When developing a mobile app, there are no better cyber security guidelines to follow than the OWASP Mobile Top 10 Security Risks. In the modern cyber security industry, you would be hard pressed to find people who haven't heard of the Open Web Application Security Project, or OWASP. They create written materials and tools to help spread knowledge and fight the security vulnerabilities plaguing modern web applications, for large companies and startups alike.
In 2014 OWASP also started looking at mobile security. Their latest mobile OWASP Top 10 was released in 2016 and is still very much relevant. In this article, we will provide a brief overview of this vulnerability list for mobile platforms and look at what the future has in store for OWASP and mobile security in 2017.
OWASP Mobile Top 10 – spreading awareness and helping bring security up across the board
OWASP started in 2001 as an online community focused on delivering unbiased and free analysis and guidelines on cyber security. Since then, their famous Top 10 Web Application Vulnerability lists have received near-universal praise and endorsement from numerous specialists in the field of cyber security and are largely considered the standard to adhere to.
Their lists help with security awareness and clue developers in on where to look and what to prioritize in order to create more secure web apps. Custom cyber security tools and clear technical guidelines, such as the OWASP Mobile Security Testing Guide, make OWASP useful and trustworthy for technical communities.
M1: Improper Platform Usage
Mobile platforms provide a number of features that developers can access. However, improper use of these features can leave your app exposed to attacks. OWASP describes this vulnerability as common and easily exploitable. Of course, the actual ease of exploitation and the severity of the impact depend largely on the specific exploit and the extent to which the perpetrator manages to gain control.
M2: Insecure Data Storage
M4: Unintended Data Leakage from the 2014 OWASP Mobile Top 10 was merged with M2: Insecure Data Storage, creating the current category, which kept the same name but became much clearer and more comprehensive.
The attack vector here varies greatly: from third-party apps using the cache, cookies and other information to gather protected data, to an adversary physically obtaining the device and viewing the information. You therefore need to handle data storage correctly in multiple ways, including authentication, encryption, and the proper handling of all caching features.
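One concrete form of this risk is a file the app writes with permissive mode bits, which any other app on the device can then read. The following is an added example, not code from the article or from OWASP: it uses Python's os module as a stand-in for the platform file API, creates a constructed data directory with one correctly protected file and one exposed cache file, and audits the directory for anything readable or writable by other users. All file names and contents are constructed for the demonstration.

```python
"""Audit an app's private data directory for files other users can read.

Added example (not from the article or from OWASP): on Android and iOS an app's
files live on a POSIX filesystem, so a file created with permissive mode bits
is readable by other apps on the device. The directory, file names and contents
below are constructed for the demonstration.
"""
import os
import stat
import tempfile

# Any of these bits lets a different user (i.e. another app) read or modify the file.
OTHER_ACCESS = stat.S_IRGRP | stat.S_IWGRP | stat.S_IROTH | stat.S_IWOTH


def world_accessible(path: str) -> bool:
    """True if group or others have read or write access to the file."""
    return bool(os.stat(path).st_mode & OTHER_ACCESS)


def audit_storage(directory: str) -> list:
    """Return the files under `directory` that are exposed to other users, sorted."""
    findings = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            if world_accessible(path):
                findings.append(path)
    return sorted(findings)


def write_private(path: str, data: bytes) -> None:
    """Create the file owner-only (0600) at creation time, so it is never briefly exposed."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)


def demo() -> list:
    """Build a constructed data directory with one private and one exposed file."""
    base = tempfile.mkdtemp(prefix="appdata_")
    write_private(os.path.join(base, "session.token"), b"constructed-session-token")
    exposed = os.path.join(base, "cache.db")
    with open(exposed, "wb") as f:
        f.write(b"constructed-cached-profile")
    os.chmod(exposed, 0o644)  # the mistake: a world-readable cache file
    return [os.path.basename(p) for p in audit_storage(base)]


if __name__ == "__main__":
    print(demo())  # ['cache.db']
```

The important design choice is in write_private: the mode is passed to os.open at creation time rather than fixed afterwards with chmod, so there is no window in which the file exists with default permissions. The same audit can be run over a real app sandbox pulled from a test device.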
M3: Insecure Communication
This is an extremely common vulnerability, present in the majority of apps with a client-server structure. While developers are often diligent about protecting the authentication procedure and data at rest, they rarely bother to encrypt data in motion.
By not encrypting data in transit, you expose your app to man-in-the-middle attacks. Such an attack can typically come from a network device such as a router, from malware on your own device, or even from a separate agent sharing the same network as you.
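Encrypting data in transit only helps if the client also verifies who it is talking to; a TLS session with certificate checks disabled is still a man-in-the-middle target. The following is an added example, not code from the article: it uses Python's ssl module as a stand-in for a mobile HTTP stack, builds a hardened and a deliberately weak client context, and audits each for the settings that defeat the protection. No network connection is made.

```python
"""Check that a client TLS configuration actually verifies the server.

Added example (not from the article): Python's ssl module stands in for the
mobile platform's HTTP stack. audit_context() flags the settings that turn
"encrypted" traffic into a man-in-the-middle target: no certificate
verification, no hostname check, or legacy protocol versions.
"""
import ssl


def hardened_context() -> ssl.SSLContext:
    """Verify the certificate chain and hostname, and refuse anything below TLS 1.2."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname, system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weak_context() -> ssl.SSLContext:
    """The anti-pattern: traffic is encrypted, but to whoever answers the connection."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode can become CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # accept whatever the library offers
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return human-readable findings; an empty list means the context is acceptable."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified")
    if not ctx.check_hostname:
        findings.append("certificate hostname is not checked")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 are accepted")
    return findings


if __name__ == "__main__":
    print(audit_context(hardened_context()))  # []
    print(audit_context(weak_context()))
```

The weak context is what "just make the certificate error go away" fixes usually produce; the audit function is the kind of check worth running against any TLS configuration helper in the code base before release.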
M4: Insecure Authentication
This category encompasses weaknesses in both the authentication procedure and session handling. For mobile apps, perpetrators usually create custom tools in order to bypass the client-side app entirely and submit requests directly to the server.
Authentication schemes for mobile apps are usually much leaner than for regular web apps. Since most apps need to work offline, the user is provided with an offline authentication option, which can be exploited.
M5: Insufficient Cryptography
This category deals with a vulnerability that can have an extremely nasty business impact, because it results in the perpetrator obtaining decrypted information from a mobile device. Depending on the app, extremely personal information can be compromised, leading to user backlash and even potential lawsuits.
OWASP states that incorrect use of encryption is extremely common in mobile apps. Weak encryption algorithms, as well as flawed encryption/decryption procedures, can be easily exploited.
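A typical flawed procedure is deriving the key that protects local data directly from an unsalted hash of the user's passphrase, so every install with the same passphrase ends up with the same, precomputable key. The following is an added example, not code from the article or from OWASP: it shows that anti-pattern beside a hardened derivation using PBKDF2-HMAC-SHA256 from the Python standard library, with a per-install random salt and a constant-time verifier check. All passphrases are constructed sample values.

```python
"""Key derivation done wrong and done right (M5).

Added example, not from the article: a weak scheme derives the key for local
data straight from an unsalted MD5 of the passphrase, so every install with the
same passphrase shares the same key and an attacker can precompute it. The
hardened scheme uses PBKDF2-HMAC-SHA256 with a per-install random salt and a
high iteration count, and stores a verifier that is checked in constant time.
All passphrases below are constructed sample values.
"""
import hashlib
import hmac
import secrets

# Hundreds of thousands of iterations; see the current OWASP Password Storage
# Cheat Sheet for the recommended figure for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
KEY_BYTES = 32


def weak_key(passphrase: str) -> bytes:
    """The anti-pattern: unsalted, single-pass, broken hash. Deterministic across devices."""
    return hashlib.md5(passphrase.encode()).digest()


def new_salt() -> bytes:
    """Salt from the OS CSPRNG, never from the `random` module."""
    return secrets.token_bytes(SALT_BYTES)


def derive_key(passphrase: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Derive a 256-bit key; the same passphrase with a different salt gives a different key."""
    if len(salt) < SALT_BYTES:
        raise ValueError("salt must be at least 16 random bytes")
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, iterations, dklen=KEY_BYTES)


def make_verifier(passphrase: str) -> dict:
    """What the app stores to check the passphrase later: salt, parameters and a tag.

    The tag is an HMAC over the derived key with a fixed label, so the stored
    value is not the data-protection key itself.
    """
    salt = new_salt()
    key = derive_key(passphrase, salt)
    tag = hmac.new(key, b"verifier", hashlib.sha256).hexdigest()
    return {"salt": salt.hex(), "iterations": PBKDF2_ITERATIONS, "tag": tag}


def check_passphrase(passphrase: str, verifier: dict) -> bool:
    """Recompute the tag with the stored salt and parameters and compare in constant time."""
    key = derive_key(passphrase, bytes.fromhex(verifier["salt"]), verifier["iterations"])
    tag = hmac.new(key, b"verifier", hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, verifier["tag"])


if __name__ == "__main__":
    v = make_verifier("correct horse")
    print(check_passphrase("correct horse", v), check_passphrase("wrong", v))  # True False
```

Storing the iteration count alongside the salt lets the app raise it in a later release and re-derive on the next successful unlock; hard-coding it in the binary is what makes migrations painful.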
M6: Insecure Authorization
At first glance, this category may sound similar to M4. However, it is actually completely different, as it deals with server-side vulnerabilities in the authorization procedure.
Vulnerabilities in authorization have gained prominence in the cyber security landscape of late. They are extremely common and can be hard to detect, while also posing a severe business impact. This is why they have gained additional prominence in both the OWASP Web Application and Mobile Top 10.
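Both M4 and M6 come down to the same server-side rule: because an attacker can skip the mobile client and call the API directly, the server must establish who is calling from a verified credential, and then decide what that identity may access, ignoring any identity the client claims in the request. The following is an added example serving both the M4 and the M6 sections, not code from the article or from OWASP: a minimal HMAC-signed session token, a verification step, and a record lookup that enforces ownership on the server. The secret, users and records are constructed sample data, and the token format is a simplified stand-in for whatever session scheme a real backend uses.

```python
"""Server-side authentication (M4) and authorization (M6) for a mobile API.

Added example, not from the article or from OWASP: since an attacker can skip
the mobile client and call the server directly, both checks run on the server
and the identity comes from the verified token, never from a field the client
supplies. The signing secret, users and records are constructed sample data;
the HMAC token format is a simplified stand-in for a real session scheme.
"""
import hashlib
import hmac
import secrets
import time

SERVER_SECRET = secrets.token_bytes(32)  # constructed; a real backend loads this from its key store
TOKEN_TTL_SECONDS = 3600

# Constructed data store: record id -> owning user.
RECORDS = {"rec-1": "alice", "rec-2": "bob"}


def _sign(payload: str) -> str:
    return hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_token(user_id: str, now=None) -> str:
    """Issue 'user:expiry:signature' once the user has proven who they are."""
    now = time.time() if now is None else now
    payload = f"{user_id}:{int(now) + TOKEN_TTL_SECONDS}"
    return f"{payload}:{_sign(payload)}"


def authenticate(token: str, now=None):
    """Return the user id the token proves, or None if it is malformed, forged or expired."""
    now = time.time() if now is None else now
    try:
        user_id, expiry, signature = token.split(":")
        expiry = int(expiry)
    except ValueError:
        return None
    if not hmac.compare_digest(signature, _sign(f"{user_id}:{expiry}")):
        return None  # signature first: a forged token learns nothing from the expiry check
    if now > expiry:
        return None
    return user_id


def get_record(token: str, record_id: str, client_claimed_user=None, now=None):
    """Handle GET /records/<id>; returns (status, body).

    `client_claimed_user` models a user id the mobile client puts in the request
    body. It is deliberately ignored: trusting it instead of the token is the M6 bug.
    """
    user_id = authenticate(token, now)
    if user_id is None:
        return 401, "authentication required"
    owner = RECORDS.get(record_id)
    if owner != user_id:
        # Same answer for "does not exist" and "not yours", so ids cannot be enumerated.
        return 404, "not found"
    return 200, f"record {record_id} for {user_id}"


if __name__ == "__main__":
    tok = issue_token("alice")
    print(get_record(tok, "rec-1"))                              # (200, ...)
    print(get_record(tok, "rec-2", client_claimed_user="bob"))   # (404, ...)
```

The point to carry into a code review is the signature of get_record: the only input that influences the authorization decision is the verified token, and the client-supplied identity field has no code path that reads it.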
M7: Client Code Quality
This category focuses on vulnerabilities created by coding mistakes. No code is perfect, and perpetrators can find those errors and exploit them to gain access to the system.
Perfect examples of this are buffer overflows and memory leaks. Letting a buffer overflow slip through testing can allow the perpetrator to gain control over the whole app, potentially leading to theft of private data and even control over the device itself.
M8: Code Tampering
This category covers any modifications that an adversary can make to the code of the app. There are a variety of ways to do this, including method/class hooking, dynamic hooking, patching, etc.
Perpetrators can use code tampering to gain access to premium features, violating copyright and completely bypassing the app's existing distribution model.
M9: Reverse Engineering
Reverse engineering is extremely widespread and not always done with malicious intent. Sometimes people do it to study, sometimes to write their own, completely legitimate apps.
But often perpetrators use the technique to gain the information needed to exploit security vulnerabilities and decrypt data. Information on the encryption algorithms used, as well as the general workings of the back-end server, is particularly critical to protect.
M10: Extraneous Functionality
This category was added to the list in 2016 in order to cover an extremely severe, yet surprisingly common vulnerability: functionality found in the app that shouldn't be there.
This vulnerability arises when developers don't remove additional features created during development to make the app easier to test. One example of such a feature is a developer account that completely bypasses security checks and provides a wide set of privileges. It is essentially a backdoor that gives an attacker full control over the app.
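Leftover developer features are best caught by a release gate that fails the build rather than by hoping someone remembers to remove them. The following is an added example, not code from the article or from OWASP: a small CI-style check that refuses a release when the build configuration still enables debug features, or when the source contains identifiers and string literals of the kind a hidden developer login or hard-coded secret leaves behind. The configuration keys, regular expressions and sample source lines are constructed for the demonstration, and a real project would adapt them to its own build system.

```python
"""Release-build gate for leftover developer functionality (M10).

Added example, not from the article or from OWASP: a CI step that refuses a
release when the build configuration still enables debug features, or when the
source carries the kind of hard-coded developer login or secret that becomes a
backdoor in production. Configuration keys, patterns and source lines are
constructed for the demonstration.
"""
import re

# Keys that must be present and explicitly False in a release configuration (constructed names).
MUST_BE_OFF = ("debuggable", "allow_dev_login", "dev_endpoints_enabled")

BACKDOOR_PATTERNS = [
    # identifiers such as dev_account, DEBUG_LOGIN, test_user, backdoor_password
    re.compile(r"\b(?:dev|debug|test|backdoor)_?(?:user|login|account|password)\b", re.IGNORECASE),
    # string literals assigned to names that look like credentials
    re.compile(r"\b(?:password|secret|api_key|token)\s*=\s*['\"][^'\"]+['\"]", re.IGNORECASE),
]


def lint_release_config(config: dict) -> list:
    """Return the keys that are missing or not explicitly False, sorted."""
    return sorted(key for key in MUST_BE_OFF if config.get(key) is not False)


def scan_source(lines) -> list:
    """Return (line_number, line) for every line that matches a backdoor pattern."""
    hits = []
    for number, line in enumerate(lines, start=1):
        if any(pattern.search(line) for pattern in BACKDOOR_PATTERNS):
            hits.append((number, line))
    return hits


def release_gate(config: dict, lines) -> bool:
    """True only when both the configuration and the source scan are clean."""
    return not lint_release_config(config) and not scan_source(lines)


# Constructed sample input: a clean release config and a source file that is not clean.
RELEASE_CONFIG = {"debuggable": False, "allow_dev_login": False, "dev_endpoints_enabled": False}
SAMPLE_SOURCE = [
    "def login(username, password):",
    "    if username == 'dev_account' and debug_mode:",
    "        return Session(user=username, is_admin=True)",
    "    return authenticate(username, password)",
    "API_KEY = 'constructed-placeholder-value'",
]

if __name__ == "__main__":
    for number, line in scan_source(SAMPLE_SOURCE):
        print(f"line {number}: {line.strip()}")
    print("release allowed:", release_gate(RELEASE_CONFIG, SAMPLE_SOURCE))  # False
```

A pattern scan of this kind produces false positives, which is acceptable for a gate whose failures are reviewed by a person; the configuration check, by contrast, should be exact, which is why a missing key counts as a failure rather than defaulting to "off".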
The future of OWASP Mobile top 10
The current OWASP Mobile Top 10 list is extremely refined and comprehensive. However, the cyber security landscape changes constantly, mobile in particular. Both perpetrators and developers adapt at a breakneck pace, and raising awareness of a particular issue means that more people will be ready to deal with it in the future.