OWASP Mobile Top 10 – Vulnerabilities & Threats

Overview

Leverage Security Brigade’s Mobile Application Security Testing Services to help you validate your mobile applications and back-end infrastructure against OWASP Mobile Top 10 Application security issues and get your applications certified.

OWASP Mobile Top 10 Security Issues

The OWASP Mobile Top 10 (2016) list of security issues was compiled from a global survey of security practitioners and app developers. Its goal is to identify the key areas of concern in terms of mobile application security vulnerabilities.

OWASP (Open Web Application Security Project) is an online community that produces freely-available articles, methodologies, documentation, tools, and technologies in the field of web and mobile application security.

In this article, we will walk through each of the OWASP Mobile Top 10 Security Issues and provide a brief explanation along with some real-world examples of vulnerabilities and exploits for each issue.

Improper Platform Usage

This issue covers the misuse of core operating system functionality, or more precisely the failure to use the platform's existing security controls correctly. This may include attackers abusing Android Intents, app permissions, the iOS Keychain, iOS Touch ID or other such security features.

Common Attack Scenarios

  • Data Leakage by Exploiting Android Intent
  • Android Intent Sniffing
  • iOS Keychain Risk
  • iOS TouchID Risk

Example: Citrix Worx – Bypass Apple’s Touch ID on iPhone

It was discovered that it was possible to bypass Apple's Touch ID for Citrix Worx apps. In this particular implementation the secret token retrieved from verifying the Touch ID was stored incorrectly. Hence an attacker could simply cancel the Touch ID prompt and the application would believe that the authentication was successful.


Insecure Data Storage

This issue focuses on the abuse of locally stored data that can be accessed or manipulated by an attacker, either via physical access to the device or through the use of malicious applications. The data could be stored in the form of SQLite databases, log files, plist files, XML data stores, manifest files, etc.

Common Attack Scenarios

  • Compromised File System
  • Exploitation of Unsecured Data

Example: Tinder Reveals The Exact Location of Users

As part of one of its releases, Tinder introduced a new feature to show you nearby people who are using the app. In this implementation, the application retrieved the exact location (GPS coordinates) of each individual and stored it locally on the device.

Insecure Communication

This issue focuses on how data is transmitted to and from mobile applications, i.e. API calls, SMS transmission, USSD requests, Bluetooth, etc. It looks at the different ways in which attackers can intercept the data at any point in the transmission chain, or locally on the device itself through malicious applications, and the abuse scenarios possible as a result.

Common Attack Scenarios

  • Stealing of Information
  • Man in The Middle (MITM) Attacks
  • Admin Account Compromise

Example: Misafe smart watches transmit data in plain-text

It was discovered that the Misafe smart watch transmitted sensitive data in an unencrypted and unauthenticated manner in its API calls. An attacker intercepting the communication would be able to access real-time GPS coordinates, initiate phone calls and spy on the user, along with accessing other personally identifiable information.
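The defensive counterpart to the Misafe case is a client that refuses plain-text endpoints and only talks TLS with certificate and hostname verification switched on. The following is an added example written for this article, not code from the product or the researchers involved; it uses Python's standard `ssl` module, and the URLs under `example.invalid` are constructed sample values. The weak context is included only so the check can be seen rejecting it.

```python
import ssl
from urllib.parse import urlparse

# Assumption for this example: TLS 1.2 is the oldest version the API client may negotiate.
MIN_TLS_VERSION = ssl.TLSVersion.TLSv1_2


def build_client_context():
    """Hardened client context: system CA store, CERT_REQUIRED, hostname check, TLS >= 1.2."""
    ctx = ssl.create_default_context()        # verify_mode=CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = MIN_TLS_VERSION     # refuse SSLv3/TLS 1.0/TLS 1.1 downgrades
    return ctx


def insecure_context_for_comparison():
    """The pattern that makes interception trivial: any certificate, any name, is accepted."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False                # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_hardened(ctx):
    """Release-build self-check: fail the build if someone left an insecure context behind."""
    return (
        ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.check_hostname
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


def endpoint_is_acceptable(url):
    """Only https URLs with a hostname may be used for API calls; plain http is rejected outright."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and bool(parsed.hostname)


if __name__ == "__main__":
    # Constructed sample endpoints; nothing is contacted over the network.
    for url in ("https://api.example.invalid/v1/location", "http://api.example.invalid/v1/location"):
        print(url, "->", "ok" if endpoint_is_acceptable(url) else "rejected")
    print("hardened context passes check:", context_is_hardened(build_client_context()))
    print("insecure context passes check:", context_is_hardened(insecure_context_for_comparison()))
```

`context_is_hardened` is the piece worth wiring into a unit test: it catches the common regression where a developer disables verification to get past a staging certificate and the change ships to production.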


Insecure Authentication

This issue focuses on the way in which an application authenticates its user at the time of login, and on how it remembers that user afterwards. It looks at ways in which an attacker can log into the app as an unauthorized user by bypassing the authentication controls in place.

Common Attack Scenarios

  • Input Form Factor
  • Insecure User Credentials

Example: Grab Android App 2FA Bypass

As part of its two-factor authentication (2FA), Grab implemented a 4-digit token that was sent to users in an SMS message. In this implementation, no rate limiting or brute-force prevention was applied to the OTP validation code. As a result, an attacker could brute-force all 9999 possible entries and bypass the OTP implementation.
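What the Grab implementation lacked is a server-side attempt budget bound to each issued code. The following is an added example, not Grab's code: a minimal OTP service in Python where every code expires, is single-use, and is destroyed after a fixed number of wrong guesses, so enumerating the code space is no longer possible. The TTL, the attempt limit and the in-memory store are assumptions for illustration.

```python
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300   # assumption: a code is valid for five minutes
MAX_ATTEMPTS = 5        # assumption: five wrong guesses burn the code

# Constructed in-memory store; a real back end would use a database or cache.
# phone_number -> {"code": str, "expires": float, "attempts": int}
_challenges = {}


def issue_otp(phone_number, now=None):
    """Generate a fresh 4-digit code with an expiry and an attempt budget."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10_000):04d}"   # 0000-9999, uniformly random
    _challenges[phone_number] = {"code": code, "expires": now + OTP_TTL_SECONDS, "attempts": 0}
    return code   # delivered over SMS; never returned to the API caller in practice


def verify_otp(phone_number, submitted, now=None):
    """Return True only for a correct, unexpired code with attempts remaining.

    Every failed guess consumes one attempt. A correct guess or an exhausted
    budget destroys the challenge, so the caller must request a new code.
    """
    now = time.time() if now is None else now
    challenge = _challenges.get(phone_number)
    if challenge is None:
        return False
    if now > challenge["expires"] or challenge["attempts"] >= MAX_ATTEMPTS:
        _challenges.pop(phone_number, None)
        return False
    challenge["attempts"] += 1
    # Constant-time comparison so response timing does not leak how many digits matched.
    if hmac.compare_digest(challenge["code"], str(submitted)):
        _challenges.pop(phone_number, None)   # single use
        return True
    if challenge["attempts"] >= MAX_ATTEMPTS:
        _challenges.pop(phone_number, None)   # budget exhausted: the code is burned
    return False


if __name__ == "__main__":
    phone = "+10000000000"   # constructed sample number
    code = issue_otp(phone)
    wrong = f"{(int(code) + 1) % 10_000:04d}"
    for _ in range(MAX_ATTEMPTS):
        verify_otp(phone, wrong)
    print("correct code accepted after budget exhausted:", verify_otp(phone, code))   # False
```

The attempt counter must live on the server next to the code, not in the client, and the expiry check must run before the comparison; a client-side lockout would be stripped out the same way the original rate limit was absent.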

Insufficient Cryptography

This issue focuses on the cryptography an application uses to store information, generate tokens or transmit information securely. It looks for flaws in those implementations: weaknesses in the algorithms themselves, reliance on hard-coded tokens or certificates, or weak handshake mechanisms.

Common Attack Scenarios

  • Stealing App and User Data
  • Access Encrypted Files

Example: OLA App Hard-coded Encryption Keys

It was discovered that the OLA Cabs mobile application used a hard-coded token as the key for encrypting user passwords. As such, an attacker could use the same hard-coded key to decrypt the passwords of any other user.
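The OLA flaw has two parts: passwords were stored reversibly, and the key was the same in every copy of the app. The following added example (written for this article, not OLA's code) puts the two designs side by side in Python: a reversible transform under a shared constant key, where the same password yields the same blob for every user and one extracted key decrypts everything, and the hardened form, a per-user random salt with PBKDF2-HMAC-SHA256 from the standard library, which cannot be reversed and yields distinct values for identical passwords. The constant key and the iteration count are constructed values.

```python
import hashlib
import hmac
import os

# Weak pattern: one key baked into the binary. Constructed value for illustration.
HARDCODED_KEY = b"constructed-example-key"


def _keystream(length):
    """Deterministic byte stream derived from the shared key (toy construction, illustration only)."""
    stream = hashlib.sha256(HARDCODED_KEY).digest()
    while len(stream) < length:
        stream += hashlib.sha256(stream).digest()
    return stream[:length]


def weak_encrypt(password):
    """Reversible: identical passwords produce identical blobs across all users."""
    data = password.encode()
    return bytes(a ^ b for a, b in zip(data, _keystream(len(data))))


def weak_decrypt(blob):
    """Anyone who extracts HARDCODED_KEY from the app recovers every user's password."""
    return bytes(a ^ b for a, b in zip(blob, _keystream(len(blob)))).decode()


# Hardened pattern: one-way, salted, slow. Iteration count is an assumption for this example.
PBKDF2_ITERATIONS = 600_000


def hash_password(password, salt=None):
    """Return 'salt$digest' (hex) using a fresh 16-byte random salt per user."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # Two constructed users who happen to choose the same password.
    a, b = weak_encrypt("hunter2"), weak_encrypt("hunter2")
    print("weak blobs identical across users:", a == b, "| reversible:", weak_decrypt(a) == "hunter2")
    ha, hb = hash_password("hunter2"), hash_password("hunter2")
    print("hardened records identical:", ha == hb, "| verifies:", verify_password("hunter2", ha))
```

The lesson generalises beyond passwords: any secret the app must keep from its own users cannot be protected by a key shipped inside the app, because the app binary is in the user's hands.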

Insecure Authorization

This issue focuses on the way in which an application validates a user's permission or authorization to carry out certain tasks or functionality. It looks at ways in which an attacker can legitimately log into the application but manipulate local storage or API parameters to trigger functionality belonging to another user or to a more privileged user.

Common Attack Scenarios

  • Unregulated Access to Admin Endpoints
  • IDOR Access

Example: Viper SmartStart – Starting someone else's car!

It was discovered that the Viper SmartStart application relied on a simple "id" parameter when initiating the server call to start the car. Attackers were able to manipulate the ID value to access account information and trigger actions in other users' accounts. It was also possible to change data about the car and open the car remotely.
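The Viper issue, and the IDOR scenario listed above, come down to the server resolving an object by the id in the request without checking that the object belongs to the authenticated session. The following is an added example in Python, not Viper's code: the unchecked lookup is shown next to a version that binds every object access to the session's principal, with the vehicle records being constructed sample data.

```python
# Constructed sample records standing in for the back end's database.
VEHICLES = {
    "veh-1001": {"owner": "alice", "model": "sedan", "locked": True},
    "veh-1002": {"owner": "bob", "model": "hatchback", "locked": True},
}


class AuthorizationError(Exception):
    """Raised when the requested object is not visible to the authenticated user."""


def start_vehicle_unchecked(vehicle_id):
    """The IDOR pattern: the id from the request is trusted as-is, so any valid id works."""
    VEHICLES[vehicle_id]   # existence is the only check performed
    return {"vehicle": vehicle_id, "started": True}


def load_owned_vehicle(session_user, vehicle_id):
    """Resolve the object and confirm it belongs to the authenticated principal.

    'Does not exist' and 'not yours' produce the same error so that the response
    shape does not reveal which ids are valid.
    """
    vehicle = VEHICLES.get(vehicle_id)
    if vehicle is None or vehicle["owner"] != session_user:
        raise AuthorizationError("vehicle not found for this account")
    return vehicle


def is_authorized(session_user, vehicle_id):
    """Boolean form of the check, convenient for tests and for logging denied requests."""
    try:
        load_owned_vehicle(session_user, vehicle_id)
        return True
    except AuthorizationError:
        return False


def start_vehicle(session_user, vehicle_id):
    """Every action goes through the ownership check; the id alone never grants anything."""
    load_owned_vehicle(session_user, vehicle_id)
    return {"vehicle": vehicle_id, "started": True}


def unlock_vehicle(session_user, vehicle_id):
    vehicle = load_owned_vehicle(session_user, vehicle_id)
    vehicle["locked"] = False
    return vehicle["locked"]


if __name__ == "__main__":
    print("alice starts her own car:", start_vehicle("alice", "veh-1001"))
    print("alice allowed on bob's car:", is_authorized("alice", "veh-1002"))   # False
```

The check belongs in the data-access layer (`load_owned_vehicle` here) rather than in each endpoint, so that a newly added action cannot forget it; denied requests are also worth logging, since a user iterating over ids produces a distinctive burst of them.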


Client Code Quality

This risk focuses on vulnerabilities that emerge from inconsistent coding practices, which lead to poor documentation and in turn to poor security practices. These inconsistencies can result in buffer overflows, format string vulnerabilities, etc.

Common Attack Scenarios

  • Safe Web Code, Compromised in Mobiles
  • Gaps in Third-Party Libraries
  • Client Input Insecurity

Example: WhatsApp Buffer Overflow – Installing Spyware

It was discovered that, due to bad coding practices by WhatsApp, a buffer overflow vulnerability could allow a remote attacker to run malicious code on any device by simply placing a phone call to the target (with an appropriate payload).

This security issue, along with other similar issues in WhatsApp's media handling, is known to have been used by the NSO Group to install spyware on phones.

Code Tampering

This issue looks at methods by which attackers can tamper with or modify legitimate applications to add backdoors or unauthorized functionality. The resulting malicious applications can provide unrestricted access to the application, its local data or even the complete device.

Common Attack Scenarios

  • Malware Infusion
  • Data Theft

Example: Pokemon Go

In this attack, users were able to create a "cheat" version of the famous game in which they could override the local GPS and transport themselves to any location within the application. This allowed users to cheat the platform and gain access to Pokémon without moving at all.

Reverse Engineering

This issue focuses on an attacker's ability to reverse engineer your applications to better understand their functionality and learn secrets about the application's internal processes, API calls, etc.

Common Attack Scenarios

  • Reverse Engineering Risks
  • Dynamic Inspection at Runtime
  • Code Stealing
  • Premium Features

Example: Citrix Worx – Bypass Apple’s Touch ID on iPhone

It was discovered that it was possible to bypass Apple's Touch ID for Citrix Worx apps. In this particular implementation the secret token retrieved from verifying the Touch ID was stored incorrectly. Hence an attacker could simply cancel the Touch ID prompt and the application would believe that the authentication was successful.


Extraneous Functionality

This issue focuses on scenarios where the development team pushes an application to production that still includes debug functionality, staging information, test infrastructure, comments, documentation, etc. This functionality has no real value for the end user but may help an attacker gain more information about and access to the application infrastructure, in turn compromising key components.

Example: Wifi File Transfer Allows Remote Connections

It was discovered that the "Wifi File Transfer App" allowed remote connections from a computer to access sensitive data. As no authentication was used, an attacker who connected would have complete access to the device.

Talk to an Expert

Speak to our experts to understand more about our security offerings.