Around two weeks ago, we started a new initiative at Appknox: a collection of detailed articles about the various threats listed by the OWASP Top 10 Project. So far we have been discussing the web; today we also start a new collection on threats pertaining to mobile platforms.
Mobile has grown tremendously all across the globe. In certain regions like India and South-east Asia, there are more cellphones than people! Along with devices, mobile apps have also grown manifold. Suddenly, consumers are more confident with the convenience offered by their mobile phones. Whether you are at home, at the office, driving in your car or in a hotel room in another country, you can easily manage your work and personal data, bank online, shop for new clothes, travel and much more.
While this extreme level of growth and convenience is exciting, it has also brought with it an extreme number of security risks, as user credentials, bank data and other information now flow constantly between devices and backend systems all across the world.
What is OWASP?
Open Web Application Security Project, or OWASP as it is commonly known, is a community-based foundation which aims at spreading awareness about application and software security. OWASP runs several community-run open-source projects to improve the knowledge of security enthusiasts all over the globe. The foundation also organizes several leading education and training programs in the field of cybersecurity. The thousands of members and numerous local chapters of OWASP ensure that security experts and developers remain aware of ongoing security threats and prepare for their mitigation in advance.
Below, you’ll find the top 10 mobile security risks as defined by the OWASP Top 10 Project for Mobile. Understanding these risks can help you prepare your app and protect yourself, your data and your users. Starting next week, we will be discussing each threat in detail. For now, here are the most commonly found security threats in mobile:
Top 10 Mobile Security Risks as per the OWASP Top 10 Project
#M1 Improper Platform Usage
This OWASP threat refers to the unintended use of any platform feature, or to cases where the security controls offered by the platform are not used at all. It may include platform permissions, Android intents, misuse of the Keychain, misuse of Touch ID or any other missing security control.
Example: Citrix Worx Apps
One relevant example of improper platform usage comes from the Citrix Worx apps. Researchers discovered that the Touch ID check in the Citrix Worx apps could be bypassed: reboot the iPhone, open one of the Citrix apps, start authentication and immediately cancel the Touch ID prompt, then restart the app, which proceeds without Touch ID. Further analysis showed that the secret collected after passing Touch ID was stored incorrectly, which is why the app assumed it had authenticated the user properly.
#M2 Insecure Data Storage
This threat category covers any security loophole which might lead to unintended data leakage or insecure data storage. This may include insufficient file data protection and wrong options for keychain accessibility, among others. Vulnerabilities associated with insecure data storage may lead to several business risks like fraud, identity theft, external policy violations, reputation damage and material loss.
We can refer to a vulnerability in Tinder while talking about insecure data storage. Tinder's new feature displayed people using the app near your location, but it revealed the exact location of those nearby, which was a huge problem in terms of privacy. In fact, hackers built a whole new website to showcase this data storage vulnerability, and it showed users' exact locations even after the issue was fixed.
#M3 Insecure Communication
Insecure communication generally includes a lack of certificate planning, i.e. poor handshaking, use of HTTP instead of HTTPS, improper SSL usage, cleartext communication of sensitive assets, etc. All of these loopholes might allow attackers to eavesdrop and steal valuable customer or business information from sensitive communications.
Example: Misafe smartwatches
One suitable example of this comes from Misafe, a smartwatch brand dedicated to kids. Communication with the company's servers was not properly encrypted and lacked correct authentication. Due to this vulnerability, attackers could find out the real-time location of kids, call them on their watch, spy on them, send recorded audio messages and retrieve other personal information such as age, gender, date of birth etc.
#M4 Insecure Authentication
This OWASP threat category pertains to authentication issues and problems related to bad session management. This may include failure to identify the user when required, failing to maintain identity once authenticated, and other loopholes in session management.
Example: Grab Android App
Upon analysis, a security expert was able to bypass the two-factor authentication of the Grab Android app by brute-forcing the 4-digit code. Surprisingly, there was no limit at all to how many times the 4-digit code could be entered. With the access obtained through this improper authentication, hackers could gain information about users such as ride information and payment details.
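The Grab case above comes down to a verification step with no bound on attempts. As an added example (not code from the post or from Grab), here is a verification routine in that vulnerable shape beside a hardened one with an attempt limit, expiry, constant-time comparison and single use; the code value, thresholds and class names are constructed for illustration.

```python
import hmac
import secrets
from typing import Callable, Optional

MAX_ATTEMPTS = 5          # assumed lockout threshold, not a value from the post
CODE_TTL_SECONDS = 300    # assumed validity window for a code

class Challenge:
    """One pending 2FA challenge: the code, its issue time and attempts used."""
    def __init__(self, code: str, issued_at: float):
        self.code = code
        self.issued_at = issued_at
        self.attempts = 0
        self.locked = False

def issue_challenge(now: float) -> Challenge:
    # A 4-digit code, as in the post: only 10,000 possibilities.
    return Challenge(f"{secrets.randbelow(10_000):04d}", now)

def verify_unlimited(ch: Challenge, guess: str, now: float) -> bool:
    """Vulnerable shape: no counter and no expiry, so the whole space can be tried."""
    return ch.code == guess

def verify_limited(ch: Challenge, guess: str, now: float) -> bool:
    """Hardened shape: bounded attempts, expiry, constant-time compare,
    and the challenge is consumed on success or on lockout."""
    if ch.locked or now - ch.issued_at > CODE_TTL_SECONDS:
        return False
    ch.attempts += 1
    if ch.attempts > MAX_ATTEMPTS:
        ch.locked = True
        return False
    if hmac.compare_digest(ch.code.encode(), guess.encode()):
        ch.locked = True  # single use: the same code cannot be replayed
        return True
    return False

def sweep_all_codes(verify: Callable[[Challenge, str, float], bool],
                    ch: Challenge, now: float) -> Optional[int]:
    """Test harness: submit every 4-digit code in order and report how many
    submissions the server accepted before one succeeded (None if none did)."""
    for n in range(10_000):
        if verify(ch, f"{n:04d}", now):
            return n + 1
    return None
```

Against `verify_limited` the sweep is cut off after five submissions, so the only thing an exhaustive run can learn is that the challenge is now locked.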
#M5 Insufficient Cryptography
Insufficient cryptography means that either sensitive information is not properly encrypted or the attempted cryptography is inadequate. This can happen when a developer uses an outdated cryptographic algorithm or a custom algorithm that may contain several vulnerabilities.
Example: Ola App
Leading security services provider Appknox scanned the app of the leading car rental service Ola and found some serious issues related to cryptographic keys. The app was using the cryptographic key 'ProdkeyProdkey12', and this same key was used to encrypt users' passwords. This meant that if a user reused the same password for other accounts, those accounts were also at risk. Appknox was also able to intercept server requests and send fake requests to receive money.
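Encrypting passwords with a key that can be recovered from the app, as described for Ola above, is reversible by anyone who obtains that key, and without a per-record salt two users with the same password produce the same record. The following added example (not Appknox's or Ola's code) contrasts that shape with a salted one-way hash; the key value, the counter-derived keystream used as a stand-in for the app's cipher, and the PBKDF2 work factor are assumptions, not details from the post.

```python
import hashlib
import hmac
import os
from typing import Optional

# Stand-in for a key embedded in the app (constructed value, not the real one).
# The post's point: whoever scans the app can read it, so it protects nothing.
HARDCODED_APP_KEY = b"EXAMPLE-HARDCODED-KEY"

def _keystream(key: bytes, length: int) -> bytes:
    """Counter-derived keystream: a stand-in for any reversible cipher run
    under a fixed key with no per-record nonce."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def encrypt_password_reversibly(password: str) -> bytes:
    """Vulnerable shape: the password is encrypted, not hashed, so the record
    is only as secret as the key, and equal passwords give equal records."""
    data = password.encode()
    ks = _keystream(HARDCODED_APP_KEY, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))

def decrypt_with_extracted_key(blob: bytes) -> str:
    """What possession of the app key buys: every stored password in the clear."""
    ks = _keystream(HARDCODED_APP_KEY, len(blob))
    return bytes(a ^ b for a, b in zip(blob, ks)).decode()

PBKDF2_ITERATIONS = 200_000   # assumed work factor; tune to your hardware

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Hardened shape: salted, iterated one-way hash. There is no key to
    extract, and the per-user salt keeps equal passwords from matching."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _, iters, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)
```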
#M6 Insecure Authorization
While authentication verifies the identity of a user, authorization checks which permissions that authenticated user actually has. Insecure authorization in a mobile app means that threat actors could gain a level of access that lets them read files or execute commands which they should not be able to access or execute otherwise.
Example: Viper Smart Start
Improper authorization was discovered in Viper, a leading vehicle security and remote start brand for cars. Through this vulnerability, a threat actor could log into the app's server and gain elevated access to change details about the car, gather location info, and even remotely open the car.
#M7 Client Code Quality
This term refers to all the code-level implementation errors in the mobile client. It may include vulnerabilities such as format string bugs, buffer overflows, and several other code-level flaws. Clean coding practices can help overcome these issues; proper documentation and uniform coding standards across the organization are a good starting point to reduce this risk.
A client code quality issue was discovered by WhatsApp engineers when they found that it was possible to trigger a buffer overflow by sending crafted packets to WhatsApp during calls. It later emerged that hackers had been using this vulnerability to install spyware on devices. An Israeli company named NSO Group was actually selling this flaw as a service!
#M8 Code Tampering
Code tampering covers duplicating an existing application by modifying its code, inserting backdoors for malicious purposes and then republishing the tampered application to some third-party app store. Through these backdoors, hackers may gain access to sensitive user information and even compromise corporate data by impersonating the official apps. To counter this flaw, app developers must implement anti-tampering solutions.
Example: Postbank Finanzassistant
Banking apps are generally the biggest targets when it comes to code tampering. An attacker would typically create a tampered version of a banking app that transmits sensitive PII (Personally Identifiable Information) to third-party sites, which generally results in serious banking fraud.
#M9 Reverse Engineering
This risk covers analysis of the final core binary to determine its source code, libraries, algorithms and other assets. Reverse engineering makes it easier to exploit other vulnerabilities in the application, and it can reveal information about backend servers, cryptographic constants and ciphers, and intellectual property.
An attacker analyzes the binary code of a mobile app in order to discover its source code, internal algorithms, libraries and other important assets. Reverse engineering also reveals information such as the ciphers and cryptographic keys used, details about backend servers and so on. This level of insight into the app allows attackers to exploit even the smallest vulnerabilities present in its code. Complex coding techniques like obfuscation must be used in order to eliminate this risk.
Example: Pokemon Go
Reverse engineering was employed by Pokémon Go fans, who reverse-engineered the app and fed it false geolocation information in order to discover rare Pokémon easily, and also tampered with the device time to make eggs hatch faster. These alterations to the game dynamics did a lot of damage to the game's reputation.
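Obfuscation raises the cost of reading the client, but a client that has been reverse-engineered can still send whatever location and clock it likes, so the spoofing described above is also worth catching server-side. This added example (not code from the game or from the post) checks each location report for an implausible travel speed and for a client clock running ahead of the server, taking elapsed time from the server's own clock; the report schema and thresholds are constructed assumptions.

```python
import math
from dataclasses import dataclass
from typing import List

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 300.0   # assumed policy: faster than this is not a walk or a drive
MAX_CLOCK_SKEW_S = 120.0    # assumed tolerance between client and server clocks

@dataclass
class Report:
    """One location report as the server sees it (constructed schema)."""
    client_time: float   # timestamp the client claims
    server_time: float   # when the server actually received the report
    lat: float
    lon: float

def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))

def check_report(prev: Report, cur: Report) -> List[str]:
    """Return the reasons a report looks tampered with; an empty list means
    plausible. Elapsed time comes from server timestamps, so a client clock
    set forward (the egg-hatching trick) neither speeds up timers nor hides
    a teleport between two reports."""
    reasons: List[str] = []
    if cur.client_time - cur.server_time > MAX_CLOCK_SKEW_S:
        reasons.append("client clock ahead of server")
    elapsed_h = (cur.server_time - prev.server_time) / 3600.0
    if elapsed_h <= 0:
        reasons.append("non-increasing server timestamps")
        return reasons
    speed_kmh = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon) / elapsed_h
    if speed_kmh > MAX_PLAUSIBLE_KMH:
        reasons.append(f"implausible speed {speed_kmh:.0f} km/h")
    return reasons
```

A flagged report is a signal for the game server to ignore the movement or hold the reward, not proof on its own; legitimate GPS glitches also produce occasional jumps, so thresholds and repeat counts need tuning against real traffic.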
#M10 Extraneous Functionality
Developers often embed hidden backdoors and security controls into their apps during the development cycle. These add-on functionalities are not intended to reach the production environment, but developers often forget to remove them. Once identified by hackers in production, these backdoors can be exploited to gain extra privileges and access sensitive information. That is why it is essential for developers to disable debug logs and review related configurations before releasing their apps.
Example: Wifi File Transfer App
An app called Wifi File Transfer opens a port to allow mobile devices to connect to computers and share files. However, due to an extraneous functionality flaw, threat actors could access all the data present on the device, and without any kind of authentication.
Without a doubt, the OWASP Mobile Top 10 security flaws are just the tip of a massive iceberg, but they still act as a promising starting point when it comes to mobile app security. These flaws provide an important and trusted benchmark for developers and security experts and promote the inclusion of security in the app development process right from the beginning. Given the complexity of the techniques used by modern-day attackers, knowledge about these leading attack vectors becomes a must.