Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Upcoming SlideShare
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
Loading in …3
×
1 of 17

Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014

Sep. 08, 2014
3 likes 38,303 views

3

Share

Download to read offline

Mobile

This presentation talks about OWASP Mobile Risk M2 i.e. Insecure Data Storage. The agenda of the presentation is to understand the Data Storage and effect of insecure data storage. Then it also had demo's of known insecure data storage flaws. Methods to identify this flaw and various precautions that a developer should take to prevent this flaw.

The presentation was done as part of null/OWASP/G4H Monthly Meet

License: CC Attribution-NonCommercial-ShareAlike License

Recommended

Related Books

Free with a 30 day trial from Scribd

See all
In the Plex: How Google Thinks, Works, and Shapes Our Lives Steven Levy
(4.5/5)
Free
Hamlet's BlackBerry: A Practical Philosophy for Building a Good Life in the Digital Age William Powers
(4/5)
Free
The Impulse Economy: Understanding Mobile Shoppers and What Makes Them Buy Gary Schwartz
(4.5/5)
Free
Tubes: A Journey to the Center of the Internet Andrew Blum
(4/5)
Free
Emergence: The Connected Lives of Ants, Brains, Cities, and Software Steven Johnson
(4.5/5)
Free
World Wide Mind: The Coming Integration of Humanity, Machines, and the Internet Michael Chorost
(4/5)
Free
An Army of Davids: How Markets and Technology Empower Ordinary People to Beat Big Media, Big Government, and Other Goliaths Glenn Reynolds
(4/5)
Free
The End of Business As Usual: Rewire the Way You Work to Succeed in the Consumer Revolution Brian Solis
(5/5)
Free
Blog Schmog: The Truth About What Blogs Can (and Can't) Do for Your Business Robert W. Bly
(4/5)
Free
The Thank You Economy Gary Vaynerchuk
(4/5)
Free
Talking Back to Facebook: The Common Sense Guide to Raising Kids in the Digital Age James P. Steyer
(4.5/5)
Free
Public Parts: How Sharing in the Digital Age Improves the Way We Work and Live Jeff Jarvis
(3.5/5)
Free
The Nature of the Future: Dispatches from the Socialstructed World Marina Gorbis
(4/5)
Free
Socialnomics: How Social Media Transforms the Way We Live and Do Business Erik Qualman
(3/5)
Free
Ultimate Guide to Mastering Command Blocks!: Minecraft Keys to Unlocking Secret Commands Triumph Books
(4.5/5)
Free
The Inmates Are Running the Asylum (Review and Analysis of Cooper's Book) BusinessNews Publishing
(4/5)
Free

Related Audiobooks

Free with a 30 day trial from Scribd

See all
Algorithms to Live By: The Computer Science of Human Decisions Tom Griffiths
(4.5/5)
Free
Alone Together: Why We Expect More from Technology and Less from Each Other Sherry Turkle
(4/5)
Free
The Death of Expertise: The Campaign Against Established Knowledge and Why it Matters Tom Nichols
(4.5/5)
Free
The Emperor's New Mind: Concerning Computers, Minds, and the Laws of Physics Roger Penrose
(3.5/5)
Free
Blockchain Revolution: How the Technology Behind Bitcoin Is Changing Money, Business, and the World Don Tapscott
(4/5)
Free
New Dark Age: Technology and the End of the Future James Bridle
(4.5/5)
Free
The New New Thing: A Silicon Valley Story Michael Lewis
(4.5/5)
Free
Everybody Lies: Big Data, New Data, and What the Internet Can Tell Us About Who We Really Are Seth Stephens-Davidowitz
(4.5/5)
Free
So You Want to Start a Podcast: Finding Your Voice, Telling Your Story, and Building a Community that Will Listen Kristen Meinzer
(4.5/5)
Free
Cognitive Surplus: Creativity and Generosity in a Connected Age Clay Shirky
(3.5/5)
Free
The Dark Net: Inside the Digital Underworld Jamie Bartlett
(3.5/5)
Free
Who Owns the Future? Jaron Lanier
(4/5)
Free
An Introduction to Information Theory: Symbols, Signals and Noise John R. Pierce
(4.5/5)
Free
Kill All Normies: Online Culture Wars From 4Chan And Tumblr To Trump And The Alt-Right Angela Nagle
(4/5)
Free
The Art of Social Media: Power Tips for Power Users Guy Kawasaki
(4/5)
Free
The Book of Why: The New Science of Cause and Effect Judea Pearl
(4/5)
Free

Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014

  1. 1. Mobile Top 10 2014-M2 Insecure Data Storage by Anant Shrivastava
  2. 2. About Me ● Anant Shrivastava ● http://anantshri.info ● Independent Information Security Consultant ● Interest Areas : Web, Mobile, Linux ● Project Lead – Android Tamer ● Live ISO environment for Android Security. Used by multiple professionals and trainers across the globe. – CodeVigilant ● A initiative to find flaws in opensource softwares. Holds 160+ responsibly disclosed web vulnerabilities at this point in time.
  3. 3. Agenda ● Understand Insecure Data Storage ● Effects on overall Security ● Examples of Insecure Data Storage ● How to Find Insecure Data Storage ● How to prevent it
  4. 4. Understand mobile Storage ● Android – /data/data/<app> ● Application specific data section, only application has access. Root has access to this partition also – /sdcard/ ● External memory generally FAT32 hence no ACL applies. Data can be read by all applications and externally read by card reader. ● IOS – <Application_Home>/Documents/ : Accessible only to app and root user. – No Sdcard for iOS devices
  5. 5. Insecure Data Storage ● It occurs when development teams assume that users or malware will not have access to a mobile device's filesystem. ● And sensitive information such as PII(Personally Identifiable Information) is stored in the data-stores on the device in insecure format. ● Insecure format – Plain text – Reversable trivial encoding (double ROT-13 or ROT-n, base64/32/128 etc)
  6. 6. Effect of Insecure Data Storage ● This could lead to – Identity Theft – Fraud – Reputation Damage – External Policy Violation (PCI) – or Material Loss.
  7. 7. Demo Time
  8. 8. Demo's ● Approtect ● Google Authenticator
  9. 9. Example - 1 Ref: https://code.google.com/p/google-authenticator/issues/detail? id=158&can=1&q=keystore
  10. 10. Outlook Ref: http://blog.includesecurity.com/2014/05/mobile-app-data-privacy-outlook-example. html
  11. 11. Outlook
  12. 12. How to find ● Data storage in mobile is generally in following formats – XML – Plist – SQLite – Plain text config files – Log Files – Cookies in webview
  13. 13. How to Find? Android Apps ● Install the app ● Configure and run it for some time ● Extract the /data/data/<app_name> ● Also before installing and after installing application observe change in /sdcard also ● Identify files and content
  14. 14. Mitigation ● don’t store data unless absolutely necessary ● Never store credentials on the phone file system ● Force the user to authenticate using a standard web or API login scheme (over HTTPS) to the application upon each opening and ensure session timeouts are set at the bare minimum to meet the user experience requirements. ● For databases consider using SQLcipher for Sqlite data encryption ● Be aware that all data/entities using NSManagedObects will be stored in an unencrypted database file.
  15. 15. Mitigation ● Ensure any shared preferences properties are NOT MODE_WORLD_READABLE unless explicitly required for information sharing between apps. ● Ensure SDCARD storage is not used for PII or sensitive information of any sorts ● Avoid using NSUserDefaults to store senstitve pieces of information ● Apple or android keychains can be used but once jailbroken or rooted it can be easily read.
  16. 16. References ● www.owasp.org/index.php/Mobile_Top_10_2014-M2 ● h30499.www3.hp.com/t5/Fortify-Application- Security/Exploring-The-OWASP-Mobile-Top-10-M1- Insecure-Data-Storage/ba-p/ 5904609#.VAEKztYvC00 ● developer.android.com/training/articles/security-tips. html ● www.owasp.org/index.php/IOS_Developer_Cheat_S heet
  17. 17. Questions

×