Owasp Mobile Top 10 – 2014
 

null Bangalore Chapter - May 2014 Meet

Presentation Transcript

null Bangalore – May 2014 Meet
OWASP MOBILE TOP 10 – 2014: INTRODUCTION

OWASP MOBILE TOP-10
• Security project maintained by OWASP.
• Intended audience:
  • developers
  • security professionals
  • mobile users
• Home page: OWASP Mobile Security Project
• Under development
• Currently focuses mainly on the iOS and Android mobile platforms.

2012 VS 2014
       2012                                       2014
  M1   Insecure Data Storage                      Weak Server Side Controls
  M2   Weak Server Side Controls                  Insecure Data Storage
  M3   Insufficient Transport Layer Protection    Insufficient Transport Layer Protection
  M4   Client Side Injection                      Unintended Data Leakage
  M5   Poor Authorization and Authentication      Poor Authorization and Authentication
  M6   Improper Session Handling                  Broken Cryptography
  M7   Security Decisions Via Untrusted Inputs    Client Side Injection
  M8   Side Channel Data Leakage                  Security Decisions Via Untrusted Inputs
  M9   Broken Cryptography                        Improper Session Handling
  M10  Sensitive Information Disclosure           Lack of Binary Protections

M1 – WEAK SERVER SIDE CONTROLS
• Attack vectors generally lead back to the traditional OWASP Top 10.
  • SQL injection, CSRF, etc.
• Insecure coding practices.

M2 – INSECURE DATA STORAGE
• Cardinal rule of mobile apps: do not store data.
• Local files on the device:
  • SQLite DB files
  • plist files (iOS)
  • XML files
  • Log files
  • Manifest files, etc.

M3 – INSUFFICIENT TRANSPORT LAYER PROTECTION
• Clear-text transport protocols
• Certificate verification
• Weak cipher suites
• Sensitive data sent over SMS / push notifications

M4 – UNINTENDED DATA LEAKAGE
• Platform cache storage
• Clipboard data
• Debug logs
• Screenshots, etc.

M5 – POOR AUTHORIZATION AND AUTHENTICATION
• Usability pressure leading to short and poor A&A schemes
• Spoofable values used for authentication:
  • Geo-locations
  • Device identifiers
• A&A for offline services

M6 – BROKEN CRYPTOGRAPHY
• Less processing speed on devices
• Usage of weak cryptographic algorithms to avoid system delays:
  • RC4
  • Base64
  • MD5
• Custom cryptographic protocols
• Improper key management:
  • Hardcoding
  • Insecure key transport

M7 – CLIENT SIDE INJECTION
• SQLite injection
• Intent sniffing in Android
• JavaScript injection
• Local file inclusion:
  • NSFileManager (iOS)
  • WebViews (Android)

M8 – SECURITY DECISIONS VIA UNTRUSTED INPUTS
• Inter-process communication
• Data on clipboards / pasteboards
• Platform-specific permission model:
  • Manifest files (Android)
  • Entitlements (iOS)

M9 – IMPROPER SESSION HANDLING
• Application backgrounding
• Inadequate session timeouts
• Cookie-based session management

M10 – LACK OF BINARY PROTECTIONS
• Code decryption of iOS apps
• Disassembly of Android APKs
• Jailbreak detection / root detection controls
• Debug detection controls

VULNERABLE APPS FOR PRACTICE
• DVIA – Damn Vulnerable iOS App
• GoatDroid
• iGoat

NEXT TIME
• M10 – Lack of Binary Protections
• Jailbroken / rooted device detection

THANK YOU & QUESTIONS
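The M2 and M4 slides list where sensitive data ends up on the device: local XML preference files and debug logs. As an added example that is not part of the original deck, the following Python script audits a constructed Android SharedPreferences XML file and a few constructed logcat lines for values that look like secrets (credential-like key names, JWT-shaped strings, Luhn-valid card numbers); the sample data, key-name patterns and function names are assumptions made for the example.

```python
import re
import xml.etree.ElementTree as ET
# Constructed sample SharedPreferences XML (M2: local XML files on the device).
SAMPLE_PREFS_XML = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="username">alice</string>
    <string name="password">hunter2</string>
    <string name="api_token">eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2ln</string>
</map>
"""
# Constructed sample logcat lines (M4: debug logs leaking data).
SAMPLE_LOGCAT = [
    "D/LoginActivity: attempting login for alice",
    "D/LoginActivity: password=hunter2",
    "D/PayFragment: card=4111111111111111 exp=12/29",
    "I/Net: GET /api/v1/profile -> 200",
]

SECRET_KEY_RE = re.compile(r"pass(word|wd)?|pwd|token|secret|pin|cvv|card", re.I)
JWT_RE = re.compile(r"eyJ[\w-]+\.[\w-]+\.[\w-]+")  # base64url header.payload.sig
KV_RE = re.compile(r"\b([A-Za-z_]+)=(\S+)")
PAN_RE = re.compile(r"\b\d{13,19}\b")

def luhn_ok(digits):
    """Luhn checksum: separates a card number from a random run of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def audit_prefs(xml_text):
    """Return preference keys whose name or value looks like a secret."""
    hits = []
    for el in ET.fromstring(xml_text):
        name, value = el.get("name", ""), el.text or ""
        if SECRET_KEY_RE.search(name) or JWT_RE.search(value):
            hits.append(name)
    return hits

def audit_logcat(lines):
    """Return (tag, secret keys, card-number count) for each leaking log line."""
    hits = []
    for line in lines:
        keys = [k for k, _ in KV_RE.findall(line) if SECRET_KEY_RE.search(k)]
        pans = [p for p in PAN_RE.findall(line) if luhn_ok(p)]
        if keys or pans:
            hits.append((line.split(":", 1)[0], keys, len(pans)))
    return hits
```

Run against a real device this would read the app's shared_prefs directory and a logcat capture instead of the constructed samples; any hit is data that should be encrypted, moved to the platform keystore, or not logged at all.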