OWASP Mobile Top 10: Brief Overview

Mobile devices are now an integral part of our life. Currently, people can't imagine life without mobile devices. You can do 80 to 90 percent of daily tasks with mobile devices, which you previously do with the help of desktops or laptops. Mobile devices contain a lot of personal data in which may be non-government and government agencies are interested. In the US, the police need a warrant to check any records on the mobile device or track the mobile location of any individual.

As mobile devices have a lot of personal data, criminals are also interested in mobile device vulnerabilities to access your personal data such as credit card numbers, social security numbers, health data, etc. Here, we will discuss the Top 10 Mobile vulnerabilities released by the Open Web Application Security Project (OWASP), a non-profit organization that improves software security. This article is best for beginners who just started a career in mobile security or anyone interested in the security of mobile devices and their applications.

M1-Improper Platform Usage

This vulnerability category arises when a developer has not implemented platform security features such as Keychain, Android Intents, platform permissions, etc., correctly in the mobile application.

Mitigation: Secure Coding techniques and best practices suggested by Android, iOS, Windows, etc., in developing security features (such as API calls) are the key mitigation techniques for this kind of vulnerability.

M2-Insecure Data Storage

As the name implied, this category is related to the leakage and storage of data like credit card numbers, social security numbers, etc., in an unencrypted format or stored on the device. The reason may be a bad implementation of the data storing and processing functionality in a mobile application.

Mitigation: Implements extreme security measures while handling user data in an instance of caching (url, application, copy/paste buffer etc.), while storing logs, analytics data sent to 3rd parties, etc. It is advisable to create a threat model of different data handled by mobile devices and applications, by third-party API, etc. to understand how data is stored or processed in mobile devices.

M3-Insecure Communication

This category is related to the leaking of user data and secrets during transmission from source to destination. It covers a wide range of technologies and protocols such as NFC, audio, infrared, GSM, 3G, SMS, TCP/IP, WiFi, Bluetooth/Bluetooth-LE, etc., which helps in the transmission of messages.

Mitigations: Always implement the latest SSL/TLS protocols in a mobile application to send and receive any data from the server and any third party. Also, perform SSL chain verification periodically. Always look for updates regarding new vulnerabilities that come into public space and patch them accordingly.

M4-Insecure Authentication

This category deals with issues related to authentication of the end-user and session management. Some vulnerabilities of this category include authentication of an anonymous individual via API call, store secrets in the device without any encryption, weak password policy, etc.

Mitigations: Exhaustive testing for roles and permission should be done. The same authentication mechanism should be implemented for mobile devices as for web applications. It is recommended to authenticate a user from the server side. In case of persistent authentication feature (i.e., remember me functionality), username, the password should not be stored.

M5-Insufficient Cryptography

This category covers all issues related to the improper implementation of cryptographic protocols in mobile applications.

Mitigations: Must follow NIST guidelines while implementing any cryptographic algorithm and module. Also, avoid sensitive data storage in mobile devices.

M6-Insecure Authorization

This category covers issues related to authorization such as forced browsing, privilege escalation, Insecure Direct Object Reference (IDOR) vulnerabilities, etc.

Mitigations: Exhaustive testing should be performed while testing roles in mobile apps. Production code should be reviewed periodically by developers.

M7-Client Code Quality

This category covers all issues (like buffer overflow) related to the bad practices followed by developers in developing the code.

Mitigations: Use static analysis tools to identify issues in code development. Follow secure programming guidelines in the development of the code. Peer review may be an option for reviewing a code periodically.

M8-Code Tampering

As the name suggests, this category is related to a modification of the code of mobile applications. An attacker can easily download binaries of mobile apps from the internet; hence it is easy to modify the code by reverse engineering and change the APIs and contents of code for monetary gain.

Mitigations: Mobile apps should detect the integrity of code while running on a mobile device.  It should also detect the security of the platforms such as jailbroken Apple and rooted Android devices.

M9-Reverse Engineering

This category is related to extracting the source code, libraries, algorithms, and other assets from the binaries and executables files.

Mitigations: Use obfuscation tools to obfuscate the code and try to deobfuscate code using tools such as IDA Pro and Hopper to validate the effectiveness of obfuscation tools.

M10-Extraneous Functionality

This category is related to the implementation of extra functionalities (not planned or needed) in the mobile applications by the developer. Extra functionalities include passwords left by mistake in a comment section, disabling the logging mechanism, etc.

Mitigations: Validate configuration settings of a mobile application, check test code in production code, logs should not contain any sensitive information, etc., are some of the mitigation techniques for this category.

References:

• https://www.owasp.org/index.php/Mobile_Top_10_2016-Top_10