This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Mobile Top 10 2014-M5
From OWASP
Revision as of 08:49, 27 January 2014 by Jason Haddix (talk | contribs)
Threat Agents | Attack Vectors | Security Weakness | Technical Impacts | Business Impacts | |
---|---|---|---|---|---|
Application Specific | Exploitability EASY |
Prevalence COMMON |
Detectability EASY |
Impact SEVERE |
Application / Business Specific |
Threat Description | Attack Vector Description | Security Weakness Description | Technical Impacts | Business Impacts |
Am I Vulnerable To Poor Authorization and Authentication?
Avoid the following Insecure Mobile Application Authentication Design Patterns:
- Authentication requires that mobile applications should match the security protections that of the web application component. Therefore, it should not be possible to authenticate through with less authentication factors then it would be possible through the web browser.
- Authenticating a user locally can lead to client-side bypass vulnerabilities. If the application stores data locally, the authentication routine can be bypassed on jailbroken devices through runtime manipulation or modification of the binary.
- Ensure all authentication requests are performed server-side. Upon successful authentication, application data will be loaded onto the mobile device. This will ensure that application data will only be available after successful authentication.
- If client-side storage of data is required, the data will need to be encrypted using an encryption key that is securely derived from the user’s login credentials. This will ensure that the stored application data will only accessible upon successfully entering the correct credentials.
- Persistent authentication (Remember Me) functionality implemented within mobile applications should never be implemented by storing a user’s password on the device.
- Ideally, mobile applications should utilize a device-specific authentication token, which can be revoked within the web application by the user. This will ensure that unauthorized access can be mitigated in the event of a stolen/lost device.
- Do not use any spoof-able values for authenticating a user. This includes device identifiers or geo-location.
- Persistent authentication within mobile applications should be implemented as opt-in and not enabled by default
How Do I Prevent Poor Authorization and Authentication?
Developers should assume all client-side authorization controls can be bypassed by malicious users. Authorization controls should be re-enforced server-side whenever possible.
Example Scenarios
Example Scenarios
References
References