Which Top 10 Security Threats Apply to Android Apps?

Question

I know this question may seem a bit malicious in nature, but I'm just trying to learn best practices in Android/mobile app development, and security is definitely a big issue in software. If you still, after reading this question (!), think it is malicious in nature, just keep in mind I'm not asking how to implement any of these attacks, I'm just asking which attacks a good Android/mobile developer needs to be cognizant of.

Below is a list of the "official" OWASP Top 10 security threats for applications (link is here). I was wondering which of these (if any) apply to Android development, or if there are any other major attacks not listed here:

• Injection
• Cross-Site Scripting (XSS)
• Broken Authentication and Session Management
• Insecure Direct Object References
• Cross-Site Request Forgery (CSRF)
• Security Misconfiguration
• Insecure Cryptographic Storage
• Failure to Restrict URL Access
• Insufficient Transport Layer Protection
• Unvalidated Redirects and Forwards

Please note: I'm not talking about websites that are built for being displayed in mobile devices. I'm talking about actual applications that are deployed on mobile devices. In the case of Android, this means APKs.

Answer 1

The OWASP Top Ten is intended for web applications and Android apps are different.

OWASP does, however, have a fast-growing mobile intitiative and they are presently working on the Mobile Top Ten. Here is a list of the candidate top ten for the current year:

1. Insecure Data Storage
2. Weak Server Side Controls
3. Insufficient Transport Layer Protection
4. Client Side Injection
5. Poor Authorization and Authentication
6. Improper Session Handling
7. Security Decisions Via Untrusted Inputs
8. Side Channel Data Leakage
9. Broken Cryptography
10. Sensitive Information Disclosure

There is a wonderful set of slides that explain these in great detail.

In addition to the OWASP Mobile Top Ten, I can point you to Application Security for the Android Platform, just published by O'Reilly in December 2011 that discusses current secure mobile application design on Android, and provides a discussion about the threats inherit to that platform and how to code apps in a secure manner to avoid them (disclaimer: I'm the author of this book :)).

Answer 2

It's hard to answer your question in specifics because from what you've posted you are curious about your Android Application and your Java server, but you're asking a very generic question. Much of what the OWASP has published is very high level so getting any real substantive answers is going to be hard without knowing the specifics of how your Android application and server work. Generally, people aren't going to attack a phone when they can go after the server and own all of the data that will pass through all of the phones not just a single handset.

So injection, XSS, CSRF, etc mostly apply to the server side. You could perform injection into the Android SQLite database if your program uses it (see how the specifics of your app come into play here). XSS, CSRF could apply if you app is a web based client, or using webview for any part of it (again specifics matter).

Injection on the server for Java can easily be remedied by using PreparedStatements/PreparedCall. Don't use Statement. If you're using JPA, Hibernate, iBatis most of these use PreparedStatements under the hood. Injection in Java apps is easy to thwart those attacks:

https://www.owasp.org/index.php/Preventing_SQL_Injection_in_Java

XSS and CSRF are harder, but can be prevented using a filter. Read down this page, and you'll see where there is another link to the project that describes it.

https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet

Sending passwords over an insecure connection. If you send a password over HTTP or non-SSL socket then you're going to be disclosing too much information (using one-way hashes doesn't help because I don't need to know the password. All I need is the hash and that's transmitted in the clear). So make sure you are using SSL for authenticating users. Then we can get into how you are storing those passwords in your database. Are you using a one-way hash? Are you using bcrypt? If not are you using SALTs? Are you iterating on the hash to increase the time it takes to break that hash?

Most break-ins involve getting access to the underlying database through vulns in the OS, database, SQL injection, etc. Grabbing the table storing the user and passwords. Then run a super fast brute force method using simple off the shelf graphics cards to brute force passwords. Most one-way hashes can be broken today using this method if you don't take care to protect your passwords appropriately.

Answer 3

For (Android) Apps, most of the mentioned attacks do not apply regularily.

If you care to let us know who, in your case, is Alice, Bob, or Eve someone may provide a real answer to your question, so:

• Who needs to be protected?
• Who would (want to) attack the security of your App?

The most realistic threat I can come up with spontaneously (for a lack of information I assume a pretty much standalone App on a device) would be a bug in your App which either

• leaks (app-)private information to a non-secure storage, or
• allows injection of malicious data via user input (read: SQL injection; but the general problem is not only related to SQL DBs; think, e.g., about "XML injection").

Edit:

Let's just collect some possible stakeholders in the App's security (without any particular order):

• App user: Does he, his data, his monetary values, or his privacy need to be protected/supported by the App?

• App user: Does he pose a threat to any asset of the application and/or the developer?

• App developer: Does he, or his IP, or other application-related assets, need to be specifically protected by the design of the application?

• App developer: May he or his environment pose a threat to any asset not belonging to him?

• Third party: Is there a third party whose IP or other values need to be protected?

• Third party: Is there a third party which may be interested in compromising security for any of the above assets possibly unter threat?

(add more if you like.)

Answer 4

Many mobile devices allow an app to pop-up a browser, and insert hooks into the browser which allows them to observe key-strokes and the like. This can allow key-logging. The attack occurs as follows:

1. App creates a browser instance.
2. App uses privileged browser APIs to add key-event handlers to pages loaded by the browser.
3. App causes browser to load a URL, for example a bank login form.
4. Use assumes that the browser same-origin policy is protecting the data they enter.
5. App observes and exfiltrates form content possibly including the password.

How can I launch Safari from an iPhone app?

How can I open a URL in Android's web browser from my application?