OWASP Risks and Threat Evolution in the Mobile Industry

Hatteras Hoops
3 min read · Sep 24, 2022


The Open Web Application Security Project® (OWASP), founded in 2001, is a global non-profit organization that seeks to elevate software security through education, events and project development. [1] The Mobile Application Security (MAS) project, one of over a dozen OWASP flagship projects, seeks to standardize the foundations of mobile application security testing and evaluation, endorsed by the National Institute of Standards and Technology (NIST) and similar organizations worldwide. [2] The MAS project publishes a top ten list of mobile technology threats, derived from hundreds of respondents to a 2015 survey. [3] The three most serious threats in the MAS Top 10 Mobile Risks are Insufficient Cryptography (M5), Reverse Engineering (M9), and Extraneous Functionality (M10). This ranking reflects the author’s understanding of real-world threats to national security and to commercial and industrial intellectual property.

Insufficient Cryptography (M5) is the most pressing vulnerability related to MAS. Avoiding the storage of sensitive data on the device is achievable for a large proportion of user endpoints, but as a recommendation it may be insufficient in today’s work-from-anywhere paradigm. Other preventative measures include using industry-standardized cryptographic algorithms and largely point back to NIST Special Publication 800-175. M5 has a severe technical impact and is relatively easy to exploit. [4] The recommendations do not adequately address the risk in today’s environment, which includes cryptographic extortion (ransomware) and large-scale data exfiltration through social-engineering-enabled attacks. MAS provides limited resources for M5 and should aspire to address this risk better moving forward.
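To make the M5 distinction concrete, here is an added example (not code from the article or from OWASP) that contrasts an insufficient credential-protection scheme with the standardized one, using only the Python standard library; the record format, the legacy scheme and the iteration count are assumptions for illustration.

```python
"""Added example: insufficient vs. standardized credential protection (M5).
Record formats, the legacy scheme and the iteration count are constructed
for illustration; they are not the article's or OWASP's code."""
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

PBKDF2_ITERATIONS = 600_000  # assumption: tune to the device's latency budget


def legacy_store(password: str) -> str:
    # Insufficient cryptography: an unsalted, fast digest. Identical passwords
    # collide and precomputed tables work against every record at once.
    return "md5$" + hashlib.md5(password.encode()).hexdigest()


def pbkdf2_store(password: str, salt: Optional[bytes] = None) -> str:
    # Standardized scheme: PBKDF2-HMAC-SHA256 (NIST SP 800-132) with a
    # per-record random salt and an iteration count that slows brute force.
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify(record: str, password: str) -> Tuple[bool, bool]:
    """Returns (password_matches, needs_rehash)."""
    scheme, _, rest = record.partition("$")
    if scheme == "pbkdf2_sha256":
        iters, salt_hex, dk_hex = rest.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
        ok = hmac.compare_digest(dk.hex(), dk_hex)  # constant-time compare
        # A correct password on an under-iterated record should be re-hashed.
        return ok, ok and int(iters) < PBKDF2_ITERATIONS
    if scheme == "md5":
        # Legacy record: verify so the user can still sign in, but signal
        # that it must be migrated to the standardized scheme on success.
        ok = hmac.compare_digest(hashlib.md5(password.encode()).hexdigest(), rest)
        return ok, True
    raise ValueError(f"unknown scheme {scheme!r}")


def audit(records: List[str]) -> int:
    """Count stored records still protected by an insufficient scheme."""
    return sum(1 for r in records if not r.startswith("pbkdf2_sha256$"))
```

The `audit` count is the figure a defender would track toward zero while `verify` migrates legacy records on each successful sign-in.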

Reverse Engineering (M9) is another area of heightened concern, because it is a vulnerability commonly observed in threat actor methods. Listed as a moderate technical impact, M9’s preventative measures largely advise applying various obfuscation techniques to hinder threat actors, who can themselves reverse engineer. [5] As supply chain attacks continue to emerge, the significance of advancing M9 will increase. M9 lists a substantial volume of resources, but lacks foresight on mitigating threats in the interdependent app ecosystem.

Extraneous Functionality (M10) is a common exploit with severe technical consequences. M10 provides techniques to better control the vulnerability of backdoors, [6] a common Advanced Persistent Threat (APT) technique for data exfiltration. Using logs and scrubbing test code prior to production can help, but detecting this vulnerability can be complicated. M10 has a limited volume of resources and would benefit from a more cohesive method for limiting extra functionality.
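One practical form of the "scrub test code before production" step is a release gate that fails the build when extraneous functionality is still present. The following is an added example (not the article's or OWASP's code); the rules, the production host allowlist and the Kotlin-like source snippets are constructed for illustration.

```python
"""Added example: a pre-release gate that flags extraneous functionality
(M10) left in a mobile app build. Rules, allowlist and sample sources are
constructed for illustration only."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Finding:
    path: str
    line: int
    rule: str
    text: str


# Assumed policy: patterns a production build should never ship.
RULES = {
    "hidden-endpoint": re.compile(r'"https?://[^"]*/(admin|internal|debug|test)(?:/[^"]*)?"'),
    "debug-forced-on": re.compile(r"\b(DEBUG|ENABLE_LOGGING|ALLOW_ALL_CERTS)\s*=\s*true\b", re.I),
    "test-credential": re.compile(r'(password|secret|token)\s*=\s*"[^"]+"', re.I),
    "backdoor-marker": re.compile(r"//\s*(TODO|FIXME|HACK):?\s*remove before (release|prod)", re.I),
}
PROD_HOSTS = {"api.example.com"}  # assumption: the only hosts a release may call
HOST_RX = re.compile(r'https?://([^/"\s]+)')


def scan_file(path: str, content: str) -> List[Finding]:
    findings: List[Finding] = []
    for n, line in enumerate(content.splitlines(), 1):
        for rule, rx in RULES.items():
            if rx.search(line):
                findings.append(Finding(path, n, rule, line.strip()))
        # Any host outside the production allowlist is extraneous by policy.
        for host in HOST_RX.findall(line):
            if host not in PROD_HOSTS:
                findings.append(Finding(path, n, "non-prod-host", line.strip()))
    return findings


def release_gate(files: Dict[str, str]) -> Tuple[bool, List[Finding]]:
    """Returns (build_may_ship, findings); a single finding blocks release."""
    findings = [f for p, c in files.items() for f in scan_file(p, c)]
    return (not findings), findings


SAMPLE_FILES = {  # constructed Kotlin-like snippets
    "app/src/main/java/NetworkConfig.kt": '\nval BASE_URL = "https://api.example.com/v2"\n'
    'val ADMIN_URL = "https://staging.example.com/internal/admin"  // TODO: remove before release\n',
    "app/src/main/java/Diagnostics.kt": "\nconst val ENABLE_LOGGING = true\n",
}
```

Run `release_gate(SAMPLE_FILES)` in CI and treat any finding as a blocking defect; the allowlist approach catches endpoints a keyword rule would miss.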

Mobile technology has continued to evolve since the list was published in 2016, as have threat actors’ methods. The most dangerous threats to mobile technology should drive revisions that ultimately reshuffle the Top 10 [3] and advise new methods for addressing risk in the areas of insider threat (InsT) and hostile foreign government espionage. Each InsT incident accounts for over $4M in lost revenue per year and takes over eight months to identify and contain. [7] The severity of InsT impact will increase, as nearly one fifth of all InsT incidents stem from mobile endpoints. [8] Hostile foreign governments will continue to sharpen their focus on corporate, industry and state espionage [9] and, via proxies, on targeting mobile app insecurity. [10] Both InsT and hostile espionage demonstrate OWASP’s need to look deeper at the role of adware, spyware, and mobile device telemetry data. Parsing newer, threat-defined aspects of mobile tech risk into OWASP constructs will better inform the ever-growing web of mobile app dependencies supporting work and personal requirements globally.

References:

[1] “OWASP Foundation, the Open Source Foundation for Application Security | OWASP Foundation.” https://owasp.org/ (accessed Sep. 24, 2022).

[2] “OWASP Mobile Application Security | OWASP Foundation.” https://owasp.org/www-project-mobile-app-security/ (accessed Sep. 24, 2022).

[3] “OWASP Mobile Top 10 | OWASP Foundation.” https://owasp.org/www-project-mobile-top-10/ (accessed Sep. 24, 2022).

[4] “M5: Insufficient Cryptography | OWASP Foundation.” https://owasp.org/www-project-mobile-top-10/2016-risks/m5-insufficient-cryptography.html (accessed Sep. 24, 2022).

[5] “M9: Reverse Engineering | OWASP Foundation.” https://owasp.org/www-project-mobile-top-10/2016-risks/m9-reverse-engineering.html (accessed Sep. 24, 2022).

[6] “M10: Extraneous Functionality | OWASP Foundation.” https://owasp.org/www-project-mobile-top-10/2016-risks/m10-extraneous-functionality.html (accessed Sep. 24, 2022).

[7] “Insider Threat Mitigation Resources | CISA.” https://www.cisa.gov/insider-threat-mitigation-resources (accessed Sep. 24, 2022).

[8] “Insider Threat Incidents: Most Commonly Affected Devices,” SEI Blog. https://insights.sei.cmu.edu/blog/insider-threat-incidents-most-commonly-affected-devices/ (accessed Sep. 24, 2022).

[9] “2022 Cyber Security Trends: Ransomware, Extortion, and State Espionage,” Dec. 15, 2021. https://www.globalbankingandfinance.com/2022-cyber-security-trends-ransomware-extortion-and-state-espionage/ (accessed Sep. 24, 2022).

[10] M. Miller, “The spy war in your pocket,” POLITICO. https://politi.co/3akAfbR (accessed Sep. 24, 2022).
