Upgrade to Pro — share decks privately, control downloads, hide ads and more …

The OWASP Top 10 (in 10 minutes or less)

Ed George
November 17, 2022

The OWASP Top 10 (in 10 minutes or less)

In this lightning session, we will take a dive intoOWASP's top 10 threats for mobile security for both iOS and Android

Ed George

November 17, 2022
Tweet

More Decks by Ed George

Other Decks in Technology

Transcript

  1. @sp4ghetticode / spght.dev The OWASP Mobile Top 10 …in 10

    minutes (or less?)
  2. @sp4ghetticode / spght.dev Who am I? • Ed Holloway-George •

    Snr. Android Dev @ ASOS • Short lived iOS career building a “Facebook for Dogs” 😅 • I like to talk about mobile security a lot • Find more talks/blogs on my website: 🍝 spght.dev/talks 🍝 Introduction
  3. @sp4ghetticode / spght.dev Before we start… What even is OWASP?

    • Open Web Application Security Project • Non-profit founded in 2001 • Provides free security resources for all • Maintain ‘Top 10’ list(s) of the greatest security threats in tech • Current “Mobile Top 10” list created in 2016
  4. @sp4ghetticode / spght.dev OWASP Mobile Top 10 owasp.org/www-project-mobile-top-10 1. Improper

    Platform Usage 2. Insecure Data Storage 3. Insecure Communication 4. Insecure Authentication 5. Insufficient Cryptography 
 6. Insecure Authorisation 7. Client Code Quality 8. Code Tampering 9. Reverse Engineering 10.Extraneous Functionality
  5. @sp4ghetticode / spght.dev #1 Improper Platform Usage The biggest threat

    to Mobile Security is you • Ever skipped reading docs? • Ever used a platform method incorrectly? • Ever just ‘LGTM’ a code-review and missed something? Incorrectly exported Intents/Services/etc Keychain access policy too weak
  6. @sp4ghetticode / spght.dev #1 Improper Platform Usage How to fix

    it • Have a solid ✅ code-review process • Use SAST tools like Snyk, AppSweep, SonarQube • Consider using the OWASP MASTG (for all threats!) • And if in doubt, just RTFM… 😅
  7. @sp4ghetticode / spght.dev #2 Insecure Data Storage Where you store

    data is quite important… • Storing data via platform is often insecure by default • Trivial to access data in certain locations • Commonly used incorrectly as storage for sensitive data SharedPreferences / DataStore UserDefaults
  8. @sp4ghetticode / spght.dev #2 Insecure Data Storage How to fix

    it • Avoid storing sensitive data in the first place! • Utilise storage backed by use of secure hardware • Consider root/jailbreak detection in extreme cases EncryptedSharedPreferences / KeyStore Keychain
  9. @sp4ghetticode / spght.dev #3 Insecure Communication Sending you data incorrectly

    is bad • Bluetooth, NFC, the internet & everything in-between • Sending data over HTTP and not HTTPS? • Are you pinning certificates? • Allowing self-signed / user certificates? • Or are you just printing traffic directly to the logs 🤪 Yes, I’ve seen the last one on prod apps many times…
  10. @sp4ghetticode / spght.dev #3 Insecure Communication How to fix it

    • Assume all communication channels are insecure until you can prove otherwise • Utilise pinning / certificate transparency • Never allow self-signed or user certificates on prod StrictMode to penalize HTTP usage NSPinnedDomains in Info.plist
  11. @sp4ghetticode / spght.dev #4 Insecure Authentication Are you who you

    say you are? • How does your app know who you are? • APIs should utilise access tokens • Are you storing passwords or PINs locally • Password policies? How weak are they?
  12. @sp4ghetticode / spght.dev #4 Insecure Authentication How to fix it

    • Use revokable tokens in API calls • Don’t do any authentication locally if possible • PINs should be a minimum length of 5 (ideally more) • Don’t offer ‘remember-me’ functionality without an opt-in
  13. @sp4ghetticode / spght.dev #5 Insufficient Cryptography Ceaser Ciphers probably won’t

    cut it. • Do not use out-dated cryptography • SHA-1, MD5, RC2, etc - All exploitable in 2022 • Don’t confuse encryption with hashing • Hashing is 1-way algorithm to verify data • Encrypting is 2-way algorithm to secure data • Don’t come up with your own algorithm 😅
  14. @sp4ghetticode / spght.dev #5 Insufficient Cryptography How to fix it

    • Use decent crypto libs by people that know what they’re doing • E.g. Google - tink library • Use strong industry standard algortihms • AES-256 • RSA-2048 • Please, please don’t copy paste tutorial code… • Ask me about Hyundai after! 🚗🇰🇷
  15. @sp4ghetticode / spght.dev #6 Insecure Authorisation ‘sudo me a sandwich’

    • Allowing a user to perform an action they don’t have permission for • User role verification on the device is bad • Telling the server what roles you have, also very bad
  16. @sp4ghetticode / spght.dev #6 Insecure Authorisation How to fix it

    • User actions need authorised API calls • Don’t transmit the user’s role / perms to the server • Backend should be source-of-truth for identity • Always use min-amount of perms needed for an API call
  17. @sp4ghetticode / spght.dev #7 Client Code Quality ‘Regretti that spaghetti’

    • Your 💩 code is bad news for everyone 🍝 • Are you following coding best practises? • Know the pitfalls of your language • SQL Injection • Buffer Overflow • etc.
  18. @sp4ghetticode / spght.dev #7 Client Code Quality How to fix

    it • Code reviews (again) • SAST tools (again) • Linting • Experience 👴👵 • Not foolproof of course…
  19. @sp4ghetticode / spght.dev #8 Code Tampering “At least fix my

    bugs while you’re there…” • The unwanted modification of your app’s code/resources • The unintended use of your app through the use of a ‘rooted/jailbroken’ device • More common in Android world • Used by malicious actors to distribute modded apps with spyware + more nasty surprises 😈
  20. @sp4ghetticode / spght.dev #8 Code Tampering How to fix it

    • Use root detection libraries • Use paid services to alert you of tampering attempts • Make sure you use decent code obfuscation DexGuard, RootBeer iXGuard
  21. @sp4ghetticode / spght.dev #9 Reverse Engineering i.e. I know what

    you did last summer and why… • First, decompiling your app to see how it works • Using that knowledge to exploit the app or your services • Recompiling with changes (i.e. code tampering) • Using other tools to exploit vulnerabilities
  22. @sp4ghetticode / spght.dev #9 Reverse Engineering How to fix it

    • Follow similar steps to code tampering • Root detection • Obfuscation • Runtime application self-protection (RASP)
  23. @sp4ghetticode / spght.dev #10 Extraneous Functionality Your app is an

    easter-egg hunt for hackers • Hackers look for ‘back-doors’ in your app’s code • Hidden feature flags • Hard-coded debug accounts/passwords/etc • Any other nice goodies you left behind…
  24. @sp4ghetticode / spght.dev #10 Extraneous Functionality How to fix it

    • Don’t ship anything you wouldn’t want someone to enable by themselves • Ensure you strip out any hard-coded credentials or anything you use for QA-ing the app • Some SAST tools will pick this up • GOOD CODE REVIEWS! • “LGTM” 🤪
  25. @sp4ghetticode / spght.dev spght.dev/talks For more in-depth OWASP Top 10

    talks/blogs
  26. @sp4ghetticode / spght.dev Thanks! spght.dev/talks

  27. @sp4ghetticode / spght.dev EOF spght.dev/talks