OWASP Top 10 Mobile Risks - 2016
Table of Contents
- M1: Improper Platform Usage
- M2: Insecure Data Storage
- M3: Insecure Communication
- M4: Insecure Authentication
- M5: Insufficient Cryptography
- M6: Insecure Authorization
- M7: Client Code Quality
- M8: Code Tampering
- M9: Reverse Engineering
- M10: Extraneous Functionality
M1: Improper Platform Usage
Improper platform usage covers misuse of a platform feature or failure to use a platform security control. This includes Android intents, platform permissions, misuse of TouchID, the platform's protected key storage (such as the iOS Keychain), or some other security control that is part of the mobile operating system. The risk comes from the app ignoring the published guidelines for these controls or using them incorrectly, not from a flaw in the platform itself.
M2: Insecure Data Storage
Data stored on the device becomes vulnerable when developers assume that users or attackers cannot reach the filesystem. They can: on a rooted or jailbroken device, or with physical access and a forensic tool, SQLite databases, log files, shared preferences, cookies and cached data are all readable. Development teams should treat local storage as reachable, store only what the app actually needs, use the platform's protected storage, and encrypt sensitive data with a vetted library rather than a home-grown scheme.
M3: Insecure Communication
Mobile apps frequently fail to protect their network traffic. A common pattern is to use SSL/TLS for the authentication exchange and then send everything else, including session identifiers and user data, over plain HTTP or over TLS with certificate validation disabled. An attacker on the same network can then read or modify that traffic and hijack the session.
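The "TLS with validation disabled" case is worth seeing concretely, because it is what most certificate-pinning and man-in-the-middle findings in mobile assessments come down to. The following is an added example, not code from the article or from OWASP: it uses Python's standard `ssl` module to build the client TLS configuration an app might ship with and audits it for the three settings that silently neutralize TLS. Python is used because it is what a tester would script this check in; the function and context names are mine.

```python
import ssl

# Added example (not from the page): audit how a TLS client is configured.
# Three settings turn "we use TLS" into traffic an on-path attacker can read:
# accepting any certificate, skipping hostname verification, and allowing
# obsolete protocol versions.

def audit_tls_context(ctx: ssl.SSLContext) -> list[str]:
    """Return a list of findings for a client-side SSLContext; empty means OK."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"obsolete protocol versions allowed (minimum {ctx.minimum_version.name})")
    return findings

def insecure_context() -> ssl.SSLContext:
    """The pattern seen in apps that 'disable SSL errors' so a self-signed dev
    server works, then ship that way."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode can be lowered
    ctx.verify_mode = ssl.CERT_NONE   # accept any certificate, including an attacker's
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1   # re-enable deprecated versions
    except ValueError:
        pass   # OpenSSL build has TLS 1.0 compiled out; that finding will not fire here
    return ctx

def secure_context() -> ssl.SSLContext:
    """Verify the chain against the system trust store, check the hostname,
    and require TLS 1.2 or newer."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED and check_hostname=True by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_context()), ("secure", secure_context())):
        print(name, audit_tls_context(ctx) or ["no findings"])
```

Note that `check_hostname` has to be cleared before `verify_mode` can be set to `CERT_NONE`; that two-step dance is a useful grep target when reviewing client code, since legitimate code almost never needs it.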
M4: Insecure Authentication
When authentication in the mobile app or its backend is missing or poorly implemented, attackers can invoke functionality anonymously or as another user, against the app or its backend. Weak authentication schemes can also be broken directly. For instance, some apps accept any password, including 1234 or qwerty; attackers crack these with dictionary attacks.
M5: Insufficient Cryptography
Insufficient cryptography means the app does apply cryptography to sensitive data, but with weak or misused algorithms: deprecated ciphers or hash functions, hard-coded or poorly managed keys, or a custom scheme. It allows an attacker to recover the plaintext from the encrypted data or code.
Attackers exploit insufficient cryptography to retrieve confidential data from the device and violate the privacy of users or of the organization behind the app.
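M4 and M5 reinforce each other in practice: an app that accepts 1234 and a backend that "protects" passwords with a bare hash fall to the same dictionary attack. The following is an added example serving both sections, not code from the article or from OWASP. It builds a constructed leaked credential table, runs the dictionary attack the text mentions against unsalted MD5, and shows the two fixes a reviewer would ask for: a denylist at registration and a salted, iterated key derivation function. The names, the wordlist and the leaked table are all mine; the iteration count is the one the OWASP Password Storage Cheat Sheet currently gives for PBKDF2-HMAC-SHA256.

```python
import hashlib
import hmac
import os

# Added example (not from the page). Constructed wordlist standing in for the
# top entries of a real cracking dictionary.
COMMON_PASSWORDS = ["123456", "password", "1234", "qwerty", "letmein", "iloveyou"]

def weak_store(password: str) -> str:
    """Insecure (M5): unsalted MD5. Identical passwords hash identically, and the
    digest of every common password can be precomputed once and reused."""
    return hashlib.md5(password.encode()).hexdigest()

def dictionary_attack(hash_table: dict[str, str], wordlist: list[str]) -> dict[str, str]:
    """Recover every user whose unsalted hash matches a wordlist entry.
    One hash per word covers all users at once because there is no salt."""
    lookup = {weak_store(w): w for w in wordlist}
    return {user: lookup[h] for user, h in hash_table.items() if h in lookup}

def password_allowed(password: str, denylist=COMMON_PASSWORDS) -> bool:
    """Fix for M4: reject short passwords and anything on the denylist (case-insensitive)."""
    return len(password) >= 8 and password.lower() not in {p.lower() for p in denylist}

ITERATIONS = 600_000   # current OWASP guidance for PBKDF2-HMAC-SHA256

def strong_store(password: str, salt: bytes = b"") -> str:
    """Fix for M5: PBKDF2-HMAC-SHA256 with a random 16-byte salt, stored as salt$hash."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${dk.hex()}"

def verify_strong(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(dk.hex(), dk_hex)

# Constructed "leaked" table from an app that enforced no password policy and used weak_store.
LEAKED = {
    "alice": weak_store("qwerty"),
    "bob": weak_store("1234"),
    "carol": weak_store("c0rrect-h0rse-battery"),
}

if __name__ == "__main__":
    print("cracked:", dictionary_attack(LEAKED, COMMON_PASSWORDS))
    for pw in ("qwerty", "c0rrect-h0rse-battery"):
        print(pw, "allowed" if password_allowed(pw) else "rejected")
```

Against the leaked table the attack recovers alice and bob immediately and never touches carol, whose password is not in the dictionary; with `strong_store` even alice's `qwerty` would cost the attacker a fresh 600,000-iteration computation per user rather than one table lookup, which is why the denylist and the KDF belong together.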
M6: Insecure Authorization
Insecure authorization is distinct from insecure authentication: here the attacker already logs in as a valid, low-privilege user, then exploits missing or client-side authorization checks to reach data or functions belonging to other users or to administrators, for example by changing an object identifier or role field in an API request. Such attacks are usually carried out by malware or botnets on the device driving the backend API directly.
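The classic form of this is an insecure direct object reference. The following is an added example, not code from the article or from OWASP: a backend handler for fetching an invoice, first with the check most apps actually have (is the caller logged in?) and then with the check M6 is about (is the caller allowed to see this particular object?). The store, sessions and names are constructed; Python is used as a stand-in for whatever the backend is written in.

```python
from dataclasses import dataclass

# Added example (not from the page). Constructed in-memory data and sessions.
@dataclass(frozen=True)
class Session:
    user_id: str
    role: str   # "user" or "admin"

INVOICES = {
    "inv-1001": {"owner": "alice", "amount": 120.00},
    "inv-1002": {"owner": "bob", "amount": 999.99},
}
SESSIONS = {
    "tok-alice": Session("alice", "user"),
    "tok-bob": Session("bob", "user"),
    "tok-admin": Session("root", "admin"),
}

class Unauthorized(Exception):
    """No valid session (authentication failure, M4)."""

class Forbidden(Exception):
    """Valid session, but not allowed to touch this object (authorization failure, M6)."""

def authenticate(token: str) -> Session:
    try:
        return SESSIONS[token]
    except KeyError:
        raise Unauthorized("invalid session token") from None

def get_invoice_insecure(token: str, invoice_id: str) -> dict:
    """Vulnerable: authenticates the caller, then returns whatever id was asked for.
    Any logged-in user can read every invoice by incrementing the id, and a
    KeyError on unknown ids tells them which ids exist."""
    authenticate(token)
    return INVOICES[invoice_id]

def get_invoice_secure(token: str, invoice_id: str) -> dict:
    """Fixed: the decision uses only server-side session state, denies by default,
    and gives the same answer for 'not yours' and 'does not exist' so ids cannot
    be enumerated."""
    session = authenticate(token)
    invoice = INVOICES.get(invoice_id)
    if invoice is None or (invoice["owner"] != session.user_id and session.role != "admin"):
        raise Forbidden("no such invoice for this user")
    return invoice

def access_result(handler, token: str, invoice_id: str) -> str:
    """Tabulate an outcome as 'ok', 'forbidden' or 'unauthorized'."""
    try:
        handler(token, invoice_id)
        return "ok"
    except Forbidden:
        return "forbidden"
    except Unauthorized:
        return "unauthorized"

if __name__ == "__main__":
    for handler in (get_invoice_insecure, get_invoice_secure):
        print(handler.__name__, "alice reads bob's invoice:",
              access_result(handler, "tok-alice", "inv-1002"))
```

The point to take from the fixed version is where the ownership check lives: in the handler, against the session the server itself established, never against a user id or role the client sends along with the request.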
M7: Client Code Quality
Client code quality refers to implementation flaws in the mobile client itself, such as buffer overflows, format string bugs, memory leaks, and other code-level mistakes that can be triggered through inputs the app accepts. Attackers generally target the memory-corruption bugs, since those can give them code execution inside the app.
M8: Code Tampering
Code tampering means the attacker modifies the app's binary, resources, or the system APIs it calls, for example by repackaging the app with injected code or hooking its methods at runtime, and then gets users to install or run the modified version. Distribution typically relies on third-party app stores or phishing campaigns that lead users to install from untrusted sources.
M9: Reverse Engineering
Attackers download the app from the Google Play Store or App Store and analyze it in a local environment, using tools such as Hopper, IDA Pro, otool, and strings to inspect the binary for vulnerabilities. This is called reverse engineering.
The aims of reverse engineering are to learn how the app talks to its backend servers, steal intellectual property, prepare attacks on the backend, and expose cryptographic constants and algorithms embedded in the app.
M10: Extraneous Functionality
Attackers look for extraneous functionality left in the app: hidden test code, debug switches, and backend endpoints that were never meant to ship. They install the app in a local environment and examine its log files, configuration files, and binary for such leftovers, then use what they find to reach the backend in ways the production interface does not allow.
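M9 and M10 are usually worked in one pass: run `strings` over the binary, then grep the output for endpoints, keys and leftover debug artifacts. The following is an added example serving both sections, not code from the article or from OWASP. It reimplements the core of `strings(1)` in Python and adds the triage pass on top, run over a constructed byte blob that mimics a binary's data section; the blob, its contents and the pattern lists are mine and are only illustrative of what such a pass finds.

```python
import re

# Added example (not from the page). Constructed blob standing in for an app
# binary's data section: printable strings separated by non-printable bytes,
# with the kinds of leftovers M9 and M10 warn about embedded in it.
BINARY = (
    b"\x7fELF\x02\x01\x01\x00\x00\x00" b"https://api.example.com/v1/login\x00"
    b"\x89PNG\r\n\x1a\n" b"https://staging-api.example.com/internal/debug\x00"
    b"\x00\x00\x01\x02" b"AES_KEY=0123456789abcdef0123456789abcdef\x00"
    b"\x00\xff" b"ENABLE_TEST_MODE\x00" b"ab\x00" b"Copyright Example Corp\x00"
)

def extract_strings(blob: bytes, min_len: int = 4) -> list[str]:
    """Return runs of printable ASCII at least min_len bytes long, like strings(1).
    Short fragments such as 'ELF' or 'PNG' fall below the threshold, as they do
    with the real tool's default of 4."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)]

URL_RE = re.compile(r"https?://[^\s\"']+")
# A hex blob of 32+ characters assigned to something named *KEY*: the shape of
# a hard-coded symmetric key (M5) exposed by reverse engineering (M9).
HEX_KEY_RE = re.compile(r"^[A-Z_]*KEY[A-Z_]*=([0-9a-fA-F]{32,})$")
# Words that in an app binary usually mean leftover test or debug code (M10).
DEBUG_WORDS = ("debug", "test", "staging", "internal", "backdoor")

def triage(strings: list[str]) -> dict[str, list[str]]:
    """Group extracted strings into the findings a reverse engineer follows up on."""
    found = {"endpoints": [], "hardcoded_keys": [], "debug_artifacts": []}
    for s in strings:
        found["endpoints"].extend(URL_RE.findall(s))
        if HEX_KEY_RE.match(s):
            found["hardcoded_keys"].append(s)
        if any(w in s.lower() for w in DEBUG_WORDS):
            found["debug_artifacts"].append(s)
    return found

if __name__ == "__main__":
    for category, hits in triage(extract_strings(BINARY)).items():
        print(f"{category}:")
        for hit in hits:
            print("   ", hit)
```

Against the constructed blob the pass surfaces two endpoints, one of them a staging host with an `/internal/debug` path that also lands in the debug artifacts, a hard-coded AES key, and an `ENABLE_TEST_MODE` switch; the copyright string is correctly ignored. On a real binary the same approach is the starting point for the backend attacks M9 describes and for finding the hidden switches M10 describes, which is why none of those strings should be in a release build in the first place.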