OWASP Mobile Top 10 (2016): Brief Overview


Mobile devices are now an integral part of daily life, and most of the tasks that used to require a desktop or laptop can be done on a phone or tablet. As a result, mobile devices hold a great deal of personal data, and both government agencies and private organizations have an interest in it. In the US, police generally need a warrant to search the contents of a mobile device or to obtain an individual's location history from it.

Because mobile devices hold so much personal data, criminals are also interested in mobile vulnerabilities that give access to credit card numbers, social security numbers, health records and similar data. This article discusses the Mobile Top 10 released by the Open Web Application Security Project (OWASP), a non-profit organization that works to improve the security of software. It is written for beginners who are starting a career in mobile security and for anyone interested in the security of mobile devices and their applications.

M1-Improper Platform Usage

This category covers applications that misuse a platform security feature or fail to use one at all, for example the iOS Keychain, Android Intents and platform permissions. Typical cases are sensitive data stored somewhere other than the Keychain, or an app that broadcasts sensitive data in an Android Intent that any other app on the device can receive.

Mitigation: Follow the secure coding guidelines and best practices published for each platform (Android, iOS, Windows) when calling platform security APIs, and use the platform's own mechanisms (Keychain, permissions, Intents) the way they are designed to be used rather than working around them.


M2-Insecure Data Storage

As the name implies, this category covers sensitive data such as credit card numbers and social security numbers being stored on the device unencrypted, or leaking into places the developer did not intend. It usually results from a poor understanding of how the platform stores and processes data: information ends up in SQLite databases, log files, XML or binary data stores, cookie stores, the SD card or cloud backups, where another app, or anyone with physical access to a jailbroken or rooted device, can read it.

Mitigation: Handle user data carefully wherever it may be cached or copied: URL caches, application caches, the copy/paste buffer, log files and analytics data sent to third parties. Build a threat model for each kind of data the app, the device and any third-party APIs handle, so that you know where it is stored and how it is processed, and then encrypt it or avoid storing it at all.

M3-Insecure Communication

This category covers user data and secrets leaking while in transit from source to destination. It spans all the technologies and protocols a mobile app can use to move data: NFC, audio, infrared, GSM, 3G, SMS, TCP/IP, WiFi, Bluetooth/Bluetooth LE, etc. Common mistakes are sending sensitive data in cleartext, accepting invalid or self-signed certificates, and negotiating weak or obsolete protocol versions.

Mitigations: Use current TLS versions (SSL is obsolete) and industry-accepted cipher suites for all data exchanged with your own servers and with third parties. Verify the server's certificate chain and hostname on every connection, never just periodically, and consider certificate pinning for your own backends. Keep up with newly published vulnerabilities in TLS libraries and patch promptly.
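As an added illustration of the points above (this is example code, not from the OWASP page), the following Python client stands in for the mobile app. It shows the insecure context developers often write to silence a certificate error next to the correct one, a check a reviewer can apply to any context, and a certificate-pinning step that runs after the normal chain and hostname verification. On Android the same controls are the Network Security Configuration or OkHttp's CertificatePinner; on iOS, a pinned key checked in the URLSession delegate. The host, port and pin values are placeholders to be replaced by the app's own.

```python
"""Insecure and secure TLS client settings, plus certificate pinning.

Added example, not code from the OWASP page. A Python client stands in for the
mobile app. Host, port and pin values are placeholders (assumptions) that an
app would replace with its own backend and its own certificate fingerprints.
"""
import hashlib
import socket
import ssl


def insecure_context() -> ssl.SSLContext:
    """The anti-pattern: chain and hostname checks switched off.

    This is typically written to silence a certificate error during development
    and then ships. Any on-path attacker can present any certificate and read or
    alter all traffic.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def secure_context() -> ssl.SSLContext:
    """Verify the chain against the system trust store, check the hostname,
    and refuse anything older than TLS 1.2."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    """Review check: would this context reject a forged or downgraded connection?"""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and bool(ctx.check_hostname)
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER certificate, the form getpeercert(binary_form=True) returns."""
    return hashlib.sha256(der_cert).hexdigest()


def check_pin(der_cert: bytes, pinned_fingerprints) -> bool:
    """Pin check applied after normal verification. Pin the leaf or an intermediate
    and ship a backup pin so a certificate rotation does not lock users out."""
    return cert_fingerprint(der_cert) in pinned_fingerprints


def connect_pinned(host: str, port: int, pinned_fingerprints) -> ssl.SSLSocket:
    """Open a verified TLS connection and refuse it if the peer is not in the pin set."""
    raw = socket.create_connection((host, port), timeout=10)
    try:
        tls = secure_context().wrap_socket(raw, server_hostname=host)
    except OSError:
        raw.close()
        raise
    if not check_pin(tls.getpeercert(binary_form=True), pinned_fingerprints):
        tls.close()
        raise ssl.SSLCertVerificationError("server certificate is not in the pin set")
    return tls
```

In a real client the pin set would hold the SHA-256 fingerprints of the backend's current and backup certificates; `connect_pinned("api.example.com", 443, pins)` then fails closed if an interception proxy or a mis-issued certificate is presented, even though the chain itself validated.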

M4-Insecure Authentication

This category deals with authenticating the end user and managing sessions. Examples include APIs that serve requests without authenticating the caller (anonymous access), secrets stored on the device without encryption, and weak password policies.

Mitigations: Test roles and permissions exhaustively. Authentication for the mobile app should be at least as strong as for the web application, and it should never rely on the client alone: authenticate users on the server side and have the server issue the session. Where persistent authentication (a "remember me" feature) is offered, store a revocable token on the device, never the username and password.


M5-Insufficient Cryptography

This category covers the improper use of cryptography in mobile applications: weak, deprecated or home-grown algorithms, hard-coded keys, poor key management, and reliance on encoding or obfuscation as if it were encryption.

Mitigations: Use only standard, NIST-approved algorithms from well-maintained libraries, never implement your own cryptography, and keep keys out of the application binary and in the platform key store (iOS Keychain or Android Keystore). Where possible, avoid storing sensitive data on the device at all.
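The following Python, added here as an example and not taken from the OWASP page, shows the server side of the M4 and M5 advice together: passwords stored with the NIST-approved PBKDF2-HMAC-SHA256 and a random per-user salt, a constant-time comparison, the weak alternative beside it for contrast, and a "remember me" token that is stored only as a hash so that neither the password nor a reusable secret sits in the database in the clear. Only the standard library is used; the iteration count follows OWASP's Password Storage Cheat Sheet and is an assumption to revisit as hardware gets faster.

```python
"""Server-side password storage and a 'remember me' token for a mobile backend.

Added example, not code from the OWASP page. PBKDF2_ITERATIONS is taken from
OWASP's Password Storage Cheat Sheet (an assumption to revisit over time).
"""
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 600_000


def hash_password(password: str) -> dict:
    """Derive a verifier; the record keeps the salt and parameters beside the hash."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"kdf": "pbkdf2-sha256", "iterations": PBKDF2_ITERATIONS,
            "salt": salt.hex(), "hash": digest.hex()}


def verify_password(password: str, record: dict) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(record["salt"]), record["iterations"])
    # compare_digest avoids leaking how many leading bytes matched through timing
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


def weak_hash(password: str) -> str:
    """What NOT to do: an unsalted fast hash is cracked offline at billions of guesses per second."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


class TokenStore:
    """Persistent-login tokens. The device keeps the random token (in the Keychain or
    Android Keystore, not the password); the server keeps only its SHA-256, so a
    database leak yields no usable tokens, and each token can be revoked on its own."""

    def __init__(self):
        self._by_hash = {}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, username: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._by_hash[self._key(token)] = username
        return token

    def resolve(self, token: str):
        """Username for a valid token, or None."""
        return self._by_hash.get(self._key(token))

    def revoke(self, token: str) -> bool:
        return self._by_hash.pop(self._key(token), None) is not None
```

The login endpoint calls `verify_password` and, if the user ticked "remember me", returns `TokenStore.issue(username)`; later launches present the token, the server calls `resolve`, and a logout or a suspected compromise calls `revoke`. Nothing the device stores can be replayed after that.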

M6-Insecure Authorization

This category covers authorization failures, where an authenticated user can act beyond their rights: forced browsing to hidden endpoints, privilege escalation, and Insecure Direct Object Reference (IDOR), where the app passes an object identifier such as an account or order number and the server does not check that the caller actually owns it.

Mitigations: Test roles and permissions exhaustively, and verify the authenticated user's roles and permissions on the server side for every request, using information from the server's own session rather than anything sent by the mobile device. Review production code periodically.
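As an added example (not code from the OWASP page), here is the IDOR case in a tiny orders API, with the vulnerable lookup beside the fixed one. The order data and sessions are constructed; `Session` models what the server already knows from its own session store, never a user id or role supplied by the phone.

```python
"""Insecure Direct Object Reference in a mobile backend, vulnerable and fixed.

Added example, not code from the OWASP page. ORDERS and the Session objects
are constructed inputs.
"""
from dataclasses import dataclass

ORDERS = {
    101: {"owner": "alice", "item": "phone case", "total": 19.99},
    102: {"owner": "bob", "item": "charger", "total": 24.50},
}


class Forbidden(Exception):
    """Raised for both foreign and non-existent orders so ids cannot be enumerated."""


@dataclass(frozen=True)
class Session:
    user: str
    role: str  # "customer" or "support", taken from the server-side session


def get_order_vulnerable(session: Session, order_id: int) -> dict:
    """The app requests /orders/102 and the server trusts the id: any logged-in
    user can read any order by changing the number. This is the IDOR."""
    return ORDERS[order_id]


def get_order_fixed(session: Session, order_id: int) -> dict:
    """Authorize against the server-side identity on every request."""
    order = ORDERS.get(order_id)
    allowed = order is not None and (order["owner"] == session.user
                                     or session.role == "support")
    if not allowed:
        raise Forbidden(f"order {order_id} is not accessible to {session.user}")
    return order


def can_read(fetch, session: Session, order_id: int) -> bool:
    """True if `fetch` returns the order, False if it refuses or has no such order."""
    try:
        fetch(session, order_id)
        return True
    except (Forbidden, KeyError):
        return False
```

The test a pentester runs is exactly `can_read(get_order_vulnerable, alice, 102)`: log in as one customer, change the id in the request, and see whether another customer's order comes back.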

M7-Client Code Quality

This category covers code-level bugs introduced by poor development practices, such as buffer overflows, format string vulnerabilities and similar memory-corruption issues in native code, as well as inconsistent, hard-to-review code in general.

Mitigations: Use static analysis tools to find these issues during development, follow secure programming guidelines (consistent coding patterns across the code base, and strict length checks on any buffer that handles untrusted input), and review code regularly in peer reviews.


M8-Code Tampering

As the name suggests, this category covers modification of a mobile application's code. Binaries of published apps are easy to obtain, so an attacker can reverse engineer the app, patch its code or the APIs it calls, and redistribute the modified version for monetary gain, for example with license checks removed or malware added.

Mitigations: The app should be able to detect at runtime that its code has been modified and react, for example by refusing to run, and it should detect whether it is running on a compromised platform such as a jailbroken iOS device or a rooted Android device. Keep in mind that these checks run on a device the attacker controls, so they raise the cost of tampering rather than prevent it.
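The following Python is an added example, not code from the OWASP page, of the two checks just described: comparing shipped files against build-time digests and looking for the traces rooting tools leave on the filesystem. The bundles and path sets are constructed stand-ins for the app's packaged files and the device filesystem; a real app would read its own APK or IPA contents and probe the filesystem. Because the check runs on the attacker's hardware, the server should treat its result as a hint, not as proof.

```python
"""Runtime code-integrity and rooted-device checks.

Added example, not code from the OWASP page. CLEAN_BUNDLE, PATCHED_BUNDLE and
the two path sets are constructed inputs standing in for the app's packaged
files and the device filesystem.
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Digests computed at build time and shipped with the app (constructed values).
BUILD_MANIFEST = {
    "classes.dex": sha256_hex(b"original bytecode"),
    "config.json": sha256_hex(b'{"api": "https://api.example.com"}'),
}

CLEAN_BUNDLE = {
    "classes.dex": b"original bytecode",
    "config.json": b'{"api": "https://api.example.com"}',
}
PATCHED_BUNDLE = {
    "classes.dex": b"patched bytecode: licence check removed",
    "config.json": b'{"api": "https://api.example.com"}',
    "libhook.so": b"injected native library",
}

# Paths commonly left behind by rooting tools; a heuristic that is easy to evade.
ROOT_INDICATORS = ("/system/bin/su", "/system/xbin/su", "/sbin/su",
                   "/system/app/Superuser.apk")
STOCK_DEVICE_PATHS = {"/system/bin/sh", "/system/bin/ls"}
ROOTED_DEVICE_PATHS = {"/system/bin/sh", "/system/bin/ls", "/system/xbin/su"}


def tampered_files(bundle: dict, manifest: dict) -> list:
    """Names whose bytes differ from the build-time digest, are missing, or were added."""
    bad = [name for name, expected in manifest.items()
           if name not in bundle or sha256_hex(bundle[name]) != expected]
    bad.extend(sorted(set(bundle) - set(manifest)))   # files the build never shipped
    return bad


def looks_rooted(present_paths) -> bool:
    return any(path in present_paths for path in ROOT_INDICATORS)


def startup_check(bundle: dict, present_paths) -> dict:
    """What the app evaluates at launch before trusting its own code or the device."""
    return {"tampered": tampered_files(bundle, BUILD_MANIFEST),
            "rooted": looks_rooted(present_paths)}
```

A repackaged build fails on the digest comparison even if the attacker only flipped one branch, and an unexpected extra library is reported as well; a stock device with the original bundle passes both checks.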

M9-Reverse Engineering

This category covers extracting information about the source code, libraries, algorithms and other assets from the app's binaries and executables, typically with a disassembler or decompiler.

Mitigations: Run the code through an obfuscation tool, then validate its effectiveness by trying to reverse engineer the obfuscated build yourself with tools such as IDA Pro and Hopper. Obfuscation slows an analyst down; it does not make the code unreadable, so do not rely on it to hide secrets.

M10-Extraneous Functionality

This category covers functionality that the developer left in the app but never meant to ship: hidden backdoors, test or debug code, passwords left in comments, debug logging left enabled, switches that turn security controls off, and similar. Attackers find it by examining the app's configuration files and binary.

Mitigations: Review the app's configuration settings, check that test and debug code has not been compiled into the production build, and make sure logs never contain sensitive information.
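As an added example serving both the M7 advice to use static analysis and the M10 mitigations just listed (this is not code from the OWASP page), here is a small release-gate scanner. The sample files are constructed to look like fragments of an Android project, the rules are a starting point rather than a complete rule set, and the AWS key in the sample is Amazon's documented example value, not a live credential.

```python
"""Pre-release scan for extraneous functionality and code-quality red flags.

Added example, not code from the OWASP page. SAMPLE_FILES is a constructed
input; RULES is an illustrative starting set, not a complete ruleset.
"""
import re

SAMPLE_FILES = {
    "AndroidManifest.xml": [
        '<application android:debuggable="true" android:allowBackup="true">',
    ],
    "app/src/main/java/com/example/Api.java": [
        '// TODO remove before release: password = "Pa55w0rd!"',
        'static final String API_KEY = "AKIAIOSFODNN7EXAMPLE";',
        'Log.d("Auth", "token=" + session.getToken());',
        'if (BuildConfig.DEBUG) skipTwoFactor = true;',
    ],
}

RULES = [
    ("debuggable build", re.compile(r'android:debuggable="true"')),
    ("app data included in backups", re.compile(r'android:allowBackup="true"')),
    ("hard-coded password", re.compile(r'password\s*=\s*"[^"]+"', re.IGNORECASE)),
    ("hard-coded AWS access key", re.compile(r'\bAKIA[0-9A-Z]{16}\b')),
    ("sensitive value written to log",
     re.compile(r'Log\.[vdiwe]\(.*(token|password|secret)', re.IGNORECASE)),
    ("security control switched by debug flag", re.compile(r'BuildConfig\.DEBUG')),
]


def scan(files: dict) -> list:
    """(path, line number, rule label) for every rule hit, in file order."""
    findings = []
    for path, lines in files.items():
        for lineno, line in enumerate(lines, start=1):
            for label, pattern in RULES:
                if pattern.search(line):
                    findings.append((path, lineno, label))
    return findings


def release_gate(files: dict) -> bool:
    """True when the tree is clean; wire this into the CI job that builds the release."""
    return not scan(files)
```

On the sample project the scan reports six findings, two of them in the manifest alone, and `release_gate` refuses the build; the same check run in CI catches the debug switch that disables two-factor authentication before a tester's shortcut reaches the store.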

 

References:

  • https://www.owasp.org/index.php/Mobile_Top_10_2016-Top_10
