Mobile OWASP Top 10 (2016) : Android

Android is the operating system that runs on most of the world's smartphones and tablets. It is developed by Google, which acquired Android Inc. in 2005 and unveiled the platform in 2007, the same year Apple released the first iPhone; the first Android handset shipped in 2008. The operating system is the underlying software that manages the device's hardware, enforces the boundaries between apps and runs them. It is distinct from the apps you download onto it, and most of the weaknesses below live in those apps rather than in the platform itself.

Mobile OWASP Top 10 (2016)

1. Improper Platform Usage

Misuse of a platform feature, or failure to use a platform security control, on Android or iOS. Typical issues are Android components that any app on the device can reach through intents because they are exported without a permission check, and misuse of the Keychain on iOS.

Best practice

ANDROID – Implement intents carefully
Intents are the signalling mechanism between app components (Activities, Services, BroadcastReceivers and ContentProviders). A component that is exported, either explicitly with android:exported="true" or implicitly by declaring an intent-filter, can be started by any other app on the device. Improper handling lets another app read the data carried in an intent, call functions that should be restricted, or manipulate program flow. Declare components android:exported="false" unless other apps must reach them, protect the exported ones with a permission, treat all intent extras as untrusted input, and use explicit intents (naming the package or component) when sending sensitive data.
iOS – Use the keychain carefully
iOS provides the Keychain for storing small secrets. Its protection depends on the accessibility class chosen and on the device passcode: on a jailbroken device, or one with a weak passcode, Keychain items can be dumped and decrypted. Use the most restrictive class that fits (for example kSecAttrAccessibleWhenUnlockedThisDeviceOnly) and do not treat the Keychain as a substitute for keeping high-value secrets off the device.

2. Insecure Data Storage

The app writes sensitive information to the device (SharedPreferences, SQLite databases, log files, the SD card, cached screenshots) where another app, someone with physical access, or forensic tooling can read it. In one cited test of 400,000 mobile apps, 1 in 10 leaked private, sensitive data such as email address, username, or password.

Best practice

Implement secure data storage
Where the design allows it, transmit and display sensitive data but do not persist it to disk: keep it only in memory and clear it when the app closes. Check for indirect leaks as well: Android writes a screenshot of each activity to disk for the task switcher (set FLAG_SECURE on windows that show sensitive data), and the keyboard cache and logcat can both capture what is on screen.
Securely store data in RAM
Do not keep sensitive data such as encryption keys, passwords or session tokens in memory longer than required. Hold them in mutable arrays (byte[] or char[]) rather than String and overwrite the arrays with zeros after use; a String is immutable and its contents stay in the heap until the garbage collector happens to reclaim them.
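To check the storage advice above on a real device, a tester pulls the app's private directory (adb pull /data/data/<package>) and looks for secrets stored in the clear. Below is an added Python example, not code from the original post; the pulled tree is constructed in memory so it runs offline, and the list of key names it looks for is illustrative. It parses SharedPreferences XML, greps other text files for key/value pairs, skips binaries, and flags world-readable file modes.

```python
import re
import stat
import xml.etree.ElementTree as ET

# Constructed stand-in for `adb pull /data/data/com.example.bank` (not from a
# real device): path -> (unix mode, file contents).
PULLED_TREE = {
    "shared_prefs/user.xml": (0o660, b"""<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="username">alice</string>
    <string name="password">hunter2</string>
    <string name="auth_token">eyJhbGciOiJIUzI1NiJ9.e30.sig</string>
    <boolean name="dark_mode" value="true" />
</map>"""),
    "shared_prefs/settings.xml": (0o660, b'<map><string name="theme">dark</string></map>'),
    # MODE_WORLD_READABLE: readable by every app on devices where the data
    # directory itself is traversable (Android 6 and below).
    "files/config.json": (0o664, b'{"api_key": "AKIAEXAMPLEKEY123456", "endpoint": "https://api.example.com"}'),
    "cache/http/abc.0": (0o660, b"HTTP/1.1 200 OK\r\nSet-Cookie: session=3f9c...; HttpOnly\r\n\r\n{}"),
    "files/logo.png": (0o660, b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"),
}

# Key names that should never sit next to a plaintext value (illustrative list).
SENSITIVE_KEY = re.compile(r"pass(?:word|wd)?|pwd|secret|token|api[_-]?key|session|cookie|ssn|card", re.I)
# key=value and "key": value pairs in JSON, properties or HTTP-style text.
KEY_VALUE = re.compile(r"""["']?([A-Za-z_\-]+)["']?\s*[:=]\s*["']?([^"',\s;]+)""")


def looks_binary(data):
    return b"\x00" in data[:1024]


def scan_shared_prefs(path, data):
    """SharedPreferences XML: flag sensitive keys stored as plain values."""
    findings = []
    for entry in ET.fromstring(data):
        name = entry.get("name", "")
        if SENSITIVE_KEY.search(name):
            value = entry.text if entry.text is not None else entry.get("value", "")
            findings.append((path, "plaintext preference %r" % name, value))
    return findings


def scan_text(path, data):
    """Any other text file: look for sensitive key/value pairs."""
    findings = []
    for key, value in KEY_VALUE.findall(data.decode("utf-8", errors="replace")):
        if SENSITIVE_KEY.search(key):
            findings.append((path, "sensitive key %r in text file" % key, value))
    return findings


def scan_pulled_tree(tree):
    """Return (path, finding, value) triples for the pulled directory."""
    findings = []
    for path, (mode, data) in sorted(tree.items()):
        if mode & (stat.S_IROTH | stat.S_IWOTH):
            findings.append((path, "world-accessible mode %o" % mode, ""))
        if looks_binary(data):
            continue
        if path.startswith("shared_prefs/") and path.endswith(".xml"):
            findings.extend(scan_shared_prefs(path, data))
        else:
            findings.extend(scan_text(path, data))
    return findings


if __name__ == "__main__":
    for path, finding, value in scan_pulled_tree(PULLED_TREE):
        print("%-28s %-40s %s" % (path, finding, value))
```

The sample produces findings for the password and token in user.xml, the API key and the world-readable mode on config.json, and the Set-Cookie header preserved in the HTTP cache; settings.xml and the PNG produce nothing. SQLite databases under databases/ need a real parser (sqlite3 in the standard library) rather than a regex, and anything on external storage should be treated as readable by every app.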

3. Insecure Communication

Insecure communication covers sensitive data sent in cleartext (HTTP, unencrypted sockets) as well as TLS that is used badly: accepting any server certificate, ignoring hostname mismatches, trusting user-installed CAs, or allowing obsolete protocol versions and cipher suites. Either way, anyone on the network path, such as the operator of a public Wi-Fi hotspot, can read or alter the traffic.

Best Practice

Implement secure transmission of sensitive data
Use TLS (not the deprecated SSL versions) for every connection that carries passwords, login IDs, session tokens or other sensitive data, verify the server's certificate chain and hostname rather than overriding the TrustManager or HostnameVerifier, and pin the certificate or public key of your own backend where you control both ends. Where the threat model warrants it, go further and encrypt sensitive fields at the application layer so that a compromised TLS endpoint or an intercepting proxy still does not expose user data.
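On Android 7.0 and later the app's TLS policy is declared in res/xml/network_security_config.xml, so most of the mistakes above can be caught by reading that file out of the APK. The added example below is not code from the original post; it audits such a file for cleartext permissions, trust in user-installed CAs, expired pin sets and missing backup pins. The configuration it checks is constructed with several weak settings on purpose, the pin value is a placeholder, and the function name is ours.

```python
import xml.etree.ElementTree as ET
from datetime import date

# Constructed res/xml/network_security_config.xml with several weak settings
# on purpose (not from a real app). The pin value is a placeholder.
SAMPLE_NSC = """<network-security-config>
  <base-config cleartextTrafficPermitted="true">
    <trust-anchors>
      <certificates src="system"/>
      <certificates src="user"/>
    </trust-anchors>
  </base-config>
  <domain-config>
    <domain includeSubdomains="true">api.example.com</domain>
    <pin-set expiration="2018-01-01">
      <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
    </pin-set>
  </domain-config>
  <domain-config cleartextTrafficPermitted="true">
    <domain>cdn.example.com</domain>
  </domain-config>
  <debug-overrides>
    <trust-anchors><certificates src="user"/></trust-anchors>
  </debug-overrides>
</network-security-config>
"""


def audit_network_security_config(xml_text, today_iso):
    """Return (scope, finding) pairs. `today_iso` (YYYY-MM-DD) is passed in
    so the pin-expiry check is deterministic."""
    today = date.fromisoformat(today_iso)
    root = ET.fromstring(xml_text)
    findings = []

    base = root.find("base-config")
    if base is None:
        findings.append(("base-config", "missing: cleartext defaults to permitted when targetSdkVersion < 28"))
    else:
        clear = base.get("cleartextTrafficPermitted")
        if clear is None:
            findings.append(("base-config", "cleartextTrafficPermitted not set: defaults to permitted when targetSdkVersion < 28"))
        elif clear.lower() == "true":
            findings.append(("base-config", "cleartextTrafficPermitted=true: plain HTTP allowed to every host"))

    # Trusting user-added CAs outside <debug-overrides> means anyone who can
    # install a CA on the device (an intercepting proxy, for instance) can read
    # the app's TLS traffic. This was the platform default before Android 7.
    for scope in ("base-config", "domain-config"):
        for cfg in root.findall(scope):
            for cert in cfg.findall("./trust-anchors/certificates"):
                if cert.get("src") == "user":
                    findings.append((scope, 'trusts src="user" CAs: interception proxies will succeed'))

    for cfg in root.findall("domain-config"):
        label = ",".join(d.text.strip() for d in cfg.findall("domain"))
        if (cfg.get("cleartextTrafficPermitted") or "").lower() == "true":
            findings.append((label, "cleartextTrafficPermitted=true for this domain"))
        pin_set = cfg.find("pin-set")
        if pin_set is None:
            continue  # no pinning: the system/user CA store decides
        expiration = pin_set.get("expiration")
        if expiration and date.fromisoformat(expiration) < today:
            findings.append((label, "pin-set expired on %s: pins are no longer enforced" % expiration))
        if len(pin_set.findall("pin")) < 2:
            findings.append((label, "only one pin: no backup pin, so a key rotation bricks the app"))
    return findings


if __name__ == "__main__":
    for scope, finding in audit_network_security_config(SAMPLE_NSC, date.today().isoformat()):
        print("%-18s %s" % (scope, finding))
```

Against the sample it reports five issues: global cleartext, user CAs trusted in base-config, an expired pin set and a single pin for api.example.com, and cleartext for cdn.example.com. The user CA in debug-overrides is not reported because that block only applies to debuggable builds. Remember that this file is only consulted by the platform's own TLS stack; an app that ships its own TrustManager or uses a third-party HTTP client with custom trust settings needs those checked in code as well.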

4. Insecure Authentication

Mobile apps need to identify a user securely and maintain that identity across requests, especially when the user retrieves or submits sensitive data such as financial information. Weak schemes include authenticating on the client only, accepting API requests that carry no token at all, tokens that never expire, and trusting a device identifier in place of a login.

Best practice

Hide account numbers and use tokens
Mobile apps are used in public places, so display only a partial number (e.g. ****9881) wherever possible. Unless there is a genuine need to store the complete number on the device, store only the masked form and let the server hold the full value behind an opaque token.

Example: Ola
India's largest startup, with $1.1B in funding, was hacked to allow unlimited free rides.
The attacker used a man-in-the-middle (MITM) proxy to read the app's API calls, which were sent over HTTP.
No OAuth-style token mechanism or encryption was in place to guard the APIs, so anyone on the network path could read and reproduce the requests.

5. Insufficient Cryptography

Encryption is applied, but in a way that still lets an attacker recover the plaintext. Either the process is wrong (a hardcoded or predictable key, a reused IV, a key derived from a short password with a plain hash, a home-grown scheme) or the algorithm itself is weak or misused (DES, RC4, MD5, AES in ECB mode).

Best practice

Implement secure data storage
If storing sensitive data on the device is a requirement, do not rely on the platform's disk encryption alone, which protects data only while the device is locked. Add a layer of your own encryption using a well-reviewed standard library rather than a home-grown scheme, with an authenticated mode such as AES-GCM and a key kept in hardware-backed storage (the Android Keystore or the iOS Keychain) instead of one embedded in the app. Doing so gives you control over the implementation and limits the impact of weaknesses in the OS-provided encryption classes you would otherwise depend on.

6. Insecure Authorization

Insecure authorization is the server trusting identity or permission claims supplied by the mobile app (a user ID or account number in the request, an "isAdmin" flag, a hidden endpoint) instead of deriving the caller's identity from the authenticated session and checking, on every request, that this caller may act on the requested object. It differs from insecure authentication (4): the user may be logged in correctly and still reach data that is not theirs.

Best practice

Implement proper web server configuration
Certain settings on the backend web server increase security, and one commonly overlooked issue is information disclosure: server version banners, stack traces, directory listings and verbose error messages. None of these is a break-in on its own, but the detail an attacker learns about the server makes staging a targeted attack easier.
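The Ola example under 4 and the definition above come down to the same thing: the backend believing whatever the app sends. The following added example (not from the original post, and not Ola's or anyone else's real code) sketches in Python what a server should do instead: issue an HMAC-signed, expiring bearer token after login, verify it on every call, and check that the caller owns the object requested. The handler names, the ACCOUNTS table and the token format are constructed for illustration.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Server-side secret; never shipped in the app. Generated fresh for the example.
SERVER_KEY = secrets.token_bytes(32)
SIG_LEN = hashlib.sha256().digest_size  # 32 bytes

# Constructed sample data: account -> owner and balance.
ACCOUNTS = {
    "acct-1": {"owner": "alice", "balance": 1200},
    "acct-2": {"owner": "bob", "balance": 40},
}


def _sign(payload):
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()


def issue_token(user_id, ttl_seconds, now=None):
    """Issue an opaque, signed bearer token after a successful login. The app
    presents this on every call instead of sending its identity in the clear."""
    now = int(time.time()) if now is None else now
    payload = ("%s|%d" % (user_id, now + ttl_seconds)).encode()
    return base64.urlsafe_b64encode(payload + _sign(payload)).decode()


def verify_token(token, now=None):
    """Return the user_id bound to a valid, unexpired token, else None."""
    now = int(time.time()) if now is None else now
    try:
        raw = base64.urlsafe_b64decode(token.encode())
        payload, sig = raw[:-SIG_LEN], raw[-SIG_LEN:]
        user_id, expiry = payload.decode().rsplit("|", 1)
        expiry = int(expiry)
    except (ValueError, UnicodeDecodeError):
        return None
    if not hmac.compare_digest(sig, _sign(payload)):
        return None  # forged, tampered, or signed with another key
    if expiry < now:
        return None  # expired: the app must log in again
    return user_id


def get_balance_insecure(request):
    """Insecure Authorization (6): the server believes the user_id the app
    sends and never checks who owns the account."""
    user_id = request["user_id"]  # attacker-controlled and never compared to anything
    account = ACCOUNTS.get(request["account_id"])
    return account["balance"] if account else None


def get_balance(request, now=None):
    """Fixed handler: identity comes from the verified token, and the requested
    object is checked against that identity on every call."""
    user_id = verify_token(request.get("token", ""), now)
    if user_id is None:
        return {"status": 401}
    account = ACCOUNTS.get(request["account_id"])
    if account is None or account["owner"] != user_id:
        return {"status": 403}  # same answer for missing and foreign accounts
    return {"status": 200, "balance": account["balance"]}


if __name__ == "__main__":
    token = issue_token("alice", ttl_seconds=3600)
    print(get_balance({"token": token, "account_id": "acct-1"}))
    print(get_balance({"token": token, "account_id": "acct-2"}))
    print(get_balance_insecure({"user_id": "alice", "account_id": "acct-2"}))
```

The insecure handler returns Bob's balance to anyone who guesses his account ID; the fixed one returns 403 for that request, 401 when the token is missing, tampered or expired, and 200 only for the token holder's own account. In production the token would travel in an Authorization header over TLS, the secret would be rotated rather than generated at import time, and the ownership check would be a database constraint on the query, not a comparison after the fetch.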

7. Client Code Quality

Risks that come from code-level mistakes in the app itself: buffer overflows and format string bugs in native code, and other defects whose fix is to change code running on the mobile device rather than a setting on a server. Bundled third-party libraries count as your code here.

Example: Vitamio SDK
Vulnerabilities were reported in the Vitamio multimedia SDK; a flaw in a bundled library is inherited by every app that ships it.

Best practice

Test third-party libraries
Third-party libraries can contain vulnerabilities and weaknesses. Many developers assume they are well-developed and tested, but issues can and do exist in their code. Keep an inventory of the libraries and versions you ship, check them against published advisories, test them as you test your own code, and update them promptly.

8. Code Tampering

An attacker modifies an app's binary or resources, or adds a backdoor, re-signs the package with their own key and publishes the malicious version to third-party app marketplaces. Android verifies only that a package is correctly signed, not who signed it, so the repackaged app installs and runs like the original (as a fresh install; it cannot be applied as an update over the genuine app because the signer differs).

Example: Pokémon GO
50M downloads in 19 days on Android alone.
Within 3 days of the initial release, a repackaged APK carrying the DroidJack remote access tool (RAT) was found on third-party app stores.
A RAT gives the attacker a silent backdoor into the device.

Best practice

Implement anti-tampering techniques
Employ anti-tamper and tamper-detection techniques so that a modified copy refuses to run or reports itself. Check at runtime that the app's signing certificate matches the one you expect, that the installer is a trusted store, and that code and assets match embedded checksums, and back this with server-side checks. Client-side checks alone can be patched out by a determined attacker, so treat them as a deterrent and a signal rather than a guarantee.
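A tester can confirm that an APK from a third-party store is a repackaged copy of the official one by comparing the two archives entry by entry and checking whether the signing certificate changed. The added Python example below is not code from the original post: it builds two small in-memory zips standing in for the official and the tampered APK (constructed contents, not the real game), then reports modified, added and removed entries and whether the v1 signature block (META-INF/*.RSA, *.DSA or *.EC) differs. v2 and v3 signatures live in the APK Signing Block rather than in zip entries, so for those the same question is answered with apksigner verify --print-certs.

```python
import hashlib
import io
import zipfile


def make_apk(entries):
    """Build an in-memory zip standing in for an APK (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()


# Official build as published by the developer (constructed contents).
OFFICIAL_APK = make_apk({
    "AndroidManifest.xml": b"<manifest package='com.example.game'/>",
    "classes.dex": b"dex\n035\x00" + b"A" * 64,
    "resources.arsc": b"\x02\x00\x0c\x00" + b"R" * 32,
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "META-INF/CERT.SF": b"Signature-Version: 1.0\n",
    "META-INF/CERT.RSA": b"\x30\x82official-signer",
})

# Copy from a third-party store: code patched, a payload added, re-signed
# with the attacker's key (constructed contents).
STORE_APK = make_apk({
    "AndroidManifest.xml": b"<manifest package='com.example.game'/>",
    "classes.dex": b"dex\n035\x00" + b"A" * 60 + b"RAT!",
    "resources.arsc": b"\x02\x00\x0c\x00" + b"R" * 32,
    "assets/payload.bin": b"\x7fELF" + b"\x00" * 16,
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "META-INF/CERT.SF": b"Signature-Version: 1.0\nCreated-By: attacker\n",
    "META-INF/CERT.RSA": b"\x30\x82attacker-signer",
})


def entry_digests(apk_bytes):
    """SHA-256 of every zip entry, keyed by path."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        return {info.filename: hashlib.sha256(z.read(info)).hexdigest()
                for info in z.infolist()}


def signature_entries(digests):
    """v1 (JAR) signature blocks: META-INF/*.RSA, *.DSA or *.EC."""
    return {name for name in digests
            if name.startswith("META-INF/") and name.rsplit(".", 1)[-1] in ("RSA", "DSA", "EC")}


def compare_apks(reference, suspect):
    """Diff two APKs entry by entry and decide whether the suspect is a
    re-signed, modified copy of the reference."""
    ref, sus = entry_digests(reference), entry_digests(suspect)
    report = {
        # META-INF is reported separately as a signer change, not as code.
        "modified": sorted(n for n in ref if n in sus and ref[n] != sus[n]
                           and not n.startswith("META-INF/")),
        "added": sorted(set(sus) - set(ref)),
        "removed": sorted(set(ref) - set(sus)),
    }
    sig_names = signature_entries(ref) | signature_entries(sus)
    report["resigned"] = any(ref.get(n) != sus.get(n) for n in sig_names)
    report["repackaged"] = report["resigned"] and bool(
        report["modified"] or report["added"] or report["removed"])
    return report


if __name__ == "__main__":
    for key, value in compare_apks(OFFICIAL_APK, STORE_APK).items():
        print("%-11s %s" % (key, value))
```

For the sample the report lists classes.dex as modified, assets/payload.bin as added, and the signer as changed, so repackaged is true; comparing the official APK with itself yields no findings. A changed signer with no other differences can also happen legitimately when a developer rotates keys, which is why the verdict requires both. To reproduce this on real files, read the two APKs from disk in place of the make_apk calls.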

9. Reverse Engineering

Reverse engineering refers to the analysis of a final binary to determine its source code, libraries, algorithms, and more.

Example: Tinder
Attackers decompiled the mobile app and recompiled it so that they did not have to pay for premium content.
If something is possible on the client, someone will find a way to do it.

Best practice

Increase code complexity and use obfuscation
Reverse engineering an app gives an attacker valuable insight into how it works. Obfuscating and minifying the release build (ProGuard/R8 on Android) renames classes and methods and strips unused code, which makes it harder to see how the app operates and can reduce the attack surface exposed to casual analysis. Obfuscation only slows an attacker down; it does not protect secrets embedded in the binary, so keep those on the server.

10. Extraneous Functionality

Developers frequently leave hidden functionality in a build that was never meant for production: backdoors, test accounts, debug menus, disabled security controls or verbose logging. The risk arises when such a feature ships, because an attacker who reverse-engineers the app finds it as easily as the developer left it.

Example: MediaTek
A manufacturer of chips and processors for mobile devices.
A debugging feature intended for carriers to test network connections was left enabled on shipped devices.

Best practice

Carefully manage debug logs
Debug logs exist to detect and correct flaws during development, but they can leak credentials, tokens and personal data that help an attacker build a stronger attack. Logcat output is visible to anyone with a USB connection to the device, and on Android versions before 4.1 to any app holding READ_LOGS. Strip verbose and debug logging from release builds (for example with ProGuard/R8 rules), never log secrets at any level, and make sure android:debuggable is false in the release manifest.
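The checks under 5 (weak or misused cryptography) and here under 10 (debug logging and debug features left in a release) are exactly what a reviewer greps for in decompiled output. The following added Python example, not code from the original post, runs a small rule set over constructed excerpts of jadx-style output: one Java file with several cryptographic mistakes next to a correct AES-GCM call, one with logging and a WebView debug switch, and a manifest with android:debuggable set. The file names, classes and rule list are illustrative, and the patterns are deliberately narrow to keep false positives down.

```python
import re

# Constructed excerpts of a decompiled release build (jadx output style);
# not taken from any real app. Path -> source text.
DECOMPILED = {
    "AndroidManifest.xml": """<manifest package="com.example.wallet">
  <application android:debuggable="true" android:label="Wallet">
  </application>
</manifest>""",
    "com/example/wallet/CryptoUtil.java": """public class CryptoUtil {
    Cipher c = Cipher.getInstance("AES");
    SecretKeySpec k = new SecretKeySpec("0123456789abcdef".getBytes(), "AES");
    Cipher good = Cipher.getInstance("AES/GCM/NoPadding");
    MessageDigest md = MessageDigest.getInstance("MD5");
    SecureRandom r = new SecureRandom("seed".getBytes());
    KeyGenerator kg = KeyGenerator.getInstance("DES");
}""",
    "com/example/wallet/Authenticator.java": """public class Authenticator {
    void login(String user, String password) {
        Log.d("Auth", "login " + user + " password=" + password);
        Log.i("Auth", "session started");
        WebView.setWebContentsDebuggingEnabled(true);
    }
}""",
}

# Values that must never reach a log line (illustrative list).
SENSITIVE = re.compile(r"pass(?:word|wd)?|pwd|secret|token|otp|\bpin\b|card|cvv", re.I)

RULES = [
    # (category, pattern, message)
    ("crypto", re.compile(r'Cipher\.getInstance\(\s*"[A-Za-z0-9]+(?:/ECB(?:/[^"]*)?)?"\s*\)'),
     "ECB mode (explicit, or the default when only the algorithm is named)"),
    ("crypto", re.compile(r'getInstance\(\s*"(?:DES|DESede|RC4|ARCFOUR|RC2|Blowfish)(?:/[^"]*)?"'),
     "weak or legacy cipher"),
    ("crypto", re.compile(r'MessageDigest\.getInstance\(\s*"(?:MD2|MD5|SHA-?1)"'),
     "weak hash function"),
    ("crypto", re.compile(r'new\s+(?:SecretKeySpec|IvParameterSpec)\(\s*"[^"]*"\.getBytes\('),
     "hardcoded key or IV"),
    ("crypto", re.compile(r'new\s+SecureRandom\(\s*[^)\s]|\.setSeed\(|Math\.random\(\)'),
     "seeded or non-cryptographic random source"),
    ("logging", re.compile(r'\b(?:Log\.[vdiwe]|System\.out\.print(?:ln)?|printStackTrace)\('),
     "debug logging left in the release build"),
    ("debug", re.compile(r'setWebContentsDebuggingEnabled\(\s*true\s*\)|android:debuggable\s*=\s*"true"'),
     "debug feature enabled in release"),
]


def scan_sources(files):
    """Return (path, line number, category, message) for every rule hit."""
    findings = []
    for path, text in sorted(files.items()):
        for lineno, line in enumerate(text.splitlines(), 1):
            for category, pattern, message in RULES:
                if not pattern.search(line):
                    continue
                if category == "logging" and SENSITIVE.search(line):
                    message = "log statement includes a sensitive value"
                findings.append((path, lineno, category, message))
    return findings


if __name__ == "__main__":
    for path, lineno, category, message in scan_sources(DECOMPILED):
        print("%-40s:%-3d %-8s %s" % (path, lineno, category, message))
```

On the sample this yields nine findings: five in CryptoUtil.java (the bare "AES" transform, the string-literal key, MD5, the seeded SecureRandom and DES), three in Authenticator.java (a log line carrying a password, a plain info log, and WebView debugging), and the debuggable flag in the manifest. The AES/GCM line is correctly left alone. Every hit still needs a human to decide whether MD5 is used for a cache key or a password, or whether a log call is wrapped in a BuildConfig.DEBUG guard.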

Khanna Security Solution Pvt. Ltd. is a cyber-security company. If you are facing mobile security problems or want a mobile application tested, feel free to contact us.
More security-related blogs: click here.
Read about the Janus vulnerability in Android (CVE-2017-13156): click here.

