Owasp Mobile Top 10 – 2014

null Bangalore Chapter - May 2014 Meet
NULL BANGALORE – MAY 2014 MEET
OWASP MOBILE TOP 10 – 2014
INTRODUCTION
OWASP MOBILE TOP-10
• Security project maintained by OWASP.
• Intended audience –
  • developers,
  • security professionals,
  • mobile users
• Home page – OWASP Mobile Security Project
• Under development
• Currently focuses mainly on the iOS and Android mobile platforms.
2012                                           2014
M1:  Insecure Data Storage                     M1:  Weak Server Side Controls
M2:  Weak Server Side Controls                 M2:  Insecure Data Storage
M3:  Insufficient Transport Layer Protection   M3:  Insufficient Transport Layer Protection
M4:  Client Side Injection                     M4:  Unintended Data Leakage
M5:  Poor Authorization and Authentication     M5:  Poor Authorization and Authentication
M6:  Improper Session Handling                 M6:  Broken Cryptography
M7:  Security Decisions Via Untrusted Inputs   M7:  Client Side Injection
M8:  Side Channel Data Leakage                 M8:  Security Decisions Via Untrusted Inputs
M9:  Broken Cryptography                       M9:  Improper Session Handling
M10: Sensitive Information Disclosure          M10: Lack of Binary Protections
M1 – WEAK SERVER SIDE CONTROLS
• The mobile app is only a client; the attack vectors here are the ones in the traditional (web) OWASP Top-10 applied to the back-end.
  • SQL Injection, CSRF, etc.
• Insecure coding practices on the server side.
M2 – INSECURE DATA STORAGE
• Cardinal rule of mobile apps – do not store sensitive data on the device unless the app cannot work without it.
• Local files on the device where data ends up in clear text:
  • SQLite DB files
  • Plist files – iOS
  • XML files
  • Log files
  • Manifest files, etc.
M3 – INSUFFICIENT TRANSPORT LAYER PROTECTION
• Clear-text transport protocols
• Missing or disabled certificate verification (accept-all trust managers, hostname check switched off)
• Weak cipher suites
• Sensitive data sent over SMS / push notifications
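The failure mode on this slide next to its fix, as an added example that is not part of the deck: insecure_context() is the setup an app ships when a developer silences a certificate error, hardened_context() is the corrected client configuration (chain validation, hostname check, TLS 1.2 minimum, no weak suites), and cert_pin_matches() adds certificate pinning on top. Host, port and the pin digests are placeholders; the network call in connect_pinned() is illustrative and not exercised offline.

```python
"""Added example for M3: insecure vs hardened TLS client setup, plus a leaf-certificate
pin check. Host/port/pin values are placeholders, not from a real app."""
import hashlib
import hmac
import socket
import ssl


def insecure_context():
    """No chain validation, no hostname check: any interception certificate is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context():
    """System trust store, hostname verification on, TLS 1.2+, forward-secret AEAD suites only."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # No RC4, no CBC/SHA1 suites, no static RSA key transport.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx


def leaf_digest(der_cert):
    """SHA-256 over the DER encoding of the leaf certificate, hex-encoded."""
    return hashlib.sha256(der_cert).hexdigest()


def cert_pin_matches(der_cert, pinned_sha256_hex):
    """Pinning on top of chain validation: compare the leaf digest against digests baked into
    the app. Ship at least two pins (current + backup) so a rotation does not brick the app.
    Constant-time comparison so a pin cannot be probed byte by byte."""
    digest = leaf_digest(der_cert)
    return any(hmac.compare_digest(digest, pin) for pin in pinned_sha256_hex)


def connect_pinned(host, port, pins, timeout=10):
    """Open a TLS connection with the hardened context and refuse to talk if the server's
    leaf certificate is not pinned. Network call; shown for completeness only."""
    ctx = hardened_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            leaf = tls.getpeercert(binary_form=True)
            if not cert_pin_matches(leaf, pins):
                raise ssl.SSLError(f"certificate for {host} matches no pinned digest")
            return tls.version()
```

A quick review check for this slide is to grep the app for the equivalents of insecure_context(): TrustManager implementations with empty checkServerTrusted bodies, ALLOW_ALL_HOSTNAME_VERIFIER, or NSURLConnection delegates that unconditionally accept the server trust.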
M4 – UNINTENDED DATA LEAKAGE
• Platform cache storage
• Clipboard data
• Debug logs
• Screenshots, etc.
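One way to check an app for the M2 and M4 findings on the two slides above, as an added example that is not from the deck: a scanner run over a pulled sandbox (SQLite database, Android shared_prefs XML) and a logcat capture, looking for credential-named fields and token or card-number shaped values. The sample database, preferences file and log lines are constructed inline; the package name, table layout and regexes are illustrative heuristics to tune for the app under review.

```python
"""Added example for M2 / M4: scan a pulled app sandbox and a logcat capture for secrets
stored or logged in clear text. All sample data below is constructed for the demo."""
import os
import re
import sqlite3
import tempfile
import xml.etree.ElementTree as ET

# Heuristics: names that suggest a credential, and value shapes that look like a JWT
# or a card number (PAN). Expect some noise; that is what manual review is for.
SENSITIVE_KEY = re.compile(r"pass(word|wd)?|token|secret|session|card", re.I)
JWT_SHAPE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")
PAN_SHAPE = re.compile(r"\b\d{13,19}\b")


def quote_ident(name):
    """Double-quote an SQLite identifier; table/column names come from an untrusted DB file."""
    return '"' + name.replace('"', '""') + '"'


def scan_sqlite(path):
    """Findings (file, table.column, value) for sensitively-named columns that hold data."""
    findings = []
    con = sqlite3.connect(path)
    try:
        tables = [r[0] for r in con.execute("SELECT name FROM sqlite_master WHERE type='table'")]
        for table in tables:
            cols = [r[1] for r in con.execute(f"PRAGMA table_info({quote_ident(table)})")]
            for col in cols:
                if not SENSITIVE_KEY.search(col):
                    continue
                sql = f"SELECT {quote_ident(col)} FROM {quote_ident(table)}"
                for (value,) in con.execute(sql):
                    if value:
                        findings.append((path, f"{table}.{col}", str(value)))
    finally:
        con.close()
    return findings


def scan_shared_prefs(path):
    """Android shared_prefs XML: <string name="auth_token">...</string> style entries."""
    findings = []
    for el in ET.parse(path).getroot():
        name = el.get("name", "")
        value = el.text or el.get("value") or ""
        if SENSITIVE_KEY.search(name) and value.strip():
            findings.append((path, name, value.strip()))
    return findings


def scan_logcat(lines):
    """Debug logs: any token or card-number shaped value in a log line is a leak."""
    findings = []
    for n, line in enumerate(lines, 1):
        for pattern, label in ((JWT_SHAPE, "jwt"), (PAN_SHAPE, "pan")):
            for m in pattern.finditer(line):
                findings.append(("logcat", f"line {n} ({label})", m.group(0)))
    return findings


# Constructed sample sandbox, shaped like what `adb pull /data/data/<pkg>/` returns.
SAMPLE_PREFS_XML = (
    '<?xml version="1.0" encoding="utf-8"?>\n<map>\n'
    '  <string name="auth_token">eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.c2ln</string>\n'
    '  <boolean name="dark_mode" value="true" />\n'
    "</map>\n"
)
SAMPLE_LOGCAT = [  # constructed log lines, not captured from a real device
    "D/LoginActivity: user=alice status=ok",
    "D/Payments: charging card 4111111111111111 amount=12.00",
    "D/Net: Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.c2ln",
]


def build_sample_sandbox(root):
    """Write the constructed database and preferences file under root; return their paths."""
    db = os.path.join(root, "databases", "app.db")
    os.makedirs(os.path.dirname(db))
    con = sqlite3.connect(db)
    con.execute("CREATE TABLE users(id INTEGER, username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES (1, 'alice', 'Summer2014!')")
    con.commit()
    con.close()
    prefs_dir = os.path.join(root, "shared_prefs")
    os.makedirs(prefs_dir)
    prefs = os.path.join(prefs_dir, "com.example.app_preferences.xml")
    with open(prefs, "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_PREFS_XML)
    return db, prefs


def run_scan():
    """Build the sample sandbox in a temp dir and return every finding from all three scanners."""
    with tempfile.TemporaryDirectory() as root:
        db, prefs = build_sample_sandbox(root)
        return scan_sqlite(db) + scan_shared_prefs(prefs) + scan_logcat(SAMPLE_LOGCAT)


if __name__ == "__main__":
    for where, what, value in run_scan():
        print(f"{where}: {what} -> {value}")
```

On a real engagement the same three functions run over the pulled directory tree and a saved `adb logcat` dump; every hit is something that should either not be on the device at all or should be in platform-protected storage rather than a world-readable file or the log.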
M5 – POOR AUTHORIZATION AND AUTHENTICATION
• Usability pressure leads to short, weak authentication and authorization (A&A) schemes
• Spoofable values used for authentication:
  • Geo-locations
  • Device identifiers
• A&A for offline services (decisions made entirely on the client, where they can be altered)
M6 – BROKEN CRYPTOGRAPHY
• Limited processing speed on devices
• Weak or misapplied algorithms used to avoid system delays:
  • RC4
  • Base64 (an encoding, not encryption; anyone can reverse it)
  • MD5
• Custom cryptographic protocols
• Improper key management:
  • Hard-coded keys
  • Insecure key transport
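The three anti-patterns on this slide, shown beside what to use instead, as an added example that is not from the deck: a hard-coded RC4 key (the textbook RC4 is written out so the keystream-reuse leak can be shown offline), Base64 used as "encryption", and unsalted MD5 for passwords, versus salted PBKDF2-HMAC-SHA256 from the standard library. The key, passwords and salts are constructed values.

```python
"""Added example for M6: slide anti-patterns (hard-coded RC4 key, Base64 'encryption',
unsalted MD5) beside the stdlib fix for password storage. All values are constructed."""
import base64
import hashlib
import hmac
import os


def rc4(key, data):
    """Textbook RC4 (KSA + PRGA), included only to demonstrate why it is on the slide."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


HARDCODED_KEY = b"s3cr3tAppKey"  # anti-pattern: one key baked into every copy of the binary


def keystream_reuse_leak(c1, c2, known_p1):
    """A fixed key means a fixed keystream, so c1 XOR c2 == p1 XOR p2: anyone who knows
    one plaintext (e.g. their own record) reads another user's, without touching the key."""
    n = min(len(c1), len(c2), len(known_p1))
    return bytes(a ^ b ^ c for a, b, c in zip(c1[:n], c2[:n], known_p1[:n]))


def base64_protect(secret):
    """Anti-pattern: Base64 is an encoding; the 'decryption' routine is in every textbook."""
    return base64.b64encode(secret.encode()).decode()


def base64_recover(blob):
    return base64.b64decode(blob).decode()


def weak_hash(password):
    """Anti-pattern: unsalted MD5. Fast to brute-force, and precomputed tables exist."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password, salt=None, iterations=200_000):
    """Salted PBKDF2-HMAC-SHA256 from the stdlib; the parameters travel with the hash."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt/iterations and compare in constant time."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)
```

The RC4 demonstration is the practical consequence of "hard-coded key": with a stream cipher, the key being fixed across installs makes every ciphertext in every user's database XOR-related, so the algorithm choice and the key management failure compound each other.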
M7 – CLIENT SIDE INJECTION
• SQLite injection
• Intent sniffing in Android
• JavaScript injection
• Local file inclusion
  • NSFileManager – iOS
  • WebViews – Android
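The SQLite injection item from this slide worked through, as an added example that is not from the deck: a notes query built by string concatenation beside its parameterised form, driven against a constructed in-memory database with two tautology and UNION payloads. The table layout, data and payloads are invented for the demonstration.

```python
"""Added example for M7 (SQLite injection): concatenated query vs bound parameters,
against a constructed in-memory database."""
import sqlite3


def make_db():
    """Constructed app database: per-user notes plus a users table the notes query should never reach."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE notes(id INTEGER PRIMARY KEY, owner TEXT, body TEXT)")
    con.execute("CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    con.executemany("INSERT INTO notes(owner, body) VALUES (?, ?)", [
        ("alice", "alice: grocery list"),
        ("bob", "bob: bank pin 4412"),
    ])
    con.execute("INSERT INTO users(username, password) VALUES ('alice', 'Summer2014!')")
    return con


def notes_vulnerable(con, owner):
    """The bug: the caller-supplied value is spliced into the SQL text, so it can close the
    string literal and continue the statement (the rawQuery-with-concatenation pattern)."""
    sql = "SELECT body FROM notes WHERE owner = '" + owner + "'"
    return [row[0] for row in con.execute(sql)]


def notes_safe(con, owner):
    """The fix: bound parameters. The value is data and can never become SQL grammar."""
    return [row[0] for row in con.execute("SELECT body FROM notes WHERE owner = ?", (owner,))]


# Two payloads an attacker can push through any input that reaches the query
# (an Intent extra, a deep link, a form field).
TAUTOLOGY = "x' OR '1'='1"                        # reads every owner's notes
UNION = "x' UNION SELECT password FROM users--"   # reads a different table entirely


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, tautology:", notes_vulnerable(db, TAUTOLOGY))
    print("vulnerable, union:    ", notes_vulnerable(db, UNION))
    print("safe, tautology:      ", notes_safe(db, TAUTOLOGY))
```

Python's sqlite3 refuses to execute more than one statement per call, so stacked-query payloads (`'; DROP TABLE ...`) fail here; boolean and UNION payloads do not need a second statement, which is why they are the ones to test for.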
M8 – SECURITY DECISIONS VIA UNTRUSTED INPUTS
• Inter-process communication (IPC)
• Data on clipboards / pasteboards
• Platform-specific permission model
  • Manifest files – Android
  • Entitlements – iOS
M9 – IMPROPER SESSION HANDLING
• Application backgrounding
• Inadequate session timeouts
• Cookie-based session management
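A client-side session object that implements the three points above, as an added example that is not from the deck: an idle timeout, an absolute lifetime, and a grace period after the app is backgrounded, after which the token is dropped and the user must re-authenticate. The timeout values are illustrative, the clock is passed in so the policy can be exercised offline, and the same limits must be enforced on the server for the token itself; the client copy only shortens the window on a lost or shared device.

```python
"""Added example for M9: session lifetime policy on the client. Timeouts are illustrative."""
IDLE_TIMEOUT = 5 * 60        # seconds without activity before re-authentication
ABSOLUTE_TIMEOUT = 8 * 3600  # hard cap on session age regardless of activity
BACKGROUND_GRACE = 30        # seconds the app may sit in the background before the session is dropped


class MobileSession:
    def __init__(self, token, now):
        self.token = token
        self.created = now
        self.last_active = now
        self.backgrounded_at = None
        self.revoked = False

    def is_valid(self, now):
        if self.revoked:
            return False
        if now - self.created > ABSOLUTE_TIMEOUT:
            return False
        if now - self.last_active > IDLE_TIMEOUT:
            return False
        if self.backgrounded_at is not None and now - self.backgrounded_at > BACKGROUND_GRACE:
            return False
        return True

    def touch(self, now):
        """Call on every authenticated request; False means the caller must re-authenticate."""
        if not self.is_valid(now):
            self.revoke()
            return False
        self.last_active = now
        return True

    def on_background(self, now):
        """Start the background clock; sensitive screens should also be blanked here."""
        self.backgrounded_at = now

    def on_foreground(self, now):
        """Returns True if the session survived the time in the background."""
        ok = self.is_valid(now)
        self.backgrounded_at = None
        if not ok:
            self.revoke()
        return ok

    def revoke(self):
        """Forget the credential in memory; the server-side session must be invalidated too."""
        self.revoked = True
        self.token = None
```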
M10 – LACK OF BINARY PROTECTIONS
• Decrypting iOS app binaries
• Disassembly of an Android APK
• Jailbreak / root detection controls
• Debug detection controls
VULNERABLE APPS FOR PRACTICE
• DVIA – Damn Vulnerable iOS App
• GoatDroid
• iGoat
NEXT TIME
• M10 – Lack of Binary Protections
• Jailbroken / rooted device detection
Thank you & Questions
