SlideShare ist ein Scribd-Unternehmen logo

Owasp Mobile Top 10 – 2014

n|u - The Open Security Community
n|u - The Open Security Community

null Bangalore Chapter - May 2014 Meet

BildungTechnologie
1 von 16
Downloaden Sie, um offline zu lesen
N U L L B A N G A L O R E – M A Y 2 0 1 4 M E E T OWASP MOBILE TOP 10 – 2014 INTRODUCTION
OWASP MOBILE TOP-10 • Security project maintained by OWASP. • Intended audience – • developers, • security professionals, • Mobile users  • Home Page – OWASP Mobile security Project • Under development • Currently mainly focuses on iOS and Android mobile platforms.
2012 2014 M1: Insecure Data Storage M1: Weak Server Side Controls M2: Weak Server Side Controls M2: Insecure Data Storage M3: Insufficient Transport Layer Protection M3: Insufficient Transport Layer Protection M4: Client Side Injection M4: Unintended Data Leakage M5: Poor Authorization and Authentication M5: Poor Authorization and Authentication M6: Improper Session Handling M6: Broken Cryptography M7: Security Decisions Via Untrusted Inputs M7: Client Side Injection M8: Side Channel Data Leakage M8: Security Decisions Via Untrusted Inputs M9: Broken Cryptography M9: Improper Session Handling M10: Sensitive Information Disclosure M10: Lack of Binary Protections
M1 – WEAK SERVER SIDE CONTROLS • Attack vectors generally leading to traditional OWASP Top-10. • SQL Injection, CSRF, etc. • Insecure coding practices.
M2 – INSECURE DATA STORAGE • Cardinal rule of Mobile Apps – • Not to store Data • Local files on Device. • SQLite Db files • Plist files – iOS • XML files • Log files • Manifest files, etc.
M3 – INSUFFICIENT TRANSPORT LAYER PROTECTION • Clear text transport Protocols • Certificate verification • Weak cipher suites • Sensitive data sent over SMS / push Notifications
M4 – UNINTENDED DATA LEAKAGE • Platform cache storage • Clipboard data • Debug Logs • Screenshots, etc.
M5 – POOR AUTHORIZATION AND AUTHENTICATION • Usability leading to short and poor A&A schemas • Spoofable values used for authentication • Geo-locations • Device Identifiers • A&A for Offline services
M6 – BROKEN CRYPTOGRAPHY • Less processing speed on devices • Usage of weak cryptographic algorithms to avoid system delays • RC4 • Base64 • MD5 • Custom cryptographic protocols • Improper Key Management • Hardcoding • Insecure Key transport
M7 – CLIENT SIDE INJECTION • SQLite Injection • Intent sniffing in Android • JavaScript Injection • Local File Inclusions • NSFileManager – iOS • Webviews - Android
M8 – SECURITY DECISIONS VIA UNTRUSTED INPUTS • Inter Process Communication • Data on clipboards /pasteboards • Platform specific Permission Model • Manifest files – Android • Entitlements – iOS
M9 – IMPROPER SESSION HANDLING • Application Backgrounding • Inadequate session Timeouts • Cookie based session management
M10 – LACK OF BINARY PROTECTIONS • Code decrypt of iOS apps • Disassembly of Android apk • Jailbreak detection / Root-Detection Controls • Debug detection controls
VULNERABLE APPS FOR PRACTICE • DVIA – Damn Vulnerable iOS App • Goat Droid • iGoat
NEXT TIME • M10 – Lack of Binary Protections • Jailbroken / Rooted device detection
? Thank you & Questions

Empfohlen

OWASP Top 10 for Mobile
OWASP Top 10 for MobileOWASP Top 10 for Mobile
OWASP Top 10 for MobileAppvigil - Mobile App Security Scanner
 
OWASP Mobile Security: Top 10 Risks for 2017
OWASP Mobile Security: Top 10 Risks for 2017OWASP Mobile Security: Top 10 Risks for 2017
OWASP Mobile Security: Top 10 Risks for 2017TecsyntSolutions
 
Owasp mobile top 10
Owasp mobile top 10Owasp mobile top 10
Owasp mobile top 10Pawel Rzepa
 
Mobile security, OWASP Mobile Top 10, OWASP Seraphimdroid
Mobile security, OWASP Mobile Top 10, OWASP SeraphimdroidMobile security, OWASP Mobile Top 10, OWASP Seraphimdroid
Mobile security, OWASP Mobile Top 10, OWASP SeraphimdroidNikola Milosevic
 
Owasp Mobile Top 10 - M7 & M8
Owasp Mobile Top 10 - M7 & M8Owasp Mobile Top 10 - M7 & M8
Owasp Mobile Top 10 - M7 & M85h1vang
 
Mobile Threats and Owasp Top 10 Risks
Mobile Threats and Owasp Top 10 RisksMobile Threats and Owasp Top 10 Risks
Mobile Threats and Owasp Top 10 RisksSantosh Satam
 
OWASP Mobile TOP 10 2014
OWASP Mobile TOP 10 2014OWASP Mobile TOP 10 2014
OWASP Mobile TOP 10 2014Islam Azeddine Mennouchi
 
Addressing the OWASP Mobile Security Threats using Xamarin
Addressing the OWASP Mobile Security Threats using XamarinAddressing the OWASP Mobile Security Threats using Xamarin
Addressing the OWASP Mobile Security Threats using XamarinAlec Tucker
 

Empfohlen

OWASP Top 10 for Mobile
OWASP Top 10 for MobileOWASP Top 10 for Mobile
OWASP Top 10 for MobileAppvigil - Mobile App Security Scanner
 
OWASP Mobile Security: Top 10 Risks for 2017
OWASP Mobile Security: Top 10 Risks for 2017OWASP Mobile Security: Top 10 Risks for 2017
OWASP Mobile Security: Top 10 Risks for 2017TecsyntSolutions
 
Owasp mobile top 10
Owasp mobile top 10Owasp mobile top 10
Owasp mobile top 10Pawel Rzepa
 
Mobile security, OWASP Mobile Top 10, OWASP Seraphimdroid
Mobile security, OWASP Mobile Top 10, OWASP SeraphimdroidMobile security, OWASP Mobile Top 10, OWASP Seraphimdroid
Mobile security, OWASP Mobile Top 10, OWASP SeraphimdroidNikola Milosevic
 
Owasp Mobile Top 10 - M7 & M8
Owasp Mobile Top 10 - M7 & M8Owasp Mobile Top 10 - M7 & M8
Owasp Mobile Top 10 - M7 & M85h1vang
 
Mobile Threats and Owasp Top 10 Risks
Mobile Threats and Owasp Top 10 RisksMobile Threats and Owasp Top 10 Risks
Mobile Threats and Owasp Top 10 RisksSantosh Satam
 
OWASP Mobile TOP 10 2014
OWASP Mobile TOP 10 2014OWASP Mobile TOP 10 2014
OWASP Mobile TOP 10 2014Islam Azeddine Mennouchi
 
Addressing the OWASP Mobile Security Threats using Xamarin
Addressing the OWASP Mobile Security Threats using XamarinAddressing the OWASP Mobile Security Threats using Xamarin
Addressing the OWASP Mobile Security Threats using XamarinAlec Tucker
 
Owasp Mobile Risk Series : M4 : Unintended Data Leakage
Owasp Mobile Risk Series : M4 : Unintended Data LeakageOwasp Mobile Risk Series : M4 : Unintended Data Leakage
Owasp Mobile Risk Series : M4 : Unintended Data LeakageAnant Shrivastava
 
Owasp Top 10 (M-10 : Lack of Binary Protection) | Null Meet
Owasp Top 10 (M-10 : Lack of Binary Protection) | Null MeetOwasp Top 10 (M-10 : Lack of Binary Protection) | Null Meet
Owasp Top 10 (M-10 : Lack of Binary Protection) | Null Meet5h1vang
 
OWASP Mobile Top 10 Deep-Dive
OWASP Mobile Top 10 Deep-DiveOWASP Mobile Top 10 Deep-Dive
OWASP Mobile Top 10 Deep-DivePrathan Phongthiproek
 
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer ProtectionOwasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer ProtectionAnant Shrivastava
 
Android Application Security Awareness Talk, OWASP MEETUP Q3, 2015
Android Application Security Awareness Talk, OWASP MEETUP Q3, 2015Android Application Security Awareness Talk, OWASP MEETUP Q3, 2015
Android Application Security Awareness Talk, OWASP MEETUP Q3, 2015Sina Manavi
 
OWASP Mobile Top 10
OWASP Mobile Top 10OWASP Mobile Top 10
OWASP Mobile Top 10NowSecure
 
OWASP Top 10 - The Ten Most Critical Web Application Security Risks
OWASP Top 10 - The Ten Most Critical Web Application Security RisksOWASP Top 10 - The Ten Most Critical Web Application Security Risks
OWASP Top 10 - The Ten Most Critical Web Application Security RisksAll Things Open
 
OWASP Top Ten in Practice
OWASP Top Ten in PracticeOWASP Top Ten in Practice
OWASP Top Ten in PracticeSecurity Innovation
 
OWASP Thailand-Beyond the Penetration Testing
OWASP Thailand-Beyond the Penetration TestingOWASP Thailand-Beyond the Penetration Testing
OWASP Thailand-Beyond the Penetration TestingPrathan Phongthiproek
 
Creating secure apps using the salesforce mobile sdk
Creating secure apps using the salesforce mobile sdkCreating secure apps using the salesforce mobile sdk
Creating secure apps using the salesforce mobile sdkMartin Vigo
 
Point-Of-Sale Hacking - 2600Thailand#20
Point-Of-Sale Hacking - 2600Thailand#20Point-Of-Sale Hacking - 2600Thailand#20
Point-Of-Sale Hacking - 2600Thailand#20Prathan Phongthiproek
 
Top 10 mobile security risks - Khổng Văn Cường
Top 10 mobile security risks - Khổng Văn CườngTop 10 mobile security risks - Khổng Văn Cường
Top 10 mobile security risks - Khổng Văn CườngVõ Thái Lâm
 
Mobile App Hacking In A Nutshell
Mobile App Hacking In A NutshellMobile App Hacking In A Nutshell
Mobile App Hacking In A NutshellPrathan Phongthiproek
 
OWASP Top 10 A4 – Insecure Direct Object Reference
OWASP Top 10 A4 – Insecure Direct Object ReferenceOWASP Top 10 A4 – Insecure Direct Object Reference
OWASP Top 10 A4 – Insecure Direct Object ReferenceNarudom Roongsiriwong, CISSP
 
OWASP Day - OWASP Day - Lets secure!
OWASP Day - OWASP Day - Lets secure! OWASP Day - OWASP Day - Lets secure!
OWASP Day - OWASP Day - Lets secure! Prathan Phongthiproek
 
OWASP Top 10 Proactive Control 2016 (C5-C10)
OWASP Top 10 Proactive Control 2016 (C5-C10)OWASP Top 10 Proactive Control 2016 (C5-C10)
OWASP Top 10 Proactive Control 2016 (C5-C10)Narudom Roongsiriwong, CISSP
 
Hacking Cracking 2008
Hacking Cracking 2008Hacking Cracking 2008
Hacking Cracking 2008Jim Geovedi
 
Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOWASP Delhi
 
Cyber Kill Chain: Web Application Exploitation
Cyber Kill Chain: Web Application ExploitationCyber Kill Chain: Web Application Exploitation
Cyber Kill Chain: Web Application ExploitationPrathan Phongthiproek
 
Cybersecurity - Mobile Application Security
Cybersecurity - Mobile Application SecurityCybersecurity - Mobile Application Security
Cybersecurity - Mobile Application SecurityEryk Budi Pratama
 
Сергей Харюк (Украина). Проверка безопасности приложений на платформе iOS
Сергей Харюк (Украина). Проверка безопасности приложений на платформе iOSСергей Харюк (Украина). Проверка безопасности приложений на платформе iOS
Сергей Харюк (Украина). Проверка безопасности приложений на платформе iOSKazHackStan
 
Mobile Malfeasance - Exploring Dangerous Mobile Vulnerabilities
Mobile Malfeasance - Exploring Dangerous Mobile VulnerabilitiesMobile Malfeasance - Exploring Dangerous Mobile Vulnerabilities
Mobile Malfeasance - Exploring Dangerous Mobile Vulnerabilitiesjasonhaddix
 

Weitere ähnliche Inhalte

Was ist angesagt?

Owasp Mobile Risk Series : M4 : Unintended Data Leakage
Owasp Mobile Risk Series : M4 : Unintended Data LeakageOwasp Mobile Risk Series : M4 : Unintended Data Leakage
Owasp Mobile Risk Series : M4 : Unintended Data LeakageAnant Shrivastava
 
Owasp Top 10 (M-10 : Lack of Binary Protection) | Null Meet
Owasp Top 10 (M-10 : Lack of Binary Protection) | Null MeetOwasp Top 10 (M-10 : Lack of Binary Protection) | Null Meet
Owasp Top 10 (M-10 : Lack of Binary Protection) | Null Meet5h1vang
 
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer ProtectionOwasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer ProtectionAnant Shrivastava
 
Android Application Security Awareness Talk, OWASP MEETUP Q3, 2015
Android Application Security Awareness Talk, OWASP MEETUP Q3, 2015Android Application Security Awareness Talk, OWASP MEETUP Q3, 2015
Android Application Security Awareness Talk, OWASP MEETUP Q3, 2015Sina Manavi
 
OWASP Mobile Top 10
OWASP Mobile Top 10OWASP Mobile Top 10
OWASP Mobile Top 10NowSecure
 
OWASP Top 10 - The Ten Most Critical Web Application Security Risks
OWASP Top 10 - The Ten Most Critical Web Application Security RisksOWASP Top 10 - The Ten Most Critical Web Application Security Risks
OWASP Top 10 - The Ten Most Critical Web Application Security RisksAll Things Open
 
OWASP Thailand-Beyond the Penetration Testing
OWASP Thailand-Beyond the Penetration TestingOWASP Thailand-Beyond the Penetration Testing
OWASP Thailand-Beyond the Penetration TestingPrathan Phongthiproek
 
Creating secure apps using the salesforce mobile sdk
Creating secure apps using the salesforce mobile sdkCreating secure apps using the salesforce mobile sdk
Creating secure apps using the salesforce mobile sdkMartin Vigo
 
Point-Of-Sale Hacking - 2600Thailand#20
Point-Of-Sale Hacking - 2600Thailand#20Point-Of-Sale Hacking - 2600Thailand#20
Point-Of-Sale Hacking - 2600Thailand#20Prathan Phongthiproek
 
Top 10 mobile security risks - Khổng Văn Cường
Top 10 mobile security risks - Khổng Văn CườngTop 10 mobile security risks - Khổng Văn Cường
Top 10 mobile security risks - Khổng Văn CườngVõ Thái Lâm
 
OWASP Top 10 A4 – Insecure Direct Object Reference
OWASP Top 10 A4 – Insecure Direct Object ReferenceOWASP Top 10 A4 – Insecure Direct Object Reference
OWASP Top 10 A4 – Insecure Direct Object ReferenceNarudom Roongsiriwong, CISSP
 
OWASP Day - OWASP Day - Lets secure!
OWASP Day - OWASP Day - Lets secure! OWASP Day - OWASP Day - Lets secure!
OWASP Day - OWASP Day - Lets secure! Prathan Phongthiproek
 
Hacking Cracking 2008
Hacking Cracking 2008Hacking Cracking 2008
Hacking Cracking 2008Jim Geovedi
 
Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOWASP Delhi
 
Cyber Kill Chain: Web Application Exploitation
Cyber Kill Chain: Web Application ExploitationCyber Kill Chain: Web Application Exploitation
Cyber Kill Chain: Web Application ExploitationPrathan Phongthiproek
 
Cybersecurity - Mobile Application Security
Cybersecurity - Mobile Application SecurityCybersecurity - Mobile Application Security
Cybersecurity - Mobile Application SecurityEryk Budi Pratama
 

Was ist angesagt? (20)

Owasp Mobile Risk Series : M4 : Unintended Data Leakage
Owasp Mobile Risk Series : M4 : Unintended Data LeakageOwasp Mobile Risk Series : M4 : Unintended Data Leakage
Owasp Mobile Risk Series : M4 : Unintended Data Leakage
 
Owasp Top 10 (M-10 : Lack of Binary Protection) | Null Meet
Owasp Top 10 (M-10 : Lack of Binary Protection) | Null MeetOwasp Top 10 (M-10 : Lack of Binary Protection) | Null Meet
Owasp Top 10 (M-10 : Lack of Binary Protection) | Null Meet
 
OWASP Mobile Top 10 Deep-Dive
OWASP Mobile Top 10 Deep-DiveOWASP Mobile Top 10 Deep-Dive
OWASP Mobile Top 10 Deep-Dive
 
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer ProtectionOwasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
 
Android Application Security Awareness Talk, OWASP MEETUP Q3, 2015
Android Application Security Awareness Talk, OWASP MEETUP Q3, 2015Android Application Security Awareness Talk, OWASP MEETUP Q3, 2015
Android Application Security Awareness Talk, OWASP MEETUP Q3, 2015
 
OWASP Mobile Top 10
OWASP Mobile Top 10OWASP Mobile Top 10
OWASP Mobile Top 10
 
OWASP Top 10 - The Ten Most Critical Web Application Security Risks
OWASP Top 10 - The Ten Most Critical Web Application Security RisksOWASP Top 10 - The Ten Most Critical Web Application Security Risks
OWASP Top 10 - The Ten Most Critical Web Application Security Risks
 
OWASP Top Ten in Practice
OWASP Top Ten in PracticeOWASP Top Ten in Practice
OWASP Top Ten in Practice
 
OWASP Thailand-Beyond the Penetration Testing
OWASP Thailand-Beyond the Penetration TestingOWASP Thailand-Beyond the Penetration Testing
OWASP Thailand-Beyond the Penetration Testing
 
Creating secure apps using the salesforce mobile sdk
Creating secure apps using the salesforce mobile sdkCreating secure apps using the salesforce mobile sdk
Creating secure apps using the salesforce mobile sdk
 
Point-Of-Sale Hacking - 2600Thailand#20
Point-Of-Sale Hacking - 2600Thailand#20Point-Of-Sale Hacking - 2600Thailand#20
Point-Of-Sale Hacking - 2600Thailand#20
 
Top 10 mobile security risks - Khổng Văn Cường
Top 10 mobile security risks - Khổng Văn CườngTop 10 mobile security risks - Khổng Văn Cường
Top 10 mobile security risks - Khổng Văn Cường
 
Mobile App Hacking In A Nutshell
Mobile App Hacking In A NutshellMobile App Hacking In A Nutshell
Mobile App Hacking In A Nutshell
 
OWASP Top 10 A4 – Insecure Direct Object Reference
OWASP Top 10 A4 – Insecure Direct Object ReferenceOWASP Top 10 A4 – Insecure Direct Object Reference
OWASP Top 10 A4 – Insecure Direct Object Reference
 
OWASP Day - OWASP Day - Lets secure!
OWASP Day - OWASP Day - Lets secure! OWASP Day - OWASP Day - Lets secure!
OWASP Day - OWASP Day - Lets secure!
 
OWASP Top 10 Proactive Control 2016 (C5-C10)
OWASP Top 10 Proactive Control 2016 (C5-C10)OWASP Top 10 Proactive Control 2016 (C5-C10)
OWASP Top 10 Proactive Control 2016 (C5-C10)
 
Hacking Cracking 2008
Hacking Cracking 2008Hacking Cracking 2008
Hacking Cracking 2008
 
Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilities
 
Cyber Kill Chain: Web Application Exploitation
Cyber Kill Chain: Web Application ExploitationCyber Kill Chain: Web Application Exploitation
Cyber Kill Chain: Web Application Exploitation
 
Cybersecurity - Mobile Application Security
Cybersecurity - Mobile Application SecurityCybersecurity - Mobile Application Security
Cybersecurity - Mobile Application Security
 

Ähnlich wie Owasp Mobile Top 10 – 2014

Сергей Харюк (Украина). Проверка безопасности приложений на платформе iOS
Сергей Харюк (Украина). Проверка безопасности приложений на платформе iOSСергей Харюк (Украина). Проверка безопасности приложений на платформе iOS
Сергей Харюк (Украина). Проверка безопасности приложений на платформе iOSKazHackStan
 
Mobile Malfeasance - Exploring Dangerous Mobile Vulnerabilities
Mobile Malfeasance - Exploring Dangerous Mobile VulnerabilitiesMobile Malfeasance - Exploring Dangerous Mobile Vulnerabilities
Mobile Malfeasance - Exploring Dangerous Mobile Vulnerabilitiesjasonhaddix
 
Top 10 mobile security risks - Khổng Văn Cường
Top 10 mobile security risks - Khổng Văn CườngTop 10 mobile security risks - Khổng Văn Cường
Top 10 mobile security risks - Khổng Văn CườngSecurity Bootcamp
 
85% of App Store Apps Fail OWASP Mobile Top 10: Are you exposed?
85% of App Store Apps Fail OWASP Mobile Top 10: Are you exposed?85% of App Store Apps Fail OWASP Mobile Top 10: Are you exposed?
85% of App Store Apps Fail OWASP Mobile Top 10: Are you exposed?NowSecure
 
Mobile security chess board - attacks & defense
Mobile security chess board - attacks & defenseMobile security chess board - attacks & defense
Mobile security chess board - attacks & defenseBlueinfy Solutions
 
Securing your telco cloud
Securing your telco cloud Securing your telco cloud
Securing your telco cloud OPNFV
 
[Wroclaw #2] iOS Security - 101
[Wroclaw #2] iOS Security - 101[Wroclaw #2] iOS Security - 101
[Wroclaw #2] iOS Security - 101OWASP
 
Android Application Security
Android Application SecurityAndroid Application Security
Android Application SecurityChong-Kuan Chen
 
Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2drewz lin
 
Session810 ken huang
Session810 ken huangSession810 ken huang
Session810 ken huangKen Huang
 
Salesforce shield by manish
Salesforce shield by manishSalesforce shield by manish
Salesforce shield by manishManish Thaduri
 
Mobile Security - Dutch Mobile .Net Developers
Mobile Security - Dutch Mobile .Net DevelopersMobile Security - Dutch Mobile .Net Developers
Mobile Security - Dutch Mobile .Net DevelopersAlberto Aguzzi
 
SAP (In)Security: New and Best
SAP (In)Security: New and BestSAP (In)Security: New and Best
SAP (In)Security: New and BestPositive Hack Days
 
1. Mobile Application (In)security
1. Mobile Application (In)security1. Mobile Application (In)security
1. Mobile Application (In)securitySam Bowne
 
Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Blueinfy Solutions
 
iOS application (in)security
iOS application (in)securityiOS application (in)security
iOS application (in)securityiphonepentest
 
ELITE.BCS-Cloud-and-Mobile-Risk-Assessments
ELITE.BCS-Cloud-and-Mobile-Risk-AssessmentsELITE.BCS-Cloud-and-Mobile-Risk-Assessments
ELITE.BCS-Cloud-and-Mobile-Risk-AssessmentsJames '​-- Mckinlay
 

Ähnlich wie Owasp Mobile Top 10 – 2014 (20)

Сергей Харюк (Украина). Проверка безопасности приложений на платформе iOS
Сергей Харюк (Украина). Проверка безопасности приложений на платформе iOSСергей Харюк (Украина). Проверка безопасности приложений на платформе iOS
Сергей Харюк (Украина). Проверка безопасности приложений на платформе iOS
 
Mobile Malfeasance - Exploring Dangerous Mobile Vulnerabilities
Mobile Malfeasance - Exploring Dangerous Mobile VulnerabilitiesMobile Malfeasance - Exploring Dangerous Mobile Vulnerabilities
Mobile Malfeasance - Exploring Dangerous Mobile Vulnerabilities
 
Top 10 mobile security risks - Khổng Văn Cường
Top 10 mobile security risks - Khổng Văn CườngTop 10 mobile security risks - Khổng Văn Cường
Top 10 mobile security risks - Khổng Văn Cường
 
85% of App Store Apps Fail OWASP Mobile Top 10: Are you exposed?
85% of App Store Apps Fail OWASP Mobile Top 10: Are you exposed?85% of App Store Apps Fail OWASP Mobile Top 10: Are you exposed?
85% of App Store Apps Fail OWASP Mobile Top 10: Are you exposed?
 
Webdays blida mobile top 10 risks
Webdays blida mobile top 10 risksWebdays blida mobile top 10 risks
Webdays blida mobile top 10 risks
 
Mobile security chess board - attacks & defense
Mobile security chess board - attacks & defenseMobile security chess board - attacks & defense
Mobile security chess board - attacks & defense
 
Securing your telco cloud
Securing your telco cloud Securing your telco cloud
Securing your telco cloud
 
WebApp_to_Container_Security.pdf
WebApp_to_Container_Security.pdfWebApp_to_Container_Security.pdf
WebApp_to_Container_Security.pdf
 
[Wroclaw #2] iOS Security - 101
[Wroclaw #2] iOS Security - 101[Wroclaw #2] iOS Security - 101
[Wroclaw #2] iOS Security - 101
 
Android Application Security
Android Application SecurityAndroid Application Security
Android Application Security
 
Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2
 
Session810 ken huang
Session810 ken huangSession810 ken huang
Session810 ken huang
 
Jump-Start The MASVS
Jump-Start The MASVSJump-Start The MASVS
Jump-Start The MASVS
 
Salesforce shield by manish
Salesforce shield by manishSalesforce shield by manish
Salesforce shield by manish
 
Mobile Security - Dutch Mobile .Net Developers
Mobile Security - Dutch Mobile .Net DevelopersMobile Security - Dutch Mobile .Net Developers
Mobile Security - Dutch Mobile .Net Developers
 
SAP (In)Security: New and Best
SAP (In)Security: New and BestSAP (In)Security: New and Best
SAP (In)Security: New and Best
 
1. Mobile Application (In)security
1. Mobile Application (In)security1. Mobile Application (In)security
1. Mobile Application (In)security
 
Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013
 
iOS application (in)security
iOS application (in)securityiOS application (in)security
iOS application (in)security
 
ELITE.BCS-Cloud-and-Mobile-Risk-Assessments
ELITE.BCS-Cloud-and-Mobile-Risk-AssessmentsELITE.BCS-Cloud-and-Mobile-Risk-Assessments
ELITE.BCS-Cloud-and-Mobile-Risk-Assessments
 

Mehr von n|u - The Open Security Community

Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...n|u - The Open Security Community
 

Mehr von n|u - The Open Security Community (20)

Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)
 
Osint primer
Osint primerOsint primer
Osint primer
 
SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationship
 
Nmap basics
Nmap basicsNmap basics
Nmap basics
 
Metasploit primary
Metasploit primaryMetasploit primary
Metasploit primary
 
Api security-testing
Api security-testingApi security-testing
Api security-testing
 
Introduction to TLS 1.3
Introduction to TLS 1.3Introduction to TLS 1.3
Introduction to TLS 1.3
 
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
 
Talking About SSRF,CRLF
Talking About SSRF,CRLFTalking About SSRF,CRLF
Talking About SSRF,CRLF
 
Building active directory lab for red teaming
Building active directory lab for red teamingBuilding active directory lab for red teaming
Building active directory lab for red teaming
 
Owning a company through their logs
Owning a company through their logsOwning a company through their logs
Owning a company through their logs
 
Introduction to shodan
Introduction to shodanIntroduction to shodan
Introduction to shodan
 
Cloud security
Cloud security Cloud security
Cloud security
 
Detecting persistence in windows
Detecting persistence in windowsDetecting persistence in windows
Detecting persistence in windows
 
Frida - Objection Tool Usage
Frida - Objection Tool UsageFrida - Objection Tool Usage
Frida - Objection Tool Usage
 
OSQuery - Monitoring System Process
OSQuery - Monitoring System ProcessOSQuery - Monitoring System Process
OSQuery - Monitoring System Process
 
DevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -SecurityDevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -Security
 
Extensible markup language attacks
Extensible markup language attacksExtensible markup language attacks
Extensible markup language attacks
 
Linux for hackers
Linux for hackersLinux for hackers
Linux for hackers
 
Android Pentesting
Android PentestingAndroid Pentesting
Android Pentesting
 

Kürzlich hochgeladen

Expanded definition: technical and operational
Expanded definition: technical and operationalExpanded definition: technical and operational
Expanded definition: technical and operationalssuser3e220a
 
DIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptx
DIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptxDIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptx
DIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptxMichelleTuguinay1
 
BIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptx
BIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptxBIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptx
BIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptxSayali Powar
 
How to Manage Buy 3 Get 1 Free in Odoo 17
How to Manage Buy 3 Get 1 Free in Odoo 17How to Manage Buy 3 Get 1 Free in Odoo 17
How to Manage Buy 3 Get 1 Free in Odoo 17Celine George
 
ClimART Action | eTwinning Project
ClimART Action | eTwinning ProjectClimART Action | eTwinning Project
ClimART Action | eTwinning Projectjordimapav
 
Q-Factor General Quiz-7th April 2024, Quiz Club NITW
Q-Factor General Quiz-7th April 2024, Quiz Club NITWQ-Factor General Quiz-7th April 2024, Quiz Club NITW
Q-Factor General Quiz-7th April 2024, Quiz Club NITWQuiz Club NITW
 
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdfGrade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdfJemuel Francisco
 
4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptx4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptxmary850239
 
ICS2208 Lecture6 Notes for SL spaces.pdf
ICS2208 Lecture6 Notes for SL spaces.pdfICS2208 Lecture6 Notes for SL spaces.pdf
ICS2208 Lecture6 Notes for SL spaces.pdfVanessa Camilleri
 
Indexing Structures in Database Management system.pdf
Indexing Structures in Database Management system.pdfIndexing Structures in Database Management system.pdf
Indexing Structures in Database Management system.pdfChristalin Nelson
 
Mythology Quiz-4th April 2024, Quiz Club NITW
Mythology Quiz-4th April 2024, Quiz Club NITWMythology Quiz-4th April 2024, Quiz Club NITW
Mythology Quiz-4th April 2024, Quiz Club NITWQuiz Club NITW
 
4.11.24 Mass Incarceration and the New Jim Crow.pptx
4.11.24 Mass Incarceration and the New Jim Crow.pptx4.11.24 Mass Incarceration and the New Jim Crow.pptx
4.11.24 Mass Incarceration and the New Jim Crow.pptxmary850239
 
Scientific Writing :Research Discourse
Scientific Writing :Research DiscourseScientific Writing :Research Discourse
Scientific Writing :Research DiscourseAnita GoswamiGiri
 
Active Learning Strategies (in short ALS).pdf
Active Learning Strategies (in short ALS).pdfActive Learning Strategies (in short ALS).pdf
Active Learning Strategies (in short ALS).pdfPatidar M
 
How to Fix XML SyntaxError in Odoo the 17
How to Fix XML SyntaxError in Odoo the 17How to Fix XML SyntaxError in Odoo the 17
How to Fix XML SyntaxError in Odoo the 17Celine George
 
ESP 4-EDITED.pdfmmcncncncmcmmnmnmncnmncmnnjvnnv
ESP 4-EDITED.pdfmmcncncncmcmmnmnmncnmncmnnjvnnvESP 4-EDITED.pdfmmcncncncmcmmnmnmncnmncmnnjvnnv
ESP 4-EDITED.pdfmmcncncncmcmmnmnmncnmncmnnjvnnvRicaMaeCastro1
 
4.9.24 School Desegregation in Boston.pptx
4.9.24 School Desegregation in Boston.pptx4.9.24 School Desegregation in Boston.pptx
4.9.24 School Desegregation in Boston.pptxmary850239
 
4.16.24 Poverty and Precarity--Desmond.pptx
4.16.24 Poverty and Precarity--Desmond.pptx4.16.24 Poverty and Precarity--Desmond.pptx
4.16.24 Poverty and Precarity--Desmond.pptxmary850239
 

Kürzlich hochgeladen (20)

Expanded definition: technical and operational
Expanded definition: technical and operationalExpanded definition: technical and operational
Expanded definition: technical and operational
 
DIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptx
DIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptxDIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptx
DIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptx
 
BIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptx
BIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptxBIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptx
BIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptx
 
How to Manage Buy 3 Get 1 Free in Odoo 17
How to Manage Buy 3 Get 1 Free in Odoo 17How to Manage Buy 3 Get 1 Free in Odoo 17
How to Manage Buy 3 Get 1 Free in Odoo 17
 
INCLUSIVE EDUCATION PRACTICES FOR TEACHERS AND TRAINERS.pptx
INCLUSIVE EDUCATION PRACTICES FOR TEACHERS AND TRAINERS.pptxINCLUSIVE EDUCATION PRACTICES FOR TEACHERS AND TRAINERS.pptx
INCLUSIVE EDUCATION PRACTICES FOR TEACHERS AND TRAINERS.pptx
 
ClimART Action | eTwinning Project
ClimART Action | eTwinning ProjectClimART Action | eTwinning Project
ClimART Action | eTwinning Project
 
Q-Factor General Quiz-7th April 2024, Quiz Club NITW
Q-Factor General Quiz-7th April 2024, Quiz Club NITWQ-Factor General Quiz-7th April 2024, Quiz Club NITW
Q-Factor General Quiz-7th April 2024, Quiz Club NITW
 
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdfGrade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
 
4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptx4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptx
 
ICS2208 Lecture6 Notes for SL spaces.pdf
ICS2208 Lecture6 Notes for SL spaces.pdfICS2208 Lecture6 Notes for SL spaces.pdf
ICS2208 Lecture6 Notes for SL spaces.pdf
 
Indexing Structures in Database Management system.pdf
Indexing Structures in Database Management system.pdfIndexing Structures in Database Management system.pdf
Indexing Structures in Database Management system.pdf
 
Mythology Quiz-4th April 2024, Quiz Club NITW
Mythology Quiz-4th April 2024, Quiz Club NITWMythology Quiz-4th April 2024, Quiz Club NITW
Mythology Quiz-4th April 2024, Quiz Club NITW
 
4.11.24 Mass Incarceration and the New Jim Crow.pptx
4.11.24 Mass Incarceration and the New Jim Crow.pptx4.11.24 Mass Incarceration and the New Jim Crow.pptx
4.11.24 Mass Incarceration and the New Jim Crow.pptx
 
Scientific Writing :Research Discourse
Scientific Writing :Research DiscourseScientific Writing :Research Discourse
Scientific Writing :Research Discourse
 
Mattingly "AI & Prompt Design: Large Language Models"
Mattingly "AI & Prompt Design: Large Language Models"Mattingly "AI & Prompt Design: Large Language Models"
Mattingly "AI & Prompt Design: Large Language Models"
 
Active Learning Strategies (in short ALS).pdf
Active Learning Strategies (in short ALS).pdfActive Learning Strategies (in short ALS).pdf
Active Learning Strategies (in short ALS).pdf
 
How to Fix XML SyntaxError in Odoo the 17
How to Fix XML SyntaxError in Odoo the 17How to Fix XML SyntaxError in Odoo the 17
How to Fix XML SyntaxError in Odoo the 17
 
ESP 4-EDITED.pdfmmcncncncmcmmnmnmncnmncmnnjvnnv
ESP 4-EDITED.pdfmmcncncncmcmmnmnmncnmncmnnjvnnvESP 4-EDITED.pdfmmcncncncmcmmnmnmncnmncmnnjvnnv
ESP 4-EDITED.pdfmmcncncncmcmmnmnmncnmncmnnjvnnv
 
4.9.24 School Desegregation in Boston.pptx
4.9.24 School Desegregation in Boston.pptx4.9.24 School Desegregation in Boston.pptx
4.9.24 School Desegregation in Boston.pptx
 
4.16.24 Poverty and Precarity--Desmond.pptx
4.16.24 Poverty and Precarity--Desmond.pptx4.16.24 Poverty and Precarity--Desmond.pptx
4.16.24 Poverty and Precarity--Desmond.pptx
 

Owasp Mobile Top 10 – 2014

  • 1. N U L L B A N G A L O R E – M A Y 2 0 1 4 M E E T OWASP MOBILE TOP 10 – 2014 INTRODUCTION
  • 2. OWASP MOBILE TOP-10 • Security project maintained by OWASP. • Intended audience – • developers, • security professionals, • Mobile users  • Home Page – OWASP Mobile security Project • Under development • Currently mainly focuses on iOS and Android mobile platforms.
  • 3. 2012 2014 M1: Insecure Data Storage M1: Weak Server Side Controls M2: Weak Server Side Controls M2: Insecure Data Storage M3: Insufficient Transport Layer Protection M3: Insufficient Transport Layer Protection M4: Client Side Injection M4: Unintended Data Leakage M5: Poor Authorization and Authentication M5: Poor Authorization and Authentication M6: Improper Session Handling M6: Broken Cryptography M7: Security Decisions Via Untrusted Inputs M7: Client Side Injection M8: Side Channel Data Leakage M8: Security Decisions Via Untrusted Inputs M9: Broken Cryptography M9: Improper Session Handling M10: Sensitive Information Disclosure M10: Lack of Binary Protections
  • 4. M1 – WEAK SERVER SIDE CONTROLS • Attack vectors generally leading to traditional OWASP Top-10. • SQL Injection, CSRF, etc. • Insecure coding practices.
  • 5. M2 – INSECURE DATA STORAGE • Cardinal rule of Mobile Apps – • Not to store Data • Local files on Device. • SQLite Db files • Plist files – iOS • XML files • Log files • Manifest files, etc.
  • 6. M3 – INSUFFICIENT TRANSPORT LAYER PROTECTION • Clear text transport Protocols • Certificate verification • Weak cipher suites • Sensitive data sent over SMS / push Notifications
  • 7. M4 – UNINTENDED DATA LEAKAGE • Platform cache storage • Clipboard data • Debug Logs • Screenshots, etc.
  • 8. M5 – POOR AUTHORIZATION AND AUTHENTICATION • Usability leading to short and poor A&A schemas • Spoofable values used for authentication • Geo-locations • Device Identifiers • A&A for Offline services
  • 9. M6 – BROKEN CRYPTOGRAPHY • Less processing speed on devices • Usage of weak cryptographic algorithms to avoid system delays • RC4 • Base64 • MD5 • Custom cryptographic protocols • Improper Key Management • Hardcoding • Insecure Key transport
  • 10. M7 – CLIENT SIDE INJECTION • SQLite Injection • Intent sniffing in Android • JavaScript Injection • Local File Inclusions • NSFileManager – iOS • Webviews - Android
  • 11. M8 – SECURITY DECISIONS VIA UNTRUSTED INPUTS • Inter Process Communication • Data on clipboards /pasteboards • Platform specific Permission Model • Manifest files – Android • Entitlements – iOS
  • 12. M9 – IMPROPER SESSION HANDLING • Application Backgrounding • Inadequate session Timeouts • Cookie based session management
  • 13. M10 – LACK OF BINARY PROTECTIONS • Code decrypt of iOS apps • Disassembly of Android apk • Jailbreak detection / Root-Detection Controls • Debug detection controls
  • 14. VULNERABLE APPS FOR PRACTICE • DVIA – Damn Vulnerable iOS App • Goat Droid • iGoat
  • 15. NEXT TIME • M10 – Lack of Binary Protections • Jailbroken / Rooted device detection