OWASP mobile top 10 risks
In 2013, OWASP polled the industry for new vulnerability statistics in the field of mobile applications. The following risks were finalized in 2014 as the top 10 most dangerous, based on the poll data and the mobile application threat landscape:
- Weak Server Side Controls: Internet usage via mobile has surpassed fixed Internet access, largely due to the emergence of hybrid and HTML5 mobile applications. The application servers that form the backbone of these applications must be secured in their own right. The OWASP Top 10 web application project defines the most prevalent vulnerabilities in this realm. Vulnerabilities such as injections, insecure direct object references, insecure communication, and so on may lead to a complete compromise of the application server, and adversaries who gain control of a compromised server can push malicious content to all the application's users and compromise their devices as well.
- Insecure Data Storage: Insecure Data Storage, as the name says, concerns the protection of data at rest. Mobile applications are used for all kinds of tasks, such as games, fitness monitoring, online banking, stock trading, and so on, and most of the data these applications use is stored on the device itself, in SQLite databases, XML data stores, log files, and so on, or pushed to cloud storage. The sensitive data stored by these applications ranges from location information to bank account details. The application programming interfaces (APIs) that handle the storage of this data must implement encryption/hashing correctly, so that an adversary who gains direct access to these data stores through theft or malware cannot decipher the sensitive information stored in them.
- Insufficient Transport Layer Protection: All hybrid and HTML5 apps follow a client-server architecture, so protecting data in motion is a must: the data traverses various channels and is susceptible to eavesdropping and tampering by adversaries. Controls such as SSL/TLS, which enforce the confidentiality and integrity of the data, must be verified to be correctly implemented on the communication channel between the mobile application and its server.
- Unintended Data Leakage: Certain functionalities of mobile applications may place users' sensitive data in locations where it can be accessed by other applications or even by malware. These functionalities may exist to enhance usability or the user experience, but they can have adverse effects in the long run. OS data caching, keystroke logging, copy/paste buffer caching, and the use of web beacons or analytics cookies for advertisement delivery can all be misused by adversaries to gain information about victims.
- Poor Authorization and Authentication: Because mobile devices are highly personal, developers take advantage of this to store important data such as credentials locally on the device and devise their own mechanisms to authenticate and authorize users locally for the services requested via the application. If these mechanisms are poorly developed, adversaries may circumvent them and perform unauthorized actions. As the code is available to adversaries, they can perform binary attacks and recompile the code to access authorized content directly.
- Broken Cryptography: This relates to weak controls used to protect data. The use of weak cryptographic algorithms, such as RC2, MD5, and so on, that adversaries can break will lead to encryption failure. Improper encryption key management, where the key is stored in locations accessible to other applications, or the use of a predictable key generation technique, will also break the implemented cryptography.
- Client Side Injection: Injection vulnerabilities are the most common web vulnerabilities according to the OWASP web Top 10. They are caused by malformed inputs that trigger unintended actions, such as altering database queries, command execution, and so on. In the case of mobile applications, malformed inputs can be a serious threat both at the local application level and on the server side (see the Weak Server Side Controls risk). Injections at the local application level mainly target data stores and may result in conditions such as access to paid content locked for trial users, or file inclusions, which may lead to the abuse of functionalities such as SMS, and so on.
- Security Decisions via Untrusted Inputs: Certain functionalities, such as the use of hidden variables to check authorization status, can be bypassed by tampering with those values in transit in web service calls or inter-process communication calls. This may lead to privilege escalation and unintended behavior of the mobile application.
- Improper Session Handling: The application server sends back a session token on successful authentication with the mobile application, and the mobile application uses this token to request services. If session tokens remain active for a long duration and adversaries obtain them via malware or theft, the user account can be hijacked.
- Lack of Binary Protections: Mobile application code is available to everyone: an attacker can reverse engineer the application, insert malicious code components, and recompile it. Users who install such tampered applications are susceptible to data theft, become victims of unintended actions, and so on. Most applications do not ship with mechanisms such as checksum controls, which help detect whether the application has been tampered with.
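As an added illustration of the checksum controls mentioned under Lack of Binary Protections (example code written for this section, not from the OWASP project or any application it lists), the following Python builds an integrity manifest of an app package at build time and re-checks the installed files against it; the package layout and file names are constructed placeholders.

```python
import hashlib
import os
import tempfile

# Build a SHA-256 manifest over every file under app_dir. Paths are stored
# relative to app_dir, so the manifest stays valid wherever the package lands.
def build_manifest(app_dir):
    manifest = {}
    for root, _dirs, files in os.walk(app_dir):
        for name in sorted(files):
            path = os.path.join(root, name)
            with open(path, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
            manifest[os.path.relpath(path, app_dir)] = digest
    return manifest

# Compare what is on disk now against the manifest recorded at build time.
# Returns a sorted list of (relative_path, problem); an empty list means the
# package is unchanged. Modified, removed and added files are all reported.
def verify_manifest(app_dir, trusted):
    current = build_manifest(app_dir)
    problems = []
    for rel, digest in trusted.items():
        if rel not in current:
            problems.append((rel, "missing"))
        elif current[rel] != digest:
            problems.append((rel, "modified"))
    for rel in current:
        if rel not in trusted:
            problems.append((rel, "unexpected"))
    return sorted(problems)

# Constructed demonstration (placeholder file names, not a real app): check a
# tiny fake package as shipped, then after one file is patched and one added.
def demo():
    with tempfile.TemporaryDirectory() as d:
        os.makedirs(os.path.join(d, "lib"))
        with open(os.path.join(d, "classes.dex"), "wb") as f:
            f.write(b"original bytecode")
        with open(os.path.join(d, "lib", "libnative.so"), "wb") as f:
            f.write(b"original native library")
        trusted = build_manifest(d)
        clean = verify_manifest(d, trusted)
        with open(os.path.join(d, "classes.dex"), "wb") as f:
            f.write(b"patched bytecode")
        with open(os.path.join(d, "lib", "libextra.so"), "wb") as f:
            f.write(b"injected component")
        tampered = verify_manifest(d, trusted)
    return clean, tampered
```

The manifest only helps if it is stored where a recompiled build cannot simply regenerate it, which is why an in-app checksum complements, rather than replaces, the platform's code signing.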
In 2015, the OWASP Mobile Security group ran another poll under the Umbrella Project. Its preliminary results move Lack of Binary Protections from M10 to M2, and the trend points to binary protection overtaking weak server-side controls; however, we will have to wait for the final 2015 list. More details can be found at https://www.owasp.org/images/9/96/OWASP_Mobile_Top_Ten_2015_-_Final_Synthesis.pdf.
Vulnerable applications to practice
The open source community has proactively built plenty of deliberately vulnerable mobile applications that can be used for hands-on practice. These are specifically designed to help understand the OWASP top 10 risks. Some of these applications are as follows:
- iMAS: This is a collaborative research project initiated by the MITRE Corporation (http://www.mitre.org/). It is aimed at application developers and security researchers who would like to learn more about attack and defense techniques on iOS. More information about iMAS can be found at https://github.com/project-imas/about.
- GoatDroid: A simple, functional mobile banking application with location tracking, developed by Jack and Ken for Android application security training; it is a great starting point for beginners. More information about GoatDroid can be found at https://github.com/jackMannino/OWASP-GoatDroid-Project.
- iGoat: OWASP's iGoat project is the iOS counterpart of the WebGoat web application project. It is designed to improve developers' iOS assessment techniques. More information on iGoat can be found at https://code.google.com/p/owasp-igoat/.
- Damn Vulnerable iOS Application (DVIA): This is an iOS application that provides a platform for developers, testers, and security researchers to test their penetration testing skills. It covers all of OWASP's top 10 mobile risks and also contains several challenges that one can solve and devise custom solutions for. More information on this can be found at http://damnvulnerableiosapp.com/.
- MobiSec: This is a live environment for the penetration testing of mobile environments. The framework provides devices, applications, and supporting infrastructure, and lets testers examine vulnerabilities from different points of view. More information on MobiSec can be found at http://sourceforge.net/p/mobisec/wiki/Home/.