This post is created to provide a concise collection of resources on specific web application security topics.
OWASP Mobile Top 10 2016 Proposed List
|M1 – Improper Platform Usage||This category covers misuse of a platform feature or failure to use platform security controls. It might include Android intents, platform permissions, misuse of Touch-ID, the Key-chain, or some other security control that is part of the mobile operating system.|
|M2 – Insecure Data Storage||This new category is a combination of M2 + M4 from Mobile top 10 2014. This covers insecure data storage and unintended data leakage.|
|M3 – Insecure Communications||This covers poor handshaking, incorrect SSL versions, weak negotiation, clear-text communication of sensitive assets, etc…|
|M4 – Insecure Authentication||This category captures notions of authenticating the end user or bad session management. This can include: (1) Failing to identify the user at all when that should be required. (2) Failure to maintain the user’s identity when it is required. (3) Weakness in session management.|
|M5 – Insufficient Cryptography||The code applies cryptography to a sensitive information asset. However, the cryptography is insufficient in some way.|
|M6 – Insecure Authorization||This is a category to capture any failures in authorization (e.g. authorization decision in the client side, forces browsing, etc…). It is distinct from authentication issue (e.g. device enrollment, user identification, etc…). If the app does not authenticate the users at all in a situation where it should (e.g. granting anonymous access to some resources or services when authenticated and authored access is required) then that should be authenticated failure not authorization failure.|
|M7 – Client Code Quality||This was the “the security decision via the untrusted inputs”, one of OWASP lesser used category. This would be the catch-all for code-level implementation problems in the mobile clients.|
|M8 – Code Tampering||This category covers binary patching, local resource modification, method hooking, method swizzling, and dynamic memory modification.|
|M9 – Reverse Engineering||This category includes analysis of the final code binary to determine its source code, libraries, algorithms, and other assets.|
|M10 – Extraneous Functionality||Often, developers include hidden backdoor functionality or other internal development security controls that are not intended to be released into a production environment.|
Top Mobile Scanning tools
ENISA – European Union Agency for Network and Information Security – IoT and smart infrastructures.
ENISA – ONLINE AND MOBILE DATA PROTECTION