Owasp Mobile Top 10 – 2014

Published on: null Bangalore Chapter - May 2014 Meet

Published in: Education, Technology
NULL BANGALORE – MAY 2014 MEET
OWASP MOBILE TOP 10 – 2014
INTRODUCTION

OWASP MOBILE TOP-10
• Security project maintained by OWASP.
• Intended audience –
  • developers,
  • security professionals,
  • Mobile users
• Home Page – OWASP Mobile Security Project
• Under development
• Currently mainly focuses on iOS and Android mobile platforms.

2012 vs 2014
2012                                           2014
M1:  Insecure Data Storage                     M1:  Weak Server Side Controls
M2:  Weak Server Side Controls                 M2:  Insecure Data Storage
M3:  Insufficient Transport Layer Protection   M3:  Insufficient Transport Layer Protection
M4:  Client Side Injection                     M4:  Unintended Data Leakage
M5:  Poor Authorization and Authentication     M5:  Poor Authorization and Authentication
M6:  Improper Session Handling                 M6:  Broken Cryptography
M7:  Security Decisions Via Untrusted Inputs   M7:  Client Side Injection
M8:  Side Channel Data Leakage                 M8:  Security Decisions Via Untrusted Inputs
M9:  Broken Cryptography                       M9:  Improper Session Handling
M10: Sensitive Information Disclosure          M10: Lack of Binary Protections

M1 – WEAK SERVER SIDE CONTROLS
• Attack vectors generally leading to traditional OWASP Top-10.
• SQL Injection, CSRF, etc.
• Insecure coding practices.

M2 – INSECURE DATA STORAGE
• Cardinal rule of Mobile Apps –
  • Not to store Data
• Local files on Device.
  • SQLite Db files
  • Plist files – iOS
  • XML files
  • Log files
  • Manifest files, etc.

M3 – INSUFFICIENT TRANSPORT LAYER PROTECTION
• Clear text transport Protocols
• Certificate verification
• Weak cipher suites
• Sensitive data sent over SMS / push Notifications

M4 – UNINTENDED DATA LEAKAGE
• Platform cache storage
• Clipboard data
• Debug Logs
• Screenshots, etc.

M5 – POOR AUTHORIZATION AND AUTHENTICATION
• Usability leading to short and poor A&A schemas
• Spoofable values used for authentication
  • Geo-locations
  • Device Identifiers
• A&A for Offline services

M6 – BROKEN CRYPTOGRAPHY
• Less processing speed on devices
• Usage of weak cryptographic algorithms to avoid system delays
  • RC4
  • Base64
  • MD5
• Custom cryptographic protocols
• Improper Key Management
  • Hardcoding
  • Insecure Key transport

M7 – CLIENT SIDE INJECTION
• SQLite Injection
• Intent sniffing in Android
• JavaScript Injection
• Local File Inclusions
  • NSFileManager – iOS
  • Webviews – Android

M8 – SECURITY DECISIONS VIA UNTRUSTED INPUTS
• Inter Process Communication
• Data on clipboards / pasteboards
• Platform specific Permission Model
  • Manifest files – Android
  • Entitlements – iOS

M9 – IMPROPER SESSION HANDLING
• Application Backgrounding
• Inadequate session Timeouts
• Cookie based session management

M10 – LACK OF BINARY PROTECTIONS
• Code decrypt of iOS apps
• Disassembly of Android apk
• Jailbreak detection / Root-Detection Controls
• Debug detection controls

VULNERABLE APPS FOR PRACTICE
• DVIA – Damn Vulnerable iOS App
• GoatDroid
• iGoat

NEXT TIME
• M10 – Lack of Binary Protections
• Jailbroken / Rooted device detection

?
Thank you & Questions
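As an added example, not from the slides, of the "SQLite Injection" item under M7 – Client Side Injection: the same lookup against an app's local database built by string concatenation and then with a bound parameter. Python's sqlite3 module stands in for the Android/iOS SQLite APIs; the notes table, its rows and the function names are constructed for this demo.

```python
import sqlite3

# Constructed sample rows standing in for an app's local SQLite store
# (for instance a notes table in an Android app's private data directory).
NOTES = [
    ("alice", "alice's grocery list"),
    ("bob", "bob's bank PIN hint"),
    ("carol", "carol's travel plans"),
]


def build_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (owner TEXT, body TEXT)")
    conn.executemany("INSERT INTO notes VALUES (?, ?)", NOTES)
    conn.commit()
    return conn


def notes_for_owner_vulnerable(conn, owner):
    """Query assembled by concatenation: the caller-supplied value becomes
    part of the SQL text, so a quote in it changes the query's logic."""
    sql = "SELECT body FROM notes WHERE owner = '" + owner + "'"
    return [row[0] for row in conn.execute(sql)]


def notes_for_owner_safe(conn, owner):
    """Same lookup with a bound parameter: the value is passed to SQLite
    as data and is never parsed as SQL, whatever characters it contains."""
    sql = "SELECT body FROM notes WHERE owner = ?"
    return [row[0] for row in conn.execute(sql, (owner,))]


def demo():
    """Run both versions on a normal owner name and on a quote-bearing
    value; returns the four result lists so they can be compared."""
    conn = build_db()
    normal = "alice"
    quoted = "' OR '1'='1"  # a value containing a single quote
    return {
        "vuln_normal": notes_for_owner_vulnerable(conn, normal),
        "vuln_quoted": notes_for_owner_vulnerable(conn, quoted),   # every row leaks
        "safe_normal": notes_for_owner_safe(conn, normal),
        "safe_quoted": notes_for_owner_safe(conn, quoted),         # no such owner
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The concatenated version returns all three owners' notes for the quoted input, while the parameterised version returns nothing, which is the only correct answer for an owner that does not exist.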