OWASP Mobile Top 10 Vulnerabilities
I think OWASP is a great project and IT students should learn about OWASP at University because this project has a lot of interesting resources that IT engineers should take into account at work. OWASP is really interesting for developers but it’s also interesting for systems and security engineers because we can learn how to develop software secure but we can also learn what are the main vulnerabilities to protect the systems. I’ve already written about OWASP Top 10 and I would also like to write about OWASP Top 10 for Mobile Apps.
The first and leading mobile security vulnerability is M1 – Improper Platform Usage which refers to the misuse of any platform feature or failure to incorporate platform security controls. Next to the OWASP Top 10 Mobile list is M2 - Insecure Data Storage because it is crucial to store data securely in a place that won’t be accessible to another app or an individual. Therefore, we should never think attackers won’t have access to filesystems.
M3 - Insecure Communication is the third in the list. If the data is sent unencrypted in cleartext, attackers monitoring the network can capture and read all the information being sent. To avoid data from being stolen, we should rely on industry-standard encryption protocols. M4 – Insecure Authentication comes next on the security vulnerabilities list where we should verify the identity of the user securely before granting access.
The fifth security vulnerability is M5 – Insufficient Cryptography because there are mobile apps using weak algorithms for encryption and decryption or the cryptographic process ifself has implementation flaws. Like M4 - Insecure Authentication, M6 – Insecure Authorization leads to data theft where attackers log in as legitimate users and perform privilege escalation attacks. It’s highly recommended to ensure that for each request, the mobile app verifies the identity of the user.
Another vulnerability relating to faulty code implementations is the M7 – Client Code Quality. Nobody is perfect thus there could be code-level mistakes in mobile apps with issues such as buffer overflows, remote code execution, etc. Therefore, we should test and review the source code. We should also pay attention to tampered version of mobile apps because this is the M8 – Code Tampering security risk where we should implement anti-tamper techniques such as checksums, digital signatures, code hardening, and other validation methods.
The M9 – Reverse Engineering is also a mobile security risk that we have to prevent because reverse engineering allow attackers to understand, inspect, and modify the code to include harmful functionality. Finally, M10 – Extraneous Functionality is a security risk which allows attackers use backdoors or additional functionalities leave by developers unintentionally.
Regards my friends! Do you know OWASP Mobile Top 10?