1. OWASP Mobile Top 10
(M7 & M8)
M7 – Client Side Injection.
M8 – Security Decisions via Untrusted Inputs.
By : Shivang Desai
2. Who am I ?
● Shivang Desai (@5h1vang)
● Researcher at Zscaler Inc.
● Open Source enthusiast
● Small efforts to contribute :
– THC-Hydra [Release 7.6] (Kali Linux)
– OWASP Mobile
– Referenced in “The Mobile Application Hacker's Handbook”
– https://github.com/shivang1989
3. Next 30 min...
● Understanding client-side injection
● Understanding Security Decisions via untrusted Inputs
● What's their impact ?
● Prevention tips !
4. Understanding M7
Client Side Injection
• Next image: client and server
• Then: mobile app, OS and backend
• Hybrid vs native apps
• Hybrid == client-server
• Native == second image (mobile-OS-backend)
5. Understanding M7
Client Side Injection
● The name says it all : “Client-Side”
● Myth : Client-Side Injection == SQL injection
● A few types of client side injections :
– SQL Injection
– Cross Site Scripting
– Local File Injection
– XML Injection
– Binary Code Injection
8. Prevention !
● ALWAYS consider input data as malicious.
● Sanitize and/or Escape untrusted data.
● Use Prepared Statements. (SQL injection)
● Minimize the sensitive native capabilities tied to hybrid web
functionality. (As seen in WebView vuln just now)
● Input Validation (Local File Inclusion):
– Input validation for NSFileManager calls.
– Disable File System Access for any WebView
(webview.getSettings().setAllowFileAccess(false);)
9. Understanding M8
Security Decisions via Untrusted Inputs.
● Decisions based on weak parameters like cookies, hidden form fields,
Intents, URL schemes etc.
● Client Side Injection is one of the attack vectors, along with malicious
apps
● Main causes:
– Developer thinks values (cookies, environment variables, and hidden form
fields) cannot be modified
– Developer thinks client cannot manipulate and update application code
– Lack of proper encryption and/or encoding during client-server
interaction
10. Abusing iOS : URL Scheme
● A URL scheme is basically a URL protocol handler
● Used mainly by the browser to call other apps (e.g. Safari
calling the dialer app)
– <iframe src="tel:1-408-555-5555"></iframe>
Problem ?????
11. Abusing URL Scheme (iOS)
What's the problem ?
● Consider that the victim had opened Skype in the past and the device has
cached the credentials.
● Attacker embeds an iframe in his/her site
– <iframe src="skype://14085555555?call"></iframe>
● User visits the malicious site
● And boom...!
● The Masque attack used URL scheme hijacking
12. Abusing Android : Intents
What is Intent ?
● Intents act as a mechanism used:
– to start an Activity
– as a broadcast to inform interested programs
– as a way to communicate with background services
– to access data through ContentProviders
– as a callback to handle events like returning results or
errors asynchronously
13. Abusing Android : Intents
Types of Intent Vulnerabilities
● Two types of Intent Vulnerabilities
(1) Intent interception
● Intercept the generated intents (Broadcast events)
(2) Intent Spoofing
● Generate a spoofed intent and target the victim
14. Abusing Android : Intents
(PayPal Case Study)
● The Android SDK comes with a small command-line tool called “am” (activity manager)
● PayPal target Activity : SendMoneyActivity
– am start \
    -a android.intent.action.SENDTO \
    -d mailto:shiv@ng.com \
    --es com.paypal.android.p2pmobile.Amount 9.99 \
    --ei com.paypal.android.p2pmobile.ParamType 42 \
    -n com.paypal.android.p2pmobile/.activity.SendMoneyActivity
16. Prevention !
● Check caller’s permissions at input boundaries
● Prompt the user for additional authorization before allowing
● Where permission checks cannot be performed, ensure
additional steps are required to launch sensitive actions
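As an added example (not PayPal's or OWASP's code), this is how the three prevention points above apply to an Activity of the kind shown in the am case study: a sensitive action is only reachable behind a manifest permission, every intent extra is re-validated as untrusted input, and the user confirms before anything happens. The package name, extra names, the SEND_MONEY permission and the amount cap are hypothetical.

```java
// Added example (not PayPal's or OWASP's code): hardened "send money" Activity.
// Assumes the manifest guards it with a signature-level custom permission,
// e.g. android:permission="com.example.pay.SEND_MONEY" on the <activity>.
import android.app.Activity;
import android.app.AlertDialog;
import android.content.Intent;
import android.os.Bundle;
import android.util.Patterns;
import java.math.BigDecimal;

public class SendMoneyActivity extends Activity {
    static final String EXTRA_AMOUNT = "com.example.pay.Amount";       // hypothetical names
    static final String EXTRA_RECIPIENT = "com.example.pay.Recipient";
    static final BigDecimal MAX_AMOUNT = new BigDecimal("1000.00");    // hypothetical cap

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent intent = getIntent();
        // 1. Accept only the single action this screen is meant to handle.
        if (intent == null || !Intent.ACTION_SENDTO.equals(intent.getAction())) {
            finish();
            return;
        }
        // 2. Every extra is untrusted: re-parse and range-check it, and never rely on
        //    the type the caller chose (an int extra simply reads back as null here).
        BigDecimal amount = parseAmount(intent.getStringExtra(EXTRA_AMOUNT));
        String recipient = intent.getStringExtra(EXTRA_RECIPIENT);
        if (amount == null || recipient == null
                || !Patterns.EMAIL_ADDRESS.matcher(recipient).matches()) {
            finish();
            return;
        }
        // 3. A spoofed intent may still get this far, so the user, not the calling
        //    app, authorizes the sensitive action (prompt before allowing).
        new AlertDialog.Builder(this)
                .setTitle("Confirm payment")
                .setMessage("Send " + amount.toPlainString() + " to " + recipient + "?")
                .setPositiveButton("Send", (d, w) -> sendMoney(recipient, amount))
                .setNegativeButton("Cancel", (d, w) -> finish())
                .show();
    }
    /** Strict amount parsing: digits with at most two decimals, positive, capped. */
    static BigDecimal parseAmount(String raw) {
        if (raw == null || !raw.matches("\\d{1,7}(\\.\\d{1,2})?")) return null;
        BigDecimal v = new BigDecimal(raw);
        return v.signum() > 0 && v.compareTo(MAX_AMOUNT) <= 0 ? v : null;
    }
    private void sendMoney(String recipient, BigDecimal amount) {
        finish(); // hypothetical: hand off to the authenticated payment backend here
    }
}
```

Note that for an Activity started with startActivity() the caller's identity is not available in onCreate(), which is why the permission check lives in the manifest and the code falls back to validation plus a user prompt, as the last prevention point recommends.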