OWASP Mobile Top 10

© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.
Mobile pitfalls to avoid:
Breaking down the OWASP
Top 10 Mobile Risks

Katie Strzempka
Director of Services
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.
Keith Mokris
Product Marketing Manager

1
Improper
Platform Usage
OWASP MOBILE TOP 10 2016 DRAFT

Misuse of a platform feature or lack of
platform security controls for the
Android or iOS operating systems. Issues
may include incorrect use of the keychain
on iOS or Android intents.

Android - Implement intents carefully
Intents are used for inter-component signaling. Improper
implementation could result in data leakage, restricted functions being
called and program flow being manipulated.
https://books.nowsecure.com/secure-mobile-development/en/
android/implement-intents-carefully.html
iOS - Use the keychain carefully
iOS provides the keychain for secure data storage. However, in several
scenarios, the keychain can be compromised and subsequently
decrypted.
https://books.nowsecure.com/secure-mobile-development/en/ios/
use-the-keychain-carefully.html
Best practice(s):

2
Insecure
Data Storage

Vulnerabilities that
leak personal information and
provide access to hackers.

1 in 10apps leak private, sensitive data like
email, username, or password
NowSecure: 2016 NowSecure Mobile Security Report
Data from testing 400,000 mobile apps

Implement secure data storage
Transmit and display but do not persist to memory. Ensure that an analog leak does not present itself
where screenshots of the data are written to disk. Store only in RAM (clear at application close).
https://books.nowsecure.com/secure-mobile-development/en/sensitive-data/
implement-secure-data-storage.html
Securely store data in RAM
Do not keep sensitive data (e.g., encryption keys) in RAM longer than required. Nullify any variables that
hold keys after use.
https://books.nowsecure.com/secure-mobile-development/en/ios/use-the-keychain-carefully.html
Best practice(s):

3Insecure
Communication

Insecure communication refers to
communications being sent in
cleartext as well as other insecure
methods.

Best practice(s):
Implement secure transmission of sensitive data
Best practices call for app providers to use SSL/TLS effectively to secure the
transmission of passwords, login IDs, and other sensitive data over the network, and
even go further and leverage app-layer encryption to protect user data.
https://books.nowsecure.com/secure-mobile-development/en/sensitive-data/
implement-secure-network-transmission-of-sensitive-data.html

4Insecure
Authentication

Mobile apps need to
securely identify a user and maintain
that user’s identity, especially when
users are calling and sending
sensitive data such as financial
information.

Best practice(s):
Hide account numbers and use
tokens
Given the widespread use of mobile apps in public
places, displaying partial numbers (e.g. *9881) can
help ensure maximum privacy for this information.
Unless there is a need to store the complete number
on the device, store the partially hidden numbers.
https://books.nowsecure.com/secure-mobile-develo
pment/en/sensitive-data/hide-account-numbers-
and-use-tokens.html

● India’s largest startup with $1.1B
in funding was hacked to allow
unlimited free rides
● Hacker used MITM Proxy to view
API calls over HTTP
● No OAuth token mechanism or
encryption was in place to guard
APIs
Source: The Next Web
Example: Ola

5Insufficient
Cryptography

The process behind
encryption and
decryption may allow
a hacker to decrypt
sensitive data.
The algorithm behind
encryption and
decryption may be
weak in nature.

Implement secure data storage
If storing sensitive data on the device is a requirement,
add an additional layer of verified, third-party
encryption. By adding another layer of encryption, you
have more control over the implementation and mitigate
attacks focused on the main OS encryption classes.
https://books.nowsecure.com/secure-mobile-developme
nt/en/sensitive-data/implement-secure-data-storage.ht
ml
Best practice(s):

6Insecure
Authorization

Insecure authorization refers to
the failure of a server to properly
enforce identity and permissions
as stated by the mobile app.

Best practice(s):
Implement proper web
server configuration
Certain settings on a web server can increase
security. One commonly overlooked
vulnerability on a web server is information
disclosure. Information disclosure can lead to
serious problems because every piece of
information attackers can gain from a server
makes staging an attack easier.
https://books.nowsecure.com/secure-mobile-d
evelopment/en/servers/
web-server-configuration.html

7
Client Code
Quality

Risks that come from vulnerabilities like buffer
overflows, format-string vulnerabilities, and
various other code-level mistakes where the
solution is to rewrite some code that's
running on the mobile device.

Vulnerabilities in the Vitamio SDK
NowSecure Blog: World Writable Code Is Bad, MMMMKAY
Best practice(s):
Test third-party libraries
Third-party libraries can contain vulnerabilities
and weaknesses. Many developers assume
third-party libraries are well-developed and
tested, however, issues can and do exist in their
code.
https://books.nowsecure.com/secure-mobile-d
evelopment/en/coding-practices/
test-third-party-libraries.html

8Code
Tampering

When attackers tamper with or
install a backdoor on an app, re-sign
it and publish the malicious version
to third-party app marketplaces.

● 50M downloads in 19 days on
Android alone
● Within 3 days of initial release,
malicious DroidJack software
found on third-party app stores
● Remote Access Tool (RAT) can
open a silent, backdoor for
hackers
Source: NowSecure Blog
Example: PokemonGO

Best practice(s):
Implement anti-tampering techniques
Employ anti-tamper and tamper-detection techniques to prevent illegitimate
applications from executing. Use checksums, digital signatures, and other validation
mechanisms to help detect file tampering.
https://books.nowsecure.com/secure-mobile-development/en/coding-practices/
anti-tamper-techniques.html

9Reverse
Engineering

Reverse engineering refers to
the analysis of a final binary to
determine its source code,
libraries, algorithms, and more.

● Hackers decompiled mobile app
and recompiled it so they didn’t
have to pay for premium content
● If it is possible, hackers will find a
way
Source: Forbes
Example: Tinder

Best practice(s):
Increase code complexity and use obfuscation
Reverse engineering apps can provide valuable insight into how your app works.
Making your app more complex internally makes it more difficult for attackers to see
how the app operates, which can reduce the number of attack vectors.
https://books.nowsecure.com/secure-mobile-development/en/coding-practices/
code-complexity-and-obfuscation.html

1 Extraneous
Functionality
OWASP MOBILE TOP 10 2016 DRAFT0

Developers frequently include hidden
backdoors or security controls they
do not plan on releasing into production.
This error creates risk when a feature is
released to the wild that was
never intended to be shared.

● Manufacturer of hardware chips
and processors for mobile
devices
● A debug tool, left open for
carriers to test network
connections, was left open on
shipped devices
Source: The Hacker News
Example: MediaTek

Best practice(s):
Carefully manage debug logs
Debug logs are generally designed to be used to detect and correct flaws in an
application. These logs can leak sensitive information that may help an attacker create
a more powerful attack.
https://books.nowsecure.com/secure-mobile-development/en/caching-logging/
carefully-manage-debug-logs.html

Review the NowSecure Secure
Mobile Development
Best Practices in their entirety:
Read Now

You can view the GitHub
repository here:
https://github.com/nowsecure/
secure-mobile-development
Contribute to the Secure Mobile
Development Best Practices

OWASP Mobile Top 10

More Related Content

What's hot

Viewers also liked

Similar to OWASP Mobile Top 10

More from NowSecure

Recently uploaded

OWASP Mobile Top 10