This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
Difference between revisions of "Mobile Top 10 2014-M6"
Revision as of 07:00, 27 January 2014
Threat Agents | Attack Vectors | Security Weakness | Technical Impacts | Business Impacts
---|---|---|---|---
Application Specific | Exploitability: EASY | Prevalence: COMMON; Detectability: EASY | Impact: SEVERE | Application / Business Specific
Threat Description | Attack Vector Description | Security Weakness Description | Technical Impacts | Business Impacts
The M6 category covers the various ways that cryptography is used insecurely within mobile applications.
Insecure use of cryptography is common in almost any application that uses encryption, and three mistakes in this area account for most of the resulting weakness:
1. The Creation and Use of Custom Encryption Algorithms or Protocols
2. Use of Insecure and/or Deprecated Algorithms
3. Poor Key Management
Creation and Use of Custom Encryption Algorithms or Protocols
There is no easier way to mishandle encryption, on mobile or anywhere else, than to try to create and use your own encryption algorithms or protocols. A homegrown design has not survived public analysis, and such designs commonly fall to elementary attacks such as known-plaintext key recovery.
Always use modern algorithms that the security community accepts as strong, and wherever possible use the state-of-the-art encryption APIs of your mobile platform rather than composing primitives yourself.
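As an added illustration that is not part of the original page: a repeating-key XOR routine of the kind that turns up in apps that roll their own crypto, followed by the known-plaintext attack that recovers its key. The record format, the 16-byte key length and the attacker's knowledge of that length are assumptions made for the demonstration.

```python
"""Added example (not from the OWASP page): why a homebrew cipher fails.

A repeating-key XOR routine of the kind found in apps that roll their own
crypto, and the known-plaintext attack that recovers its key. The record
format and the 16-byte key length are assumptions for the demonstration.
"""
import itertools
import secrets


def homebrew_encrypt(key: bytes, data: bytes) -> bytes:
    """The custom 'cipher': XOR each byte with the key, repeated as needed.

    XOR is its own inverse, so this same function also decrypts.
    """
    return bytes(d ^ k for d, k in zip(data, itertools.cycle(key)))


def recover_key(ciphertext: bytes, known_plaintext: bytes, key_len: int) -> bytes:
    """Known-plaintext attack against the repeating key.

    XORing key_len bytes of known plaintext against the matching ciphertext
    bytes leaves exactly the key; because the key repeats, that is enough
    to decrypt everything the app ever protected with it.
    """
    if len(known_plaintext) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_plaintext[:key_len]))


def demo() -> tuple:
    """Encrypt a constructed record with a fresh random key, then break it."""
    # Constructed sample: a JSON record the app stores locally. The first
    # 16 bytes are fixed schema text, which is all the attacker needs.
    record = b'{"schema": "v1", "user": "alice", "session_token": "tok-2f9a1c7e"}'
    key = secrets.token_bytes(16)   # random and secret: the flaw is the algorithm, not the key
    ciphertext = homebrew_encrypt(key, record)

    # Attacker side: guess the fixed prefix, recover the key, decrypt the rest.
    # (Assumption for the demo: the attacker knows the key is 16 bytes long.)
    known_prefix = b'{"schema": "v1",'
    recovered_key = recover_key(ciphertext, known_prefix, key_len=16)
    recovered_record = homebrew_encrypt(recovered_key, ciphertext)
    return recovered_key == key, recovered_record


if __name__ == "__main__":
    key_recovered, plaintext = demo()
    print("key recovered:", key_recovered)
    print("decrypted:", plaintext.decode())
```

A vetted cipher such as AES does not fail this way: knowing plaintext/ciphertext pairs does not reveal the AES key. That is the gap between an algorithm that has been analysed publicly for years and one improvised inside an app.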
Use of Insecure and/or Deprecated Algorithms
Many cryptographic algorithms and protocols should not be used because they have been shown to have significant weaknesses or are otherwise insufficient for modern security requirements. These include:
- RC2 (a legacy block cipher)
- MD4 (hash function; collisions are trivial to produce)
- MD5 (hash function; practical collision attacks exist)
- SHA1 (hash function; deprecated for signatures and other uses that depend on collision resistance)
This list is not exhaustive; treat any algorithm your platform marks as deprecated the same way.
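A practical check for the list above, added here as an example and not part of the original page: a small source scan that flags the deprecated algorithm names in the crypto calls mobile apps typically make. The call shapes are real (the Java Cryptography Architecture factory methods used on Android, and the CC_MD5/CC_SHA1 digest functions of Apple's CommonCrypto); the sample source lines are constructed for the demonstration.

```python
"""Added example (not from the OWASP page): a quick source scan for the
deprecated algorithms listed above in the crypto calls mobile apps use.

The call shapes are real: JCA factory methods on Android/Java and the
CC_MD5/CC_SHA1 digest functions of Apple's CommonCrypto. The sample source
lines are constructed for the demonstration.
"""
import re

# The page's list, with the spellings the platform APIs accept.
DEPRECATED = {"RC2", "MD4", "MD5", "SHA1", "SHA-1"}

# Java Cryptography Architecture: the algorithm is the string argument.
JCA_CALL = re.compile(
    r'\b(MessageDigest|Cipher|Mac|Signature|SecretKeyFactory)\.getInstance\(\s*"([^"]+)"'
)
# CommonCrypto one-shot digests, e.g. CC_MD5(ptr, len, out) in Swift or Objective-C.
CC_CALL = re.compile(r"\b(CC_(?:MD4|MD5|SHA1))\s*\(")


def algorithms_in(spec: str) -> set:
    """Break a JCA transformation string into the algorithm names it relies on.

    "RC2/CBC/PKCS5Padding" -> {"RC2"}; "SHA1withRSA" -> {"SHA1", "RSA"};
    "HmacSHA256" -> {"SHA256"}; "PBKDF2WithHmacSHA1" -> {"PBKDF2", "SHA1"}.
    """
    primary = spec.split("/")[0].upper()
    parts = primary.split("WITH")
    return {p[4:] if p.startswith("HMAC") else p for p in parts}


def find_deprecated(source_lines):
    """Return (line_no, api, algorithm) for each call that names a deprecated algorithm."""
    findings = []
    for line_no, line in enumerate(source_lines, start=1):
        for api, spec in JCA_CALL.findall(line):
            for algo in sorted(algorithms_in(spec) & DEPRECATED):
                findings.append((line_no, api, algo))
        for func in CC_CALL.findall(line):
            findings.append((line_no, func, func[3:]))
    return findings


# Constructed sample: lines as they might appear in an Android (Java) file
# and in an iOS (Swift) file.
SAMPLE_SOURCE = [
    'MessageDigest md = MessageDigest.getInstance("MD5");',
    'Cipher c = Cipher.getInstance("RC2/CBC/PKCS5Padding");',
    'Cipher c2 = Cipher.getInstance("AES/GCM/NoPadding");',
    'Signature s = Signature.getInstance("SHA1withRSA");',
    'Mac m = Mac.getInstance("HmacSHA256");',
    "CC_MD5(ptr, CC_LONG(data.count), &digest)",
    "CC_SHA256(ptr, CC_LONG(data.count), &digest)",
]

if __name__ == "__main__":
    for line_no, api, algo in find_deprecated(SAMPLE_SOURCE):
        print(f"line {line_no}: {api} uses deprecated algorithm {algo}")
```

Two caveats when reading its output. Hits on "HmacSHA1" or "PBKDF2WithHmacSHA1" are review items rather than definite defects: SHA-1 collision attacks do not apply to HMAC, but the scan errs toward flagging because the page lists SHA1 without qualification. And it is a text scan, so an algorithm name assembled at runtime from a variable or a config file is not seen; a runtime check or a review of the platform's crypto provider logs is needed for those.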
Poor Key Management
The best algorithms don't matter if you mishandle your keys. Many developers choose a sound encryption algorithm but then implement their own protocol for employing it, and the keys end up exposed. Some examples of problems here include:
- Including the keys in the same attacker-readable directory as the encrypted content
- Making the keys otherwise available to the attacker (for example, hardcoded in the application binary)
- Failing to use the platform's built-in key storage and encryption functionality
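The first item above, shown concretely as an added example that is not part of the original page: a layout that writes the key next to the ciphertext, beside one that persists only a random salt and derives the key from a user secret at runtime. It uses only the Python standard library; the directory layout, file names and passphrase are assumptions for the demonstration, and the "ciphertext" is random bytes standing in for real cipher output so the example stays focused on where the key lives.

```python
"""Added example (not from the OWASP page): the key-beside-the-data
mistake from the list above, and one fix: derive the key at runtime from
a user secret and persist only a random salt.

Standard library only. The directory layout, file names and passphrase are
assumptions for the demonstration; the 'ciphertext' is random bytes
standing in for real cipher output so the example stays focused on keys.
"""
import hashlib
import secrets
import tempfile
from pathlib import Path

PBKDF2_ITERATIONS = 600_000  # high on purpose: each passphrase guess costs this much work


def derive_key(passphrase: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 from the user's secret; the result is never written to disk."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=32)


def store_key_beside_data(app_dir: Path, key: bytes, ciphertext: bytes) -> None:
    """Anti-pattern: whoever can read data.enc can read key.bin next to it."""
    (app_dir / "data.enc").write_bytes(ciphertext)
    (app_dir / "key.bin").write_bytes(key)


def store_with_derived_key(app_dir: Path, passphrase: str, ciphertext: bytes) -> bytes:
    """Only the salt is persisted; the key exists in memory while it is needed."""
    salt = secrets.token_bytes(16)
    (app_dir / "data.enc").write_bytes(ciphertext)
    (app_dir / "data.salt").write_bytes(salt)
    return derive_key(passphrase, salt)


def attacker_harvest(app_dir: Path) -> dict:
    """Everything an attacker with read access (backup extraction, rooted device) gets."""
    return {p.name: p.read_bytes() for p in app_dir.iterdir() if p.is_file()}


def demo() -> tuple:
    """Return (key found in the key-beside-data layout, key found in the derived-key layout)."""
    ciphertext = secrets.token_bytes(48)  # constructed stand-in for cipher output
    stored_key = secrets.token_bytes(32)
    with tempfile.TemporaryDirectory() as d1, tempfile.TemporaryDirectory() as d2:
        store_key_beside_data(Path(d1), stored_key, ciphertext)
        loot_insecure = attacker_harvest(Path(d1))
        derived_key = store_with_derived_key(Path(d2), "correct horse battery staple", ciphertext)
        loot_derived = attacker_harvest(Path(d2))
    return stored_key in loot_insecure.values(), derived_key in loot_derived.values()


if __name__ == "__main__":
    found_beside, found_derived = demo()
    print("key recoverable from directory, key beside data:", found_beside)
    print("key recoverable from directory, derived key:   ", found_derived)
```

In the second layout the attacker still obtains the salt and can mount a passphrase-guessing attack, so the iteration count and the strength of the passphrase set the cost; that is the limit of what a file-based scheme can do. A key the attacker cannot read at all needs the platform's own key storage, which is what the Android Keystore and the iOS Keychain exist for, and is the point of the third item in the list above.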