This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "OWASP Mobile Security Project Platform Specific Guidance Draft"

From OWASP
Jump to: navigation, search
Line 1: Line 1:
 +
== Local Storage ==
 
{| border="1" cellpadding="5" cellspacing="0"
 
{| border="1" cellpadding="5" cellspacing="0"
 
|-
 
|-
Line 63: Line 64:
  
 
[https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Controls#section_control_1 1]
 
[https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Controls#section_control_1 1]
 +
 +
2
 +
 +
3
 +
 +
4
 +
 +
5
 +
 +
6
 +
 +
7
 +
 +
8
 +
 +
9
 +
 +
10
 +
 +
|}
 +
 +
== Heading ==
 +
{| border="1" cellpadding="5" cellspacing="0"
 +
|-
 +
|colspan="4"|GUIDANCE TITLE
 +
|-
 +
|colspan="4"|PLATFORM INDEPENDENT DESCRIPTION
 +
|-
 +
|iOS||Android||colspan="2"|Mappings
 +
|-valign="top"
 +
|IOS TEXT||ANDROID TEXT||R
 +
I
 +
 +
S
 +
 +
K
 +
 +
 +
1
 +
 +
2
 +
 +
3
 +
 +
4
 +
 +
5
 +
 +
6
 +
 +
7
 +
 +
8
 +
 +
9
 +
 +
10
 +
 +
||
 +
C
 +
 +
O
 +
 +
N
 +
 +
T
 +
 +
R
 +
 +
O
 +
 +
L
 +
 +
 +
1
 +
 +
2
 +
 +
3
 +
 +
4
 +
 +
5
 +
 +
6
 +
 +
7
 +
 +
8
 +
 +
9
 +
 +
10
 +
 +
|}
 +
 +
 +
== Heading ==
 +
{| border="1" cellpadding="5" cellspacing="0"
 +
|-
 +
|colspan="4"|GUIDANCE TITLE
 +
|-
 +
|colspan="4"|PLATFORM INDEPENDENT DESCRIPTION
 +
|-
 +
|iOS||Android||colspan="2"|Mappings
 +
|-valign="top"
 +
|IOS TEXT||ANDROID TEXT||R
 +
I
 +
 +
S
 +
 +
K
 +
 +
 +
1
 +
 +
2
 +
 +
3
 +
 +
4
 +
 +
5
 +
 +
6
 +
 +
7
 +
 +
8
 +
 +
9
 +
 +
10
 +
 +
||
 +
C
 +
 +
O
 +
 +
N
 +
 +
T
 +
 +
R
 +
 +
O
 +
 +
L
 +
 +
 +
1
  
 
2
 
2
Line 85: Line 237:
  
  
 +
== Heading ==
 
{| border="1" cellpadding="5" cellspacing="0"
 
{| border="1" cellpadding="5" cellspacing="0"
 
|-
 
|-

Revision as of 11:34, 20 October 2011

Local Storage

Local Storage
Mobile devices have the ability to store information in files, databases and other constructs. Because devices can be lost or transferred to other users without being wiped, application developers should be very careful about storing sensitive information locally on the device. Avoiding storing sensitive information on the device is preferable because then the risk of compromise is minimized.
  • Where can applications store local data on the device?
  • What formats are allowed?
iOS Android Mappings
Applications are given access to their own portion of the iOS filesystem that is within the application sandbox and inaccessible to other applications. Files can be designated for Sharing and such files are accessible in the Documents/ directory in iTunes. Files can also be marked as Protected so that they can only be accessed when the device is unlocked. Property List (plist) files can be used to store user preferences and other configuration information in a way that can be moved between OS X and iOS applications.
  • Apple overview page on iOS Data Management
  • Apple information about File and the Filesystem on iOS
  • Apple information about Shared files
  • Apple information about Protected files
  • Apple's Introduction to Property Lists
Android applications have a variety of local storage options. They can store files in both internal storage that will be protected by the default Android/Linux permissions model that segregates access to application files via Linux file/group permissions or external storage on an SD card that will not be covered by those protections. Unless there are special circumstances, files should be created with Context.MODE_PRIVATE or Context.MODE_APPEND, which will use Linux permissions to make them readable and writable only to the application that created the file (and the root user on rooted devices). Files that are created using the Context.MODE_WORLD_READABLE can be read by other applications and should not be used to store data that a malicious application should not have access to. Files that are created using the Context.MODE_WORLD_WRITABLE can be written to by other applications and data read from these files should not be trusted. In addition, Android applications can create SQLite databases for storing application information. Also, Shared Preferences can be used to store key/value data. Finally, Content Providers can be used to store data for a given application as well as for sharing with other applications.
  • Android documentation on Data Storage
  • Android Javadoc for Context.openFileOutput() describing file permission options
R

I

S

K


1

2

3

4

5

6

7

8

9

10

C

O

N

T

R

O

L


1

2

3

4

5

6

7

8

9

10

Heading

GUIDANCE TITLE
PLATFORM INDEPENDENT DESCRIPTION
iOS Android Mappings
IOS TEXT ANDROID TEXT R

I

S

K


1

2

3

4

5

6

7

8

9

10

C

O

N

T

R

O

L


1

2

3

4

5

6

7

8

9

10


Heading

GUIDANCE TITLE
PLATFORM INDEPENDENT DESCRIPTION
iOS Android Mappings
IOS TEXT ANDROID TEXT R

I

S

K


1

2

3

4

5

6

7

8

9

10

C

O

N

T

R

O

L


1

2

3

4

5

6

7

8

9

10


Heading

GUIDANCE TITLE
PLATFORM INDEPENDENT DESCRIPTION
iOS Android Mappings
IOS TEXT ANDROID TEXT R

I

S

K


1

2

3

4

5

6

7

8

9

10

C

O

N

T

R

O

L


1

2

3

4

5

6

7

8

9

10