Mobile CyberSecurity: Quick Access sheet


This post is created to provide a concise collection of resources on specific web application security topics.

OWASP Mobile Top 10 2016 Proposed List

M1 – Improper Platform Usage This category covers misuse of a platform feature or failure to use platform security controls. It might include Android intents, platform permissions, misuse of Touch-ID, the Key-chain, or some other security control that is part of the mobile operating system.
M2 – Insecure Data Storage This new category is a combination of M2 + M4 from Mobile top 10 2014. This covers insecure data storage and unintended data leakage.
M3 – Insecure Communications This covers poor handshaking, incorrect SSL versions, weak negotiation, clear-text communication of sensitive assets, etc…
M4 – Insecure Authentication This category captures notions of authenticating the end user or bad session management. This can include: (1) Failing to identify the user at all when that should be required. (2) Failure to maintain the user’s identity when it is required. (3) Weakness in session management.
M5 – Insufficient Cryptography The code applies cryptography to a sensitive information asset. However, the cryptography is insufficient in some way.
M6 – Insecure Authorization This is a category to capture any failures in authorization (e.g. authorization decision in the client side, forces browsing, etc…). It is distinct from authentication issue (e.g. device enrollment, user identification, etc…). If the app does not authenticate the users at all in a situation where it should (e.g. granting anonymous access to some resources or services when authenticated and authored access is required) then that should be authenticated failure not authorization failure.
M7 – Client Code Quality This was the “the security decision via the untrusted inputs”, one of OWASP lesser used category. This would be the catch-all for code-level implementation problems in the mobile clients.
M8 – Code Tampering This category covers binary patching, local resource modification, method hooking, method swizzling, and dynamic memory modification.
M9 – Reverse Engineering This category includes analysis of the final code binary to determine its source code, libraries, algorithms, and other assets.
M10 – Extraneous Functionality Often, developers include hidden backdoor functionality or other internal development security controls that are not intended to be released into a production environment.

Top Mobile Scanning tools

Portswigger – Burp

Appthority

VeracodeVeracode

Pradeo

Checkmarx

Additional resources

OWASP MOBILE SECURITY PROJECT

ENISA – European Union Agency for Network and Information Security – IoT and smart infrastructures.

ENISA – ONLINE AND MOBILE DATA PROTECTION

GOOGLE – APP SECURITY

HTTP Status Code

NowSecure – SECURE MOBILE DEVELOPMENT

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s