OWASP Top 10 for Mobile

Mobile App Security Meet
OWASP Mobile Top 10

Recap
History
● Open Web Application Security Project
● Started in 2001 as an online community
● De facto standard for Application security
● Mandated standard by Compliances
● 42000+ Strong

Famous Projects
● Top 10 Issues (Documentation)
● Security tools
● Damn Vulnerable Apps (WebGoat)
● Code Review Guidelines

Why Top10 for Mobile?
● Started in 2010
● Essential : Mobile >>> PC/Laptop
● Attack Landscape
● More Targets
● 6.1B by 2018

What Mobile App Security boils down to?

Securing assets on the device

Principles
➢ Do not store/leak data ➢ Do not Drive

Principles
➢ Do not store/leak data
➢ Do not store/leak sensitive data
➢ Do not Drive
➢ Do not Drink and Drive

Principles
➢ Do not store/leak data
➢ Do not store/leak sensitive data
➢ Do not store/leak sensitive data in plain
➢ Do not Drive
➢ Do not Drink and Drive
➢ Do not Drink and Drive in a F1 race

Relevant OWASP Sections
● M2 – Insecure Data Storage
● M4 – Unintended Data Leakage
● M7 – Client Side Injection
● M10 – Lack of Binary Protection

M2 – Insecure Data Storage
● Adversary got physical access to phone
● Presence of Malware which accesses file system
● Your app runs on a rooted or jailbroken device

M2 : Whats stored?
● Unames
● Authtokens
● Passwords
● UDID/EMEI **
● SSN
● Credit card Numbers
● Appdata – Cache, Log,

M2 : Locations
● SQLite Dbs
● Log Files
● PlistFiles
● XML Files
● SD Card
● CloudSynced
● Shared Preferences

M4 : Unintended Data Leakage
● Placing sensitive information in insecure location
● Overlap with M2

M4 : Threat Model Locations
● Application Backgrounding
● Logging
● Clipboard
● URL Caching
● CrashLogs
● LocalStorage
● Analytics Data sent

M7 Client Side Injections
● Execution of malicious code in the context and scope of mobile app
● Sometimes with privileged scope

M7 : Locations
● Sqlite Injection
● Local file Inclusions
● XSS (WebView)
● Intent Injections

M10 : lack of Binary Protection
● A Binary at a client side cannot be trusted for its integrity
● Execution of a Binary can be monitored and altered
● IP can be decoded and used elsewhere

M10 : Results in
● Repackaging to insert Malware or Adware
● Bypass security Control
● Runtime Code Injection
● Method Swizzling

M10 : Best Practices
● JailBreak Detection Controls
● Checksum Controls
● Debug Detection controls
● Android Root Detection

Securing assets on the wire and at server

● M1 – Weak Server Side Controls
● M3 – Insufficient Transport Layer Protection
● M5 – Poor Authentication and Authorisation
● M6 – Broken Cryptography
● M8 - Security Decisions via Untrusted Inputs
● M9 – Improper Session Handling

M1 : Weak Server Side Controls
● Traditions SQL Injection
● XSS
● CSRF
● Other OWASP Top 10 (Web)

M3 : Insufficient Transport Layer Protection
● Results in MITM
● SSL Certificates
● Strong enough Ciphers
● HTTP/HTTPS
● SSL Pinning

M5 : Poor Authentication and Authorisation
All client-side authorization and authentication controls will be
bypassed
”

M5 : Poor Authentication and Authorisation
Authorization and authentication controls must be re-enforced
on the server-side

M9 : Improper Session Handling
● Results are same as M5
● Have a good time out
● Rotate cookies
● Switching access levels
● Creation of secure tokens

M6 : Broken Cryptography
● Still using MD5, RC2 ?
● Move on!
● Use strong Algos
● White Box Crypto (WBC)!!

M8 : Security Decisions Via Untrusted Inputs
● Threat model all your app inputs
● IPC??
● Hidden fields
● Parameters to determine access level

Conclusion
● Mobile App Security is critical and maturing at a faster pace
● Refer to OWASP guidelines to build accepted level of security within the mobile applications

OWASP Top 10 for Mobile

More Related Content

What's hot (20)

Viewers also liked (8)

Similar to OWASP Top 10 for Mobile (20)

OWASP Top 10 for Mobile