OWASP top 10 mobile risks

Paweł Rzepa

Important notes

• The goal of this presentation is to provide you a basic knowledge about mobile risks and easy methodology to find those risks in your applications.

• If you want to add anything important/interesting and related to the topic – feel free to interrupt me ;).

What are we going to talk about…

Before we start… the threat model

M2 - Insecure data storage

Insecure data storage – what it is?

• Simple words definition: valuable pieces of data (e.g. passwords, cookies, personal information) are stored in the data-stores on the device in insecure (plain text or reversable encoding) format.

Insecure data storage – what to look for?

• Look for any sensitive information in:– SQLite databases (local)– XML Data Stores– Plain text configuration files– Cookie stores– SD Card

Insecure data storage – how to find?

• Install and run application for some time• Monitor changes in /sdcard before and after

installing an application• Analyze package files on different stages:

adb pull /data/data/<apk_package_name>

Insecure data storage - demo

Insecure data storage – real example

• Outlook stored all attachements as unencrypted and world readable files on external storage.

Insecure data storage - mitigations

• Don’t store data unless it’s absolutely necessarry.

• Use encryption for local storage (use method setStorageEncryption).

• For databases consider using SQLcipher for Sqlite data encryption.

• Ensure any shared preferences properties are NOT MODE_WORLD_READABLE.

M3 - Insufficient transport layer protection

Insufficient transport layer protection – what it is?

• Simple words definition: application does NOT implement TLS or it does incorrectly.

What do you mean „incorrectly”?

• Insecure implementations are:– Using known weak ciphers / version (e.g.

SSLv2/SSLv3, RC4)– Securing only part of the communication (e.g. only

authentication)– Lack of certificate inspection

Certificate inspection in web applications – chain of trust.• In web applications the validation of certificate is on the

side of a browser.• It is done by a „chain of trust”.

• But how a mobile app can know if it is communicating with a proper server?

Cert Pinning - theory

• Embedded in source code expected X509 certificate or public key.

if (presented_cert == pinned_cert)Start_connection();elseDrop_connection();

Cert Pinning - reality

• Guys from Leibniz Universität Hannover tested 100 apps and…

• 21 apps trust all certificates• 20 apps accept all hostnames• And in the end they asked developers why it


More: https://www.owasp.org/images/7/77/Hunting_Down_Broken_SSL_in_Android_Apps_-_Sascha_Fahl%2BMarian_Harbach%2BMathew_Smith.pdf

Insufficient transport layer protection- how to find?

• Passive analysis with Wireshark/Burp (to check if all traffic is encrypted)

• Use Mallodroid:./mallodroid.py –f AppToCheck.apk –d ./javaout

• Look for end point implementation flaws using SSLyze (or https://www.ssllabs.com/ssltest/ for public domain):

sslyze --regular www.example.com:443

Insufficient transport layer protection- example

Insufficient transport layer protection-few facts from reality

• According to the FireEye research from July 17 2014, among 1000 most-downloaded free applications in the Google Play store:

Source: https://www.fireeye.com/blog/threat-research/2014/08/ssl-vulnerabilities-who-listens-when-android-applications-talk.html

Insufficient transport layer protection- mitigations• Any sensitive data MUST be transfered over TLS• How to do it properly? Follow the rules: https


M4 - Unintended data leakage

Unintended data leakage – what it is?

• Simple word definition: OS/frameworks puts sensitive information in an insecure location in the device.

• Important note: insecure data storage talks about developer conscious efforts to store data in insecure manner, while unintended data leakage refers to OS/framework specific quirks which can cause data leakages.

Unintended data leakage – common leakage points

• URL Caching • Copy/Paste buffer Caching• Logging• Analytics data sent to 3rd parties (e.g. ads

sending GPS location)

Unintended data leakage – how to find?

• Extract data from leaking content providers using Drozer:

dz> run app.provider.finduri <package_name>

• Use logcat to verify what is being logged using ADB:adb logcat [output filter] | grep cookie,username…

• Use listener (Burp/Wireshark) to monitor what is being sent to 3rd parties.

• Use Intent Sniffer to see if any confidential data is sent via Intents.

Unintended data leakage - demo

Unintended data leakage - mitigations

• NEVER log any sensitive information (observe what you’re storing in crashlogs).

• Disable copy/paste function for sensitive part of the application.

• Disable debugging (android:debuggable="false").

M5 - Poor Authorization and Authentication

Poor Authorization and Authentication – what is it?

• Simple words definition: if you’re able to bypass authentication and/or laverage your privileges then… your app has poor authorization and/or authentication.

Poor Authorization and Authentication – how to find?

• Try to bypass authentication by accessing exported activities using Drozer:

dz> run app.activity.start –component <component_name>

• Intercept traffic with Burp and modify parameter to login as other user/see unauthorized content (e.g. by manipulating device ID).

• Test account lockout policy• Test strong password policy

Poor Authorization and Authentication - demo

Poor Authorization and Authentication – real example

• A flaw in application can become an entry point to compromise an operating system.

• For example a Viber app:https://www.youtube.com/watch?time_continue=40&v=rScheIQDD0k

And always remember to…

• …stay reasonable when you’re going to follow advices from the Internet…

Poor Authorization and Authentication - mitigations• Assume that client-side authorization and

authentication controls can be bypassed - they must be re-enforced on the server-side whenever possible!

• Persistent authentication (Remember Me) functionality implemented within mobile applications should never store a user’s password on the device. It should be optional and not be enabled by default.

• Do not allow for offline brute force attacks.

M6 - Broken Cryptography

Broken Cryptography – what it is?

• Simple words definition: using insecure implementation or implementing it in a insecure way.

• Few reminders (yeah I know you know it…):– encoding != encryption– obfuscation != encryption

Broken Cryptography – how to find?

• Decompile the apk using dex2jar (or luyten for more verbose result) and review jar file in JD-GUI.

• Look for decryption keys (in attacker-readable folder or hardcoded within binary).

• Try to break encryption algorithm if an application uses custom encryption.

• Look for usage of insecure and/or deprecated algorithms (e.g. RC4, MD4/5, SHA1 etc.).

Broken Cryptography - example

• Encrypted db is definitely a good idea…

Page 39: Owasp mobile top 10

Broken Cryptography - example

• …but not when you’re hardcoding passwords to decrypt it in code…

Broken Cryptography – real example

• NQ Vault

Broken Cryptography - mitigations

• Use known, strong cryptography implementations.

• Do not hardcode keys/credentials/OAUTH tokens.

• Do not store keys on a device. Use password based encryption instead.

M7 - Client side injection

Client side injection – what it is?

• Simple words definition: malicious code can be provided as an input and executed by the application (on the client side).

• The malicious code can come from:– Other application via intent/content provider– Shared file– Server response– Third party website

Client side injection – what to inject?

• SQL injection to local db• XSS/WebView injection• Directory traversal

• Intent injection

A new Android’s toy – the Intents• Android application can talk

(Inter-Process-Communication) to any other component (e.g. other application, system service, running new activity etc.) via special objects called Intents.

Intent i = new Intent(Intent.ACTION_VIEW,Uri.parse(„https://owasp.org”));Intent i = new Intent(android.provider.MediaStore.Action_IMAGE_CAPTURE);

Client side injection – how to find?

• SQL injections:dz> run scanner.provider.injection –a <package_name>

• Data path traversaldz> run scanner.provider.traversal –a <package_name>

• Intent injectionsdz> run app.package.manifest –a <package_name>dz> run app.activity.info –a <package_name>

dz> run app.service.info --permission null –a <package_name>dz> run intents.fuzzinozer --package_name <package_name> --


Client side injection - demo

Client side injection – real example• The UniversalMDMClient (built-in application Samsung KNOX

– a security feature to seperate personal and professional activities).

• Crafted URI with „smdm://” prefix allows for remote installation of ANY application, while a user thinks he’s installing an update for UniversalMDMClient.

• How it works in practice? https://www.youtube.com/watch?time_continue=56&v=6O9OBmsv-CM

Client side injection - mitigations

• Always validate on a server side any user input!• For internal communication use only explicit

Intents.• Avoid using Intent-filter. Even if the Activity has

atribute „exported=false” another application can define the same filter and a system displays a dialog, so the user can pick which app to use.

M9 - Improper session handling

Improper session handling – what it is?

• Simple words definition: if your session token can be guessed, retrieved by third party or never expires then you have a problem.

Improper session handling – how to find?

• Intercept requests with proxy (e.g. Burp) and verify if:– Verify if a session expires (copy a cookie and try to use it

after 30 minutes)– Verify if a session is destroyed after authentication state

changes (e.g. switching from any logged in user to another logged in user)

– Verify if you are able to guess any other session (e.g. it’s easy to impersonate other user when application uses device ID as a session token)

Improper session handling – few facts from reality

• What we know is that „sessions have to expire”…

• …but how long should it REALLY last?• According to experiment* the average application

session (counted from opening an app to closing it) lasts… 71.56 seconds.

* - http://www.mendeley.com/research/falling-asleep-angry-birds-facebook-kindle-large-scale-study-mobile-application-usage/

Improper session handling - mitigations

• Invalidate session on a server side.• Set session expiration time adjusted to your

application.• Destroy all unused session tokens.• Use only high entropy, tested token

generation resources.

Thank you!

