[HACKING] Mobile Application Vulnerability Research Guide(OWASP Mobile Security Project)
오늘은 간만에 모바일 보안, 즉 스마트폰에 대한 이야기를 하려합니다. (요즘 바빠서 글 쓸 시간이 없네요.. )
올해 OWASP는 Mobile Security Project로 Mobile Application Security Guide, 즉 취약점 점검, 모의해킹, 보안을 위한 체크리스트를 공개했습니다.
내용을 보시면 아시곘지만.. 악성코드 분석 이런 내용보다는 앱을 공격하고 취약점을 진단하는 내용에 포커싱이 맞춰져 있습니다. 총 91개의 항목으로 구성되어 있고 모바일 취약점 진단하시는 분이라면 조금 도움될 수 있는 문서인 것 같네요.
https://www.owasp.org/index.php/OWASP_Mobile_Security_Project > file
Intro
사실 취약점 분석이나 해킹의 과정이 절차가 있진 않습니다. 물론 개인적인 생각이지만.. Recon / Scanning 등 순서에 따라 하기보단 그냥 막 찔러보는게 제 스타일인 것 같네요. [ 정보는 테스트하면서 수집하는거죠 :) ]
다만 취약점 분석 중 확실히 도움되는 부분 중 하나는 잘 정리된 체크리스트입니다. 어떤 어플리케이션 / 시스템의 취약성을 제거하는데는, 놓치는 것이 없도록 확인할 수 있는 체크리스트가 좋은 역할을 하죠. 그럼 한번 보도록 하겠습니다.
Mobile Security Check List
크게 Client 쪽 체크리스트, Server 단 체크리스트로 나뉘어져 있고 약간 "최소 꼭 확인해야할 것" 정도의 느낌으로 해석하시면 될 것 같습니다.
| No | Vulnerability | Platform | Classification | SIDE |
|---|---|---|---|---|
| 1 | Application is Vulnerable to Reverse Engineering Attack/Lack of Code | All | Static Ckecks | Client-Side |
| 2 | Account Lockout not Implemented | All | Dynamic Ckecks | Client-Side |
| 3 | Application is Vulnerable to XSS | All | Static + Dynamic Ckecks | Client-Side |
| 4 | Authentication bypassed | All | Dynamic Ckecks | Client-Side |
| 5 | Hard coded sensitive information in Application Code (including Crypt | All | Static Ckecks | Client-Side |
| 6 | Malicious File Upload | All | Dynamic Ckecks | Client-Side |
| 7 | Session Fixation | All | Dynamic Ckecks | Client-Side |
| 8 | Application does not Verify MSISDN | WAP | Unknown | Client-Side |
| 9 | Privilege Escalation | All | Dynamic Ckecks | Client-Side |
| 10 | SQL Injection | All | Static + Dynamic Check | Client-Side |
| 11 | Attacker can bypass Second Level Authentication | All | Dynamic Ckecks | Client-Side |
| 12 | Application is vulnerable to LDAP Injection | All | Dynamic Ckecks | Client-Side |
| 13 | Application is vulnerable to OS Command Injection | All | Dynamic Ckecks | Client-Side |
| 14 | iOS snapshot/backgrounding Vulnerability | iOS | Dynamic Ckecks | Client-Side |
| 15 | Debug is set to TRUE | Android | Static Ckecks | Client-Side |
| 16 | Application makes use of Weak Cryptography | All | Static Ckecks | Client-Side |
| 17 | Cleartext information under SSL Tunnel | All | Dynamic Ckecks | Client-Side |
| 18 | Client Side Validation can be bypassed | All | Dynamic Ckecks | Client-Side |
| 19 | Invalid SSL Certificate | All | Static Ckecks | Client-Side |
| 20 | Sensitive Information is sent as Clear Text over network/Lack of Data | All | Dynamic Ckecks | Client-Side |
| 21 | CAPTCHA is not implemented on Public Pages/Login Pages | All | Dynamic Ckecks | Client-Side |
| 22 | Improper or NO implementation of Change Password Page | All | Dynamic Ckecks | Client-Side |
| 23 | Application does not have Logout Functionality | All | Dynamic Ckecks | Client-Side |
| 24 | Sensitive information in Application Log Files | All | Dynamic Ckecks | Client-Side |
| 25 | Sensitive information sent as a querystring parameter | All | Dynamic Ckecks | Client-Side |
| 26 | URL Modification | All | Dynamic Ckecks | Client-Side |
| 27 | Sensitive information in Memory Dump | All | Dynamic Ckecks | Client-Side |
| 28 | Weak Password Policy | All | Dynamic Ckecks | Client-Side |
| 29 | Autocomplete is not set to OFF | All | Static Ckecks | Client-Side |
| 30 | Application is accessible on Rooted or Jail Broken Device | All | Dynamic Ckecks | Client-Side |
| 31 | Back-and-Refresh attack | All | Dynamic Ckecks | Client-Side |
| 32 | Directory Browsing | All | Static + Dynamic Chec | Client-Side |
| 33 | Usage of Persistent Cookies | All | Dynamic Ckecks | Client-Side |
| 34 | Open URL Redirects are possible | All | Dynamic Ckecks | Client-Side |
| 35 | Improper exception Handling: In code | All | Static Ckecks | Client-Side |
| 36 | Insecure Application Permissions | All | Static Ckecks | Client-Side |
| 37 | Application build contains Obsolete Files | All | Static Ckecks | Client-Side |
| 38 | Certificate Chain is not Validated | All | Static + Dynamic Chec | Client-Side |
| 39 | Last Login information is not displayed | All | Dynamic Ckecks | Client-Side |
| 40 | Private IP Disclosure | All | Static Ckecks | Client-Side |
| 41 | UI Impersonation through RMS file modification | JAVA | Dynamic Ckecks | Client-Side |
| 42 | UI Impersonation through JAR file modification | Android | Dynamic Ckecks | Client-Side |
| 43 | Operation on a resource after expiration or release | All | Dynamic Ckecks | Client-Side |
| 44 | No Certificate Pinning | All | Dynamic Ckecks | Client-Side |
| 45 | Cached Cookies or information not cleaned after application removal/ | All | Dynamic Ckecks | Client-Side |
| 46 | ASLR Not Used | iOS | Static Ckecks | Client-Side |
| 47 | Clipboard is not disabled | All | Dynamic Ckecks | Client-Side |
| 48 | Cache smashing protection is not enabled | iOS | Static Ckecks | Client-Side |
| 49 | Android Backup Vulnerability | Android | Static Ckecks | Client-Side |
| 50 | Unencrypted Credentials in Databases (sqlite db) | All | Dynamic Ckecks | Client-Side |
| 51 | Store sensitive information outside App Sandbox (on SDCard) | All | Dynamic Ckecks | Client-Side |
| 52 | Allow Global File Permission on App Data | Android | Dynamic Ckecks | Client-Side |
| 53 | Store Encryption Key LocAlly/Store Sensitive Data in ClearText | All | Dynamic Ckecks | Client-Side |
| 54 | Bypass Certificate Pinning | All | Dynamic Ckecks | Client-Side |
| 55 | Third-party Data Transit on Unencrypted Channel | All | Dynamic Ckecks | Client-Side |
| 56 | Failure to Implement Trusted Issuers | Android | Static Ckecks | Client-Side |
| 57 | Allow All Hostname Verifier | Android | Static Ckecks | Client-Side |
| 58 | Ignore SSL Certificate Error | All | Static Ckecks | Client-Side |
| 59 | Weak Custom Hostname Verifier | Android | Static Ckecks | Client-Side |
| 60 | App/Web Caches Sensitive Data Leak | All | Dynamic Ckecks | Client-Side |
| 61 | Leaking Content Provider | Android | Dynamic Ckecks | Client-Side |
| 62 | Redundancy Permission Granted | Android | Static Ckecks | Client-Side |
| 63 | Use Spoof-able Values for Authenticating User (IMEI, UDID) | All | Dynamic Ckecks | Client-Side |
| 64 | Use of Insecure and/or Deprecated Algorithms | All | Static Ckecks | Client-Side |
| 65 | Local File Inclusion (might be through XSS Vulnerability) | All | Static + Dynamic Chec | Client-Side |
| 66 | Activity Hijacking | Android | Static Ckecks | Client-Side |
| 67 | Service Hijacking | Android | Static Ckecks | Client-Side |
| 68 | Broadcast Thief | Android | Static Ckecks | Client-Side |
| 69 | Malicious Broadcast Injection | Android | Static Ckecks | Client-Side |
| 70 | Malicious Activity/Service Launch | Android | Static Ckecks | Client-Side |
| 71 | Using Device Identifier as Session | All | Dynamic Ckecks | Client-Side |
| 72 | Symbols Remnant | iOS | Static Ckecks | Client-Side |
| 73 | Lack of Check-sum Controls/Altered Detection | Android | Dynamic Ckecks | Client-Side |
| 74 | Insecure permissions on Unix domain sockets | Android | Static Ckecks | Client-Side |
| 75 | Insecure use of network sockets | Android | Static Ckecks | Client-Side |
| 76 | Cleartext password in Response | All | Dynamic Ckecks | Server-Side |
| 77 | Direct Reference to internal resource without authentication | All | Dynamic Ckecks | Server-Side |
| 78 | Application has NO or improper Session Management/Failure to Invali | All | Dynamic Ckecks | Server-Side |
| 79 | Cross Domain Scripting Vulnerability | All | Dynamic Ckecks | Server-Side |
| 80 | Cross Origin Resource Sharing | All | Dynamic Ckecks | Server-Side |
| 81 | Improper Input Validation - Server Side | All | Dynamic Ckecks | Server-Side |
| 82 | Detailed Error page shows internal sensitive information | All | Dynamic Ckecks | Server-Side |
| 83 | Application Allows HTTP Methods besides GET and POST | All | Dynamic Ckecks | Server-Side |
| 84 | Cross Site Request Forgery (CSRF)/SSRF | All | Dynamic Ckecks | Server-Side |
| 85 | Cacheable HTTPS Responses | All | Dynamic Ckecks | Server-Side |
| 86 | Path Attribute not set on a Cookie | All | Dynamic Ckecks | Server-Side |
| 87 | HttpOnly Attribute not set for a cookie | All | Dynamic Ckecks | Server-Side |
| 88 | Secure Attribute not set for a cookie | All | Dynamic Ckecks | Server-Side |
| 89 | Application is Vulnerable to Clickjacking/Tapjacking attack | All | Dynamic Ckecks | Server-Side |
| 90 | Server/OS fingerprinting is possible | All | Dynamic Ckecks | Server-Side |
| 91 | Lack of Adequate Timeout Protection | All | Dynamic Ckecks | Server-Side |
Reference
https://www.owasp.org/index.php/OWASP_Mobile_Security_Project