Do you think mobile vulnerabilities are so different from web vulnerabilities that it warrants its own list?
While vulnerabilities are often similar across the various computing platforms, each has unique idiosyncrasies, built-in defenses, attack vectors and threats. So I do feel we need separate OWASP Top Ten lists for web and mobile, especially because they have to be designed differently, and assessing mobile applications has unique challenges like:
- The tester must have access to actual devices or emulators. This means there is a large number of permutations of OS, hardware, networks, configurations, and software, which adds extra complexity to security testing.
- It is challenging to test on a platform with limited memory, storage, and power.
- New versions of mobile operating systems are continually released, and the vulnerabilities that exist in OS A are, more often than not, very different from those in OS B.
- Different devices also have different hardware sensors, cameras, chipsets, etc. The variety of networks on which the testing is to be done is also a factor: Wi-Fi is easy to test with a proxy; however, 3G or 4G network traffic is hard to intercept, and intercepting it is illegal in many countries.
The Mobile Top Ten focuses on native vulnerabilities that could be present in web or hybrid mobile applications. The 2014 Mobile Top 10 list had at least one weakness (M1: Weak Server Side Controls) that was common to both web and mobile; however, it was removed in 2016.
Do you agree with the list?
I do. Having tested hundreds of mobile applications for our clients, the three that I come across most often and that tend to raise concerns with me are Improper Platform Usage, Data Storage, Code Tampering and Extraneous Functionality. I have countless examples of applications that have hidden features in the live app store binary because the developers assume that consumers would not be able to trigger or misuse those features. This is risky because there are lots of tools that can help even script kiddies exploit critical applications and gain access to data or features that should otherwise not be accessible to anyone. In the near future, I expect to see ransomware attacks on mobile applications increase considerably. Additionally, the need for improved authentication that extends to biometric data verification (e.g., fingerprints) will increase.
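The hidden-feature and Improper Platform Usage findings mentioned above usually start with the manifest: debug builds, exported components without a permission guard, and leftover receivers that turn on features nobody is supposed to reach. The following Python audit is an added example, not code from the interviewee or from OWASP; the manifest it scans is a constructed sample for a hypothetical package (`com.example.hypothetical`), and the component names in it are made up.

```python
"""Audit an AndroidManifest.xml for the leftovers behind Improper Platform
Usage / Extraneous Functionality findings: debuggable builds, backup and
cleartext flags, and components reachable from other apps without a
permission guard.  Added example; manifest below is constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # ElementTree stores android:foo as {ns}foo

# Constructed sample manifest for a hypothetical app (not a real package).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.hypothetical">
  <application android:debuggable="true" android:allowBackup="true"
               android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".DebugConsoleActivity" android:exported="true"/>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.hypothetical.SYNC"/>
    <receiver android:name=".HiddenTriggerReceiver">
      <intent-filter>
        <action android:name="com.example.hypothetical.ENABLE_FEATURE"/>
      </intent-filter>
    </receiver>
    <provider android:name=".DataProvider"
              android:authorities="com.example.hypothetical.data"
              android:exported="false"/>
  </application>
</manifest>
"""

APP_FLAGS = {
    "debuggable": "debuggable build shipped (run-as and debugger attach possible)",
    "allowBackup": "allowBackup enabled (app data extractable via adb backup)",
    "usesCleartextTraffic": "cleartext HTTP permitted",
}

COMPONENT_TAGS = ("activity", "service", "receiver", "provider")


def is_exported(component):
    """Effective exported state: an explicit android:exported wins; otherwise
    a component that declares an intent-filter is exported by default
    (the pre-Android 12 rule, which is what older targets still get)."""
    explicit = component.get(A + "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return component.find("intent-filter") is not None


def is_launcher(component):
    """MAIN/LAUNCHER activities must be exported; don't flag them."""
    return any(cat.get(A + "name") == "android.intent.category.LAUNCHER"
               for cat in component.iter("category"))


def audit_manifest(xml_text):
    """Return a list of (where, what, message) findings."""
    findings = []
    app = ET.fromstring(xml_text).find("application")
    if app is None:
        return findings
    for attr, message in APP_FLAGS.items():
        if (app.get(A + attr) or "").lower() == "true":
            findings.append(("application", attr, message))
    for comp in app:
        if comp.tag not in COMPONENT_TAGS or not is_exported(comp):
            continue
        if is_launcher(comp):
            continue
        # Exported and reachable by any app on the device unless a
        # permission gates it; that is how "hidden" features get triggered.
        if comp.get(A + "permission") is None:
            findings.append((comp.tag, comp.get(A + "name", "?"),
                             "exported without a permission guard"))
    return findings


if __name__ == "__main__":
    for where, what, message in audit_manifest(SAMPLE_MANIFEST):
        print("%-12s %-28s %s" % (where, what, message))
```

Note that `.HiddenTriggerReceiver` is flagged even though it never says `android:exported`: the intent-filter makes it exported by default, which is exactly the kind of implicit platform behaviour the developers in the story above did not account for. The guarded `.SyncService` and the non-exported provider are left alone.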
What are some of the key areas that are often overlooked in mobile application security?
For mobile application vulnerabilities, key focus areas for me include:
- Improper storage of sensitive application data, to determine whether data is stored without a strong cryptographic algorithm
- Authentication/authorization attacks, to ensure that an attacker can't anonymously gain access to functionality in the application or backend server
- Unintended data leakage, to ensure the operating system doesn't leak data to third-party servers over multiple communication channels
- Input attacks such as buffer overruns, SQL and command injection, format strings, OS commanding, and special/problematic character sets
- Crypto implementation attacks, to assess the robustness of encryption algorithms and determine whether an attacker can gain access to the sensitive plaintext information
- Binary protection attacks, to determine whether the application can be reverse engineered or modified easily to gain access to features that would otherwise not be available to a normal user
- Client-side injections, to determine whether the mobile device is susceptible to malicious code execution locally
- Design attacks on internal APIs, alternate routes around security checks, open ports, loop condition forcing, and content spoofing
- Race conditions and attacks that take advantage of time discrepancies
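The first and the crypto-implementation items in the list above are usually checked together: pull the app's stored data from the device and decide, entry by entry, whether a sensitive value is in the clear, merely encoded, or an opaque blob that warrants a closer look at the key handling. The Python triage below is an added example, not the interviewee's tooling; the SharedPreferences file it parses is a constructed sample from a hypothetical app, and the key-name regex and the 16-character base64 threshold are this example's own heuristics.

```python
"""Triage a pulled SharedPreferences XML for secrets that are stored in
cleartext or only base64-encoded (encoding is not encryption).
Added example; the sample file below is constructed, not from a real app."""
import base64
import binascii
import re
import xml.etree.ElementTree as ET

# Heuristic: key names that usually hold credentials or session material.
SENSITIVE_KEY = re.compile(r"pass|pwd|secret|token|session|auth|pin|card|ssn", re.I)

# Constructed sample for a hypothetical app: the shape of what
# `adb shell run-as <pkg> cat shared_prefs/<name>.xml` returns from a
# debuggable build (or any rooted device).
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="username">alice@example.com</string>
    <string name="password">hunter2</string>
    <string name="api_secret">cGFzc3dvcmQxMjM=</string>
    <string name="auth_token_enc">/+Dn8qiaE0Y7rZlXdC1kWvnQIDQx9pQ8kN2oE7Rf9xM=</string>
    <boolean name="onboarding_done" value="true" />
</map>
"""


def decode_base64(value):
    """Return the decoded bytes if value is plausibly base64, else None.
    Short values such as 'true' or 'abcd' are valid base64 by accident,
    so require a realistic length before treating a value as encoded."""
    if len(value) < 16:
        return None
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None


def is_printable_text(data):
    """True if the bytes are readable text, i.e. not ciphertext."""
    try:
        return data.decode("utf-8").isprintable()
    except UnicodeDecodeError:
        return False


def classify_value(value):
    """'cleartext'          readable exactly as stored
       'encoded-plaintext'  base64 wrapper around readable text
       'opaque'             binary blob; may be ciphertext, review the key"""
    decoded = decode_base64(value)
    if decoded is None:
        return "cleartext"
    return "encoded-plaintext" if is_printable_text(decoded) else "opaque"


def audit_prefs(xml_text):
    """Return (key, classification) for every sensitive-looking key whose
    value is readable, directly or after base64 decoding."""
    findings = []
    for entry in ET.fromstring(xml_text):
        name = entry.get("name", "")
        # <string> keeps its value as element text; boolean/int/long/float
        # entries carry it in the value= attribute.
        if entry.tag == "string":
            value = entry.text or ""
        else:
            value = entry.get("value", "")
        kind = classify_value(value)
        if SENSITIVE_KEY.search(name) and kind != "opaque":
            findings.append((name, kind))
    return findings


if __name__ == "__main__":
    for key, kind in audit_prefs(SAMPLE_PREFS):
        print("%-16s %s" % (key, kind))
```

An "opaque" result is not a pass: it only moves the question to where the key lives. If the key is a string constant in the APK or derived from a device identifier, the binary-protection item in the list above recovers it, and the blob is as good as plaintext.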
References:
- OWASP Mobile Top 10 2016 RC: https://www.owasp.org/index.php/Mobile_Top_10_2016-Top_10
- OWASP Mobile Top 10 2014: https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks