OWASP Mobile Top 10
OWASP Korea Day 2013
July 13, 2013
Beau Woods
http://beauwoods.com
@beauwoods
OWASP Mobile Top 10 Risks presentation at OWASP Korea July 13, 2013
is licensed under a Creative Commons Attribution 3.0 Unported License.
2. Mobile Elements
Client: Application, Platform, Hardware
Network
Server: Application
3. Mobile Considerations

Mobile Devices
• Use models: Always on; Always connected; Omnipresent
• Capabilities: Communications; Limited resources; Highly variable
• Hardware: Extensive RF & SSD; Highly variable; Not upgradable
• Platform: Highly variable; Limited options; Variable security

Traditional Devices
• Use models: Frequently off; Disconnected; Location-bound
• Capabilities: Many resources; Robust platform; Well documented
• Hardware: Limited RF & HDD; Highly variable; Highly upgradable
• Platform: Standardized; Well understood; Robust security
4. OWASP Mobile Top 10 Risks
M1 Insecure Data Storage
M2 Weak Server Side Controls
M3 Insufficient Transport Layer Protection
M4 Client Side Injection
M5 Poor Authorization and Authentication
M6 Improper Session Handling
M7 Security Decisions via Untrusted Inputs
M8 Side Channel Data Leakage
M9 Broken Cryptography
M10 Sensitive Information Disclosure
Alpha Documentation (Mobile Security Project): Top 10 Risks; Top 10 Controls; Threat Model; Testing Guide; Tools; Secure Development
5. M1 Insecure Data Storage
Examples of sensitive data: Authentication data; Regulated information; Business-specific information; Private information
Recommendations
• Business must define, classify, assign owner & set requirements
• Acquire, transmit, use and store as little sensitive data as possible
• Inform and confirm data definition, collection, use & handling
Protections
1. Reduce use and storage
2. Encrypt or hash
3. Platform-specific secure storage with restricted permissions
Mobile Controls: 1, 2 & 7
6. M2 Weak Server Side Controls
OWASP Top 10 Web Application Risks 2013
A1 Injection
A2 Broken Authentication and Session Management
A3 Cross-Site Scripting (XSS)
A4 Insecure Direct Object References
A5 Security Misconfiguration
A6 Sensitive Data Exposure
A7 Missing Function Level Access Control
A8 Cross-Site Request Forgery (CSRF)
A9 Using Components with Known Vulnerabilities
A10 Unvalidated Redirects and Forwards
Mobile App Servers: RESTful API; SOAP; Web Service; Web XML
Recommendations
• Always validate input
• Don’t trust the client
• Harden mobile app servers & services
• Beware information disclosure
• Understand host & network controls
• Perform integrity checking regularly
Mobile Controls: 5 & 6
7. M3 Insufficient Transport Layer Protection
Example impacts: Expose authentication data; Disclosure of other sensitive information; Injection; Data tampering
Recommendations
• Use platform-provided cryptographic libraries
• Force strong methods & valid certificates
• Test for certificate errors & warnings
• Use pre-defined certificates, as appropriate
• Encrypt sensitive information before sending
• All transport, including RFID, NFC, Bluetooth, Wifi, Carrier
• Avoid HTTP GET method
Mobile Controls: 3
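The M3 recommendations "force strong methods & valid certificates", "test for certificate errors & warnings" and "use pre-defined certificates" can be shown side by side in a client TLS setup. The following is an added example written for this page, not code from the deck or its author; it uses Python's standard `ssl` and `hashlib` modules, the certificate bytes and pin set are constructed sample values, and `SAMPLE_CERT_DER`, `PINNED_SHA256` and the function names are assumptions of this example. It puts the setting to avoid (accept anything) beside the corrected one (chain validation, hostname check, TLS 1.2 minimum) and adds a pin check on the presented leaf certificate.

```python
import hashlib
import ssl

# Constructed sample: stands in for the DER bytes that
# SSLSocket.getpeercert(binary_form=True) returns for the server's leaf
# certificate after a real handshake.
SAMPLE_CERT_DER = b"constructed-sample-leaf-certificate-bytes"

# Pre-defined certificates: hex SHA-256 fingerprints the app will accept.
# In practice this set also holds a backup pin so that certificate
# rotation does not lock users out of the app.
PINNED_SHA256 = {hashlib.sha256(SAMPLE_CERT_DER).hexdigest()}


def weak_context():
    """The configuration to avoid: any certificate is accepted, so an
    interposed proxy with a self-signed certificate reads every request."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def strict_context():
    """Force strong methods & valid certificates: chain validation against
    the platform trust store, hostname matching and TLS 1.2 or newer."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_strict(ctx):
    """Self-check a context before use, so certificate errors surface in a
    test rather than being silently accepted in production."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and bool(ctx.check_hostname)
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def cert_matches_pin(cert_der, pins=None):
    """Compare the presented leaf certificate against the pin set."""
    pins = PINNED_SHA256 if pins is None else pins
    return hashlib.sha256(cert_der).hexdigest() in pins


def verify_peer(cert_der):
    """Run after the handshake with sock.getpeercert(binary_form=True).
    Pinning is applied on top of chain validation, never instead of it."""
    if not cert_matches_pin(cert_der):
        raise ssl.SSLCertVerificationError("leaf certificate not in pin set")
```

The `context_is_strict` check is the kind of assertion worth keeping in the app's test suite: a later "fix" for a certificate warning that flips `verify_mode` to `CERT_NONE` then fails the build instead of shipping.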
8. M4 Client Side Injection
Impact: App or device compromise; Abuse resources or services (SMS, phone, payments, online banking); Extract or inject data; Man-in-the-Browser (MITB)
Recommendations
• Always validate input
• Don’t trust the server
• Harden mobile app clients
• Beware information disclosure
• Perform integrity checking regularly
Mobile Controls: 9
9. M5 Poor Authorization and Authentication
Example impacts: Account takeover; Confidentiality breach; Fraudulent transactions
Most common methods: Account name; Password; OAuth; HTTP Cookies; Stored passwords; Unique tokens
Recommendations
• Use appropriate methods for the risk
• Use unique identifiers as additional (not primary) factors
• Differentiate between client vs. server authentication
• Ensure out-of-band methods are truly OOB (this is hard)
• Hardware-independent identifiers
Mobile Controls: 4
10. M6 Improper Session Handling
Impacts: Account takeover; Confidentiality breach; Fraudulent transactions
Most common methods: OAuth; HTTP Cookies; Stored passwords; Unique tokens
Recommendations
• Allow revocation of device/password
• Use strong tokens and generation methods
• Consider appropriate session length (longer than web)
• Reauthenticate periodically or after focus change
• Store and transmit session tokens securely
Mobile Controls: 4
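The M6 recommendations (strong token generation, per-device revocation, a session length longer than web but with periodic reauthentication, secure storage of tokens) fit together in one server-side session registry. The code below is an added example for this page, not the deck's or the author's code; the class name, the lifetime constants and the user/device sample values are assumptions of the example. It generates tokens from the OS CSPRNG, keeps only a SHA-256 of each token server-side, enforces an absolute lifetime plus an idle limit for sensitive actions, and supports revoking one device or every session of a user.

```python
import hashlib
import secrets
import time

ABSOLUTE_LIFETIME = 30 * 24 * 3600   # mobile sessions run longer than web...
IDLE_REAUTH_AFTER = 15 * 60          # ...but sensitive actions re-prompt after idle time


class SessionStore:
    """Server-side registry of mobile sessions, one record per device.

    Only a SHA-256 of each token is stored, so a copy of this table does not
    yield usable tokens; the client keeps the raw token in platform secure
    storage and sends it in a header, never in a URL (M3: avoid HTTP GET).
    """

    def __init__(self):
        self._sessions = {}   # sha256(token) -> record

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, user, device_id, now=None):
        """Issue a fresh 256-bit token from the OS CSPRNG (never a timestamp,
        a counter or a hash of the device identifier)."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._sessions[self._key(token)] = {
            "user": user, "device": device_id,
            "created": now, "last_seen": now, "revoked": False,
        }
        return token

    def validate(self, token, now=None, sensitive=False):
        """Return the user for a live token, or None when the caller must
        re-authenticate: unknown, revoked, past the absolute lifetime, or
        (for sensitive actions) idle for longer than IDLE_REAUTH_AFTER."""
        now = time.time() if now is None else now
        rec = self._sessions.get(self._key(token))
        if rec is None or rec["revoked"]:
            return None
        if now - rec["created"] > ABSOLUTE_LIFETIME:
            return None
        if sensitive and now - rec["last_seen"] > IDLE_REAUTH_AFTER:
            return None
        rec["last_seen"] = now
        return rec["user"]

    def revoke_device(self, user, device_id):
        """Lost or sold phone: end that device's sessions. Returns the count."""
        return self._revoke(lambda r: r["user"] == user and r["device"] == device_id)

    def revoke_all(self, user):
        """Password change or suspected compromise: end every session."""
        return self._revoke(lambda r: r["user"] == user)

    def _revoke(self, match):
        count = 0
        for rec in self._sessions.values():
            if not rec["revoked"] and match(rec):
                rec["revoked"] = True
                count += 1
        return count
```

A `validate(..., sensitive=True)` result of `None` is the server's signal to the app to show the login or passcode screen again, which is how "reauthenticate periodically" becomes enforceable rather than a client-side courtesy.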
11. M7 Security Decisions via Untrusted Inputs
Description: Reliance on files, settings, network resources or other inputs which may be modified.
Examples: DNS settings; Cookies; Configuration files; Network injection; Mobile malware; URL calls
Recommendations
• Validate settings and files with checksums
• Validate all inputs
• Encrypt communications
• Ensure trusted data sources
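"Validate settings and files with checksums" is only a control if the checksum cannot be recomputed by whoever edited the file. The example below is added for this page and is not from the deck or its author; the settings content, the key and the function names are constructed assumptions, and the key is assumed to come from platform-specific secure storage (M1, protection 3) rather than from a string stored next to the file. It shows a bare SHA-256 beside the file (detects corruption only) next to an HMAC-SHA256 tag that the app checks before acting on the settings.

```python
import hashlib
import hmac
import json

# Constructed sample settings file and the key used to tag it. In a real
# app the key is loaded from platform secure storage, never embedded
# beside the file it protects.
SETTINGS = {"api_base": "https://api.example.invalid", "pin_set": "v3"}
INTEGRITY_KEY = b"constructed-sample-key-from-secure-storage"


def serialize(settings):
    """Canonical encoding so the same settings always yield the same bytes."""
    return json.dumps(settings, sort_keys=True, separators=(",", ":")).encode()


def plain_checksum(body):
    """A bare SHA-256 stored beside the file: the weak form. Anyone who can
    edit the file can recompute it, so it detects corruption, not tampering."""
    return hashlib.sha256(body).hexdigest()


def checksum_matches(body, checksum):
    return hmac.compare_digest(plain_checksum(body), checksum)


def keyed_tag(body, key=INTEGRITY_KEY):
    """HMAC-SHA256 tag: recomputing it requires the key, not just the file."""
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def settings_are_intact(body, tag, key=INTEGRITY_KEY):
    """Constant-time comparison of the stored tag with a fresh one."""
    return hmac.compare_digest(keyed_tag(body, key), tag)


def load_settings(body, tag, key=INTEGRITY_KEY):
    """Validate the settings file before any security decision depends on it.
    Returns the parsed settings, or raises ValueError on a failed check so the
    app falls back to its built-in defaults instead of the modified values."""
    if not settings_are_intact(body, tag, key):
        raise ValueError("settings file failed integrity check")
    return json.loads(body)
```

Where the settings are delivered by the server, the same shape works with a digital signature instead of an HMAC: the server signs with a private key and the app verifies with a public key compiled in, so no secret has to live on the device at all.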
12. M8 Side Channel Data Leakage
Examples of side channel data: Caches; Keystroke logging (by platform); Screenshots (by platform); Logs
Recommendations
• Consider server-side leakage
• Reduce client-side logging
• Consider mobile-specific private information
• Consider platform-specific data capture features
• Securely cache data (consider SSD limitations)
Mobile Controls: 1, 2, 3, 6 & 7
13. M9 Broken Cryptography
Cryptography…
• …is not encoding
• …is not obfuscation
• …is not serialization
• …is best left to the experts
Recommendations
• Use only well-vetted cryptographic libraries
• Understand one-way vs. two-way encryption
• Use only well-vetted cryptographic libraries (not a typo)
• Use only platform-provided cryptographic storage
• Use only well-vetted cryptographic libraries (still not a typo)
• Protect cryptographic keys fanatically
• Use only well-vetted cryptographic libraries (seriously - always do this)
“The only way to tell good cryptography from bad cryptography is to have it examined by experts.” - Bruce Schneier
Mobile Controls: 1, 2 & 3
14. M10 Sensitive Information Disclosure
Side application data: API or encryption keys; Passwords; Sensitive business logic; Internal company information; Debugging or maintenance information
Recommendations
• Store sensitive application data server-side
• Avoid hardcoding information in the application
• Use platform-specific secure storage areas
15. Case Study
M1 Insecure Data Storage
• Account number & passcode stored in flat text file
Risks & mitigating factors
• Passcode not used for other systems
• App contained and accessed sensitive and private information
16. Case Study
M5 Poor Authorization & Authentication
• Account name and password in plain text
• Used HTTP GET method (logged to server)
M8 Side Channel Data Leakage
• Logged password to client and server
M9 Broken Cryptography
• First attempt to fix issue obfuscated password
Risks & mitigating factors
• Same password used for web application
• Password reuse likely
• Stored password securely
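The M9 slide's "cryptography is not encoding or obfuscation" and "understand one-way vs. two-way encryption", together with the case study's first fix that only obfuscated the password, can be demonstrated in a few lines. This is an added example for this page, not code from the deck or its author; the sample passcode is constructed and the function names are assumptions. The obfuscated form is shown to be fully reversible, while the one-way form uses a salted PBKDF2-HMAC-SHA256 hash from the standard library and a constant-time comparison. The hash form suits a passcode the app verifies locally; a credential the app must replay to a server does not belong on the device as a password at all, but as a revocable token in platform secure storage (M1 protection 3, M5/M6).

```python
import base64
import hashlib
import hmac
import os

# Constructed sample passcode for the demonstration.
SAMPLE_PASSCODE = "correct horse battery staple"
DEFAULT_ITERATIONS = 600_000   # PBKDF2 work factor; tune to the device


def obfuscate(passcode):
    """What an obfuscation-only fix amounts to: an encoding that looks
    scrambled but carries no secret. Anyone with the file reverses it."""
    return base64.b64encode(passcode.encode()).decode()


def deobfuscate(blob):
    """Two-way by construction: no key, so no protection."""
    return base64.b64decode(blob).decode()


def hash_passcode(passcode, salt=None, iterations=DEFAULT_ITERATIONS):
    """One-way form for a locally verified passcode: per-record random salt
    plus a slow, salted hash. The record can be stored; the passcode cannot
    be recovered from it, only checked against a fresh attempt."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "digest": digest.hex()}


def verify_passcode(candidate, record):
    """Recompute with the stored salt and parameters; compare in constant
    time so the check itself does not leak which bytes matched."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        candidate.encode(),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest.hex(), record["digest"])
```

The two hash records below for the same passcode differ because each carries its own salt; that is what stops a single precomputed table from covering every user's file.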
17. DIY Vulnerability Discovery
• Explore files on mobile devices and backups
• Search for passwords
• Sniff network connections
• Downgrade SSL
OWASP Resources
• WebScarab
• GoatDroid
• iGoat
• MobiSec
• iMas
• Mobile Testing Guide
18. Beau Woods
http://beauwoods.com
@beauwoods

Weitere ähnliche Inhalte

Was ist angesagt?

Mitre ATTACK and the North Korean Regime-Backed Programmer
Mitre ATTACK and the North Korean Regime-Backed ProgrammerMitre ATTACK and the North Korean Regime-Backed Programmer
Mitre ATTACK and the North Korean Regime-Backed ProgrammerDigital Shadows
 
MITRE ATT&CK and 2017 FSB Indictment
MITRE ATT&CK and 2017 FSB IndictmentMITRE ATT&CK and 2017 FSB Indictment
MITRE ATT&CK and 2017 FSB IndictmentDigital Shadows
 
Two Factor Authentication Made Easy ICWE 2015
Two Factor Authentication Made Easy  ICWE 2015Two Factor Authentication Made Easy  ICWE 2015
Two Factor Authentication Made Easy ICWE 2015Alex Q. Chen
 
Are Bot Operators Eating Your Lunch?
Are Bot Operators Eating Your Lunch?Are Bot Operators Eating Your Lunch?
Are Bot Operators Eating Your Lunch?Distil Networks
 
Essential Defense by Kevin Cardwell
Essential Defense by Kevin CardwellEssential Defense by Kevin Cardwell
Essential Defense by Kevin CardwellEC-Council
 
Web Application Security Testing
Web Application Security TestingWeb Application Security Testing
Web Application Security TestingMarco Morana
 
Security Testing Training With Examples
Security Testing Training With ExamplesSecurity Testing Training With Examples
Security Testing Training With ExamplesAlwin Thayyil
 
Avoiding Two-factor Authentication? You're Not Alone
Avoiding Two-factor Authentication? You're Not AloneAvoiding Two-factor Authentication? You're Not Alone
Avoiding Two-factor Authentication? You're Not AlonePortalGuard
 
Explore Security Testing
Explore Security TestingExplore Security Testing
Explore Security Testingshwetaupadhyay
 
Security testing
Security testingSecurity testing
Security testingbaskar p
 
Enemy from Within: Managing and Controlling Access
Enemy from Within: Managing and Controlling AccessEnemy from Within: Managing and Controlling Access
Enemy from Within: Managing and Controlling AccessBeyondTrust
 
Two-factor authentication- A sample writing _Zaman
Two-factor authentication- A sample writing _ZamanTwo-factor authentication- A sample writing _Zaman
Two-factor authentication- A sample writing _ZamanAsad Zaman
 
Introduction to security testing
Introduction to security testingIntroduction to security testing
Introduction to security testingNagasahas DS
 
Web Application Penetration Testing Introduction
Web Application Penetration Testing IntroductionWeb Application Penetration Testing Introduction
Web Application Penetration Testing Introductiongbud7
 
How Federal Agencies Can Build a Layered Defense for Privileged Accounts
How Federal Agencies Can Build a Layered Defense for Privileged AccountsHow Federal Agencies Can Build a Layered Defense for Privileged Accounts
How Federal Agencies Can Build a Layered Defense for Privileged AccountsBeyondTrust
 
Introduction To Vulnerability Assessment & Penetration Testing
Introduction To Vulnerability Assessment & Penetration TestingIntroduction To Vulnerability Assessment & Penetration Testing
Introduction To Vulnerability Assessment & Penetration TestingRaghav Bisht
 
Penetration testing reporting and methodology
Penetration testing reporting and methodologyPenetration testing reporting and methodology
Penetration testing reporting and methodologyRashad Aliyev
 
VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing Netpluz Asia Pte Ltd
 

Was ist angesagt? (20)

Mitre ATTACK and the North Korean Regime-Backed Programmer
Mitre ATTACK and the North Korean Regime-Backed ProgrammerMitre ATTACK and the North Korean Regime-Backed Programmer
Mitre ATTACK and the North Korean Regime-Backed Programmer
 
MITRE ATT&CK and 2017 FSB Indictment
MITRE ATT&CK and 2017 FSB IndictmentMITRE ATT&CK and 2017 FSB Indictment
MITRE ATT&CK and 2017 FSB Indictment
 
Two Factor Authentication Made Easy ICWE 2015
Two Factor Authentication Made Easy  ICWE 2015Two Factor Authentication Made Easy  ICWE 2015
Two Factor Authentication Made Easy ICWE 2015
 
Are Bot Operators Eating Your Lunch?
Are Bot Operators Eating Your Lunch?Are Bot Operators Eating Your Lunch?
Are Bot Operators Eating Your Lunch?
 
Essential Defense by Kevin Cardwell
Essential Defense by Kevin CardwellEssential Defense by Kevin Cardwell
Essential Defense by Kevin Cardwell
 
Web Application Security Testing
Web Application Security TestingWeb Application Security Testing
Web Application Security Testing
 
Security Testing Training With Examples
Security Testing Training With ExamplesSecurity Testing Training With Examples
Security Testing Training With Examples
 
Avoiding Two-factor Authentication? You're Not Alone
Avoiding Two-factor Authentication? You're Not AloneAvoiding Two-factor Authentication? You're Not Alone
Avoiding Two-factor Authentication? You're Not Alone
 
Explore Security Testing
Explore Security TestingExplore Security Testing
Explore Security Testing
 
Security testing
Security testingSecurity testing
Security testing
 
Enemy from Within: Managing and Controlling Access
Enemy from Within: Managing and Controlling AccessEnemy from Within: Managing and Controlling Access
Enemy from Within: Managing and Controlling Access
 
Two-factor authentication- A sample writing _Zaman
Two-factor authentication- A sample writing _ZamanTwo-factor authentication- A sample writing _Zaman
Two-factor authentication- A sample writing _Zaman
 
Introduction to security testing
Introduction to security testingIntroduction to security testing
Introduction to security testing
 
Web Application Penetration Testing Introduction
Web Application Penetration Testing IntroductionWeb Application Penetration Testing Introduction
Web Application Penetration Testing Introduction
 
How Federal Agencies Can Build a Layered Defense for Privileged Accounts
How Federal Agencies Can Build a Layered Defense for Privileged AccountsHow Federal Agencies Can Build a Layered Defense for Privileged Accounts
How Federal Agencies Can Build a Layered Defense for Privileged Accounts
 
Introduction To Vulnerability Assessment & Penetration Testing
Introduction To Vulnerability Assessment & Penetration TestingIntroduction To Vulnerability Assessment & Penetration Testing
Introduction To Vulnerability Assessment & Penetration Testing
 
Penetration testing reporting and methodology
Penetration testing reporting and methodologyPenetration testing reporting and methodology
Penetration testing reporting and methodology
 
VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing
 
VAPT, Ethical Hacking and Laws in India by prashant mali
VAPT, Ethical Hacking and Laws in India by prashant maliVAPT, Ethical Hacking and Laws in India by prashant mali
VAPT, Ethical Hacking and Laws in India by prashant mali
 
Owasp Mobile Top 10 – 2014
Owasp Mobile Top 10 – 2014Owasp Mobile Top 10 – 2014
Owasp Mobile Top 10 – 2014
 

Ähnlich wie OWASP Top 10 Mobile Risks

Standards and methodology for application security assessment
Standards and methodology for application security assessment Standards and methodology for application security assessment
Standards and methodology for application security assessment Mykhailo Antonishyn
 
Mobile Security Training, Mobile Device Security Training
Mobile Security Training, Mobile Device Security TrainingMobile Security Training, Mobile Device Security Training
Mobile Security Training, Mobile Device Security TrainingTonex
 
Big data, Security, or Privacy in IoT: Choice is Yours
Big data, Security, or Privacy in IoT: Choice is YoursBig data, Security, or Privacy in IoT: Choice is Yours
Big data, Security, or Privacy in IoT: Choice is YoursDilum Bandara
 
85% of App Store Apps Fail OWASP Mobile Top 10: Are you exposed?
85% of App Store Apps Fail OWASP Mobile Top 10: Are you exposed?85% of App Store Apps Fail OWASP Mobile Top 10: Are you exposed?
85% of App Store Apps Fail OWASP Mobile Top 10: Are you exposed?NowSecure
 
Webinar: Beyond Two-Factor: Secure Access Control for Office 365
 Webinar: Beyond Two-Factor: Secure Access Control for Office 365 Webinar: Beyond Two-Factor: Secure Access Control for Office 365
Webinar: Beyond Two-Factor: Secure Access Control for Office 365SecureAuth
 
Mobile App Security - Best Practices
Mobile App Security - Best PracticesMobile App Security - Best Practices
Mobile App Security - Best PracticesRedBlackTree
 
Chapter 4Secure Design PrinciplesCopyright © 2014 by McGraw-
Chapter 4Secure Design PrinciplesCopyright © 2014 by McGraw-Chapter 4Secure Design PrinciplesCopyright © 2014 by McGraw-
Chapter 4Secure Design PrinciplesCopyright © 2014 by McGraw-WilheminaRossi174
 
Appsecurity, win or loose
Appsecurity, win or looseAppsecurity, win or loose
Appsecurity, win or looseBjørn Sloth
 
Asegurarme de la Seguridad?, Un Vistazo al Penetration Testing
Asegurarme de la Seguridad?, Un Vistazo al Penetration TestingAsegurarme de la Seguridad?, Un Vistazo al Penetration Testing
Asegurarme de la Seguridad?, Un Vistazo al Penetration TestingSoftware Guru
 
Application Security Review 5 Dec 09 Final
Application Security Review 5 Dec 09 FinalApplication Security Review 5 Dec 09 Final
Application Security Review 5 Dec 09 FinalManoj Agarwal
 
00. introduction to app sec v3
00. introduction to app sec v300. introduction to app sec v3
00. introduction to app sec v3Eoin Keary
 
The 5 Crazy Mistakes IoT Administrators Make with System Credentials
The 5 Crazy Mistakes IoT Administrators Make with System CredentialsThe 5 Crazy Mistakes IoT Administrators Make with System Credentials
The 5 Crazy Mistakes IoT Administrators Make with System CredentialsBeyondTrust
 
Evaluación de riesgos asociados al puesto de trabajo: empleados, externos, vi...
Evaluación de riesgos asociados al puesto de trabajo: empleados, externos, vi...Evaluación de riesgos asociados al puesto de trabajo: empleados, externos, vi...
Evaluación de riesgos asociados al puesto de trabajo: empleados, externos, vi...Nextel S.A.
 

Ähnlich wie OWASP Top 10 Mobile Risks (20)

OWASP Mobile Top 10 Deep-Dive
OWASP Mobile Top 10 Deep-DiveOWASP Mobile Top 10 Deep-Dive
OWASP Mobile Top 10 Deep-Dive
 
Webdays blida mobile top 10 risks
Webdays blida   mobile top 10 risksWebdays blida   mobile top 10 risks
Webdays blida mobile top 10 risks
 
Standards and methodology for application security assessment
Standards and methodology for application security assessment Standards and methodology for application security assessment
Standards and methodology for application security assessment
 
Mobile Security Training, Mobile Device Security Training
Mobile Security Training, Mobile Device Security TrainingMobile Security Training, Mobile Device Security Training
Mobile Security Training, Mobile Device Security Training
 
Securing Your Business
Securing Your BusinessSecuring Your Business
Securing Your Business
 
Big data, Security, or Privacy in IoT: Choice is Yours
Big data, Security, or Privacy in IoT: Choice is YoursBig data, Security, or Privacy in IoT: Choice is Yours
Big data, Security, or Privacy in IoT: Choice is Yours
 
Cloud computingsec p3
Cloud computingsec p3Cloud computingsec p3
Cloud computingsec p3
 
85% of App Store Apps Fail OWASP Mobile Top 10: Are you exposed?
85% of App Store Apps Fail OWASP Mobile Top 10: Are you exposed?85% of App Store Apps Fail OWASP Mobile Top 10: Are you exposed?
85% of App Store Apps Fail OWASP Mobile Top 10: Are you exposed?
 
Webinar: Beyond Two-Factor: Secure Access Control for Office 365
 Webinar: Beyond Two-Factor: Secure Access Control for Office 365 Webinar: Beyond Two-Factor: Secure Access Control for Office 365
Webinar: Beyond Two-Factor: Secure Access Control for Office 365
 
Mobile App Security - Best Practices
Mobile App Security - Best PracticesMobile App Security - Best Practices
Mobile App Security - Best Practices
 
Chapter 4Secure Design PrinciplesCopyright © 2014 by McGraw-
Chapter 4Secure Design PrinciplesCopyright © 2014 by McGraw-Chapter 4Secure Design PrinciplesCopyright © 2014 by McGraw-
Chapter 4Secure Design PrinciplesCopyright © 2014 by McGraw-
 
Secure Cloud Reference Architecture
Secure Cloud Reference ArchitectureSecure Cloud Reference Architecture
Secure Cloud Reference Architecture
 
Appsecurity, win or loose
Appsecurity, win or looseAppsecurity, win or loose
Appsecurity, win or loose
 
Asegurarme de la Seguridad?, Un Vistazo al Penetration Testing
Asegurarme de la Seguridad?, Un Vistazo al Penetration TestingAsegurarme de la Seguridad?, Un Vistazo al Penetration Testing
Asegurarme de la Seguridad?, Un Vistazo al Penetration Testing
 
Adaptive Trust for Strong Network Security
Adaptive Trust for Strong Network SecurityAdaptive Trust for Strong Network Security
Adaptive Trust for Strong Network Security
 
Smartphones' Security
Smartphones' SecuritySmartphones' Security
Smartphones' Security
 
Application Security Review 5 Dec 09 Final
Application Security Review 5 Dec 09 FinalApplication Security Review 5 Dec 09 Final
Application Security Review 5 Dec 09 Final
 
00. introduction to app sec v3
00. introduction to app sec v300. introduction to app sec v3
00. introduction to app sec v3
 
The 5 Crazy Mistakes IoT Administrators Make with System Credentials
The 5 Crazy Mistakes IoT Administrators Make with System CredentialsThe 5 Crazy Mistakes IoT Administrators Make with System Credentials
The 5 Crazy Mistakes IoT Administrators Make with System Credentials
 
Evaluación de riesgos asociados al puesto de trabajo: empleados, externos, vi...
Evaluación de riesgos asociados al puesto de trabajo: empleados, externos, vi...Evaluación de riesgos asociados al puesto de trabajo: empleados, externos, vi...
Evaluación de riesgos asociados al puesto de trabajo: empleados, externos, vi...
 

Kürzlich hochgeladen

What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfSeasiaInfotech2
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 

Kürzlich hochgeladen (20)

What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdf
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 

OWASP Top 10 Mobile Risks

  • 1. OWASP Mobile Top 10. OWASP Korea Day 2013, July 13, 2013. Beau Woods, http://beauwoods.com, @beauwoods. "OWASP Mobile Top 10 Risks presentation at OWASP Korea July 13, 2013" is licensed under a Creative Commons Attribution 3.0 Unported License.
  • 3. Mobile Considerations: mobile devices vs. traditional devices
      Use models: always on, always connected, omnipresent (mobile) vs. frequently off, disconnected, location-bound (traditional)
      Capabilities: communications, limited resources, highly variable (mobile) vs. many resources, robust platform, well documented (traditional)
      Hardware: extensive RF & SSD, highly variable, not upgradable (mobile) vs. limited RF & HDD, highly variable, highly upgradable (traditional)
      Platform: highly variable, limited options, variable security (mobile) vs. standardized, well understood, robust security (traditional)
  • 4. OWASP Mobile Top 10 Risks
      M1 Insecure Data Storage
      M2 Weak Server Side Controls
      M3 Insufficient Transport Layer Protection
      M4 Client Side Injection
      M5 Poor Authorization and Authentication
      M6 Improper Session Handling
      M7 Security Decisions via Untrusted Inputs
      M8 Side Channel Data Leakage
      M9 Broken Cryptography
      M10 Sensitive Information Disclosure
      Mobile Security Project (alpha documentation): Top 10 Risks, Top 10 Controls, Threat Model, Testing Guide, Tools, Secure Development
  • 5. M1 Insecure Data Storage
      Examples of sensitive data: authentication data, regulated information, business-specific information, private information
      Recommendations: business must define, classify, assign owner & set requirements; acquire, transmit, use and store as little sensitive data as possible; inform and confirm data definition, collection, use & handling
      Protections: 1. reduce use and storage; 2. encrypt or hash; 3. platform-specific secure storage with restricted permissions
      Mobile Controls 1, 2 & 7
  • 6. M2 Weak Server Side Controls
      OWASP Top 10 Web Application Risks 2013: A1 Injection; A2 Broken Authentication and Session Management; A3 Cross-Site Scripting (XSS); A4 Insecure Direct Object References; A5 Security Misconfiguration; A6 Sensitive Data Exposure; A7 Missing Function Level Access Control; A8 Cross-Site Request Forgery (CSRF); A9 Using Components with Known Vulnerabilities; A10 Unvalidated Redirects and Forwards
      Mobile app servers: RESTful API, SOAP web service, web, XML
      Recommendations: always validate input; don't trust the client; harden mobile app servers & services; beware information disclosure; understand host & network controls; perform integrity checking regularly
      Mobile Controls 5 & 6
  • 7. M3 Insufficient Transport Layer Protection
      Impact: exposure of authentication data; disclosure of other sensitive information; injection; data tampering
      Recommendations: use platform-provided cryptographic libraries; force strong methods & valid certificates; test for certificate errors & warnings; use pre-defined certificates, as appropriate; encrypt sensitive information before sending; cover all transport, including RFID, NFC, Bluetooth, Wifi and carrier; avoid the HTTP GET method
      Mobile Controls 3
  • 8. M4 Client Side Injection
      Impact: app or device compromise; abuse of resources or services (SMS, phone, payments, online banking); data extraction or injection; Man-in-the-Browser (MITB)
      Recommendations: always validate input; don't trust the server; harden mobile app clients; beware information disclosure; perform integrity checking regularly
      Mobile Controls 9
  • 9. M5 Poor Authorization and Authentication
      Impacts: account takeover; confidentiality breach; fraudulent transactions
      Most common methods: account name, password, OAuth, HTTP cookies, stored passwords, unique tokens
      Recommendations: use appropriate methods for the risk; use unique identifiers as additional (not primary) factors; differentiate between client vs. server authentication; ensure out-of-band methods are truly OOB (this is hard); use hardware-independent identifiers
      Mobile Controls 4
  • 10. M6 Improper Session Handling
      Impacts: account takeover; confidentiality breach; fraudulent transactions
      Most common methods: OAuth, HTTP cookies, stored passwords, unique tokens
      Recommendations: allow revocation of device/password; use strong tokens and generation methods; consider appropriate session length (longer than web); reauthenticate periodically or after focus change; store and transmit session tokens securely
      Mobile Controls 4
  • 11. M7 Security Decisions via Untrusted Inputs
      Description: reliance on files, settings, network resources or other inputs which may be modified
      Examples: DNS settings, cookies, configuration files, network injection, mobile malware, URL calls
      Recommendations: validate settings and files with checksums; validate all inputs; encrypt communications; ensure trusted data sources
  • 12. M8 Side Channel Data Leakage
      Examples of side channel data: caches; keystroke logging (by platform); screenshots (by platform); logs
      Recommendations: consider server-side leakage; reduce client-side logging; consider mobile-specific private information; consider platform-specific data capture features; securely cache data (consider SSD limitations)
      Mobile Controls 1, 2, 3, 6 & 7
  • 13. M9 Broken Cryptography
      Cryptography ...is not encoding ...is not obfuscation ...is not serialization ...is best left to the experts
      Recommendations: use only well-vetted cryptographic libraries; understand one-way vs. two-way encryption; use only well-vetted cryptographic libraries (not a typo); use only platform-provided cryptographic storage; use only well-vetted cryptographic libraries (still not a typo); protect cryptographic keys fanatically; use only well-vetted cryptographic libraries (seriously - always do this)
      "The only way to tell good cryptography from bad cryptography is to have it examined by experts." - Bruce Schneier
      Mobile Controls 1, 2 & 3
  • 14. M10 Sensitive Information Disclosure
      Side application data: API or encryption keys; passwords; sensitive business logic; internal company information; debugging or maintenance information
      Recommendations: store sensitive application data server-side; avoid hardcoding information in the application; use platform-specific secure storage areas
  • 15. Case Study
      M1 Insecure Data Storage: account number & passcode stored in flat text file
      Risks & mitigating factors: passcode not used for other systems; app contained and accessed sensitive and private information
  • 16. Case Study
      M5 Poor Authorization & Authentication: account name and password in plain text; used HTTP GET method (logged to server)
      M8 Side Channel Data Leakage: logged password to client and server
      M9 Broken Cryptography: first attempt to fix issue obfuscated password
      Risks & mitigating factors: same password used for web application; password reuse likely; stored password securely
  • 17. DIY Vulnerability Discovery: explore files on mobile devices and backups; search for passwords; sniff network connections; downgrade SSL
      OWASP Resources: WebScarab, GoatDroid, iGoat, MobiSec, iMas, Mobile Testing Guide
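The M1 case study (slide 15) describes an account number and passcode kept in a flat text file, and slides 5 and 13 give the fix: store as little as possible, hash rather than keep the secret, and restrict file permissions, using a vetted library. The following is an added example, not code from the deck or from the OWASP Mobile Security Project; it uses only the Python standard library, and the file names, record layout and the sample account/passcode values are constructed for illustration. The "before" function reproduces the flat-file storage so the two forms can be compared on disk.

```python
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path


# --- "Before": the flat text file from the M1 case study (do not use) ---------
def store_insecure(path: Path, account: str, passcode: str) -> None:
    path.write_text(json.dumps({"account": account, "passcode": passcode}))


# --- Hardened: store as little as possible, and never the secret itself -------
PBKDF2_ITERATIONS = 200_000   # cost factor (assumed value); raise as device CPUs allow


def hash_passcode(passcode: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 from hashlib is a vetted, one-way KDF (M9: a one-way
    # hash is the right tool for a value that only needs to be verified, never read back).
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, PBKDF2_ITERATIONS, dklen=32)


def store_hardened(path: Path, account: str, passcode: str) -> None:
    salt = os.urandom(16)                       # per-record random salt
    record = {
        "account_last4": account[-4:],          # M1 protection 1: reduce what is stored
        "salt": salt.hex(),
        "passcode_hash": hash_passcode(passcode, salt).hex(),   # protection 2: hash, don't store
    }
    path.write_text(json.dumps(record))
    os.chmod(path, 0o600)                       # protection 3: restrict permissions


def verify_passcode(path: Path, passcode: str) -> bool:
    record = json.loads(path.read_text())
    expected = bytes.fromhex(record["passcode_hash"])
    actual = hash_passcode(passcode, bytes.fromhex(record["salt"]))
    return hmac.compare_digest(actual, expected)   # constant-time comparison


def demo() -> dict:
    """Writes both forms to a temp dir and reports what a file explorer (slide 17) would find."""
    with tempfile.TemporaryDirectory() as d:
        insecure, hardened = Path(d) / "before.json", Path(d) / "after.json"
        store_insecure(insecure, "1234567890", "correct horse")   # constructed sample values
        store_hardened(hardened, "1234567890", "correct horse")
        after = hardened.read_text()
        return {
            "secret_readable_before": "correct horse" in insecure.read_text(),
            "secret_readable_after": "correct horse" in after or "1234567890" in after,
            "verify_ok": verify_passcode(hardened, "correct horse"),
            "verify_wrong": verify_passcode(hardened, "wrong passcode"),
        }
```

The hardened record still has to live in the platform's protected storage area (slide 5, protection 3); the permission bits shown here are the portable part of that, not a substitute for it. An account number that the app must read back is a two-way case and needs platform-provided encrypted storage rather than a hash, which is exactly the one-way vs. two-way distinction slide 13 asks for.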
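Slide 7 (M3) asks for strong methods, valid certificates and, where appropriate, pre-defined certificates. Below is an added example, not from the deck, showing in Python's standard `ssl` module the weak client setting that lets a man-in-the-middle succeed beside the hardened one, plus a fingerprint check against a pinned certificate. The pinned DER blob is a constructed placeholder rather than a real certificate, and `open_pinned` needs a network connection, so only the context and pin checks run offline.

```python
import hashlib
import hmac
import socket
import ssl


def weak_context() -> ssl.SSLContext:
    """The setting behind most certificate-validation bugs: any cert, any hostname."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def make_client_context() -> ssl.SSLContext:
    """Force strong methods and valid certificates (slide 7)."""
    ctx = ssl.create_default_context()            # system CA store, hostname check on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSLv3/TLS 1.0/1.1 downgrades
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED           # a cert error must fail, never warn
    return ctx


def is_hardened(ctx: ssl.SSLContext) -> bool:
    """Test hook: does a context meet the slide's three requirements?"""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.check_hostname
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


# Constructed placeholder standing in for the app's pre-defined certificate (DER bytes).
PINNED_CERT_DER = b"constructed placeholder, not a real certificate"
PINNED_FINGERPRINTS = {hashlib.sha256(PINNED_CERT_DER).hexdigest()}


def pin_matches(cert_der: bytes, pins=PINNED_FINGERPRINTS) -> bool:
    fp = hashlib.sha256(cert_der).hexdigest()
    return any(hmac.compare_digest(fp, p) for p in pins)


def open_pinned(host: str, port: int = 443, timeout: float = 5.0) -> ssl.SSLSocket:
    """Connect with the hardened context, then refuse any cert not in the pin set."""
    ctx = make_client_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    if not pin_matches(tls.getpeercert(binary_form=True)):
        tls.close()
        raise ssl.SSLError("server certificate does not match any pinned fingerprint")
    return tls
```

Pinning is applied after the normal chain validation, not instead of it, so a pin rotation mistake fails closed rather than silently opening the connection. The slide's last point, avoiding HTTP GET, is a separate transport habit: credentials in a query string survive in server and proxy logs even over TLS, which is the M8 finding in the slide 16 case study.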
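Slides 9 and 10 (M5, M6) recommend strong token generation, revocation of a device or password, longer-than-web session length with periodic reauthentication, and device identifiers as an additional rather than primary factor. The following server-side session store is an added example, not from the deck; the class and field names, the TTL values and the injected clock are assumptions so that it runs offline.

```python
import hashlib
import secrets
import time

SESSION_TTL = 30 * 24 * 3600   # assumed: mobile sessions may live longer than web sessions (M6)
REAUTH_AFTER = 15 * 60         # assumed: but the user is re-checked periodically / on focus change


class SessionStore:
    """Server-side store; only a SHA-256 of each token is kept, never the token itself."""

    def __init__(self, now=time.time):
        self._now = now          # clock is injectable so expiry can be tested offline
        self._sessions = {}      # token hash -> {"user", "device", "created", "last_auth"}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, user: str, device_id: str) -> str:
        # 256 bits from the CSPRNG; the device id is recorded as context (an additional
        # factor, M5), never used as the credential on its own.
        token = secrets.token_urlsafe(32)
        t = self._now()
        self._sessions[self._key(token)] = {"user": user, "device": device_id,
                                            "created": t, "last_auth": t}
        return token

    def lookup(self, token: str):
        rec = self._sessions.get(self._key(token))
        if rec is None:
            return None
        now = self._now()
        if now - rec["created"] > SESSION_TTL:      # hard lifetime reached
            self.revoke(token)
            return None
        state = "reauth_required" if now - rec["last_auth"] > REAUTH_AFTER else "ok"
        return {"user": rec["user"], "device": rec["device"], "state": state}

    def reauthenticated(self, token: str) -> None:
        """Called after the user re-enters the passcode (M6: reauthenticate periodically)."""
        rec = self._sessions.get(self._key(token))
        if rec is not None:
            rec["last_auth"] = self._now()

    def revoke(self, token: str) -> None:
        self._sessions.pop(self._key(token), None)

    def revoke_device(self, user: str, device_id: str) -> int:
        """Lost or stolen device: drop every session it holds (M6: allow revocation of device)."""
        doomed = [k for k, r in self._sessions.items()
                  if r["user"] == user and r["device"] == device_id]
        for k in doomed:
            del self._sessions[k]
        return len(doomed)

    def revoke_user(self, user: str) -> int:
        """Password change or reset: every session of the user, on every device."""
        doomed = [k for k, r in self._sessions.items() if r["user"] == user]
        for k in doomed:
            del self._sessions[k]
        return len(doomed)
```

Storing the hash rather than the token means a copied database does not yield usable sessions, and `revoke_user` is what makes a password reset actually protect the account, the gap the editor's note on Dropbox points at. The client side still owes the token the M1 treatment: platform secure storage, and transmission only over the hardened channel from slide 7.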
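Slide 11 (M7) lists configuration files among the inputs an app may wrongly trust and recommends validating settings and files with checksums plus validating all inputs. As an added example, not from the deck, the block below signs a settings file with an HMAC so that a modified copy is rejected, and then still validates the values inside a file whose tag is good. The key, file layout and sample settings are constructed; in a real app the key would be held in platform secure storage, not in source.

```python
import hashlib
import hmac
import json

# Constructed demo key. An unkeyed checksum (plain SHA-256) would not help here,
# because whoever edits the file can recompute it; the key is what an editor lacks.
INTEGRITY_KEY = b"constructed-demo-key-use-platform-keystore-in-production"


def sign_settings(settings: dict) -> bytes:
    """Serialise canonically and append an HMAC-SHA256 tag as the last line."""
    body = json.dumps(settings, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(INTEGRITY_KEY, body, hashlib.sha256).hexdigest()
    return body + b"\n" + tag.encode()


def load_settings(blob: bytes):
    """Return the settings dict, or None if the file is tampered with or holds bad values."""
    body, _, tag = blob.rpartition(b"\n")
    expected = hmac.new(INTEGRITY_KEY, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):     # constant-time tag check
        return None
    try:
        settings = json.loads(body)
    except ValueError:
        return None
    # A valid tag proves the file is what the app wrote, not that the values are
    # safe to act on: validate them anyway (M7: validate all inputs).
    api_base = settings.get("api_base", "")
    if not isinstance(api_base, str) or not api_base.startswith("https://"):
        return None
    if not isinstance(settings.get("debug", False), bool):
        return None
    return settings


def demo_tamper() -> tuple:
    """Signed file loads; the same bytes with the API host edited do not."""
    good = sign_settings({"api_base": "https://api.example.com", "debug": False})
    tampered = good.replace(b"https://api.example.com", b"http://example.net")
    return load_settings(good) is not None, load_settings(tampered) is None
```

The order of the two checks matters: the tag is verified before the JSON is parsed, so a corrupted or hostile file never reaches the parser, and the value check runs afterwards so that a correctly signed but badly written file (a plain-HTTP API base, say) is refused as well.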

Editor's Notes

  1. Path: collected and uploaded personal information. Concur: stored password in plain text (http://www.secureworks.com/cyber-threat-intelligence/advisories/SWRX-2011-002/). Similar flaws in other applications: Ustream stored password in plain text (http://stratigossecurity.com/2012/10/03/security-advisory-ustream-mobile-application/); Bambuser stored password in plain text (http://stratigossecurity.com/2012/10/03/security-advisory-bambuser-mobile-application/)
  2. Recommendation for future versions: expand to specific risks
  3. Google Wallet NFC MITM. PayPal failure to validate certificates. Apple iOS AppStore MITM led to circumventing purchases
  4. Recommendation for future versions: improve or eliminate
  5. Dropbox: used only a unique ID to authenticate, no password required; password reset doesn't protect assets. Audible: used plaintext password to authenticate and used HTTP GET method. OOB: remember, mobile devices can potentially intercept phone calls, SMS and email. Recommendation for future versions: combine with M6
  6. Recommendation for future versions: combine with M5
  7. Recommendation for future versions: improve or eliminate
  8. Android: information sent to advertisers (http://news.techeye.net/mobile/many-android-apps-send-your-private-information-to-advertisers). Apple: collected and stored mobile tower data; called before US Congress to answer questions. Audible: stored URL with password in logfile, also in GET request stored in web server log. Recommendation for future versions: consider combining with M10; consider incorporating the idea of collecting unnecessary but potentially sensitive or private information
  9. Recommendation for future versions: consider combining with M8