OWASP Mobile Top 10 Risks

Dec 18, 2014

Beau Woods

A PowerPoint version of the slides and speaker notes is available here: http://stratigossecurity.com/2013/07/14/owasp-mobile-security-project-top-10-risks-presentation/

OWASP Top 10 Mobile Risks
M1 Insecure Data Storage
M2 Weak Server Side Controls
M3 Insufficient Transport Layer Protection
M4 Client Side Injection
M5 Poor Authorization and Authentication
M6 Improper Session Handling
M7 Security Decisions Via Untrusted Inputs
M8 Side Channel Data Leakage
M9 Broken Cryptography
M10 Sensitive Information Disclosure

Creative Commons - Attribution licensed - Beau Woods - @beauwoods
Transcript

Page 5: OWASP Mobile Top 10 Risks

Path: collected and uploaded personal information
Concur: stored password in plain text

Page 6: OWASP Mobile Top 10 Risks

Recommendation for future versions
• Expand to specific risks

Page 7: OWASP Mobile Top 10 Risks

Google Wallet: NFC MITM
PayPal: failure to validate certificates
Apple iOS AppStore: MITM led to circumventing purchases

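The PayPal item above is the classic client-side failure: a TLS client that accepts any certificate, so a MITM on the coffee-shop Wi-Fi terminates the connection with its own cert and the app never notices. The following is an added example, not code from the deck or from any of the apps named on the slide. It audits a Python `ssl.SSLContext` for the settings a reviewer would check, shows the weak configuration beside the hardened one, and adds a pin check of the kind a mobile app would apply to `getpeercert(binary_form=True)`. `CONSTRUCTED_CERT` is a made-up byte string standing in for a DER certificate; `EXAMPLE_PIN` is derived from it.

```python
import hashlib
import hmac
import ssl


def audit_tls_context(ctx: ssl.SSLContext) -> list:
    """Return the reasons a client SSLContext would accept a MITM's certificate.

    An empty list means the context requires a certificate, chains it to a
    trusted CA, matches it against the server name and refuses pre-TLS 1.2.
    """
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: any certificate is accepted")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: certificate is not matched to the server name")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version allows TLS 1.1 or older")
    return findings


def insecure_context() -> ssl.SSLContext:
    """The 'make the certificate error go away' pattern seen in mobile clients."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE  # self-signed, expired and attacker-issued certs all pass
    return ctx


def hardened_context() -> ssl.SSLContext:
    """System trust store, hostname check, TLS 1.2 or newer."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def pin_matches(der_cert: bytes, pinned_sha256_hex: str) -> bool:
    """Certificate pinning: compare SHA-256 of the presented DER certificate
    (ssock.getpeercert(binary_form=True) on a live connection) with a value
    shipped inside the app. Constant-time compare avoids a timing oracle."""
    digest = hashlib.sha256(der_cert).hexdigest()
    return hmac.compare_digest(digest, pinned_sha256_hex.lower())


# Constructed stand-in for a DER-encoded certificate; not a real certificate.
CONSTRUCTED_CERT = b"constructed-der-certificate-bytes-for-the-example"
EXAMPLE_PIN = hashlib.sha256(CONSTRUCTED_CERT).hexdigest()


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_context()), ("hardened", hardened_context())):
        print(name, audit_tls_context(ctx) or "OK")
    print("pin matches:", pin_matches(CONSTRUCTED_CERT, EXAMPLE_PIN))
    print("pin matches tampered cert:", pin_matches(CONSTRUCTED_CERT + b"x", EXAMPLE_PIN))
```

Pinning is a defence in depth on top of chain validation, not a replacement for it: a pinned app with `CERT_NONE` still hands the attacker a clean channel for any host whose pin is not checked.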

Page 8: OWASP Mobile Top 10 Risks

Recommendation for future versions
• Improve or eliminate

Page 9: OWASP Mobile Top 10 Risks

Dropbox: used only a unique ID to authenticate, no password required; a password reset does not protect the assets
Audible: used a plaintext password to authenticate, sent with the HTTP GET method
OOB (out-of-band factors): remember that mobile devices can potentially intercept phone calls, SMS and email

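The Dropbox note describes two linked failures: a long-lived identifier that works as a bearer credential on any device that copies it, and a password reset that leaves every previously issued credential valid. The server-side fix is to bind each issued token to the user's current authentication generation and bump that generation on every password change, so a reset really does revoke. The following is an added example, not Dropbox's or the deck's code: a minimal token issuer with HMAC-signed tokens, PBKDF2 password storage and a generation counter. The class and method names are invented for the example.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

PBKDF2_ITERATIONS = 100_000  # tune upwards for production hardware


@dataclass
class UserRecord:
    user_id: str
    salt: bytes
    password_hash: bytes
    auth_generation: int = 0  # incremented on every password change or reset


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class AuthServer:
    """Issues HMAC-signed bearer tokens bound to the user's current auth_generation."""

    def __init__(self, server_key: bytes) -> None:
        self._key = server_key
        self._users: Dict[str, UserRecord] = {}

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)

    def register(self, user_id: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[user_id] = UserRecord(user_id, salt, self._hash(password, salt))

    def login(self, user_id: str, password: str) -> Optional[str]:
        """Password login. Returns a token, or None on bad user or password."""
        user = self._users.get(user_id)
        if user is None:
            return None
        if not hmac.compare_digest(self._hash(password, user.salt), user.password_hash):
            return None
        return self._issue_token(user)

    def reset_password(self, user_id: str, new_password: str) -> None:
        user = self._users[user_id]
        user.salt = secrets.token_bytes(16)
        user.password_hash = self._hash(new_password, user.salt)
        user.auth_generation += 1  # every token issued before this point is now dead

    def _issue_token(self, user: UserRecord) -> str:
        # The token carries who it is for and which generation it belongs to;
        # the HMAC stops a client from editing either field.
        payload = json.dumps(
            {"uid": user.user_id, "gen": user.auth_generation, "nonce": secrets.token_hex(8)},
            separators=(",", ":"),
        ).encode("utf-8")
        tag = hmac.new(self._key, payload, hashlib.sha256).digest()
        return _b64(payload) + "." + _b64(tag)

    def validate(self, token: str) -> Optional[str]:
        """Return the user_id the token authenticates, or None if forged, malformed or revoked."""
        try:
            payload_b64, tag_b64 = token.split(".")
            payload = _unb64(payload_b64)
            tag = _unb64(tag_b64)
        except (ValueError, binascii.Error):
            return None
        expected = hmac.new(self._key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None
        claims = json.loads(payload)
        user = self._users.get(claims.get("uid"))
        # A stale generation means the password was changed after issuance: reject.
        if user is None or claims.get("gen") != user.auth_generation:
            return None
        return user.user_id


if __name__ == "__main__":
    server = AuthServer(secrets.token_bytes(32))
    server.register("alice", "correct horse battery staple")
    token = server.login("alice", "correct horse battery staple")
    print("before reset:", server.validate(token))
    server.reset_password("alice", "new passphrase")
    print("after reset:", server.validate(token))
```

Compare this with the behaviour the slide criticises: if the client-side identifier alone is the credential and nothing on the server changes at reset, copying that identifier off a lost or shared device gives indefinite access and the victim has no way to end it.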

Page 11: OWASP Mobile Top 10 Risks

Recommendation for future versions
• Improve or eliminate

Page 12: OWASP Mobile Top 10 Risks

Android: information sent to advertisers http://news.techeye.net/mobile/many-android-apps-send-your-private-information-to-advertisers
Apple: collected and stored mobile tower data; called before the US Congress to answer questions
Audible: stored the URL containing the password in a log file; the same GET request was also recorded in the web server log

Recommendation for future versions
• Consider combining with M10
• Consider incorporating the idea of collecting unnecessary but potentially sensitive or private information

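The Audible item here and the Audible item on the authentication slide are one bug seen from two sides: a password placed in the URL of a GET request is copied into every sink that records request lines, the client's own log file, the web server's access log, proxies and crash reports. As an added example that is not part of the deck, the block below runs a detector over a constructed Combined Log Format sample to find credentials that have already leaked into an access log, and shows the sink-side scrub that should be applied before a request line is written anywhere. The sample lines, host names and parameter list are constructed for the example; the real fix is to move credentials into a POST body or an Authorization header so nothing is there to scrub.

```python
import re
from typing import Iterable, List, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameter names that must never ride in a URL. Extend for your own APIs.
SENSITIVE_PARAMS = frozenset({
    "password", "passwd", "pwd", "pass", "pin",
    "token", "access_token", "refresh_token", "api_key", "apikey",
    "secret", "session", "sessionid", "sid", "auth",
})

# Request line inside a Combined Log Format entry: "GET /path?query HTTP/1.1"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')

# Constructed sample access log, not a real capture. Line 2 is the same login
# done with POST: the credentials travel in the body, which the server does not log.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Oct/2012:10:00:01 +0000] "GET /api/login?user=alice&password=hunter2 HTTP/1.1" 200 512 "-" "ExampleApp/1.0 (Android)"',
    '10.0.0.6 - - [01/Oct/2012:10:00:02 +0000] "POST /api/login HTTP/1.1" 200 512 "-" "ExampleApp/1.0 (iOS)"',
    '10.0.0.7 - - [01/Oct/2012:10:00:03 +0000] "GET /api/search?q=audiobooks&page=2 HTTP/1.1" 200 2048 "-" "ExampleApp/1.0"',
    '10.0.0.8 - - [01/Oct/2012:10:00:04 +0000] "GET /api/sync?Access_Token=abc123 HTTP/1.1" 200 128 "-" "ExampleApp/1.0"',
]


def sensitive_params_in_target(target: str) -> List[str]:
    """Names of sensitive query parameters present in a request target."""
    query = urlsplit(target).query
    return [name for name, _ in parse_qsl(query, keep_blank_values=True)
            if name.lower() in SENSITIVE_PARAMS]


def find_credentials_in_log(lines: Iterable[str]) -> List[Tuple[int, str, str]]:
    """Detection: (line number, method, parameter name) for every leaked credential."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if match is None:
            continue
        for name in sensitive_params_in_target(match.group("target")):
            hits.append((lineno, match.group("method"), name))
    return hits


def redact_target(target: str) -> str:
    """Sink-side mitigation: scrub sensitive values before the request line is logged.
    Keeps parameter names so the log still shows what was requested."""
    parts = urlsplit(target)
    pairs = [(name, "REDACTED" if name.lower() in SENSITIVE_PARAMS else value)
             for name, value in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


if __name__ == "__main__":
    for lineno, method, name in find_credentials_in_log(SAMPLE_LOG):
        print(f"line {lineno}: {method} request leaks '{name}' in the URL")
    print(redact_target("/api/login?user=alice&password=hunter2"))
```

Redaction at the sink is a backstop, not the fix: the same URL is also sitting in the client's log file, in any intermediate proxy, and in the server's error log if the request failed, none of which this scrub reaches.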

Page 14: OWASP Mobile Top 10 Risks

Recommendation for future versions
• Consider combining with M8

Page 15: OWASP Mobile Top 10 Risks

http://www.secureworks.com/cyber-threat-intelligence/advisories/SWRX-2011-002/


Page 16: OWASP Mobile Top 10 Risks

http://www.secureworks.com/cyber-threat-intelligence/advisories/SWRX-2011-004/


Page 17: OWASP Mobile Top 10 Risks

http://stratigossecurity.com/2012/10/03/security-advisory-ustream-mobile-application/

