OWASP Mobile Top 10 Risks
Uploaded by beau-woods (category: Technology)
Transcript of OWASP Mobile Top 10 Risks
Slide 4
Path: Collected and uploaded personal information
Concur: Stored password in plain text
Slide 5
Recommendation for future versions:
• Expand to specific risks
Slide 6
Google Wallet: NFC MITM
PayPal: Failure to validate certificates
Apple iOS AppStore: MITM led to circumventing purchases
Slide 7
Recommendation for future versions:
• Improve or eliminate
Slide 8
Dropbox: Used only a unique ID to authenticate, no password required; password reset doesn’t protect assets
Audible: Used plaintext password to authenticate and used HTTP GET method
OOB: Remember, mobile devices can potentially intercept phone calls, SMS and email
Slide 10
Recommendation for future versions:
• Improve or eliminate
Slide 11
Android: Information sent to advertisers (http://news.techeye.net/mobile/many-android-apps-send-your-private-information-to-advertisers)
Apple: Collected and stored mobile tower data; called before US Congress to answer questions
Audible: Stored URL with password in logfile, also in GET request stored in web server log
Recommendation for future versions:
• Consider combining with M10
• Consider incorporating the idea of collecting unnecessary but potentially sensitive or private information
Slide 13
Recommendation for future versions:
• Consider combining with M8
Slide 14
http://www.secureworks.com/cyber-threat-intelligence/advisories/SWRX-2011-002/
Slide 15
http://www.secureworks.com/cyber-threat-intelligence/advisories/SWRX-2011-004/
Slide 16
http://stratigossecurity.com/2012/10/03/security-advisory-ustream-mobile-application/