome to the full schedule of the OWASP AppSec Research EU 2013 conference days. You’ll find the schedule for the training days at http://trainings2013.appsec.eu
Thursday, August 22 • 4:45pm - 5:30pm
Security Testing Guidelines for mobile Apps


Smartphones and tablets are increasingly becoming part of our everyday life. Apps of all kinds assist us with work and personal activities. Besides the additional benefits of these Apps, the extended use of mobile devices is currently also one of the biggest threats to sensitive business data and user privacy. Due to their mobility, smartphones and tablets are exposed to additional risks: they are connected to public and insecure networks, they are easily lost or stolen, and location services can be misused to track users. In addition, IT managers and developers usually do not yet care much about security for mobile devices and focus on trendy solutions and usability. But this carefreeness is risky because attackers, too, are aware of the lack of security measures in many mobile Apps.
As with most software, security and privacy should be considered during all stages of mobile app development. In particular, they should be verified and approved before release or installation. But until recently, an approach adapted to the specific requirements of testing the security of mobile Apps was not available. This led to the decision to develop such a method and resulted in a “Mobile Security Testing Guide”. This guide incorporates existing models for penetration testing and extends and adapts them to meet the requirements for security evaluation of mobile Apps. It includes platform-independent standard procedures and offers flexible options to adapt it to the needs of the penetration tester or customer.
This presentation will give an overview of the “Mobile Security Testing Guide”, outline differences and similarities to a conventional penetration test, and show with examples how to apply it in practice.

Speakers

Florian Stahl

Lead Consultant Information Security, msg systems ag
Florian Stahl is a German security and privacy consultant and evangelist. He holds a Master's in information systems and computer science and has CISSP and CIPT certifications. Currently Florian is Lead Consultant at msg systems in Munich. He is a regular speaker at conferences, writes...

Johannes Stroeher

msg systems ag


Thursday August 22, 2013 4:45pm - 5:30pm CEST
Großer Saal