[Owasp-leaders] OWASP Mobile Top Ten 2014: M10 Proposal - Positive Feedback

Neil Smithline neil.smithline at owasp.org
Wed Nov 5 22:32:41 UTC 2014


This seems an improvement to me.

Neil

PS: Thx for doing an excellent job at managing this discussion.


Neil Smithline
408-634-5764
http://www.neilsmithline.com

On Wed, Nov 5, 2014 at 5:16 PM, Jonathan Carter <jonathan.carter at owasp.org>
wrote:

> Hi everyone,
> Here is another proposal put forward by the group that has received
> positive feedback from the community:
>
> *Potential Renaming M10: From “Lack of Binary Protection” to “Unauthorized
> Code Modification and Disclosure”:*
>
> •*Rationale for renaming M10 based on community feedback*:
>      –“Lack of protection” may not be a risk in itself; protection is
> viewed as a mitigation approach
>
>      – M10 naming should focus on describing the underlying
> technical/business risk:
>             - Mobile application code on the client-side is vulnerable to
> malicious code modification, run-time manipulation, code injection, and
> sensitive code disclosure/leakage
>             - Results in violation of application integrity or
> confidentiality
>      –This is a *distinct risk for client-side Mobile apps* (vs
> server-side Web apps) where binary code is directly accessible for the
> attacker
>      –*Vital for ‘Builders’ and ‘Defenders’ to understand how their
> client-side app code is exposed to these risks*
>
> •*There is a large amount of community data supporting the underlying
> technical/business risk*, e.g.,
>      –86% of all Android Malware is legit apps that have been repackaged
> with malware (NC State University/IEEE Security & Privacy)
>     –87% of all Top 100 iOS apps and 97% of all Top 100 Android apps have
> been found as rogue, modified versions (Arxan)
>      –~25% of apps in Google Play are unauthorized clones (Columbia School
> of Engineering)
>      –86% of mobile apps are exposed to these issues (HP Fortify)
>
> •*OWASP community has well-documented exploits and attack techniques for
> this M10 showing how client-side binary code in iOS and Android apps can be
> modified and manipulated*, e.g.,
>     –AppSecUSA 2014: “Runtime Manipulation of Android and iOS
> Applications” by Aspect Security
>     –Black Hat: “viaForensics: Dark Art of iOS Application Hacking”
> (binary code manipulation) by viaForensics
>     –"Pentesting iOS Apps - Runtime Analysis and Manipulation” by NESO
> Security Labs
>     –"Building Custom Android Malware for Penetration Testing” (malicious
> injection) by IOActive
>     –"Stealing Sensitive Data from Android Phones - the Hacker Way”
> (malicious injection) by TCS
>
> •*OWASP community has many projects that allude to M10*:
>     - OpenSAMM;
>     - BSIMM;
>     - iGoat;
>     - ASVS;
>     - Mitre Project;
>
> •*OWASP’s existing M10 technical content can be easily rephrased to fit
> this new name*
>
> OWASP Community Has Shown Many Exploit Paths for “Unauthorized Code
> Modification and Disclosure”
>
> Attack vectors that directly connect to M10 include:
>
> *Unauthorized Code Modification, Run-Time Manipulation, or Code Injection:*
> method swizzling; method hooking; malware payload insertion; binary
> patching; application re-signing and re-packaging
>
> *Unauthorized Code Disclosure or Leakage:*
> Application decryption; Java/.NET based metadata decompilation; String
> analysis; Symbol dumping; Static or Dynamic key lifting
>
> There Are Many Open Source Tools Available to Accomplish “Unauthorized
> Code Modification and Disclosure”
>
> *App Decryption / unpackaging / conversion*:
> Clutch; APKTool; dex2jar
>
> *Static Binary Analysis, disassembly, decompilation:*
> IDA Pro; Hopper
> JEB, JD GUI, Baksmali
> Class / Symbol / string dumping
>
> *Runtime binary analysis:*
> GDB, ADB
> Introspy, Snoop-in
>
> *Runtime manipulation, hooking, code injection, swizzling, patching:*
> Cydia Substrate, Theos Suite
> Cycript, CInject
> Hex editors
>
> *Malware / trojan injection:*
> Dendroid, AndroRAT
>
> *Jailbreak detection evasion:*
> xCon, tsProtector
>
> *Integrated binary modification toolsets:*
> AppUse, Snoop-In, iNalyzer, iRET
>
> •“Breakers” are already capable of using these tools to accomplish exploits
>
> •“Builders” and “Defenders” have lacked adequate education about the risks
> with “Unauthorized Code Modification or Disclosure”
>
> •*OWASP has a responsibility to bridge this education gap*
>
>
> *“Unauthorized Code Modification and Disclosure” Exploits Can Result in
> Significant Business Risks*
>
> Unauthorized Code Modification, Run-Time Manipulation, or Injection:
> •Application binaries can be *modified*
> •*Run-time behavior* of applications can be altered
> •*Malicious code* can be injected or hooked into applications
>
> Unauthorized Code Disclosure or Leakage
>     •*Sensitive information* can be exposed
>     •Applications can be reverse-engineered back to the *source code*
>     •Code can be lifted and *reused or repackaged*
>
> Potential Business Consequences:
>    •Information Loss
>    •IP Theft
>    •Piracy
>    •Revenue Loss
>    •Fraud
>    •Brand Damage
>
> *Mitigation of “Unauthorized Code Modification and Disclosure”*
>
> •Multiple potential mitigation approaches to “Unauthorized Code
> Modification and Disclosure”
>
> •These include, for instance:
>     –Avoid sensitive code on the client-side, while recognizing that this
> may not be desirable or possible for the optimal functionality and user
> experience
>     –Utilize techniques that complicate reverse-engineering and analysis
> of the client-side code to raise the bar for exploitation
>     –Utilize techniques inside the app that prevent or detect unauthorized
> code modification, run-time manipulation, or malicious code injection
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
>
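The last mitigation bullet in the quoted proposal (techniques inside the app that detect unauthorized code modification) is the kind of control a builder would want to see concretely. The following is an added example written for this page; it is not code from the thread, from the OWASP Mobile Top Ten project, or from any of the tools listed above. It models a signed integrity manifest: the release pipeline records a SHA-256 digest of the app's code segment and authenticates it with an HMAC key, and the app checks both at run time. All names and values (`RELEASE_KEY`, `ORIGINAL_CODE`, the attacker key) are constructed stand-ins. The last scenario deliberately goes one step beyond the bullet: it shows what happens when the verifying key itself is lifted from the client, which is the "static or dynamic key lifting" vector the proposal names and the reason such checks raise the bar rather than prevent repackaging.

```python
import hashlib
import hmac

# Constructed sample data (not from the thread): stand-ins for an app's code
# segment and for the release pipeline's signing key.
RELEASE_KEY = b"release-pipeline-secret-example"   # assumption: held by the build system
ORIGINAL_CODE = b"\x7fELF...original app code..."  # stand-in for a dex/Mach-O segment


def code_digest(code: bytes) -> str:
    """SHA-256 of the code bytes the app expects to find at run time."""
    return hashlib.sha256(code).hexdigest()


def build_manifest(code: bytes, signing_key: bytes) -> dict:
    """Build-time step: record the expected digest and authenticate it.

    Without the tag, an attacker who patches the code simply updates the
    digest constant as well, so the check has to be bound to a key.
    """
    digest = code_digest(code)
    tag = hmac.new(signing_key, digest.encode(), hashlib.sha256).hexdigest()
    return {"sha256": digest, "tag": tag}


def verify_integrity(code: bytes, manifest: dict, verifying_key: bytes) -> tuple[bool, str]:
    """Run-time step: report whether the shipped code matches the signed manifest."""
    expected_tag = hmac.new(verifying_key, manifest["sha256"].encode(), hashlib.sha256).hexdigest()
    # Constant-time comparisons so the check itself does not leak the tag or digest.
    if not hmac.compare_digest(expected_tag, manifest["tag"]):
        return False, "manifest tag mismatch: manifest edited or re-signed with another key"
    if not hmac.compare_digest(code_digest(code), manifest["sha256"]):
        return False, "code digest mismatch: binary patched or repackaged"
    return True, "ok"


def run_scenarios() -> dict:
    """Exercise the check against the tampering cases the proposal lists."""
    manifest = build_manifest(ORIGINAL_CODE, RELEASE_KEY)
    patched = ORIGINAL_CODE.replace(b"original", b"patched!")  # binary patching
    attacker_key = b"attacker-key-example"                       # constructed
    return {
        # Untouched release build: both checks pass.
        "untouched": verify_integrity(ORIGINAL_CODE, manifest, RELEASE_KEY),
        # Code patched, manifest left alone: digest check catches it.
        "binary_patched": verify_integrity(patched, manifest, RELEASE_KEY),
        # Code patched and manifest rebuilt under a key the pipeline never used:
        # tag check catches it.
        "repackaged_resigned": verify_integrity(
            patched, build_manifest(patched, attacker_key), RELEASE_KEY),
        # Key lifting: if the verifying key ships inside the client and is
        # extracted, a repackaged build passes. This is the limit of an
        # in-app check and why a verifier outside the attacker's reach
        # (platform signature, server-side attestation) is the stronger anchor.
        "repackaged_with_lifted_key": verify_integrity(
            patched, build_manifest(patched, RELEASE_KEY), RELEASE_KEY),
    }


if __name__ == "__main__":
    for name, (ok, reason) in run_scenarios().items():
        print(f"{name:28s} {'PASS' if ok else 'FAIL'}  {reason}")
```

Running the module prints one line per scenario; the first passes, the two tampering cases fail with distinct reasons, and the lifted-key case passes, which is the caveat to keep in mind when weighing this mitigation against "avoid sensitive code on the client-side" from the same list.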