Date posted: 29-Jun-2020 (presentation dated 2016-07-24)

OWASP Mobile Top 10 Risks presentation at OWASP AppSec Turkey is licensed under a Creative Commons Attribution 3.0 Unported License.

Transcript

Page 1

OWASP Mobile Top 10

Beau Woods
http://beauwoods.com
@beauwoods
https://www.owasp.org/index.php/OWASP_Mobile_Security_Project

Page 2: Mobile Elements

• Client: Application, Platform, Hardware
• Network
• Server: Application
• Other considerations: Bluetooth, NFC/RFID, Backup

Page 3: Mobile Comparison

Mobile Devices
• Use models: always on, always connected, omnipresent
• Capabilities: communications, limited resources, highly variable
• Hardware: extensive RF & SSD, highly variable, not upgradable
• Platform: highly variable, limited options, variable security

Traditional Devices
• Use models: frequently off, disconnected, location-bound
• Capabilities: many resources, robust platform, well documented
• Hardware: limited RF & HDD, highly variable, highly upgradable
• Platform: standardized, well understood, robust security

Page 4: OWASP Mobile Top 10 Risks (under revision)

M1 Insecure Data Storage
M2 Weak Server Side Controls
M3 Insufficient Transport Layer Protection
M4 Client Side Injection
M5 Poor Authorization and Authentication
M6 Improper Session Handling
M7 Security Decisions via Untrusted Inputs
M8 Side Channel Data Leakage
M9 Broken Cryptography
M10 Sensitive Information Disclosure

Mobile Security Project: Top 10 Risks, Top 10 Controls, Threat Model, Testing Guide, Tools, Secure Development


Page 6: M1 Insecure Data Storage

Examples (sensitive data):
• Authentication data
• Regulated information
• Business-specific information
• Private information

Recommendations:
• Business must define, classify, assign owner & set requirements
• Acquire, transmit, use and store as little sensitive data as possible
• Inform and confirm data definition, collection, use & handling

Protections:
1. Reduce use and storage
2. Encrypt or hash
3. Platform-specific secure storage with restricted permissions

Mobile Controls: 1, 2 & 7

Page 7: M3 Insufficient Transport Layer Protection

Impact:
• Expose authentication data
• Disclosure of other sensitive information
• Injection
• Data tampering

Recommendations:
• Use platform-provided cryptographic libraries
• Force strong methods & valid certificates
• Test for certificate errors & warnings
• Use pre-defined certificates, as appropriate
• Encrypt sensitive information before sending
• All transport, including RFID, NFC, Bluetooth, Wi-Fi, carrier
• Avoid HTTP GET method

Mobile Controls: 3
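The M3 recommendations above (force strong methods and valid certificates, test for certificate errors, use pre-defined certificates), worked as an added Python example that is not part of the presentation. It uses only the standard-library ssl and hashlib modules; SAMPLE_LEAF_DER is a constructed byte string standing in for a server's DER-encoded leaf certificate, not a real certificate.

```python
import hashlib
import ssl

# Constructed sample standing in for the DER-encoded leaf certificate a client
# receives in the TLS handshake; not a real certificate.
SAMPLE_LEAF_DER = b"\x30\x82\x01\x0aconstructed-leaf-certificate-bytes"


def make_tls_context():
    """'Force strong methods & valid certificates': CA verification, hostname check, TLS 1.2+."""
    ctx = ssl.create_default_context()            # system CAs, CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSLv3 / TLS 1.0 / TLS 1.1 negotiation
    return ctx


def make_unverified_context():
    """The common 'make the certificate warning go away' mistake, kept only as audit input."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE  # any certificate, including an interceptor's, is accepted
    return ctx


def audit_tls_context(ctx):
    """'Test for certificate errors & warnings': list the settings that silence them."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate validation disabled (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname not matched against certificate (check_hostname=False)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("downgrade below TLS 1.2 permitted")
    return findings


def fingerprint(der_cert):
    """SHA-256 fingerprint of a DER certificate, the usual pin format."""
    return hashlib.sha256(der_cert).hexdigest()


def verify_pinned(der_cert, pinned_fingerprints):
    """'Use pre-defined certificates': accept only a leaf whose fingerprint ships in the app."""
    return fingerprint(der_cert) in pinned_fingerprints


if __name__ == "__main__":
    print("hardened:", audit_tls_context(make_tls_context()) or "no findings")
    print("unverified:", audit_tls_context(make_unverified_context()))
    pins = {fingerprint(SAMPLE_LEAF_DER)}
    print("pinned leaf accepted:", verify_pinned(SAMPLE_LEAF_DER, pins))
    print("other leaf accepted:", verify_pinned(b"other-constructed-cert", pins))
```

In a real client the pinned set holds the fingerprints of the certificates the app was built to trust, and verify_pinned runs on the peer certificate after the normal chain validation succeeds, not instead of it.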

Page 8: M5 Poor Authorization and Authentication

Impacts:
• Account takeover
• Confidentiality breach
• Fraudulent transactions

Most common methods:
• Account name
• Password
• OAuth
• HTTP cookies
• Stored passwords
• Unique tokens

Recommendations:
• Use appropriate methods for the risk
• Unique identifiers as additional (not only) factors
• Differentiate client-side passcode vs. server authentication
• Ensure out-of-band methods are truly OOB (this is hard)
• Hardware-independent identifiers (i.e. not IMSI, serial, etc.)
• Multi-factor authentication, depending on risk
• Define & enforce password length, strength & uniqueness

Mobile Controls: 4

Page 9: M8 Side Channel Data Leakage

Examples (side channel data):
• Caches
• Keystroke logging (by platform)
• Screenshots (by platform)
• Logs

Recommendations:
• Consider server-side leakage
• Reduce client-side logging
• Consider mobile-specific private information
• Consider platform-specific data capture features
• Securely cache data (consider SSD limitations)

Mobile Controls: 1, 2, 3, 6 & 7

Page 10: M10 Sensitive Information Disclosure

Sensitive application data:
• API or encryption keys
• Passwords
• Sensitive business logic
• Internal company information
• Debugging or maintenance information

Recommendations:
• Store sensitive application data server-side
• Avoid hardcoding information in the application
• Use platform-specific secure storage areas

M1 deals with customer data; M10 deals with application or developer data.

Page 11: DIY Exploration

• Explore files on mobile devices and backups
• Search for passwords
• Sniff network connections
• Downgrade SSL

OWASP Resources
• WebScarab
• GoatDroid
• iGoat
• MobiSec
• iMas
• Mobile Testing Guide

Page 12

Beau Woods, @beauwoods

OWASP works when we work together. Get involved. To get involved, get in touch with the project leader: https://www.owasp.org/index.php/OWASP_Mobile_Security_Project