Security Research Department - 2016-035
Mobile Security Trends from the OWASP Mobile Security Project
(Security Research Department, Security Technology Team / 2016.7.14.)

Overview

The OWASP 1) Mobile Security Project 2) recently released the Mobile Top 10 2016 (RC version) 3) and Mobile Application Security (Guide - Client side check) for mobile security; this report introduces their main contents.

Introduction to Mobile Top 10 2016 (RC)

After Mobile Top 10 2014, the main changes were derived from data collection and surveys of mobile security experts, developers and others.
- The result was published as Mobile Top 10 2016 (RC) and is being updated based on feedback (the official version is scheduled for release in 2017).
- Notably, the 2014 item "Weak Server Side Control" was removed, and the single item "Poor Authorization and Authentication" was subdivided into separate authentication and authorization items.

< Changes in the Mobile Top 10, 2014 vs. 2016 >

Item | Mobile Top 10 2014 | Mobile Top 10 2016 (RC)
M1 | Weak Server Side Control | Improper Platform Usage
M2 | Insecure Data Storage | Insecure Data Storage
M3 | Insufficient Transport Layer Protection | Insecure Communication
M4 | Unintended Data Leakage | Insecure Authentication
M5 | Poor Authorization and Authentication | Insufficient Cryptography
M6 | Broken Cryptography | Insecure Authorization
M7 | Client Side Injection | Client Code Quality
M8 | Security Decisions Via Untrusted Inputs | Code Tampering
M9 | Improper Session Handling | Reverse Engineering
M10 | Lack of Binary Protections | Extraneous Functionality

The extent and classification of the detailed changes in each area will only be meaningful once the official version is released.
- Each item selected for Mobile Top 10 2016 (RC) is described as follows.

< Summary of Mobile Top 10 2016 (RC) >

M1 Improper Platform Usage: Problems caused by misuse of a platform feature or failure to apply the platform's security controls. Includes Android intents*, platform permissions, misuse of TouchID, the keychain, or some other security control that is part of the mobile operating system.
  * Intents are used for invocation and message passing between Android components (Activity, ContentProvider, BroadcastReceiver, Service).
M2 Insecure Data Storage: A combination of M2 and M4 from the Top 10 Mobile Risks 2014; covers insecure data storage and unintended data leakage.
M3 Insecure Communication: Includes insufficient handshaking when establishing a session, incorrect SSL versions, incomplete connections, and cleartext transmission of sensitive information.
M4 Insecure Authentication: Covers authentication of the end user and bad session management; includes failing to identify the user, failing to maintain the user's identity, and weak session management.
M5 Insufficient Cryptography: Covers not only whether encryption is applied but also incorrect use of cryptography. Sensitive information must be encrypted; TLS/SSL issues are handled under M3, and a mobile application's failure to apply encryption at all belongs to M2.
M6 Insecure Authorization: Failures of authorization (e.g., client-side authorization decisions, forced browsing). Distinct from authentication problems (e.g., device enrollment, user identification). If the mobile app fails to authenticate users where it should (e.g., granting anonymous access to a resource or service that requires authentication and access permission), that is an authentication failure, not an authorization failure.
M7 Client Code Quality: Code-level implementation problems in the mobile client. Includes buffer overflows, format string vulnerabilities, and various other code-level mistakes in code running on the mobile device (distinct from server-side coding mistakes).
M8 Code Tampering: Includes binary patching, local resource modification, method hooking, method swizzling, and memory modification. An attacker's modification of code or memory, or changing or replacing the system APIs the application uses, can be abused for monetary gain or to alter the purpose of the software.
M9 Reverse Engineering: Includes analysis of the final core binary to determine its source code, libraries, algorithms, and other assets. This can be exploited to expose information about other vulnerabilities in the application as well as back-end servers, cryptographic constants and ciphers, and intellectual property.
M10 Extraneous Functionality: Developers may include hidden backdoor functionality, or security issues internal to the development environment may be included unintentionally. For example, a developer disables two-factor authentication during mobile application testing.

Introduction to the Mobile Application Security Guide (client side)

Presents a mobile application security checklist that developers and penetration testers should consider.
- A 91-item mobile application security checklist giving the vulnerability name, applicable platform, and whether the check is static or dynamic*. **
  * Static check: a test method that finds defects in source code and similar artifacts without running the application. Dynamic check: a test method that finds defects while the application is running.
  ** See [Reference 1] OWASP Mobile Application Security Guide.
The content is similar to the domestic (Korean) financial-sector smartphone guides and countermeasures.
- Notably, the checklist was composed with secure coding and mobile hybrid platforms in mind, and it indicates that static and dynamic checks are needed for the presence of cleartext on communication channels, the validity of cryptographic algorithms, the use of abnormal certificates, and so on.

Conclusion

Mobile Top 10 2016 (RC) shows the latest trends in mobile security, and these are found to be similar to domestic mobile security trends.
- The results of the Mobile Security Project, to be officially released in 2017, should be monitored.
The Mobile Application Security Guide can be used as a security checklist when developing mobile apps and performing penetration tests.
- Development vendors and financial companies that develop or use financial mobile applications should apply it in their own security reviews and reflect the results.

Notes
1) OWASP (The Open Web Application Security Project) is an international web security standards organization; it researches information exposure, malicious files and scripts, and security vulnerabilities affecting major web sites, and publishes the ten major web application vulnerabilities (OWASP Top 10).
2) https://www.owasp.org/index.php/owasp_mobile_security_project#tab=project_overview : classifies security risks and provides security guides so that software developers and security staff can securely manage mobile applications, communications, and so on.
3) RC (Release Candidate) is a review (draft) version, not the official version; it is finalized after an investigation and review process, which is currently in progress. https://www.owasp.org/index.php/mobile_top_10_2016-top_10-1
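The guide above calls for static checks of cleartext channel use, cryptographic algorithm validity and abnormal certificate handling. As an added example (not part of this report and not OWASP's code), the following Python script shows what a minimal static check of that kind looks like: a few regular-expression rules, each approximating one checklist item from [Reference 1] (items 15, 20, 57, 58, 61 and 64), run over a constructed Android manifest fragment and a constructed Java snippet. The rule patterns, the sample inputs and the mapping of each pattern to an item number are assumptions made for illustration; item 61 is listed as a dynamic check in the guide and is only approximated here from the manifest.

```python
"""
Minimal static checker for a few of the guide's client-side checklist items.
Added example (not the report's or OWASP's code): the rule set and the
sample manifest/Java inputs below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Checklist item (number and name as listed in the guide) -> pattern.
# The patterns are deliberately rough text matches; character classes such
# as [^{]* span line breaks, so multi-line constructs (an empty
# checkServerTrusted body, a <provider> tag split over lines) are caught.
# A production analyser would inspect the manifest DOM and the Java AST.
RULES = {
    "15 Debug is set to TRUE":
        re.compile(r'android:debuggable\s*=\s*"true"'),
    "20 Sensitive information sent as clear text":
        re.compile(r'["\']http://'),                    # http:// URL literal
    "57 Allow All Hostname Verifier":
        re.compile(r'ALLOW_ALL_HOSTNAME_VERIFIER'
                   r'|verify\s*\(\s*String\s+\w+\s*,\s*SSLSession\s+\w+\s*\)'
                   r'\s*\{\s*return\s+true\s*;'),
    "58 Ignore SSL Certificate Error":
        re.compile(r'checkServerTrusted\s*\([^)]*\)[^{]*\{\s*\}'),  # empty body
    "61 Leaking Content Provider":
        re.compile(r'<provider\b(?=[^>]*android:exported="true")'
                   r'(?![^>]*android:permission=)[^>]*>'),
    "64 Use of insecure and/or deprecated algorithms":
        re.compile(r'getInstance\(\s*"(?:DES|RC4|MD5|SHA-?1|[A-Za-z0-9]+/ECB/[^"]*)"'),
}


@dataclass(frozen=True)
class Finding:
    rule: str   # checklist item the rule approximates
    line: int   # 1-based line number where the match starts
    text: str   # first line of the matched text, stripped


def scan(source: str) -> List[Finding]:
    """Run every rule over `source` and return findings ordered by line."""
    findings = []
    for rule, pattern in RULES.items():
        for m in pattern.finditer(source):
            line_no = source.count("\n", 0, m.start()) + 1
            first_line = m.group(0).splitlines()[0].strip()
            findings.append(Finding(rule, line_no, first_line))
    return sorted(findings, key=lambda f: (f.line, f.rule))


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per checklist item."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# Constructed sample input: a manifest fragment with a debuggable build and
# one exported provider that lacks a permission (the second one is fine).
SAMPLE_MANIFEST = """\
<application android:debuggable="true">
  <provider android:name=".NotesProvider"
            android:authorities="com.example.notes"
            android:exported="true" />
  <provider android:name=".SafeProvider"
            android:authorities="com.example.safe"
            android:exported="true"
            android:permission="com.example.READ_NOTES" />
</application>
"""

# Constructed sample input: Java that disables hostname verification and
# certificate checking, uses ECB mode, and talks to a cleartext URL.
# The SHA-256 line is a negative case that must not be flagged.
SAMPLE_JAVA = """\
SSLSocketFactory sf = SSLSocketFactory.getSocketFactory();
sf.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
TrustManager tm = new X509TrustManager() {
    public void checkServerTrusted(X509Certificate[] c, String a) { }
    public void checkClientTrusted(X509Certificate[] c, String a) { }
    public X509Certificate[] getAcceptedIssuers() { return null; }
};
Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
MessageDigest md = MessageDigest.getInstance("SHA-256");
String loginUrl = "http://api.example.com/login";
"""

if __name__ == "__main__":
    for name, src in (("AndroidManifest.xml", SAMPLE_MANIFEST),
                      ("LoginClient.java", SAMPLE_JAVA)):
        for f in scan(src):
            print(f"{name}:{f.line}: [{f.rule}] {f.text}")
```

Each finding carries the checklist item it approximates, so the output can be mapped straight onto the 91-item table in [Reference 1] when filling in a review; the dynamic items in that table (session handling, cookie attributes, server fingerprinting) cannot be covered this way and still need the running-application checks the guide describes.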
[Reference 1] Mobile Application Security Guide - Client side check

No | Vulnerability Name | Platform | Classification
1 | Application is Vulnerable to Reverse Engineering Attack/Lack of Code | All | Static
2 | Account Lockout not Implemented | All | Dynamic
3 | Application is Vulnerable to XSS | All |
4 | Authentication bypassed | All | Dynamic
5 | Hard coded sensitive information in Application Code (including Crypt) | All | Static
6 | Malicious File Upload | All | Dynamic
7 | Session Fixation | All | Dynamic
8 | Application does not Verify MSISDN | WAP | Unknown
9 | Privilege Escalation | All | Dynamic
10 | SQL Injection | All |
11 | Attacker can bypass Second Level Authentication | All | Dynamic
12 | Application is vulnerable to LDAP Injection | All | Dynamic
13 | Application is vulnerable to OS Command Injection | All | Dynamic
14 | iOS snapshot/backgrounding Vulnerability | iOS | Dynamic
15 | Debug is set to TRUE | Android | Static
16 | Application makes use of Weak Cryptography | All | Static
17 | Cleartext information under SSL Tunnel | All | Dynamic
18 | Client Side Validation can be bypassed | All | Dynamic
19 | Invalid SSL Certificate | All | Static
20 | Sensitive Information is sent as Clear Text over network/lack of Data | All | Dynamic
21 | CAPTCHA is not implemented on Public Pages/Login Pages | All | Dynamic
22 | Improper or NO implementation of Change Password Page | All | Dynamic
23 | Application does not have Logout Functionality | All | Dynamic
24 | Sensitive information in Application Log Files | All | Dynamic
25 | Sensitive information sent as a querystring parameter | All | Dynamic
26 | URL Modification | All | Dynamic
27 | Sensitive information in Memory Dump | All | Dynamic
28 | Weak Password Policy | All | Dynamic
29 | Autocomplete is not set to OFF | All | Static
30 | Application is accessible on Rooted or Jail Broken Device | All | Dynamic
31 | Back-and-Refresh attack | All | Dynamic
32 | Directory Browsing | All | Chec
33 | Usage of Persistent Cookies | All | Dynamic
34 | Open URL Redirects are possible | All | Dynamic
35 | Improper exception Handling: In code | All | Static
36 | Insecure Application Permissions | All | Static
37 | Application build contains Obsolete Files | All | Static
38 | Certificate Chain is not Validated | All |
39 | Last Login information is not displayed | All | Dynamic
40 | Private IP Disclosure | All | Static
41 | UI Impersonation through RMS file modification [1] | JAVA | Dynamic
42 | UI Impersonation through JAR file modification | Android | Dynamic
43 | Operation on a resource after expiration or release | All | Dynamic
44 | No Certificate Pinning | All | Dynamic
45 | Cached Cookies or information not cleaned after application removal | All | Dynamic
46 | ASLR Not Used | iOS | Static
47 | Clipboard is not disabled | All | Dynamic
48 | Cache smashing protection is not enabled | iOS | Static
49 | Android Backup Vulnerability | Android | Static
50 | Unencrypted Credentials in Databases (sqlite db) | All | Dynamic
51 | Store sensitive information outside App Sandbox (on SDCard) | All | Dynamic
52 | Allow Global File Permission on App Data | Android | Dynamic
53 | Store Encryption Key Locally/Store Sensitive Data in ClearText | All | Dynamic
54 | Bypass Certificate Pinning | All | Dynamic
55 | Third-party Data Transit on Unencrypted Channel | All | Dynamic
56 | Failure to Implement Trusted Issuers | Android | Static
57 | Allow All Hostname Verifier | Android | Static
58 | Ignore SSL Certificate Error | All | Static
59 | Weak Custom Hostname Verifier | Android | Static
60 | App/Web Caches Sensitive Data Leak | All | Dynamic
61 | Leaking Content Provider | Android | Dynamic
62 | Redundancy Permission Granted | Android | Static
63 | Use Spoof-able Values for Authenticating User (IMEI, UDID) | All | Dynamic
64 | Use of Insecure and/or Deprecated Algorithms | All | Static
65 | Local File Inclusion (might be through XSS Vulnerability) | All |
66 | Activity Hijacking | Android | Static
67 | Service Hijacking | Android | Static
68 | Broadcast Thief | Android | Static
69 | Malicious Broadcast Injection | Android | Static
70 | Malicious Activity/Service Launch | Android | Static
71 | Using Device Identifier as Session | All | Dynamic
72 | Symbols Remnant | iOS | Static
73 | Lack of Check-sum Controls/Altered Detection | Android | Dynamic
74 | Insecure permissions on Unix domain sockets | Android | Static
75 | Insecure use of network sockets | Android | Static
76 | Cleartext password in Response | All | Dynamic
77 | Direct Reference to internal resource without authentication | All | Dynamic
78 | Application has NO or improper Session Management/Failure to Invali | All | Dynamic
79 | Cross Domain Scripting Vulnerability | All | Dynamic
80 | Cross Origin Resource Sharing | All | Dynamic
81 | Improper Input Validation - Server Side | All | Dynamic
82 | Detailed Error page shows internal sensitive information | All | Dynamic
83 | Application allows HTTP Methods besides GET and POST | All | Dynamic
84 | Cross Site Request Forgery (CSRF)/SSRF | All | Dynamic
85 | Cacheable HTTPS Responses | All | Dynamic
86 | Path Attribute not set on a Cookie | All | Dynamic
87 | HttpOnly Attribute not set for a cookie | All | Dynamic
88 | Secure Attribute not set for a cookie | All | Dynamic
89 | Application is Vulnerable to Clickjacking/Tapjacking attack | All | Dynamic
90 | Server/OS fingerprinting is possible | All | Dynamic
91 | Lack of Adequate Timeout Protection | All | Dynamic