MAST

Mobile Application Security Testing
  • The Working Group (WG) Charter is now open for peer review till 25 June 2018 (Pacific Time). Contribute HERE.
  • Subject matter experts are also welcomed to join the MAST WG by submitting your request HERE.
  • Read more about MAST on our CSA Global page HERE.

Mobile Applications are becoming an integral part of not just modern enterprises but also of human existence and a huge part of this shift is due to the emergence of cloud computing. Cloud computing has allowed for the instantaneous utilization of applications which imparts tremendous agility to the enterprise. Accompanying such convenience are risk management challenges due to a lack of transparency, leading to security concerns that include applications.
 
CSA released the Mobile Application Security Testing (MAST) whitepaper in June 2016 which defines a framework for secure mobile application development, achieving privacy and security by design. Implementation of MAST will result in clearly articulated recommendations and best practices in the use of mobile applications. Mobile application security testing and vetting processes utilized through MAST involve both static and dynamic analyses to evaluate security issues of mobile applications for platforms such as Android, iOS and Windows. These processes cover permissions, exposed communications, potentially malicious functionalities, application collusions, obfuscations, excessive power consumptions and traditional software vulnerabilities. Testing and vetting processes will also cover internal communications such as debug flag and activities, as well as external communications such as Global Positioning System (GPS), Bluetooth, Near Field Communication (NFC) and Global System for Mobile communication (GSM) accesses. Apart from mobile application security testing and vetting, a mobile application security incident response plan will also be developed.

The initiative will aim to create a safer cloud ecosystem for mobile applications by creating systematic approaches to application testing and vetting that helps integrate and introduce quality control and compliance to mobile application development and management.
 
The initiative hopes that more research into mobile application security vetting and testing will help reduce the risk and security threats that organizations and individuals expose themselves to by using mobile applications

Scope
The app security testing and vetting process uses both static and dynamic analysis to analyse the application. The testing and vetting process covers:
  • Permissions
  • Authentication and authorization
  • Exposed communications
  • Data protection (Encryption In Motion, at Rest and In Use, etc)
  • Potentially dangerous functionality
  • Application collusion
  • Code obfuscation
  • Excessive power consumption
  • Auditing and logging
  • Input validation
  • Password management
  • Application configuration
  • Access control
  • Traditional software vulnerabilities

​The testing covers the internal communications such as debug flag and activities and external communication such as GPS, NFC access as well as checking the links that is written in the source code.

In addition to security testing and vetting, the project will also develop processes and procedures for security incidence response pertaining to a mobile breach.

Goals
  • To develop a whitepaper for vetting and certification scheme based off the NIST Special Publication 800-163: Vetting the Security of Mobile Applications;
  • To develop a certification scheme for mobile application security with a maturity model;
  • To develop a vetting scheme (i.e. approval-rejection basis) for mobile applications;
  • To develop resources for addressing potential security issues or an incident during certification period.
Download June 2016 MAST Whitepaper