SlideShare a Scribd company logo

Owasp Mobile Risk Series : M4 : Unintended Data Leakage

Download as PPTX, PDF
Anant Shrivastava, profile picture
Anant Shrivastava

The document outlines the OWASP Mobile Top 10 Risk M4: Unintended Data Leakage, emphasizing the risks associated with developers unintentionally exposing sensitive information due to operating system quirks. It distinguishes unintended data leakage from insecure data storage, detailing common leakage points such as URL caching, keystroke logging, and third-party libraries. The document also provides prevention strategies, including never logging sensitive data and thoroughly reviewing third-party libraries.

Technology
Related topics:
Information Security
1 of 13
Downloaded 83 times
1
2
3
4
5
6
7
8
9
10
11
12
13
OWASP Mobile Top 10 Risk M4: Unintended Data Leakage Anant Shrivastava
About Me • Anant Shrivastava (@anantshri) • http://www.anantshri.info • Independent Information Security Consultant • Focus Area’s : Web, Mobile, Linux, Automation • Current Project: o CodeVigilant (codevigilant.com) • An initiative to find flaws in open source software and perform a responsible disclosure. Website currently holds 160+ disclosed vulnerability in various wordpress plugins. o Android Tamer (androidtamer.com) • Live ISO environment for Android Security Researchers. Used by multiple researchers as well as Trainers across the globe.
Agenda • Understand Data Leakage • Difference from M2: Insecure data storage • Example of Unintended data leakage • How to spot data leakage • How to prevent it
Data Leakage • When a developer inadvertently places sensitive information or data in a location on the mobile device that is easily accessible by other apps on the device. • Typically, these side-effects originate from the underlying mobile device's operating system (OS). • This will be a very prevalent vulnerability for code produced by a developer that does not have intimate knowledge of how that information can be stored or processed by the underlying OS
M4 v/s M2 • This is what confused most. How does unintended data leakage differ from insecure data storage. • Simply put • M2 : Insecure data storage talks about conscious efforts to store data in insecure manner. • M4: Unintended data leakage talks about OS specific quirks which can cause data leakages.
Common Leakage Points • URL Caching (Both request and response) • Keyboard Press Caching • Copy/Paste buffer Caching • Application backgrounding • Logging • HTML5 data storage • Browser cookie objects • Analytics data sent to 3rd parties (ad, social networks etc)
Common Leakage Points • Disabling screen shots (backgrounding) -- iOS and Android take screen shots of the application before backgrounding the application for improving perceived performance of the application reactivation. However, these screen shots are a cause of security concern due to the potential leak of customer data. • Key stroke logging -- On iOS and Android, some of the information entered via keyboard is automatically logged in the application directory for use with type-ahead capabilities. This feature could lead to potential leaks of customer data. • Third-party libraries -- These libraries (such as ad libraries) can leak user information about the user, the device, or the user's location.
Common Leakage Points • Debugging messages -- Applications can write sensitive data in debugging logs. Setting the logging level to FINE results in log messages being written for all of the data transmitted between the user's device and the server. • Disable clipboard copy and open-in functionality for sensitive documents displayed as part of the application. MAF currently does not provide the capability to disable copy and open-in functionality and is being targeted for a future release. • Temporary directories -- They may contain sensitive information.
Example • Data Leakage via Log’s
Example • Firefox
Preventions • never log credentials, PII, or other sensitive data to system logs • remove sensitive data before screenshots are taken • disable keystroke logging per field, and utilize anti-caching directives for web content • debug apps before releasing them to observe files created • review third party libraries introduced and the data they consume, and • test applications across as many platform versions as possible.
References • https://www.owasp.org/index.php/Mobile_Top_10_ 2014-M4 • http://securityintelligence.com/vulnerabilities-firefox- android-overtaking-firefox-profiles/ • http://docs.oracle.com/middleware/mobile200/mo bile/develop-oepe/oepe-maf-secure-dev-pract. htm • https://www.owasp.org/index.php/IOS_Developer_ Cheat_Sheet
Question Time

More Related Content

PPTX
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...
Ajin Abraham
 
PPTX
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
Ajin Abraham
 
PDF
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
Anant Shrivastava
 
PDF
Owasp Mobile Top 10 – 2014
n|u - The Open Security Community
 
PPTX
Mobile security, OWASP Mobile Top 10, OWASP Seraphimdroid
Nikola Milosevic
 
PPTX
Owasp mobile top 10
Pawel Rzepa
 
PDF
OWASP Top 10 for Mobile
Appvigil - Mobile App Security Scanner
 
PPTX
Addressing the OWASP Mobile Security Threats using Xamarin
Alec Tucker
 
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...
Ajin Abraham
 
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
Ajin Abraham
 
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
Anant Shrivastava
 
Owasp Mobile Top 10 – 2014
n|u - The Open Security Community
 
Mobile security, OWASP Mobile Top 10, OWASP Seraphimdroid
Nikola Milosevic
 
Owasp mobile top 10
Pawel Rzepa
 
OWASP Top 10 for Mobile
Appvigil - Mobile App Security Scanner
 
Addressing the OWASP Mobile Security Threats using Xamarin
Alec Tucker
 

What's hot (20)

PPTX
Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Ajin Abraham
 
PDF
Owasp Mobile Top 10 - M7 & M8
5h1vang
 
PDF
OWASP Mobile Security: Top 10 Risks for 2017
TecsyntSolutions
 
PDF
Understanding The Known: OWASP A9 Using Components With Known Vulnerabilities
Anant Shrivastava
 
PDF
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Ajin Abraham
 
PDF
OWASP Top 10 - The Ten Most Critical Web Application Security Risks
All Things Open
 
PPTX
OWASP Mobile TOP 10 2014
Islam Azeddine Mennouchi
 
PDF
Mobile Application Pentest [Fast-Track]
Prathan Phongthiproek
 
PDF
Pentesting Mobile Applications (Prashant Verma)
ClubHack
 
PPTX
[OPD 2019] AST Platform and the importance of multi-layered application secu...
OWASP
 
PPTX
Owasp top 10 vulnerabilities
OWASP Delhi
 
PPTX
Android pen test basics
OWASPKerala
 
PPTX
Android Application Penetration Testing - Mohammed Adam
Mohammed Adam
 
PDF
OISC 2019 - The OWASP Top 10 & AppSec Primer
ThreatReel Podcast
 
PPTX
Secure Coding 2013
The eCore Group
 
PDF
Mobile Defense-in-Dev (Depth)
Prathan Phongthiproek
 
PPTX
Security Testing Training With Examples
Alwin Thayyil
 
PDF
Introduction to Security Testing
vodQA
 
PDF
OWASP Top Ten in Practice
Security Innovation
 
PPTX
Penetrating Android Aapplications
Roshan Thomas
 
Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Ajin Abraham
 
Owasp Mobile Top 10 - M7 & M8
5h1vang
 
OWASP Mobile Security: Top 10 Risks for 2017
TecsyntSolutions
 
Understanding The Known: OWASP A9 Using Components With Known Vulnerabilities
Anant Shrivastava
 
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Ajin Abraham
 
OWASP Top 10 - The Ten Most Critical Web Application Security Risks
All Things Open
 
OWASP Mobile TOP 10 2014
Islam Azeddine Mennouchi
 
Mobile Application Pentest [Fast-Track]
Prathan Phongthiproek
 
Pentesting Mobile Applications (Prashant Verma)
ClubHack
 
[OPD 2019] AST Platform and the importance of multi-layered application secu...
OWASP
 
Owasp top 10 vulnerabilities
OWASP Delhi
 
Android pen test basics
OWASPKerala
 
Android Application Penetration Testing - Mohammed Adam
Mohammed Adam
 
OISC 2019 - The OWASP Top 10 & AppSec Primer
ThreatReel Podcast
 
Secure Coding 2013
The eCore Group
 
Mobile Defense-in-Dev (Depth)
Prathan Phongthiproek
 
Security Testing Training With Examples
Alwin Thayyil
 
Introduction to Security Testing
vodQA
 
OWASP Top Ten in Practice
Security Innovation
 
Penetrating Android Aapplications
Roshan Thomas
 
Ad

Similar to Owasp Mobile Risk Series : M4 : Unintended Data Leakage (20)

PPTX
Untitled 1
Sergey Kochergan
 
PPTX
Security testing of mobile applications
GTestClub
 
PPTX
Webdays blida mobile top 10 risks
Islam Azeddine Mennouchi
 
PDF
Owasp advanced mobile-application-code-review-techniques-v0.2
drewz lin
 
PDF
Spikes Security Isla Isolation
Cybryx
 
PDF
Yow connected developing secure i os applications
mgianarakis
 
PPT
Security Testing for Mobile and Web Apps
DrKaramHatim
 
PDF
CNIT 128 8: Mobile development security
Sam Bowne
 
PPTX
Application Explosion How to Manage Productivity vs Security
Lumension
 
PPTX
Building a Mobile Security Program
Denim Group
 
PDF
Secure coding guidelines
Zakaria SMAHI
 
PPT
Mobile code mining for discovery and exploits nullcongoa2013
Blueinfy Solutions
 
PDF
Best Practices for Developing Secure Web Applications
ScalaCode
 
PPTX
Virtue Security - The Art of Mobile Security 2013
Virtue Security
 
PDF
Cybersecurity update 12
Jim Kaplan CIA CFE
 
PDF
ISACA CACS 2012 - Mobile Device Security and Privacy
Michael Davis
 
PPT
Sql securitytesting
Thilak Pathirage -Senior IT Gov and Risk Consultant
 
PDF
Wfh security risks - Ed Adams, President, Security Innovation
Priyanka Aash
 
PPT
30ITSecurityThreatsVulnerabilitiesandCountermeasuresV1.ppt
Kaukau9
 
PPTX
Hacking Mobile Apps
Sophos Benelux
 
Untitled 1
Sergey Kochergan
 
Security testing of mobile applications
GTestClub
 
Webdays blida mobile top 10 risks
Islam Azeddine Mennouchi
 
Owasp advanced mobile-application-code-review-techniques-v0.2
drewz lin
 
Spikes Security Isla Isolation
Cybryx
 
Yow connected developing secure i os applications
mgianarakis
 
Security Testing for Mobile and Web Apps
DrKaramHatim
 
CNIT 128 8: Mobile development security
Sam Bowne
 
Application Explosion How to Manage Productivity vs Security
Lumension
 
Building a Mobile Security Program
Denim Group
 
Secure coding guidelines
Zakaria SMAHI
 
Mobile code mining for discovery and exploits nullcongoa2013
Blueinfy Solutions
 
Best Practices for Developing Secure Web Applications
ScalaCode
 
Virtue Security - The Art of Mobile Security 2013
Virtue Security
 
Cybersecurity update 12
Jim Kaplan CIA CFE
 
ISACA CACS 2012 - Mobile Device Security and Privacy
Michael Davis
 
Sql securitytesting
Thilak Pathirage -Senior IT Gov and Risk Consultant
 
Wfh security risks - Ed Adams, President, Security Innovation
Priyanka Aash
 
30ITSecurityThreatsVulnerabilitiesandCountermeasuresV1.ppt
Kaukau9
 
Hacking Mobile Apps
Sophos Benelux
 
Ad

More from Anant Shrivastava (20)

PDF
Diverseccon keynote: My 2 Paisa's on Infosec World
Anant Shrivastava
 
PDF
Null bhopal Sep 2016: What it Takes to Secure a Web Application
Anant Shrivastava
 
PDF
Android Tamer BH USA 2016 : Arsenal Presentation
Anant Shrivastava
 
PDF
Android Tamer: Virtual Machine for Android (Security) Professionals
Anant Shrivastava
 
PDF
Slides null puliya linux basics
Anant Shrivastava
 
PDF
SSL Pinning and Bypasses: Android and iOS
Anant Shrivastava
 
PDF
Exploiting publically exposed Version Control System
Anant Shrivastava
 
PDF
Tale of Forgotten Disclosure and Lesson learned
Anant Shrivastava
 
PDF
My tryst with sourcecode review
Anant Shrivastava
 
PDF
Snake bites : Python for Pentesters
Anant Shrivastava
 
PDF
OWASP Bangalore : OWTF demo : 13 Dec 2014
Anant Shrivastava
 
PDF
Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014
Anant Shrivastava
 
PDF
When the internet bleeded : RootConf 2014
Anant Shrivastava
 
PDF
Raspberry pi Beginners Session
Anant Shrivastava
 
PPTX
Career In Information security
Anant Shrivastava
 
PDF
WhitePaper : Security issues in android custom rom
Anant Shrivastava
 
PDF
Security Issues in Android Custom ROM
Anant Shrivastava
 
PDF
Web application finger printing - whitepaper
Anant Shrivastava
 
PDF
Battle Underground NullCon 2011 Walkthrough
Anant Shrivastava
 
PDF
Nullcon Hack IM 2011 walk through
Anant Shrivastava
 
Diverseccon keynote: My 2 Paisa's on Infosec World
Anant Shrivastava
 
Null bhopal Sep 2016: What it Takes to Secure a Web Application
Anant Shrivastava
 
Android Tamer BH USA 2016 : Arsenal Presentation
Anant Shrivastava
 
Android Tamer: Virtual Machine for Android (Security) Professionals
Anant Shrivastava
 
Slides null puliya linux basics
Anant Shrivastava
 
SSL Pinning and Bypasses: Android and iOS
Anant Shrivastava
 
Exploiting publically exposed Version Control System
Anant Shrivastava
 
Tale of Forgotten Disclosure and Lesson learned
Anant Shrivastava
 
My tryst with sourcecode review
Anant Shrivastava
 
Snake bites : Python for Pentesters
Anant Shrivastava
 
OWASP Bangalore : OWTF demo : 13 Dec 2014
Anant Shrivastava
 
Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014
Anant Shrivastava
 
When the internet bleeded : RootConf 2014
Anant Shrivastava
 
Raspberry pi Beginners Session
Anant Shrivastava
 
Career In Information security
Anant Shrivastava
 
WhitePaper : Security issues in android custom rom
Anant Shrivastava
 
Security Issues in Android Custom ROM
Anant Shrivastava
 
Web application finger printing - whitepaper
Anant Shrivastava
 
Battle Underground NullCon 2011 Walkthrough
Anant Shrivastava
 
Nullcon Hack IM 2011 walk through
Anant Shrivastava
 

Recently uploaded (20)

PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PDF
KodekX | Application Modernization Development
KodekX
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PDF
Modernizing your data center with Dell and AMD
Principled Technologies
 
PDF
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PDF
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PPTX
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
KodekX | Application Modernization Development
KodekX
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
Modernizing your data center with Dell and AMD
Principled Technologies
 
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
Cloud computing and distributed systems.
kkkkkhan
 

Owasp Mobile Risk Series : M4 : Unintended Data Leakage

  • 1. OWASP Mobile Top 10 Risk M4: Unintended Data Leakage Anant Shrivastava
  • 2. About Me • Anant Shrivastava (@anantshri) • http://www.anantshri.info • Independent Information Security Consultant • Focus Area’s : Web, Mobile, Linux, Automation • Current Project: o CodeVigilant (codevigilant.com) • An initiative to find flaws in open source software and perform a responsible disclosure. Website currently holds 160+ disclosed vulnerability in various wordpress plugins. o Android Tamer (androidtamer.com) • Live ISO environment for Android Security Researchers. Used by multiple researchers as well as Trainers across the globe.
  • 3. Agenda • Understand Data Leakage • Difference from M2: Insecure data storage • Example of Unintended data leakage • How to spot data leakage • How to prevent it
  • 4. Data Leakage • When a developer inadvertently places sensitive information or data in a location on the mobile device that is easily accessible by other apps on the device. • Typically, these side-effects originate from the underlying mobile device's operating system (OS). • This will be a very prevalent vulnerability for code produced by a developer that does not have intimate knowledge of how that information can be stored or processed by the underlying OS
  • 5. M4 v/s M2 • This is what confused most. How does unintended data leakage differ from insecure data storage. • Simply put • M2 : Insecure data storage talks about conscious efforts to store data in insecure manner. • M4: Unintended data leakage talks about OS specific quirks which can cause data leakages.
  • 6. Common Leakage Points • URL Caching (Both request and response) • Keyboard Press Caching • Copy/Paste buffer Caching • Application backgrounding • Logging • HTML5 data storage • Browser cookie objects • Analytics data sent to 3rd parties (ad, social networks etc)
  • 7. Common Leakage Points • Disabling screen shots (backgrounding) -- iOS and Android take screen shots of the application before backgrounding the application for improving perceived performance of the application reactivation. However, these screen shots are a cause of security concern due to the potential leak of customer data. • Key stroke logging -- On iOS and Android, some of the information entered via keyboard is automatically logged in the application directory for use with type-ahead capabilities. This feature could lead to potential leaks of customer data. • Third-party libraries -- These libraries (such as ad libraries) can leak user information about the user, the device, or the user's location.
  • 8. Common Leakage Points • Debugging messages -- Applications can write sensitive data in debugging logs. Setting the logging level to FINE results in log messages being written for all of the data transmitted between the user's device and the server. • Disable clipboard copy and open-in functionality for sensitive documents displayed as part of the application. MAF currently does not provide the capability to disable copy and open-in functionality and is being targeted for a future release. • Temporary directories -- They may contain sensitive information.
  • 9. Example • Data Leakage via Log’s
  • 11. Preventions • never log credentials, PII, or other sensitive data to system logs • remove sensitive data before screenshots are taken • disable keystroke logging per field, and utilize anti-caching directives for web content • debug apps before releasing them to observe files created • review third party libraries introduced and the data they consume, and • test applications across as many platform versions as possible.
  • 12. References • https://www.owasp.org/index.php/Mobile_Top_10_ 2014-M4 • http://securityintelligence.com/vulnerabilities-firefox- android-overtaking-firefox-profiles/ • http://docs.oracle.com/middleware/mobile200/mo bile/develop-oepe/oepe-maf-secure-dev-pract. htm • https://www.owasp.org/index.php/IOS_Developer_ Cheat_Sheet

Editor's Notes

  • #2: ----- Meeting Notes (20/09/14 06:32) ----- By Anant shrivastava
  • #5: As Per OWASP