OWASP Top 10 for Mobile

Mobile App Security Meet

OWASP Mobile Top 10


Recap

History

● Open Web Application Security Project

● Started in 2001 as an online community

● De facto standard for Application security

● Mandated standard by Compliances

● 42000+ Strong


Famous Projects

● Top 10 Issues (Documentation)

● Security tools

● Damn Vulnerable Apps (WebGoat)

● Code Review Guidelines


Why Top10 for Mobile?

● Started in 2010

● Essential : Mobile >>> PC/Laptop

● Attack Landscape

● More Targets

● 6.1B by 2018


What Mobile App Security boils down to?


Securing assets on the device


Principles

➢ Do not store/leak data ➢ Do not Drive


Principles

➢ Do not store/leak data

➢ Do not store/leak sensitive data

➢ Do not Drive

➢ Do not Drink and Drive


Principles

➢ Do not store/leak data

➢ Do not store/leak sensitive data

➢ Do not store/leak sensitive data in plain

➢ Do not Drive

➢ Do not Drink and Drive

➢ Do not Drink and Drive in a F1 race


Relevant OWASP Sections

● M2 – Insecure Data Storage

● M4 – Unintended Data Leakage

● M7 – Client Side Injection

● M10 – Lack of Binary Protection


M2 – Insecure Data Storage

● Adversary got physical access to phone

● Presence of Malware which accesses file system

● Your app runs on a rooted or jailbroken device


M2 : Whats stored?

● Unames

● Authtokens

● Passwords

● UDID/EMEI **

● SSN

● Credit card Numbers

● Appdata – Cache, Log,


M2 : Locations

● SQLite Dbs

● Log Files

● PlistFiles

● XML Files

● SD Card

● CloudSynced

● Shared Preferences


M4 : Unintended Data Leakage

● Placing sensitive information in insecure location

● Overlap with M2


M4 : Threat Model Locations

● Application Backgrounding

● Logging

● Clipboard

● URL Caching

● CrashLogs

● LocalStorage

● Analytics Data sent


M7 Client Side Injections

● Execution of malicious code in the context and scope of mobile app

● Sometimes with privileged scope


M7 : Locations

● Sqlite Injection

● Local file Inclusions

● XSS (WebView)

● Intent Injections


M10 : lack of Binary Protection

● A Binary at a client side cannot be trusted for its integrity

● Execution of a Binary can be monitored and altered

● IP can be decoded and used elsewhere


M10 : Results in

● Repackaging to insert Malware or Adware

● Bypass security Control

● Runtime Code Injection

● Method Swizzling


M10 : Best Practices

● JailBreak Detection Controls

● Checksum Controls

● Debug Detection controls

● Android Root Detection


Securing assets on the wire and at server


● M1 – Weak Server Side Controls

● M3 – Insufficient Transport Layer Protection

● M5 – Poor Authentication and Authorisation

● M6 – Broken Cryptography

● M8 - Security Decisions via Untrusted Inputs

● M9 – Improper Session Handling


M1 : Weak Server Side Controls

● Traditions SQL Injection

● XSS

● CSRF

● Other OWASP Top 10 (Web)


M3 : Insufficient Transport Layer Protection

● Results in MITM

● SSL Certificates

● Strong enough Ciphers

● HTTP/HTTPS

● SSL Pinning


M5 : Poor Authentication and Authorisation

All client-side authorization and authentication controls will be bypassed

”


M5 : Poor Authentication and Authorisation

Authorization and authentication controls must be re-enforced on the server-side


M9 : Improper Session Handling

● Results are same as M5

● Have a good time out

● Rotate cookies

● Switching access levels

● Creation of secure tokens


M6 : Broken Cryptography

● Still using MD5, RC2 ?

● Move on!

● Use strong Algos

● White Box Crypto (WBC)!!


M8 : Security Decisions Via Untrusted Inputs

● Threat model all your app inputs

● IPC??

● Hidden fields

● Parameters to determine access level


Conclusion

● Mobile App Security is critical and maturing at a faster pace

● Refer to OWASP guidelines to build accepted level of security within the mobile applications