Abstract image of a woman sitting on books and studying on a laptop

Owasp top-10-mobile-risks-v-1-3 publish

Download as PPTX, PDF
Ali Kazmi, profile picture
Ali Kazmi

This document discusses the OWASP Mobile Top 10 risks. It provides an overview of each of the top 10 mobile risks: M1) Insecure Data Storage, M2) Weak Server Side Controls, M3) Insufficient Transport Layer Protection, M4) Client Side Injection, M5) Poor Authorization and Authentication, M6) Improper Session Handling, M7) Security Decisions via Untrusted Inputs, M8) Side Channel Data Leakage, M9) Broken Cryptography, and M10) Sensitive Information Disclosure. For each risk, it describes examples, potential impacts, and recommendations for mitigating controls. It also includes case studies analyzing specific risks in more detail.

Education
1 of 19
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
OWASP Mobile Top 10 OWASP Mobile Top 10 Risks presentation at OWASP Korea July 13, 2013 is licensed under a Creative Commons Attribution 3.0 Unported License. Beau Woods http://beauwoods.com @beauwoods To get involved get in touch with the project leader https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
2 BluetoothNFC/RFIDBackup Mobile Elements ClientPlatformHardwareNetworkServer ApplicationApplication 2 Other considerations
3 Mobile Comparison Use models Always on Always connected Omnipresent Capabilities Communications Limited resources Highly variable Hardware Extensive RF & SSD Highly variable Not upgradable Platform Highly variable Limited options Variable security Mobile Devices Use models Frequently off Disconnected Location-bound Capabilities Many resources Robust platform Well documented Hardware Limited RF & HDD Highly variable Highly upgradable Platform Standardized Well understood Robust security Traditional Devices 3
4 OWASP Mobile Top 10 Risks M1 Insecure Data Storage M2 Weak Server Side Controls M3 Insufficient Transport Layer Protection M4 Client Side Injection M5 Poor Authorization and Authentication M6 Improper Session Handling M7 Security Decisions via Untrusted Inputs M8 Side Channel Data Leakage M9 Broken Cryptography M10 Sensitive Information Disclosure 4 Alpha Documentation Mobile Security Project Top 10 Risks Top 10 Controls Threat Model Testing Guide Tools Secure Development
5 M1 Insecure Data Storage Sensitive data Authentication data Regulated information Business-specific information Private information Examples Recommendations Business must define, classify, assign owner & set requirements Acquire, transmit, use and store as little sensitive data as possible Inform and confirm data definition, collection, use & handling Protections 1. Reduce use and storage 2. Encrypt or hash 3. Platform-specific secure storage with restricted permissions Mobile Controls 1, 2 & 7 5
6 M2 Weak Server Side Controls OWASP Top 10 Web Application Risks 2013 A1 Injection A2 Broken Authentication and Session Management A3 Cross-Site Scripting (XSS) A4 Insecure Direct Object References A5 Security Misconfiguration A6 Sensitive Data Exposure A7 Missing Function Level Access Control A8 Cross-Site Request Forgery (CSRF) A9 Using Components with Known Vulnerabilities A10 Unvalidated Redirects and Forwards Mobile App Servers RESTful API SOAP Web Service Web XML Recommendations Always validate input Don’t trust the client Harden mobile app servers & services Beware information disclosure Understand host & network controls Perform integrity checking regularly Mobile Controls 5 & 6
7 M3 Insufficient Transport Layer Protection ExamplesImpact Expose authentication data Disclosure other sensitive information Injection Data tampering Recommendations Use platform-provided cryptographic libraries Force strong methods & valid certificates Test for certificate errors & warnings Use pre-defined certificates, as appropriate Encrypt sensitive information before sending All transport, including RFID, NFC, Bluetooth Wifi, Carrier Avoid HTTP GET method Mobile Controls 3
8 M4 Client Side Injection Impact App or device compromise Abuse resources or services (SMS, phone, payments, online banking) Extract or inject data Man-in-the-Browser (MITB) Recommendations Always validate input Don’t trust the server Harden mobile app clients Beware information disclosure Perform integrity checking regularly Mobile Controls 9
9 M5 Poor Authorization and Authentication ExamplesImpacts Account takeover Confidentiality breach Fraudulent transactions Recommendations Use appropriate methods for the risk Unique identifiers as additional (not only) factors Differentiate client-side passcode vs. server authentication Ensure out-of-band methods are truly OOB (this is hard) Hardware-independent identifiers (ie. Not IMSI, serial, etc.) Multi-factor authentication, depending on risk Define & enforce password length, strength & uniqueness Most common methods Account name Password Oauth HTTP Cookies Stored passwords Unique tokens Mobile Controls 4
10 M6 Improper Session Handling Recommendations Allow revocation of device/password Use strong tokens and generation methods Consider appropriate session length (longer than web) Reauthenticate periodically or after focus change Store and transmit session tokens securely Mobile Controls 4 Impacts Account takeover Confidentiality breach Fraudulent transactions Most common methods Oauth HTTP Cookies Stored passwords Unique tokens
11 M7 Security Decisions via Untrusted Inputs Description Reliance on files, settings, network resources or other inputs which may be modified. Recommendations Validate all inputs Digitally sign decisioning inputs, where possible Ensure trusted data sources for security decisions Examples DNS settings Cookies Configuration files Network injection Mobile malware URL calls
12 M8 Side Channel Data Leakage Side channel data Caches Keystroke logging (by platform) Screenshots (by platform) Logs Recommendations Consider server-side leakage Reduce client-side logging Consider mobile-specific private information Consider platform-specific data capture features Securely cache data (consider SSD limitations) Examples Mobile Controls 1, 2, 3, 6 & 7
13 M9 Broken Cryptography ExamplesCryptography …is not encoding …is not obfuscation …is not serialization …is best left to the experts Recommendations Use only well-vetted cryptographic libraries Understand one-way vs. two-way encryption Use only well-vetted cryptographic libraries (not a typo) Use only platform-provided cryptographic storage Use only well-vetted cryptographic libraries (still not a typo) Protect cryptographic keys fanatically Use only well-vetted cryptographic libraries (seriously - always do this) “The only way to tell good cryptography from bad cryptography is to have it examined by experts.” -Bruce Schneier Mobile Controls 1, 2 & 3
14 M10 Sensitive Information Disclosure Sensitive application data API or encryption keys Passwords Sensitive business logic Internal company information Debugging or maintenance information Recommendations Store sensitive application data server-side Avoid hardcoding information in the application Use platform-specific secure storage areas M1 deals with customer data M10 deals with application or developer data
15 Case Study M1 Insecure Data Storage • Account number & passcode stored in flat text file Risks & mitigating factors • Passcode not used for other systems • App contained and accessed sensitive and private information
16 Case Study M5 Poor Authorization & Authentication • Account name and password in plain text • Used HTTP GET method (logged to server) M8 Side Channel Data Leakage • Logged password to client and server M9 Broken Cryptography • First attempt to fix issue obfuscated password Risks & mitigating factors • Same password used for web application • Password reuse likely • Stored password securely
17 Case Study M1 Insecure Data Storage • Account name & password stored in flat text file Risks & mitigating factors • App accessed private information • Password reuse likely • App used in Arab Spring and other protests
18 DIY Vulnerability Discovery • Explore files on mobile devices and backups • Search for passwords • Sniff network connections • Downgrade SSL OWASP Resources • WebScarab • GoatDroid • iGoat • MobiSec • iMas • Mobile Testing Guide
19 Beau Woods http://beauwoods.com @beauwoods We have a long road ahead – your comments and participation are appreciated To get involved get in touch with the project leader https://www.owasp.org/index.php/OWASP_Mobile_Security_Project

More Related Content

PDF
OWASP Top 10 Mobile Risks
Beau Woods
 
PDF
Point-Of-Sale Hacking - 2600Thailand#20
Prathan Phongthiproek
 
PPTX
Two Factor Authentication Made Easy ICWE 2015
Alex Q. Chen
 
PPTX
Security Testing for Web Application
Precise Testing Solution
 
PPTX
Multifactor Authentication
Ronnie Isherwood
 
PDF
The Complete Web Application Security Testing Checklist
Cigital
 
PPTX
OWASP Mobile TOP 10 2014
Islam Azeddine Mennouchi
 
PDF
Avoiding Two-factor Authentication? You're Not Alone
PortalGuard
 
OWASP Top 10 Mobile Risks
Beau Woods
 
Point-Of-Sale Hacking - 2600Thailand#20
Prathan Phongthiproek
 
Two Factor Authentication Made Easy ICWE 2015
Alex Q. Chen
 
Security Testing for Web Application
Precise Testing Solution
 
Multifactor Authentication
Ronnie Isherwood
 
The Complete Web Application Security Testing Checklist
Cigital
 
OWASP Mobile TOP 10 2014
Islam Azeddine Mennouchi
 
Avoiding Two-factor Authentication? You're Not Alone
PortalGuard
 

What's hot (20)

PPTX
Security Testing Training With Examples
Alwin Thayyil
 
PPTX
Introduction to security testing raj
Rajakrishnan S, MCA,MBA,MA Phil,PMP,CSM,ISTQB-Test Mgr,ITIL
 
PPTX
Security testing
Rihab Chebbah
 
PDF
OWASP Thailand-Beyond the Penetration Testing
Prathan Phongthiproek
 
PDF
Security-testing presentation
Ezhilan Elangovan (Eril)
 
PPT
Protecting web aplications with machine learning and security fabric
DATA SECURITY SOLUTIONS
 
PPT
Web Application Security Testing
Marco Morana
 
PPTX
Mobile security services 2012
Tjylen Veselyj
 
PDF
Soteria Cybersecurity Healthcheck-FB01
Richard Sullivan
 
PPTX
Security Testing
BOSS Webtech
 
PPTX
Security testing
Khizra Sammad
 
PDF
Security testing presentation
Confiz
 
PPTX
Intro to Smart Cards & Multi-Factor Authentication
hon1nbo
 
PDF
Introduction to Security Testing
vodQA
 
PPT
Step by step guide for web application security testing
Avyaan, Web Security Company in India
 
PPTX
Ethical hacking
Јаѓќеѕн Јажѕшаф
 
PPT
Get Ready for Web Application Security Testing
Alan Kan
 
PPTX
Parameter tampering
Dilan Warnakulasooriya
 
PPTX
Understanding Application Threat Modelling & Architecture
Priyanka Aash
 
PPTX
Are Bot Operators Eating Your Lunch?
Distil Networks
 
Security Testing Training With Examples
Alwin Thayyil
 
Introduction to security testing raj
Rajakrishnan S, MCA,MBA,MA Phil,PMP,CSM,ISTQB-Test Mgr,ITIL
 
Security testing
Rihab Chebbah
 
OWASP Thailand-Beyond the Penetration Testing
Prathan Phongthiproek
 
Security-testing presentation
Ezhilan Elangovan (Eril)
 
Protecting web aplications with machine learning and security fabric
DATA SECURITY SOLUTIONS
 
Web Application Security Testing
Marco Morana
 
Mobile security services 2012
Tjylen Veselyj
 
Soteria Cybersecurity Healthcheck-FB01
Richard Sullivan
 
Security Testing
BOSS Webtech
 
Security testing
Khizra Sammad
 
Security testing presentation
Confiz
 
Intro to Smart Cards & Multi-Factor Authentication
hon1nbo
 
Introduction to Security Testing
vodQA
 
Step by step guide for web application security testing
Avyaan, Web Security Company in India
 
Ethical hacking
Јаѓќеѕн Јажѕшаф
 
Get Ready for Web Application Security Testing
Alan Kan
 
Parameter tampering
Dilan Warnakulasooriya
 
Understanding Application Threat Modelling & Architecture
Priyanka Aash
 
Are Bot Operators Eating Your Lunch?
Distil Networks
 
Ad

Similar to Owasp top-10-mobile-risks-v-1-3 publish (20)

PPTX
Webdays blida mobile top 10 risks
Islam Azeddine Mennouchi
 
PPTX
Webinar: Beyond Two-Factor: Secure Access Control for Office 365
SecureAuth
 
PDF
OWASP Mobile Top 10 Deep-Dive
Prathan Phongthiproek
 
PPTX
Standards and methodology for application security assessment
Mykhailo Antonishyn
 
PPTX
Mobile Security for the Enterprise
Will Adams
 
PPS
Application Security Review 5 Dec 09 Final
Manoj Agarwal
 
PDF
Mobile Security Training, Mobile Device Security Training
Tonex
 
PPTX
Appsecurity, win or loose
Bjørn Sloth
 
PPT
oiqwjrfoijqwwieoefmklqwmefioqjweeifmqwklefmqwef
ramrajcottons02
 
PPTX
00. introduction to app sec v3
Eoin Keary
 
PDF
Smartphones' Security
Nicola Cadenelli
 
PPTX
Big data, Security, or Privacy in IoT: Choice is Yours
Dilum Bandara
 
PDF
8 Mandatory Security Control Categories for Successful Submissions
ICS
 
PPTX
Securing Your Business
Jose L. Quiñones-Borrero
 
PPTX
Cloud computingsec p3
Cesar Schmitzhaus
 
PDF
Module 6.Security in Evolving Technology
Sitamarhi Institute of Technology
 
PDF
Module 6.pdf
Sitamarhi Institute of Technology
 
PPT
Adaptive Trust for Strong Network Security
Aruba, a Hewlett Packard Enterprise company
 
PDF
Cisco Connect 2018 Thailand - Security automation and programmability mr. kho...
NetworkCollaborators
 
PDF
Cisco Connect 2018 Thailand - Telco service provider network analytics
NetworkCollaborators
 
Webdays blida mobile top 10 risks
Islam Azeddine Mennouchi
 
Webinar: Beyond Two-Factor: Secure Access Control for Office 365
SecureAuth
 
OWASP Mobile Top 10 Deep-Dive
Prathan Phongthiproek
 
Standards and methodology for application security assessment
Mykhailo Antonishyn
 
Mobile Security for the Enterprise
Will Adams
 
Application Security Review 5 Dec 09 Final
Manoj Agarwal
 
Mobile Security Training, Mobile Device Security Training
Tonex
 
Appsecurity, win or loose
Bjørn Sloth
 
oiqwjrfoijqwwieoefmklqwmefioqjweeifmqwklefmqwef
ramrajcottons02
 
00. introduction to app sec v3
Eoin Keary
 
Smartphones' Security
Nicola Cadenelli
 
Big data, Security, or Privacy in IoT: Choice is Yours
Dilum Bandara
 
8 Mandatory Security Control Categories for Successful Submissions
ICS
 
Securing Your Business
Jose L. Quiñones-Borrero
 
Cloud computingsec p3
Cesar Schmitzhaus
 
Module 6.Security in Evolving Technology
Sitamarhi Institute of Technology
 
Module 6.pdf
Sitamarhi Institute of Technology
 
Adaptive Trust for Strong Network Security
Aruba, a Hewlett Packard Enterprise company
 
Cisco Connect 2018 Thailand - Security automation and programmability mr. kho...
NetworkCollaborators
 
Cisco Connect 2018 Thailand - Telco service provider network analytics
NetworkCollaborators
 
Ad

Recently uploaded (20)

PPTX
Computer Architecture Input Output Memory.pptx
Gunasundari Selvaraj
 
PDF
Τίμαιος είναι φιλοσοφικός διάλογος του Πλάτωνα
iliaskessaris
 
PDF
BP 505 T. PHARMACEUTICAL JURISPRUDENCE (UNIT 2).pdf
CMEmpire
 
PPTX
Module on health assessment of CHN. pptx
GurdeepSingh626704
 
PDF
Empowerment Technology for Senior High School Guide
solthereseamericandr
 
PDF
BP 704 T. NOVEL DRUG DELIVERY SYSTEMS (UNIT 2).pdf
CMEmpire
 
PDF
International_Financial_Reporting_Standa.pdf
VrindaTayade1
 
PDF
LEARNERS WITH ADDITIONAL NEEDS ProfEd Topic
Johnlloyd489543
 
PDF
AI-driven educational solutions for real-life interventions in the Philippine...
EleniIlkou
 
PDF
BP 704 T. NOVEL DRUG DELIVERY SYSTEMS (UNIT 1)
CMEmpire
 
PPTX
Core Concepts of Personalized Learning and Virtual Learning Environments
Dr. Bushra Sumaiya
 
PDF
advance database management system book.pdf
hinamannan364
 
PPTX
Introduction to pro and eukaryotes and differences.pptx
AvaniKarumathil
 
PDF
1.3 FINAL REVISED K-10 PE and Health CG 2023 Grades 4-10 (1).pdf
JohnJerryDalawampu
 
PDF
English Textual Question & Ans (12th Class).pdf
javaidpaswal33
 
PDF
Environmental Education MCQ BD2EE - Share Source.pdf
Dr Raja Mohammed T
 
PDF
Hazard Identification & Risk Assessment .pdf
estagiarioprotegesms
 
PDF
ChatGPT for Dummies - Pam Baker Ccesa007.pdf
Demetrio Ccesa Rayme
 
PDF
MICROENCAPSULATION_NDDS_BPHARMACY__SEM VII_PCI .pdf
SabsKhan1
 
PPTX
Education and Perspectives of Education.pptx
Central University of South Bihar, Gaya, Bihar
 
Computer Architecture Input Output Memory.pptx
Gunasundari Selvaraj
 
Τίμαιος είναι φιλοσοφικός διάλογος του Πλάτωνα
iliaskessaris
 
BP 505 T. PHARMACEUTICAL JURISPRUDENCE (UNIT 2).pdf
CMEmpire
 
Module on health assessment of CHN. pptx
GurdeepSingh626704
 
Empowerment Technology for Senior High School Guide
solthereseamericandr
 
BP 704 T. NOVEL DRUG DELIVERY SYSTEMS (UNIT 2).pdf
CMEmpire
 
International_Financial_Reporting_Standa.pdf
VrindaTayade1
 
LEARNERS WITH ADDITIONAL NEEDS ProfEd Topic
Johnlloyd489543
 
AI-driven educational solutions for real-life interventions in the Philippine...
EleniIlkou
 
BP 704 T. NOVEL DRUG DELIVERY SYSTEMS (UNIT 1)
CMEmpire
 
Core Concepts of Personalized Learning and Virtual Learning Environments
Dr. Bushra Sumaiya
 
advance database management system book.pdf
hinamannan364
 
Introduction to pro and eukaryotes and differences.pptx
AvaniKarumathil
 
1.3 FINAL REVISED K-10 PE and Health CG 2023 Grades 4-10 (1).pdf
JohnJerryDalawampu
 
English Textual Question & Ans (12th Class).pdf
javaidpaswal33
 
Environmental Education MCQ BD2EE - Share Source.pdf
Dr Raja Mohammed T
 
Hazard Identification & Risk Assessment .pdf
estagiarioprotegesms
 
ChatGPT for Dummies - Pam Baker Ccesa007.pdf
Demetrio Ccesa Rayme
 
MICROENCAPSULATION_NDDS_BPHARMACY__SEM VII_PCI .pdf
SabsKhan1
 
Education and Perspectives of Education.pptx
Central University of South Bihar, Gaya, Bihar
 

Owasp top-10-mobile-risks-v-1-3 publish

  • 1. OWASP Mobile Top 10 OWASP Mobile Top 10 Risks presentation at OWASP Korea July 13, 2013 is licensed under a Creative Commons Attribution 3.0 Unported License. Beau Woods http://beauwoods.com @beauwoods To get involved get in touch with the project leader https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
  • 3. 3 Mobile Comparison Use models Always on Always connected Omnipresent Capabilities Communications Limited resources Highly variable Hardware Extensive RF & SSD Highly variable Not upgradable Platform Highly variable Limited options Variable security Mobile Devices Use models Frequently off Disconnected Location-bound Capabilities Many resources Robust platform Well documented Hardware Limited RF & HDD Highly variable Highly upgradable Platform Standardized Well understood Robust security Traditional Devices 3
  • 4. 4 OWASP Mobile Top 10 Risks M1 Insecure Data Storage M2 Weak Server Side Controls M3 Insufficient Transport Layer Protection M4 Client Side Injection M5 Poor Authorization and Authentication M6 Improper Session Handling M7 Security Decisions via Untrusted Inputs M8 Side Channel Data Leakage M9 Broken Cryptography M10 Sensitive Information Disclosure 4 Alpha Documentation Mobile Security Project Top 10 Risks Top 10 Controls Threat Model Testing Guide Tools Secure Development
  • 5. 5 M1 Insecure Data Storage Sensitive data Authentication data Regulated information Business-specific information Private information Examples Recommendations Business must define, classify, assign owner & set requirements Acquire, transmit, use and store as little sensitive data as possible Inform and confirm data definition, collection, use & handling Protections 1. Reduce use and storage 2. Encrypt or hash 3. Platform-specific secure storage with restricted permissions Mobile Controls 1, 2 & 7 5
  • 6. 6 M2 Weak Server Side Controls OWASP Top 10 Web Application Risks 2013 A1 Injection A2 Broken Authentication and Session Management A3 Cross-Site Scripting (XSS) A4 Insecure Direct Object References A5 Security Misconfiguration A6 Sensitive Data Exposure A7 Missing Function Level Access Control A8 Cross-Site Request Forgery (CSRF) A9 Using Components with Known Vulnerabilities A10 Unvalidated Redirects and Forwards Mobile App Servers RESTful API SOAP Web Service Web XML Recommendations Always validate input Don’t trust the client Harden mobile app servers & services Beware information disclosure Understand host & network controls Perform integrity checking regularly Mobile Controls 5 & 6
  • 7. 7 M3 Insufficient Transport Layer Protection ExamplesImpact Expose authentication data Disclosure other sensitive information Injection Data tampering Recommendations Use platform-provided cryptographic libraries Force strong methods & valid certificates Test for certificate errors & warnings Use pre-defined certificates, as appropriate Encrypt sensitive information before sending All transport, including RFID, NFC, Bluetooth Wifi, Carrier Avoid HTTP GET method Mobile Controls 3
  • 8. 8 M4 Client Side Injection Impact App or device compromise Abuse resources or services (SMS, phone, payments, online banking) Extract or inject data Man-in-the-Browser (MITB) Recommendations Always validate input Don’t trust the server Harden mobile app clients Beware information disclosure Perform integrity checking regularly Mobile Controls 9
  • 9. 9 M5 Poor Authorization and Authentication ExamplesImpacts Account takeover Confidentiality breach Fraudulent transactions Recommendations Use appropriate methods for the risk Unique identifiers as additional (not only) factors Differentiate client-side passcode vs. server authentication Ensure out-of-band methods are truly OOB (this is hard) Hardware-independent identifiers (ie. Not IMSI, serial, etc.) Multi-factor authentication, depending on risk Define & enforce password length, strength & uniqueness Most common methods Account name Password Oauth HTTP Cookies Stored passwords Unique tokens Mobile Controls 4
  • 10. 10 M6 Improper Session Handling Recommendations Allow revocation of device/password Use strong tokens and generation methods Consider appropriate session length (longer than web) Reauthenticate periodically or after focus change Store and transmit session tokens securely Mobile Controls 4 Impacts Account takeover Confidentiality breach Fraudulent transactions Most common methods Oauth HTTP Cookies Stored passwords Unique tokens
  • 11. 11 M7 Security Decisions via Untrusted Inputs Description Reliance on files, settings, network resources or other inputs which may be modified. Recommendations Validate all inputs Digitally sign decisioning inputs, where possible Ensure trusted data sources for security decisions Examples DNS settings Cookies Configuration files Network injection Mobile malware URL calls
  • 12. 12 M8 Side Channel Data Leakage Side channel data Caches Keystroke logging (by platform) Screenshots (by platform) Logs Recommendations Consider server-side leakage Reduce client-side logging Consider mobile-specific private information Consider platform-specific data capture features Securely cache data (consider SSD limitations) Examples Mobile Controls 1, 2, 3, 6 & 7
  • 13. 13 M9 Broken Cryptography ExamplesCryptography …is not encoding …is not obfuscation …is not serialization …is best left to the experts Recommendations Use only well-vetted cryptographic libraries Understand one-way vs. two-way encryption Use only well-vetted cryptographic libraries (not a typo) Use only platform-provided cryptographic storage Use only well-vetted cryptographic libraries (still not a typo) Protect cryptographic keys fanatically Use only well-vetted cryptographic libraries (seriously - always do this) “The only way to tell good cryptography from bad cryptography is to have it examined by experts.” -Bruce Schneier Mobile Controls 1, 2 & 3
  • 14. 14 M10 Sensitive Information Disclosure Sensitive application data API or encryption keys Passwords Sensitive business logic Internal company information Debugging or maintenance information Recommendations Store sensitive application data server-side Avoid hardcoding information in the application Use platform-specific secure storage areas M1 deals with customer data M10 deals with application or developer data
  • 15. 15 Case Study M1 Insecure Data Storage • Account number & passcode stored in flat text file Risks & mitigating factors • Passcode not used for other systems • App contained and accessed sensitive and private information
  • 16. 16 Case Study M5 Poor Authorization & Authentication • Account name and password in plain text • Used HTTP GET method (logged to server) M8 Side Channel Data Leakage • Logged password to client and server M9 Broken Cryptography • First attempt to fix issue obfuscated password Risks & mitigating factors • Same password used for web application • Password reuse likely • Stored password securely
  • 17. 17 Case Study M1 Insecure Data Storage • Account name & password stored in flat text file Risks & mitigating factors • App accessed private information • Password reuse likely • App used in Arab Spring and other protests
  • 18. 18 DIY Vulnerability Discovery • Explore files on mobile devices and backups • Search for passwords • Sniff network connections • Downgrade SSL OWASP Resources • WebScarab • GoatDroid • iGoat • MobiSec • iMas • Mobile Testing Guide
  • 19. 19 Beau Woods http://beauwoods.com @beauwoods We have a long road ahead – your comments and participation are appreciated To get involved get in touch with the project leader https://www.owasp.org/index.php/OWASP_Mobile_Security_Project

Editor's Notes

  • #4: Solid State Drives perform an activity called “wear leveling” to prevent frequently used storage areas from being destroyed quickly. This process copies data to other parts of the drive every time the data sector is read or written. Therefore traditional data deletion routines do not work – an important thing to keep in mind. This means that any sensitive information should be strongly protected (encrypted or written to protected storage areas), rather than relying on secure deletion mechanisms.
  • #6: Path: Collected and uploaded personal information Concur: Stored password in plain text
  • #7: Recommendation for future versions Expand to specific risks
  • #8: Google Wallet NFC MITM PayPal failure to validate certificates Apple iOS AppStore MITM led to circumventing purchases
  • #9: Recommendation for future versions Improve or eliminate
  • #10: Dropbox: Used only a unique ID to authenticate, no password required; password reset doesn’t protect assets Audible: Used plaintext password to authenticate and used HTTP GET method OOB: Remember, mobile devices can potentially intercept phone calls, SMS and email
  • #12: Recommendation for future versions Improve or eliminate
  • #13: Android: Information sent to advertisers http://news.techeye.net/mobile/many-android-apps-send-your-private-information-to-advertisers Apple: Collected and stored mobile tower data; called before US Congress to answer questions Audible: Stored URL with password in logfile, also in GET request stored in web server log Recommendation for future versions Consider combining with M10 Consider incorporating the idea of collecting unnecessary but potentially sensitive or private information
  • #15: Recommendation for future versions Consider combining with M8
  • #16: http://www.secureworks.com/cyber-threat-intelligence/advisories/SWRX-2011-002/
  • #17: http://www.secureworks.com/cyber-threat-intelligence/advisories/SWRX-2011-004/
  • #18: http://stratigossecurity.com/2012/10/03/security-advisory-ustream-mobile-application/