This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "OWASP Mobile Security Project Platform Specific Guidance Draft"

From OWASP
Jump to: navigation, search
(Data Protection)
 
(7 intermediate revisions by the same user not shown)
Line 1: Line 1:
 +
== Authentication ==
 +
 +
{| border="1" cellpadding="5" cellspacing="0"
 +
|-
 +
|colspan="4"|GUIDANCE TITLE
 +
|-
 +
|colspan="4"|PLATFORM INDEPENDENT DESCRIPTION
 +
|-
 +
|iOS||Android||colspan="2"|Mappings
 +
|-valign="top"
 +
|IOS TEXT||ANDROID TEXT||R
 +
I
 +
 +
S
 +
 +
K
 +
 +
 +
1
 +
 +
2
 +
 +
3
 +
 +
4
 +
 +
5
 +
 +
6
 +
 +
7
 +
 +
8
 +
 +
9
 +
 +
10
 +
 +
||
 +
C
 +
 +
O
 +
 +
N
 +
 +
T
 +
 +
R
 +
 +
O
 +
 +
L
 +
 +
 +
1
 +
 +
2
 +
 +
3
 +
 +
4
 +
 +
5
 +
 +
6
 +
 +
7
 +
 +
8
 +
 +
9
 +
 +
10
 +
 +
|}
 +
 +
== Session Management ==
 +
 +
 +
{| border="1" cellpadding="5" cellspacing="0"
 +
|-
 +
|colspan="4"|GUIDANCE TITLE
 +
|-
 +
|colspan="4"|PLATFORM INDEPENDENT DESCRIPTION
 +
|-
 +
|iOS||Android||colspan="2"|Mappings
 +
|-valign="top"
 +
|IOS TEXT||ANDROID TEXT||R
 +
I
 +
 +
S
 +
 +
K
 +
 +
 +
1
 +
 +
2
 +
 +
3
 +
 +
4
 +
 +
5
 +
 +
6
 +
 +
7
 +
 +
8
 +
 +
9
 +
 +
10
 +
 +
||
 +
C
 +
 +
O
 +
 +
N
 +
 +
T
 +
 +
R
 +
 +
O
 +
 +
L
 +
 +
 +
1
 +
 +
2
 +
 +
3
 +
 +
4
 +
 +
5
 +
 +
6
 +
 +
7
 +
 +
8
 +
 +
9
 +
 +
10
 +
 +
|}
 +
 +
== Access Control ==
 +
 +
 +
{| border="1" cellpadding="5" cellspacing="0"
 +
|-
 +
|colspan="4"|GUIDANCE TITLE
 +
|-
 +
|colspan="4"|PLATFORM INDEPENDENT DESCRIPTION
 +
|-
 +
|iOS||Android||colspan="2"|Mappings
 +
|-valign="top"
 +
|IOS TEXT||ANDROID TEXT||R
 +
I
 +
 +
S
 +
 +
K
 +
 +
 +
1
 +
 +
2
 +
 +
3
 +
 +
4
 +
 +
5
 +
 +
6
 +
 +
7
 +
 +
8
 +
 +
9
 +
 +
10
 +
 +
||
 +
C
 +
 +
O
 +
 +
N
 +
 +
T
 +
 +
R
 +
 +
O
 +
 +
L
 +
 +
 +
1
 +
 +
2
 +
 +
3
 +
 +
4
 +
 +
5
 +
 +
6
 +
 +
7
 +
 +
8
 +
 +
9
 +
 +
10
 +
 +
|}
 +
 +
== Input Validation ==
 +
 +
 +
{| border="1" cellpadding="5" cellspacing="0"
 +
|-
 +
|colspan="4"|GUIDANCE TITLE
 +
|-
 +
|colspan="4"|PLATFORM INDEPENDENT DESCRIPTION
 +
|-
 +
|iOS||Android||colspan="2"|Mappings
 +
|-valign="top"
 +
|IOS TEXT||ANDROID TEXT||R
 +
I
 +
 +
S
 +
 +
K
 +
 +
 +
1
 +
 +
2
 +
 +
3
 +
 +
4
 +
 +
5
 +
 +
6
 +
 +
7
 +
 +
8
 +
 +
9
 +
 +
10
 +
 +
||
 +
C
 +
 +
O
 +
 +
N
 +
 +
T
 +
 +
R
 +
 +
O
 +
 +
L
 +
 +
 +
1
 +
 +
2
 +
 +
3
 +
 +
4
 +
 +
5
 +
 +
6
 +
 +
7
 +
 +
8
 +
 +
9
 +
 +
10
 +
 +
|}
 +
 +
== Output Encoding/Escaping ==
 +
 +
 +
{| border="1" cellpadding="5" cellspacing="0"
 +
|-
 +
|colspan="4"|GUIDANCE TITLE
 +
|-
 +
|colspan="4"|PLATFORM INDEPENDENT DESCRIPTION
 +
|-
 +
|iOS||Android||colspan="2"|Mappings
 +
|-valign="top"
 +
|IOS TEXT||ANDROID TEXT||R
 +
I
 +
 +
S
 +
 +
K
 +
 +
 +
1
 +
 +
2
 +
 +
3
 +
 +
4
 +
 +
5
 +
 +
6
 +
 +
7
 +
 +
8
 +
 +
9
 +
 +
10
 +
 +
||
 +
C
 +
 +
O
 +
 +
N
 +
 +
T
 +
 +
R
 +
 +
O
 +
 +
L
 +
 +
 +
1
 +
 +
2
 +
 +
3
 +
 +
4
 +
 +
5
 +
 +
6
 +
 +
7
 +
 +
8
 +
 +
9
 +
 +
10
 +
 +
|}
 +
 +
== Cryptography ==
 +
 +
 
{| border="1" cellpadding="5" cellspacing="0"
 
{| border="1" cellpadding="5" cellspacing="0"
 
|-
 
|-
|colspan="4"|Local Storage
+
|colspan="4"|GUIDANCE TITLE
 +
|-
 +
|colspan="4"|PLATFORM INDEPENDENT DESCRIPTION
 +
|-
 +
|iOS||Android||colspan="2"|Mappings
 +
|-valign="top"
 +
|IOS TEXT||ANDROID TEXT||R
 +
I
 +
 
 +
S
 +
 
 +
K
 +
 
 +
 
 +
1
 +
 
 +
2
 +
 
 +
3
 +
 
 +
4
 +
 
 +
5
 +
 
 +
6
 +
 
 +
7
 +
 
 +
8
 +
 
 +
9
 +
 
 +
10
 +
 
 +
||
 +
C
 +
 
 +
O
 +
 
 +
N
 +
 
 +
T
 +
 
 +
R
 +
 
 +
O
 +
 
 +
L
 +
 
 +
 
 +
1
 +
 
 +
2
 +
 
 +
3
 +
 
 +
4
 +
 
 +
5
 +
 
 +
6
 +
 
 +
7
 +
 
 +
8
 +
 
 +
9
 +
 
 +
10
 +
 
 +
|}
 +
 
 +
== Error Handling and Logging ==
 +
 
 +
 
 +
{| border="1" cellpadding="5" cellspacing="0"
 +
|-
 +
|colspan="4"|GUIDANCE TITLE
 +
|-
 +
|colspan="4"|PLATFORM INDEPENDENT DESCRIPTION
 +
|-
 +
|iOS||Android||colspan="2"|Mappings
 +
|-valign="top"
 +
|IOS TEXT||ANDROID TEXT||R
 +
I
 +
 
 +
S
 +
 
 +
K
 +
 
 +
 
 +
1
 +
 
 +
2
 +
 
 +
3
 +
 
 +
4
 +
 
 +
5
 +
 
 +
6
 +
 
 +
7
 +
 
 +
8
 +
 
 +
9
 +
 
 +
10
 +
 
 +
||
 +
C
 +
 
 +
O
 +
 
 +
N
 +
 
 +
T
 +
 
 +
R
 +
 
 +
O
 +
 
 +
L
 +
 
 +
 
 +
1
 +
 
 +
2
 +
 
 +
3
 +
 
 +
4
 +
 
 +
5
 +
 
 +
6
 +
 
 +
7
 +
 
 +
8
 +
 
 +
9
 +
 
 +
10
 +
 
 +
|}
 +
 
 +
== Data Protection ==
 +
{| border="1" cellpadding="5" cellspacing="0"
 +
|-
 +
|colspan="4"|Data Protection
 
|-
 
|-
 
|colspan="4"|Mobile devices have the ability to store information in files, databases and other constructs. Because devices can be lost or transferred to other users without being wiped, application developers should be very careful about storing sensitive information locally on the device. Avoiding storing sensitive information on the device is preferable because then the risk of compromise is minimized.  
 
|colspan="4"|Mobile devices have the ability to store information in files, databases and other constructs. Because devices can be lost or transferred to other users without being wiped, application developers should be very careful about storing sensitive information locally on the device. Avoiding storing sensitive information on the device is preferable because then the risk of compromise is minimized.  
Line 7: Line 546:
 
* What formats are allowed?
 
* What formats are allowed?
 
|-
 
|-
|iOS||Android||colspan="2"|Mappings
+
|iOS [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project_Platform_Specific_Guidance_iOS_Code_Draft#Data_Protection (code examples)]||Android [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project_Platform_Specific_Guidance_AndroidCode_Draft#Data_Protection (code examples)]||colspan="2"|Mappings
 
|-valign="top"
 
|-valign="top"
 
|Applications are given access to their own portion of the iOS filesystem that is within the application sandbox and inaccessible to other applications. Files can be designated for Sharing and such files are accessible in the Documents/ directory in iTunes. Files can also be marked as Protected so that they can only be accessed when the device is unlocked. Property List (plist) files can be used to store user preferences and other configuration information in a way that can be moved between OS X and iOS applications.  
 
|Applications are given access to their own portion of the iOS filesystem that is within the application sandbox and inaccessible to other applications. Files can be designated for Sharing and such files are accessible in the Documents/ directory in iTunes. Files can also be marked as Protected so that they can only be accessed when the device is unlocked. Property List (plist) files can be used to store user preferences and other configuration information in a way that can be moved between OS X and iOS applications.  
* Apple overview page on iOS Data Management
+
* Apple overview page on [http://developer.apple.com/technologies/ios/data-management.html iOS Data Management]
 
* Apple information about File and the Filesystem on iOS
 
* Apple information about File and the Filesystem on iOS
 
* Apple information about Shared files
 
* Apple information about Shared files
Line 19: Line 558:
 
* Android Javadoc for Context.openFileOutput() describing file permission options
 
* Android Javadoc for Context.openFileOutput() describing file permission options
 
||R
 
||R
 +
I
 +
 +
S
 +
 +
K
 +
 +
 +
||
 +
C
 +
 +
O
 +
 +
N
 +
 +
T
 +
 +
R
 +
 +
O
 +
 +
L
 +
 +
 +
[https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Controls#section_control_1 1]
 +
 +
 +
|}
 +
 +
== Communication Security ==
 +
{| border="1" cellpadding="5" cellspacing="0"
 +
|-
 +
|colspan="4"|GUIDANCE TITLE
 +
|-
 +
|colspan="4"|PLATFORM INDEPENDENT DESCRIPTION
 +
|-
 +
|iOS||Android||colspan="2"|Mappings
 +
|-valign="top"
 +
|IOS TEXT||ANDROID TEXT||R
 
I
 
I
  
Line 84: Line 661:
 
|}
 
|}
  
 +
== HTTP Security ==
 +
{| border="1" cellpadding="5" cellspacing="0"
 +
|-
 +
|colspan="4"|GUIDANCE TITLE
 +
|-
 +
|colspan="4"|PLATFORM INDEPENDENT DESCRIPTION
 +
|-
 +
|iOS||Android||colspan="2"|Mappings
 +
|-valign="top"
 +
|IOS TEXT||ANDROID TEXT||R
 +
I
 +
 +
S
 +
 +
K
 +
 +
 +
1
 +
 +
2
 +
 +
3
 +
 +
4
 +
 +
5
 +
 +
6
 +
 +
7
 +
 +
8
  
 +
9
 +
 +
10
 +
 +
||
 +
C
 +
 +
O
 +
 +
N
 +
 +
T
 +
 +
R
 +
 +
O
 +
 +
L
 +
 +
 +
1
 +
 +
2
 +
 +
3
 +
 +
4
 +
 +
5
 +
 +
6
 +
 +
7
 +
 +
8
 +
 +
9
 +
 +
10
 +
 +
|}
 +
 +
== Security Configuration ==
 +
{| border="1" cellpadding="5" cellspacing="0"
 +
|-
 +
|colspan="4"|GUIDANCE TITLE
 +
|-
 +
|colspan="4"|PLATFORM INDEPENDENT DESCRIPTION
 +
|-
 +
|iOS||Android||colspan="2"|Mappings
 +
|-valign="top"
 +
|IOS TEXT||ANDROID TEXT||R
 +
I
 +
 +
S
 +
 +
K
 +
 +
 +
1
 +
 +
2
 +
 +
3
 +
 +
4
 +
 +
5
 +
 +
6
 +
 +
7
 +
 +
8
 +
 +
9
 +
 +
10
 +
 +
||
 +
C
 +
 +
O
 +
 +
N
 +
 +
T
 +
 +
R
 +
 +
O
 +
 +
L
 +
 +
 +
1
 +
 +
2
 +
 +
3
 +
 +
4
 +
 +
5
 +
 +
6
 +
 +
7
 +
 +
8
 +
 +
9
 +
 +
10
 +
 +
|}
 +
----
 +
''''' COPY/PASTE TEMPLATE STUFF BELOW '''''
 +
== EXAMPLE HEADING ==
 
{| border="1" cellpadding="5" cellspacing="0"
 
{| border="1" cellpadding="5" cellspacing="0"
 
|-
 
|-

Latest revision as of 12:38, 20 October 2011

Authentication

GUIDANCE TITLE
PLATFORM INDEPENDENT DESCRIPTION
iOS Android Mappings
IOS TEXT ANDROID TEXT R

I

S

K


1

2

3

4

5

6

7

8

9

10

C

O

N

T

R

O

L


1

2

3

4

5

6

7

8

9

10

Session Management

GUIDANCE TITLE
PLATFORM INDEPENDENT DESCRIPTION
iOS Android Mappings
IOS TEXT ANDROID TEXT R

I

S

K


1

2

3

4

5

6

7

8

9

10

C

O

N

T

R

O

L


1

2

3

4

5

6

7

8

9

10

Access Control

GUIDANCE TITLE
PLATFORM INDEPENDENT DESCRIPTION
iOS Android Mappings
IOS TEXT ANDROID TEXT R

I

S

K


1

2

3

4

5

6

7

8

9

10

C

O

N

T

R

O

L


1

2

3

4

5

6

7

8

9

10

Input Validation

GUIDANCE TITLE
PLATFORM INDEPENDENT DESCRIPTION
iOS Android Mappings
IOS TEXT ANDROID TEXT R

I

S

K


1

2

3

4

5

6

7

8

9

10

C

O

N

T

R

O

L


1

2

3

4

5

6

7

8

9

10

Output Encoding/Escaping

GUIDANCE TITLE
PLATFORM INDEPENDENT DESCRIPTION
iOS Android Mappings
IOS TEXT ANDROID TEXT R

I

S

K


1

2

3

4

5

6

7

8

9

10

C

O

N

T

R

O

L


1

2

3

4

5

6

7

8

9

10

Cryptography

GUIDANCE TITLE
PLATFORM INDEPENDENT DESCRIPTION
iOS Android Mappings
IOS TEXT ANDROID TEXT R

I

S

K


1

2

3

4

5

6

7

8

9

10

C

O

N

T

R

O

L


1

2

3

4

5

6

7

8

9

10

Error Handling and Logging

GUIDANCE TITLE
PLATFORM INDEPENDENT DESCRIPTION
iOS Android Mappings
IOS TEXT ANDROID TEXT R

I

S

K


1

2

3

4

5

6

7

8

9

10

C

O

N

T

R

O

L


1

2

3

4

5

6

7

8

9

10

Data Protection

Data Protection
Mobile devices have the ability to store information in files, databases and other constructs. Because devices can be lost or transferred to other users without being wiped, application developers should be very careful about storing sensitive information locally on the device. Avoiding storing sensitive information on the device is preferable because then the risk of compromise is minimized.
  • Where can applications store local data on the device?
  • What formats are allowed?
iOS (code examples) Android (code examples) Mappings
Applications are given access to their own portion of the iOS filesystem that is within the application sandbox and inaccessible to other applications. Files can be designated for Sharing and such files are accessible in the Documents/ directory in iTunes. Files can also be marked as Protected so that they can only be accessed when the device is unlocked. Property List (plist) files can be used to store user preferences and other configuration information in a way that can be moved between OS X and iOS applications.
  • Apple overview page on iOS Data Management
  • Apple information about File and the Filesystem on iOS
  • Apple information about Shared files
  • Apple information about Protected files
  • Apple's Introduction to Property Lists
 Android applications have a variety of local storage options. They can store files in both internal storage that will be protected by the default Android/Linux permissions model that segregates access to application files via Linux file/group permissions or external storage on an SD card that will not be covered by those protections. Unless there are special circumstances, files should be created with Context.MODE_PRIVATE or Context.MODE_APPEND, which will use Linux permissions to make them readable and writable only to the application that created the file (and the root user on rooted devices). Files that are created using the Context.MODE_WORLD_READABLE can be read by other applications and should not be used to store data that a malicious application should not have access to. Files that are created using the Context.MODE_WORLD_WRITABLE can be written to by other applications and data read from these files should not be trusted. In addition, Android applications can create SQLite databases for storing application information. Also, Shared Preferences can be used to store key/value data. Finally, Content Providers can be used to store data for a given application as well as for sharing with other applications.
  • Android documentation on Data Storage
  • Android Javadoc for Context.openFileOutput() describing file permission options
 R

I

S

K


C

O

N

T

R

O

L


1


Communication Security

GUIDANCE TITLE
PLATFORM INDEPENDENT DESCRIPTION
iOS Android Mappings
IOS TEXT ANDROID TEXT R

I

S

K


1

2

3

4

5

6

7

8

9

10

C

O

N

T

R

O

L


1

2

3

4

5

6

7

8

9

10

HTTP Security

GUIDANCE TITLE
PLATFORM INDEPENDENT DESCRIPTION
iOS Android Mappings
IOS TEXT ANDROID TEXT R

I

S

K


1

2

3

4

5

6

7

8

9

10

C

O

N

T

R

O

L


1

2

3

4

5

6

7

8

9

10

Security Configuration

GUIDANCE TITLE
PLATFORM INDEPENDENT DESCRIPTION
iOS Android Mappings
IOS TEXT ANDROID TEXT R

I

S

K


1

2

3

4

5

6

7

8

9

10

C

O

N

T

R

O

L


1

2

3

4

5

6

7

8

9

10

COPY/PASTE TEMPLATE STUFF BELOW

EXAMPLE HEADING

GUIDANCE TITLE
PLATFORM INDEPENDENT DESCRIPTION
iOS Android Mappings
IOS TEXT ANDROID TEXT R

I

S

K


1

2

3

4

5

6

7

8

9

10

C

O

N

T

R

O

L


1

2

3

4

5

6

7

8

9

10

Retrieved from "https://wiki.owasp.org/index.php?title=OWASP_Mobile_Security_Project_Platform_Specific_Guidance_Draft&oldid=119408"