Mobile Top 10 2014-M4

From OWASP
Revision as of 03:48, 27 January 2014 by Jason Haddix (Talk | contribs)

Jump to: navigation, search
Back To The Mobile Top Ten Main Page
Unintended Data Leakage
Threat Agents Attack Vectors Security Weakness Technical Impacts Business Impacts
Application Specific Exploitability
EASY
Prevalence
COMMON
Detectability
EASY
Impact
SEVERE
Application / Business Specific
Threat Description Attack Vector Description Security Weakness Description Technical Impacts Business Impacts
Am I Vulnerable to Unintended Data Leakage?

Unintended data leakage (formerly side-channel data leakage) is a branch of Insecure Data Storage. It includes all manner of vulnerabilities that can be introduced by the OS, frameworks, compiler environment, new hardware, etc, all without a developers knowledge.

In the mobile development world this is most seen in undocumented (or under-documeted) internal processes such as:

  • The way the OS caches data, images, key-presses, logging, and buffers.
  • The way the development framework caches data, images, key-presses, logging, and buffers.
  • The way or amount of data ad, analytic, social, or enablement frameworks cache data, images, key-presses, logging, and buffers.
How Do I Prevent Unintended Data Leakage?

It is important to threat model your OS, platforms, and frameworks, to see how they handle the following types of features:

  • URL Caching (Both request and response)
  • Keyboard Press Caching
  • Copy/Paste buffer Caching
  • Application backgrounding
  • Logging
  • HTML5 data storage
  • Browser cookie objects
  • Analytics data sent to 3rd parties


It is especially important to discern what a given OS or framework does by default. By identifying this and applying mitigating controls, you can avoid unintended data leakage. Specific examples to follow.


Example Scenarios

OS: iOS

  • URL Caching (Both request and response)
  • Keyboard Press Caching
  • Copy/Paste buffer Caching
  • Application backgrounding
  • Logging
  • HTML5 data storage
  • Browser cookie objects
  • Analytics data sent to 3rd parties

OS: Android

  • URL Caching (Both request and response)
  • Keyboard Press Caching
  • Copy/Paste buffer Caching
  • Application backgrounding
  • Logging
  • HTML5 data storage
  • Browser cookie objects
  • Analytics data sent to 3rd parties

References

References