[Owasp-leaders] OWASP Mobile Top Ten 2014: M10 Proposal - Positive Feedback
Jonathan Carter
jonathan.carter at owasp.org
Wed Nov 5 22:16:04 UTC 2014
Hi everyone,
Here is another proposal put forward by the group that has received
positive feedback from the community:
*Potential Renaming M10: From “Lack of Binary Protection” to “Unauthorized
Code Modification and Disclosure”:*
•*Rationale for renaming M10 based on community feedback*:
–“Lack of protection” may not be a risk in itself; protection is
viewed as a mitigation approach
– M10 naming should focus on describing the underlying
technical/business risk:
- Mobile application code on the client-side is vulnerable to
malicious code modification, run-time manipulation, code injection, and
sensitive code disclosure/leakage
- Results in violation of application integrity or
confidentiality
–This is a *distinct risk for client-side Mobile apps* (vs server-side
Web apps) where binary code is directly accessible for the attacker
–*Vital for ‘Builders’ and ‘Defenders’ to understand how their
client-side app code is exposed to these risks*
•*There is a large amount of community data supporting the underlying
technical/business risk*, e.g.,
–86% of all Android Malware is legit apps that have been repackaged
with malware (NC State University/IEEE Security & Privacy)
–87% of all Top 100 iOS apps and 97% of all Top 100 Android apps have
been found as rogue, modified versions (Arxan)
–~25% of apps in Google Play are unauthorized clones (Columbia School
of Engineering)
–86% of mobile apps are exposed to these issues (HP Fortify)
•*OWASP community has well-documented exploits and attack techniques for
this M10 showing how client-side binary code in iOS and Android apps can be
modified and manipulated*, e.g.,
–AppSecUSA 2014: “Runtime Manipulation of Android and iOS Applications”
by Aspect Security
–Black Hat: “Dark Art of iOS Application Hacking” (binary code
manipulation) by viaForensics
–“Pentesting iOS Apps - Runtime Analysis and Manipulation” by NESO
Security Labs
–“Building Custom Android Malware for Penetration Testing” (malicious
injection) by IOActive
–“Stealing Sensitive Data from Android Phones - the Hacker Way”
(malicious injection) by TCS
•*OWASP community has many projects that allude to M10*:
- OpenSAMM;
- BSIMM;
- iGoat;
- ASVS;
- Mitre Project;
•*OWASP’s existing M10 technical content can be easily rephrased to fit
this new name*
OWASP Community Has Shown Many Exploit Paths for “Unauthorized Code
Modification and Disclosure”
Attack vectors that directly connect to M10 include:
*Unauthorized Code Modification, Run-Time Manipulation, or Code Injection:*
method swizzling; method hooking; malware payload insertion; binary
patching; application re-signing and re-packaging
*Unauthorized Code Disclosure or Leakage:*
Application decryption; Java/.NET based metadata decompilation; String
analysis; Symbol dumping; Static or Dynamic key lifting
There Are Many Open Source Tools Available to Accomplish “Unauthorized Code
Modification and Disclosure”
*App Decryption / unpackaging / conversion*:
Clutch; APKTool; dex2jar
*Static Binary Analysis, disassembly, decompilation:*
IDA Pro; Hopper
JEB, JD GUI, Baksmali
Class / Symbol / string dumping
*Runtime binary analysis:*
GDB, ADB
Introspy, Snoop-in
*Runtime manipulation, hooking, code injection, swizzling, patching:*
Cydia Substrate, Theos Suite
Cycript, CInject
Hex editors
*Malware / trojan injection:*
Dendroid, AndroRAT
*Jailbreak detection evasion:*
xCon, tsProtector
*Integrated binary modification toolsets:*
AppUse, Snoop-In, iNalyzer, iRET
•“Breakers” are already capable of using these tools to accomplish exploits
•“Builders” and “Defenders” have lacked adequate education about the risks
with “Unauthorized Code Modification or Disclosure”
•*OWASP has a responsibility to bridge this education gap*
*“Unauthorized Code Modification and Disclosure” Exploits Can Result in
Significant Business Risks*
Unauthorized Code Modification, Run-Time Manipulation, or Injection:
•Application binaries can be *modified*
•*Run-time behavior* of applications can be altered
•*Malicious code* can be injected or hooked into applications
Unauthorized Code Disclosure or Leakage
•*Sensitive information* can be exposed
•Applications can be reverse-engineered back to the *source code*
•Code can be lifted and *reused or repackaged*
Potential Business Consequences:
•Information Loss
•IP Theft
•Piracy
•Revenue Loss
•Fraud
•Brand Damage
*Mitigation of “Unauthorized Code Modification and Disclosure”*
•Multiple potential mitigation approaches to “Unauthorized Code
Modification and Disclosure”
•These include, for instance:
–Avoid sensitive code on the client-side, while recognizing that this
may not be desirable or possible for the optimal functionality and user
experience
–Utilize techniques that complicate reverse-engineering and analysis of
the client-side code to raise the bar for exploitation
–Utilize techniques inside the app that prevent or detect unauthorized
code modification, run-time manipulation, or malicious code injection