OWASP Mobile Top 10

© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.

Mobile pitfalls to avoid:Breaking down the OWASP Top 10 Mobile Risks

Katie StrzempkaDirector of Services

© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.

Keith MokrisProduct Marketing Manager


1 ImproperPlatform Usage

OWASP MOBILE TOP 10 2016 DRAFT


Misuse of a platform feature or lack of platform security controls for the Android or iOS operating systems. Issues may include incorrect use of the keychain on iOS or Android intents.


Android - Implement intents carefullyIntents are used for inter-component signaling. Improper

implementation could result in data leakage, restricted functions being

called and program flow being manipulated.

https://books.nowsecure.com/secure-mobile-development/en/

android/implement-intents-carefully.html

iOS - Use the keychain carefullyiOS provides the keychain for secure data storage. However, in several scenarios, the keychain can be compromised and subsequently decrypted.

https://books.nowsecure.com/secure-mobile-development/en/ios/use-the-keychain-carefully.html

Best practice(s):

https://books.nowsecure.com/secure-mobile-development/en/android/implement-intents-carefully.html









2 InsecureData Storage



Vulnerabilities that leak personal information and provide access to hackers.


1 in 10 apps leak private, sensitive data like email, username, or password

NowSecure: 2016 NowSecure Mobile Security Report

Data from testing 400,000 mobile apps

https://www.nowsecure.com/resources/mobile-security-report/en/index.html


Implement secure data storageTransmit and display but do not persist to memory. Ensure that an analog leak does not present itself

where screenshots of the data are written to disk. Store only in RAM (clear at application close).

https://books.nowsecure.com/secure-mobile-development/en/sensitive-data/

implement-secure-data-storage.html

Securely store data in RAMDo not keep sensitive data (e.g., encryption keys) in RAM longer than required. Nullify any variables that hold keys after use.


Best practice(s):

https://books.nowsecure.com/secure-mobile-development/en/sensitive-data/implement-secure-data-storage.html







3 InsecureCommunication



Insecure communication refers to communications being sent in cleartext as well as other insecure methods.


Best practice(s):

Implement secure transmission of sensitive data

Best practices call for app providers to use SSL/TLS effectively to secure the transmission of passwords, login IDs, and other sensitive data over the network, and even go further and leverage app-layer encryption to protect user data.

https://books.nowsecure.com/secure-mobile-development/en/sensitive-data/implement-secure-network-transmission-of-sensitive-data.html






4 InsecureAuthentication



Mobile apps need to securely identify a user and maintain that user’s identity, especially when users are calling and sending sensitive data such as financial information.


Best practice(s):

Hide account numbers and use tokensGiven the widespread use of mobile apps in public places, displaying partial numbers (e.g. *9881) can help ensure maximum privacy for this information. Unless there is a need to store the complete number on the device, store the partially hidden numbers.

https://books.nowsecure.com/secure-mobile-development/en/sensitive-data/hide-account-numbers-and-use-tokens.html








● India’s largest startup with $1.1B in funding was hacked to allow unlimited free rides

● Hacker used MITM Proxy to view API calls over HTTP

● No OAuth token mechanism or encryption was in place to guard APIs

Source: The Next Web

Example: Ola

http://thenextweb.com/insider/2015/03/23/how-i-hacked-indias-biggest-startup/


5 InsufficientCryptography



The process behind encryption and decryption may allow a hacker to decrypt sensitive data.

The algorithm behind encryption and decryption may be weak in nature.


Implement secure data storageIf storing sensitive data on the device is a requirement,

add an additional layer of verified, third-party

encryption. By adding another layer of encryption, you

have more control over the implementation and mitigate

attacks focused on the main OS encryption classes.

https://books.nowsecure.com/secure-mobile-developme

nt/en/sensitive-data/implement-secure-data-storage.ht

ml

Best practice(s):






6 InsecureAuthorization



Insecure authorization refers to the failure of a server to properly enforce identity and permissions as stated by the mobile app.


Best practice(s):

Implement proper web server configuration

Certain settings on a web server can increase security. One commonly overlooked vulnerability on a web server is information disclosure. Information disclosure can lead to serious problems because every piece of information attackers can gain from a server makes staging an attack easier.

https://books.nowsecure.com/secure-mobile-development/en/servers/web-server-configuration.html







7Client CodeQuality



Risks that come from vulnerabilities like buffer overflows, format-string vulnerabilities, and various other code-level mistakes where the solution is to rewrite some code that's running on the mobile device.


Vulnerabilities in the Vitamio SDK

NowSecure Blog: World Writable Code Is Bad, MMMMKAY

Best practice(s):

Test third-party libraries

Third-party libraries can contain vulnerabilities and weaknesses. Many developers assume third-party libraries are well-developed and tested, however, issues can and do exist in their code.

https://books.nowsecure.com/secure-mobile-development/en/coding-practices/test-third-party-libraries.html

https://www.nowsecure.com/blog/2015/08/10/world-writable-code-is-bad-mmmmkay/








8CodeTampering



When attackers tamper with or install a backdoor on an app, re-sign it and publish the malicious version to third-party app marketplaces.


● 50M downloads in 19 days on Android alone

● Within 3 days of initial release, malicious DroidJack software found on third-party app stores

● Remote Access Tool (RAT) can open a silent, backdoor for hackers

Source: NowSecure Blog

Example: PokemonGO

https://www.nowsecure.com/blog/2016/07/11/pokemon-go-security-risks-what-cisos-and-security-pros-need-to-know/


Best practice(s):

Implement anti-tampering techniquesEmploy anti-tamper and tamper-detection techniques to prevent illegitimate applications from executing. Use checksums, digital signatures, and other validation mechanisms to help detect file tampering.

https://books.nowsecure.com/secure-mobile-development/en/coding-practices/anti-tamper-techniques.html






9ReverseEngineering



Reverse engineering refers to the analysis of a final binary to determine its source code, libraries, algorithms, and more.


● Hackers decompiled mobile app and recompiled it so they didn’t have to pay for premium content

● If it is possible, hackers will find a way

Source: Forbes

Example: Tinder

http://www.forbes.com/sites/thomasbrewster/2016/02/09/tinder-bad-security-design/#d370e7f49baa


Best practice(s):

Increase code complexity and use obfuscationReverse engineering apps can provide valuable insight into how your app works. Making your app more complex internally makes it more difficult for attackers to see how the app operates, which can reduce the number of attack vectors.

https://books.nowsecure.com/secure-mobile-development/en/coding-practices/code-complexity-and-obfuscation.html






1 ExtraneousFunctionality

OWASP MOBILE TOP 10 2016 DRAFT0


Developers frequently include hidden backdoors or security controls they do not plan on releasing into production.

This error creates risk when a feature is released to the wild that was never intended to be shared.


● Manufacturer of hardware chips and processors for mobile devices

● A debug tool, left open for carriers to test network connections, was left open on shipped devices

Source: The Hacker News

Example: MediaTek

http://thehackernews.com/2016/02/mediatek-hacking-mobile.html


Best practice(s):

Carefully manage debug logsDebug logs are generally designed to be used to detect and correct flaws in an application. These logs can leak sensitive information that may help an attacker create a more powerful attack.

https://books.nowsecure.com/secure-mobile-development/en/caching-logging/carefully-manage-debug-logs.html






https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-2015_Scratchpad

Review the NowSecure Secure Mobile Development Best Practices in their entirety:

Read Now

https://books.nowsecure.com/secure-mobile-development/en/index.html




You can view the GitHub repository here:

https://github.com/nowsecure/secure-mobile-development

Contribute to the Secure Mobile Development Best Practices




Technology

OWASP Mobile Top 10