Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Related Books

Free with a 30 day trial from Scribd

See all

Related Audiobooks

Free with a 30 day trial from Scribd

See all

Owasp Mobile Top 10 – 2014

  1. 1. N U L L B A N G A L O R E – M A Y 2 0 1 4 M E E T OWASP MOBILE TOP 10 – 2014 INTRODUCTION
  2. 2. OWASP MOBILE TOP-10 • Security project maintained by OWASP. • Intended audience – • developers, • security professionals, • Mobile users  • Home Page – OWASP Mobile security Project • Under development • Currently mainly focuses on iOS and Android mobile platforms.
  3. 3. 2012 2014 M1: Insecure Data Storage M1: Weak Server Side Controls M2: Weak Server Side Controls M2: Insecure Data Storage M3: Insufficient Transport Layer Protection M3: Insufficient Transport Layer Protection M4: Client Side Injection M4: Unintended Data Leakage M5: Poor Authorization and Authentication M5: Poor Authorization and Authentication M6: Improper Session Handling M6: Broken Cryptography M7: Security Decisions Via Untrusted Inputs M7: Client Side Injection M8: Side Channel Data Leakage M8: Security Decisions Via Untrusted Inputs M9: Broken Cryptography M9: Improper Session Handling M10: Sensitive Information Disclosure M10: Lack of Binary Protections
  4. 4. M1 – WEAK SERVER SIDE CONTROLS • Attack vectors generally leading to traditional OWASP Top-10. • SQL Injection, CSRF, etc. • Insecure coding practices.
  5. 5. M2 – INSECURE DATA STORAGE • Cardinal rule of Mobile Apps – • Not to store Data • Local files on Device. • SQLite Db files • Plist files – iOS • XML files • Log files • Manifest files, etc.
  6. 6. M3 – INSUFFICIENT TRANSPORT LAYER PROTECTION • Clear text transport Protocols • Certificate verification • Weak cipher suites • Sensitive data sent over SMS / push Notifications
  7. 7. M4 – UNINTENDED DATA LEAKAGE • Platform cache storage • Clipboard data • Debug Logs • Screenshots, etc.
  8. 8. M5 – POOR AUTHORIZATION AND AUTHENTICATION • Usability leading to short and poor A&A schemas • Spoofable values used for authentication • Geo-locations • Device Identifiers • A&A for Offline services
  9. 9. M6 – BROKEN CRYPTOGRAPHY • Less processing speed on devices • Usage of weak cryptographic algorithms to avoid system delays • RC4 • Base64 • MD5 • Custom cryptographic protocols • Improper Key Management • Hardcoding • Insecure Key transport
  10. 10. M7 – CLIENT SIDE INJECTION • SQLite Injection • Intent sniffing in Android • JavaScript Injection • Local File Inclusions • NSFileManager – iOS • Webviews - Android
  11. 11. M8 – SECURITY DECISIONS VIA UNTRUSTED INPUTS • Inter Process Communication • Data on clipboards /pasteboards • Platform specific Permission Model • Manifest files – Android • Entitlements – iOS
  12. 12. M9 – IMPROPER SESSION HANDLING • Application Backgrounding • Inadequate session Timeouts • Cookie based session management
  13. 13. M10 – LACK OF BINARY PROTECTIONS • Code decrypt of iOS apps • Disassembly of Android apk • Jailbreak detection / Root-Detection Controls • Debug detection controls
  14. 14. VULNERABLE APPS FOR PRACTICE • DVIA – Damn Vulnerable iOS App • Goat Droid • iGoat
  15. 15. NEXT TIME • M10 – Lack of Binary Protections • Jailbroken / Rooted device detection
  16. 16. ? Thank you & Questions

×