OWASP Mobile Security Project

December 12, 2011, by | Start Discussion

What is the “Mobile Security Project”?
The OWASP Mobile Security Project is a centralized resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation.

Top 10 Mobile Risks
The first version was released on September 23 rd, 2011 at AppSec USA by Jack Mannino, Zach Lanier and Mike Zusman. The Top 10 Risks is focused on areas of risks rather than a individual vulnerabilities, also is based on the OWASP Risk Rating Methodology.

 

  1. Insecure Data Storage
  2. Weak Server Side Controls
  3. Insufficient Transport Layer Protection
  4. Client Side Injection
  5. Poor Authorization and Authentication
  6. Improper Session Handling
  7. Security Decisions Via Untrusted Inputs
  8. Side Channel Data Leakage
  9. Broken Cryptography
  10. Sensitive Information Disclosure

 

 M1    Insecure Data Storage
 Sensitive data left unprotected, applies to locally stored data + cloud synced.
Impact
 Confidentiality of Data Lost  Credentials Disclosed  Privacy Violations  Non-compliance

 

 M2    Weak Server Side Controls
 Applies to the backend services. Not mobile specifically, but essential to get right.
Impact
 Confidentiality of Data Lost  Integrity of Data not Trusted  –  –

 

 M3    Insufficient Transport Layer Protection
 Complete lack of encryption for transmitted data. Weakly encrypted data in transit.
Impact
 Man-in-the-Middle Attacks  Tampering with Data in Transit  Confidentiality of Data Lost  –

 

 M4    Client Side Injection
 Applications using browser libraries. Some familiar faces (XSS, HTML Injection, SQLi).
Impact
 Device Compromise  Toll Fraud  Privilege Escalation  –

 

 M5    Poor Authorization and Authentication
 Can be part mobile or part architecture. Some applications rely solely on immutable, potentially compromised values (IMEI, IMSI, UUID).
Impact
 Privilege Escalation  Unauthorized Access  –  –

 

 M6    Improper Session Handling
 Mobile applications sessions are generally much longer. They use generally HTTP Cookies, OAtuh Tokens, SSO Authentication Services.
Impact
 Privilege Escalation  Unauthorized Access  Circumvent Licensing and Payments  –

 

 M7    Security Decisions Via Untrusted Inputs
 Can be leveraged to bypass permissions and security models. Several attack vectors like Malicious Apps, Client Side Injection.
Impact
 Consuming Paid Resources  Data Exfiltration  Privilege Escalation

 

 M8    Side Channel Data Leakage
 Mix of not disabling platform features and programmatic flaws. Sensitive data ends up in unintended places.
Impact
Data Retained Indefinitely Privacy Violations  –  –

 

 M9    Broken Cryptography
Two primary categories: A) Broken implementations using strong crypto libraries, B) Custom, easily defeated crypto implementations.
Impact
 Confidentiality of Data Lost  Privilege Escalation Circumvent Licensing and Payments  –

 

 M10    Sensitive Information Disclosure
 Applications can be reverse engineered with relative ease. Code obfuscation raises the bar, but doesn't eliminate the risk.
Impact
 Credentials Disclosed  Intellectual Property Exposed  –

 OWASP Mobile Security Project also has the Top 10 Mobile Controls and Design Principles.

  1. Identify and Protect Sensitive Data on the Mobile Device
  2. Handle Password Credentials Securely on the Device
  3. Ensure Sensitive Data is Protected in Transit
  4. Implement User Authentication/Authorization and Session Management Correctly
  5. Keep the Backend APIs (Services) and the Platform (Server) Secure
  6. Perform Data Integration with Third Party Services/Applications Securely
  7. Pay Specific Attention to the Collection and Storage of Consent for the Collection and Use of the User's Data
  8. Implement Controls to Prevent Unauthorised Access to Paid-for Resources
  9. Ensure Secure Distribution/Provisioning of Mobile Applications
  10. Carefully Check any Runtime Interpretation of Code for Errors

The roadmap of this project includes: Threat Model, Top 10 Mobile Risks, Top 10 Mobile Controls and more.

You will find all the information here:
https://www.owasp.org/index.php/OWASP_Mobile_Security_Project


Security Analyst working in an International Bank and participating in some Projects like Vulnerability Database, Zero Science Lab, OWASP. Fanatic of open standards.

Leave a Reply