
Mobile Top 10 2014-M5

Revision as of 08:49, 27 January 2014 by Jason Haddix (talk | contribs)

Poor Authorization and Authentication
Threat Agents          | Attack Vectors        | Security Weakness      | Technical Impacts  | Business Impacts
-----------------------|-----------------------|------------------------|--------------------|---------------------------------
Application Specific   | Exploitability: EASY  | Prevalence: COMMON     | Impact: SEVERE     | Application / Business Specific
                       |                       | Detectability: EASY    |                    |
Threat Description     | Attack Vector         | Security Weakness      | Technical Impacts  | Business Impacts
                       | Description           | Description            |                    |

Am I Vulnerable To Poor Authorization and Authentication?

Avoid the following Insecure Mobile Application Authentication Design Patterns:

  • Authentication in a mobile application must match the security protections of the web application component. It should therefore not be possible to authenticate with fewer authentication factors than would be required through the web browser.
  • Authenticating a user locally can lead to client-side bypass vulnerabilities. If the application stores data locally, the authentication routine can be bypassed on jailbroken devices through runtime manipulation or modification of the binary.
  • Ensure all authentication requests are performed server-side. Upon successful authentication, application data is loaded onto the mobile device. This ensures that application data is only available after successful authentication.
  • If client-side storage of data is required, the data needs to be encrypted using an encryption key that is securely derived from the user's login credentials. This ensures that the stored application data is only accessible after the correct credentials have been entered.
  • Persistent authentication ("Remember Me") functionality within mobile applications should never be implemented by storing the user's password on the device.
  • Ideally, mobile applications should use a device-specific authentication token, which the user can revoke within the web application. This ensures that unauthorized access can be mitigated in the event of a stolen or lost device.
  • Do not use any spoofable values for authenticating a user. This includes device identifiers and geo-location.
  • Persistent authentication within mobile applications should be implemented as opt-in and not enabled by default.

How Do I Prevent Poor Authorization and Authentication?

Developers should assume that all client-side authorization controls can be bypassed by malicious users. Authorization controls should therefore also be enforced server-side whenever possible.
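The following Python example is added here and is not code from OWASP or from this page. It ties together the design patterns listed above and the server-side authorization rule: the server verifies credentials and issues a device-specific, revocable token for "Remember Me" (the password is never stored on the device), the resource handler derives the principal from the token rather than from a client-supplied user id, and any locally cached data is protected by a key derived from the login credentials with PBKDF2. The AuthServer class, the in-memory tables, the iteration count and the key-check construction are all assumptions of this example; the actual encryption of local data is left to the platform's crypto library (e.g. AES-GCM), which the standard library does not provide.

```python
import hashlib
import hmac
import secrets

# Assumption: iteration count chosen for illustration; tune for the target device class.
PBKDF2_ITERATIONS = 100_000


class AuthServer:
    """Constructed server-side component (hypothetical; in-memory tables only).

    Passwords are stored as salted PBKDF2 digests. "Remember Me" is a random
    token bound to one device, stored server-side only as its SHA-256 hash,
    so the client never keeps the password and the user can revoke a device.
    """

    def __init__(self):
        self._users = {}    # username -> (salt, pbkdf2 digest)
        self._tokens = {}   # sha256(token) -> [username, device_id, revoked]
        self._records = {}  # record_id -> owner username

    def register(self, username, password, records=()):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        self._users[username] = (salt, digest)
        for record_id in records:
            self._records[record_id] = username

    def login(self, username, password, device_id):
        """Authenticate server-side; on success issue a device-specific token."""
        entry = self._users.get(username)
        if entry is None:
            return None
        salt, stored = entry
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        if not hmac.compare_digest(candidate, stored):
            return None
        token = secrets.token_urlsafe(32)
        self._tokens[hashlib.sha256(token.encode()).digest()] = [username, device_id, False]
        return token

    def revoke_device(self, username, device_id):
        """Called from the web application when a device is lost or stolen."""
        for record in self._tokens.values():
            if record[0] == username and record[1] == device_id:
                record[2] = True

    def _principal(self, token, device_id):
        record = self._tokens.get(hashlib.sha256(token.encode()).digest())
        if record is None or record[2] or record[1] != device_id:
            return None
        return record[0]

    def fetch_record(self, token, device_id, record_id):
        """Authorization is enforced here, server-side: the owner is taken from
        the token, never from a user id supplied by the client."""
        user = self._principal(token, device_id)
        if user is None:
            return "unauthenticated"
        if self._records.get(record_id) != user:
            return "forbidden"
        return f"record {record_id} for {user}"


# Client side: a local data key derived from the credentials, never stored.

def derive_local_key(password, salt):
    """Key for locally cached data, derived from the login password (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS, dklen=32)


def local_key_check(key):
    """Key-check value stored beside the ciphertext so the app can distinguish
    wrong credentials from corrupted storage without storing the key itself."""
    return hmac.new(key, b"local-data-key-check", hashlib.sha256).digest()


def unlock_local_key(password, salt, expected_check):
    """Re-derive the key at login; returns None if the credentials are wrong."""
    key = derive_local_key(password, salt)
    if not hmac.compare_digest(local_key_check(key), expected_check):
        return None
    return key


if __name__ == "__main__":
    server = AuthServer()
    server.register("alice", "correct horse", records=("r1",))
    token = server.login("alice", "correct horse", "device-A")
    print(server.fetch_record(token, "device-A", "r1"))
    server.revoke_device("alice", "device-A")
    print(server.fetch_record(token, "device-A", "r1"))
```

Two points to note when reading the block: the token is only ever compared by its hash, so a leaked server table does not yield usable tokens, and fetch_record refuses a valid token presented from a different device id, which is what makes per-device revocation meaningful.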


Example Scenarios


References