What is OWASP and its Major Risks?
OWASP stands for Open Web Application Security Project. It is an international non-profit organization dedicated to the security of web applications. One of OWASP's core principles is that all of its materials are freely available and easily accessible on its website; its aim is to make it possible for anyone to improve their web application security. The materials it offers include documentation, videos, tools, and forums. The OWASP Top 10 is its best-known project. The OWASP Foundation also runs many leading education and training programs in the field of cybersecurity.
OWASP Mobile Top 10 Risks (2016 list)
1. Improper Platform Usage
Mobile platforms provide many features that developers can use, but using them improperly leaves the app exposed to attack. This risk is common and easy to exploit. It covers misuse of a platform feature or failure to use a platform security control: Android intents, platform permissions, misuse of Touch ID, the iOS Keychain, or any other security control that is part of the mobile operating system. The severity of the impact and the ease of exploitation depend on the specific weakness and on how much control the attacker manages to gain through it.
To prevent this risk, apply secure coding and configuration practices on both the client and the server side of the mobile application, and make sure every platform feature is used the way the platform documentation prescribes (for example, keep credentials in the Keychain or Keystore rather than in an ordinary preferences file).
2. Insecure Data Storage
In the worst case this results in data loss for many users. Technical impacts include extraction of the app's confidential data by mobile malware, by modified or altered apps, or by forensic tools. The business impact depends on the information that is stolen: identity theft, privacy violation, fraud, reputation damage, external policy violation, or material loss can all follow from insecure data storage. The attack vector varies greatly, from third-party applications that read the cache, cookies, and other stored information to gather protected data, to an adversary who physically obtains the device and inspects it. Data storage must be handled correctly in several ways, including encryption, authentication, and control over every caching feature. Insecurely stored data is extremely easy to exploit.
To prevent this, threat model your mobile app, OS, platforms, and frameworks to understand which information assets the app processes and how the APIs handle those assets.
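One concrete check that falls out of that threat model is an audit of what the app actually leaves on disk. The script below is an added example, not OWASP's code: it walks an app's private data directory, flags files that other apps or a forensic tool could read, and flags plaintext files that carry credential-looking keys. The directory layout, the list of sensitive key names, and the sample files are all constructed for the demonstration (a temporary directory stands in for a real sandbox such as Android's per-app data directory).

```python
"""Audit an app's private data directory for files that leak secrets.

Added example, not OWASP's code. A temporary directory imitating an app
sandbox is constructed so the script runs anywhere; the key names below
are an assumed list of fields that should never be stored in plaintext.
"""
import json
import os
import stat
import tempfile

# Constructed list of keys that must not appear in plaintext on disk.
SENSITIVE_KEYS = {"password", "passwd", "secret", "token", "api_key", "session"}


def readable_by_others(path: str) -> bool:
    """True if group or world read bits are set (other apps, backups, forensics)."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def plaintext_secret_keys(path: str) -> list[str]:
    """Return sensitive keys found in a JSON object or key=value style file."""
    try:
        with open(path, encoding="utf-8") as fh:
            text = fh.read()
    except (UnicodeDecodeError, OSError):
        return []                      # binary or unreadable: not a plaintext leak
    try:
        obj = json.loads(text)
        return [k for k in obj if k.lower() in SENSITIVE_KEYS] if isinstance(obj, dict) else []
    except ValueError:
        found = []
        for line in text.splitlines():
            key, sep, _ = line.partition("=")
            if sep and key.strip().lower() in SENSITIVE_KEYS:
                found.append(key.strip())
        return found


def audit_storage(root: str) -> list[dict]:
    """Walk the sandbox and report every file that violates the storage policy."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if readable_by_others(path):
                findings.append({"file": rel, "issue": "readable-by-others"})
            for key in plaintext_secret_keys(path):
                findings.append({"file": rel, "issue": f"plaintext-secret:{key}"})
    return findings


def build_sample_app_dir() -> str:
    """Construct a throwaway directory imitating a leaky app sandbox."""
    root = tempfile.mkdtemp(prefix="m2-demo-")
    prefs = os.path.join(root, "shared_prefs")
    os.makedirs(prefs)
    bad = os.path.join(prefs, "user.json")
    with open(bad, "w", encoding="utf-8") as fh:
        json.dump({"user": "alice", "password": "hunter2"}, fh)  # plaintext credential
    os.chmod(bad, 0o644)               # readable by other apps and forensic tools
    good = os.path.join(prefs, "token_ref.properties")
    with open(good, "w", encoding="utf-8") as fh:
        fh.write("keystore_alias=app_session\n")  # only a reference, no secret
    os.chmod(good, 0o600)
    return root


if __name__ == "__main__":
    for finding in audit_storage(build_sample_app_dir()):
        print(finding)
```

Run it against an extracted copy of the app's data directory (pulled from a rooted test device) during a pentest; the two rules are deliberately simple so that they can be extended with the asset list produced by the threat model.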
3. Insecure Communication
Insecure Communication is among the most common vulnerabilities in applications with a client-server structure. Developers are often diligent about protecting data at rest and about authentication procedures, but they rarely bother to encrypt data in transit properly. If data is not protected or encrypted in transit, it is exposed to a man-in-the-middle attack on the path between the app and the server. These attacks typically come from network devices such as routers, from malicious software, and so on. Mobile apps commonly exchange data in a client-server format, and when the solution transmits its data it must traverse the mobile device's carrier network and the internet. Threat agents exploit weaknesses in that channel to gain access to sensitive data while it travels across the network.
To prevent this, assume that the network layer is not secure and is susceptible to eavesdropping; use strong industry-standard cipher suites with appropriate key lengths; always use certificates signed by a trusted CA; always require TLS certificate chain verification (and never ship code that silences certificate errors); and consider pinning the server's certificate or public key.
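To make that advice testable, the block below (an added example, not OWASP's code) uses Python's ssl module as a stand-in for a mobile platform's TLS stack. It shows the "make the certificate error go away" anti-pattern beside a hardened client configuration, an audit function that checks a context against the rules above, and a pin comparison. Pinning here is computed over the whole DER certificate for simplicity; production pins are normally taken over the SubjectPublicKeyInfo, and the certificate bytes used in the demonstration are constructed, not a real certificate.

```python
"""Audit a TLS client configuration and compare a certificate pin.

Added example, not OWASP's code. The ssl module stands in for the mobile
TLS stack; the pin is over the DER certificate bytes (simplification,
real pins usually cover the SubjectPublicKeyInfo).
"""
import base64
import hashlib
import hmac
import ssl


def insecure_context() -> ssl.SSLContext:
    """Anti-pattern: accepts any certificate, so any on-path device can MITM."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE     # chain is never validated
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Verified chain from the system trust store, hostname binding, TLS 1.2+."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return every policy violation in a client context (empty list = pass)."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("certificate chain not verified")
    if not ctx.check_hostname:
        problems.append("hostname not checked")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("TLS < 1.2 permitted")
    return problems


def cert_pin(cert_der: bytes) -> str:
    """Pin in the usual 'sha256/<base64>' form over the presented DER bytes."""
    return "sha256/" + base64.b64encode(hashlib.sha256(cert_der).digest()).decode()


def pin_matches(cert_der: bytes, expected_pins: list[str]) -> bool:
    """Accept if the certificate matches any pin; ship a backup pin for rotation."""
    actual = cert_pin(cert_der)
    return any(hmac.compare_digest(actual, p) for p in expected_pins)


if __name__ == "__main__":
    print("insecure:", audit_context(insecure_context()))
    print("hardened:", audit_context(hardened_context()))
    fake_der = b"constructed bytes standing in for a DER certificate"
    print("pin:", cert_pin(fake_der), pin_matches(fake_der, [cert_pin(fake_der)]))
```

In a real client the bytes passed to pin_matches come from the peer certificate after the handshake (for example, the result of getpeercert(binary_form=True) in Python), and a mismatch must abort the connection rather than log and continue.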
4. Insecure Authentication
Insecure Authentication covers weaknesses in both the authentication procedure and session handling. For mobile applications, attackers usually build custom tools that bypass the client-side app entirely and submit requests directly to the backend server. Poor authentication schemes allow an adversary to anonymously execute functionality within the mobile app or the backend server it uses. Weak authentication is fairly prevalent in mobile apps because of the device's input form factor: authentication schemes for mobile apps are often much leaner than for regular web applications. Since many apps must work offline, users are offered an offline authentication option, and that option can be exploited. As a result, the attacker can gain control of the system: anonymously steal or delete data, issue commands to the app or the server, and so on. This may lead to severe technical and business impact.
The best way to prevent this is to use online authentication whenever possible and to process all authentication requests server-side; never trust an authentication decision made on the client, because the client binary is under the attacker's control.
5. Insufficient Cryptography
Insufficient Cryptography is a vulnerability that can have an extremely nasty impact on the business. It occurs when cryptography is applied to sensitive data but the algorithm, key management, or implementation is too weak to resist an attacker, resulting in the unauthorized retrieval of confidential information from the mobile device. This can have several different business impacts, such as privacy violations, information and code theft, intellectual property theft, or damage to reputation.
To prevent this vulnerability, avoid storing any sensitive data on a mobile device where possible; apply cryptographic standards that will withstand the test of time for at least 10 years into the future; and follow the NIST (National Institute of Standards and Technology) guidelines on recommended algorithms. Following established best practices and standards is the best way to avoid Insufficient Cryptography; never design your own algorithm or protocol.
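A common instance of this risk is the verifier an app stores for offline PIN or password checks (the offline authentication option mentioned under item 4). The block below, an added example rather than OWASP's code, places the weak pattern (an unsalted MD5 digest, a deprecated hash that is cracked instantly) beside a record built with PBKDF2-HMAC-SHA256, the NIST SP 800-132 construction, using a per-record salt, a high iteration count and constant-time comparison. The record format, the iteration count (taken from the OWASP Password Storage Cheat Sheet figure of 600,000 for PBKDF2-HMAC-SHA256) and the sample PIN are assumptions for the demonstration.

```python
"""Offline password/PIN verifiers: a deprecated hash beside a NIST-style KDF.

Added example, not OWASP's code. Record format and iteration count are
assumptions; hashlib and hmac are from the standard library.
"""
import hashlib
import hmac
import secrets
from typing import Iterable, Optional

ITERATIONS = 600_000   # assumed count; tune to the device's CPU budget


def weak_record(pin: str) -> str:
    """Insufficient: MD5, no salt, no work factor; a leaked record is cracked offline."""
    return hashlib.md5(pin.encode()).hexdigest()


def weak_verify(pin: str, record: str) -> bool:
    """Also leaks timing through the early-exit string comparison."""
    return weak_record(pin) == record


def crack_weak(record: str, candidates: Iterable[str]) -> Optional[str]:
    """Offline guessing against the weak record finishes in milliseconds."""
    for candidate in candidates:
        if weak_record(candidate) == record:
            return candidate
    return None


def make_record(pin: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256 record: 'pbkdf2_sha256$iters$salt$dk'."""
    salt = salt or secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify(pin: str, record: str) -> bool:
    """Recompute with the stored salt and iterations; compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", pin.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    pins = (f"{i:04d}" for i in range(10_000))
    print("weak record cracked to:", crack_weak(weak_record("4921"), pins))
    rec = make_record("4921")
    print("kdf record:", rec[:40] + "...", "verify:", verify("4921", rec))
```

The caveat that matters on mobile: a four-digit PIN has only 10,000 possibilities, so even the PBKDF2 record can be brute-forced by anyone who extracts it from the device. That is why the prevention advice above says to avoid keeping such material on the device at all; where an offline check is unavoidable, bind the verifier to hardware-backed key storage with rate limiting rather than relying on the KDF alone.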
6. Insecure Authorization
Insecure Authorization concerns the server side failing to check what an authenticated user is allowed to do, as distinct from failing to check who the user is. The vulnerability is extremely common and can be hard to detect. Once an attacker learns how the authorization scheme is weak, they log in to the application as a legitimate, low-privileged user and pass the authentication control. They then force-browse to a vulnerable endpoint to execute administrative functionality. Such attacks are delivered through mobile malware on the device or through botnets the attacker controls. The technical impact of poor authorization is similar to that of poor authentication and can be wide-ranging: for example, over-privileged execution of local administration functionality may destroy systems or expose confidential information.
The best way to prevent this is to check user rights on every request: verify each request from a client independently on the server side, using the roles and permissions the server holds for that user, never a role, user identifier, or "admin" flag supplied by the client.
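The two server-side rules from items 4 and 6 (authenticate every request on the server, then authorize from server-held state) are easiest to see in a small request handler. The block below is an added example, not OWASP's code: the users, roles, session table, endpoint paths and request shape are all constructed for illustration, and the password check inside login is omitted. It shows an admin handler that trusts a client-supplied flag (what a custom tool that skips the app UI exploits) beside one that derives identity from the session token and role from the server's user table, plus a deny-by-default router so that an endpoint nobody registered cannot be force-browsed.

```python
"""Server-side authentication and authorization for a mobile backend.

Added example, not OWASP's code. Users, roles, sessions, routes and the
request shape are constructed; a real backend would use a database and
an HTTP framework, and login would verify a credential first.
"""
import secrets
from dataclasses import dataclass, field

USERS = {"alice": {"role": "user"}, "root_admin": {"role": "admin"}}
SESSIONS: dict[str, str] = {}            # session token -> username, server-side only
ROUTES = {"/me": "user", "/admin/delete_users": "admin"}   # required role per endpoint


@dataclass
class Request:
    path: str
    headers: dict = field(default_factory=dict)
    body: dict = field(default_factory=dict)


def login(username: str) -> str:
    """Issue a random, unguessable session token (credential check omitted here)."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token


def current_user(req: Request):
    """Identity comes only from the server-side session table, never from the body."""
    token = req.headers.get("Authorization", "").removeprefix("Bearer ")
    return SESSIONS.get(token)


def insecure_admin_handler(req: Request) -> int:
    """Anti-pattern: the role flag is read from the request the client built.
    A tool that bypasses the app just sends {"is_admin": true}."""
    return 200 if req.body.get("is_admin") else 403


def secure_admin_handler(req: Request) -> int:
    """Who (item 4) and what (item 6) are both decided from server state."""
    user = current_user(req)
    if user is None:
        return 401                       # no anonymous execution
    if USERS[user]["role"] != "admin":
        return 403                       # client's is_admin flag is ignored entirely
    return 200


def dispatch(req: Request) -> int:
    """Deny-by-default router: an endpoint with no declared role is unreachable,
    so a forgotten test or debug endpoint cannot be force-browsed."""
    required = ROUTES.get(req.path)
    if required is None:
        return 404
    user = current_user(req)
    if user is None:
        return 401
    if required == "admin" and USERS[user]["role"] != "admin":
        return 403
    return 200


if __name__ == "__main__":
    forged = Request("/admin/delete_users", body={"is_admin": True})
    print("insecure handler:", insecure_admin_handler(forged))   # 200: attacker wins
    print("secure handler:  ", secure_admin_handler(forged))     # 401: rejected
```

The status codes returned here double as the test oracle a pentester uses: send the same forged body with no token, with a low-privileged token and with an admin token, and confirm the server answers 401, 403 and 200 respectively, independent of anything the client claims about itself.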
7. Client Code Quality
This category covers vulnerabilities created by coding mistakes in the client, for example buffer overflows and memory leaks. Attackers find such errors in the code and exploit them to gain access to the system. Exploits in this category typically result in foreign code execution or denial of service (DoS) on remote server endpoints. However, if buffer overflows or overruns exist within the mobile app itself and the input can be supplied by an external party, the technical impact on the device can be severe.
The way to deal with this is to maintain consistent coding standards across the board and to write well-commented code that is easy to read. When using buffers, validate that the length of any incoming data will not exceed the length of the target buffer. Use third-party static analysis tools to identify buffer overflows and memory leaks automatically, and prioritize fixing buffer overflows and memory leaks over other "code quality" problems.
8. Code Tampering
Code Tampering covers any modification an attacker makes to the application's code or resources. Attackers use it to unlock premium features, violate copyright, and completely bypass the app's existing distribution model. This vulnerability can be difficult to detect. An attacker exploits it by publishing malicious versions of the application in third-party app stores, or by tricking the user into installing the modified app through phishing. To carry this out, an attacker will make direct binary changes to the application package's core binary, make direct changes to the resources within the app's package, or redirect or replace system APIs in order to intercept calls and execute foreign, malicious code.
The best way to prevent this is to use anti-tampering techniques such as runtime integrity checks together with root and jailbreak detection. Keep in mind that any check that runs on the device can itself be patched out, so the server must continue to treat every client as untrusted regardless of what the app reports about its own integrity.
9. Reverse Engineering
Reverse Engineering is extremely widespread and is not always done with malicious intent; sometimes people do it to study an app, and sometimes to write their own, completely legitimate applications. An attacker downloads the targeted application from an app store and analyzes it in a local environment using a suite of tools (disassemblers, decompilers, and debuggers) to recover its logic, its API endpoints, and any embedded secrets.
Every application is susceptible to this vulnerability. To make reverse engineering less effective, use an obfuscation tool; obfuscation raises the cost of analysis but does not prevent it, so never rely on it to hide keys, credentials, or other secrets in the binary.
10. Extraneous Functionality
This category was added to the list in 2016 to cover a severe but common vulnerability. The attacker downloads and examines the mobile app in a local environment, inspecting log files, configuration files, and perhaps the binary itself to discover hidden switches or test code left behind by the developers. They then try to use these switches and hidden functionality in the back end of the system to perform an attack. One example is a developer account that completely bypasses security checks and grants a wide set of privileges: a backdoor that gives the attacker full control over the app.
To prevent this vulnerability, perform a manual secure code review using security champions or the subject matter experts most familiar with the code, and make sure debug and test functionality is stripped from release builds rather than merely switched off. These vulnerabilities are easy to exploit, but they are also easy to catch and remove.