[Owasp-Mobile-Project] Mobile Top 10

Mike Zusman mike.zusman at intrepidusgroup.com
Thu Sep 16 10:40:06 EDT 2010


I agree that scope is something that needs to be well defined. For example, sometimes when assessing a mobile app, you may find that there is minimal attack surface on the client, while the back-end web application or web service is riddled with vulnerabilities. For example, the infamous "iPad hack" that disclosed AT&T subscriber info was just a basic web-app flaw. I feel that one Mobile Top Ten item could just be a pointer to the original OWASP Top 10 :-)

I agree that we need to distinguish between applications designed to be installed and run on a specific platform, versus web apps optimized to run in a mobile web browser. Personally, I feel that mobile web apps can be excluded at this time, since they would get adequate coverage in the traditional OWASP top ten. We also need to distinguish between applications that come pre-installed on a device (web browser, email, SMS, etc) and the third-party apps that can be downloaded and installed. I feel that our initial efforts should be focused on the third-party apps.

I don't think the Top 10 should be device or platform specific, but should instead address general programming and design flaws. Other sections of the project can delve into platform specifics. Encryption is an important issue, but we need to focus our efforts: are we going to push for better crypto in the hardware/OS layer, or focus on correcting common crypto flaws made by third-party devs?

Additionally, before we talk about encryption and storing sensitive data, we should ask ourselves what we consider sensitive data. Then we should try to understand if there is a legitimate reason to store sensitive data on the device. I picked a random credit union banking app from the Android marketplace to analyze, and it was using some weak-sauce crypto to "securely" cache account information on the device merely to provide for a snappier user experience. We also have more types of sensitive data when dealing with mobile, for example, location data. A developer might not think twice about storing your physical location history on the device in plain text, even though some folks might voice huge concerns over such data accumulation.

</initial_braindump>

Cheers,
Mike


________________________________________
From: owasp-mobile-project-bounces at lists.owasp.org [owasp-mobile-project-bounces at lists.owasp.org] On Behalf Of Sherif Koussa [sherif.koussa at gmail.com]
Sent: Thursday, September 16, 2010 9:42 AM
To: owasp-mobile-project at lists.owasp.org
Subject: Re: [Owasp-Mobile-Project] Mobile Top 10

I am thinking we might want to start with some scoping effort, in the sense of what would be included and what not. For example, are we only considering mobile apps, or also mobile browsers? By mobile, are we including devices like iPad, etc.? Or are we strictly focused on mobile cellular smart devices?

Also, information leakage on mobile devices is kind of a higher priority as far as mobile devices are concerned than, for example, unvalidated redirects and forwards. Not to say the latter is not a problem, but I believe information leakage is kind of more important.

Another point: lack of local data encryption on the device is an issue that is more important on the mobile front rather than the regular desktop/laptop front. According to some statistics I tried to gather, there are about 600K laptops lost or stolen every year; however, as far as cell phones, I saw stats from 12M to 30M lost or stolen cell phones every year. Maybe some folks from carrier companies may confirm these stats. What makes this problem more prevalent is the fact that most corporate laptops with sensitive information on them will have some kind of username and password or other protection mechanism, which might act as a mitigating control. However, there are very small numbers of cell phones that would need a password or a PIN to be able to use the device. Bottom line is: we might want to spell this out as lack of encryption on the "client" as well as the server.

Another thought. In the original Top 10, the good old Buffer Overflow was kicked for obvious reasons. However, with Windows Mobile (C/C++), iPhone (Objective-C) and Symbian (Symbian C++), we might want to rethink adding back Buffer Overflows. Not sure if there are so many exploits out there though that use mobile buffer overflows.

My 2 cents :)

Regards,
Sherif

On Wed, Sep 15, 2010 at 11:08 PM, Jack Mannino <jack at nvisiumsecurity.com> wrote:
Good Evening,

To follow up on the other thread, has anyone begun to draft up ideas for the Mobile Top 10?  I'm really curious to see what some other people think about this or have experienced firsthand.

-Jack

_______________________________________________
Owasp-mobile-project mailing list
Owasp-mobile-project at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-mobile-project
