App
V1.2
107 05
104 4 App V1.0
105 10 App V1.1
107 5 App V1.2
1. .......................................................................................................................... 1
2. .................................................................................................................. 2
3. .............................................................................................................. 3
3.1. Mobile Application ....................................................... 3
3.2. Application Store .................................................. 3
3.3. Personal Data ........................................................................ 3
3.4. Secure Sensitive Data ............................................... 3
3.5. Password ................................................................................... 3
3.6. Transaction Resource ............................................................ 4
3.7. Session Identification, Session ID .................................... 4
3.8. Server Certificate .............................................................. 4
3.9. Certificate Authority ............................................................. 4
3.10. Malicious Code ............................................................... 4
3.11. Vulnerability ................................................................ 4
3.12. Library ..................................................................................... 4
3.13. Code Injection ..................................................................... 5
3.14. Mobile Operating System ........................................... 5
3.15. Mobile Resource ......................................................... 5
3.16. In-App Update ............................................ 5
3.17. Common Vulnerabilities and Exposures ................. 5
3.18. Weak Cryptographic Algorithm .............................. 5
3.19. Known Vulnerabilities ............................................ 5
3.20. Authentication ..................................................................... 5
3.21. Advanced Encryption Standard .............................. 5
3.22. Triple Data Encryption Standard .................... 6
3.23. Elliptic Curve Cryptography ................................... 6
3.24. Certificate Pinning .............................................................. 6
3.25. Hash ............................................................................................ 6
3.26. Obfuscation ................................................................................. 6
3.27. Using Secure Sensitive Data ......................... 6
3.28. Log File ............................................................................. 6
3.29. Device Identifier ........................................................... 6
3.30. (Cache Files or Temporary Files) .............................................. 7
3.31. Configuration File ................................................................... 7
3.32. Encode ......................................................................................... 7
3.33. Decode ........................................................................................ 7
3.34. Payload ........................................................................................ 7
3.35. Collecting Secure Sensitive Data .................... 7
3.36. Storing Secure Sensitive Data ......................... 7
3.37. Common Vulnerability Scoring System ............. 8
3.38. (Secure Random Number Generator) ....................... 8
3.39. (Secure Domain) ....................................................................... 8
3.40. (Secure Encryption Function) ........................................... 8
4. .................................................................................................................. 9
4.1. ....................................................... 9
4.1.1. .................................................................... 9
4.1.2. ........................................................................ 9
4.1.3. .......................................................................... 11
4.1.4. .............. 11
4.1.5. ...................................................................... 12
4.2. ............................................................. 12
5. ................................................................................................ 14
6. ................................................................................................................ 15
Open Web Application Security Project (OWASP) ............................................ 15
Cloud Security Alliance (CSA) ........................................................................... 15
..................................................................................................................... 15
..................................................................................................................... 15
..................................................................................................................... 15
..................................................................................................................... 16
............................................................................................................. 16
............................................................................................................. 16
............................................................. 17
......................................................................... 23
1.
Mobile Application, App
App
103 6 24
26 App
App 107 5 V1.2
App
App App
App App
App
2.
1 2
1
2
3.
3.1. Mobile Application
3.2. Application Store
3.3. Personal Data
International Mobile Equipment Identity, IMEI
International Mobile Subscriber Identity, IMSI
3.4. Secure Sensitive Data
3.3
3.5. Password
3.6. Transaction Resource
App
QRcode App
App
App
App App
3.7. Session Identification, Session ID
3.8. Server Certificate
3.9. Certificate Authority
3.10. Malicious Code
3.11. Vulnerability
3.12. Library
Function
Object Binary code
3.13. Code Injection
Command Injection SQL Injection
3.14. Mobile Operating System
3.15. Mobile Resource
3.16. In-App Update
3.17. Common Vulnerabilities and Exposures
CVE
3.18. Weak Cryptographic Algorithm
CVE
3.19. Known Vulnerabilities
CVE
3.20. Authentication
3.21. Advanced Encryption Standard
National Institute of Standards and Technology, NIST 2001 AES Advanced Encryption Standard
FIPS PUB 197 2002 AES
128 Data Block, 128 192 256 Key Size, AES Round Number
3.22. Triple Data Encryption Standard
Triple Data Encryption Standard 64
3.23. Elliptic Curve Cryptography
1985 Neal Koblitz Victor Miller
3.24. Certificate Pinning
3.25. Hash
3.26. Obfuscation
3.27. Using Secure Sensitive Data
3.28. Log File
3.29. Device Identifier
International Mobile Equipment Identity, IMEI
Mobile Equipment Identifier, MEID
International Mobile Subscriber Identity, IMSI
Integrated Circuit Card Identifier, ICCID
Media Access Control Address, MAC address
Android Identifier, Android ID (Android)
Advertising ID, AID
iOS Identifier for Advertisers, IFAID
Windows Phone Device ID
3.30. (Cache Files or Temporary Files)
3.31. Configuration File
3.32. Encode
3.33. Decode
3.34. Payload
3.35. Collecting Secure Sensitive Data
3.36. Storing Secure Sensitive Data
3.37. Common Vulnerability Scoring System
CVSS IT
National Infrastructure Advisory Council, NIAC; Forum of Incident Response and Security Teams, FIRST 3
3.38. (Secure Random Number Generator)
ANSI X9.17
3.39. (Secure Domain)
Facebook Google Twitter OAuth 2.0
3.40. (Secure Encryption Function)
FIPS 140-2 Annex A
4.
4.1.
4.1.1.
4.1.1.1.
4.1.1.2.
4.1.1.3.
4.1.2.
4.1.2.1.
4.1.2.2.
4.1.2.3.
4.1.2.4.
4.1.2.5.
4.1.2.6.
4.1.3.
4.1.3.1.
4.1.3.2.
4.1.4.
4.1.4.1.
4.1.4.2.
4.1.5.
4.1.5.1.
4.1.5.2.
4.1.5.3.
4.1.1.
4.1.5.4.
4.2.
4.2.1.
4.2.2.
Web Service
4.2.2.1. Webview
Webview
Webview
5.
6.
Open Web Application Security Project (OWASP)
[1] Mobile App Security Checklist 0.9.3, https://www.owasp.org/index.php/OWASP_Mobile_Security_Testing_Guide, 2017
Cloud Security Alliance (CSA)
[2] Mobile Application Security Testing Initiative, https://www.csaapac.org/mast.html, 2016
[3] Vetting the Security of Mobile Applications, NIST Special Publication 800-163, http://dx.doi.org/10.6028/NIST.SP.800-163, 2015
[4] Cryptographic Algorithm Validation Program (CAVP), http://csrc.nist.gov/groups/STM/cavp/, NIST
[5] Cryptographic Module Validation Program (CMVP), http://csrc.nist.gov/groups/STM/cmvp/, NIST
[6] Government Mobile and Wireless Security Baseline, Federal CIO Council, https://cio.gov/wp-content/uploads/downloads/2013/05/Federal-Mobile-Security-Baseline.pdf, 2013
[7] Smartphone Secure Development Guidelines, https://www.enisa.europa.eu/publications/smartphone-secure-development-guidelines-2016, ENISA, 2017
[8] YD/T 2407-2013, 2013
[9] YD/T 2408-2013, 2013
[10] Security Guideline for using Smartphones and Tablets - Advantages for work style innovation - [Version 1], https://www.jssec.org/dl/guidelines2012Enew_v1.0.pdf, JSSEC, 2011
[11] ISO/IEC 27001:2013 (Information security management)
[12] ISO/IEC 20000:2011 (Information technology - Service management)
[13] ISO/IEC 19790:2012 (Information technology - Security techniques - Security requirements for cryptographic modules)
[14] ISO/IEC 15408:2009 (Information technology - Security techniques - Evaluation criteria for IT security)
[15] ISO/IEC 14598:2001 (Information technology - Software product evaluation)
[16] ISO/IEC TR 9126-4:2004 (Software engineering - Product quality)
[17] 104 12 30
[18] 105 3 2
Columns: OWASP | NIST [1] | ENISA [2] | YD/T 2407-2013 [3]

4.1.1.1.
  OWASP: N/A
  NIST [1]: Executive Summary
  ENISA [2]: 9. Secure software distribution
  YD/T 2407-2013 [3]: 5.5.2

4.1.1.2.
  OWASP: N/A
  NIST [1]: Executive Summary
  ENISA [2]: 9. Secure software distribution
  YD/T 2407-2013 [3]: 5.5.4

4.1.1.3.
  OWASP: N/A
  NIST [1]: Executive Summary
  ENISA [2]: 9. Secure software distribution
  YD/T 2407-2013 [3]: 5.5.4

4.1.2.1.
  OWASP: N/A
  NIST [1]: 4. Mobile App Evaluation - Privacy and Personally Identifiable Information
  ENISA [2]: 1. Identify and protect sensitive data
  YD/T 2407-2013 [3]: 5.5.4

4.1.2.2.
  OWASP: V2.1: Verify that system credential storage facilities are used appropriately to store sensitive data, such as user credentials or cryptographic keys
  NIST [1]: 4. Mobile App Evaluation - Privacy and Personally Identifiable Information
  ENISA [2]: 1. Identify and protect sensitive data
  YD/T 2407-2013 [3]: 5.5.4, 5.6.2

4.1.2.3.
  OWASP: V2.1: Verify that system credential storage facilities are used appropriately to store sensitive data, such as user credentials or cryptographic keys
  NIST [1]: 4. Mobile App Evaluation - Protect Sensitive Data
  ENISA [2]: 1. Identify and protect sensitive data on the mobile device
  YD/T 2407-2013 [3]: 5.6.3

4.1.2.4.
  OWASP: V2.6: Verify that no sensitive data is exposed via IPC mechanisms
  NIST [1]: 4. Mobile App Evaluation - Protect Sensitive Data
  ENISA [2]: 4. Ensure sensitive data protection in transit
  YD/T 2407-2013 [3]: 5.5.4, 5.6.2

4.1.2.5.
  OWASP: V2.3: Verify that no sensitive data is shared with third parties unless it is a necessary part of the architecture
  NIST [1]: 4. Mobile App Evaluation - Preserve Privacy
  ENISA [2]: 1. Identify and protect sensitive data on the mobile device
  YD/T 2407-2013 [3]: 5.6.2

4.1.2.6.
  OWASP: V2.1: Verify that system credential storage facilities are used appropriately to store sensitive data, such as user credentials or cryptographic keys
  NIST [1]: N/A
  ENISA [2]: 1. Identify and protect sensitive data on the mobile device
  YD/T 2407-2013 [3]: 5.6.4

4.1.3.1.
  OWASP: V4.9: Verify that step-up authentication is required to enable actions that deal with sensitive data or transactions
  NIST [1]: N/A
  ENISA [2]: 8. Protect paid resources
  YD/T 2407-2013 [3]: 5.5.4

4.1.3.2.
  OWASP: V4.9: Verify that step-up authentication is required to enable actions that deal with sensitive data or transactions
  NIST [1]: N/A
  ENISA [2]: 8. Protect paid resources
  YD/T 2407-2013 [3]: 5.5.4

4.1.4.1.
  OWASP: V4.1: Verify that if the app provides users with access to a remote service, an acceptable form of authentication such as username/password authentication is performed at the remote endpoint
  NIST [1]: 4. Mobile App Evaluation - Privacy and Personally Identifiable Information
  ENISA [2]: 3. Handle authentication and authorization factors securely on the device correctly
  YD/T 2407-2013 [3]: 5.6.2

4.1.4.2.
  OWASP: V5.4: Verify that the app either uses its own certificate store, or pins the endpoint certificate or public key, and subsequently does not establish connections with endpoints that offer a different certificate or key, even if signed by a trusted CA
  NIST [1]: 4. Mobile App Evaluation - Network Events
  ENISA [2]: 2. User authentication, authorization and session management
  YD/T 2407-2013 [3]: 5.5.4

4.1.5.1.
  OWASP: V1.7: Verify that a threat model for the mobile app and the associated remote services, which identifies potential threats and countermeasures, has been produced
  NIST [1]: 4. Mobile App Evaluation: Malicious Functionality, Malware Detection, Communication with Known Disreputable Sites, Libraries Loaded
  ENISA [2]: 6. Secure data integration with third party code; 10. Handle runtime code interpretation
  YD/T 2407-2013 [3]: 5.5.4

4.1.5.2.
  OWASP: V7.2: Verify that the app has been built in release mode, with settings appropriate for a release build (e.g. non-debuggable)
  NIST [1]: 4. Mobile App Evaluation - Classes Loaded
  ENISA [2]: N/A
  YD/T 2407-2013 [3]: 5.5.4

4.1.5.3.
  OWASP: V1.2: Verify all third party components used by the mobile app, such as libraries and frameworks, are identified, and checked for known vulnerabilities
  NIST [1]: 4. Mobile App Evaluation: Native Methods, Libraries Loaded
  ENISA [2]: 6. Secure data integration with third party code
  YD/T 2407-2013 [3]: 5.5.4

4.1.5.4.
  OWASP: V6.2: Verify that all inputs from external sources and the user are validated and if necessary sanitized. This includes data received via the UI, IPC mechanisms such as intents, custom URLs, and network sources
  NIST [1]: 4. Mobile App Evaluation - Input Validation
  ENISA [2]: 10. Handle runtime code interpretation
  YD/T 2407-2013 [3]: 5.5.4

4.2.2.1. Webview
  OWASP: N/A
  NIST [1]: N/A
  ENISA [2]: N/A
  YD/T 2407-2013 [3]: N/A

[1] Vetting the Security of Mobile Applications, NIST Special Publication 800-163, http://dx.doi.org/10.6028/NIST.SP.800-163, 2015
[2] Smartphone Secure Development Guidelines, https://www.enisa.europa.eu/publications/smartphone-secure-development-guidelines-2016, ENISA, 2017
[3] YD/T 2407-2013, 2013
4.1.1.1. 1 2
4.1.1.2. 3
4 4.1.1.3. 5
6 4.1.2.1. 7
4.1.2.2. 8
9
10
4.1.2.3. 11
12 13
14
15
16
17 18
4.1.2.4. 19
4.1.2.5. 20
21
4.1.2.6. 22
4.1.3.1. 23
4.1.3.2. 24 25
4.1.4.1. 26
4.1.4.2. 27
28 29
30
4.1.5.1.
31 32
4.1.5.2. 33
4.1.5.3. 34
4.1.1. 4.1.5.4. 35
4.2.2.1. Webview 36 Webview
37 Webview