This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Projects/OWASP Mobile Security Project -2015 Scratchpad
This is just a place to gather some ideas for the 2015 reworking of the Mobile Top Ten. It's totally unofficial open musings about truth, beauty, and justice.
- 1 What is It?
- 2 Who is it For?
- 3 Comments on Submitted Data
- 4 Other Questions
- 5 Top Ten Scratchpad
- 5.1 M1: Weak Server Side Controls
- 5.2 M2: Insecure Data Storage
- 5.3 M3: Insufficient Transport Layer Protection
- 5.4 M4: Unintended Data Leakage
- 5.5 M5: Poor Authorization and Authentication
- 5.6 M6: Broken Cryptography
- 5.7 M7: Client Side Injection
- 5.8 M8: Security Decisions Via Untrusted Inputs
- 5.9 M9: Improper Session Handling
- 5.10 M10: Lack of Binary Protections
What is It?
This is the "Mobile Top Ten" what? It's the top 10 "stuff people tend to screw up", but here are some important questions.
- Business risk or technical risk? The business risk would be something like "intellectual property unprotected" or "customer data exposed." A technical risk would be something like "data stored in plain text files."
- Root cause, or final impact? Often root causes are things like not encrypting when we should. Final impact is stuff like unintended data leaks. The problem is that some of these things are overlapping. Not every lack of crypto is a data leak, but many are.
- What threats are in scope? There are apps that simply do not care about protecting from malware, jailbreaking, etc. Think Yelp: it's just restaurant reviews. No financial impact, no reason to care about many client-side attacks. Plenty of apps do care about client-side attacks. E.g., banking, communications, health data. Many items hinge on whether or not you care about client side attacks. How do we capture this?
- If you care about client-side attacks, then failing to encrypt stuff is basically a data leakage.
- If you don't care about client-side attacks, then failing to encrypt stuff is kinda "gee you should do that".
- If you care about client-side attacks, there are probably some platform features that are not sufficient as-is: the app sandbox, etc. You probably want to be putting your own additional layer of encryptiong / protection, etc.
- If you don't care about client-side attacks, then you simply need to be using the standard APIs (keychain, app data storage, etc.) in the standard supported ways.
Who is it For?
Do we intend this to be a tool that infosec / appsec people use? Do we intend lay people to make use of it? (e.g., developers and non-mobile IT security people) What does the target audience need to get from it?
(Paco's opinion) We need to have a narrative: If you found functionality that does X, it is probably in bucket A, unless it is also doing (or not doing) Y, in which case that's bucket B.
Comments on Submitted Data
BugCrowd
I see “storing passwords in the clear” as a very common finding among their data. It gets classifed as M5 poor authentication, M2 insecure data storage, M4 data leakage, and sometimes M6 (broken crypto).
I see “storing session tokens insecurely” as a common finding. It is getting classified as M9 (session handling) and M2 (insecure data storage). I wonder openly whether passwords and session tokens are really that different.
We see a lot of caching of non-password, non-session data. Some of it is done explicitly by the app, some of it is done by the mobile OS through snapshotting, backups, etc. Sometimes it is classified as “data leakage” (M4) and sometimes as insecure storage (M2). And what is interesting is that some of it is the result of the OS and some is the result of the app. Do we want to make that distinction in the T10?
MetaIntelli
They only have 18 distinct things they report on, though they have 111,000 data points. Two of the 18 things are double-counted. They appear to be categorised in both M3 and another one.
Other Questions
Communications issues are a problem a lot. But TLS and crypto are tightly coupled. “Communications issues" includes certificate pinning, weak TLS ciphers, improper cert validation, HTTP and plaintext protocols, and more. There’s a lot of overlap with “broken crypto” like using Base64 instead of encryption, hard coded keys/passwords, weak hash algorithms, and so on. How do we tease out “crypto” issues from “communications” issues from “insecure storage” issues?
I can imagine a heuristic like this:
- did you use crypto where you were supposed to, but the crypto primitive you chose wasn’t appropriate for the task? That’s broken crypto.
- Did you omit crypto entirely when you should have used it? That’s insecure comms or insecure storage.
Some findings are deeply mobile (e.g., intent hijacking, keychain issues, jailbreak/root detection, etc.). They’re really tied to their respective platforms. Is that a problem for us? Does it matter?
Top Ten Scratchpad
Here's some top-ten possible categories. This is a wiki. Edit them. Change them. Leave comments. Mark it up.
M1: Weak Server Side Controls
Stuff
M2: Insecure Data Storage
Stuff
M3: Insufficient Transport Layer Protection
Stuff
M4: Unintended Data Leakage
Stuff
M5: Poor Authorization and Authentication
Stuff
M6: Broken Cryptography
Stuff
M7: Client Side Injection
Stuff
M8: Security Decisions Via Untrusted Inputs
Stuff
M9: Improper Session Handling
Stuff
M10: Lack of Binary Protections
Stuff