OWASP Mobile Top 10
Beau Woods http://beauwoods.com
@beauwoods https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
Mobile Elements
[Figure: Client (Application, Platform, Hardware), Network, Server (Application); channels shown: Bluetooth, NFC/RFID, Backup]
Other considerations

Mobile Comparison

Mobile Devices
  Use models:    Always on, Always connected, Omnipresent
  Capabilities:  Communications, Limited resources, Highly variable
  Hardware:      Extensive RF & SSD, Highly variable, Not upgradable
  Platform:      Highly variable, Limited options, Variable security

Traditional Devices
  Use models:    Frequently off, Disconnected, Location-bound
  Capabilities:  Many resources, Robust platform, Well documented
  Hardware:      Limited RF & HDD, Highly variable, Highly upgradable
  Platform:      Standardized, Well understood, Robust security
OWASP Mobile Top 10 Risks
M1 Insecure Data Storage
M2 Weak Server Side Controls
M3 Insufficient Transport Layer Protection
M4 Client Side Injection
M5 Poor Authorization and Authentication
M6 Improper Session Handling
M7 Security Decisions via Untrusted Inputs
M8 Side Channel Data Leakage
M9 Broken Cryptography
M10 Sensitive Information Disclosure
Under Revision
Mobile Security Project: Top 10 Risks, Top 10 Controls, Threat Model, Testing Guide, Tools, Secure Development
M1 Insecure Data Storage
Sensitive data: Authentication data, Regulated information, Business-specific information, Private information
Examples
Recommendations
• Business must define, classify, assign owner & set requirements
• Acquire, transmit, use and store as little sensitive data as possible
• Inform and confirm data definition, collection, use & handling
Protections
1. Reduce use and storage
2. Encrypt or hash
3. Platform-specific secure storage with restricted permissions
Mobile Controls 1, 2 & 7
M3 Insufficient Transport Layer Protection
Examples
Impact: Expose authentication data, Disclosure of other sensitive information, Injection, Data tampering
Recommendations
• Use platform-provided cryptographic libraries
• Force strong methods & valid certificates
• Test for certificate errors & warnings
• Use pre-defined certificates, as appropriate
• Encrypt sensitive information before sending
• All transport, including RFID, NFC, Bluetooth, Wifi, Carrier
• Avoid HTTP GET method
Mobile Controls 3
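The M3 recommendations above (platform-provided library, valid certificates only, strong methods, pre-defined certificates) in a single Python client configuration, added here as an illustration and not part of the original slides. The weak context shows the configuration the risk describes for contrast; the pinned fingerprint is a constructed placeholder, and `open_pinned_connection` assumes a reachable host.

```python
import hashlib
import socket
import ssl

# Constructed placeholder: SHA-256 of the DER-encoded server certificate the app
# ships with ("pre-defined certificates"). A real app embeds its backend's value.
PINNED_SHA256 = {hashlib.sha256(b"constructed-server-cert-der").hexdigest()}


def weak_client_context() -> ssl.SSLContext:
    """The M3 anti-pattern, for contrast: accepts any certificate and any name."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Platform-provided library, valid certificates only, strong protocol."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname check, OS trust store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def is_hardened(ctx: ssl.SSLContext) -> bool:
    """Check a context the way a test for 'certificate errors & warnings' would."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.check_hostname
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def pin_matches(der_cert: bytes, pins=PINNED_SHA256) -> bool:
    """Compare the presented certificate against the embedded fingerprints."""
    return hashlib.sha256(der_cert).hexdigest() in pins


def open_pinned_connection(host: str, port: int = 443) -> ssl.SSLSocket:
    """Connect with the hardened context, then enforce the pin on the peer cert.
    Assumes `host` is reachable; not exercised offline."""
    ctx = hardened_client_context()
    sock = ctx.wrap_socket(socket.create_connection((host, port)), server_hostname=host)
    if not pin_matches(sock.getpeercert(binary_form=True)):
        sock.close()
        raise ssl.SSLError("certificate pin mismatch for %s" % host)
    return sock
```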
M5 Poor Authorization and Authentication
Examples
Impacts: Account takeover, Confidentiality breach, Fraudulent transactions
Recommendations
• Use appropriate methods for the risk
• Unique identifiers as additional (not only) factors
• Differentiate client-side passcode vs. server authentication
• Ensure out-of-band methods are truly OOB (this is hard)
• Hardware-independent identifiers (i.e. not IMSI, serial, etc.)
• Multi-factor authentication, depending on risk
• Define & enforce password length, strength & uniqueness
Most common methods: Account name, Password, OAuth, HTTP Cookies, Stored passwords, Unique tokens
Mobile Controls 4
M8 Side Channel Data Leakage
Side channel data: Caches, Keystroke logging (by platform), Screenshots (by platform), Logs
Recommendations
• Consider server-side leakage
• Reduce client-side logging
• Consider mobile-specific private information
• Consider platform-specific data capture features
• Securely cache data (consider SSD limitations)
Examples
Mobile Controls 1, 2, 3, 6 & 7
M10 Sensitive Information Disclosure
Sensitive application data: API or encryption keys, Passwords, Sensitive business logic, Internal company information, Debugging or maintenance information
Recommendations
• Store sensitive application data server-side
• Avoid hardcoding information in the application
• Use platform-specific secure storage areas
M1 deals with customer data
M10 deals with application or developer data
DIY Exploration
• Explore files on mobile devices and backups
• Search for passwords
• Sniff network connections
• Downgrade SSL
OWASP Resources
• WebScarab
• GoatDroid
• iGoat
• MobiSec
• iMas
• Mobile Testing Guide
Beau Woods @beauwoods
OWASP works when we work together. Get involved. To get involved, get in touch with the project leader: https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
OWASP Mobile Top 10 Risks presentation at OWASP AppSec Turkey is licensed under a Creative Commons Attribution 3.0 Unported License.