Mobile Application Threat Analysis

Size: px

Start display at page:

Download "Mobile Application Threat Analysis"

Darren James
10 years ago
Views:

1 The OWASP Foundation Mobile Application Threat Analysis Ari Kesäniemi Nixu Copyright The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

2 Threat Modeling Assets Threat agents Architecture Threats 2

3 Thought Process for Discovering Threats 1. What do we want to protect and why? 2. Where could the attack happen? 3. What could go wrong? 4. Do we have appropriate protection? 5. What is the risk we accept? 3

4 1. What do we want to protect and why? What are the assets worth protecting? What would be the business impact if compromised? Data Money, privacy, credentials Transactions and processes IPR, innovations, algorithms Reputation, customer experience Resources 4

5 Thought Process for Discovering Threats 1. What do we want to protect and why? 2. Where could the attack happen? 3. What could go wrong? 4. Do we have appropriate protection? 5. What is the risk we accept? 5

6 2. Where could the attack happen? What is the attack surface? Local storage? (Including logs, caches etc) Connection to back end server? Connection to third party services? Malicious user? Web browsing and content handlers? Exposed API or RPC? Third party components part of the application? 6

Connection to third party services? Malicious user?

7 Thought Process for Discovering Threats 1. What do we want to protect and why? 2. Where could the attack happen? 3. What could go wrong? 4. Do we have appropriate protection? 5. What is the risk we accept? 7

8 3. What could go wrong? What are the most feasible attack scenarios? How each of the assets (from step 1) could be compromised Considering confidentiality, integrity, availability and nonrepudiation for information assets? Considering STRIDE* for processes and data flows? Considering attack surfaces (from step 2)? Considering the system as a whole? * STRIDE = Spoofing / Tampering / Repudiation / Information disclosure / Denial of service / Elevation of privilege 8

nonrepudiation for information assets? Considering STRIDE* for processes and data flows?

9 Thought Process for Discovering Threats 1. What do we want to protect and why? 2. Where could the attack happen? 3. What could go wrong? 4. Do we have appropriate protection? 5. What is the risk we accept? 9

10 4. Do we have appropriate protection? Consider each scenario individually Is there a best practice protection mechanism? Is it implemented in the system? Build an attack tree when necessary Legend Threat Attack Vector Protection phone_call_fraud modification_of_info identity_theft disclosure_of_info malicious_health_tips stealing_auth_cred sync_modification_from_client_to_server modified_phone_nr forged_authz exploiting_internal_interfaces publish_and_refresh_sync unauthorized_use stolen_id mitm api_protection eavesdropping application_pin stolen_session_token guessing_or_stealing_password rerouting_comms modified_app local_storage_access ip_bound_session social_engineering server_side_attack faking_app_in_app_store exploiting_unencrypted_comm secure_session_storage local_data_encryption attack_from_another_app rooting_device ssl_protection physical_access 10

sync_modification_from_client_to_server modified_phone_nr forged_authz exploiting_internal_interfaces publish_and_refresh_sync unauthorized_use stolen_id mitm api_protection eavesdropping

11 Attack Tree 11

12 OWASP Top Ten Mobile Risks (DRAFT) 1. Insecure or unnecessary client-side data storage 2. Lack of data protection in transit 3. Personal data leakage 4. Failure to protect resources with strong authentication 5. Failure to implement least privilege authorization policy 6. Client-side injection 7. Client-side DOS 8. Malicious third-party code 9. Client-side buffer overflow 10. Failure to apply server-side controls 12

Failure to protect resources with strong authentication 5.

13 and: Abuse of client side paid resources Failure to properly handle inbound SMS messages Failure to properly handle outbound SMS messages Malicious / fake applications from app store Ability of one application to view data or communicate with other applications Switching networks during a transaction Failure to protect sensitive data at rest Failure to disable insecure platform features in application (caching of keystrokes, screen data) 13

data or communicate with other applications Switching networks during a transaction Failure to protect

14 Thought Process for Discovering Threats 1. What do we want to protect and why? 2. Where could the attack happen? 3. What could go wrong? 4. Do we have appropriate protection? 5. What is the risk we accept? 14

15 5. What is the risk we accept? What are the residual risks that can be accepted? Not every scenario is worth protecting For scenarios not having good protection, consider DREAD: Damage Reproducibility Exploitability Affected users Discoverability Is there a known threat agent motivated to perform an attack? 15

Not every scenario is worth protecting For scenarios not having good

16 Attack Tree 16

17 Summary & Conclusion

18 1. What do we want to protect and why? 2. Where could the attack happen? 3. What could go wrong? 4. Do we have appropriate protection? 5. What is the risk we accept? Assets Threat agents Architecture Threats 18

19 Questions? Resources: OWASP Mobile Security Project ENISA: Top Ten Smartphone Risks Microsoft: STRIDE, DREAD 19

Threat Modeling. Frank Piessens ([email protected] ) KATHOLIEKE UNIVERSITEIT LEUVEN

Threat Modeling. Frank Piessens (Frank.Piessens@cs.kuleuven.be ) KATHOLIEKE UNIVERSITEIT LEUVEN Threat Modeling Frank Piessens ([email protected] ) Secappdev 2007 1 Overview Introduction Key Concepts Threats, Vulnerabilities, Countermeasures Example Microsoft s Threat Modeling Process