iGoat is a learning tool for iOS developers (iPhone, iPad, etc.) and mobile app pentesters. It was inspired by the WebGoat project, and has a similar conceptual flow to it.
As such, iGoat is a safe environment where iOS developers can learn about the major security pitfalls they face as well as how to avoid them. It is made up of a series of lessons, each of which teaches a single (but vital) security lesson in four steps:
1. Brief introduction to the problem.
2. Verify the problem by exploiting it.
3. Brief description of available remediations to the problem.
4. Fix the problem by correcting and rebuilding the iGoat program.
Step 4 is optional, but highly recommended for all iOS developers. Assistance is available within iGoat if you don't know how to fix a specific problem.
Page - https://www.owasp.org/index.php/OWASP_iGoat_Tool_Project
Project Leader - Swaroop Yermalkar (@swaroopsy)
Twitter - (@OWASPiGoat)
Lead Developer - Anthony Gonsalves
- Reverse Engineering
  - String Analysis
- Data Protection (Rest)
  - Local Data Storage (SQLite)
  - Plist Storage
  - Keychain Usage
  - NSUserDefaults Storage
- Data Protection (Transit)
  - Server Communication
  - Public Key Pinning
- Authentication
  - Remote Authentication
- Side Channel Data Leaks
  - Device Logs
  - Cut-and-Paste
  - Backgrounding
  - Keystroke Logging
- Tampering
  - Method Swizzling
- Injection Flaws
  - SQL Injection
  - Cross Site Scripting
- Broken Cryptography
- Key Management
- Adding new exercises
- Testing iGoat and reporting any issues
- Suggesting new attacks
- Writing blog posts / articles about iGoat
- Spreading the word about iGoat :)
To contribute to the iGoat project, please contact Swaroop ( [email protected] or @swaroopsy )
- Anthony Gonsalves
- Junard Lebajan (@junard)
- Ken van Wyk
- Jonathan Carter
- Heefan
- Bernhard Mueller
- Sagar Popat
- Chandrakant Nial
- masbog
- Cheena Kathpal
- Matt Tesauro