[Owasp-leaders] OWASP Mobile Top Ten 2014: M10 Proposal - Positive Feedback

Jason Haddix jason.haddix at owasp.org
Wed Nov 5 22:50:46 UTC 2014


Hey Jonathan,

Please move all feedback to the mobile list, we are spamming the leaders
list.

Anyone interested in that conversation can come discuss it on:

https://groups.google.com/a/owasp.org/forum/#!forum/owasp-mobile-top-10-risks

(requires request for access, which Jack Mannino manages)



On Wed, Nov 5, 2014 at 2:32 PM, Neil Smithline <neil.smithline at owasp.org>
wrote:

> This seems an improvement to me.
>
> Neil
>
> PS: Thx for doing an excellent job at managing this discussion.
>
>
> Neil Smithline
> 408-634-5764
> http://www.neilsmithline.com
>
> On Wed, Nov 5, 2014 at 5:16 PM, Jonathan Carter <jonathan.carter at owasp.org> wrote:
>
>> Hi everyone,
>> Here is another proposal put forward by the group that has received
>> positive feedback from the community:
>>
>> *Potential Renaming M10: From “Lack of Binary Protection” to
>> “Unauthorized Code Modification and Disclosure”:*
>>
>> •*Rationale for renaming M10 based on community feedback*:
>>      –“Lack of protection” may not be a risk in itself; protection is
>> viewed as a mitigation approach
>>
>>      – M10 naming should focus on describing the underlying
>> technical/business risk:
>>             - Mobile application code on the client-side is vulnerable to
>> malicious code modification, run-time manipulation, code injection, and
>> sensitive code disclosure/leakage
>>             - Results in violation of application integrity or
>> confidentiality
>>      –This is a *distinct risk for client-side Mobile apps* (vs
>> server-side Web apps) where binary code is directly accessible for the
>> attacker
>>      –*Vital for ‘Builders’ and ‘Defenders’ to understand how their
>> client-side app code is exposed to these risks*
>>
>> •*There is a large amount of community data supporting the underlying
>> technical/business risk*, e.g.,
>>      –86% of all Android Malware is legit apps that have been repackaged
>> with malware (NC State University/IEEE Security & Privacy)
>>     –87% of all Top 100 iOS apps and 97% of all Top 100 Android apps have
>> been found as rogue, modified versions (Arxan)
>>      –~25% of apps in Google Play are unauthorized clones (Columbia
>> School of Engineering)
>>      –86% of mobile apps are exposed to these issues (HP Fortify)
>>
>> •*OWASP community has well-documented exploits and attack techniques for
>> this M10 showing how client-side binary code in iOS and Android apps can be
>> modified and manipulated*, e.g.,
>>     –AppSecUSA 2014: “Runtime Manipulation of Android and iOS
>> Applications” by Aspect Security
>>     –Black Hat: “Dark Art of iOS Application Hacking” (binary code
>> manipulation) by viaForensics
>>     –"Pentesting iOS Apps - Runtime Analysis and Manipulation” by NESO
>> Security Labs
>>     –"Building Custom Android Malware for Penetration Testing” (malicious
>> injection) by IOActive
>>     –"Stealing Sensitive Data from Android Phones - the Hacker Way”
>> (malicious injection) by TCS
>>
>> •*OWASP community has many projects that allude to M10*:
>>     - OpenSAMM;
>>     - BSIMM;
>>     - iGoat;
>>     - ASVS;
>>     - Mitre Project;
>>
>> •*OWASP’s existing M10 technical content can be easily rephrased to fit
>> this new name*
>>
>> OWASP Community Has Shown Many Exploit Paths for “Unauthorized Code
>> Modification and Disclosure”
>>
>> Attack vectors that directly connect to M10 include:
>>
>> *Unauthorized Code Modification, Run-Time Manipulation, or Code
>> Injection:*
>> method swizzling; method hooking; malware payload insertion; binary
>> patching; application re-signing and re-packaging
>>
>> *Unauthorized Code Disclosure or Leakage:*
>> Application decryption; Java/.NET based metadata decompilation; String
>> analysis; Symbol dumping; Static or Dynamic key lifting
>>
>> There Are Many Open Source Tools Available to Accomplish “Unauthorized
>> Code Modification and Disclosure”
>>
>> *App Decryption / unpackaging / conversion*:
>> Clutch; APKTool; dex2jar
>>
>> *Static Binary Analysis, disassembly, decompilation:*
>> IDA Pro; Hopper
>> JEB, JD GUI, Baksmali
>> Class / Symbol / string dumping
>>
>> *Runtime binary analysis:*
>> GDB, ADB
>> Introspy, Snoop-in
>>
>> *Runtime manipulation, hooking, code injection, swizzling, patching:*
>> Cydia Substrate, Theos Suite
>> Cycript, CInject
>> Hex editors
>>
>> *Malware / trojan injection:*
>> Dendroid, AndroRAT
>>
>> *Jailbreak detection evasion:*
>> xCon, tsProtector
>>
>> *Integrated binary modification toolsets:*
>> AppUse, Snoop-In, iNalyzer, iRET
>>
>> •“Breakers” are already capable of using these tools to accomplish
>> exploits
>>
>> •“Builders” and “Defenders” have lacked adequate education about the
>> risks with “Unauthorized Code Modification or Disclosure”
>>
>> •*OWASP has a responsibility to bridge this education gap*
>>
>>
>> *“Unauthorized Code Modification and Disclosure” Exploits Can Result in
>> Significant Business Risks*
>>
>> Unauthorized Code Modification, Run-Time Manipulation, or Injection:
>> •Application binaries can be *modified*
>> •*Run-time behavior* of applications can be altered
>> •*Malicious code* can be injected or hooked into applications
>>
>> Unauthorized Code Disclosure or Leakage
>>     •*Sensitive information* can be exposed
>>     •Applications can be reverse-engineered back to the *source code*
>>     •Code can be lifted and *reused or repackaged*
>>
>> Potential Business Consequences:
>>    •Information Loss
>>    •IP Theft
>>    •Piracy
>>    •Revenue Loss
>>    •Fraud
>>    •Brand Damage
>>
>> *Mitigation of “Unauthorized Code Modification and Disclosure”*
>>
>> •Multiple potential mitigation approaches to “Unauthorized Code
>> Modification and Disclosure”
>>
>> •These include, for instance:
>>     –Avoid sensitive code on the client-side, while recognizing that this
>> may not be desirable or possible for the optimal functionality and user
>> experience
>>     –Utilize techniques that complicate reverse-engineering and analysis
>> of the client-side code to raise the bar for exploitation
>>     –Utilize techniques inside the app that prevent or detect
>> unauthorized code modification, run-time manipulation, or malicious code
>> injection
>>
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>>
>


-- 
Jason Haddix
OWASP Mobile Top Ten Project Leader
Mobile Security Researcher
(805) 698 2885
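The last mitigation bullet in the quoted proposal (techniques inside the app that detect unauthorized code modification) is the one that most often gets asked "what does that look like in code?". The Android snippet below is an added illustration, not code from the proposal or from the OWASP Mobile project: it pins the SHA-256 fingerprint of the release signing certificate and compares it at runtime with the signer of the installed APK. Because Android requires any repackaged or binary-patched APK to be re-signed, a tampered build will not match. The `EXPECTED_SHA256` value is a placeholder to be replaced with the fingerprint of a real release key; the class name and method names are my own.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Locale;

/**
 * Added example (not from the proposal): detect that the running APK has
 * been re-signed, which is what repackaging / binary patching forces an
 * attacker to do. Compares the signer certificate against a pinned digest.
 */
public final class SignerCheck {

    // PLACEHOLDER: replace with the SHA-256 fingerprint of the real release
    // certificate (e.g. from `keytool -list -v -keystore release.jks`).
    private static final String EXPECTED_SHA256 =
        "0000000000000000000000000000000000000000000000000000000000000000";

    private SignerCheck() {}

    /**
     * Returns true only if the APK carries at least one signer and every
     * signer's certificate matches the pinned fingerprint.
     * GET_SIGNATURES is the API available in 2014; on API 28+ prefer
     * GET_SIGNING_CERTIFICATES and info.signingInfo.getApkContentsSigners().
     */
    public static boolean isSignedByReleaseKey(Context context) {
        try {
            PackageInfo info = context.getPackageManager().getPackageInfo(
                context.getPackageName(), PackageManager.GET_SIGNATURES);
            if (info.signatures == null || info.signatures.length == 0) {
                return false; // unsigned or unreadable: treat as tampered
            }
            for (Signature sig : info.signatures) {
                // sig.toByteArray() is the DER-encoded X.509 certificate
                String actual = sha256Hex(sig.toByteArray());
                if (!EXPECTED_SHA256.equalsIgnoreCase(actual)) {
                    return false;
                }
            }
            return true;
        } catch (PackageManager.NameNotFoundException e) {
            return false;
        } catch (NoSuchAlgorithmException e) {
            return false;
        }
    }

    /** Hex-encoded SHA-256 of the DER certificate bytes. */
    static String sha256Hex(byte[] der) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        StringBuilder sb = new StringBuilder();
        for (byte b : md.digest(der)) {
            sb.append(String.format(Locale.ROOT, "%02x", b));
        }
        return sb.toString();
    }
}
```

Two caveats belong with this check. First, it runs inside the very binary the proposal says is exposed: the hooking and patching tools listed above (Cydia Substrate, Xposed-style method hooking, hex editors) can make `isSignedByReleaseKey` return `true` or strip the call entirely, so it raises the bar rather than preventing modification, which is exactly how the proposal's second and third mitigation bullets frame it. Second, it only tells the client what the client already believes; the proposal's first bullet, keeping sensitive logic and secrets off the client, remains the mitigation that does not depend on the integrity of code the attacker holds.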