
1 Copyright 2007 © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation, http://www.owasp.org. An Introduction to The OWASP iGoat Project. Jason Haddix, Jason.haddix@hp.com. Education Project.

2 About iGoat
 Project Author: Kenneth R. van Wyk (KRVW Associates)
 OWASP Page: https://www.owasp.org/index.php/OWASP_iGoat_Project
 iGoat is a learning tool for iOS developers (and testers) that emulates real security vulnerabilities in iPhone and iPad apps. It was inspired by the WebGoat project and follows a similar conceptual flow.

3 About iGoat
 As such, iGoat is a safe environment where iOS developers can learn about the major security pitfalls they face, as well as how to avoid them. It is made up of a series of lessons that each teach a single (but vital) security lesson.
 Similar to WebGoat, the user is presented with a series of lessons covering numerous vulnerabilities associated with iOS apps. The student first exploits each vulnerability to validate that it exists, and then implements a remediation in the lesson's source code.

4 Lessons
 The lessons follow OWASP's classification of mobile vulnerabilities:

5 Example Lesson: M1 – Insecure Data Storage

6 Example Lesson: M1 – Insecure Data Storage

7 Other Lessons
 Data Protection (Transit)
 Authentication

8 Other Lessons
 Data Protection (Rest)
 Injection Flaws

9 Demo
 Demo Time!

10 Wrap Up
 iGoat is built in a modular way, so if you have experience developing for iOS you can contribute to the project.
 Please use the project to further your own knowledge of application security vulnerabilities on iPhone.
 For questions feel free to contact:
 Jason.haddix@hp.com
 ken@krvw.com

