[Owasp-mobile-security-project] Consideration for Top 10
Sarath Geethakumar
sarath at sarath-g.com
Fri Jun 17 19:33:09 EDT 2011
Fellow Security Enthusiasts,
I have been a silent member of the OWASP mobile security project for a while
now, mainly because of my travel and work schedule.
However, I really see that this group has been doing amazing work with
some of the top 10 vulnerabilities listed on the OWASP wiki.
My name is Sarath Geethakumar and I'm an Information Security Specialist at
American Express. My research and area of work encompasses mobile and
wireless security. I would like to take this opportunity to put forth another
threat/vulnerability to be considered for OWASP Top 10 mobile threats (or
learn from this group, if this issue has a fix that I'm not aware of).
We have been hearing a lot of news and information regarding Fake banking
applications and trojans in Android market place.
These trojans and malware go undetected as they speak the same language as a
legit banking app - XML based communication with backend webservice or web
application.
This brings us to one of the most challenging mobile security issues faced
by developers and security architects today: *Lack of Data Source and Client
side integrity attestation*
(I'm not sure if this point is already under consideration or ever
considered, as I could not find any direct points addressing this issue on
the wiki).
In simple words, how can the backend detect and identify the source of
origin of a request? We faced similar issues with web applications,
probably a while ago, which we termed CSRF (cross site request
forgery). Though we were able to incorporate security controls and features
for CSRF, we have yet to deal with the same in the mobile application space,
i.e. to identify where or which app a request originated from.
I have heard and seen a couple of potential fixes in the past, all of which
failed to fix the root cause of this issue. Putting unique identifiers,
encryption keys on the device/in the code, etc. is definitely not the solution. From a
threat modeling perspective, any request coming from a mobile device can be
forged or compromised if the device is rooted or if the application is
compromised or recompiled with malicious intention.
To aggravate the situation, current mobile devices have dual core processors
and a good amount of RAM to facilitate on-device application modification and
recompilation. This has been successfully demonstrated by apps like "Privacy
Blocker" which has the ability to scan other apk's and modify them on the
device itself. This issue is not only a threat to banking applications but
also to any application that relies on data provided by the mobile device for
purposes of tracking, licensing, etc.
*Cutting my point short, I would like to open a discussion on this topic so
as to consider "Lack of data source and client side integrity attestation"
as a potential candidate for OWASP's Top 10 mobile threats.*
I'm pretty sure that this will open the floor for some good discussion.
Looking forward to hearing your thoughts and comments. Would love to know if
someone already knows a fix or potential fix for the same.
PS: Pardon any delay in mail responses, as my access to personal mail is
very limited during working hours.
Thanks & Regards,
Sarath Geethakumar
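As an illustration of the threat-modeling point made in the message above (this is an added example, not part of Sarath's post), here is a small Python model of a backend that tries to recognise "the banking app" by a static key compiled into the app package. Every name, key value and request body in it is constructed for the example. It shows what such a check actually proves (the signer held the key) and what it cannot prove (which app or device sent the request): a repackaged copy carrying the same key produces requests the backend cannot tell apart from the genuine app's.

```python
import hashlib
import hmac
import json

# Constructed example: a hypothetical backend that tries to recognise the
# banking app by a static HMAC key shipped inside the app package.
# The key value below is made up for this illustration.
EMBEDDED_APP_KEY = b"hypothetical-key-compiled-into-the-apk"


def sign_request(key: bytes, body: dict) -> dict:
    """Client side: tag a JSON request body with HMAC-SHA256 under `key`."""
    payload = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def backend_accepts(request: dict) -> bool:
    """Backend side: accept the request if its tag verifies under the app key.

    All this establishes is that whoever produced the tag possessed
    EMBEDDED_APP_KEY. It says nothing about which app, or which device,
    the request came from.
    """
    payload = json.dumps(request["body"], sort_keys=True).encode()
    expected = hmac.new(EMBEDDED_APP_KEY, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, request["tag"])


# Three callers, as seen from the backend's threat model (all constructed):
#   - the genuine app, using the key it was shipped with
#   - a repackaged copy on a rooted device that carries the same key,
#     because the key is part of the package it was built from
#   - an unrelated client that never had the key
TRANSFER = {"action": "transfer", "amount": 100, "to": "ACCT-CONSTRUCTED"}

# What a repackaged copy holds: the very same bytes as the genuine app.
KEY_PRESENT_IN_REPACKAGED_COPY = EMBEDDED_APP_KEY


def request_from_genuine_app() -> dict:
    return sign_request(EMBEDDED_APP_KEY, TRANSFER)


def request_from_repackaged_app() -> dict:
    return sign_request(KEY_PRESENT_IN_REPACKAGED_COPY, TRANSFER)


def request_without_key() -> dict:
    return sign_request(b"some-other-key", TRANSFER)


def backend_can_tell_apart(req_a: dict, req_b: dict) -> bool:
    """True only if the backend's verdict differs between the two requests."""
    return backend_accepts(req_a) != backend_accepts(req_b)


if __name__ == "__main__":
    genuine = request_from_genuine_app()
    repackaged = request_from_repackaged_app()
    stranger = request_without_key()
    print("genuine accepted:    ", backend_accepts(genuine))     # True
    print("repackaged accepted: ", backend_accepts(repackaged))  # True
    print("no-key accepted:     ", backend_accepts(stranger))    # False
    print("genuine vs repackaged distinguishable:",
          backend_can_tell_apart(genuine, repackaged))           # False
```

The check does narrow the set of callers to "anyone holding the key", which is why it is not useless against an unrelated client; the point of the message is that on a rooted device, or after recompilation, that set includes the malicious copy, so the control identifies possession of a secret rather than the origin of the request.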