This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Mobile Top 10 2014-M8"
From OWASP
(s/You/Your/) |
m (Adding description for Threat Agents.) |
||
| Line 7: | Line 7: | ||
{{Top_10_2010:SummaryTableValue-1-Template|Impact|SEVERE}} | {{Top_10_2010:SummaryTableValue-1-Template|Impact|SEVERE}} | ||
{{Top_10_2010:SummaryTableHeaderEndTemplate}} | {{Top_10_2010:SummaryTableHeaderEndTemplate}} | ||
| − | <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Threat | + | <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Threat Agents include entities that can pass untrusted inputs to the sensitive method calls. Examples of such entities but not limited, include users, malwares or a vulnerable app</td> |
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}> Attack Vector Description </td> | <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}> Attack Vector Description </td> | ||
<td colspan=2 {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Security Weakness Description </td> | <td colspan=2 {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Security Weakness Description </td> | ||
Revision as of 23:09, 30 January 2015
| Threat Agents | Attack Vectors | Security Weakness | Technical Impacts | Business Impacts | |
|---|---|---|---|---|---|
| Application Specific | Exploitability EASY |
Prevalence COMMON |
Detectability EASY |
Impact SEVERE |
Application / Business Specific |
| Threat Agents include entities that can pass untrusted inputs to the sensitive method calls. Examples of such entities but not limited, include users, malwares or a vulnerable app | Attack Vector Description | Security Weakness Description | Technical Impacts | Business Impacts | |
Am I Vulnerable To Security Decisions Via Untrusted Inputs?
Your mobile application can accept data from all kinds of sources. In most cases this will be an Inter Process Communication (IPC) mechanism. In general try and adhere to the following IPC design patterns:
- If there is a business requirement for IPC communication, the mobile application should restrict access to a white-list of trusted applications
- Sensitive actions which are triggered through IPC entry points should require user interaction before performing the action
- All input received from IPC entry points must undergo stringent input validation in order to prevent input driven attacks
- Do not pass any sensitive information through IPC mechanisms, as it may be susceptible to being read by third party applications under certain scenarios
How Do I Prevent Security Decisions Via Untrusted Inputs?
iOS Specific Examples:
- Do not use the deprecated handleOpenURL method to handle URL Scheme calls. This method does not contain an argument containing the BundleID of the source application.
- Instead use the openURL:sourceApplication:annotation method and validation the sourceApplication argument against a white-list of trusted applications
- Do not use the iOS Pasteboard for IPC communications, as it is susceptible to being set or read by all third party apps on the device.
Android Specific Examples
Example Scenarios
Example Scenarios
References
References
