OWASP Mobile Top 10
OWASP Mobile Top 10 Risks presentation at OWASP Korea, July 13, 2013, is licensed under a Creative Commons Attribution 3.0 Unported License.
Beau Woods, http://beauwoods.com, @beauwoods
To get involved, get in touch with the project leader: https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
Transcript
OWASP Mobile Top 10 Risks
M1 Insecure Data Storage
M2 Weak Server Side Controls
M3 Insufficient Transport Layer Protection
M4 Client Side Injection
M5 Poor Authorization and Authentication
M6 Improper Session Handling
M7 Security Decisions via Untrusted Inputs
M8 Side Channel Data Leakage
M9 Broken Cryptography
M10 Sensitive Information Disclosure
Mobile Security Project
Alpha documentation:
- Top 10 Risks
- Top 10 Controls
- Threat Model
- Testing Guide
- Tools
- Secure Development
M1 Insecure Data Storage
Sensitive data:
- Authentication data
- Regulated information
- Business-specific information
- Private information
Examples
Recommendations
- Business must define, classify, assign owner & set requirements
- Acquire, transmit, use and store as little sensitive data as possible
- Inform and confirm data definition, collection, use & handling
Protections
1. Reduce use and storage
2. Encrypt or hash
3. Platform-specific secure storage with restricted permissions
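The three M1 protections applied to a locally stored passcode and profile, as an added example that is not part of the slides. It uses only the Python standard library, so the "platform-specific secure storage" of protection 3 is stood in for by an owner-only (0o600) file; on a real device the equivalent is the app-private, keystore-backed area. The field list in NEEDED_OFFLINE and the iteration count are assumptions.

```python
# Added example (not from the OWASP slides): M1 protections 1-3 on a
# locally stored passcode and user profile, standard library only.
import hashlib
import hmac
import json
import os
import secrets
import tempfile
from typing import Optional

PBKDF2_ITERATIONS = 100_000   # assumption: tune to the device's CPU budget


def make_passcode_record(passcode: str) -> dict:
    """Protection 2 (hash): store a salted one-way hash, never the passcode."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, PBKDF2_ITERATIONS)
    return {"kdf": "pbkdf2-sha256", "iterations": PBKDF2_ITERATIONS,
            "salt": salt.hex(), "hash": digest.hex()}


def verify_passcode(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


NEEDED_OFFLINE = {"user_id", "display_name"}   # assumption: what the UI needs without network


def minimise(profile: dict) -> dict:
    """Protection 1 (reduce): drop every field the app does not need locally."""
    return {k: v for k, v in profile.items() if k in NEEDED_OFFLINE}


def save_restricted(data: dict, path: Optional[str] = None) -> int:
    """Protection 3 (restricted permissions): owner read/write only.
    Returns the permission bits actually set so the caller can check them."""
    if path is None:
        path = os.path.join(tempfile.mkdtemp(), "profile.json")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(data, fh)
    os.chmod(path, 0o600)   # the O_CREAT mode is masked by umask; make it explicit
    return os.stat(path).st_mode & 0o777
```

The record written to disk contains a salt and a hash but never the passcode itself, so a copy of the file (backup, rooted device, forensic image) does not give the passcode away; what it still allows is offline guessing, which is why the iteration count matters and why a short numeric PIN should additionally be rate-limited by the platform rather than protected by hashing alone.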
M2 Weak Server Side Controls
OWASP Top 10 Web Application Risks 2013
A1 Injection
A2 Broken Authentication and Session Management
A3 Cross-Site Scripting (XSS)
A4 Insecure Direct Object References
A5 Security Misconfiguration
A6 Sensitive Data Exposure
A7 Missing Function Level Access Control
A8 Cross-Site Request Forgery (CSRF)
A9 Using Components with Known Vulnerabilities
A10 Unvalidated Redirects and Forwards
Mobile app servers:
- RESTful API
- SOAP web service
- Web XML
Recommendations
- Always validate input
- Don’t trust the client
- Harden mobile app servers & services
- Beware information disclosure
- Understand host & network controls
- Perform integrity checking regularly
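"Always validate input" and "don't trust the client" on the server side of a mobile REST API, as an added example that is not from the slides. The request shape (a profile update), the field names and the allowed locales are assumptions; the point is that the handler takes the caller's identity from its own session, rejects every field outside the declared schema (so a client cannot smuggle in a role or another user's id) and validates what remains by type and range rather than trying to sanitise it.

```python
# Added example (not from the OWASP slides): server-side validation of a
# constructed mobile-app request. Field names and rules are assumptions.
import re
from dataclasses import dataclass

USERNAME_RE = re.compile(r"^[a-z0-9_]{3,32}$")
ALLOWED_FIELDS = {"username", "display_name", "locale"}
ALLOWED_LOCALES = {"en-US", "ko-KR", "ja-JP"}


class ValidationError(ValueError):
    pass


@dataclass
class Session:
    user_id: int
    role: str   # "user" or "admin", established server-side at login


def validate_profile_update(body) -> dict:
    """Reject anything outside the declared schema instead of sanitising it."""
    if not isinstance(body, dict):
        raise ValidationError("body must be a JSON object")
    unknown = set(body) - ALLOWED_FIELDS
    if unknown:
        # Mass-assignment guard: user_id, role, balance and friends are not
        # part of the contract, so their presence is an error, not noise.
        raise ValidationError(f"unexpected fields: {sorted(unknown)}")
    out = {}
    if "username" in body:
        if not isinstance(body["username"], str) or not USERNAME_RE.match(body["username"]):
            raise ValidationError("invalid username")
        out["username"] = body["username"]
    if "display_name" in body:
        name = body["display_name"]
        if not isinstance(name, str) or not 1 <= len(name) <= 64 or any(ord(c) < 32 for c in name):
            raise ValidationError("invalid display_name")
        out["display_name"] = name
    if "locale" in body:
        if body["locale"] not in ALLOWED_LOCALES:
            raise ValidationError("unsupported locale")
        out["locale"] = body["locale"]
    return out


def handle_profile_update(session: Session, path_user_id: int, body) -> dict:
    """The identity comes from the server-side session, never from the request."""
    if session.user_id != path_user_id and session.role != "admin":
        raise PermissionError("cannot modify another user's profile")
    return {"user_id": path_user_id, "changes": validate_profile_update(body)}


def is_rejected(session: Session, path_user_id: int, body) -> bool:
    """True when the server refuses the request; convenient for tests."""
    try:
        handle_profile_update(session, path_user_id, body)
    except (ValidationError, PermissionError):
        return True
    return False
```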
M3 Insufficient Transport Layer Protection
Examples
Impact
- Expose authentication data
- Disclosure of other sensitive information
- Injection
- Data tampering
Recommendations
- Use platform-provided cryptographic libraries
- Force strong methods & valid certificates
- Test for certificate errors & warnings
- Use pre-defined certificates, as appropriate
- Encrypt sensitive information before sending
- All transport, including RFID, NFC, Bluetooth, Wifi, Carrier
- Avoid HTTP GET method
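The "force strong methods & valid certificates" and "use pre-defined certificates" recommendations expressed with Python's platform-backed ssl module, as an added example that is not from the slides. The weak configuration is shown beside the strict one because it is the shape of the mistake the slide warns about (disabling verification to make a certificate error go away). The pin check hashes the whole DER certificate; the certificate bytes used in the test are constructed, not a real certificate.

```python
# Added example (not from the OWASP slides): strict vs weak TLS client
# configuration plus a simple certificate pin check.
import base64
import hashlib
import ssl


def weak_tls_context() -> ssl.SSLContext:
    """The anti-pattern: accepts any certificate for any hostname."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def strict_tls_context() -> ssl.SSLContext:
    """Force strong methods & valid certificates."""
    ctx = ssl.create_default_context()             # platform trust store
    ctx.check_hostname = True                      # name must match the cert
    ctx.verify_mode = ssl.CERT_REQUIRED            # chain must validate
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # no SSLv3 / TLS 1.0 / 1.1
    return ctx


def cert_pin(der_cert: bytes) -> str:
    """Pin value: base64(SHA-256(DER certificate))."""
    return base64.b64encode(hashlib.sha256(der_cert).digest()).decode()


def pin_matches(der_cert: bytes, expected_pins: set) -> bool:
    """Accept the peer only if its certificate is one the app shipped a pin
    for. Shipping a backup pin lets the app survive certificate rotation."""
    return cert_pin(der_cert) in expected_pins


def is_strict(ctx: ssl.SSLContext) -> bool:
    """Check used in tests: does a context enforce the M3 recommendations?"""
    return bool(ctx.check_hostname
                and ctx.verify_mode == ssl.CERT_REQUIRED
                and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)
```

In use, the strict context wraps the socket with `ctx.wrap_socket(sock, server_hostname=host)`, and after the handshake `ssock.getpeercert(binary_form=True)` returns the DER bytes that `pin_matches` expects; a pin mismatch should close the connection and be logged as a certificate error, not silently retried without verification.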
M4 Client Side Injection
Impact
- App or device compromise
- Abuse resources or services (SMS, phone, payments, online banking)
- Extract or inject data
- Man-in-the-Browser (MITB)
Recommendations
- Always validate input
- Don’t trust the server
- Harden mobile app clients
- Beware information disclosure
- Perform integrity checking regularly
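The "extract or inject data" impact on the app's own local database, as an added example that is not from the slides: a query built by string concatenation beside its parameterised form, run against an in-memory SQLite table. The table, its rows and the untrusted value are constructed; "untrusted" here covers anything the app did not produce itself, which per the slide's "don't trust the server" includes data the server pushes down.

```python
# Added example (not from the OWASP slides): client-side SQL injection in
# a local SQLite store, vulnerable query beside the parameterised one.
import sqlite3


def open_store() -> sqlite3.Connection:
    """Constructed sample data: two users' private notes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (owner TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO notes VALUES (?, ?)",
        [("alice", "alice's private note"), ("bob", "bob's private note")],
    )
    return conn


def notes_for_vulnerable(conn: sqlite3.Connection, owner: str) -> list:
    """Concatenation: the owner value becomes part of the SQL grammar, so a
    crafted value changes which rows the WHERE clause selects."""
    sql = "SELECT body FROM notes WHERE owner = '" + owner + "'"
    return [row[0] for row in conn.execute(sql)]


def notes_for_safe(conn: sqlite3.Connection, owner: str) -> list:
    """Bound parameter: the owner value is data, whatever characters it holds."""
    return [row[0] for row in conn.execute("SELECT body FROM notes WHERE owner = ?", (owner,))]


def looks_like_owner(owner: str) -> bool:
    """Validation as a second layer: owners are short ASCII handles, nothing else."""
    return owner.isascii() and owner.isalnum() and 1 <= len(owner) <= 32


# Constructed: a value that is not a valid owner name at all.
UNTRUSTED = "x' OR '1'='1"
```

The parameterised query is the fix; `looks_like_owner` is the "always validate input" layer on top of it, which also catches values that are syntactically harmless but semantically wrong (a 4 KB "owner", for instance) before they reach any query.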
M5 Poor Authorization and Authentication
Most common methods
- Account name & password
- OAuth
- HTTP cookies
- Stored passwords
- Unique tokens
Recommendations
- Use appropriate methods for the risk
- Unique identifiers as additional (not only) factors
- Differentiate client-side passcode vs. server authentication
- Ensure out-of-band methods are truly OOB (this is hard)
- Hardware-independent identifiers (i.e. not IMSI, serial, etc.)
- Multi-factor authentication, depending on risk
- Define & enforce password length, strength & uniqueness
M6 Improper Session Handling
Recommendations
- Allow revocation of device/password
- Use strong tokens and generation methods
- Consider appropriate session length (longer than web)
- Reauthenticate periodically or after focus change
- Store and transmit session tokens securely
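A server-side session store that follows the M5 and M6 recommendations above, as an added example that is not from the slides: a hardware-independent device identifier (a random UUID generated at install, not IMSI or serial), tokens from the OS CSPRNG, a long mobile session lifetime with periodic re-authentication and a forced re-prompt on focus change, and per-device revocation. The durations, class names and the injectable clock are assumptions for illustration; the store keeps only an HMAC of each token so that a leaked session table cannot be replayed.

```python
# Added example (not from the OWASP slides): session handling per M5/M6.
import hashlib
import hmac
import secrets
import time
import uuid
from dataclasses import dataclass
from typing import Dict, Optional

SESSION_TTL = 30 * 24 * 3600   # assumption: 30 days, longer than a web session
REAUTH_AFTER = 15 * 60         # assumption: re-prompt after 15 minutes of use


def new_device_id() -> str:
    """Hardware-independent identifier: random, generated once at install and
    kept by the app. It identifies this install, not the hardware or the person."""
    return str(uuid.uuid4())


@dataclass
class SessionRecord:
    user_id: int
    device_id: str
    created: float
    last_auth: float
    revoked: bool = False


class SessionStore:
    def __init__(self, server_key: bytes, clock=time.time):
        self._key = server_key
        self._clock = clock           # injectable for tests
        self._by_hash: Dict[str, SessionRecord] = {}

    def _hash(self, token: str) -> str:
        # Only an HMAC of the token is stored; the table alone cannot be replayed.
        return hmac.new(self._key, token.encode(), hashlib.sha256).hexdigest()

    def create(self, user_id: int, device_id: str) -> str:
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        now = self._clock()
        self._by_hash[self._hash(token)] = SessionRecord(user_id, device_id, now, now)
        return token

    def lookup(self, token: str) -> Optional[SessionRecord]:
        rec = self._by_hash.get(self._hash(token))
        if rec is None or rec.revoked or self._clock() - rec.created > SESSION_TTL:
            return None
        return rec

    def needs_reauth(self, token: str, focus_changed: bool = False) -> bool:
        """Periodic re-authentication, and always after a focus change."""
        rec = self.lookup(token)
        if rec is None:
            return True
        return focus_changed or self._clock() - rec.last_auth > REAUTH_AFTER

    def mark_reauthenticated(self, token: str) -> None:
        rec = self.lookup(token)
        if rec is not None:
            rec.last_auth = self._clock()

    def revoke_device(self, user_id: int, device_id: str) -> int:
        """Lost or sold device: every session it holds stops working."""
        n = 0
        for rec in self._by_hash.values():
            if rec.user_id == user_id and rec.device_id == device_id and not rec.revoked:
                rec.revoked = True
                n += 1
        return n
```

Note the two different lifetimes: the session itself can be long (the slide's "longer than web"), but the app still asks the user to re-authenticate periodically and whenever it regains focus, and a revoked device fails immediately rather than at the next expiry.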
M9 Broken Cryptography
- …is not encoding
- …is not obfuscation
- …is not serialization
- …is best left to the experts
Recommendations
- Use only well-vetted cryptographic libraries
- Understand one-way vs. two-way encryption
- Use only well-vetted cryptographic libraries (not a typo)
- Use only platform-provided cryptographic storage
- Use only well-vetted cryptographic libraries (still not a typo)
- Protect cryptographic keys fanatically
- Use only well-vetted cryptographic libraries (seriously - always do this)
“The only way to tell good cryptography from bad cryptography is to have it examined by experts.”
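Why "is not encoding" and "is not obfuscation" belong on the M9 slide, as an added example that is not from the slides. Two home-grown "protections" that turn up in mobile apps are undone here with no key at all (Base64) or with a single known plaintext (repeating-key XOR), while a one-way construction from a vetted library (HMAC-SHA256 from hashlib/hmac) can only be verified, never reversed. All keys and secrets are constructed; two-way, recoverable encryption is deliberately not implemented here because the standard library has no vetted AEAD and the slide's advice is to take it from the platform.

```python
# Added example (not from the OWASP slides): encoding and obfuscation are
# not encryption; one-way vs. two-way constructions.
import base64
import hashlib
import hmac


def encode_not_encrypt(secret: bytes) -> bytes:
    """Base64 is a transport encoding; there is no key, so it hides nothing."""
    return base64.b64encode(secret)


def recover_without_key(blob: bytes) -> bytes:
    """Anyone holding the app binary or the file can do this."""
    return base64.b64decode(blob)


def xor_obfuscate(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, a common 'lightweight encryption' mistake."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_xor_key(ciphertext: bytes, known_plaintext: bytes, key_len: int) -> bytes:
    """One known plaintext of key_len bytes (a file magic, a JSON prefix such as
    b'{"user":') yields the whole key, and with it every other record."""
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_plaintext[:key_len]))


def one_way_tag(data: bytes, key: bytes) -> str:
    """One-way: an HMAC lets you verify data later but not recover it. When the
    data must come back (two-way), use a vetted AEAD such as AES-GCM from the
    platform's crypto library and keep its key in platform secure storage."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_tag(data: bytes, key: bytes, tag: str) -> bool:
    return hmac.compare_digest(one_way_tag(data, key), tag)
```

The practical test for "is this encryption?" is the one the functions above make concrete: if the stored form can be turned back into the secret without a key that is kept somewhere the attacker cannot read, it is encoding or obfuscation, whatever the function is named.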
M10 Sensitive Information Disclosure
Sensitive application data:
- API or encryption keys
- Passwords
- Sensitive business logic
- Internal company information
- Debugging or maintenance information
Recommendations
- Store sensitive application data server-side
- Avoid hardcoding information in the application
- Use platform-specific secure storage areas
M1 deals with customer data; M10 deals with application or developer data.
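A build-time check for "avoid hardcoding information in the application" and for debugging information left switched on, as an added example that is not from the slides. It scans source text for assignments whose name suggests a key or password with a literal value, skipping obvious build-time placeholders, and for debug flags set to true. The patterns, the sample source and the secret value in it are constructed for this example.

```python
# Added example (not from the OWASP slides): a pre-commit style scan for
# hardcoded secrets and debug flags in app source. Patterns are assumptions.
import re

SECRET_NAME = re.compile(r"(api[_-]?key|secret|password|passwd|token|private[_-]?key)", re.I)
ASSIGNMENT = re.compile(
    r"""^\s*(?:final\s+|static\s+|const\s+|let\s+|var\s+)*(?:String\s+)?"""
    r"""(?P<name>[A-Za-z_][\w.]*)\s*=\s*["'](?P<value>[^"']{8,})["']"""
)
DEBUG_FLAG = re.compile(r"\b(DEBUG|debuggable|allowBackup)\b\s*[=:]\s*(true|True|1)\b")
# Values injected at build time or left as templates are not findings.
PLACEHOLDER = re.compile(r"^(<.*>|\$\{.*\}|changeme|xxx+)$", re.I)


def finding_for(line_no: int, line: str):
    """Return (line_no, kind, detail) for one source line, or None."""
    m = ASSIGNMENT.match(line)
    if m and SECRET_NAME.search(m.group("name")) and not PLACEHOLDER.match(m.group("value")):
        return (line_no, "hardcoded-secret", m.group("name"))
    if DEBUG_FLAG.search(line):
        return (line_no, "debug-enabled", line.strip())
    return None


def scan(source: str) -> list:
    """All findings for a source text, in line order."""
    return [f for f in (finding_for(i, l) for i, l in enumerate(source.splitlines(), 1)) if f]


SAMPLE = '''\
// constructed sample, loosely Java-like
public class Config {
    static final String API_BASE = "https://api.example.invalid/v1";
    static final String API_KEY = "constructed-key-0123456789abcdef";
    static final String DB_PASSWORD = "${DB_PASSWORD}";   // injected at build time
    static final boolean DEBUG = true;
    static String loadApiKey() { return SecureStorage.get("api_key"); }
}
'''
```

The last line of the sample shows the shape the slide recommends instead: the key is fetched at runtime from platform secure storage (or, better, never leaves the server), so the scanner has nothing to flag. A check like this is a cheap safety net, not a replacement for the design decision; strings can be split or encoded to defeat it, which is exactly why M9 says obfuscation is not protection.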