OWASP Mobile Security Project Platform Specific Guidance Draft

From OWASP
Revision as of 07:36, 20 October 2011 by Dancornell (Talk | contribs)

Jump to: navigation, search

Contents

Authentication

GUIDANCE TITLE
PLATFORM INDEPENDENT DESCRIPTION
iOS Android Mappings
IOS TEXT ANDROID TEXT R

I

S

K


1

2

3

4

5

6

7

8

9

10

C

O

N

T

R

O

L


1

2

3

4

5

6

7

8

9

10

Session Management

GUIDANCE TITLE
PLATFORM INDEPENDENT DESCRIPTION
iOS Android Mappings
IOS TEXT ANDROID TEXT R

I

S

K


1

2

3

4

5

6

7

8

9

10

C

O

N

T

R

O

L


1

2

3

4

5

6

7

8

9

10

Access Control

GUIDANCE TITLE
PLATFORM INDEPENDENT DESCRIPTION
iOS Android Mappings
IOS TEXT ANDROID TEXT R

I

S

K


1

2

3

4

5

6

7

8

9

10

C

O

N

T

R

O

L


1

2

3

4

5

6

7

8

9

10

Input Validation

GUIDANCE TITLE
PLATFORM INDEPENDENT DESCRIPTION
iOS Android Mappings
IOS TEXT ANDROID TEXT R

I

S

K


1

2

3

4

5

6

7

8

9

10

C

O

N

T

R

O

L


1

2

3

4

5

6

7

8

9

10

Output Encoding/Escaping

GUIDANCE TITLE
PLATFORM INDEPENDENT DESCRIPTION
iOS Android Mappings
IOS TEXT ANDROID TEXT R

I

S

K


1

2

3

4

5

6

7

8

9

10

C

O

N

T

R

O

L


1

2

3

4

5

6

7

8

9

10

Cryptography

GUIDANCE TITLE
PLATFORM INDEPENDENT DESCRIPTION
iOS Android Mappings
IOS TEXT ANDROID TEXT R

I

S

K


1

2

3

4

5

6

7

8

9

10

C

O

N

T

R

O

L


1

2

3

4

5

6

7

8

9

10

Error Handling and Logging

GUIDANCE TITLE
PLATFORM INDEPENDENT DESCRIPTION
iOS Android Mappings
IOS TEXT ANDROID TEXT R

I

S

K


1

2

3

4

5

6

7

8

9

10

C

O

N

T

R

O

L


1

2

3

4

5

6

7

8

9

10

Data Protection

Data Protection
Mobile devices have the ability to store information in files, databases and other constructs. Because devices can be lost or transferred to other users without being wiped, application developers should be very careful about storing sensitive information locally on the device. Avoiding storing sensitive information on the device is preferable because then the risk of compromise is minimized.
  • Where can applications store local data on the device?
  • What formats are allowed?
iOS (code examples) Android (code examples) Mappings
Applications are given access to their own portion of the iOS filesystem that is within the application sandbox and inaccessible to other applications. Files can be designated for Sharing and such files are accessible in the Documents/ directory in iTunes. Files can also be marked as Protected so that they can only be accessed when the device is unlocked. Property List (plist) files can be used to store user preferences and other configuration information in a way that can be moved between OS X and iOS applications.
  • Apple overview page on iOS Data Management
  • Apple information about File and the Filesystem on iOS
  • Apple information about Shared files
  • Apple information about Protected files
  • Apple's Introduction to Property Lists
Android applications have a variety of local storage options. They can store files in both internal storage that will be protected by the default Android/Linux permissions model that segregates access to application files via Linux file/group permissions or external storage on an SD card that will not be covered by those protections. Unless there are special circumstances, files should be created with Context.MODE_PRIVATE or Context.MODE_APPEND, which will use Linux permissions to make them readable and writable only to the application that created the file (and the root user on rooted devices). Files that are created using the Context.MODE_WORLD_READABLE can be read by other applications and should not be used to store data that a malicious application should not have access to. Files that are created using the Context.MODE_WORLD_WRITABLE can be written to by other applications and data read from these files should not be trusted. In addition, Android applications can create SQLite databases for storing application information. Also, Shared Preferences can be used to store key/value data. Finally, Content Providers can be used to store data for a given application as well as for sharing with other applications.
  • Android documentation on Data Storage
  • Android Javadoc for Context.openFileOutput() describing file permission options
R

I

S

K


C

O

N

T

R

O

L


1


Communication Security

GUIDANCE TITLE
PLATFORM INDEPENDENT DESCRIPTION
iOS Android Mappings
IOS TEXT ANDROID TEXT R

I

S

K


1

2

3

4

5

6

7

8

9

10

C

O

N

T

R

O

L


1

2

3

4

5

6

7

8

9

10

HTTP Security

GUIDANCE TITLE
PLATFORM INDEPENDENT DESCRIPTION
iOS Android Mappings
IOS TEXT ANDROID TEXT R

I

S

K


1

2

3

4

5

6

7

8

9

10

C

O

N

T

R

O

L


1

2

3

4

5

6

7

8

9

10

Security Configuration

GUIDANCE TITLE
PLATFORM INDEPENDENT DESCRIPTION
iOS Android Mappings
IOS TEXT ANDROID TEXT R

I

S

K


1

2

3

4

5

6

7

8

9

10

C

O

N

T

R

O

L


1

2

3

4

5

6

7

8

9

10


COPY/PASTE TEMPLATE STUFF BELOW

EXAMPLE HEADING

GUIDANCE TITLE
PLATFORM INDEPENDENT DESCRIPTION
iOS Android Mappings
IOS TEXT ANDROID TEXT R

I

S

K


1

2

3

4

5

6

7

8

9

10

C

O

N

T

R

O

L


1

2

3

4

5

6

7

8

9

10