
OWASP Mobile Security Top 10


What is the OWASP Mobile Security Top 10?

Mobile security covers the practices and tools used to design, build and maintain mobile applications to an industry standard. The OWASP Mobile Security Project gives developers and security personnel the resources and current information they need to build and maintain secure mobile applications. Its Mobile Top 10 summarizes the ten most common categories of mobile application risk in order to raise awareness; the categories (the 2016 edition of the list) are outlined below.

What are the OWASP Mobile Security Top 10?

M1 Improper Platform Usage

Improper platform usage is the misuse of a platform feature, or the failure to use a platform security control: Android intents and exported components, platform permissions, the iOS Keychain, TouchID, or any other control the mobile operating system provides. The entry point is usually something the app exposes to other apps or to the network, such as an exported component or a web service/API call, and through it an attacker can reach the familiar OWASP Top 10 web flaws (for example cross-site scripting inside a WebView) or other weaknesses in the app.

Secure coding practices, and in particular following the platform's own security guidelines for permissions, inter-process communication, TouchID and the other controls above, prevent adversaries from taking advantage of platform misuse.
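As an added illustration of the intent-handling case (this is example code written for this page, not code from OWASP or from any product), the Activity below assumes it is declared with android:exported="true" so a deep link can open it, and assumes a hypothetical host app.example.com. The commented-out lines are the vulnerable pattern; the active code treats the Intent as untrusted input:

```java
// Added example, not from the original page. Assumes the Activity is exported
// (android:exported="true") and that app.example.com is our own hypothetical host.
import android.app.Activity;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.WebView;

public class DeepLinkActivity extends Activity {
    private static final String EXTRA_URL = "url";
    private static final String ALLOWED_HOST = "app.example.com";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        setContentView(webView);
        webView.getSettings().setJavaScriptEnabled(true);
        // Do not let loaded pages read local files through file:// URLs.
        webView.getSettings().setAllowFileAccess(false);

        // VULNERABLE: trusts whatever URL the calling app placed in the Intent.
        // Any app on the device can start an exported Activity, so a malicious
        // app could have our WebView render attacker-controlled JavaScript
        // inside our application's context.
        //   String url = getIntent().getStringExtra(EXTRA_URL);
        //   webView.loadUrl(url);

        // HARDENED: the Intent extra is untrusted input; allowlist it.
        String url = getIntent().getStringExtra(EXTRA_URL);
        if (isAllowedUrl(url)) {
            webView.loadUrl(url);
        } else {
            finish(); // refuse rather than fall back to a "safe-looking" default
        }
    }

    /** Only https URLs on our own host may be rendered. */
    static boolean isAllowedUrl(String url) {
        if (url == null) {
            return false;
        }
        Uri uri = Uri.parse(url);
        return "https".equals(uri.getScheme()) && ALLOWED_HOST.equals(uri.getHost());
    }
}
```

If the Activity does not need to be started by other apps at all, the stronger fix is android:exported="false" in the manifest; the allowlist then becomes defence in depth for the deep-link path only.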

M2 Insecure Data Storage

An adversary who physically obtains a victim's device, or a backup of it, needs only freely available tooling to read its filesystem. Insecure storage typically arises because the app writes sensitive data to a location it does not control or encrypt (world-readable files, external storage, logs, plaintext preference files), or relies on weak encryption; the result is exposure of credentials, session tokens and other information assets.

Understanding how the application handles and processes information, including caching of data, logging and buffers, browser cookie objects, and more, is critical to preventing the impact of insecure data storage.

M3 Insecure Communication

Insecure communication is usually caused by the absence of secure data transmission, or inconsistent use of SSL/TLS, as data traverses the mobile device's carrier network or the internet. The result is interception of data in transit, which may enable further attacks such as account or identity theft.

Applying SSL/TLS whenever sensitive information, session tokens and similar data are transmitted is essential; using industry-standard cipher suites and certificates signed by a trusted CA, and never disabling certificate or hostname validation to make a test environment work, mitigates these flaws.
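The most common way an app ends up with "TLS that protects nobody" is a trust-everything TrustManager left over from testing against a self-signed certificate. The block below is an added example for this page (not from OWASP or any product) contrasting that pattern with certificate pinning via OkHttp; the host name api.example.com and the pin values are placeholders, not real pins:

```java
// Added example, not from the original page. Assumes OkHttp is on the classpath;
// api.example.com and both pin values are placeholders.
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;

public final class ApiClientFactory {

    // VULNERABLE: a "trust everything" TrustManager, typically pasted in to make
    // a self-signed staging certificate work and then shipped. Any certificate,
    // including one minted by an attacker on the same Wi-Fi, is accepted, so the
    // connection is encrypted to the attacker instead of to the real server.
    static SSLContext insecureContext() throws Exception {
        TrustManager[] trustAll = new TrustManager[] {
            new X509TrustManager() {
                public void checkClientTrusted(X509Certificate[] chain, String authType) {}
                public void checkServerTrusted(X509Certificate[] chain, String authType) {}
                public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
            }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustAll, new SecureRandom());
        return ctx;
    }

    // HARDENED: keep the platform's default chain validation and add pinning
    // for our API host, so a mis-issued certificate or a user-installed root
    // (for example an interception proxy) cannot silently intercept traffic.
    // Compute real pins from the server's public key, e.g.:
    //   openssl s_client -connect api.example.com:443 </dev/null \
    //     | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der \
    //     | openssl dgst -sha256 -binary | base64
    // and always ship a backup pin so key rotation does not brick the app.
    static OkHttpClient pinnedClient() {
        CertificatePinner pinner = new CertificatePinner.Builder()
                .add("api.example.com", "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=")
                .add("api.example.com", "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=")
                .build();
        return new OkHttpClient.Builder()
                .certificatePinner(pinner)
                .build();
    }
}
```

A quick check during testing: route the app through an interception proxy whose root certificate is installed on the device. If the traffic is readable, validation has been weakened somewhere; with pinning in place, the pinned requests should fail instead.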

M4 Insecure Authentication

Insecure authentication can be exploited to execute functionality within the mobile application or on the backend without being the legitimate user. This is often done with automated tools that submit many requests to discover which ones bypass the implemented authentication scheme.

Failure to properly identify users and to implement secure session management are the common causes. Performing authentication on the server side rather than locally on the device defeats attacks that rely on rooting or instrumenting the device to flip a local "logged in" check. Encrypting client-side data is an added layer of security in the event the device is physically obtained.

M5 Insufficient Cryptography

Insufficient cryptography allows an attacker to recover sensitive data in its original form, resulting in unauthorized access to the user's data. An adversary with physical access to a device whose app uses weak algorithms, hard-coded keys or home-grown schemes can exploit this flaw quite easily, since the key is usually recoverable from the app itself.

To prevent an attack that leverages this vulnerability, developers must handle sensitive data with caution: avoid storing it locally on the device where possible, and otherwise apply strong cryptographic standards that conform to recommended algorithms and industry best practice, with keys kept in the platform keystore rather than in the application code.

M6 Insecure Authorization

Poor authorization may allow an adversary to execute privileged actions, resulting in access to sensitive information and reputational damage. Typically a vulnerable endpoint that performs an administrative action is reached directly, bypassing whatever the mobile UI hides; such endpoints may be found manually or with an automated tool.

Verifying roles and permissions of users strictly on the backend and ensuring that requests are being submitted only by those who have authorization to do so can help to prevent insecure authorization.

M7 Client Code Quality

These vulnerabilities are harder to exploit than most of the others on this list and are typically a result of poor programming practices in the mobile application itself. Attacks against client code quality include, for example, buffer overflows in native code, and the bugs usually require specific tooling (fuzzers, static analysers) to identify.

They can be prevented by enforcing good programming practice and standards: organized documentation, consistent coding patterns, and static code analysis tools that catch memory-safety and input-handling bugs before release.

M8 Code Tampering

Code tampering means an adversary modifies a legitimate application (by patching the binary, altering its resources, or hooking it at runtime) and redistributes it through third-party stores or sites, or tampers with it on a device they control. The modified app may carry added malicious features or changed application resources and data.

Detecting code tampering is key to limiting it. This is done by building into the application a check that detects alterations to its code or signing identity and reacts when one is found. Keep in mind that such a check lives in the same binary the attacker controls and can itself be patched out, so it raises the attacker's cost rather than guaranteeing integrity.
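As an added example for this section (written for this page, not OWASP or product code), the class below verifies on Android that the installed APK still carries the release signing certificate and is not debuggable, two properties a repackaged build almost always loses. It assumes minSdk 28 (the signingInfo API) and the expected hash is a placeholder:

```java
// Added example, not from the original page. Assumes API level 28 or higher;
// EXPECTED_CERT_SHA256 is a placeholder to be replaced with the real value.
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import java.security.MessageDigest;

public final class IntegrityCheck {
    // SHA-256 of the release signing certificate, lower-case hex. Obtain it with:
    //   apksigner verify --print-certs app-release.apk
    private static final String EXPECTED_CERT_SHA256 =
            "0000000000000000000000000000000000000000000000000000000000000000";

    /** True only if every signer of the installed APK is our release certificate. */
    static boolean signedByUs(Context ctx) {
        try {
            PackageInfo info = ctx.getPackageManager().getPackageInfo(
                    ctx.getPackageName(), PackageManager.GET_SIGNING_CERTIFICATES);
            Signature[] signers = info.signingInfo.getApkContentsSigners();
            if (signers == null || signers.length == 0) {
                return false;
            }
            for (Signature s : signers) {
                if (!EXPECTED_CERT_SHA256.equals(sha256Hex(s.toByteArray()))) {
                    return false; // resigned with a different key: repackaged
                }
            }
            return true;
        } catch (Exception e) {
            return false; // fail closed
        }
    }

    /** A release build must not be debuggable; a repackaged APK frequently is. */
    static boolean isDebuggable(Context ctx) {
        return (ctx.getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0;
    }

    /** Combined verdict the app can act on (e.g. refuse to log in). */
    static boolean looksTampered(Context ctx) {
        return !signedByUs(ctx) || isDebuggable(ctx);
    }

    private static String sha256Hex(byte[] data) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(data);
        StringBuilder sb = new StringBuilder(digest.length * 2);
        for (byte b : digest) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }
}
```

Because an attacker who repackages the app can also remove this class, the stronger control is a server-side attestation of the app and device (on Android, the Play Integrity API) whose result the backend checks before it serves sensitive requests.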

M9 Reverse Engineering

Any app can be pulled from a device and dissected in an attacker's own lab with specialized tools (decompilers, disassemblers, debuggers). The risk is what that analysis yields: source-level logic, embedded secrets, API endpoints, and weaknesses in the backend, which lead to further information disclosure and attacks against backend systems.

Obfuscation tools are commonly used to raise the cost of reverse engineering. They slow an adversary down but do not stop one, so nothing that must stay secret should be in the app in the first place.

M10 Extraneous Functionality

By thoroughly examining the mobile application, including its configuration and log files, adversaries may discover extraneous functionality left in the backend or the application itself: hidden switches, test endpoints, debug options. This can reveal how the application truly functions and may permit the anonymous execution of privileged actions.

The impact of this vulnerability is mitigated through manual code review before the production release of the application. Analyzing API endpoints and examining configuration files and logs helps to find hidden functionality so that it can be removed before release rather than left for an attacker to discover.

How to Improve Mobile App Security

In addition to the specific recommendations listed above, there are more general measures for strengthening the security of your mobile applications. They include, but are not limited to:

  • Strong encryption standards

  • Secure storage of sensitive data and information

  • Implementing code analysis and manual verification

  • Imposing access controls and separation of privileges

  • Maintaining good coding practices and frequent testing

  • Making strong, server-side authentication a priority

If you are interested in what you can do to further secure your mobile applications, or are unsure of where to start, please contact us for more information. Every day, popular mobile apps on Google Play and the App Store are found to be vulnerable to the OWASP Mobile Top 10, making it harder to protect consumers from these risks. Our mobile application testing is based on the OWASP Mobile Security Testing Guide and its checklist to ensure that the requirements of a secure and robust application are met.

The OWASP Mobile Security Project can be found here.