
OWASP Mobile Top 10

OWASP Mobile Top 10 Risks presentation at OWASP Korea, July 13, 2013, is licensed under a Creative Commons Attribution 3.0 Unported License.

Beau Woods, http://beauwoods.com, @beauwoods

To get involved, get in touch with the project leader: https://www.owasp.org/index.php/OWASP_Mobile_Security_Project

Mobile Elements

(Diagram) Client: Application, Platform, Hardware. Network. Server: Application.

Other considerations: Bluetooth, NFC/RFID, Backup

Mobile Comparison

Mobile Devices
• Use models: Always on, always connected, omnipresent
• Capabilities: Communications, limited resources, highly variable
• Hardware: Extensive RF & SSD, highly variable, not upgradable
• Platform: Highly variable, limited options, variable security

Traditional Devices
• Use models: Frequently off, disconnected, location-bound
• Capabilities: Many resources, robust platform, well documented
• Hardware: Limited RF & HDD, highly variable, highly upgradable
• Platform: Standardized, well understood, robust security

OWASP Mobile Top 10 Risks
• M1 Insecure Data Storage
• M2 Weak Server Side Controls
• M3 Insufficient Transport Layer Protection
• M4 Client Side Injection
• M5 Poor Authorization and Authentication
• M6 Improper Session Handling
• M7 Security Decisions via Untrusted Inputs
• M8 Side Channel Data Leakage
• M9 Broken Cryptography
• M10 Sensitive Information Disclosure

Mobile Security Project (alpha documentation): Top 10 Risks, Top 10 Controls, Threat Model, Testing Guide, Tools, Secure Development

M1 Insecure Data Storage

Sensitive data: Authentication data, Regulated information, Business-specific information, Private information

Recommendations
• Business must define, classify, assign owner & set requirements
• Acquire, transmit, use and store as little sensitive data as possible
• Inform and confirm data definition, collection, use & handling

Protections
1. Reduce use and storage
2. Encrypt or hash
3. Platform-specific secure storage with restricted permissions

Mobile Controls 1, 2 & 7

M2 Weak Server Side Controls

OWASP Top 10 Web Application Risks 2013
• A1 Injection
• A2 Broken Authentication and Session Management
• A3 Cross-Site Scripting (XSS)
• A4 Insecure Direct Object References
• A5 Security Misconfiguration
• A6 Sensitive Data Exposure
• A7 Missing Function Level Access Control
• A8 Cross-Site Request Forgery (CSRF)
• A9 Using Components with Known Vulnerabilities
• A10 Unvalidated Redirects and Forwards

Mobile App Servers: RESTful API, SOAP Web Service, Web, XML

Recommendations
• Always validate input
• Don’t trust the client
• Harden mobile app servers & services
• Beware information disclosure
• Understand host & network controls
• Perform integrity checking regularly

Mobile Controls 5 & 6

M3 Insufficient Transport Layer Protection

Impact
• Expose authentication data
• Disclosure of other sensitive information
• Injection
• Data tampering

Recommendations
• Use platform-provided cryptographic libraries
• Force strong methods & valid certificates
• Test for certificate errors & warnings
• Use pre-defined certificates, as appropriate
• Encrypt sensitive information before sending
• Cover all transport, including RFID, NFC, Bluetooth, Wi-Fi and carrier networks
• Avoid the HTTP GET method

Mobile Controls 3

M4 Client Side Injection

Impact
• App or device compromise
• Abuse resources or services (SMS, phone, payments, online banking)
• Extract or inject data
• Man-in-the-Browser (MITB)

Recommendations
• Always validate input
• Don’t trust the server
• Harden mobile app clients
• Beware information disclosure
• Perform integrity checking regularly

Mobile Controls 9

M5 Poor Authorization and Authentication

Impacts
• Account takeover
• Confidentiality breach
• Fraudulent transactions

Most common methods: Account name & password, OAuth, HTTP cookies, Stored passwords, Unique tokens

Recommendations
• Use appropriate methods for the risk
• Unique identifiers as additional (not the only) factors
• Differentiate client-side passcode vs. server authentication
• Ensure out-of-band methods are truly OOB (this is hard)
• Hardware-independent identifiers (i.e., not IMSI, serial number, etc.)
• Multi-factor authentication, depending on risk
• Define & enforce password length, strength & uniqueness

Mobile Controls 4

M6 Improper Session Handling

Impacts
• Account takeover
• Confidentiality breach
• Fraudulent transactions

Most common methods: OAuth, HTTP cookies, Stored passwords, Unique tokens

Recommendations
• Allow revocation of device/password
• Use strong tokens and generation methods
• Consider appropriate session length (longer than web)
• Reauthenticate periodically or after focus change
• Store and transmit session tokens securely

Mobile Controls 4
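The M6 recommendations above, worked into one small server-side session store as an added example (not the presenter's or OWASP's code): tokens come from the OS CSPRNG, only their hash is stored, every session has an absolute lifetime and a re-authentication interval, a focus change can force step-up, and a lost device or a password change revokes sessions. The lifetimes, the in-memory dict and the SessionStore API are assumptions for illustration.

```python
import hashlib
import secrets
import time
SESSION_MAX_AGE = 30 * 24 * 3600   # absolute lifetime, 30 days (assumed value)
REAUTH_INTERVAL = 15 * 60          # ask for credentials again after 15 min (assumed)

def _digest(token: str) -> str:
    # Only the hash of a token is stored: a leaked session table cannot be replayed.
    return hashlib.sha256(token.encode()).hexdigest()

class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock     # injectable so tests can move time forward
        self._sessions = {}     # token digest -> record; in-memory stand-in (assumption)

    def create(self, user: str, device_id: str) -> str:
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        now = self._clock()
        self._sessions[_digest(token)] = {"user": user, "device": device_id,
                                          "created": now, "last_auth": now}
        return token                         # handed to the device once, over TLS

    def check(self, token: str) -> str:   # 'ok', 'reauth' (step-up needed) or 'invalid'
        rec = self._sessions.get(_digest(token))
        if rec is None:
            return "invalid"
        now = self._clock()
        if now - rec["created"] > SESSION_MAX_AGE:
            del self._sessions[_digest(token)]   # absolute expiry, regardless of activity
            return "invalid"
        if now - rec["last_auth"] > REAUTH_INTERVAL:
            return "reauth"                      # session kept, credentials required again
        return "ok"

    def reauthenticated(self, token: str) -> None:
        # Call after a successful password or biometric prompt.
        self._sessions[_digest(token)]["last_auth"] = self._clock()

    def require_reauth(self, token: str) -> None:
        # App regained focus: the next request must step up.
        self._sessions[_digest(token)]["last_auth"] = 0.0

    def revoke(self, user: str, device_id=None) -> int:
        """Lost device (one device) or password change (device_id=None: all)."""
        doomed = [k for k, r in self._sessions.items()
                  if r["user"] == user and device_id in (None, r["device"])]
        for k in doomed:
            del self._sessions[k]
        return len(doomed)
```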

M7 Security Decisions via Untrusted Inputs

Description: Reliance on files, settings, network resources or other inputs which may be modified.

Examples: DNS settings, Cookies, Configuration files, Network injection, Mobile malware, URL calls

Recommendations
• Validate all inputs
• Digitally sign decisioning inputs, where possible
• Ensure trusted data sources for security decisions

M8 Side Channel Data Leakage

Side channel data: Caches, Keystroke logging (by platform), Screenshots (by platform), Logs

Recommendations
• Consider server-side leakage
• Reduce client-side logging
• Consider mobile-specific private information
• Consider platform-specific data capture features
• Securely cache data (consider SSD limitations)

Mobile Controls 1, 2, 3, 6 & 7

M9 Broken Cryptography

Cryptography…
• is not encoding
• is not obfuscation
• is not serialization
• is best left to the experts

Recommendations
• Use only well-vetted cryptographic libraries
• Understand one-way vs. two-way encryption
• Use only well-vetted cryptographic libraries (not a typo)
• Use only platform-provided cryptographic storage
• Use only well-vetted cryptographic libraries (still not a typo)
• Protect cryptographic keys fanatically
• Use only well-vetted cryptographic libraries (seriously - always do this)

“The only way to tell good cryptography from bad cryptography is to have it examined by experts.” - Bruce Schneier

Mobile Controls 1, 2 & 3
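To make the one-way vs. two-way distinction concrete, and to show what M1's "encrypt or hash" protection means for a stored passcode, here is an added example (not the presenter's code) that places a reversible "obfuscation" of the kind the case study's first fix used next to a salted PBKDF2 hash from the Python standard library. The XOR key, the iteration count and the record format are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os

OBF_KEY = b"s3cret"   # constructed key; in a real app it sits in the binary for anyone to read

# The case study's "first fix": obfuscation. It is two-way by construction.
def obfuscate(password: str) -> str:
    raw = password.encode()
    mixed = bytes(b ^ OBF_KEY[i % len(OBF_KEY)] for i, b in enumerate(raw))
    return base64.b64encode(mixed).decode()   # looks random, recovers trivially

def deobfuscate(blob: str) -> str:
    mixed = base64.b64decode(blob)
    return bytes(b ^ OBF_KEY[i % len(OBF_KEY)] for i, b in enumerate(mixed)).decode()

# One-way: a salted, deliberately slow password hash from a vetted library.
ITERATIONS = 200_000   # assumed work factor; raise it as hardware gets faster

def hash_password(password: str, salt: bytes = b"") -> str:
    salt = salt or os.urandom(16)      # fresh per-password salt defeats precomputed tables
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    # Self-describing record, so the work factor can be raised without breaking old entries.
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"

def verify_password(password: str, record: str) -> bool:
    try:
        alg, iters, salt_hex, dk_hex = record.split("$")
    except ValueError:
        return False
    if alg != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)   # constant-time comparison
```

Anyone holding the app binary can run deobfuscate; nobody holding the hash record can run the equivalent, which is the whole of the one-way vs. two-way point.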

M10 Sensitive Information Disclosure

Sensitive application data: API or encryption keys, Passwords, Sensitive business logic, Internal company information, Debugging or maintenance information

Recommendations
• Store sensitive application data server-side
• Avoid hardcoding information in the application
• Use platform-specific secure storage areas

M1 deals with customer data; M10 deals with application or developer data.

Case Study

M1 Insecure Data Storage
• Account number & passcode stored in flat text file

Risks & mitigating factors
• Passcode not used for other systems
• App contained and accessed sensitive and private information

Case Study

M5 Poor Authorization & Authentication
• Account name and password in plain text
• Used HTTP GET method (logged to server)

M8 Side Channel Data Leakage
• Logged password to client and server

M9 Broken Cryptography
• First attempt to fix issue obfuscated password

Risks & mitigating factors
• Same password used for web application
• Password reuse likely
• Stored password securely
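An added audit check, not from the presentation, for the case-study failure in which credentials sent with HTTP GET are written to the server's access log (the M3 "avoid HTTP GET" and M5 points) and the logged value itself becomes a side-channel leak (M8): it scans Common Log Format lines for credential-looking query parameters and reports them with the value masked, which works on any CLF log, not only the constructed sample. The log lines, the parameter list and the function names are constructed for this example.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Common Log Format; the request field holds "METHOD target HTTP/x.y".
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"')
# Parameter names that should never travel in a URL (assumed list; extend for your app).
CREDENTIAL_PARAMS = {"password", "passwd", "pwd", "passcode", "pin", "token", "secret"}

# Constructed sample access log: two GET requests carrying credentials, one POST, one harmless GET.
SAMPLE_LOG = """\
10.0.0.5 - - [13/Jul/2013:10:01:02 +0900] "GET /api/login?user=alice&password=hunter2 HTTP/1.1" 200 512
10.0.0.5 - - [13/Jul/2013:10:01:09 +0900] "GET /api/balance?account=12345 HTTP/1.1" 200 88
10.0.0.9 - - [13/Jul/2013:10:02:44 +0900] "POST /api/login HTTP/1.1" 200 512
10.0.0.9 - - [13/Jul/2013:10:03:10 +0900] "GET /reset?passcode=4321&user=bob HTTP/1.1" 302 0
"""

def mask(value: str) -> str:
    # The audit report must not repeat the secret; that would be one more M8 leak.
    return value[:1] + "*" * (len(value) - 1) if value else ""

def find_credentials_in_urls(log_text: str) -> list:
    """Return one finding per credential-looking query parameter in a logged URL."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue              # not CLF, skip (a POST body never appears here anyway)
        parts = urlsplit(m["target"])
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if name.lower() in CREDENTIAL_PARAMS:
                findings.append({"ip": m["ip"], "time": m["ts"], "method": m["method"],
                                 "path": parts.path, "param": name, "masked": mask(value)})
    return findings

if __name__ == "__main__":
    for f in find_credentials_in_urls(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['method']} {f['path']} param={f['param']} value={f['masked']}")
```

The POST login leaves no trace in the log because its credentials travel in the body, which is the concrete reason behind the slide's advice to avoid GET for authentication.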

Case Study

M1 Insecure Data Storage
• Account name & password stored in flat text file

Risks & mitigating factors
• App accessed private information
• Password reuse likely
• App used in Arab Spring and other protests

DIY Vulnerability Discovery
• Explore files on mobile devices and backups
• Search for passwords
• Sniff network connections
• Downgrade SSL

OWASP Resources
• WebScarab
• GoatDroid
• iGoat
• MobiSec
• iMas
• Mobile Testing Guide

Beau Woods, http://beauwoods.com, @beauwoods

We have a long road ahead – your comments and participation are appreciated. To get involved, get in touch with the project leader: https://www.owasp.org/index.php/OWASP_Mobile_Security_Project