[HACKING] Mobile Application Vulnerability Research Guide(OWASP Mobile Security Project)

Today, after a long while, I want to talk about mobile security, that is, about smartphones. (I have been busy lately and have had no time to write..)

This year OWASP released, under its Mobile Security Project, the Mobile Application Security Guide: a checklist for vulnerability assessment, penetration testing and security.

As you will see from the contents, the focus is on attacking apps and diagnosing vulnerabilities rather than on topics like malware analysis. It consists of 91 items in total, and it seems like a document that could be of some help to anyone doing mobile vulnerability assessments.

https://www.owasp.org/index.php/OWASP_Mobile_Security_Project > file

Intro

Honestly, vulnerability analysis and hacking do not follow a fixed procedure. This is just my personal opinion, but rather than working in order through Recon / Scanning and so on, my style seems to be to just poke at things. [ You gather information while you test :) ]

That said, one thing that definitely helps during vulnerability analysis is a well-organized checklist. When removing vulnerabilities from an application or system, a checklist that lets you confirm nothing was missed plays a valuable role. So let's take a look.

Mobile Security Check List

It is broadly divided into a client-side checklist and a server-side checklist, and it is best read as roughly "the minimum you absolutely must check".

| No | Vulnerability | Platform | Classification | Side |
|----|---------------|----------|----------------|------|
| 1 | Application is Vulnerable to Reverse Engineering Attack/Lack of Code | All | Static Checks | Client-Side |
| 2 | Account Lockout not Implemented | All | Dynamic Checks | Client-Side |
| 3 | Application is Vulnerable to XSS | All | Static + Dynamic Checks | Client-Side |
| 4 | Authentication bypassed | All | Dynamic Checks | Client-Side |
| 5 | Hard coded sensitive information in Application Code (including Crypt | All | Static Checks | Client-Side |
| 6 | Malicious File Upload | All | Dynamic Checks | Client-Side |
| 7 | Session Fixation | All | Dynamic Checks | Client-Side |
| 8 | Application does not Verify MSISDN | WAP | Unknown | Client-Side |
| 9 | Privilege Escalation | All | Dynamic Checks | Client-Side |
| 10 | SQL Injection | All | Static + Dynamic Checks | Client-Side |
| 11 | Attacker can bypass Second Level Authentication | All | Dynamic Checks | Client-Side |
| 12 | Application is vulnerable to LDAP Injection | All | Dynamic Checks | Client-Side |
| 13 | Application is vulnerable to OS Command Injection | All | Dynamic Checks | Client-Side |
| 14 | iOS snapshot/backgrounding Vulnerability | iOS | Dynamic Checks | Client-Side |
| 15 | Debug is set to TRUE | Android | Static Checks | Client-Side |
| 16 | Application makes use of Weak Cryptography | All | Static Checks | Client-Side |
| 17 | Cleartext information under SSL Tunnel | All | Dynamic Checks | Client-Side |
| 18 | Client Side Validation can be bypassed | All | Dynamic Checks | Client-Side |
| 19 | Invalid SSL Certificate | All | Static Checks | Client-Side |
| 20 | Sensitive Information is sent as Clear Text over network/Lack of Data | All | Dynamic Checks | Client-Side |
| 21 | CAPTCHA is not implemented on Public Pages/Login Pages | All | Dynamic Checks | Client-Side |
| 22 | Improper or NO implementation of Change Password Page | All | Dynamic Checks | Client-Side |
| 23 | Application does not have Logout Functionality | All | Dynamic Checks | Client-Side |
| 24 | Sensitive information in Application Log Files | All | Dynamic Checks | Client-Side |
| 25 | Sensitive information sent as a querystring parameter | All | Dynamic Checks | Client-Side |
| 26 | URL Modification | All | Dynamic Checks | Client-Side |
| 27 | Sensitive information in Memory Dump | All | Dynamic Checks | Client-Side |
| 28 | Weak Password Policy | All | Dynamic Checks | Client-Side |
| 29 | Autocomplete is not set to OFF | All | Static Checks | Client-Side |
| 30 | Application is accessible on Rooted or Jail Broken Device | All | Dynamic Checks | Client-Side |
| 31 | Back-and-Refresh attack | All | Dynamic Checks | Client-Side |
| 32 | Directory Browsing | All | Static + Dynamic Checks | Client-Side |
| 33 | Usage of Persistent Cookies | All | Dynamic Checks | Client-Side |
| 34 | Open URL Redirects are possible | All | Dynamic Checks | Client-Side |
| 35 | Improper exception Handling: In code | All | Static Checks | Client-Side |
| 36 | Insecure Application Permissions | All | Static Checks | Client-Side |
| 37 | Application build contains Obsolete Files | All | Static Checks | Client-Side |
| 38 | Certificate Chain is not Validated | All | Static + Dynamic Checks | Client-Side |
| 39 | Last Login information is not displayed | All | Dynamic Checks | Client-Side |
| 40 | Private IP Disclosure | All | Static Checks | Client-Side |
| 41 | UI Impersonation through RMS file modification | JAVA | Dynamic Checks | Client-Side |
| 42 | UI Impersonation through JAR file modification | Android | Dynamic Checks | Client-Side |
| 43 | Operation on a resource after expiration or release | All | Dynamic Checks | Client-Side |
| 44 | No Certificate Pinning | All | Dynamic Checks | Client-Side |
| 45 | Cached Cookies or information not cleaned after application removal/ | All | Dynamic Checks | Client-Side |
| 46 | ASLR Not Used | iOS | Static Checks | Client-Side |
| 47 | Clipboard is not disabled | All | Dynamic Checks | Client-Side |
| 48 | Stack smashing protection is not enabled | iOS | Static Checks | Client-Side |
| 49 | Android Backup Vulnerability | Android | Static Checks | Client-Side |
| 50 | Unencrypted Credentials in Databases (sqlite db) | All | Dynamic Checks | Client-Side |
| 51 | Store sensitive information outside App Sandbox (on SDCard) | All | Dynamic Checks | Client-Side |
| 52 | Allow Global File Permission on App Data | Android | Dynamic Checks | Client-Side |
| 53 | Store Encryption Key Locally/Store Sensitive Data in ClearText | All | Dynamic Checks | Client-Side |
| 54 | Bypass Certificate Pinning | All | Dynamic Checks | Client-Side |
| 55 | Third-party Data Transit on Unencrypted Channel | All | Dynamic Checks | Client-Side |
| 56 | Failure to Implement Trusted Issuers | Android | Static Checks | Client-Side |
| 57 | Allow All Hostname Verifier | Android | Static Checks | Client-Side |
| 58 | Ignore SSL Certificate Error | All | Static Checks | Client-Side |
| 59 | Weak Custom Hostname Verifier | Android | Static Checks | Client-Side |
| 60 | App/Web Caches Sensitive Data Leak | All | Dynamic Checks | Client-Side |
| 61 | Leaking Content Provider | Android | Dynamic Checks | Client-Side |
| 62 | Redundancy Permission Granted | Android | Static Checks | Client-Side |
| 63 | Use Spoof-able Values for Authenticating User (IMEI, UDID) | All | Dynamic Checks | Client-Side |
| 64 | Use of Insecure and/or Deprecated Algorithms | All | Static Checks | Client-Side |
| 65 | Local File Inclusion (might be through XSS Vulnerability) | All | Static + Dynamic Checks | Client-Side |
| 66 | Activity Hijacking | Android | Static Checks | Client-Side |
| 67 | Service Hijacking | Android | Static Checks | Client-Side |
| 68 | Broadcast Thief | Android | Static Checks | Client-Side |
| 69 | Malicious Broadcast Injection | Android | Static Checks | Client-Side |
| 70 | Malicious Activity/Service Launch | Android | Static Checks | Client-Side |
| 71 | Using Device Identifier as Session | All | Dynamic Checks | Client-Side |
| 72 | Symbols Remnant | iOS | Static Checks | Client-Side |
| 73 | Lack of Check-sum Controls/Altered Detection | Android | Dynamic Checks | Client-Side |
| 74 | Insecure permissions on Unix domain sockets | Android | Static Checks | Client-Side |
| 75 | Insecure use of network sockets | Android | Static Checks | Client-Side |
| 76 | Cleartext password in Response | All | Dynamic Checks | Server-Side |
| 77 | Direct Reference to internal resource without authentication | All | Dynamic Checks | Server-Side |
| 78 | Application has NO or improper Session Management/Failure to Invali | All | Dynamic Checks | Server-Side |
| 79 | Cross Domain Scripting Vulnerability | All | Dynamic Checks | Server-Side |
| 80 | Cross Origin Resource Sharing | All | Dynamic Checks | Server-Side |
| 81 | Improper Input Validation - Server Side | All | Dynamic Checks | Server-Side |
| 82 | Detailed Error page shows internal sensitive information | All | Dynamic Checks | Server-Side |
| 83 | Application Allows HTTP Methods besides GET and POST | All | Dynamic Checks | Server-Side |
| 84 | Cross Site Request Forgery (CSRF)/SSRF | All | Dynamic Checks | Server-Side |
| 85 | Cacheable HTTPS Responses | All | Dynamic Checks | Server-Side |
| 86 | Path Attribute not set on a Cookie | All | Dynamic Checks | Server-Side |
| 87 | HttpOnly Attribute not set for a cookie | All | Dynamic Checks | Server-Side |
| 88 | Secure Attribute not set for a cookie | All | Dynamic Checks | Server-Side |
| 89 | Application is Vulnerable to Clickjacking/Tapjacking attack | All | Dynamic Checks | Server-Side |
| 90 | Server/OS fingerprinting is possible | All | Dynamic Checks | Server-Side |
| 91 | Lack of Adequate Timeout Protection | All | Dynamic Checks | Server-Side |

Reference

https://www.owasp.org/index.php/OWASP_Mobile_Security_Project