Merge pull request #1395 from OWASP/release_notes_113_oss

Release notes 113 oss
OWASP · Aug 2, 2019 · 8ff17cb · 8ff17cb
2 parents 189123f + 92aa82a
commit 8ff17cb
Show file tree

Hide file tree

Showing 5 changed files with 43 additions and 7 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,41 @@
 
 This document is automatically generated at {{gitbook.time}}
 
+## 1.1.3 (WIP)
+
+- Updated contributorlist, with 2 new co-authors.
+- Translated various parts into Japanese.
+- A large restructuring of the general testing, platform specific testing and reverse-engineering chapters.
+- Updated description of many tools: Adb, Angr, APK axtractor, Apkx, Burp Suite, Drozer, ClassDump(Z/etc), Clutch, Drozer, Frida, Hopper, Ghidra, IDB, Ipa Installer, iFunBox, iOS-deploy, KeychainDumper, Mobile-Security-Framework, Nathan, Needle, Objection, Magisk, PassionFruit, Radare 2, Tableplus, SOcket CAT, Xposed, and others.
+- Updated most of the iOS hacking/verification techniques using iOS 12 or 11 as a base instead of iOS 9/10.
+- Removed tools which were no longer updated, such as introspy-Android and AndBug.
+- Added missing MASVS references from version 1.1.4: v1.X, V3.5, V5.6, V6.2-V6.5, V8.2-V8.6.
+- Rewrote device-binding explanation and testcases for Android.
+- Added parts on testing unmanaged code in Objective-C, Java, and C/C++.
+- Applied many spelling, punctuation and style-related fixes.
+- Updated many cryptography related parts.
+- Added testaces for upgrade-mechanism verification for apps.
+- Updated Readme, Code of Conduct, Contribution guidelines, verification, funding link, and generation scripts.
+- Added ISBN as the book is now available at Hulu.
+- Added various fixes for the .epub format.
+- Added testcases on Android and iOS backup verification.
+- Improved key-attestation related explanation for Android.
+- Restructured OWASP Mobile Wiki.
+- Removed Yahoo Weather app and simplified reference on using SQL injection.
+- Improve explanation for iOS app sideloading to include various available methods.
+- Added explanation on using ADB and device shell for Android.
+- Added explanation on using device shell for iOS.
+- Provided comparison for using emulators/simulators and real devices for iOS/Android.
+- Fixed Uncrackable Level 3 for Android.
+- Improved explanation on how to exfiltrate data and apps on iOS 12 and Android 8.
+- Improved/updated explanation on SSL-pinning.
+- Added list of adopters of the MASVS/MSTG.
+- Updated English, Japanese, French and Spanish checklists to be compatible with MSTG 1.1.2.
+- Added a small write-up on Adiantum for Google.
+- Added MSTG-ID to the paragraphs to create a link between MSTG paragraphs and MASVS requirements.
+- Added review criteria for Android instant apps and guidance for app-bundle evaluation.
+- Clarified the differences between various methods of dynamic analysis.
+
 ## 1.1.2 12 May 2019
 
 - Added missing mappings for MASVS V1.X.

diff --git a/Document/0x04h-Testing-Code-Quality.md b/Document/0x04h-Testing-Code-Quality.md
@@ -171,7 +171,7 @@ Sergey Bobrov was able to take advantage of this in the following [HackerOne rep
 
   ```kotlin
   val i = Intent()
-  i.component = ComponentName("com.quora.android", 
+  i.component = ComponentName("com.quora.android",
   "com.quora.android.ActionBarContentActivity")
   i.putExtra("url", "http://test/test")
   i.putExtra("html", "XSS PoC <script>alert(123)</script>")

diff --git a/Document/0x05a-Platform-Overview.md b/Document/0x05a-Platform-Overview.md
@@ -54,28 +54,29 @@ Android supports device encryption from 2.3.4 version and it has undergone some
 
 ##### Full-Disk Encryption
 
-Android 5.0 and above support full-disk encryption. This encryption uses a single key protected by the users' device password to encrypt and decrypt the userdata partition. This kind of encryption is now considered deprecated and file-based encryption should be used whenever possible. Full-disk encryption has drawbacks, such as not being able to receive calls or not having operative alarms after a reboot if the user does not enter his password. 
+Android 5.0 and above support full-disk encryption. This encryption uses a single key protected by the users' device password to encrypt and decrypt the userdata partition. This kind of encryption is now considered deprecated and file-based encryption should be used whenever possible. Full-disk encryption has drawbacks, such as not being able to receive calls or not having operative alarms after a reboot if the user does not enter his password.
 
 ##### File-Based Encryption
 
 Android 7.0 supports file-based encryption. File-based encryption allows different files to be encrypted with different keys so they can be deciphered independently. Devices which support this type of encryption support Direct Boot as well. Direct Boot enables the device to have access to features such as alarms or accessibility services even if the user does not enter his password.
 
-##### Adiantum 
+##### Adiantum
 
 AES is used on most modern Android devices for storage encryption. Actually, AES has become such a widely used algorithm that the most recent processor implementations have a dedicated set of instructions to provide hardware accelerated encryption and decryption operations, such as ARMv8 with its Cryptography Extensions or x86 with AES-NI extension.
 However, not all devices are capable of using AES for storage encryption in a timely fashion. Especially low-end devices running Android Go. These devices usually use low-end processors, such as the ARM Cortex-A7 which don't have hardware accelerated AES.
 
 Adiantum is a cipher construction designed by Paul Crowley and Eric Biggers at Google to fill the gap for that set of devices which are not able to run AES at least at 50 MiB/s. Adiantum relies only on additions, rotations and XORs; these operations are natively supported on all processors. Therefore, the low-end processors can encrypt 4 times faster and decrypt 5 times faster than they would if they were using AES.
 
-Adiantum is a composition of other ciphers: 
+Adiantum is a composition of other ciphers:
+
 - NH: A hashing function.
 - Poly1305: A message authentication code (MAC).
 - XChaCha12: A stream cipher.
 - AES-256: A single invocation of AES.
 
 Adiantum is a new cipher but it is secure, as long as ChaCha12 and AES-256 are considered secure. Its designers didn't create any new cryptographic primitive, instead they relied on other well-known and thoroughly studied primitives to create a new performant algorithm.
 
-Adiantum is available for Android 9 and higher versions. It is natively supported in Linux kernel 5.0 and onwards, while kernel 4.19, 4.14 & 4.9 need patching. 
+Adiantum is available for Android 9 and higher versions. It is natively supported in Linux kernel 5.0 and onwards, while kernel 4.19, 4.14 & 4.9 need patching.
 Android does not provide an API to application developers to use Adiantum; this cipher is to be taken into account and implemented by ROM developers or device vendors, which want to provide full disk encryption without sacrificing performance on low-end devices. At the moment of writing there is no public cryptographic library that implements this cipher to use it on Android applications.
 It should be noted that AES runs faster on devices having the AES instruction set. In that case the use of Adiantum is highly discouraged.
 

diff --git a/Document/0x05b-Basic-Security_Testing.md b/Document/0x05b-Basic-Security_Testing.md
@@ -951,7 +951,7 @@ You can print the class names and their methods with the r2 command `ic` (_infor
 ```shell
 [0x000009c8]> ic
 ...
-0x0000073c [0x00000958 - 0x00000abc]    356 class 5 Lsg/vantagepoint/uncrackable1/MainActivity 
+0x0000073c [0x00000958 - 0x00000abc]    356 class 5 Lsg/vantagepoint/uncrackable1/MainActivity
                                                                             :: Landroid/app/Activity;
 0x00000958 method 0 pC   Lsg/vantagepoint/uncrackable1/MainActivity.method.<init>()V
 0x00000970 method 1 P    Lsg/vantagepoint/uncrackable1/MainActivity.method.a(Ljava/lang/String;)V

diff --git a/Document/0x06i-Testing-Code-Quality-and-Build-Settings.md b/Document/0x06i-Testing-Code-Quality-and-Build-Settings.md
@@ -82,7 +82,7 @@ Gobjdump is part of [binutils](https://www.gnu.org/s/binutils/ "Binutils") and c
 
 Make sure that debugging symbols are stripped when the application is being built for production. Stripping debugging symbols will reduce the size of the binary and increase the difficulty of reverse engineering. To strip debugging symbols, set `Strip Debug Symbols During Copy` to `YES` via the project's build settings.
 
-A proper [Crash Reporter System](https://developer.apple.com/library/content/documentation/IDEs/Conceptual/AppDistributionGuide/AnalyzingCrashReports/AnalyzingCrashReports.html "Crash Reporter System) is possible because the system doesn't require any symbols in the application binary.
+A proper [Crash Reporter System](https://developer.apple.com/library/content/documentation/IDEs/Conceptual/AppDistributionGuide/AnalyzingCrashReports/AnalyzingCrashReports.html "Crash Reporter System") is possible because the system doesn't require any symbols in the application binary.
 
 #### Dynamic Analysis