OWASP Mobile Top 10 Risks
A PowerPoint version of the slides and notes are available here: http://stratigossecurity.com/2013/07/14/owasp-mobile-security-project-top-10-risks-presentation/

OWASP Top 10 Mobile Risks
M1 Insecure Data Storage
M2 Weak Server Side Controls
M3 Insufficient Transport Layer Protection
M4 Client Side Injection
M5 Poor Authorization and Authentication
M6 Improper Session Handling
M7 Security Decisions Via Untrusted Inputs
M8 Side Channel Data Leakage
M9 Broken Cryptography
M10 Sensitive Information Disclosure

Creative Commons - Attribution licensed - Beau Woods - @beauwoods

Document Transcript

Slide 5: Path: Collected and uploaded personal information. Concur: Stored password in plain text.
Slide 6: Recommendation for future versions: expand to specific risks.
Slide 7: Google Wallet: NFC MITM. PayPal: failure to validate certificates. Apple iOS AppStore: MITM led to circumventing purchases.
Slide 8: Recommendation for future versions: improve or eliminate.
Slide 9: Dropbox: Used only a unique ID to authenticate, no password required; password reset doesn't protect assets. Audible: Used plaintext password to authenticate and used HTTP GET method. OOB: Remember, mobile devices can potentially intercept phone calls, SMS and email.
Slide 11: Recommendation for future versions: improve or eliminate.
Slide 12: Android: Information sent to advertisers (http://news.techeye.net/mobile/many-android-apps-send-your-private-information-to-advertisers). Apple: Collected and stored mobile tower data; called before US Congress to answer questions. Audible: Stored URL with password in logfile, also in GET request stored in web server log. Recommendation for future versions: consider combining with M10; consider incorporating the idea of collecting unnecessary but potentially sensitive or private information.
Slide 14: Recommendation for future versions: consider combining with M8.
Slide 15: http://www.secureworks.com/cyber-threat-intelligence/advisories/SWRX-2011-002/
Slide 16: http://www.secureworks.com/cyber-threat-intelligence/advisories/SWRX-2011-004/
Slide 17: http://stratigossecurity.com/2012/10/03/security-advisory-ustream-mobile-application/

(Slides 1-4, 10, 13, 18 and 19 contain no transcribed text.)
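The Audible case on slides 9 and 12 (a plaintext password sent as a GET parameter, which the web server then writes to its access log) is the M8/M10 leak path most often found during a log review. As an added example, not code from the slides or from any of the advisories linked above, the Python below audits access-log lines for credentials in query strings and redacts them before the log is retained; the parameter-name list and the sample log lines are constructed for illustration.

```python
# Added example: detect and redact credentials that leak into a web server
# access log when a client sends them as GET query parameters (OWASP Mobile
# M8/M10). The sensitive-name list and the sample lines are constructed.
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query parameter names that should never appear in a URL (illustrative list).
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "token", "session", "secret", "apikey", "api_key"}

# Matches the request field of Common/Combined Log Format: "METHOD /target HTTP/1.x"
_REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def find_leaked_params(log_line):
    """Return the sorted sensitive parameter names present in the request's query string."""
    m = _REQUEST_RE.search(log_line)
    if not m:
        return []
    query = urlsplit(m.group("target")).query
    return sorted({k for k, _ in parse_qsl(query, keep_blank_values=True)
                   if k.lower() in SENSITIVE_PARAMS})

def redact_line(log_line):
    """Replace each sensitive parameter value with [REDACTED] so the line can be
    kept for traffic analysis without storing the secret itself."""
    m = _REQUEST_RE.search(log_line)
    if not m:
        return log_line
    parts = urlsplit(m.group("target"))
    pairs = [(k, "[REDACTED]" if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    # safe="[]" keeps the marker readable instead of percent-encoding the brackets
    new_target = urlunsplit(parts._replace(query=urlencode(pairs, safe="[]")))
    return log_line.replace(m.group("target"), new_target, 1)

def audit(lines):
    """Return (line_number, leaked_param_names) for every offending line."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        leaked = find_leaked_params(line)
        if leaked:
            findings.append((lineno, leaked))
    return findings

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [14/Jul/2013:10:01:02 +0000] "GET /login?user=alice&password=hunter2 HTTP/1.1" 200 512',
    '10.0.0.6 - - [14/Jul/2013:10:01:03 +0000] "GET /books?page=2 HTTP/1.1" 200 2048',
    '10.0.0.7 - - [14/Jul/2013:10:01:04 +0000] "POST /login HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for lineno, params in audit(SAMPLE_LOG):
        print(f"line {lineno}: credentials in query string: {', '.join(params)}")
        print("  redacted:", redact_line(SAMPLE_LOG[lineno - 1]))
```

Redaction at log-write time is only a mitigation for the server-side copy; the fix the slides point at is moving the credential out of the URL (POST body over TLS) so it is never logged by proxies or the client in the first place.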