OWASP Mobile Top 10 Risks

A PowerPoint version of the slides and notes is available here: http://stratigossecurity.com/2013/07/14/owasp-mobile-security-project-top-10-risks-presentation/

OWASP Top 10 Mobile Risks
M1 Insecure Data Storage
M2 Weak Server Side Controls
M3 Insufficient Transport Layer Protection
M4 Client Side Injection
M5 Poor Authorization and Authentication
M6 Improper Session Handling
M7 Security Decisions Via Untrusted Inputs
M8 Side Channel Data Leakage
M9 Broken Cryptography
M10 Sensitive Information Disclosure

Creative Commons - Attribution licensed - Beau Woods - @beauwoods


OWASP Mobile Top 10 Risks

Slide 5: Path: collected and uploaded personal information. Concur: stored password in plain text.
Slide 6: Recommendation for future versions
  • Expand to specific risks
Slide 7: Google Wallet: NFC MITM. PayPal: failure to validate certificates. Apple iOS AppStore: MITM led to circumventing purchases.
Slide 8: Recommendation for future versions
  • Improve or eliminate
Slide 9: Dropbox: used only a unique ID to authenticate, no password required; password reset doesn't protect assets. Audible: used plaintext password to authenticate and used HTTP GET method. OOB: remember, mobile devices can potentially intercept phone calls, SMS and email.
Slide 11: Recommendation for future versions
  • Improve or eliminate
Slide 12: Android: information sent to advertisers (http://news.techeye.net/mobile/many-android-apps-send-your-private-information-to-advertisers). Apple: collected and stored mobile tower data; called before US Congress to answer questions. Audible: stored URL with password in logfile, also in GET request stored in web server log.
  Recommendation for future versions
  • Consider combining with M10
  • Consider incorporating the idea of collecting unnecessary but potentially sensitive or private information
Slide 14: Recommendation for future versions
  • Consider combining with M8
Slide 15: http://www.secureworks.com/cyber-threat-intelligence/advisories/SWRX-2011-002/
Slide 16: http://www.secureworks.com/cyber-threat-intelligence/advisories/SWRX-2011-004/
Slide 17: http://stratigossecurity.com/2012/10/03/security-advisory-ustream-mobile-application/
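Slides 9 and 12 make the same point from two sides: a password sent in an HTTP GET query string is authenticated once by the application and then recorded forever by the web server's access log. The script below is an added illustration written for this page, not code from the presentation or from any of the products named on the slides. It scans access-log text for credential-bearing query parameters and produces a redacted copy of each offending line, which is the check a defender would run before retaining or shipping logs. The combined log format, the parameter-name list and the sample log lines are all assumptions constructed for the example.

```python
"""Detect and redact credentials that leaked into web-server access logs
through GET query strings (the failure mode described on slides 9 and 12).

Example code written for this page; the log layout, the SENSITIVE_PARAMS
list and the sample lines are constructed assumptions, not real data."""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query-string parameter names treated as credential-bearing. This list is an
# assumption for the example; tune it to the application under review.
SENSITIVE_PARAMS = {
    "password", "passwd", "pwd", "pass", "token", "api_key", "apikey",
    "secret", "session", "sessionid",
}

# Apache/nginx "combined" access-log layout (assumed). Named groups let us
# locate the request target precisely so it can be redacted in place.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+).*$'
)

# Constructed sample log lines (not real traffic): a password in a GET query
# string, a token in a GET query string, and a POST login whose body is not
# recorded by the access log at all.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Jul/2013:10:01:02 +0000] "GET /api/login?user=alice&password=hunter2 HTTP/1.1" 200 512 "-" "ExampleMobileApp/1.0"
203.0.113.7 - - [14/Jul/2013:10:01:05 +0000] "GET /api/books?page=2 HTTP/1.1" 200 4096 "-" "ExampleMobileApp/1.0"
198.51.100.4 - - [14/Jul/2013:10:02:11 +0000] "POST /api/login HTTP/1.1" 200 512 "-" "ExampleMobileApp/1.1"
198.51.100.4 - - [14/Jul/2013:10:02:30 +0000] "GET /api/sync?token=eyJhbGciOi.example&device=ios HTTP/1.1" 200 128 "-" "ExampleMobileApp/1.1"
"""


def find_sensitive_params(target):
    """Return the sorted names of credential-bearing parameters in a request
    target's query string (empty list when there are none)."""
    query = urlsplit(target).query
    names = {name.lower() for name, _ in parse_qsl(query, keep_blank_values=True)}
    return sorted(names & SENSITIVE_PARAMS)


def redact_target(target):
    """Rebuild the request target with sensitive parameter values replaced by
    [REDACTED]; the path and the other parameters are preserved."""
    parts = urlsplit(target)
    pairs = [
        (name, "[REDACTED]" if name.lower() in SENSITIVE_PARAMS else value)
        for name, value in parse_qsl(parts.query, keep_blank_values=True)
    ]
    # safe="[]" keeps the marker readable instead of percent-encoding it.
    return urlunsplit(parts._replace(query=urlencode(pairs, safe="[]")))


def scan_log(text):
    """Scan access-log text and return one finding per line whose request
    target carries credentials: line number, client IP, HTTP method, the
    offending parameter names and a redacted copy of the line for retention."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        match = LOG_RE.match(line)
        if not match:
            continue  # not in the expected layout; skip rather than guess
        params = find_sensitive_params(match.group("target"))
        if not params:
            continue
        redacted_line = (
            line[: match.start("target")]
            + redact_target(match.group("target"))
            + line[match.end("target"):]
        )
        findings.append({
            "line": line_no,
            "ip": match.group("ip"),
            "method": match.group("method"),
            "params": params,
            "redacted": redacted_line,
        })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"line {finding['line']}: {finding['method']} from {finding['ip']} "
              f"leaks {', '.join(finding['params'])} into the access log")
        print("  sanitized:", finding["redacted"])
```

Run against the sample, the scan flags lines 1 and 4 (the password and the bearer-style token) and leaves the POST login alone, because the log only records the request line, not the body. That asymmetry is the practical lesson of slide 9: moving credentials out of the URL and into the request body (over TLS, per M3) keeps them out of every access log, proxy log and browser history that sees the URL, while redaction of existing logs is only damage control.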
