null Bangalore Chapter - May 2014 Meet
NULL BANGALORE – MAY 2014 MEET
OWASP MOBILE TOP 10 – 2014 INTRODUCTION
OWASP MOBILE TOP-10
• Security project maintained by OWASP.
• Intended audience:
  • Developers
  • Security professionals
  • Mobile users
• Home page: OWASP Mobile Security Project
• Under development
• Currently focuses mainly on the iOS and Android mobile platforms.
| 2012 | 2014 |
|------|------|
| M1: Insecure Data Storage | M1: Weak Server Side Controls |
| M2: Weak Server Side Controls | M2: Insecure Data Storage |
| M3: Insufficient Transport Layer Protection | M3: Insufficient Transport Layer Protection |
| M4: Client Side Injection | M4: Unintended Data Leakage |
| M5: Poor Authorization and Authentication | M5: Poor Authorization and Authentication |
| M6: Improper Session Handling | M6: Broken Cryptography |
| M7: Security Decisions Via Untrusted Inputs | M7: Client Side Injection |
| M8: Side Channel Data Leakage | M8: Security Decisions Via Untrusted Inputs |
| M9: Broken Cryptography | M9: Improper Session Handling |
| M10: Sensitive Information Disclosure | M10: Lack of Binary Protections |
M1 – WEAK SERVER SIDE CONTROLS
• Attack vectors generally correspond to the traditional OWASP Top 10.
  • SQL Injection, CSRF, etc.
• Insecure coding practices.
M2 – INSECURE DATA STORAGE
• Cardinal rule of mobile apps: do not store data.
• Local files on the device:
  • SQLite DB files
  • Plist files – iOS
  • XML files
  • Log files
  • Manifest files, etc.
M3 – INSUFFICIENT TRANSPORT LAYER PROTECTION
• Clear-text transport protocols
• Certificate verification
• Weak cipher suites
• Sensitive data sent over SMS / push notifications
M4 – UNINTENDED DATA LEAKAGE
• Platform cache storage
• Clipboard data
• Debug Logs
• Screenshots, etc.
M5 – POOR AUTHORIZATION AND AUTHENTICATION
• Usability leading to short and poor A&A schemas
• Spoofable values used for authentication:
  • Geo-locations
  • Device identifiers
• A&A for offline services
M6 – BROKEN CRYPTOGRAPHY
• Less processing speed on devices
• Usage of weak cryptographic algorithms to avoid system delays:
  • RC4
  • Base64
  • MD5
• Custom cryptographic protocols
• Improper key management:
  • Hardcoding
  • Insecure key transport
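As an added example for the "Hardcoding" point (not part of the slides), the function below scans decompiled Android source for string constants whose names suggest key material and whose Shannon entropy is high enough to look like a real key rather than an alias; the sample lines are constructed for this example and the name pattern and 3.5-bit threshold are assumptions to tune per code base.

```python
import math
import re

# Constructed sample of decompiled Android source (not from any real app).
# Line 1 and line 3 hold plausible hardcoded key material; line 4 has a
# key-like name but a low-entropy alias, which the entropy filter excludes.
SAMPLE_SOURCE = """\
private static final String AES_KEY = "1f3a9c0be4d27a6b5c8e0d1f2a3b4c5d";
private static final String BASE_URL = "https://api.example.com/v1/";
private static final String HMAC_SECRET = "c2VjcmV0X2tleV9mb3JfaG1hYw==";
private static final String KEY_ALIAS = "user_master_key";
private static final int TIMEOUT_MS = 30000;
"""

# Identifier containing a key-like word, assigned a quoted literal of 8+ chars.
KEY_ASSIGNMENT = re.compile(
    r'\b(\w*(?:key|secret|token|password)\w*)\s*=\s*"([^"]{8,})"',
    re.IGNORECASE,
)


def shannon_entropy(value):
    """Bits of entropy per character; ~4 for hex, ~6 for dense base64."""
    n = len(value)
    counts = {c: value.count(c) for c in set(value)}
    return -sum(k / n * math.log2(k / n) for k in counts.values())


def find_hardcoded_secrets(source, min_entropy=3.5):
    """Return key-like literals whose entropy meets the threshold."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        match = KEY_ASSIGNMENT.search(line)
        if not match:
            continue
        name, value = match.groups()
        entropy = shannon_entropy(value)
        if entropy >= min_entropy:
            findings.append(
                {"line": lineno, "name": name, "entropy": round(entropy, 2)}
            )
    return findings


if __name__ == "__main__":
    for finding in find_hardcoded_secrets(SAMPLE_SOURCE):
        print(f"line {finding['line']}: {finding['name']} "
              f"(entropy {finding['entropy']} bits/char)")
```

Run against the output of a decompiler rather than the original source, since that is what an attacker with the APK sees; anything it flags belongs in the platform keystore or should be derived at runtime.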
M7 – CLIENT SIDE INJECTION
• SQLite Injection
• Intent sniffing in Android
• JavaScript Injection
• Local File Inclusions:
  • NSFileManager – iOS
  • WebViews – Android
M8 – SECURITY DECISIONS VIA UNTRUSTED INPUTS
• Inter Process Communication
• Data on clipboards / pasteboards
• Platform-specific permission model:
  • Manifest files – Android
  • Entitlements – iOS
M9 – IMPROPER SESSION HANDLING
• Application Backgrounding
• Inadequate session Timeouts
• Cookie based session management
M10 – LACK OF BINARY PROTECTIONS
• Code decryption of iOS apps
• Disassembly of Android APKs
• Jailbreak / root detection controls
• Debug detection controls
VULNERABLE APPS FOR PRACTICE
• DVIA – Damn Vulnerable iOS App
• GoatDroid
• iGoat
NEXT TIME
• M10 – Lack of Binary Protections
• Jailbroken / Rooted device detection
Thank you & Questions?