Difference between revisions of "Mobile Top 10 2014-M4"

From OWASP
Jump to: navigation, search
Line 1: Line 1:
 +
{{Top_10_2010:SubsectionColoredTemplate|<center>Unintended Data Leakage</center>||year=2014}}
 
{{Top_10_2010:SummaryTableHeaderBeginTemplate}}
 
{{Top_10_2010:SummaryTableHeaderBeginTemplate}}
 
{{Top_10_2010:SummaryTableValue-1-Template|Exploitability|EASY}}
 
{{Top_10_2010:SummaryTableValue-1-Template|Exploitability|EASY}}

Revision as of 02:34, 27 January 2014

Unintended Data Leakage
Threat Agents Attack Vectors Security Weakness Technical Impacts Business Impacts
Application Specific Exploitability
EASY
Prevalence
COMMON
Detectability
EASY
Impact
SEVERE
Application / Business Specific
Threat Description Attack Vector Description Security Weakness Description Technical Impacts Business Impacts
Am I Vulnerable to Unintended Data Leakage?

Unintended data leakage (formerly side-channel data leakage) is a branch of Insecure Data Storage. It includes all manner of vulnerabilities that can be introduced by the OS, frameworks, compiler environment, new hardware, etc, all without a developers knowledge.

In the mobile development world this is most seen in undocumented (or under-documeted) internal processes such as:

  • The way the OS caches data, images, key-presses, logging, and buffers.
  • The way the development framework caches data, images, key-presses, logging, and buffers.
  • The way or amount of data ad, analytic, social, or enablement frameworks cache data, images, key-presses, logging, and buffers.
How Do I Prevent Unintended Data Leakage?

It is important to threat model your OS, platforms, and frameworks, to see how they handle the following types of features:

  • URL Caching (Both request and response)
  • Keyboard Press Caching
  • Copy/Paste buffer Caching
  • Application backgrounding
  • Logging
  • HTML5 data storage
  • Browser cookie objects
  • Analytics data sent to 3rd parties


It is especially important to discern what a given OS or framework does by default. By identifying this and applying mitigating controls, you can avoid unintended data leakage. Specific examples to follow.


Example Scenarios

OS: iOS

  • URL Caching (Both request and response)
  • Keyboard Press Caching
  • Copy/Paste buffer Caching
  • Application backgrounding
  • Logging
  • HTML5 data storage
  • Browser cookie objects
  • Analytics data sent to 3rd parties

OS: Android

  • URL Caching (Both request and response)
  • Keyboard Press Caching
  • Copy/Paste buffer Caching
  • Application backgrounding
  • Logging
  • HTML5 data storage
  • Browser cookie objects
  • Analytics data sent to 3rd parties

References

References