OWASP Mobile Top 10 – 2014


null Bangalore Chapter - May 2014 Meet


Page 1: Owasp Mobile Top 10 – 2014

NULL BANGALORE – MAY 2014 MEET

OWASP MOBILE TOP 10 – 2014 INTRODUCTION

OWASP MOBILE TOP-10

• Security project maintained by OWASP.

• Intended audience –

• developers,

• security professionals,

• mobile users

• Home page – OWASP Mobile Security Project

• Under development

• Currently mainly focuses on iOS and Android mobile platforms.

2012                                          2014

M1:  Insecure Data Storage                    M1:  Weak Server Side Controls
M2:  Weak Server Side Controls                M2:  Insecure Data Storage
M3:  Insufficient Transport Layer Protection  M3:  Insufficient Transport Layer Protection
M4:  Client Side Injection                    M4:  Unintended Data Leakage
M5:  Poor Authorization and Authentication    M5:  Poor Authorization and Authentication
M6:  Improper Session Handling                M6:  Broken Cryptography
M7:  Security Decisions Via Untrusted Inputs  M7:  Client Side Injection
M8:  Side Channel Data Leakage                M8:  Security Decisions Via Untrusted Inputs
M9:  Broken Cryptography                      M9:  Improper Session Handling
M10: Sensitive Information Disclosure         M10: Lack of Binary Protections

M1 – WEAK SERVER SIDE CONTROLS

• The back end of a mobile app is a web service, so the attack vectors are those of the traditional OWASP Top 10.

• SQL injection, CSRF, etc.

• Insecure coding practices on the server side.

M2 – INSECURE DATA STORAGE

• Cardinal rule of mobile apps –

• Do not store (sensitive) data on the device unless you have to.

• Where stored data ends up – local files on the device:

• SQLite DB files

• Plist files – iOS

• XML files

• Log files

• Manifest files, etc.
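As an added example (not part of the slides), the Python scanner below does the check a tester runs after pulling an app's sandbox off a device: it opens every SQLite database and plist it finds and greps flat files such as logs for secret-shaped strings. The sample sandbox it builds, the column and key names it treats as sensitive and the byte patterns are all constructed for the demo and are assumptions, not anything from the deck.

```python
import os
import plistlib
import re
import sqlite3
import tempfile

# Heuristics (assumed, extend per engagement): names that usually hold secrets,
# and byte patterns worth grepping in flat files such as logs or XML.
SENSITIVE_NAME = re.compile(r"pass(word|wd)?|token|secret|api_?key|session|card|pin", re.I)
FLAT_PATTERNS = {
    "bearer_token": re.compile(rb"Bearer\s+[A-Za-z0-9._~+/-]{16,}"),
    "password_kv": re.compile(rb"pass(?:word|wd)?\s*[=:]\s*\S+", re.I),
}
SQLITE_MAGIC = b"SQLite format 3\x00"


def _q(ident):
    """Quote an identifier read from an untrusted database file."""
    return '"' + ident.replace('"', '""') + '"'


def scan_sqlite(path):
    """Report every sensitive-looking column that actually holds data."""
    findings = []
    con = sqlite3.connect(path)
    try:
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type = 'table'")]
        for table in tables:
            for row in con.execute("PRAGMA table_info(%s)" % _q(table)):
                col = row[1]
                if not SENSITIVE_NAME.search(col):
                    continue
                n = con.execute("SELECT COUNT(*) FROM %s WHERE %s IS NOT NULL"
                                % (_q(table), _q(col))).fetchone()[0]
                if n:
                    findings.append((path, "%s.%s" % (table, col), "%d plaintext row(s)" % n))
    finally:
        con.close()
    return findings


def scan_plist(path):
    """Report string values stored under sensitive-looking plist keys."""
    with open(path, "rb") as fh:
        data = plistlib.load(fh)
    findings = []

    def walk(node, prefix):
        if isinstance(node, dict):
            for key, value in node.items():
                if isinstance(value, str) and SENSITIVE_NAME.search(str(key)):
                    findings.append((path, prefix + str(key), "plaintext value"))
                walk(value, prefix + str(key) + ".")
        elif isinstance(node, list):
            for i, value in enumerate(node):
                walk(value, "%s[%d]." % (prefix, i))

    walk(data, "")
    return findings


def scan_flat(path):
    """Grep a log, XML or other flat file for secret-shaped strings."""
    with open(path, "rb") as fh:
        blob = fh.read()
    return [(path, name, "%d match(es)" % len(pat.findall(blob)))
            for name, pat in FLAT_PATTERNS.items() if pat.search(blob)]


def scan_dir(root):
    """Walk a pulled sandbox and dispatch on file type (magic bytes / extension)."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(len(SQLITE_MAGIC))
            if head == SQLITE_MAGIC:
                findings.extend(scan_sqlite(path))
            elif name.endswith(".plist"):
                findings.extend(scan_plist(path))
            else:
                findings.extend(scan_flat(path))
    return findings


def build_sample_sandbox():
    """Constructed sandbox of an app that ignores the cardinal rule (demo data only)."""
    root = tempfile.mkdtemp(prefix="sandbox-")
    for sub in ("databases", "Library/Preferences", "logs"):
        os.makedirs(os.path.join(root, sub))
    con = sqlite3.connect(os.path.join(root, "databases", "app.db"))
    con.execute("CREATE TABLE session(user TEXT, auth_token TEXT)")
    con.execute("INSERT INTO session VALUES (?, ?)", ("alice", "tok-constructed-0001"))
    con.commit()
    con.close()
    with open(os.path.join(root, "Library/Preferences/com.example.app.plist"), "wb") as fh:
        plistlib.dump({"username": "alice", "password": "hunter2", "theme": "dark"}, fh)
    with open(os.path.join(root, "logs/app.log"), "wb") as fh:
        fh.write(b"2014-05-10 10:00:01 GET /api/me "
                 b"Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.constructed.sig\n")
    return root
```

`scan_dir(build_sample_sandbox())` reports the `session.auth_token` column, the `password` plist key and the bearer token in the log. On a real engagement, point `scan_dir` at the directory produced by `adb pull` (Android) or at the app container copied from a jailbroken iOS device; each hit is a candidate for moving into the Keychain / Android Keystore or for not being stored at all.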

M3 – INSUFFICIENT TRANSPORT LAYER PROTECTION

• Cleartext transport protocols (HTTP instead of HTTPS)

• Missing or disabled certificate verification (any certificate accepted, so any interception proxy can read the traffic)

• Weak cipher suites

• Sensitive data sent over SMS / push notifications
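Added example using only Python's `ssl` module (not code from the slides; no network is needed): the permissive client context many apps shipped when a self-signed dev certificate "did not work", next to a hardened one, with an audit function that checks the three transport-layer points listed above. The `cafile` parameter is an assumption standing in for an app-pinned CA bundle.

```python
import ssl

# Substrings that mark cipher suites a reviewer flags (assumed list).
WEAK_CIPHER_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXP")


def permissive_context():
    """The 2014-era anti-pattern: any certificate is accepted, no hostname check.
    An attacker on the same Wi-Fi terminates TLS with any cert and reads everything."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode can change
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context(cafile=None):
    """Verify chain and hostname, require TLS 1.2+, forward-secret AEAD suites only.
    cafile (assumed) lets the app trust only its own CA instead of the device store."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL")
    return ctx


def audit_context(ctx):
    """Return the transport-layer problems a reviewer would raise (empty list = OK)."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("server certificate not verified")
    if not ctx.check_hostname:
        problems.append("hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("TLS below 1.2 allowed")
    weak = sorted({c["name"] for c in ctx.get_ciphers()
                   if any(m in c["name"] for m in WEAK_CIPHER_MARKERS)})
    if weak:
        problems.append("weak cipher suites enabled: " + ", ".join(weak))
    return problems
```

`audit_context(permissive_context())` lists the missing verification and hostname check; `audit_context(hardened_context())` returns an empty list. The same three properties are what to look for in an app's networking code on Android (`X509TrustManager` implementations that return without throwing, `HostnameVerifier` returning true) and iOS (`NSURLConnection` delegates that accept any `SecTrust`).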

M4 – UNINTENDED DATA LEAKAGE

• Platform cache storage

• Clipboard data

• Debug logs

• Screenshots (e.g. the snapshot iOS takes of the screen when an app is backgrounded), etc.

M5 – POOR AUTHORIZATION AND AUTHENTICATION

• Usability pressure leads to short and weak authentication and authorization (A&A) schemes (e.g. 4-digit PINs)

• Spoofable values used for authentication:

• Geo-location

• Device identifiers (readable by other apps and trivially replayed)

• A&A for offline services (decisions made entirely on the client)

M6 – BROKEN CRYPTOGRAPHY

• Less processing power on devices leads to weak cryptographic algorithms being chosen to avoid delays:

• RC4

• Base64 (an encoding, not encryption at all)

• MD5

• Custom (home-grown) cryptographic protocols

• Improper key management:

• Hard-coded keys in the binary

• Insecure key transport
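Added example in the Python standard library, not code from the slides: the broken patterns listed above (Base64 "encryption", unsalted MD5 password hashing, a hard-coded key) beside their replacements (PBKDF2-HMAC-SHA256 with a per-user random salt, and an HMAC under a per-install key to protect locally cached records). The key value, iteration count and wordlist are constructed for the demo and are assumptions.

```python
import base64
import hashlib
import hmac
import secrets

# Hard-coded key: it ships inside the APK/IPA, so anyone who unpacks the app has it.
# (Constructed value for the demo.)
HARDCODED_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


def base64_obfuscate(secret):
    """Base64 is an encoding, not encryption: no key is involved."""
    return base64.b64encode(secret)


def base64_recover(blob):
    """The attacker's decode is exactly the app's decode."""
    return base64.b64decode(blob)


def md5_password(password):
    """Unsalted fast hash, as many apps stored credentials locally."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_md5(digest, wordlist):
    """Fast, unsalted hashes fall to wordlists; this one is constructed and tiny."""
    for guess in wordlist:
        if hmac.compare_digest(md5_password(guess), digest):
            return guess
    return None


# --- hardened replacements --------------------------------------------------
ITERATIONS = 100_000  # assumed; raise as far as the device's latency budget allows


def hash_password(password, iterations=ITERATIONS):
    """Per-user random salt + PBKDF2-HMAC-SHA256; parameters stored with the hash."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def verify_password(password, stored):
    """Recompute with the stored salt/iterations and compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def per_install_key():
    """Key management: generate on first run and keep it in the platform keystore
    (Keychain / Android Keystore), never in source. Returns the fresh key."""
    return secrets.token_bytes(32)


def seal(key, record):
    """Integrity-protect a cached record with HMAC-SHA256 under the per-install key,
    so edits to the SQLite/plist file are detected on the next read."""
    return record + hmac.new(key, record, "sha256").digest()


def unseal(key, sealed):
    record, tag = sealed[:-32], sealed[-32:]
    if not hmac.compare_digest(hmac.new(key, record, "sha256").digest(), tag):
        raise ValueError("record tampered or wrong key")
    return record
```

The first three functions are what a reviewer looks for: a `b64encode` call described as encryption, an `MD5` (or `SHA1`) of a password with no salt, and a key literal in the code. The replacements cost CPU on purpose; the slide's "processing speed" argument is exactly the reason the iteration count must be tuned rather than the algorithm downgraded.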

M7 – CLIENT SIDE INJECTION

• SQLite injection (queries built by string concatenation against the local database)

• Intent sniffing in Android

• JavaScript injection

• Local file inclusion

• NSFileManager – iOS

• WebViews – Android
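Added example, not from the slides: Python's `sqlite3` drives the same SQLite engine that Android's `SQLiteDatabase` and iOS's libsqlite use, so the injection below behaves the same against an app's local database. The table contents and payloads are constructed for the demo.

```python
import sqlite3


def open_local_db():
    """Constructed local cache, the way an app stores server data plus its session."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE notes(owner TEXT NOT NULL, body TEXT NOT NULL)")
    con.execute("CREATE TABLE session(user TEXT NOT NULL, auth_token TEXT NOT NULL)")
    con.executemany("INSERT INTO notes VALUES (?, ?)", [
        ("alice", "alice: dentist on Monday"),
        ("bob", "bob: vault code 4417"),
    ])
    con.execute("INSERT INTO session VALUES (?, ?)", ("alice", "tok-constructed-0001"))
    return con


def notes_vulnerable(con, owner):
    """String concatenation, the rawQuery("... '" + owner + "'") pattern. `owner`
    typically arrives via an Intent extra, a URL scheme or a WebView bridge, so
    it is attacker controlled even though the database is local."""
    sql = "SELECT body FROM notes WHERE owner = '" + owner + "'"
    return [row[0] for row in con.execute(sql)]


def notes_safe(con, owner):
    """Bound parameter: the value can never change the query's structure."""
    return [row[0] for row in con.execute(
        "SELECT body FROM notes WHERE owner = ?", (owner,))]


# Constructed payloads: the first reads every user's rows, the second pulls the
# session token out of another table in the same file.
TAUTOLOGY = "x' OR '1'='1"
UNION_TOKEN = "x' UNION SELECT auth_token FROM session WHERE 'a'='a"
```

With `notes_vulnerable`, `TAUTOLOGY` returns both users' notes and `UNION_TOKEN` returns the stored session token; `notes_safe` returns an empty list for both, because the whole string is compared as an owner name. Android's `rawQuery` and `query` both accept a `selectionArgs` array, and iOS's `sqlite3_bind_text` does the same job; there is no reason to build the WHERE clause by hand.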

M8 – SECURITY DECISIONS VIA UNTRUSTED INPUTS

• Inter-process communication (intents, URL schemes) treated as trusted input

• Data on clipboards / pasteboards

• Platform-specific permission model

• Manifest files – Android

• Entitlements – iOS

M9 – IMPROPER SESSION HANDLING

• Application backgrounding (session kept alive while the app sits in the background)

• Inadequate session timeouts

• Cookie-based session management
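Added example, not code from the slides: a token-based session store that enforces idle and absolute timeouts and drops a session the client has reported as backgrounded for longer than a grace period. The timeout values are assumptions to tune per app; the clock is injectable so the expiry logic can be exercised without waiting.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

IDLE_TIMEOUT = 15 * 60        # assumed: no request for 15 minutes ends the session
ABSOLUTE_TIMEOUT = 8 * 3600   # assumed: re-authenticate at least every 8 hours
BACKGROUND_GRACE = 60         # assumed: backgrounded longer than this ends the session


@dataclass
class Session:
    user: str
    created: float
    last_seen: float
    backgrounded_at: Optional[float] = None


class SessionStore:
    """Server-side store keyed by an opaque random token carried in an
    Authorization header rather than a browser-style cookie."""

    def __init__(self, clock: Callable[[], float] = time.monotonic):
        self._clock = clock
        self._sessions: Dict[str, Session] = {}

    def create(self, user: str) -> str:
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        now = self._clock()
        self._sessions[token] = Session(user, now, now)
        return token

    def validate(self, token: str) -> Optional[str]:
        """Return the user for a live session; revoke and return None once expired."""
        s = self._sessions.get(token)
        if s is None:
            return None
        now = self._clock()
        expired = (now - s.created > ABSOLUTE_TIMEOUT
                   or now - s.last_seen > IDLE_TIMEOUT
                   or (s.backgrounded_at is not None
                       and now - s.backgrounded_at > BACKGROUND_GRACE))
        if expired:
            self.revoke(token)
            return None
        s.last_seen = now
        s.backgrounded_at = None          # app is in the foreground again
        return s.user

    def app_backgrounded(self, token: str) -> None:
        """The client reports this from applicationDidEnterBackground: (iOS) or
        onPause() (Android); the same bound can also be enforced client-side."""
        s = self._sessions.get(token)
        if s is not None:
            s.backgrounded_at = self._clock()

    def rotate(self, token: str) -> Optional[str]:
        """Issue a fresh token after a privilege change (step-up, password change)."""
        user = self.validate(token)
        if user is None:
            return None
        self.revoke(token)
        return self.create(user)

    def revoke(self, token: str) -> None:
        """Logout, or server-side kill of a session seen from a lost device."""
        self._sessions.pop(token, None)
```

The two timeouts are independent on purpose: idle expiry catches a phone left unlocked, absolute expiry bounds how long a stolen token is useful even while it is being used. Revocation has to be server-side, since a token the client merely forgets is still valid to whoever copied it off the device.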

M10 – LACK OF BINARY PROTECTIONS

• Decrypting iOS app binaries (App Store binaries are encrypted and get dumped from memory on a jailbroken device)

• Disassembly / decompilation of Android APKs

• Jailbreak / root detection controls

• Debugger detection controls

VULNERABLE APPS FOR PRACTICE

• DVIA – Damn Vulnerable iOS App

• GoatDroid

• iGoat

NEXT TIME

• M10 – Lack of Binary Protections

• Jailbroken / Rooted device detection

Thank you & Questions?