Difference between revisions of "Mobile Top 10 2014-M10"

From OWASP
Jump to: navigation, search
Line 1: Line 1:
 +
<center>[https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks Back To The Mobile Top Ten Main Page]</center>
 
{{Top_10_2010:SubsectionColoredTemplate|<center>Lack of Binary Protections</center>||year=2014}}
 
{{Top_10_2010:SubsectionColoredTemplate|<center>Lack of Binary Protections</center>||year=2014}}
 
{{Top_10_2010:SummaryTableHeaderBeginTemplate}}
 
{{Top_10_2010:SummaryTableHeaderBeginTemplate}}

Revision as of 03:50, 27 January 2014

Back To The Mobile Top Ten Main Page
Lack of Binary Protections
Threat Agents Attack Vectors Security Weakness Technical Impacts Business Impacts
Application Specific Exploitability
EASY
Prevalence
COMMON
Detectability
EASY
Impact
SEVERE
Application / Business Specific
Threat Description Attack Vector Description Security Weakness Description Technical Impacts Business Impacts
Am I Vulnerable to Lack of Binary Protections?


The Lack of Binary Protections category considers many security protections (or lack thereof) that are easy to implement but often go unused for mobile applications. Most of these protections are chosen at compile time. In general you should be aware of the following for mobile applications when compiling for production:

  • How to fully enable ASLR and Exploit mitigation protections.
  • How to remove path and symbol information from the binary.
  • How to use/enable framework provided memory management (to avoid memory leaks and code quality issues).
  • How to implement simple certificate pinning.
  • How to implement simple jailbreak/root detection.
  • How to implement simple anti-debugging code.
  • How to implement framework provided code obfuscation.


How Do I Prevent Lack of Binary Protections?


iOS Specific Examples:

Android Specific Examples


Example Scenarios

Example Scenarios


References

References