owasp day - owasp day - lets secure!
TRANSCRIPT
![Page 1: OWASP Day - OWASP Day - Lets secure!](https://reader033.vdocuments.us/reader033/viewer/2022061612/58f9b366760da3da068bd5c2/html5/thumbnails/1.jpg)
OWASP Top 10 Mobile Risks 2016(RC)
Prathan Phongthiproek
OWASP Mobile Security Team
![Page 2: OWASP Day - OWASP Day - Lets secure!](https://reader033.vdocuments.us/reader033/viewer/2022061612/58f9b366760da3da068bd5c2/html5/thumbnails/2.jpg)
Overview
Arxan 5th Annual State of Application Security reportThe new research analyzed 126 popular mobile health and finance apps from the US, UK, Germany, and Japan
Key findings:
Consumers and app executives believe their mobile health and finance apps are secure. A combined 84 percent of mobile app users and mobile app executives believe that their mobile health and finance apps are “adequately secure,”
The majority of mobile health and finance apps contain critical security vulnerabilities. 90 percent of the mobile health and finance apps tested had at least two of the Open Web Application Security Project (OWASP) Mobile Top 10 Risks.
The security and safety risks are real and significant. 98 percent of the mobile apps tested lacked binary protection. 83 percent of the mobile apps had insufficient transport layer protection.
Most consumers would change providers if they knew their apps were not secure. 80 percent of mobile app users would change providers if they knew the apps they were using were not secure. 82 percent would change providers if they knew alternative apps offered by similar service providers were more secure.
![Page 3: OWASP Day - OWASP Day - Lets secure!](https://reader033.vdocuments.us/reader033/viewer/2022061612/58f9b366760da3da068bd5c2/html5/thumbnails/3.jpg)
The Open Web Application Security Project (OWASP)– OWASP Top 10 Mobile Risks 2014 and 2016(RC)https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks
https://www.owasp.org/index.php/Mobile_Top_10_2016-Top_10
Guideline for Mobile Application Security
OWASP Top 10 Mobile 2014 OWASP Top 10 Mobile 2016(RC)
M1: Weak Server Side Controls M1 - Improper Platform Usage
M2: Insecure Data Storage M2 - Insecure Data Storage
M3: Insufficient Transport Layer Protection M3 - Insecure Communication
M4: Unintended Data Leakage M4 - Insecure Authentication
M5: Poor Authorization and Authentication M5 - Insufficient Cryptography
M6: Broken Cryptography M6 - Insecure Authorization
M7: Client Side Injection M7 - Client Code Quality
M8: Security Decisions Via Untrusted Inputs M8 - Code Tampering
M9: Improper Session Handling M9 - Reverse Engineering
M10: Lack of Binary Protections M10 - Extraneous Functionality
![Page 4: OWASP Day - OWASP Day - Lets secure!](https://reader033.vdocuments.us/reader033/viewer/2022061612/58f9b366760da3da068bd5c2/html5/thumbnails/4.jpg)
The Open Web Application Security Project (OWASP)– OWASP Mobile Security Testing Guide (MSTG)https://github.com/OWASP/owasp-mstg
Guideline for Mobile Application Security
Ref: https://docs.google.com/document/d/132Ose0jdQwN6Z_Fp0VOJtVdGCufIwligwmf6oT0lmK8/edit
![Page 5: OWASP Day - OWASP Day - Lets secure!](https://reader033.vdocuments.us/reader033/viewer/2022061612/58f9b366760da3da068bd5c2/html5/thumbnails/5.jpg)
The Open Web Application Security Project (OWASP)– OWASP Mobile Top 10 Controlshttps://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Top_10_Mobile_Controls
Guideline for Mobile Application Security
![Page 6: OWASP Day - OWASP Day - Lets secure!](https://reader033.vdocuments.us/reader033/viewer/2022061612/58f9b366760da3da068bd5c2/html5/thumbnails/6.jpg)
The Open Web Application Security Project (OWASP)– OWASP Mobile Application Security Verification Standard (MASVS)https://github.com/OWASP/owasp-masvs
Guideline for Mobile Application Security
V1: Architecture, Design and Threat Modelling
Requirements
V2: Data Storage and Privacy Requirements
V3: Cryptography Verification
Requirements
V4: Authentication and Session Management
Requirements
V5: Network Communication Requirements
V6: Environmental Interaction
Requirements
V7: Code Quality and Build Setting
Requirements
V8: Resiliency Against Reverse Engineering
Requirements
![Page 7: OWASP Day - OWASP Day - Lets secure!](https://reader033.vdocuments.us/reader033/viewer/2022061612/58f9b366760da3da068bd5c2/html5/thumbnails/7.jpg)
OWASP Top 10 Mobile Risks – 2016 (RC)
https://www.owasp.org/index.php/Mobile_Top_10_2016-Top_10
![Page 8: OWASP Day - OWASP Day - Lets secure!](https://reader033.vdocuments.us/reader033/viewer/2022061612/58f9b366760da3da068bd5c2/html5/thumbnails/8.jpg)
M1 – IMPROPER PLATFORM USAGE
![Page 9: OWASP Day - OWASP Day - Lets secure!](https://reader033.vdocuments.us/reader033/viewer/2022061612/58f9b366760da3da068bd5c2/html5/thumbnails/9.jpg)
M1 – Improper Platform UsageMisuse of a platform feature or failure to use platform security controls
• Unintentional misuse of Android Intent, TouchID, Keychain
• Requesting too many permissions, or the wrong permissions
• Includes security control that is part of the mobile operating system
![Page 10: OWASP Day - OWASP Day - Lets secure!](https://reader033.vdocuments.us/reader033/viewer/2022061612/58f9b366760da3da068bd5c2/html5/thumbnails/10.jpg)
M1 – Improper Platform UsageAbusing Android Content Provider for obtaining sensitive information from application database.
Sensitive Information
.DBContentProvider
![Page 11: OWASP Day - OWASP Day - Lets secure!](https://reader033.vdocuments.us/reader033/viewer/2022061612/58f9b366760da3da068bd5c2/html5/thumbnails/11.jpg)
M1 – Improper Platform UsageCVE-2015-1835: Remote exploit of secondary configuration variables in Apache Cordova on Android
![Page 12: OWASP Day - OWASP Day - Lets secure!](https://reader033.vdocuments.us/reader033/viewer/2022061612/58f9b366760da3da068bd5c2/html5/thumbnails/12.jpg)
M2 – INSECURE DATA STORAGE
![Page 13: OWASP Day - OWASP Day - Lets secure!](https://reader033.vdocuments.us/reader033/viewer/2022061612/58f9b366760da3da068bd5c2/html5/thumbnails/13.jpg)
M2 – Insecure Data StorageThis covers insecure data storage (M2) and unintended data leakage (M4).
2014 M2 Insecure Data Storage 2014 M4 Unintended Data Leakage
SQLite Databases URL Caching
Log Files Keystroke logging
Plist Files Screenshots (Task switcher)
XML Data stores /Manifest Files Logs (system, crash)
Binary data stores Copy/Paste buffer caching
Cookie stores Temp directories
SD card
Keychain
Cloud sync’d folders
![Page 14: OWASP Day - OWASP Day - Lets secure!](https://reader033.vdocuments.us/reader033/viewer/2022061612/58f9b366760da3da068bd5c2/html5/thumbnails/14.jpg)
M2 – Insecure Data StorageInsecure Data Storage lead to Client-side based authentication flaw and File manipulation
![Page 15: OWASP Day - OWASP Day - Lets secure!](https://reader033.vdocuments.us/reader033/viewer/2022061612/58f9b366760da3da068bd5c2/html5/thumbnails/15.jpg)
M2 – Insecure Data StorageSide-Channel Data Leakage through Android Clipboard and iOS generalPasteboard
![Page 16: OWASP Day - OWASP Day - Lets secure!](https://reader033.vdocuments.us/reader033/viewer/2022061612/58f9b366760da3da068bd5c2/html5/thumbnails/16.jpg)
M2 – Insecure Data StorageInformation Leakage through Application backgrounding
![Page 17: OWASP Day - OWASP Day - Lets secure!](https://reader033.vdocuments.us/reader033/viewer/2022061612/58f9b366760da3da068bd5c2/html5/thumbnails/17.jpg)
M3 – INSECURE COMMUNICATION
![Page 18: OWASP Day - OWASP Day - Lets secure!](https://reader033.vdocuments.us/reader033/viewer/2022061612/58f9b366760da3da068bd5c2/html5/thumbnails/18.jpg)
M3 – Insecure Communication
• Poor handshaking
• Incorrect SSL version
• Weak negotiation
• Clear-text communication of sensitive assets; IMEI and hardware addresses, phone number or home address
• SSL certificate validity
![Page 19: OWASP Day - OWASP Day - Lets secure!](https://reader033.vdocuments.us/reader033/viewer/2022061612/58f9b366760da3da068bd5c2/html5/thumbnails/19.jpg)
M3 – Insecure Communication
![Page 20: OWASP Day - OWASP Day - Lets secure!](https://reader033.vdocuments.us/reader033/viewer/2022061612/58f9b366760da3da068bd5c2/html5/thumbnails/20.jpg)
M4 – INSECURE AUTHENTICATION
![Page 21: OWASP Day - OWASP Day - Lets secure!](https://reader033.vdocuments.us/reader033/viewer/2022061612/58f9b366760da3da068bd5c2/html5/thumbnails/21.jpg)
M4 – Insecure AuthenticationNotions of authenticating the end user or bad session management. This can include:
• Failure to identify the user at all when that should be required
• Failure to maintain the user's identity when it is required
• Weaknesses in session management
• Lack of Adequate Timeout Protection
• Using device identifier (UDID, IP, MAC address, IMEI) to identify a user or a session
• Using SMS Out-of-Band Authentication (OOBA) which can be exploited based upon the fact that SMS was never designed to have the Confidentiality and Integrity that we as security professionals look for in systems.
• NIST SP 800-63-3: Digital Authentication Guideline
![Page 22: OWASP Day - OWASP Day - Lets secure!](https://reader033.vdocuments.us/reader033/viewer/2022061612/58f9b366760da3da068bd5c2/html5/thumbnails/22.jpg)
M4 – Insecure AuthenticationBypass Client-side authentication using AM
![Page 23: OWASP Day - OWASP Day - Lets secure!](https://reader033.vdocuments.us/reader033/viewer/2022061612/58f9b366760da3da068bd5c2/html5/thumbnails/23.jpg)
M4 – Insecure AuthenticationBypass Client-side authentication using AM
![Page 24: OWASP Day - OWASP Day - Lets secure!](https://reader033.vdocuments.us/reader033/viewer/2022061612/58f9b366760da3da068bd5c2/html5/thumbnails/24.jpg)
M5 – INSUFFICIENT CRYPTOGRAPHY
![Page 25: OWASP Day - OWASP Day - Lets secure!](https://reader033.vdocuments.us/reader033/viewer/2022061612/58f9b366760da3da068bd5c2/html5/thumbnails/25.jpg)
M5 – Insufficient Cryptography
• Encoding != Encryption
• Creation and Use of Custom Encryption Protocols
• Use of Insecure and/or deprecated algorithmso RC2
o MD4
o MD5
o SHA1
![Page 26: OWASP Day - OWASP Day - Lets secure!](https://reader033.vdocuments.us/reader033/viewer/2022061612/58f9b366760da3da068bd5c2/html5/thumbnails/26.jpg)
M5 – Insufficient Cryptography
![Page 27: OWASP Day - OWASP Day - Lets secure!](https://reader033.vdocuments.us/reader033/viewer/2022061612/58f9b366760da3da068bd5c2/html5/thumbnails/27.jpg)
M6 – INSECURE AUTHORIZATION
![Page 28: OWASP Day - OWASP Day - Lets secure!](https://reader033.vdocuments.us/reader033/viewer/2022061612/58f9b366760da3da068bd5c2/html5/thumbnails/28.jpg)
M6 – Insecure Authorization
• Poor or missing authorization schemes allow an adversary to anonymously execute functionality within the mobile app or backend server used by the mobile app
• If the app does not authenticate users at all in a situation where it should (e.g., granting anonymous access to some resource or service when authenticated and authorized access is required)
![Page 29: OWASP Day - OWASP Day - Lets secure!](https://reader033.vdocuments.us/reader033/viewer/2022061612/58f9b366760da3da068bd5c2/html5/thumbnails/29.jpg)
M6 – Insecure AuthorizationBreaking Business Logic Flaw #1
Breaking Business Logic Flaw #2
![Page 30: OWASP Day - OWASP Day - Lets secure!](https://reader033.vdocuments.us/reader033/viewer/2022061612/58f9b366760da3da068bd5c2/html5/thumbnails/30.jpg)
M7 – CLIENT CODE QUALITY
![Page 31: OWASP Day - OWASP Day - Lets secure!](https://reader033.vdocuments.us/reader033/viewer/2022061612/58f9b366760da3da068bd5c2/html5/thumbnails/31.jpg)
M7 – Client Code Quality
• Code-level implementation problems in the mobile client. That's distinct from server-side coding mistakes.
![Page 32: OWASP Day - OWASP Day - Lets secure!](https://reader033.vdocuments.us/reader033/viewer/2022061612/58f9b366760da3da068bd5c2/html5/thumbnails/32.jpg)
M7 – Client Code QualityAttacking Protocols Handlers (URL Scheme) - Sea Surf
dvia://highaltitudehacks.com/call_number/?phone=1234567890
![Page 33: OWASP Day - OWASP Day - Lets secure!](https://reader033.vdocuments.us/reader033/viewer/2022061612/58f9b366760da3da068bd5c2/html5/thumbnails/33.jpg)
M7 – Client Code QualitySQLite Injection
![Page 34: OWASP Day - OWASP Day - Lets secure!](https://reader033.vdocuments.us/reader033/viewer/2022061612/58f9b366760da3da068bd5c2/html5/thumbnails/34.jpg)
M8 – CODE TAMPERING
![Page 35: OWASP Day - OWASP Day - Lets secure!](https://reader033.vdocuments.us/reader033/viewer/2022061612/58f9b366760da3da068bd5c2/html5/thumbnails/35.jpg)
M8 – Code Tampering• Binary patching
• Local resource modification
• Method hooking or swizzling
• Dynamic memory modification.
![Page 36: OWASP Day - OWASP Day - Lets secure!](https://reader033.vdocuments.us/reader033/viewer/2022061612/58f9b366760da3da068bd5c2/html5/thumbnails/36.jpg)
M8 – Code TamperingInstrumenting Android Applications with Frida using Brute-Force technique
![Page 37: OWASP Day - OWASP Day - Lets secure!](https://reader033.vdocuments.us/reader033/viewer/2022061612/58f9b366760da3da068bd5c2/html5/thumbnails/37.jpg)
M8 – Code TamperingRuntime manipulation using Method Swizzling
![Page 38: OWASP Day - OWASP Day - Lets secure!](https://reader033.vdocuments.us/reader033/viewer/2022061612/58f9b366760da3da068bd5c2/html5/thumbnails/38.jpg)
M8 – Code TamperingBreaking Business Logic flaws and Bypassing End-to-end encryption
Binary file was decrypted in order to obtain classes/methods using Classdump
The encryption and decryption classes were addresses
cy#
Encryption/Decryption classes were intercepted by hooking using custom Cycript scripts
HTTPS Request/Response were obtained
cy#
Custom script were created for replacing the XML request/response in order to break business logic flaws (E.g. Authentication/Authorization/Indirect Object Reference)
![Page 39: OWASP Day - OWASP Day - Lets secure!](https://reader033.vdocuments.us/reader033/viewer/2022061612/58f9b366760da3da068bd5c2/html5/thumbnails/39.jpg)
M9 – REVERSE ENGINEERING
![Page 40: OWASP Day - OWASP Day - Lets secure!](https://reader033.vdocuments.us/reader033/viewer/2022061612/58f9b366760da3da068bd5c2/html5/thumbnails/40.jpg)
M9 – Reverse Engineering• Unfortunately, it is extremely common for apps to be deployed without binary protection
• A lack of binary protections results in a mobile app that can be analyzed, reverse-engineered, and modified by an adversary
• Can use an automated tool to easily visualize the control-flow and pseudo-code of the application
![Page 41: OWASP Day - OWASP Day - Lets secure!](https://reader033.vdocuments.us/reader033/viewer/2022061612/58f9b366760da3da068bd5c2/html5/thumbnails/41.jpg)
M9 – Reverse EngineeringReverse-Engineering on iOS
![Page 42: OWASP Day - OWASP Day - Lets secure!](https://reader033.vdocuments.us/reader033/viewer/2022061612/58f9b366760da3da068bd5c2/html5/thumbnails/42.jpg)
M10 – EXTRANEOUS FUNCTIONALITY
![Page 43: OWASP Day - OWASP Day - Lets secure!](https://reader033.vdocuments.us/reader033/viewer/2022061612/58f9b366760da3da068bd5c2/html5/thumbnails/43.jpg)
M10 – Extraneous Functionality• Developers include hidden backdoor functionality or other internal development security controls that are
not intended to be released into a production environment.
• For example, a developer may accidentally include a password as a comment in a hybrid app.
• Disabling of 2-factor authentication during testing.
![Page 44: OWASP Day - OWASP Day - Lets secure!](https://reader033.vdocuments.us/reader033/viewer/2022061612/58f9b366760da3da068bd5c2/html5/thumbnails/44.jpg)
Thank you
Q&A
![Page 45: OWASP Day - OWASP Day - Lets secure!](https://reader033.vdocuments.us/reader033/viewer/2022061612/58f9b366760da3da068bd5c2/html5/thumbnails/45.jpg)
References
• https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks
• https://www.owasp.org/index.php/Mobile_Top_10_2016-Top_10
• https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Top_10_Mobile_Controls
• https://github.com/OWASP/owasp-mstg
• https://github.com/OWASP/owasp-masvshttps://blog.ul-ts.com/posts/nist-to-deprecate-sms-for-out-of-band-authentication-what-is-the-impact/
• http://integricell.com/sms-out-of-band-authentication-a-false-sense-of-security/