Mobile Web App vs. Native App

Design For specific devices No device-optimized Good for the device it is running in
Graphics Native APIs HTML, Canvas, SVG HTML, Canvas, SVG
Performance Fast, reliable, responsive design Slow Slow
Native Look and Fell Native Emulated Emulated
Distribution AppStore Distribution Web AppStore Distribution
Experience Consistent with the platform look and fell Browser based user experience UI browser elements might not be aligned to native UI elements
Camera Yes No Yes
Notifications Yes – Push Notification No Yes
Contact, calendars Yes No Yes
Offline storage Secure file storage Shared SQL Secure file storage, Shared SQL
Geolocation Yes No Yes
Swipe Yes Yes Yes
Pinch, spread Yes No Yes
Connectivity Online and Offline Mostly Online Online and offline
Development Skills C, Java, .Net HTML 5, CSS, Java Scripts HTML 5, CSS, Java Scripts
Launch Slow time to market Fast to market Mediun time to market
Update Mediun time to market Instant Update Mediun time to market

Mobile CyberSecurity: Quick Access sheet

This post is created to provide a concise collection of resources on specific web application security topics.

OWASP Mobile Top 10 2016 Proposed List

M1 – Improper Platform Usage This category covers misuse of a platform feature or failure to use platform security controls. It might include Android intents, platform permissions, misuse of Touch-ID, the Key-chain, or some other security control that is part of the mobile operating system.
M2 – Insecure Data Storage This new category is a combination of M2 + M4 from Mobile top 10 2014. This covers insecure data storage and unintended data leakage.
M3 – Insecure Communications This covers poor handshaking, incorrect SSL versions, weak negotiation, clear-text communication of sensitive assets, etc…
M4 – Insecure Authentication This category captures notions of authenticating the end user or bad session management. This can include: (1) Failing to identify the user at all when that should be required. (2) Failure to maintain the user’s identity when it is required. (3) Weakness in session management.
M5 – Insufficient Cryptography The code applies cryptography to a sensitive information asset. However, the cryptography is insufficient in some way.
M6 – Insecure Authorization This is a category to capture any failures in authorization (e.g. authorization decision in the client side, forces browsing, etc…). It is distinct from authentication issue (e.g. device enrollment, user identification, etc…). If the app does not authenticate the users at all in a situation where it should (e.g. granting anonymous access to some resources or services when authenticated and authored access is required) then that should be authenticated failure not authorization failure.
M7 – Client Code Quality This was the “the security decision via the untrusted inputs”, one of OWASP lesser used category. This would be the catch-all for code-level implementation problems in the mobile clients.
M8 – Code Tampering This category covers binary patching, local resource modification, method hooking, method swizzling, and dynamic memory modification.
M9 – Reverse Engineering This category includes analysis of the final code binary to determine its source code, libraries, algorithms, and other assets.
M10 – Extraneous Functionality Often, developers include hidden backdoor functionality or other internal development security controls that are not intended to be released into a production environment.

Top Mobile Scanning tools

Portswigger – Burp





Additional resources


ENISA – European Union Agency for Network and Information Security – IoT and smart infrastructures.



HTTP Status Code


Android N – pre-release notes

A short list of noticeable Google/Android enhancements to be released this fall.

Android Instant Apps

A deep linking functionality that allows the user to access the content within an app, without downloading the app on the user device. Will be available from KitKat to Android N.


Split-Screen multi-window mode

Two Apps can be snapped to occupy halves of the screen


Bundled Notifications & Direct Reply

Notifications cards will be grouped together if they are from the same app.

Doze Mode 2.0

Background tasks will be limited when the phone is on stand-by to saving battery life.

Google Machine Learning Integration

Google Assistant (Google Home) – based on voice search technology to produce a more natural contextualized two way conversation.

ALLO – New Communication Messaging app, based on Rich Communication Services, Google Assistant support, Smart Unique Ambient reply. Works also in Incognito Mode (e2e encryption).

DUO – New Communication Video Calling App: based on Rich Communication Services and Google instant knot-knot technology.

Available on all Android versions, from KitKat to Android N, and iOS

Android Wear 2.o

A new rich platform supporting wearable technology.

Personalized Watch Faces from all available Apps.

Standalone technology – won’t need to take the phone with you.

Also sync with iPhone.

Google Virtual Reality Daydream

A smartphone platform to provide high quality virtual reality.

To be used with headset and Controller

Partner: The New York Times, WSJ, CNN and USA Today.