Tuesday, February 26, 2013

OWASP iGoat Project:

Thanks to iGoat lead developer Sean Eidemiller, it gives me great pleasure to announce the immediate release of OWASP iGoat version 2.0! See the project web site at:


for more information, or go directly to the source repository to download at:


The OWASP iGoat tool is a stand-alone iOS app (distributed solely in source code) designed to introduce iOS developers to many of the security pitfalls that plague poorly-written apps. Like its namesake, OWASP's WebGoat tool, iGoat is intended to teach software developers about these issues by stepping them through a series of exercises, each of which focuses on a single aspect of iOS security.

OWASP iGoat is an ideal tool to use in a classroom setting to teach iOS developers (and technically minded IT security staff with at least some exposure to object-oriented programming).

Exercises include many typical problem areas (and their solutions), including:
- Securing sensitive data in transit
- Securing sensitive data at rest
- Securely connecting to back-end authentication services
- Side channel data leakage (e.g., system screen shots, cut-and-paste, and keystroke logging via the autocorrection feature)
- Making use of the system keychain to store small amounts of consumer-grade sensitive data
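Two of the exercise topics above, keychain storage and autocorrection-based keystroke leakage, are small enough to illustrate in a few lines. The following is an added example written for this post; it is not code from the iGoat project. The service name `org.example.igoat-demo` and the function names are hypothetical; the Security and UIKit calls are the standard iOS APIs.

```objectivec
// Added example (not iGoat project code): keep a small secret in the iOS keychain
// and harden a credential text field so the keyboard does not learn what was typed.
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import <UIKit/UIKit.h>

// Hypothetical service identifier used to scope this app's keychain items.
static NSString * const kExampleService = @"org.example.igoat-demo";

// Query dictionary shared by add, lookup and delete.
static NSMutableDictionary *KeychainQueryForAccount(NSString *account) {
    return [@{
        (__bridge id)kSecClass:       (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService: kExampleService,
        (__bridge id)kSecAttrAccount: account,
    } mutableCopy];
}

// Store (or replace) a secret for the given account. Returns YES on success.
BOOL StoreSecret(NSString *account, NSString *secret) {
    NSMutableDictionary *query = KeychainQueryForAccount(account);
    // Remove any existing item first so SecItemAdd does not fail with errSecDuplicateItem.
    SecItemDelete((__bridge CFDictionaryRef)query);
    query[(__bridge id)kSecValueData] = [secret dataUsingEncoding:NSUTF8StringEncoding];
    // Readable only while the device is unlocked, and never migrated to another
    // device through a backup; the default accessibility class is looser than this.
    query[(__bridge id)kSecAttrAccessible] =
        (__bridge id)kSecAttrAccessibleWhenUnlockedThisDeviceOnly;
    OSStatus status = SecItemAdd((__bridge CFDictionaryRef)query, NULL);
    return status == errSecSuccess;
}

// Read the secret back; returns nil when no item exists or the lookup fails.
NSString *LoadSecret(NSString *account) {
    NSMutableDictionary *query = KeychainQueryForAccount(account);
    query[(__bridge id)kSecReturnData] = (__bridge id)kCFBooleanTrue;
    query[(__bridge id)kSecMatchLimit] = (__bridge id)kSecMatchLimitOne;
    CFTypeRef result = NULL;
    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
    if (status != errSecSuccess || result == NULL) {
        return nil;
    }
    NSData *data = (__bridge_transfer NSData *)result;
    return [[NSString alloc] initWithData:data encoding:NSUTF8StringEncoding];
}

// Configure a text field that receives a credential so the autocorrection
// dictionary does not record (and later suggest) what the user typed.
void HardenSensitiveTextField(UITextField *field) {
    field.secureTextEntry = YES;   // masks the input and suppresses keyboard suggestions
    field.autocorrectionType = UITextAutocorrectionTypeNo;
    field.autocapitalizationType = UITextAutocapitalizationTypeNone;
}
```

The keychain is the right place for a password or session token, not NSUserDefaults or a plist, which are stored in the app container in the clear. The `ThisDeviceOnly` accessibility class is the conservative choice for consumer-grade secrets that do not need to survive a restore onto a different device.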

New to version 2.0:

- iGoat is now a true Universal app, so it builds and runs on iPhones, iPod Touches, as well as iPads. Full screen views are supported on all of these devices. (It also runs on the iPhone simulator included with Xcode, of course -- which is ideal for a classroom environment.)

- A few "behind the scenes" improvements were made to the iGoat platform itself, making it easier to work with and develop new exercises. These include:
  o Storyboards for main screen navigation.
  o ARC support for object memory management.

- General code clean-ups.


To build and run iGoat, you'll need a Mac running OS X (real or virtual machine) with Xcode installed. iGoat was built for Mountain Lion, but should run fine on any OS X newer than Snow Leopard. We recommend the latest Xcode; iGoat itself was built with Xcode version 4.6. Similarly, iGoat was built on iOS 6.1, but should be backwards compatible with at least version 5.x.

We invite the OWASP community to download and try iGoat, and we welcome your suggestions for improvements. We're always looking for willing participants to contribute to the project as well!


Ken van Wyk
OWASP iGoat Project Leader
