Mobile applications vulnerabilities testing model


Date

2020

Publisher

Institute of Special Communication and Information Protection of National Technical University of Ukraine “Igor Sikorsky Kyiv Polytechnic Institute”

Abstract

The process of testing vulnerabilities in mobile software applications has been analysed. This work is motivated by the need to prevent violations of the confidentiality, integrity and availability of information, properties whose preservation benefits both individual users and the state as a whole. In practice, however, vulnerability testing is mostly neglected in favour of functional testing, and the known approaches to testing vulnerabilities of mobile software applications focus on only one side: either the server or the client. At the same time, the applicability of international standards for testing vulnerabilities in mobile software applications has been established. A characteristic feature of these guidelines is their reliance on the OWASP methodology, which defines the rating of the most critical vulnerabilities, standard and test scenarios, and tools for determining the level of security; these are summarised in the OWASP Mobile TOP 10, OWASP MASVS and OWASP MSTG recommendations. According to OWASP MSTG, vulnerabilities in mobile software applications are tested against the requirements of OWASP MASVS. These documents consist of three parts: general, Android and iOS. They also define common scenarios for each level of vulnerability testing of mobile software applications, as stated in MASVS. The security level of a mobile software application is determined from the test results, each of which is one of the following: the test has been passed, the test has not been passed, or the test is not applicable to the mobile software application. However, the practical use of the OWASP methodology is complicated by its focus on the client side of mobile software applications and by the subjectivity of the choice of testing stages and their sequence. To overcome these limitations, a model for testing vulnerabilities in mobile software applications has been developed.
A dependency graph is used to codify this procedure. This makes it possible to determine the stages of vulnerability testing for both the client and the server parts. In addition, it helps to justify which testing stages to choose, their order, and the appropriate tools. This justification is accomplished by building dependency relationships between the stages; an example of such a relationship is "the execution of the next stage is preceded by the execution of the previous one". The obtained results are demonstrated on the example of SSL pinning vulnerability testing.

Keywords

mobile application, vulnerability, MASVS, OWASP, Android, vulnerabilities testing model, dependency graph, mobile software application, vulnerability, vulnerability testing model, dependency graph

Bibliographic description

Antonishyn, M. Mobile applications vulnerabilities testing model / Mykhailo Antonishyn // Information Technology and Security. – 2020. – Vol. 8, Iss. 1 (14). – Pp. 49–57. – Bibliogr.: 18 ref.