1. NULL BANGALORE – MAY 2014 MEET
OWASP MOBILE TOP 10 – 2014
INTRODUCTION
2. OWASP MOBILE TOP-10
• Security project maintained by OWASP.
• Intended audience –
• developers,
• security professionals,
• mobile users
• Home Page – OWASP Mobile security Project
• Under development
• Currently mainly focuses on iOS and Android mobile platforms.
3.
      2012                                        2014
M1:   Insecure Data Storage                       Weak Server Side Controls
M2:   Weak Server Side Controls                   Insecure Data Storage
M3:   Insufficient Transport Layer Protection     Insufficient Transport Layer Protection
M4:   Client Side Injection                       Unintended Data Leakage
M5:   Poor Authorization and Authentication       Poor Authorization and Authentication
M6:   Improper Session Handling                   Broken Cryptography
M7:   Security Decisions Via Untrusted Inputs     Client Side Injection
M8:   Side Channel Data Leakage                   Security Decisions Via Untrusted Inputs
M9:   Broken Cryptography                         Improper Session Handling
M10:  Sensitive Information Disclosure            Lack of Binary Protections
4. M1 – WEAK SERVER SIDE CONTROLS
• Attack vectors generally leading to traditional OWASP Top-10.
• SQL Injection, CSRF, etc.
• Insecure coding practices.
5. M2 – INSECURE DATA STORAGE
• Cardinal rule of Mobile Apps –
• Not to store Data
• Local files on Device.
• SQLite Db files
• Plist files – iOS
• XML files
• Log files
• Manifest files, etc.
6. M3 – INSUFFICIENT TRANSPORT LAYER PROTECTION
• Clear text transport Protocols
• Certificate verification
• Weak cipher suites
• Sensitive data sent over SMS / push Notifications
7. M4 – UNINTENDED DATA LEAKAGE
• Platform cache storage
• Clipboard data
• Debug Logs
• Screenshots, etc.
8. M5 – POOR AUTHORIZATION AND AUTHENTICATION
• Usability leading to short and poor A&A schemas
• Spoofable values used for authentication
• Geo-locations
• Device Identifiers
• A&A for Offline services
9. M6 – BROKEN CRYPTOGRAPHY
• Less processing speed on devices
• Usage of weak cryptographic algorithms to avoid system delays
• RC4
• Base64
• MD5
• Custom cryptographic protocols
• Improper Key Management
• Hardcoding
• Insecure Key transport
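The two M6 patterns above that are not cryptography at all (Base64 used as if it were encryption, unsalted MD5 for a PIN) next to a salted, slow hash for local PIN verification; this is an added Python example, not code from the slides, with a constructed PIN and an assumed PBKDF2 iteration count. On a real device the resulting record would still belong in the platform keystore or equivalent, not in a plain file.

```python
import base64
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000  # assumption: tune to the device's CPU budget
SALT_BYTES = 16

# ---- Weak patterns named on the slide ----------------------------------

def base64_roundtrip(secret: str) -> str:
    """Base64 is an encoding: whatever is 'protected' this way decodes
    back to the plaintext without any key, so it gives no confidentiality."""
    stored = base64.b64encode(secret.encode()).decode()
    return base64.b64decode(stored).decode()

def md5_record(pin: str) -> str:
    """Unsalted MD5: fast and deterministic, so equal PINs give equal
    digests for every user and the small PIN space can be precomputed."""
    return hashlib.md5(pin.encode()).hexdigest()

# ---- Hardened replacement for local PIN verification --------------------

def enroll_pin(pin: str) -> dict:
    """Store a per-user random salt plus a slow PBKDF2-HMAC-SHA256 digest."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "digest": digest.hex(),
            "iterations": PBKDF2_ITERATIONS}

def verify_pin(record: dict, pin: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    expected = bytes.fromhex(record["digest"])
    actual = hashlib.pbkdf2_hmac("sha256", pin.encode(),
                                 bytes.fromhex(record["salt"]),
                                 record["iterations"])
    return hmac.compare_digest(expected, actual)

if __name__ == "__main__":
    pin = "2468"  # constructed sample PIN that two users happen to share
    print(base64_roundtrip("session-token-123"))   # plaintext comes straight back
    print(md5_record(pin) == md5_record(pin))      # True: no per-user variation
    alice, bob = enroll_pin(pin), enroll_pin(pin)
    print(alice["digest"] != bob["digest"])        # True: salts differ
    print(verify_pin(alice, pin), verify_pin(alice, "0000"))  # True False
```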
10. M7 – CLIENT SIDE INJECTION
• SQLite Injection
• Intent sniffing in Android
• JavaScript Injection
• Local File Inclusions
• NSFileManager – iOS
• Webviews – Android
11. M8 – SECURITY DECISIONS VIA UNTRUSTED INPUTS
• Inter Process Communication
• Data on clipboards /pasteboards
• Platform specific Permission Model
• Manifest files – Android
• Entitlements – iOS