This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Projects/OWASP Mobile Security Project -2015 Scratchpad"
(Took a stab at updating Insecure Authentication and putting some content in.) |
(Added some examples and colour text) |
||
Line 238: | Line 238: | ||
==Insecure Authorization== | ==Insecure Authorization== | ||
===Generic Label=== | ===Generic Label=== | ||
+ | Insecure Authorisation | ||
+ | |||
===Audience-Specific Label=== | ===Audience-Specific Label=== | ||
+ | |||
===Overview Text=== | ===Overview Text=== | ||
− | + | ||
+ | This is a category to capture any failures in authorization (e.g., authorization decisions in the client side, forced browsing, etc.). It is distinct from authentication issues (e.g., device enrolment, user identification, etc.). | ||
===Prominent Characteristics=== | ===Prominent Characteristics=== | ||
===Risk=== | ===Risk=== | ||
===Examples=== | ===Examples=== | ||
+ | |||
+ | ====Client-based Authorisation Decisions==== | ||
+ | If the mobile app knows the user's privilege level, and offers menus and options appropriate to the user's level, that's normal. But if the server honours requests without verifying the user's right/privilege to execute those requests, then there is usually a problem. If the server is implicitly trusting the mobile code to only generate requests appropriate to the user's privilege level, that is a classic insecure authorization finding. | ||
+ | |||
+ | ====Authentication Instead of Authorization==== | ||
+ | |||
+ | The web app end points that service mobile apps might permit access to resources as long as any authentication has taken place. Imagine a REST-based microservice that provides the loyalty points balance for a given loyalty account number. If that service requires some kind of authentication, but does not validate the user's identity as being authorised to see that balance, then this a failure in authorization. | ||
==Client Code Quality Issues== | ==Client Code Quality Issues== |
Revision as of 21:55, 30 June 2015
- 1 Proposed Timeline
- 2 What is It?
- 3 Who is it For?
- 4 OWASP Category Elements
- 5 "Test Drive" Category Element
- 6 Top Ten Scratchpad
- 6.1 Improper Platform Usage
- 6.2 Insecure Data
- 6.3 Insecure Communication (Owner: Andrew Blaich)
- 6.4 Insecure Authentication (Paco)
- 6.5 Insufficient Cryptography (Owner: Paco Hope)
- 6.6 Insecure Authorization
- 6.7 Client Code Quality Issues
- 6.8 Code Tampering (Owner: Jonathan Carter)
- 6.9 Reverse Engineering (Owner: Jonathan Carter)
- 6.10 Extraneous Functionality (Owner: Andrew Blaich)
This is the draft of the 2015 reworking of the Mobile Top Ten. The commentary has been moved to Mobile2015Commentary.
Proposed Timeline
The content of the Mobile Top 10 will be refreshed at some cadence, and most probably not a short one. In between there will be needed changes as appropriate, but major changes will happen sparsely between "official releases".
In order to keep interest in the project and to offer deeper and more complete content, there is a proposal to supply architectural and code samples that illustrate the Top 10 items.
As a first milestone it is suggested that 6 months after the Top 10 is released we are able to do a refresh launch offering the initial version of these samples.
A set cadence for further refresh/release later on needs to be established as well.
What is It?
This is the "Mobile Top Ten" what? It's the top 10 "stuff people tend to screw up", but here are some important questions.
- Business risk or technical risk? The business risk would be something like "intellectual property unprotected" or "customer data exposed." A technical risk would be something like "data stored in plain text files."
- Root cause, or final impact? Often root causes are things like not encrypting when we should. Final impact is stuff like unintended data leaks. The problem is that some of these things are overlapping. Not every lack of crypto is a data leak, but many are.
- What threats are in scope? There are apps that simply do not care about protecting from malware, jailbreaking, etc. Think Yelp: it's just restaurant reviews. No financial impact, no reason to care about many client-side attacks. Plenty of apps do care about client-side attacks. E.g., banking, communications, health data. Many items hinge on whether or not you care about client side attacks. How do we capture this?
- If you care about client-side attacks, then failing to encrypt stuff is basically a data leakage.
- If you don't care about client-side attacks, then failing to encrypt stuff is kinda "gee you should do that".
- If you care about client-side attacks, there are probably some platform features that are not sufficient as-is: the app sandbox, etc. You probably want to be putting your own additional layer of encryptiong / protection, etc.
- If you don't care about client-side attacks, then you simply need to be using the standard APIs (keychain, app data storage, etc.) in the standard supported ways.
Who is it For?
Do we intend this to be a tool that infosec / appsec people use? Do we intend lay people to make use of it? (e.g., developers and non-mobile IT security people) What does the target audience need to get from it?
(Paco's opinion) We need to have a narrative: If you found functionality that does X, it is probably in bucket A, unless it is also doing (or not doing) Y, in which case that's bucket B.
OWASP Category Elements
This section explores the critical elements that must be included within all OWASP Mobile Top Ten 2015 categories. Each element is listed below along with a brief description of the appropriate content. The goal is to "test drive" this list of required elements with a sample, non-commital category to verify that the elements adequately cover what is needed within each of the OWASP Mobile Top Ten 2015 categories. Each of these elements has been initially based off the Google Hangout meeting held on April 1 2015.
Label (generic and audience-specific labels)
This element is a unique identifier for the bucket of issues that belong together. In the OWASP Mobile Top Ten 2015 Survey, we found that there were many different audiences that may use the OWASP Mobile Top Ten 2015 for different purposes. As always, there needs to be a generic label that uniquely identifies each bucket of issues. However, there should also be additional labels for the same category that are audience-specific to make it easier for different audiences to identify the category they are looking for. These additional labels will help clarify and differentiate the categories.
Overview Text
This element is a generic education piece (100-200 words) around the nature of the category. It should describe the nature of the category as it relates to the different audiences (e.g., penetration testers; software engineers). It should include external references and educational links to other sources around the nature of the problem.
Prominent Characteristics
This element eliminates any uncertainty or ambiguity that may result from vagueness / broadness in the category labels. It should include "headline vulnerabilities" that made it into the media and help each audience get a "gut feel" for what belongs to this category. In the 2014 list, we found that there were many instances where the same vulnerabilities were spread across many different categories. Hence, the need for this additional element along with a strive towards better categorisation.
Risk
This element helps clarify how critical the category of issues is from both a business and technical perspective. During the meeting of April 1 2015, it was proposed that the CVSS classification scheme may be used here as a way of helping guide the audiences in prioritisation of the fixing of the issues.
Examples
This element gives coding-specific examples, CVE vulnerabilities and newsworthy events that fall into this category. This element will help clarify to the difference audiences what fits into this category.
Audience Specific Guidance
This element gives practical advice and guidance for category remediation that is relevant to each audience (100-200 words). Each audience may approach the issue of remediation from very different perspectives. For example, an auditor may simply want to know more about whether or not remediation is appropriate. Meanwhile, a software engineer may want to have coding-specific advice. Each audience's concerns must be addressed in this element.
"Test Drive" Category Element
Here, we are testing a particular category to see whether or not the proposed elements for each category are adequate to address each audience's needs. It is important to note that this is a sample category and is not a formal commitment to any final category in the OWASP Mobile Top Ten 2015. It is strictly meant for testing purposes. Members who would like to 'own' particular elements in the category below should 'sign up' and add content where appropriate.
Insecure Data Transmission
Generic Label
Owner(s): Jonathan Carter
Audience-Specific Labels
Owner(s): Jonathan Carter
Overview Text
Mobile devices and applications can be used to transmit data over many communication channels. These channels include, but are not limited to: "Wireless Cellular Protocols (2G, 3G, 4G, 5G, etc.), WiFi(Ad-Hoc, Infrastructure, and Peer to Peer modes), Bluetooth (and it's variants), Infrared, RFID, NFC, etc.
Vulnerabilities in this category focus on weaknesses associated with "data in motion" when transmission occurs over the above noted communication channels. These vulnerabilities can arise as a result of one or more failures in adequately securing the communications channels including but not limited to: plain-text transmission of sensitive data (i.e. not utilizing adequate encryption over the communication channel), insufficient authentication of encrypted channel endpoints (i.e. Failing to confirm the identity of the remote end-point you are attempting secure transmissions with) and/or insufficiently/inadequately establishing the encryption communications protocol (i.e. using weak encryption secrets, ciphers and/or protocols).
Owner(s): Milan Singh Thakur, Amin Lalji
Prominent Characteristics
Owner(s): David Fern
The key differentiator of this vulnerability is that it is concerned about unencrypted or improperly encrypted data being stolen during transmission, not on the device but through the airwaves.
Insecure Data Transmission should not be confused with others in the top 10 such as:
M3: Insufficient Transport Layer Protection – I DO NOT SEE ANT DIFFERENCE
M4: Unintended Data Leakage – Unintended data leakage is a result of insecure data transmission. Once data has been stolen and interpreted it may contain information that is valuable to attackers (leaked).
M6: Broken Cryptography – While broken cryptography does relate to data that has been improperly encrypted, and it may be an input or causes of insecure data transmission, it focuses on the encryption process/technique itself on the device transmitting the data.
Risk
The risk attributed to mobile applications that suffer from this category of vulnerabilities rely upon the "business" value of the data being transmitted - however from a technical perspective, exploitation of this vulnerability can lead to a loss of confidentiality (i.e. access to confidential/sensitive data by unauthorized individuals/systems) and possibly a loss of integrity (i.e. data may be changed in transit).
The ease of exploitation of this type vulnerability varies based on the communication channel, but generally speaking, is not an overly complex attack to successfully execute (i.e. when sensitive data is transmitted over WiFi in clear-text, it is trivial to intercept and review).
Mitigating the risks associated with this category of vulnerabilities can take various forms depending on the transmission protocol being used.
- Include examples here for protocol level security implemented with Layer 6/7 (TLS/HTTPS), WiFi, Bluetooth, NFC, RFID, etc.)
Owner(s): Rajvinder Singh, Milan Singh Thakur, Amin Lalji
Examples
Owner(s): Adam Kliarsky
Audience-Specific Guidance
Owner(s): Andi Pannell, Amin Lalji
From both a development and auditing stance, the easiest way to test this is to insert a proxy (such as burp) between the device running the mobile app and the wifi connection. Looking for data being transferred over plain text, as well as identifying weak procotols (SSLv2, SSLv3) and ciphers (RC4, MD5) being used to transmit data.
Top Ten Scratchpad
These are proposed new categories for the 2015 Mobile Top Ten. Edit them. Discuss them. Include inline comments with attirbution where possible.
Improper Platform Usage
Generic Label
Audience-Specific Label
Overview Text
This category would cover misuse or failure to use platform security controls. It might include Android intents, platform permissions, misuse of TouchID, the Keychain, or some other security control that is part of the mobile operating system.
There are several ways that mobile apps can experience this risk.
Violation of published guidelines. All platforms have development guidelines for security (c.f., ((Android)), ((iOS)), ((Windows Phone))). If an app contradicts the best practices recommended by the manufacturer, it will be exposed to this risk. For example, there are guidelines on how to use the iOS Keychain or how to secure exported services on Android. Apps that do not follow these guidelines will experience this risk.
Violation of convention or common practice. Not all best practices are codified in manufacturer guidance. In some instances, there are de facto best practices that are common in mobile apps.
Unintentional Misuse. Some apps intend to do the right thing, but actually get some part of the implementation wrong. This could be a simple bug, like setting the wrong flag on an API call, or it could be a misunderstanding of how the protections work.
Prominent Characteristics
Risk
Examples
Insecure Data
Generic Label
Audience-Specific Label
Overview Text
This new category will be a combination of M2 + M4 from Mobile Top Ten 2014.
Prominent Characteristics
Risk
Examples
Insecure Communication (Owner: Andrew Blaich)
Generic Label
Audience-Specific Label
Overview Text
This covers poor handshaking, incorrect SSL versions, weak negotiation, cleartext communication of sensitive assets, etc.
Prominent Characteristics
Risk
Examples
Insecure Authentication (Paco)
Generic Label
Insecure Authentication
Audience-Specific Label
Overview Text
This category captures notions of authenticating the end user or bad session management. This can include:
- Failing to identify the user at all when that should be required
- Failure to maintain the user's identity when it is required
- Weaknesses in session management
This is incomplete. Just getting started.
Session Issues
In past versions of the OWASP Mobile Top Ten, there were separate categories for session management issues. In this version, all such issues go here—unless they have another, better place to go.
Session issues can include:
- Predictable session identifiers
- Failing to log users out
- Session lifetime risks (sessions valid too long, sessions valid across multiple channels)
- Session fixation
Prominent Characteristics
Risk
One common risk around authentication is granting rights or services to unidentified users.
Examples
Trivially Guessed Identifiers
If an app used some small, non-decreasing integer to identify users, it would be subject to obvious attacks like spoofing.
Insufficient Cryptography (Owner: Paco Hope)
Generic Label
Insufficient Cryptography
Audience-Specific Label
Overview Text
The code applies cryptography to a sensitive information asset. However, the cryptography is insufficient in some way. Note that anything and everything related to TLS or SSL goes in M3. Also, if the app fails to use cryptography at all when it should, that probably belongs in M2. This category is for issues where cryptography was attempted, but it wasn't done correctly.
Prominent Characteristics
Common failures in this category include:
- Weak ciphers
- Small keys
- Wrong type of crypto (e.g., symmetric when asymmetric is more appropriate)
- Vulnerability to a well known cryptanalytic attack like
- Chosen plaintext attack
- Known plaintext attack
- Poor key selection (e.g., predictable randomness)
All issues in this category share a common quality: The app did attempt to protect the data, and the protection probably works to some degree. But the finding is usually that the protection is deemed insufficient for one reason or another.
Risk
The data that is being protected with cryptography is likely to be exposed. Typical results are related to either the confidentiality or the integrity of the data that was protected.
Confidentiality risks might include an offline brute force attack against the data or inference attacks against the encrypted data. Such risks mean that an attacker learns some or all the protected information.
Integrity risks might include replay attacks if a cryptographic signature can be forged. Insecure code might get loaded if a code signature can be forged. Guessable or predictable cryptographic tokens might enable fake transactions.
Examples
These are just a few examples of the kinds of issues that might be classified in this category.
Predictable Keys
Imagine a mobile app that encrypts data before sending it to the server using a strong symmetric cipher (e.g., AES-256). If the key for encrypting were easily determined, this would be insufficient cryptography. Perhaps the encryption key is simply the user's numeric userid or some other easily guessed identifier. Fixing this issue would involve generating a strong key and securely communicating it between the server and client, or perhaps using asymmetric cryptography.
Easily Forged Integrity Checks
Imagine a mobile app that posts data to a central service (e.g., high scores for a game, user's geographic location, etc.). Imagine that the mobile app adds a hash of the user's data as a parameter in the request as an integrity check. This hash is trivial to duplicate, so an attacker attempting to forge a legitimate update can do so easily. The attacker simply needs to calculate the same hash over the fake data. Fixing this issue would involve making the signature unique and difficult to forge.
Insecure Authorization
Generic Label
Insecure Authorisation
Audience-Specific Label
Overview Text
This is a category to capture any failures in authorization (e.g., authorization decisions in the client side, forced browsing, etc.). It is distinct from authentication issues (e.g., device enrolment, user identification, etc.).
Prominent Characteristics
Risk
Examples
Client-based Authorisation Decisions
If the mobile app knows the user's privilege level, and offers menus and options appropriate to the user's level, that's normal. But if the server honours requests without verifying the user's right/privilege to execute those requests, then there is usually a problem. If the server is implicitly trusting the mobile code to only generate requests appropriate to the user's privilege level, that is a classic insecure authorization finding.
Authentication Instead of Authorization
The web app end points that service mobile apps might permit access to resources as long as any authentication has taken place. Imagine a REST-based microservice that provides the loyalty points balance for a given loyalty account number. If that service requires some kind of authentication, but does not validate the user's identity as being authorised to see that balance, then this a failure in authorization.
Client Code Quality Issues
Generic Label
Audience-Specific Label
Overview Text
This was "Security Decisions Via Untrusted Inputs", one of our lesser-used categories. This would be the catch-all for code-level implementation problems in the mobile client. That's distinct from server-side coding mistakes. This would capture things like buffer overflows, format string vulnerabilities, and various other code-level mistakes where the solution is to rewrite some code that's running on the mobile device.
Prominent Characteristics
Risk
Examples
Code Tampering (Owner: Jonathan Carter)
Generic Label
Audience-Specific Label
Overview Text
This category covers binary patching, local resource modification, method hooking, method swizzling, and dynamic memory modification.
Prominent Characteristics
Risk
Examples
Reverse Engineering (Owner: Jonathan Carter)
Generic Label
Audience-Specific Label
Overview Text
This category includes analysis of the final core binary to determine its source code, libraries, algorithms, and other assets. Think about using IDA Pro, Hopper, otool, and other binary inspection tools used to reverse engineer the application. This is valuable to a hacker on its own.
Prominent Characteristics
Risk
Examples
Extraneous Functionality (Owner: Andrew Blaich)
Generic Label
Audience-Specific Label
Overview Text
Often, developers include hidden backdoor functionality or other internal development security controls that are not intended to be released into a production environment. For example, a developer may accidentally include a password as a comment in a hybrid app. Another example includes disabling of 2-factor authentication during testing.
Prominent Characteristics
Risk
Examples
(Jason) Regarding m10 - Several submissions reported m10 vulns. Unfortunately some were types of services such as binary reputation scanners, that do not have the ability to check for dynamic or code level findings. In order to fix this i recommend a name change or re-working of this category. I want to separate out the delineation of Anti-exploit vs Code Obfuscation/Anti-reversing. Must talk to group about this.