Gtorok: Added threat posed to an app's data running on a rooted or jailbroken device.

2018-05-02T17:06:59Z

Added threat posed to an app's data running on a rooted or jailbroken device.

Milan Singh Thakur at 06:04, 6 March 2017

2017-03-06T06:04:41Z

Jonathan Carter: Created page with "{{Mobile_Top_10_2016:TopTemplate |usenext=Mobile2016NextLink |next=M3-{{Mobile_Top_10_2016:ByTheNumbers |3 |year=2016 |langua..."

2017-02-14T01:06:00Z

Created page with "{{Mobile_Top_10_2016:TopTemplate |usenext=Mobile2016NextLink |next=M3-{{Mobile_Top_10_2016:ByTheNumbers |3 |year=2016 |langua..."

New page

{{Mobile_Top_10_2016:TopTemplate
|usenext=Mobile2016NextLink
|next=M3-{{Mobile_Top_10_2016:ByTheNumbers
|3
|year=2016
|language=en}}
|useprev=Mobile2016PrevLink
|prev=M1-{{Mobile_Top_10_2016:ByTheNumbers
|1
|year=2016
|language=en}}
|year=2016
|language=en
}}

{{Mobile_Top_10_2016:SummaryTableHeaderBeginTemplate|year=2016|language=en}}
{{Mobile_Top_10:SummaryTableTemplate|exploitability=1|prevalence=2|detectability=2|impact=1|year=2016|language=en}}
{{Mobile_Top_10_2016:SummaryTableHeaderEndTemplate|year=2016}}
<td {{Template:Mobile Top 10 2016:SummaryTableRowStyleTemplate|year=2016}}>Threats agents include the following: an adversary that has attained a lost/stolen mobile device; malware or another repackaged app acting on the adversary's behalf that executes on the mobile device.

</td>
<td {{Template:Mobile Top 10 2016:SummaryTableRowStyleTemplate|year=2016}}>In the event that an adversary physically attains the mobile device, the adversary hooks up the mobile device to a computer with freely available software. These tools allow the adversary to see all third party application directories that often contain stored personally identifiable information (PII) or other sensitive information assets. An adversary may construct malware or modify a legitimate app to steal such information assets.

</td>
<td colspan=2 {{Template:Mobile Top 10 2016:SummaryTableRowStyleTemplate|year=2016}}>Insecure data storage vulnerabilities occur when development teams assume that users or malware will not have access to a mobile device's filesystem and subsequent sensitive information in data-stores on the device. Filesystems are easily accessible. Organizations should expect a malicious user or malware to inspect sensitive data stores. Rooting or jailbreaking a mobile device circumvents any encryption protections. When data is not protected properly, specialized tools are all that is needed to view application data.

</td>
<td {{Template:Mobile Top 10 2016:SummaryTableRowStyleTemplate|year=2016}}>This can result in data loss, in the best case for one user, and in the worst case for many users. It may also result in the following technical impacts: extraction of the app's sensitive information via mobile malware, modified apps or forensic tools.

The nature of the business impact is highly dependent upon the nature of the information stolen. Insecure data may result in the following business impacts:

* Identity theft;
* Privacy violation;
* Fraud;
* Reputation damage;
* External policy violation (PCI); or
* Material loss.

</td>
<td {{Template:Mobile Top 10 2016:SummaryTableRowStyleTemplate|year=2016}}>Insecure data storage vulnerabilities typically lead to the following business risks for the organization that owns the risk app:

* Identity Theft
* Fraud
* Reputation Damage
* External Policy Violation (PCI); or
* Material Loss.

</td>

{{Mobile_Top_10:SubsectionTableBeginTemplate|type=main}} {{Mobile_Top_10_2016:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=vulnerableTo|position=firstLeft|risk=2|year=2016|language=en}}
This category insecure data storage and unintended data leakage. Data stored insecurely includes, but is not limited to, the following:

* SQL databases;
* Log files;
* XML data stores ou manifest files;
* Binary data stores;
* Cookie stores;
* SD card;
* Cloud synced.

Unintended data leakage includes, but is not limited to, vulnerabilities from:

* The OS;
* Frameworks;
* Compiler environment;
* New hardware.

This is obviously without a developer's knowledge. In mobile development specifically, this is most seen in undocumented, or under-documented, internal processes such as:

* The way the OS caches data, images, key-presses, logging, and buffers;
* The way the development framework caches data, images, key-presses, logging, and buffers;
* The way or amount of data ad, analytic, social, or enablement frameworks cache data, images, key-presses, logging, and buffers.

{{Mobile_Top_10_2016:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=howPrevent|position=right|risk=2|year=2016|language=en}}
It is important to threat model your mobile app, OS, platforms and frameworks to understand the information assets the app processes and how the APIs handle those assets. It is crucial to see how they handle the following types of features :

* URL caching (both request and response);
* Keyboard press caching;
* Copy/Paste buffer caching;
* Application backgrounding;
* Logging;
* HTML5 data storage;
* Browser cookie objects;
* Analytics data sent to 3rd parties.

{{Mobile_Top_10_2016:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=example|position=left|risk=2|year=2016|language=en}}
=== A Visual Example ===

iGoat is a purposefully vulnerable mobile app for the security community to explore these types of vulnerabilities first hand. In the exercise below, we enter our credentials and log in to the fake bank app. Then, we navigate to the file system. Within the applications directory, we can see a database called “credentials.sqlite”. Exploring this database reveals that the application is storing our username and credentials (Jason:pleasedontstoremebro!) in plain text.

[[Image:Screen%20Shot%202012-12-19%20at%206.34.23%20AM.png]]
[[Image:Screen%20Shot%202012-12-19%20at%206.44.51%20AM.png]]
[[Image:Screen%20Shot%202012-12-19%20at%2010.11.15%20AM.png]]

{{Mobile_Top_10_2016:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=references|position=right|risk=2|year=2016|language=en}}
{{Mobile_Top_10_2016:SubSubsectionOWASPReferencesTemplate}}
* [https://www.owasp.org/index.php/IOS_Developer_Cheat_Sheet OWASP ][https://www.owasp.org/index.php/IOS_Developer_Cheat_Sheet IOS Developer Cheat Sheet]
{{Mobile_Top_10_2016:SubSubsectionExternalReferencesTemplate}}
* [http://source.android.com/tech/security/ Google Androids Developer Security Topics 1]
* [http://developer.android.com/training/articles/security-tips.html Google Androids Developer Security Topics 2]
* [https://developer.apple.com/library/mac/ Apple's Introduction to Secure Coding]
* [http://h30499.www3.hp.com/t5/Application-Security-Fortify-on/Exploring-The-OWASP-Mobile-Top-10-M1-Insecure-Data-Storage/ba-p/5904609 Fortify On Demand Blog - Exploring The OWASP Mobile Top 10: Insecure Data Storage]

@@ Line 65: / Line 65: @@
 * Compiler environment;
 * New hardware.
 This is obviously without a developer's knowledge. In mobile development specifically, this is most seen in undocumented, or under-documented, internal processes such as:

@@ Line 23: / Line 23: @@
 </td>
-      <td colspan=2 {{Template:Mobile Top 10 2016:SummaryTableRowStyleTemplate|year=2016}}>Insecure data storage vulnerabilities occur when development teams assume that users or malware will not have access to a mobile device's filesystem and subsequent sensitive information in data-stores on the device. Filesystems are easily accessible. Organizations should expect a malicious user or malware to inspect sensitive data stores. Rooting or jailbreaking a mobile device circumvents any encryption protections. When data is not protected properly, specialized tools are all that is needed to view application data.
+      <td colspan=2 {{Template:Mobile Top 10 2016:SummaryTableRowStyleTemplate|year=2016}}>Insecure data storage vulnerabilities occur when development teams assume that users or malware will not have access to a mobile device's filesystem and subsequent sensitive information in data-stores on the device. Filesystems are easily accessible. Organizations should expect a malicious user or malware to inspect sensitive data stores. Usage of poor encryption libraries is to be avoided. Rooting or jailbreaking a mobile device circumvents any encryption protections. When data is not protected properly, specialized tools are all that is needed to view application data.
 </td>
@@ Line 79: / Line 79: @@
 * Copy/Paste buffer caching;
 * Application backgrounding;
 * Logging;
 * HTML5 data storage;

Mobile Top 10 2016-M2-Insecure Data Storage - Revision history

Gtorok: Added threat posed to an app's data running on a rooted or jailbroken device.

Milan Singh Thakur at 06:04, 6 March 2017

Jonathan Carter: Created page with "{{Mobile_Top_10_2016:TopTemplate |usenext=Mobile2016NextLink |next=M3-{{Mobile_Top_10_2016:ByTheNumbers |3 |year=2016 |langua..."