[HACKING] Mobile Application Vulnerability Research Guide(OWASP Mobile Security Project)

오늘은 간만에 모바일 보안, 즉 스마트폰에 대한 이야기를 하려합니다.
(요즘 바빠서 글 쓸 시간이 없네요.. )

올해 OWASP는 Mobile Security Project로 Mobile Application Security Guide, 즉 취약점 점검, 모의해킹, 보안을 위한 체크리스트를 공개했습니다.

내용을 보시면 아시곘지만.. 악성코드 분석 이런 내용보다는 앱을 공격하고 취약점을 진단하는 내용에 포커싱이 맞춰져 있습니다. 총 91개의 항목으로 구성되어 있고 모바일 취약점 진단하시는 분이라면 조금 도움될 수 있는 문서인 것 같네요.

https://www.owasp.org/index.php/OWASP_Mobile_Security_Project > file

Intro

사실 취약점 분석이나 해킹의 과정이 절차가 있진 않습니다. 물론 개인적인 생각이지만..
Recon / Scanning 등 순서에 따라 하기보단 그냥 막 찔러보는게 제 스타일인 것 같네요.
[ 정보는 테스트하면서 수집하는거죠 :) ]

다만 취약점 분석 중 확실히 도움되는 부분 중 하나는 잘 정리된 체크리스트입니다.
어떤 어플리케이션 / 시스템의 취약성을 제거하는데는, 놓치는 것이 없도록 확인할 수 있는 체크리스트가 좋은 역할을 하죠. 그럼 한번 보도록 하겠습니다.

Mobile Security Check List

크게 Client 쪽 체크리스트, Server 단 체크리스트로 나뉘어져 있고 약간 "최소 꼭 확인해야할 것"
 정도의 느낌으로 해석하시면 될 것 같습니다.

No	Vulnerability	Platform	Classification	SIDE
1	Application is Vulnerable to Reverse Engineering Attack/Lack of Code	All	Static Ckecks	Client-Side
2	Account Lockout not Implemented	All	Dynamic Ckecks	Client-Side
3	Application is Vulnerable to XSS	All	Static + Dynamic Ckecks	Client-Side
4	Authentication bypassed	All	Dynamic Ckecks	Client-Side
5	Hard coded sensitive information in Application Code (including Crypt	All	Static Ckecks	Client-Side
6	Malicious File Upload	All	Dynamic Ckecks	Client-Side
7	Session Fixation	All	Dynamic Ckecks	Client-Side
8	Application does not Verify MSISDN	WAP	Unknown	Client-Side
9	Privilege Escalation	All	Dynamic Ckecks	Client-Side
10	SQL Injection	All	Static + Dynamic Check	Client-Side
11	Attacker can bypass Second Level Authentication	All	Dynamic Ckecks	Client-Side
12	Application is vulnerable to LDAP Injection	All	Dynamic Ckecks	Client-Side
13	Application is vulnerable to OS Command Injection	All	Dynamic Ckecks	Client-Side
14	iOS snapshot/backgrounding Vulnerability	iOS	Dynamic Ckecks	Client-Side
15	Debug is set to TRUE	Android	Static Ckecks	Client-Side
16	Application makes use of Weak Cryptography	All	Static Ckecks	Client-Side
17	Cleartext information under SSL Tunnel	All	Dynamic Ckecks	Client-Side
18	Client Side Validation can be bypassed	All	Dynamic Ckecks	Client-Side
19	Invalid SSL Certificate	All	Static Ckecks	Client-Side
20	Sensitive Information is sent as Clear Text over network/Lack of Data	All	Dynamic Ckecks	Client-Side
21	CAPTCHA is not implemented on Public Pages/Login Pages	All	Dynamic Ckecks	Client-Side
22	Improper or NO implementation of Change Password Page	All	Dynamic Ckecks	Client-Side
23	Application does not have Logout Functionality	All	Dynamic Ckecks	Client-Side
24	Sensitive information in Application Log Files	All	Dynamic Ckecks	Client-Side
25	Sensitive information sent as a querystring parameter	All	Dynamic Ckecks	Client-Side
26	URL Modification	All	Dynamic Ckecks	Client-Side
27	Sensitive information in Memory Dump	All	Dynamic Ckecks	Client-Side
28	Weak Password Policy	All	Dynamic Ckecks	Client-Side
29	Autocomplete is not set to OFF	All	Static Ckecks	Client-Side
30	Application is accessible on Rooted or Jail Broken Device	All	Dynamic Ckecks	Client-Side
31	Back-and-Refresh attack	All	Dynamic Ckecks	Client-Side
32	Directory Browsing	All	Static + Dynamic Chec	Client-Side
33	Usage of Persistent Cookies	All	Dynamic Ckecks	Client-Side
34	Open URL Redirects are possible	All	Dynamic Ckecks	Client-Side
35	Improper exception Handling: In code	All	Static Ckecks	Client-Side
36	Insecure Application Permissions	All	Static Ckecks	Client-Side
37	Application build contains Obsolete Files	All	Static Ckecks	Client-Side
38	Certificate Chain is not Validated	All	Static + Dynamic Chec	Client-Side
39	Last Login information is not displayed	All	Dynamic Ckecks	Client-Side
40	Private IP Disclosure	All	Static Ckecks	Client-Side
41	UI Impersonation through RMS file modification	JAVA	Dynamic Ckecks	Client-Side
42	UI Impersonation through JAR file modification	Android	Dynamic Ckecks	Client-Side
43	Operation on a resource after expiration or release	All	Dynamic Ckecks	Client-Side
44	No Certificate Pinning	All	Dynamic Ckecks	Client-Side
45	Cached Cookies or information not cleaned after application removal/	All	Dynamic Ckecks	Client-Side
46	ASLR Not Used	iOS	Static Ckecks	Client-Side
47	Clipboard is not disabled	All	Dynamic Ckecks	Client-Side
48	Cache smashing protection is not enabled	iOS	Static Ckecks	Client-Side
49	Android Backup Vulnerability	Android	Static Ckecks	Client-Side
50	Unencrypted Credentials in Databases (sqlite db)	All	Dynamic Ckecks	Client-Side
51	Store sensitive information outside App Sandbox (on SDCard)	All	Dynamic Ckecks	Client-Side
52	Allow Global File Permission on App Data	Android	Dynamic Ckecks	Client-Side
53	Store Encryption Key LocAlly/Store Sensitive Data in ClearText	All	Dynamic Ckecks	Client-Side
54	Bypass Certificate Pinning	All	Dynamic Ckecks	Client-Side
55	Third-party Data Transit on Unencrypted Channel	All	Dynamic Ckecks	Client-Side
56	Failure to Implement Trusted Issuers	Android	Static Ckecks	Client-Side
57	Allow All Hostname Verifier	Android	Static Ckecks	Client-Side
58	Ignore SSL Certificate Error	All	Static Ckecks	Client-Side
59	Weak Custom Hostname Verifier	Android	Static Ckecks	Client-Side
60	App/Web Caches Sensitive Data Leak	All	Dynamic Ckecks	Client-Side
61	Leaking Content Provider	Android	Dynamic Ckecks	Client-Side
62	Redundancy Permission Granted	Android	Static Ckecks	Client-Side
63	Use Spoof-able Values for Authenticating User (IMEI, UDID)	All	Dynamic Ckecks	Client-Side
64	Use of Insecure and/or Deprecated Algorithms	All	Static Ckecks	Client-Side
65	Local File Inclusion (might be through XSS Vulnerability)	All	Static + Dynamic Chec	Client-Side
66	Activity Hijacking	Android	Static Ckecks	Client-Side
67	Service Hijacking	Android	Static Ckecks	Client-Side
68	Broadcast Thief	Android	Static Ckecks	Client-Side
69	Malicious Broadcast Injection	Android	Static Ckecks	Client-Side
70	Malicious Activity/Service Launch	Android	Static Ckecks	Client-Side
71	Using Device Identifier as Session	All	Dynamic Ckecks	Client-Side
72	Symbols Remnant	iOS	Static Ckecks	Client-Side
73	Lack of Check-sum Controls/Altered Detection	Android	Dynamic Ckecks	Client-Side
74	Insecure permissions on Unix domain sockets	Android	Static Ckecks	Client-Side
75	Insecure use of network sockets	Android	Static Ckecks	Client-Side
76	Cleartext password in Response	All	Dynamic Ckecks	Server-Side
77	Direct Reference to internal resource without authentication	All	Dynamic Ckecks	Server-Side
78	Application has NO or improper Session Management/Failure to Invali	All	Dynamic Ckecks	Server-Side
79	Cross Domain Scripting Vulnerability	All	Dynamic Ckecks	Server-Side
80	Cross Origin Resource Sharing	All	Dynamic Ckecks	Server-Side
81	Improper Input Validation - Server Side	All	Dynamic Ckecks	Server-Side
82	Detailed Error page shows internal sensitive information	All	Dynamic Ckecks	Server-Side
83	Application Allows HTTP Methods besides GET and POST	All	Dynamic Ckecks	Server-Side
84	Cross Site Request Forgery (CSRF)/SSRF	All	Dynamic Ckecks	Server-Side
85	Cacheable HTTPS Responses	All	Dynamic Ckecks	Server-Side
86	Path Attribute not set on a Cookie	All	Dynamic Ckecks	Server-Side
87	HttpOnly Attribute not set for a cookie	All	Dynamic Ckecks	Server-Side
88	Secure Attribute not set for a cookie	All	Dynamic Ckecks	Server-Side
89	Application is Vulnerable to Clickjacking/Tapjacking attack	All	Dynamic Ckecks	Server-Side
90	Server/OS fingerprinting is possible	All	Dynamic Ckecks	Server-Side
91	Lack of Adequate Timeout Protection	All	Dynamic Ckecks	Server-Side

Reference

https://www.owasp.org/index.php/OWASP_Mobile_Security_Project

---

HAHWUL Security engineer, Gopher and H4cker!