Top 10 Mobile Risks from 【Hacking Android】
Notes on the ten major mobile security risks described in the book Hacking Android; although the summary is two years old, it still largely holds today.
The following diagram shows the OWASP Top 10 Mobile Risks, which is a list of the top 10 mobile app vulnerabilities.
The following are the top 10 vulnerabilities, and we will have a deeper look into each of them in the following sections:
• M1: Weak Server-Side Controls
• M2: Insecure Data Storage
• M3: Insufficient Transport Layer Protection
• M4: Unintended Data Leakage
  • Leaking content providers
  • Copy/paste buffer caching
  • Logging
  • URL caching
  • Browser cookie objects
  • Analytics data sent to third parties
• M5: Poor Authorization and Authentication
• M6: Broken Cryptography
• M7: Client-Side Injection
• M8: Security Decisions via Untrusted Inputs
  • Injection in WebViews
  • Traditional SQL injection in raw SQL statements used with SQLite databases
  • SQL injection in content providers
  • Path traversal in content providers
• M9: Improper Session Handling (on Android this most often shows up as how tokens are maintained)
• M10: Lack of Binary Protections (obfuscation, hardening)
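As an added illustration of the two content-provider items under M8 (this is not code from the book or from this post): a hypothetical Android NotesProvider whose query() allow-lists the table name and keeps caller input in bound selectionArgs under SQLiteQueryBuilder strict mode, and whose openFile() canonicalizes the requested path and refuses anything that leaves the export directory. NotesDbHelper, the table names and the export directory are assumptions.

```java
import android.content.ContentProvider;
import android.content.ContentValues;
import android.database.Cursor;
import android.database.sqlite.SQLiteOpenHelper;
import android.database.sqlite.SQLiteQueryBuilder;
import android.net.Uri;
import android.os.ParcelFileDescriptor;
import java.io.File;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.util.Arrays;
import java.util.List;

public class NotesProvider extends ContentProvider {
    private static final List<String> TABLES = Arrays.asList("notes", "tags"); // allow-listed table names
    private SQLiteOpenHelper helper; // NotesDbHelper is a hypothetical SQLiteOpenHelper subclass
    private File exportDir;          // the only directory this provider is willing to serve files from

    @Override public boolean onCreate() {
        helper = new NotesDbHelper(getContext());
        exportDir = new File(getContext().getFilesDir(), "exports");
        return true;
    }

    // Vulnerable pattern (do not copy): db.rawQuery("SELECT * FROM " + table + " WHERE " + selection, null)
    // Hardened: the table must be allow-listed, strict mode verifies the caller's selection clause, and
    // the caller's values travel as bound selectionArgs, so they are never spliced into SQL text.
    @Override public Cursor query(Uri uri, String[] projection, String selection,
                                  String[] selectionArgs, String sortOrder) {
        String table = uri.getLastPathSegment();
        if (table == null || !TABLES.contains(table)) {
            throw new IllegalArgumentException("unknown table in URI: " + uri);
        }
        SQLiteQueryBuilder qb = new SQLiteQueryBuilder();
        qb.setTables(table);
        qb.setStrict(true); // the platform's own guard against injection through a caller-supplied selection
        return qb.query(helper.getReadableDatabase(), projection, selection, selectionArgs, null, null, sortOrder);
    }

    // Vulnerable pattern (do not copy): opening new File(exportDir, name) unchecked lets a "../" name
    // walk out of exportDir. Hardened: canonicalize and confirm the result still starts with exportDir.
    @Override public ParcelFileDescriptor openFile(Uri uri, String mode) throws FileNotFoundException {
        String name = uri.getLastPathSegment();
        if (name == null || !"r".equals(mode)) throw new FileNotFoundException("read-only provider, file name required");
        File requested = new File(exportDir, name);
        try {
            if (!requested.getCanonicalPath().startsWith(exportDir.getCanonicalPath() + File.separator))
                throw new FileNotFoundException("path escapes export directory: " + uri);
        } catch (IOException e) { throw new FileNotFoundException("cannot resolve " + uri); }
        return ParcelFileDescriptor.open(requested, ParcelFileDescriptor.MODE_READ_ONLY);
    }

    @Override public String getType(Uri uri) { return "application/octet-stream"; }
    @Override public Uri insert(Uri uri, ContentValues values) { throw new UnsupportedOperationException(); }
    @Override public int update(Uri uri, ContentValues values, String sel, String[] args) { throw new UnsupportedOperationException(); }
    @Override public int delete(Uri uri, String sel, String[] args) { throw new UnsupportedOperationException(); }
}
```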
Of these ten risks, all but M1, which needs a systemic solution, are ones that mobile developers themselves should take seriously and defend against. Security problems have no final fix; the whole industry has to keep uncovering issues and accumulating experience. For some of the main best practices, see: