OWASP Mobile Top 10 Risks
A PowerPoint version of the slides and notes are available here: http://stratigossecurity.com/2013/07/14/owasp-mobile-security-project-top-10-risks-presentation/

OWASP Top 10 Mobile Risks
M1 Insecure Data Storage
M2 Weak Server Side Controls
M3 Insufficient Transport Layer Protection
M4 Client Side Injection
M5 Poor Authorization and Authentication
M6 Improper Session Handling
M7 Security Decisions Via Untrusted Inputs
M8 Side Channel Data Leakage
M9 Broken Cryptography
M10 Sensitive Information Disclosure

Creative Commons - Attribution licensed - Beau Woods - @beauwoods

Published in: Technology, Business

Transcript

Slides 1-4, 10, 13, 18 and 19 carry no notes.

  • 5. Path: collected and uploaded personal information. Concur: stored password in plain text.
  • 6. Recommendation for future versions: expand to specific risks.
  • 7. Google Wallet: NFC MITM. PayPal: failure to validate certificates. Apple iOS App Store: MITM led to circumventing purchases.
  • 8. Recommendation for future versions: improve or eliminate.
  • 9. Dropbox: used only a unique ID to authenticate, no password required; a password reset therefore doesn't protect assets. Audible: used the plaintext password to authenticate and sent it with the HTTP GET method. OOB (out-of-band factors): remember, mobile devices can potentially intercept phone calls, SMS and email, so a second factor delivered to the same device is not independent of it.
  • 11. Recommendation for future versions: improve or eliminate.
  • 12. Android: information sent to advertisers (http://news.techeye.net/mobile/many-android-apps-send-your-private-information-to-advertisers). Apple: collected and stored mobile tower data; called before US Congress to answer questions. Audible: stored the URL with the password in a logfile, and because it was a GET request the same URL was also stored in the web server log. Recommendation for future versions: consider combining with M10; consider incorporating the idea of collecting unnecessary but potentially sensitive or private information.
  • 14. Recommendation for future versions: consider combining with M8.
  • 15. http://www.secureworks.com/cyber-threat-intelligence/advisories/SWRX-2011-002/
  • 16. http://www.secureworks.com/cyber-threat-intelligence/advisories/SWRX-2011-004/
  • 17. http://stratigossecurity.com/2012/10/03/security-advisory-ustream-mobile-application/
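Slides 9 and 12 describe one failure from two sides: a client that sends the password in an HTTP GET query string, and the server access log (plus the app's own logfile) that then records that URL. The following is an added example, not code from the presentation or from any of the apps named in it; the log lines, URLs, hostnames and parameter names are constructed for illustration, and the request dict returned by `build_login_request` is a hypothetical shape, not a real HTTP client's API. It scans combined-format access log lines for credentials carried in query strings, redacts them so the URL can be logged, and shows the client-side shape that avoids the problem in the first place: credentials in a POST body, over HTTPS only.

```python
"""Credentials in URLs: find them in access logs, redact them, and build
requests that never put them there.

Added example, not part of the original presentation. The log lines, URLs
and parameter names below are constructed for illustration.
"""
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query parameter names that must never appear in a URL: URLs land in server
# access logs, proxy logs, app/browser history and Referer headers.
# (Assumption: extend this set with the parameter names your own app uses.)
SENSITIVE_PARAMS = {
    "password", "passwd", "pwd", "pass", "token", "access_token",
    "secret", "api_key", "apikey", "session", "sessionid", "sid",
}

# Request line inside an Apache/nginx "combined" access-log entry:
# ... "GET /path?query HTTP/1.1" ...
REQUEST_LINE_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log lines (not real traffic).
LOG_LINES = [
    '10.0.0.5 - - [14/Jul/2013:10:01:22 +0000] "GET /api/login?user=alice&password=hunter2 HTTP/1.1" 200 512 "-" "ExampleApp/1.0"',
    '10.0.0.7 - - [14/Jul/2013:10:01:40 +0000] "POST /api/login HTTP/1.1" 200 512 "-" "ExampleApp/1.0"',
    '10.0.0.9 - - [14/Jul/2013:10:02:03 +0000] "GET /api/library?sessionid=abc123&page=2 HTTP/1.1" 200 2048 "-" "ExampleApp/1.0"',
    'garbage line that is not an access-log entry',
]


def sensitive_params_in_url(url):
    """Return the names of sensitive query parameters in `url`, in order of appearance.

    Works for absolute URLs and for bare request targets such as "/login?x=y".
    Matching is case-insensitive on the name; the original spelling is returned.
    """
    query = urlsplit(url).query
    return [name for name, _ in parse_qsl(query, keep_blank_values=True)
            if name.lower() in SENSITIVE_PARAMS]


def scan_access_log(lines):
    """Return (line_no, method, target, leaked_params) for each request whose URL carries a credential."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        match = REQUEST_LINE_RE.search(line)
        if not match:
            continue  # not a request line; skip malformed input instead of crashing
        leaked = sensitive_params_in_url(match.group("target"))
        if leaked:
            findings.append((line_no, match.group("method"), match.group("target"), leaked))
    return findings


def redact_url(url):
    """Replace the values of sensitive query parameters so the URL is safe to write to a log."""
    parts = urlsplit(url)
    pairs = [(name, "REDACTED" if name.lower() in SENSITIVE_PARAMS else value)
             for name, value in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def build_login_request(endpoint, username, password):
    """Describe a login request that keeps the password out of the URL and off cleartext HTTP.

    Returns a dict a caller would hand to its HTTP client (hypothetical shape; no network I/O here).
    Raises ValueError for the two mistakes the slides describe: plain HTTP, and a credential in the URL.
    """
    parts = urlsplit(endpoint)
    if parts.scheme != "https":
        raise ValueError("credentials must only be sent over HTTPS, got scheme %r" % parts.scheme)
    if sensitive_params_in_url(endpoint):
        raise ValueError("endpoint URL already carries a credential in its query string")
    return {
        "method": "POST",
        "url": endpoint,
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        # The body is not written to access logs, not kept in history and not sent
        # in Referer. The server still reads it in clear, so TLS is mandatory.
        "body": urlencode({"user": username, "password": password}),
    }


if __name__ == "__main__":
    for line_no, method, target, leaked in scan_access_log(LOG_LINES):
        print("line %d: %s %s leaks %s" % (line_no, method, redact_url(target), leaked))
    print(build_login_request("https://api.example.com/login", "alice", "hunter2"))
```

Redaction only cleans up after the fact; the fix the slides call for is on the client, where `build_login_request` refuses to send a credential in a URL or over plain HTTP. Note that moving the password into a POST body does not help if the app then writes the whole request to its own logfile, which is the other half of the Audible case on slide 12: run the same parameter check over whatever the app itself logs, not only over server access logs.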