Difference between revisions of "Mobile Top 10 2012 - M3 Insufficient Transport Layer Protection"
From OWASP
Jason Haddix (talk | contribs) (Created page with "{{Top_10_2010:SummaryTableHeaderBeginTemplate}} {{Top_10_2010:SummaryTableValue-1-Template|Exploitability|EASY}} {{Top_10_2010:SummaryTableValue-2-Template|Prevalence|COMMON}}...") |
Jason Haddix (talk | contribs) |
Line 1: | Line 1: | ||
{{Top_10_2010:SummaryTableHeaderBeginTemplate}} | {{Top_10_2010:SummaryTableHeaderBeginTemplate}} | ||
− | {{Top_10_2010:SummaryTableValue- | + | {{Top_10_2010:SummaryTableValue-3-Template|Exploitability|DIFFICULT}} |
{{Top_10_2010:SummaryTableValue-2-Template|Prevalence|COMMON}} | {{Top_10_2010:SummaryTableValue-2-Template|Prevalence|COMMON}} | ||
− | {{Top_10_2010:SummaryTableValue- | + | {{Top_10_2010:SummaryTableValue-1-Template|Detectability|EASY}} |
− | {{Top_10_2010:SummaryTableValue- | + | {{Top_10_2010:SummaryTableValue-2-Template|Impact|MODERATE}} |
{{Top_10_2010:SummaryTableHeaderEndTemplate}} | {{Top_10_2010:SummaryTableHeaderEndTemplate}} | ||
− | <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}> | + | <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>When designing a mobile application, commonly data is exchanged in a client-server fashion. When this data is exchanged it traverses both the carrier network and the internet. For sensitive data, if the application is coded poorly, users local to your network, any devices (routers, cell towers, etc), or other threat agents can use techniques to view this sensitive data while it's travelling across the wire. </td> |
− | <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}> | + | <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}> The exploitabilty factor of monitoring a network for insecure communications ranges. Monitoring traffic over a carriers network is harder than that of monitoring a local coffee shops traffic. In general targeted attacks are easier to perform. </td> |
− | <td colspan=2 {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}> | + | <td colspan=2 {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}> Unfortunately, mobile applications frequently do not protect network traffic. They may use SSL/TLS during authentication, but not elsewhere, exposing data and session IDs to interception. |
− | <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}> | + | |
− | <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}> | + | Detecting basic flaws is easy. Just observe the site’s network traffic. More subtle flaws require inspecting the design of the application and the server configuration. </td> |
+ | <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Such flaws expose individual users’ data and can lead to account theft. If an admin account was compromised, the entire site could be exposed. Poor SSL setup can also facilitate phishing and MITM attacks.</td> | ||
+ | <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Consider the business value of the data exposed on the communications channel in terms of its confidentiality and integrity needs, and the need to authenticate both participants.</td> | ||
{{Top_10_2010:SummaryTableEndTemplate}} | {{Top_10_2010:SummaryTableEndTemplate}} | ||
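Review bot: the Security Weakness and Technical Impacts cells added in this revision still read "observe the site's network traffic" and "the entire site could be exposed", wording carried over from the web Top 10 entry that does not fit a mobile application; consider "the application's network traffic" and "the entire back end could be exposed". In the Attack Vectors cell, "exploitabilty", "carriers network" and "coffee shops traffic" should be "exploitability", "carrier's network" and "coffee shop's traffic".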
Revision as of 14:53, 28 January 2013
Threat Agents | Attack Vectors | Security Weakness | Technical Impacts | Business Impacts
---|---|---|---|---
Application Specific | Exploitability DIFFICULT | Prevalence COMMON; Detectability EASY | Impact MODERATE | Application / Business Specific
When designing a mobile application, data is commonly exchanged in a client-server fashion. When this data is exchanged it traverses both the carrier network and the internet. For sensitive data, if the application is coded poorly, users local to your network, any devices on the path (routers, cell towers, etc.), or other threat agents can use techniques to view this sensitive data while it is travelling across the wire. | The exploitability of monitoring a network for insecure communications varies. Monitoring traffic over a carrier's network is harder than monitoring a local coffee shop's traffic. In general, targeted attacks are easier to perform. | Unfortunately, mobile applications frequently do not protect network traffic. They may use SSL/TLS during authentication, but not elsewhere, exposing data and session IDs to interception. Detecting basic flaws is easy: just observe the site's network traffic. More subtle flaws require inspecting the design of the application and the server configuration. | Such flaws expose individual users' data and can lead to account theft. If an admin account were compromised, the entire site could be exposed. Poor SSL setup can also facilitate phishing and MITM attacks. | Consider the business value of the data exposed on the communications channel in terms of its confidentiality and integrity needs, and the need to authenticate both participants.
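As an added example (not part of the OWASP page), the following detector applies the "just observe the network traffic" check to the weakness named in the table: it reads a constructed capture log of a mobile app's requests and flags every plain-HTTP request that carries a session cookie, noting when the same token was issued over TLS earlier, which is the "SSL/TLS during authentication, but not elsewhere" pattern. The log format, host names and cookie names are assumptions.

```python
import re
from typing import NamedTuple

# Constructed sample capture, not from the OWASP page. One request per line:
# "<time> <scheme> <host> <path> <cookie-header-or-dash>". The app logs in over
# HTTPS, receives a session cookie, then talks to its API over plain HTTP.
SAMPLE_LOG = """\
10:00:01 https api.example.test /login -
10:00:02 https api.example.test /account sessionid=abc123
10:00:05 http api.example.test /feed sessionid=abc123
10:00:07 http cdn.example.test /img/logo.png -
10:00:09 http api.example.test /messages sessionid=abc123
10:00:11 https api.example.test /logout sessionid=abc123
"""

# Cookie names commonly used for session identifiers (assumed list, extend as needed).
SESSION_COOKIE_RE = re.compile(r"\b(sessionid|jsessionid|phpsessid|sid)=([^;\s]+)", re.I)


class Finding(NamedTuple):
    line_no: int
    host: str
    path: str
    token: str
    issued_over_tls: bool   # the same token was seen on an https request earlier


def find_cleartext_sessions(log_text: str) -> list:
    """Return one Finding per plain-HTTP request that carries a session cookie.

    A token that first appears on an https request and later shows up on http
    is the classic 'TLS for login only' weakness: the secret is protected while
    it is issued, then exposed to anyone on the path on every later request.
    """
    seen_over_tls = set()
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        parts = line.split(maxsplit=4)
        if len(parts) < 5:
            continue                      # malformed or truncated line, skip it
        _time, scheme, host, path, cookies = parts
        m = SESSION_COOKIE_RE.search(cookies)
        if not m:
            continue                      # no session identifier on this request
        token = m.group(2)
        if scheme.lower() == "https":
            seen_over_tls.add(token)
        elif scheme.lower() == "http":
            findings.append(Finding(line_no, host, path, token, token in seen_over_tls))
    return findings


if __name__ == "__main__":
    for f in find_cleartext_sessions(SAMPLE_LOG):
        tls_note = " (token was issued over TLS)" if f.issued_over_tls else ""
        print(f"line {f.line_no}: {f.host}{f.path} sends {f.token!r} in the clear{tls_note}")
```

The same check generalises to any capture export that can be reduced to scheme, host, path and cookie header per request; resources fetched in the clear without a session token (the CDN line above) are a separate, lower-severity finding and are deliberately not reported here.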
Am I Vulnerable To Insufficient Transport Layer Protection?
Am I Vulnerable Description
How Do I Prevent Insufficient Transport Layer Protection?
How do I prevent
Example Scenarios
Example Scenarios
References
References