Difference between revisions of "Mobile Top 10 2014-M9"

From OWASP
Jump to: navigation, search
(Created page with "{{Top_10_2010:SummaryTableHeaderBeginTemplate}} {{Top_10_2010:SummaryTableValue-1-Template|Exploitability|EASY}} {{Top_10_2010:SummaryTableValue-2-Template|Prevalence|COMMON}}...")
 
Line 5: Line 5:
 
{{Top_10_2010:SummaryTableValue-1-Template|Impact|SEVERE}}
 
{{Top_10_2010:SummaryTableValue-1-Template|Impact|SEVERE}}
 
{{Top_10_2010:SummaryTableHeaderEndTemplate}}
 
{{Top_10_2010:SummaryTableHeaderEndTemplate}}
     <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Anyone with access to data that has been encrypted improperly</td>
+
     <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Anyone with access to HTTP/S traffic, cookie data, etc.</td>
 
     <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}> Attack vectors include physical access to the device and network traffic capture</td>
 
     <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}> Attack vectors include physical access to the device and network traffic capture</td>
     <td colspan=2  {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Encryption of mobile application data that can be successfully returned to plaintext by an unauthorized party</td>
+
     <td colspan=2  {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Malicious or accidental session hijacking</td>
     <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Return of sensitive data to plaintext</td>
+
     <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Unauthorized users gaining access to other users' accounts</td>
     <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Loss of customer data, sensitive IP, or other critical information</td>
+
     <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Customers losing control of their accounts and/or data</td>
 
{{Top_10_2010:SummaryTableEndTemplate}}
 
{{Top_10_2010:SummaryTableEndTemplate}}
  
  
{{Top_10_2010:SubsectionColoredTemplate|Am I Vulnerable to Weak Cryptography?||year=2014}}
+
{{Top_10_2010:SubsectionColoredTemplate|Improper Session Handling||year=2014}}
The M6 category covers the various ways that insecure cryptography is used within mobile applications.
+
The M9 category deals with session handling and the various ways it can be handled insecurely.
 
   
 
   
 
Insecure use of cryptography is common in most any application that uses encryption, and there are two mistakes in this area that lead to the most insecurity:
 
Insecure use of cryptography is common in most any application that uses encryption, and there are two mistakes in this area that lead to the most insecurity:

Revision as of 02:34, 27 January 2014

Threat Agents Attack Vectors Security Weakness Technical Impacts Business Impacts
Application Specific Exploitability
EASY
Prevalence
COMMON
Detectability
EASY
Impact
SEVERE
Application / Business Specific
Anyone with access to HTTP/S traffic, cookie data, etc. Attack vectors include physical access to the device and network traffic capture Malicious or accidental session hijacking Unauthorized users gaining access to other users' accounts Customers losing control of their accounts and/or data


Improper Session Handling

The M9 category deals with session handling and the various ways it can be handled insecurely.

Insecure use of cryptography is common in most any application that uses encryption, and there are two mistakes in this area that lead to the most insecurity:

  1. The Creation and Use of Custom Encryption Algorithms
  2. Use of Insecure and/or Deprecated Algorithms
  3. Poor Key Management

Creation and Use of Custom Encryption Protocols

There is no easier way to mishandle encryption--mobile or otherwise--than to try to create and use your own encryption algorithms or protocols.

Always use modern algorithms that are accepted as strong by the security community, and whenever possible leverage the state of the art encryption APIs within your mobile platform.

Use of Insecure and/or Deprecated Algorithms

Many cryptographic algorithms and protocols should not be used because they have been shown to have significant weaknesses or are otherwise insufficient for modern security requirements. These include:

  • RC2
  • MD4
  • MD5
  • SHA1

Poor Key Management

The best algorithms don't matter if you mishandle your keys. Many make the mistake of using the correct encryption algorithm, but implementing their own protocol for employing it. Some examples of problems here include:

  • Including the keys in the same attacker-readable directory as the encrypted content
  • Making the keys otherwise available to the attacker
  • Failing to use built-in encryption functionality

References

References