logo
allArticlesConferencesPresentations

Creating an IoT-connected Mobile App Compliance Program Leveraging OWASP MASVS

Conference:  OWASP 20th Anniversary Event

2021-09-24

Authors:   Brian Reed

Summary

The presentation discusses the creation of a certification and testing regime for IoT connected mobile apps and VPNs using the 20 years of history and documentation of OWASP.
  • Mobile apps dominate usage in the market and have security vulnerabilities.
  • The OAuth Mobile Project was created to address mobile app security issues.
  • The prevalence of insecure data storage and network connections in mobile apps is similar to cross-site scripting in web apps.
  • The IOXT organization created a standard for certifying the security of IoT devices and expanded to include mobile connected apps.
  • The 20 years of history and documentation of OWASP were used to create a certification and testing regime for IoT connected mobile apps and VPNs.
  • The speaker's company is a financial sponsor of the OAuth Mobile Project and participates in creating tools and standards for mobile app security.
The speaker has been involved in mobile security since the days of Blackberry and has partnered with Apple and Google. Mobile apps have become a significant part of the digital economy, with 130 billion apps downloaded during the pandemic alone. However, 85% of all apps have security vulnerabilities, with insecure data storage and network connections being the most prevalent issues. The OAuth Mobile Project and IOXT were created to address these issues and provide certification and testing regimes for mobile app security.

Abstract

Abstract:​The OWASP MASVS specification is the ultimate guide for mobile app security. In late 2020, Google, NowSecure, Amazon and other IoT device manufacturers as part of the ioXt Alliance partnered to create a mobile app protection profile specifically for security certification of mobile apps connected to IoT devices. From the start, the team of security veterans, who were well versed in the OWASP MASVS, sought to build upon the OWASP community work - with a specific focus on the unique needs of IoT-connected mobile apps. The outcome of this fast work launched in April 2021 with numerous IoT manufacturers already certified. Join this session led by Brooke Davis, Google Android Security Team and Brian Reed, Chief Mobility Officer at NowSecure to learn the inside story about the journey of creating this unique certification program and how to create your own security testing program for mobile apps connected to things.​​​
Materials:
Tags:
IoT
Mobile App Security
OWASP MASVS
Certification
security testing

Post a comment

Related work

“Mobile Wanderlust”! Our journey to Version 2.0!

Conference:  Global AppSec Dublin 2023
Authors: Sven Schleier
2023-02-16

“Mobile Wanderlust”! Our journey to Version 2.0!

Conference:  Global AppSec San Francisco 2022
Authors: Sven Schleier
2022-11-18

Design Pitfalls in Commercial Mini-Programs on Android and iOS

Conference:  BlackHat EU 2020
Authors:
2020-12-09

Removing Secrets to Make Your Mobile Apps More MASVS-Secure

Conference:  Global AppSec Dublin 2023
Authors: Skip Hovsmith
2023-02-16

Revisiting Stealthy Sensitive Information Collection from Android Apps

Conference:  Black Hat Asia 2023
Authors: Guangdong Bai, Qing Zhang, Guangshuai Xia
2023-05-11

Building the Hacker Tracker

Conference:  Defcon 26
Authors:
2018-08-01