
Architecture and design principles

From OWASP
Revision as of 11:57, 10 May 2011 by Giles Hogben (talk | contribs) (Created page with "The following is a merge of ENISA, OWASP and Veracode top 10. I have cut those risks which cannot be addressed by developers. Note some of the OWASP top ten are in the category o...")


The following is a merge of the ENISA, OWASP and Veracode top 10 lists. I have cut those risks which cannot be addressed by developers. Note that some of the OWASP top ten are in the category of vulnerabilities, so I have cut these.

ENISA top 10

  1. Data leakage resulting from device loss or theft: The smartphone is stolen or lost and its memory or removable media are unprotected, allowing an attacker access to the data stored on it.
  2. Unintentional disclosure of data: The smartphone user unintentionally discloses data on the smartphone.
  3. Attacks on decommissioned smartphones: The smartphone is decommissioned improperly allowing an attacker access to the data on the device.
  4. Phishing attacks: An attacker collects user credentials (such as passwords and credit card numbers) by means of fake apps or (SMS, email) messages that seem genuine.
  5. Spyware: Spyware covers untargeted collection of personal information as opposed to targeted surveillance.
  6. Network Spoofing Attacks: An attacker deploys a rogue network access point (WiFi or GSM) and users connect to it. The attacker subsequently intercepts (or tampers with) the user communication to carry out further attacks such as phishing.
  7. Surveillance attacks: An attacker keeps a specific user under surveillance through the target user’s smartphone.
  8. Diallerware attacks: An attacker steals money from the user by means of malware that makes hidden use of premium SMS services or numbers.
  9. Financial malware attacks: The smartphone is infected with malware specifically designed for stealing credit card numbers, online banking credentials or subverting online banking or ecommerce transactions.
  10. Network congestion: Network resource overload due to smartphone usage leading to network unavailability for the end-user.

OWASP Top 10 Mobile Risks

  1. Insecure or unnecessary client-side data storage
  2. Lack of data protection in transit
  3. Personal data leakage
  4. Client-side injection
  5. Client-side DOS
  6. Malicious third-party code
  7. Client-side buffer overflow

Additional Considerations

  1. Failure to properly handle inbound SMS messages
  2. Failure to properly handle outbound SMS messages
  3. Malicious / Fake applications from appstore
  4. Ability of one application to view data or communicate with other applications
  5. Switching networks during a transaction
  6. Failure to Protect Sensitive Data at rest
  7. Failure to disable insecure platform features in application (caching of keystrokes, screen data)

Veracode top 10