Mobile Top 10 2014-M8 - Revision history

Barbarafox: missing period.

2015-10-08T18:32:13Z

missing period.

Barbarafox: Grammatical errors

2015-10-08T18:31:17Z

Grammatical errors

Shivang Desai at 23:40, 30 January 2015

2015-01-30T23:40:06Z

Shivang Desai at 23:30, 30 January 2015

2015-01-30T23:30:54Z

Shivang Desai at 23:23, 30 January 2015

2015-01-30T23:23:03Z

Shivang Desai at 23:22, 30 January 2015

2015-01-30T23:22:43Z

Shivang Desai: Adding description for Technical Impacts.

2015-01-30T23:19:36Z

Adding description for Technical Impacts.

Shivang Desai: Adding description for Threat Agents.

2015-01-30T23:09:37Z

Adding description for Threat Agents.

Ryan Dewhurst: s/You/Your/

2014-01-28T13:08:17Z

s/You/Your/

Jason Haddix at 08:49, 27 January 2014

2014-01-27T08:49:43Z

@@ Line 7: / Line 7: @@
 {{Top_10_2010:SummaryTableValue-1-Template|Impact|SEVERE}}
 {{Top_10_2010:SummaryTableHeaderEndTemplate}}
-      <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Threat Agents include entities that can pass untrusted inputs to the sensitive method calls. Examples of such entities include, but are not limited to, users, malware and vulnerable apps</td>
+      <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Threat Agents include entities that can pass untrusted inputs to the sensitive method calls. Examples of such entities include, but are not limited to, users, malware and vulnerable apps.</td>
       <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}> Exploitability of this vulnerability remains easy. <br> An attacker with access to app can intercept intermediate calls and manipulate results via parameter tampering. </td>
       <td colspan=2  {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Developers generally use hidden fields and values or any hidden functionality to distinguish higher level users from lower level users. An attacker can intercept the calls (IPC or web service calls) and temper with such sensitive parameters. Weak implementation of such functionalities leads to improper behavior of an app and even granting higher level permissions to an attacker.This can easily be exploited through hooking functionality. </td>

@@ Line 7: / Line 7: @@
 {{Top_10_2010:SummaryTableValue-1-Template|Impact|SEVERE}}
 {{Top_10_2010:SummaryTableHeaderEndTemplate}}
-      <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Threat Agents include entities that can pass untrusted inputs to the sensitive method calls. Examples of such entities but not limited, include users, malwares or a vulnerable app</td>
+      <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Threat Agents include entities that can pass untrusted inputs to the sensitive method calls. Examples of such entities include, but are not limited to, users, malware and vulnerable apps</td>
       <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}> Exploitability of this vulnerability remains easy. <br> An attacker with access to app can intercept intermediate calls and manipulate results via parameter tampering. </td>
       <td colspan=2  {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Developers generally use hidden fields and values or any hidden functionality to distinguish higher level users from lower level users. An attacker can intercept the calls (IPC or web service calls) and temper with such sensitive parameters. Weak implementation of such functionalities leads to improper behavior of an app and even granting higher level permissions to an attacker.This can easily be exploited through hooking functionality. </td>

@@ Line 8: / Line 8: @@
 {{Top_10_2010:SummaryTableHeaderEndTemplate}}
       <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Threat Agents include entities that can pass untrusted inputs to the sensitive method calls. Examples of such entities but not limited, include users, malwares or a vulnerable app</td>
-      <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}> Attack Vector </td>
+      <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}> Exploitability of this vulnerability remains easy. <br> An attacker with access to app can intercept intermediate calls and manipulate results via parameter tampering. </td>
-      <td colspan=2  {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Developers generally use hidden fields and values or any hidden functionality to distinguish higher level users from lower level users. An attacker can intercept the calls (IPC or web service calls) and temper with such sensitive parameters. Weak implementation of such functionalities leads to improper behavior of an app and even granting higher level permissions to an attacker.</td>
+      <td colspan=2  {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Developers generally use hidden fields and values or any hidden functionality to distinguish higher level users from lower level users. An attacker can intercept the calls (IPC or web service calls) and temper with such sensitive parameters. Weak implementation of such functionalities leads to improper behavior of an app and even granting higher level permissions to an attacker.This can easily be exploited through hooking functionality. </td>
       <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>This vulnerability may lead to privilege escalation providing access of higher authorities and functionalities to an attacker. It can even bypass security mechanisms implemented by the app leading to loss of confidentiality and integrity. </td>
       <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>This vulnerability leads to loss of reputation. <br>At the same time, impacting and harming the integrity and confidentiality. </td>

@@ Line 8: / Line 8: @@
 {{Top_10_2010:SummaryTableHeaderEndTemplate}}
       <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Threat Agents include entities that can pass untrusted inputs to the sensitive method calls. Examples of such entities but not limited, include users, malwares or a vulnerable app</td>
-      <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}> Attack Vector Description </td>
+      <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}> Attack Vector </td>
-      <td colspan=2  {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Security Weakness Description </td>
+      <td colspan=2  {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Developers generally use hidden fields and values or any hidden functionality to distinguish higher level users from lower level users. An attacker can intercept the calls (IPC or web service calls) and temper with such sensitive parameters. Weak implementation of such functionalities leads to improper behavior of an app and even granting higher level permissions to an attacker.</td>
       <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>This vulnerability may lead to privilege escalation providing access of higher authorities and functionalities to an attacker. It can even bypass security mechanisms implemented by the app leading to loss of confidentiality and integrity. </td>
       <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>This vulnerability leads to loss of reputation. <br>At the same time, impacting and harming the integrity and confidentiality. </td>

@@ Line 11: / Line 11: @@
       <td colspan=2  {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Security Weakness Description </td>
       <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>This vulnerability may lead to privilege escalation providing access of higher authorities and functionalities to an attacker. It can even bypass security mechanisms implemented by the app leading to loss of confidentiality and integrity. </td>
-      <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>This vulnerability leads to loss of reputation. </br>At the same time, impacting and harming the integrity and confidentiality. </td>
+      <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>This vulnerability leads to loss of reputation. <br>At the same time, impacting and harming the integrity and confidentiality. </td>
 {{Top_10_2010:SummaryTableEndTemplate}}

@@ Line 15: / Line 15: @@
 {{Mobile_Top_10_2012:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2012:StyleTemplate}}|number=1|risk=7}}
-You mobile application can accept data from all kinds of sources. In most cases this will be an Inter Process Communication (IPC) mechanism. In general try and adhere to the following IPC design patterns:
+Your mobile application can accept data from all kinds of sources. In most cases this will be an Inter Process Communication (IPC) mechanism. In general try and adhere to the following IPC design patterns:
 * If there is a business requirement for IPC communication, the mobile application should restrict access to a white-list of trusted applications

← Older revision		Revision as of 08:49, 27 January 2014
Line 1:		Line 1:
		+	<center>[https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks Back To The Mobile Top Ten Main Page]</center>
	{{Top_10_2010:SubsectionColoredTemplate\|<center>Security Decisions Via Untrusted Inputs</center>\|\|year=2014}}		{{Top_10_2010:SubsectionColoredTemplate\|<center>Security Decisions Via Untrusted Inputs</center>\|\|year=2014}}
	{{Top_10_2010:SummaryTableHeaderBeginTemplate}}		{{Top_10_2010:SummaryTableHeaderBeginTemplate}}