If you ever heard of web application security, you probably heard of OWASP. And if you heard of OWASP, you probably heard about the OWASP Top 10. The Open Web Application Security Project, or OWASP for short, is an international non-profit organization dedicated to web-application security. OWASP is widely known for publishing materials covering their projects – one of their projects is OWASP Top 10 which is a regularly-updated report outlining security concerns for web application security. The OWASP Top 10, as the name suggests, focuses on the Top 10 risks which threaten web applications. The 2017 edition of OWASP has been covered extensively on this blog, but there’s also something we haven’t talked about – OWASP also releases an OWASP Mobile Top 10. This blog post will cover what it is.
What is the OWASP Mobile Top 10?
The OWASP Mobile Top 10 is just like the OWASP Top 10, but for mobile applications. Here’s what it contains (the list contains flaws from the most to the least severe):
- Improper Platform Usage – this category covers the failure to use proper platform security controls (i.e it might cover the misuse of TouchID or some other security control that is part of the mobile system)
- Imsecure Data Storage – insecure data storage refers to, obviously, insecure storage of data. But what does that mean exactly? Well, it’s pretty simple to explain – any data that is (or was) stored insecurely (for example, on a lost mobile device that was attained by a malicious party) could be at risk.
- Insecure Communication – this one is also pretty self-explanatory. Any communication that is conducted over an insecure medium should be considered compromised. Here “an insecure medium” could mean a compromised or a monitored wi-fi network, communicating via an unencrypted channel that is monitored, using compromised network devices for communication etc.
- Insecure Authentication – this type of vulnerability refers to a poor or a missing authentication scheme that could allow an attacker to anonymously perform malicious actions.
- Insufficient Cryptography – this vulnerability category includes anything that does not include sufficient cryptographic measures (e.g anyone with access to unencrypted or decrypted data etc.) The attack vectors for this vulnerability include all of the attack vectors available since an attack that might be viable for an attacker to execute depends on the vulnerable application.
- Insecure Authorization – this vulnerability category is pretty self-explanatory too. If a malicious party understands how a certain authorization scheme (e.g register, login forms etc.) is vulnerable, they can log in to an application as a user, or, in the worst case scenario, an administrator or a manager of some sort.
- Poor Code Quality – now this vulnerability category is a little bit more interesting because the threats for this vulnerability category might differ depending on the code that is vulnerable: a nefarious party might pass some malicious code in an input box of a mobile application and then gain access to it, perform some type of data theft, etc. This vulnerability category is very specific to the application that is being attacked by the nefarious party because it depends on the code of the mobile application.
- Code Tampering – this vulnerability category is frequently exploited by making direct changes to the application’s library (i.e if the code for a mobile game is hosted on GitHub and it’s used in the mobile game, an attacker could modify the code such that it steals information etc.)
- Reverse Engineering – this vulnerability category is not a vulnerability in and of itself, but it can lead to a suite of different vulnerabilities when discovered by an attacker because when searching for vulnerabilities, some attackers typically download an app from an app store and analyze (reverse engineer) the app within their own local environment using their own tools. A mobile application that is reverse engineered and found to have some vulnerabilities is bound to be of interest to an attacker.
- Extraneous Functionality – a nefarious party might seek to understand code functionality in order to better understand what it does, where it connects to, maybe what API endpoints it uses etc. to discover functions that might be extraneous and exploit them afterwards.
The OWASP Mobile Top 10 is just like the OWASP Top 10, but for mobile applications. The above list of the top 10 mobile flaws was last compiled in 2016 so it’s pretty old, but it’s still applicable nonetheless – if you are developing mobile applications, please keep this list in mind and your should do just fine security-wise. I also might start creating OWASP Mobile Security series just like I did a couple of years earlier, so thank you for reading and stay tuned!