Mobile Security

Mobile Top 10 Risk @2016 From OWASP

@DyanGalih

OWASP?

OWASP (Open Web Application Security Project) is an organization that provides unbiased, practical and cost-effective information about computer and Internet application security.

Improper Platform Usage

  • misuse of a platform feature or failure to use platform security controls
  • Android intents
  • platform permissions
  • misuse of TouchID
  • the Keychain

Insecure Data Storage

  • This covers insecure data storage and unintended data leakage
  • Authentication Issue

Insecure Communication

  • poor handshaking
  • incorrect SSL versions
  • weak negotiation
  • cleartext communication of sensitive assets
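As an added example (not part of the slides), a Java helper usable on Android or the JVM that addresses the four bullets above: it refuses cleartext URLs, restricts the negotiated protocol to TLS 1.2/1.3, and keeps the platform's default certificate and hostname checks intact; the class and method names are my own.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.net.URL;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/** Hardened HTTPS connection setup (hypothetical helper, not from the slides). */
public final class TlsClient {
    private static final String[] PROTOCOLS = {"TLSv1.2", "TLSv1.3"};

    /** Wraps the platform socket factory so every socket it hands out is locked to
     *  modern TLS and verifies the certificate against the host name in the handshake. */
    static final class StrictSocketFactory extends SSLSocketFactory {
        private final SSLSocketFactory inner;
        StrictSocketFactory(SSLSocketFactory inner) { this.inner = inner; }

        private Socket harden(Socket s) {
            SSLSocket ssl = (SSLSocket) s;
            ssl.setEnabledProtocols(PROTOCOLS);            // no SSLv3 / TLS 1.0 / TLS 1.1 fallback
            SSLParameters p = ssl.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("HTTPS"); // RFC 2818 host name check (API 24+ on Android)
            ssl.setSSLParameters(p);
            return ssl;
        }
        @Override public String[] getDefaultCipherSuites() { return inner.getDefaultCipherSuites(); }
        @Override public String[] getSupportedCipherSuites() { return inner.getSupportedCipherSuites(); }
        @Override public Socket createSocket(Socket s, String h, int port, boolean autoClose) throws IOException { return harden(inner.createSocket(s, h, port, autoClose)); }
        @Override public Socket createSocket(String h, int port) throws IOException { return harden(inner.createSocket(h, port)); }
        @Override public Socket createSocket(String h, int port, InetAddress la, int lp) throws IOException { return harden(inner.createSocket(h, port, la, lp)); }
        @Override public Socket createSocket(InetAddress a, int port) throws IOException { return harden(inner.createSocket(a, port)); }
        @Override public Socket createSocket(InetAddress a, int port, InetAddress la, int lp) throws IOException { return harden(inner.createSocket(a, port, la, lp)); }
    }

    /** Opens a connection only over HTTPS; a cleartext URL for a sensitive asset is rejected outright. */
    public static HttpsURLConnection open(String url) throws IOException {
        URL u = new URL(url);
        if (!"https".equalsIgnoreCase(u.getProtocol())) {
            throw new IOException("cleartext transport refused for " + url);
        }
        HttpsURLConnection c = (HttpsURLConnection) u.openConnection();
        // Default factory = platform trust store; never install a trust-all TrustManager
        // or a HostnameVerifier that returns true, which would defeat the handshake.
        c.setSSLSocketFactory(new StrictSocketFactory((SSLSocketFactory) SSLSocketFactory.getDefault()));
        return c;
    }
}
```

On Android the cleartext rule is better expressed declaratively as well (Network Security Config with cleartext traffic disabled), so the code check acts as a second line of defence.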

Insecure Authentication

  • Failing to identify the user at all when that should be required
  • Failure to maintain the user's identity when it is required
  • Weaknesses in session management

Insufficient Cryptography

  • This category is for issues where cryptography was attempted, but it wasn't done correctly.
  • Overlaps with the Insecure Communication issue
  • Overlaps with the Insecure Data Storage issue

Insecure Authorization

  • Use authentication method for private activity
  • Use authentication method for private data

Client Code Quality

  • Security Decisions Via Untrusted Inputs
  • Buggy Code

Code Tampering

  • binary patching
  • local resource modification
  • method hooking
  • method swizzling
  • dynamic memory modification

Reverse Engineering

  • analysis of the final core binary to determine its source code
  • libraries
  • algorithms

Any Question?