OWASP Top 10 Mobile Risks

OWASP Mobile Security Project: Top 10 Risks
M1 Insecure Data Storage
M2 Weak Server Side Controls
M3 Insufficient Transport Layer Protection
M4 Client Side Injection
M5 Poor Authorization and Authentication
M6 Improper Session Handling
M7 Security Decisions Via Untrusted Inputs
M8 Side Channel Data Leakage
M9 Broken Cryptography
M10 Sensitive Information Disclosure

Speaker notes:
  • Path: Collected and uploaded personal information
    • Concur: Stored password in plain text (http://www.secureworks.com/cyber-threat-intelligence/advisories/SWRX-2011-002/)
    • Similar flaws in other applications:
      • Ustream: Stored password in plain text (http://stratigossecurity.com/2012/10/03/security-advisory-ustream-mobile-application/)
      • Bambuser: Stored password in plain text (http://stratigossecurity.com/2012/10/03/security-advisory-bambuser-mobile-application/)
  • Recommendation for future versions: Expand to specific risks
  • Google Wallet: NFC MITM
    • PayPal: Failure to validate certificates
    • Apple iOS App Store: MITM led to circumventing purchases
  • Recommendation for future versions: Improve or eliminate
  • Dropbox: Used only a unique ID to authenticate, no password required; password reset doesn’t protect assets
    • Audible: Used plaintext password to authenticate and used HTTP GET method
    • OOB: Remember, mobile devices can potentially intercept phone calls, SMS and email
    • Recommendation for future versions: Combine with M6
  • Recommendation for future versions: Combine with M5
  • Recommendation for future versions: Improve or eliminate
  • Android: Information sent to advertisers (http://news.techeye.net/mobile/many-android-apps-send-your-private-information-to-advertisers)
    • Apple: Collected and stored mobile tower data; called before US Congress to answer questions
    • Audible: Stored URL with password in logfile, also in GET request stored in web server log
    • Recommendation for future versions: Consider combining with M10; consider incorporating the idea of collecting unnecessary but potentially sensitive or private information
  • Recommendation for future versions: Consider combining with M8

Slide transcript:

    1. OWASP Mobile Top 10
       OWASP Korea Day 2013, July 13, 2013
       Beau Woods, http://beauwoods.com, @beauwoods
       "OWASP Mobile Top 10 Risks presentation at OWASP Korea July 13, 2013" is licensed under a Creative Commons Attribution 3.0 Unported License.
    2. Mobile Elements
       • Client: Application, Platform, Hardware
       • Network
       • Server: Application
    3. Mobile Considerations
       Mobile Devices
       • Use models: Always on, Always connected, Omnipresent
       • Capabilities: Communications, Limited resources, Highly variable
       • Hardware: Extensive RF & SSD, Highly variable, Not upgradable
       • Platform: Highly variable, Limited options, Variable security
       Traditional Devices
       • Use models: Frequently off, Disconnected, Location-bound
       • Capabilities: Many resources, Robust platform, Well documented
       • Hardware: Limited RF & HDD, Highly variable, Highly upgradable
       • Platform: Standardized, Well understood, Robust security
    4. OWASP Mobile Top 10 Risks
       • M1 Insecure Data Storage
       • M2 Weak Server Side Controls
       • M3 Insufficient Transport Layer Protection
       • M4 Client Side Injection
       • M5 Poor Authorization and Authentication
       • M6 Improper Session Handling
       • M7 Security Decisions via Untrusted Inputs
       • M8 Side Channel Data Leakage
       • M9 Broken Cryptography
       • M10 Sensitive Information Disclosure
       Mobile Security Project (alpha documentation): Top 10 Risks, Top 10 Controls, Threat Model, Testing Guide, Tools, Secure Development
    5. M1 Insecure Data Storage
       Sensitive data
       • Authentication data
       • Regulated information
       • Business-specific information
       • Private information
       Recommendations
       • Business must define, classify, assign owner & set requirements
       • Acquire, transmit, use and store as little sensitive data as possible
       • Inform and confirm data definition, collection, use & handling
       Protections
       1. Reduce use and storage
       2. Encrypt or hash
       3. Platform-specific secure storage with restricted permissions
       Mobile Controls 1, 2 & 7
    6. M2 Weak Server Side Controls
       OWASP Top 10 Web Application Risks 2013
       • A1 Injection
       • A2 Broken Authentication and Session Management
       • A3 Cross-Site Scripting (XSS)
       • A4 Insecure Direct Object References
       • A5 Security Misconfiguration
       • A6 Sensitive Data Exposure
       • A7 Missing Function Level Access Control
       • A8 Cross-Site Request Forgery (CSRF)
       • A9 Using Components with Known Vulnerabilities
       • A10 Unvalidated Redirects and Forwards
       Mobile App Servers: RESTful API, SOAP Web Service, Web, XML
       Recommendations
       • Always validate input
       • Don’t trust the client
       • Harden mobile app servers & services
       • Beware information disclosure
       • Understand host & network controls
       • Perform integrity checking regularly
       Mobile Controls 5 & 6
    7. M3 Insufficient Transport Layer Protection
       Impact
       • Expose authentication data
       • Disclosure of other sensitive information
       • Injection
       • Data tampering
       Recommendations
       • Use platform-provided cryptographic libraries
       • Force strong methods & valid certificates
       • Test for certificate errors & warnings
       • Use pre-defined certificates, as appropriate
       • Encrypt sensitive information before sending
       • All transport, including RFID, NFC, Bluetooth, Wifi, Carrier
       • Avoid HTTP GET method
       Mobile Controls 3
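The M3 recommendations in code, as an added example that is not from the slides: a hardened client TLS context beside the weak configuration that lets a downgraded or interposed connection go unnoticed, plus a pin check for a pre-defined certificate. It uses Python's standard ssl module; the pin set, the sample DER bytes and the function names are assumptions.

```python
"""Added example: forcing strong methods and valid certificates (M3)."""
import hashlib
import ssl


def hardened_context() -> ssl.SSLContext:
    """Verify the chain and the hostname, and refuse anything below TLS 1.2."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # no negotiation down to SSLv3/TLS 1.0/1.1
    return ctx


def weak_context() -> ssl.SSLContext:
    """The anti-pattern that silences "certificate errors & warnings": any certificate
    is accepted, so a proxy or a downgraded connection is invisible to the app."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                    # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_safe(ctx: ssl.SSLContext) -> bool:
    """The check a unit test or code review should apply to every client context."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and bool(ctx.check_hostname)
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def cert_pin(cert_der: bytes) -> str:
    """Pin value for a pre-defined certificate: SHA-256 over its DER encoding."""
    return hashlib.sha256(cert_der).hexdigest()


def peer_is_pinned(cert_der: bytes, expected_pins: set) -> bool:
    """After the handshake, pass sock.getpeercert(binary_form=True) here and close the
    connection on False. Ship a backup pin so certificate rotation does not brick the app."""
    return cert_pin(cert_der) in expected_pins
```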
    8. M4 Client Side Injection
       Impact
       • App or device compromise
       • Abuse resources or services (SMS, phone, payments, online banking)
       • Extract or inject data
       • Man-in-the-Browser (MITB)
       Recommendations
       • Always validate input
       • Don’t trust the server
       • Harden mobile app clients
       • Beware information disclosure
       • Perform integrity checking regularly
       Mobile Controls 9
    9. M5 Poor Authorization and Authentication
       Impacts
       • Account takeover
       • Confidentiality breach
       • Fraudulent transactions
       Recommendations
       • Use appropriate methods for the risk
       • Use unique identifiers as additional (not primary) factors
       • Differentiate between client vs. server authentication
       • Ensure out-of-band methods are truly OOB (this is hard)
       • Hardware-independent identifiers
       Most common methods: Account name, Password, OAuth, HTTP Cookies, Stored passwords, Unique tokens
       Mobile Controls 4
    10. M6 Improper Session Handling
       Impacts
       • Account takeover
       • Confidentiality breach
       • Fraudulent transactions
       Recommendations
       • Allow revocation of device/password
       • Use strong tokens and generation methods
       • Consider appropriate session length (longer than web)
       • Reauthenticate periodically or after focus change
       • Store and transmit session tokens securely
       Most common methods: OAuth, HTTP Cookies, Stored passwords, Unique tokens
       Mobile Controls 4
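A constructed session store implementing the M6 recommendations, added here rather than taken from the slides: CSPRNG tokens, a mobile-length lifetime with periodic reauthentication, hashed server-side storage and per-device revocation. The class, method names and time constants are assumptions.

```python
"""Added example: server-side session handling for a mobile client (M6)."""
import hashlib
import secrets
from typing import Optional

SESSION_LIFETIME = 30 * 24 * 3600   # 30 days: mobile sessions may outlive web sessions
REAUTH_INTERVAL = 24 * 3600         # but demand a fresh login (or PIN) once a day


class SessionStore:
    def __init__(self) -> None:
        self._sessions = {}          # token digest -> {user, device, issued, last_auth}

    @staticmethod
    def _digest(token: str) -> str:
        # Store only a hash so a leaked session table does not yield usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user: str, device: str, now: float) -> str:
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG, not random()/time
        self._sessions[self._digest(token)] = {
            "user": user, "device": device, "issued": now, "last_auth": now}
        return token

    def validate(self, token: str, now: float) -> Optional[str]:
        """Return the user for a live token, None for unknown, revoked, expired or stale."""
        key = self._digest(token)
        rec = self._sessions.get(key)
        if rec is None:
            return None                                # unknown or revoked
        if now - rec["issued"] > SESSION_LIFETIME:
            del self._sessions[key]                    # expired: drop it
            return None
        if now - rec["last_auth"] > REAUTH_INTERVAL:
            return None                                # caller must reauthenticate first
        return rec["user"]

    def reauthenticate(self, token: str, now: float) -> None:
        """Called after the user re-enters credentials, e.g. on app focus change."""
        rec = self._sessions.get(self._digest(token))
        if rec is not None:
            rec["last_auth"] = now

    def revoke_device(self, user: str, device: str) -> int:
        """Lost or stolen device: drop every session it holds; returns how many."""
        doomed = [k for k, r in self._sessions.items()
                  if r["user"] == user and r["device"] == device]
        for k in doomed:
            del self._sessions[k]
        return len(doomed)
```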
    11. M7 Security Decisions via Untrusted Inputs
       Description: Reliance on files, settings, network resources or other inputs which may be modified.
       Recommendations
       • Validate settings and files with checksums
       • Validate all inputs
       • Encrypt communications
       • Ensure trusted data sources
       Examples: DNS settings, Cookies, Configuration files, Network injection, Mobile malware, URL calls
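An added example (not from the slides) of the first M7 recommendation applied to a configuration file. A plain checksum only catches corruption, because whoever can edit the file can recompute it, so the check below uses an HMAC whose key is assumed to live in platform secure storage rather than in the file; the key, the settings and the function names are constructed.

```python
"""Added example: refusing a settings file that was modified after it was written (M7)."""
import hashlib
import hmac
import json
from typing import Optional

# Assumption: a real app fetches this from the platform keystore; it is never written to the file.
INTEGRITY_KEY = b"constructed-demo-key-use-keystore-in-practice"


def _canonical(settings: dict) -> str:
    # Deterministic serialization, otherwise the MAC would vary with key order.
    return json.dumps(settings, sort_keys=True, separators=(",", ":"))


def seal_settings(settings: dict, key: bytes = INTEGRITY_KEY) -> str:
    """Write side: canonical body plus an HMAC-SHA256 tag, stored together."""
    body = _canonical(settings)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"settings": body, "mac": tag})


def load_settings(blob: str, key: bytes = INTEGRITY_KEY) -> Optional[dict]:
    """Read side: return the settings only if the tag verifies and the values are sane."""
    try:
        wrapper = json.loads(blob)
        body, tag = wrapper["settings"], wrapper["mac"]
    except (ValueError, KeyError, TypeError):
        return None                                   # malformed: treat as untrusted
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(tag)):   # constant-time comparison
        return None                                   # modified after sealing
    settings = json.loads(body)
    # M7 also says validate all inputs: an intact file can still carry a bad value.
    if not str(settings.get("api_base", "")).startswith("https://"):
        return None
    return settings


def modified_copy(blob: str, new_api_base: str) -> str:
    """Constructed test input: the endpoint changed on disk while the old tag is kept."""
    wrapper = json.loads(blob)
    inner = json.loads(wrapper["settings"])
    inner["api_base"] = new_api_base
    wrapper["settings"] = _canonical(inner)
    return json.dumps(wrapper)
```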
    12. M8 Side Channel Data Leakage
       Side channel data
       • Caches
       • Keystroke logging (by platform)
       • Screenshots (by platform)
       • Logs
       Recommendations
       • Consider server-side leakage
       • Reduce client-side logging
       • Consider mobile-specific private information
       • Consider platform-specific data capture features
       • Securely cache data (consider SSD limitations)
       Mobile Controls 1, 2, 3, 6 & 7
    13. M9 Broken Cryptography
       Cryptography
       • …is not encoding
       • …is not obfuscation
       • …is not serialization
       • …is best left to the experts
       Recommendations
       • Use only well-vetted cryptographic libraries
       • Understand one-way vs. two-way encryption
       • Use only well-vetted cryptographic libraries (not a typo)
       • Use only platform-provided cryptographic storage
       • Use only well-vetted cryptographic libraries (still not a typo)
       • Protect cryptographic keys fanatically
       • Use only well-vetted cryptographic libraries (seriously - always do this)
       “The only way to tell good cryptography from bad cryptography is to have it examined by experts.” - Bruce Schneier
       Mobile Controls 1, 2 & 3
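An added example (not from the slides) putting the M1 control "encrypt or hash" next to the M9 mistake from the second case study, where the first fix only obfuscated the stored password: base64 is reversible without any key, PBKDF2 is one-way. The function names and values are constructed. Note that a hashed four-digit passcode is still cheap to brute-force offline, which is why "reduce use and storage" and platform secure storage come before hashing on the M1 slide.

```python
"""Added example: obfuscation versus one-way hashing of a stored passcode (M1, M9)."""
import base64
import hashlib
import hmac
import os


def obfuscate(passcode: str) -> str:
    """Encoding, not cryptography: the case study's first "fix"."""
    return base64.b64encode(passcode.encode()).decode()


def recover_from_obfuscated(stored: str) -> str:
    """No key is involved, so anyone who reads the file reads the passcode."""
    return base64.b64decode(stored).decode()


def hash_passcode(passcode: str, iterations: int = 200_000) -> str:
    """One-way: PBKDF2-HMAC-SHA256 with a random per-record salt (stdlib only)."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_passcode(passcode: str, stored: str) -> bool:
    """Recompute the derivation and compare in constant time; the passcode is never on disk."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", passcode.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def looks_like_obfuscation(stored: str) -> bool:
    """Review heuristic for stored "secrets": a value that base64-decodes to printable
    text was encoded, not protected. The PBKDF2 record above does not decode at all."""
    try:
        plain = base64.b64decode(stored, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return False
    return plain.isprintable()
```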
    14. M10 Sensitive Information Disclosure
       Sensitive application data
       • API or encryption keys
       • Passwords
       • Sensitive business logic
       • Internal company information
       • Debugging or maintenance information
       Recommendations
       • Store sensitive application data server-side
       • Avoid hardcoding information in the application
       • Use platform-specific secure storage areas
    15. Case Study
       M1 Insecure Data Storage
       • Account number & passcode stored in flat text file
       Risks & mitigating factors
       • Passcode not used for other systems
       • App contained and accessed sensitive and private information
    16. Case Study
       M5 Poor Authorization & Authentication
       • Account name and password in plain text
       • Used HTTP GET method (logged to server)
       M8 Side Channel Data Leakage
       • Logged password to client and server
       M9 Broken Cryptography
       • First attempt to fix issue obfuscated password
       Risks & mitigating factors
       • Same password used for web application
       • Password reuse likely
       • Stored password securely
    17. DIY Vulnerability Discovery
       • Explore files on mobile devices and backups
       • Search for passwords
       • Sniff network connections
       • Downgrade SSL
       OWASP Resources
       • WebScarab
       • GoatDroid
       • iGoat
       • MobiSec
       • iMas
       • Mobile Testing Guide
    18. Beau Woods, http://beauwoods.com, @beauwoods
