This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Mobile Top 10 2014-M4"
From OWASP
Jason Haddix (talk | contribs) (Created page with "{{Top_10_2010:SummaryTableHeaderBeginTemplate}} {{Top_10_2010:SummaryTableValue-1-Template|Exploitability|EASY}} {{Top_10_2010:SummaryTableValue-2-Template|Prevalence|COMMON}}...") |
Jason Haddix (talk | contribs) |
||
| Line 15: | Line 15: | ||
Unintended data leakage (formerly side-channel data leakage) is a branch of Insecure Data Storage. It includes all manner of vulnerabilities that can be introduced by the OS, frameworks, compiler environment, new hardware, etc, all without a developers knowledge. | Unintended data leakage (formerly side-channel data leakage) is a branch of Insecure Data Storage. It includes all manner of vulnerabilities that can be introduced by the OS, frameworks, compiler environment, new hardware, etc, all without a developers knowledge. | ||
| − | In the mobile development world this is most seen in undocumented internal processes such as: | + | In the mobile development world this is most seen in undocumented (or under-documeted) internal processes such as: |
* The way the OS caches data, images, key-presses, logging, and buffers. | * The way the OS caches data, images, key-presses, logging, and buffers. | ||
| Line 22: | Line 22: | ||
{{Mobile_Top_10_2012:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2012:StyleTemplate}}|number=2|risk=8}} | {{Mobile_Top_10_2012:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2012:StyleTemplate}}|number=2|risk=8}} | ||
| − | + | It is important to threat model your OS, platforms, and frameworks, to see how they handle the following types of features: | |
| + | |||
| + | * URL Caching (Both request and response) | ||
| + | * Keyboard Press Caching | ||
| + | * Copy/Paste buffer Caching | ||
| + | * Application backgrounding | ||
| + | * Logging | ||
| + | * HTML5 data storage | ||
| + | * Browser cookie objects | ||
| + | * Analytics data sent to 3rd parties | ||
| + | |||
| + | |||
| + | It is especially important to discern what a given OS or framework does by default. By identifying this and applying mitigating controls, you can avoid unintended data leakage. Specific examples to follow. | ||
| + | |||
{{Mobile_Top_10_2012:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2012:StyleTemplate}}|number=3|risk=8}} | {{Mobile_Top_10_2012:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2012:StyleTemplate}}|number=3|risk=8}} | ||
| − | + | ||
| + | ==OS: iOS == | ||
| + | * URL Caching (Both request and response) | ||
| + | * Keyboard Press Caching | ||
| + | * Copy/Paste buffer Caching | ||
| + | * Application backgrounding | ||
| + | * Logging | ||
| + | * HTML5 data storage | ||
| + | * Browser cookie objects | ||
| + | * Analytics data sent to 3rd parties | ||
| + | |||
| + | ==OS: Android == | ||
| + | * URL Caching (Both request and response) | ||
| + | * Keyboard Press Caching | ||
| + | * Copy/Paste buffer Caching | ||
| + | * Application backgrounding | ||
| + | * Logging | ||
| + | * HTML5 data storage | ||
| + | * Browser cookie objects | ||
| + | * Analytics data sent to 3rd parties | ||
| + | |||
{{Mobile_Top_10_2012:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2012:StyleTemplate}}|number=4|risk=8}} | {{Mobile_Top_10_2012:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2012:StyleTemplate}}|number=4|risk=8}} | ||
References | References | ||
Revision as of 05:22, 27 January 2014
| Threat Agents | Attack Vectors | Security Weakness | Technical Impacts | Business Impacts | |
|---|---|---|---|---|---|
| Application Specific | Exploitability EASY |
Prevalence COMMON |
Detectability EASY |
Impact SEVERE |
Application / Business Specific |
| Threat Description | Attack Vector Description | Security Weakness Description | Technical Impacts | Business Impacts | |
Am I Vulnerable To Side Channel Data Leakage?
Unintended data leakage (formerly side-channel data leakage) is a branch of Insecure Data Storage. It includes all manner of vulnerabilities that can be introduced by the OS, frameworks, compiler environment, new hardware, etc, all without a developers knowledge.
In the mobile development world this is most seen in undocumented (or under-documeted) internal processes such as:
- The way the OS caches data, images, key-presses, logging, and buffers.
- The way the development framework caches data, images, key-presses, logging, and buffers.
- The way or amount of data ad, analytic, social, or enablement frameworks cache data, images, key-presses, logging, and buffers.
How Do I Prevent Side Channel Data Leakage?
It is important to threat model your OS, platforms, and frameworks, to see how they handle the following types of features:
- URL Caching (Both request and response)
- Keyboard Press Caching
- Copy/Paste buffer Caching
- Application backgrounding
- Logging
- HTML5 data storage
- Browser cookie objects
- Analytics data sent to 3rd parties
It is especially important to discern what a given OS or framework does by default. By identifying this and applying mitigating controls, you can avoid unintended data leakage. Specific examples to follow.
Example Scenarios
OS: iOS
- URL Caching (Both request and response)
- Keyboard Press Caching
- Copy/Paste buffer Caching
- Application backgrounding
- Logging
- HTML5 data storage
- Browser cookie objects
- Analytics data sent to 3rd parties
OS: Android
- URL Caching (Both request and response)
- Keyboard Press Caching
- Copy/Paste buffer Caching
- Application backgrounding
- Logging
- HTML5 data storage
- Browser cookie objects
- Analytics data sent to 3rd parties
References
References
