OWASP Mobile Top 10 Risks

A PowerPoint version of the slides and notes are available here: http://stratigossecurity.com/2013/07/14/owasp-mobile-security-project-top-10-risks-presentation/

OWASP Top 10 Mobile Risks
M1 Insecure Data Storage
M2 Weak Server Side Controls
M3 Insufficient Transport Layer Protection
M4 Client Side Injection
M5 Poor Authorization and Authentication
M6 Improper Session Handling
M7 Security Decisions Via Untrusted Inputs
M8 Side Channel Data Leakage
M9 Broken Cryptography
M10 Sensitive Information Disclosure

Creative Commons - Attribution licensed - Beau Woods - @beauwoods

Published in: Technology, Business

Slide transcript (slides 1-4, 10, 13, 18 and 19 carried no extracted text and are omitted):

  Slide 5: Path: collected and uploaded personal information. Concur: stored password in plain text.
  Slide 6: Recommendation for future versions: expand to specific risks.
  Slide 7: Google Wallet: NFC MITM. PayPal: failure to validate certificates. Apple iOS App Store: MITM led to circumventing purchases.
  Slide 8: Recommendation for future versions: improve or eliminate.
  Slide 9: Dropbox: used only a unique ID to authenticate, no password required; password reset doesn't protect assets. Audible: used plaintext password to authenticate and used the HTTP GET method. OOB (out-of-band): remember, mobile devices can potentially intercept phone calls, SMS and email.
  Slide 11: Recommendation for future versions: improve or eliminate.
  Slide 12: Android: information sent to advertisers (http://news.techeye.net/mobile/many-android-apps-send-your-private-information-to-advertisers). Apple: collected and stored mobile tower data; called before US Congress to answer questions. Audible: stored URL with password in logfile, also in GET request stored in web server log. Recommendation for future versions: consider combining with M10; consider incorporating the idea of collecting unnecessary but potentially sensitive or private information.
  Slide 14: Recommendation for future versions: consider combining with M8.
  Slide 15: http://www.secureworks.com/cyber-threat-intelligence/advisories/SWRX-2011-002/
  Slide 16: http://www.secureworks.com/cyber-threat-intelligence/advisories/SWRX-2011-004/
  Slide 17: http://stratigossecurity.com/2012/10/03/security-advisory-ustream-mobile-application/
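The Audible finding on slides 9 and 12 (a plaintext password sent as an HTTP GET parameter, which the web server then writes into its access log) is the kind of side-channel leak that is easy to confirm after the fact. The following scanner is an added example, not code from the slides or from any of the vendors named; it parses access-log lines in the Apache/nginx "combined" format and flags query-string parameter names that look like credentials. The log lines, hostnames and paths are constructed for the example, and the list of sensitive parameter names is broader than the slides' single "password" case.

```python
"""Scan web-server access logs for credentials leaked through GET query strings.

Added example (not from the slides). The log lines below are constructed;
the paths and parameter names are illustrative, not real Audible endpoints.
"""
import re
from urllib.parse import urlsplit, parse_qsl

# Apache/nginx "combined" log format:
#   ip - user [time] "METHOD target PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Parameter names that should never travel in a URL (and therefore in logs,
# proxy caches and browser history). Broader than the slides' "password" case.
SENSITIVE_PARAM_RE = re.compile(
    r'(pass(word|wd)?|pwd|secret|token|api[_-]?key|session(id)?|auth|credit|ssn)',
    re.IGNORECASE,
)

# Constructed sample log: one GET login with the password in the URL, one POST
# login (credentials in the body, so nothing to see in the log), one harmless
# request, one token leaked in a sync call, and one unparseable line.
SAMPLE_LOG = """\
10.0.0.5 - - [14/Jul/2013:10:01:02 +0000] "GET /api/login?user=alice&password=Hunter2 HTTP/1.1" 200 512 "-" "ExampleMobile/1.0"
10.0.0.6 - - [14/Jul/2013:10:01:09 +0000] "POST /api/login HTTP/1.1" 200 512 "-" "ExampleMobile/1.0"
10.0.0.7 - - [14/Jul/2013:10:02:11 +0000] "GET /book/123?format=mp3 HTTP/1.1" 200 9981 "-" "ExampleMobile/1.0"
10.0.0.8 - - [14/Jul/2013:10:03:30 +0000] "GET /sync?device_id=ab12&auth_token=eyJhbGciOi HTTP/1.1" 200 77 "-" "ExampleMobile/1.0"
garbage line that does not parse
"""


def parse_line(line):
    """Return the combined-log fields as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def leaked_params(target):
    """Return the query-string keys in a request target whose names look like credentials."""
    query = urlsplit(target).query
    return [k for k, _ in parse_qsl(query, keep_blank_values=True)
            if SENSITIVE_PARAM_RE.search(k)]


def scan_log(text):
    """Return (method, path, leaked_keys) for every logged request whose URL carries a secret.

    Lines that do not parse are skipped rather than aborting the scan, since
    real access logs routinely contain truncated or malformed entries.
    """
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        keys = leaked_params(rec["target"])
        if keys:
            findings.append((rec["method"], urlsplit(rec["target"]).path, keys))
    return findings


if __name__ == "__main__":
    for method, path, keys in scan_log(SAMPLE_LOG):
        print(f"{method} {path}: credential-looking parameters in URL: {', '.join(keys)}")
```

Only the two GET requests are reported. The POST login on the second line carries its credentials in the request body, which the access log never records; that is the practical reason the fix for this class of leak is to move secrets out of the URL (POST body or an Authorization header) rather than to scrub the logs. Run the scanner over a real access log (for example `scan_log(open("access.log").read())`) to confirm whether a mobile client is still sending credentials this way.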
