| | Native App | Web App | Hybrid App |
|---|---|---|---|
| Design | For specific devices | Not device-optimized | Good for the device it is running on |
| Graphics | Native APIs | HTML, Canvas, SVG | HTML, Canvas, SVG |
| Performance | Fast, reliable, responsive design | Slow | Slow |
| Native look and feel | Native | Emulated | Emulated |
| Distribution | App store distribution | Web | App store distribution |
| Experience | Consistent with the platform look and feel | Browser-based user experience | UI browser elements might not be aligned with native UI elements |
| DEVICE BUILT-IN COMPONENTS | | | |
| Notifications | Yes – push notification | No | Yes |
| Offline storage | Secure file storage | Shared SQL | Secure file storage, shared SQL |
| Connectivity | Online and offline | Mostly online | Online and offline |
| Development skills | C, Java, .Net | HTML5, CSS, JavaScript | HTML5, CSS, JavaScript |
| GO TO MARKET | | | |
| Launch | Slow time to market | Fast to market | Medium time to market |
| Update | Medium time to market | Instant update | Medium time to market |
This post is created to provide a concise collection of resources on specific web application security topics.
| Category | Description |
|---|---|
| M1 – Improper Platform Usage | This category covers misuse of a platform feature or failure to use platform security controls. It might include Android intents, platform permissions, misuse of Touch ID, the Keychain, or some other security control that is part of the mobile operating system. |
| M2 – Insecure Data Storage | This new category is a combination of M2 + M4 from the Mobile Top 10 2014. It covers insecure data storage and unintended data leakage. |
| M3 – Insecure Communication | This covers poor handshaking, incorrect SSL versions, weak negotiation, clear-text communication of sensitive assets, etc. |
| M4 – Insecure Authentication | This category captures notions of authenticating the end user or bad session management. This can include: (1) failing to identify the user at all when that should be required; (2) failure to maintain the user’s identity when it is required; (3) weaknesses in session management. |
| M5 – Insufficient Cryptography | The code applies cryptography to a sensitive information asset. However, the cryptography is insufficient in some way. |
| M6 – Insecure Authorization | This category captures any failures in authorization (e.g. authorization decisions made on the client side, forced browsing, etc.). It is distinct from authentication issues (e.g. device enrollment, user identification, etc.). If the app does not authenticate the user at all in a situation where it should (e.g. granting anonymous access to some resource or service when authenticated and authorized access is required), that is an authentication failure, not an authorization failure. |
| M7 – Client Code Quality | This was “Security Decisions Via Untrusted Inputs”, one of OWASP’s lesser-used categories. It is the catch-all for code-level implementation problems in the mobile client. |
| M8 – Code Tampering | This category covers binary patching, local resource modification, method hooking, method swizzling, and dynamic memory modification. |
| M9 – Reverse Engineering | This category includes analysis of the final code binary to determine its source code, libraries, algorithms, and other assets. |
| M10 – Extraneous Functionality | Often, developers include hidden backdoor functionality or other internal development security controls that are not intended to be released into a production environment. |
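As an added illustration of M3 (this is example code, not part of the original post or of OWASP's material), a small audit of a client TLS configuration in Python: the weak context reproduces the version and verification mistakes the category names, the hardened context shows the settings a mobile client should enforce before sending sensitive data. The TLS 1.2 floor and the finding labels are this example's own choices.

```python
import ssl

# Assumed policy for this example: a client must verify the server certificate,
# check the hostname, and refuse anything older than TLS 1.2.
MIN_VERSION = ssl.TLSVersion.TLSv1_2


def audit_tls_context(ctx: ssl.SSLContext) -> list:
    """Return the M3-style weaknesses present in a client SSLContext.

    Labels returned: "legacy-tls-allowed", "no-cert-verification",
    "no-hostname-check" (an empty list means the context passes).
    """
    findings = []
    if ctx.minimum_version < MIN_VERSION:
        # "incorrect SSL versions / weak negotiation": a downgrade to
        # TLS 1.0/1.1 is accepted if the server offers it
        findings.append("legacy-tls-allowed")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        # any certificate (or a man-in-the-middle's) is accepted
        findings.append("no-cert-verification")
    if not ctx.check_hostname:
        # a valid certificate for the wrong host is accepted
        findings.append("no-hostname-check")
    return findings


def weak_client_context() -> ssl.SSLContext:
    """The 'before' case: verification switched off, legacy TLS allowed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """The corrected case: system trust store, hostname check, TLS 1.2 floor."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = MIN_VERSION
    return ctx


if __name__ == "__main__":
    print("weak:", audit_tls_context(weak_client_context()))
    print("hardened:", audit_tls_context(hardened_client_context()))
```

The same audit can be run against any SSLContext an app builds, e.g. one handed to `http.client.HTTPSConnection`, to catch M3 regressions in a test suite.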
Top Mobile Scanning tools
A short list of notable Google/Android enhancements to be released this fall.
Android Instant Apps
A deep-linking feature that lets the user access content within an app without downloading the app to the device. Will be available from KitKat to Android N.
Split-Screen multi-window mode
Two apps can be snapped to occupy halves of the screen.
Bundled Notifications & Direct Reply
Notification cards will be grouped together if they come from the same app.
Doze Mode 2.0
Background tasks will be limited when the phone is on standby to save battery life.
Google Machine Learning Integration
Google Assistant (Google Home) – based on voice-search technology, to produce a more natural, contextualized two-way conversation.
Allo – new messaging app, based on Rich Communication Services, with Google Assistant support and Smart Unique Ambient reply. Also works in Incognito mode (end-to-end encryption).
Duo – new video-calling app, based on Rich Communication Services and Google's Knock Knock technology.
Available on all Android versions, from KitKat to Android N, and iOS
Android Wear 2.0
A new rich platform supporting wearable technology.
Personalized Watch Faces from all available Apps.
Standalone technology – you won't need to take the phone with you.
Also syncs with iPhone.
Google Virtual Reality Daydream
A smartphone platform to provide high quality virtual reality.
To be used with a headset and controller.
Partners: The New York Times, WSJ, CNN and USA Today.