OWASP Mobile Top 10 Risks
DESCRIPTION
A PowerPoint version of the slides and notes is available here: http://stratigossecurity.com/2013/07/14/owasp-mobile-security-project-top-10-risks-presentation/

OWASP Top 10 Mobile Risks
M1 Insecure Data Storage
M2 Weak Server Side Controls
M3 Insufficient Transport Layer Protection
M4 Client Side Injection
M5 Poor Authorization and Authentication
M6 Improper Session Handling
M7 Security Decisions Via Untrusted Inputs
M8 Side Channel Data Leakage
M9 Broken Cryptography
M10 Sensitive Information Disclosure

Creative Commons - Attribution licensed - Beau Woods - @beauwoods

TRANSCRIPT
![Page 1: OWASP Mobile Top 10 Risks](https://reader034.vdocuments.site/reader034/viewer/2022042601/5495f235ac79593b2e8b4f90/html5/thumbnails/1.jpg)
![Page 2: OWASP Mobile Top 10 Risks](https://reader034.vdocuments.site/reader034/viewer/2022042601/5495f235ac79593b2e8b4f90/html5/thumbnails/2.jpg)
![Page 3: OWASP Mobile Top 10 Risks](https://reader034.vdocuments.site/reader034/viewer/2022042601/5495f235ac79593b2e8b4f90/html5/thumbnails/3.jpg)
![Page 4: OWASP Mobile Top 10 Risks](https://reader034.vdocuments.site/reader034/viewer/2022042601/5495f235ac79593b2e8b4f90/html5/thumbnails/4.jpg)
![Page 5: OWASP Mobile Top 10 Risks](https://reader034.vdocuments.site/reader034/viewer/2022042601/5495f235ac79593b2e8b4f90/html5/thumbnails/5.jpg)
Path: Collected and uploaded personal information
Concur: Stored password in plain text
![Page 6: OWASP Mobile Top 10 Risks](https://reader034.vdocuments.site/reader034/viewer/2022042601/5495f235ac79593b2e8b4f90/html5/thumbnails/6.jpg)
Recommendation for future versions
• Expand to specific risks
![Page 7: OWASP Mobile Top 10 Risks](https://reader034.vdocuments.site/reader034/viewer/2022042601/5495f235ac79593b2e8b4f90/html5/thumbnails/7.jpg)
Google Wallet: NFC MITM
PayPal: Failure to validate certificates
Apple iOS App Store: MITM led to circumventing purchases
![Page 8: OWASP Mobile Top 10 Risks](https://reader034.vdocuments.site/reader034/viewer/2022042601/5495f235ac79593b2e8b4f90/html5/thumbnails/8.jpg)
Recommendation for future versions
• Improve or eliminate
![Page 9: OWASP Mobile Top 10 Risks](https://reader034.vdocuments.site/reader034/viewer/2022042601/5495f235ac79593b2e8b4f90/html5/thumbnails/9.jpg)
Dropbox: Used only a unique ID to authenticate, no password required; password reset doesn't protect assets
Audible: Used plaintext password to authenticate and used HTTP GET method
OOB: Remember, mobile devices can potentially intercept phone calls, SMS and email
![Page 10: OWASP Mobile Top 10 Risks](https://reader034.vdocuments.site/reader034/viewer/2022042601/5495f235ac79593b2e8b4f90/html5/thumbnails/10.jpg)
![Page 11: OWASP Mobile Top 10 Risks](https://reader034.vdocuments.site/reader034/viewer/2022042601/5495f235ac79593b2e8b4f90/html5/thumbnails/11.jpg)
Recommendation for future versions
• Improve or eliminate
![Page 12: OWASP Mobile Top 10 Risks](https://reader034.vdocuments.site/reader034/viewer/2022042601/5495f235ac79593b2e8b4f90/html5/thumbnails/12.jpg)
Android: Information sent to advertisers http://news.techeye.net/mobile/many-android-apps-send-your-private-information-to-advertisers
Apple: Collected and stored mobile tower data; called before US Congress to answer questions
Audible: Stored URL with password in logfile, also in GET request stored in web server log
Recommendation for future versions
• Consider combining with M10
• Consider incorporating the idea of collecting unnecessary but potentially sensitive or private information
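The Audible case above (a password sent as a GET parameter and then preserved in the web server's access log) is the kind of side-channel leak a log review can catch. The following is an added example, not code from the slides or from any of the vendors mentioned: it scans Combined Log Format lines for sensitive query parameters and produces a redacted copy of each offending line. The log lines and the list of sensitive parameter names are constructed for the demo.

```python
# Added example: detect and redact credentials leaked through GET query strings
# in web-server access logs (the M8 pattern described in the speaker notes).
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Parameter names treated as sensitive (assumed list; extend for your application).
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "token", "session", "apikey"}

# Combined Log Format: client ident user [time] "METHOD target HTTP/x" status size ...
LOG_RE = re.compile(
    r'^(?P<prefix>\S+ \S+ \S+ \[[^\]]+\] ")(?P<method>[A-Z]+) '
    r'(?P<target>\S+)(?P<suffix> HTTP/[\d.]+".*)$'
)

# Constructed sample lines: one leaks a password in a GET, two are clean.
SAMPLE_LOG = [
    '10.0.0.5 - - [03/Oct/2012:10:01:02 +0000] "GET /login?user=alice&password=hunter2 HTTP/1.1" 200 512',
    '10.0.0.6 - - [03/Oct/2012:10:01:05 +0000] "GET /books?q=owasp HTTP/1.1" 200 2048',
    '10.0.0.7 - - [03/Oct/2012:10:01:09 +0000] "POST /login HTTP/1.1" 302 0',
]


def redact_target(target):
    """Return (redacted_target, leaked_param_names) for a request target."""
    parts = urlsplit(target)
    leaked, cleaned = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE_PARAMS:
            leaked.append(name)
            cleaned.append((name, "REDACTED"))   # keep the name, drop the secret
        else:
            cleaned.append((name, value))
    return urlunsplit(parts._replace(query=urlencode(cleaned))), leaked


def scan_log(lines):
    """Return [(line_no, method, leaked_params, redacted_line)] for leaking lines."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue   # not a request line we understand; skip rather than guess
        redacted, leaked = redact_target(m.group("target"))
        if leaked:
            clean_line = m.group("prefix") + m.group("method") + " " + redacted + m.group("suffix")
            findings.append((n, m.group("method"), leaked, clean_line))
    return findings


if __name__ == "__main__":
    for n, method, leaked, clean_line in scan_log(SAMPLE_LOG):
        print(f"line {n}: {method} request leaks {leaked}\n  redacted: {clean_line}")
```

The same parameter check applies to an application's own log files, which the notes say also stored the password-bearing URL; only the line regex would need adjusting for that format.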
![Page 13: OWASP Mobile Top 10 Risks](https://reader034.vdocuments.site/reader034/viewer/2022042601/5495f235ac79593b2e8b4f90/html5/thumbnails/13.jpg)
![Page 14: OWASP Mobile Top 10 Risks](https://reader034.vdocuments.site/reader034/viewer/2022042601/5495f235ac79593b2e8b4f90/html5/thumbnails/14.jpg)
Recommendation for future versions
• Consider combining with M8
![Page 15: OWASP Mobile Top 10 Risks](https://reader034.vdocuments.site/reader034/viewer/2022042601/5495f235ac79593b2e8b4f90/html5/thumbnails/15.jpg)
http://www.secureworks.com/cyber-threat-intelligence/advisories/SWRX-2011-002/
![Page 16: OWASP Mobile Top 10 Risks](https://reader034.vdocuments.site/reader034/viewer/2022042601/5495f235ac79593b2e8b4f90/html5/thumbnails/16.jpg)
http://www.secureworks.com/cyber-threat-intelligence/advisories/SWRX-2011-004/
![Page 17: OWASP Mobile Top 10 Risks](https://reader034.vdocuments.site/reader034/viewer/2022042601/5495f235ac79593b2e8b4f90/html5/thumbnails/17.jpg)
http://stratigossecurity.com/2012/10/03/security-advisory-ustream-mobile-application/
![Page 18: OWASP Mobile Top 10 Risks](https://reader034.vdocuments.site/reader034/viewer/2022042601/5495f235ac79593b2e8b4f90/html5/thumbnails/18.jpg)
![Page 19: OWASP Mobile Top 10 Risks](https://reader034.vdocuments.site/reader034/viewer/2022042601/5495f235ac79593b2e8b4f90/html5/thumbnails/19.jpg)