Mobile Security

Piumi Maheshika
Nov 3, 2019


Photo by — https://www.pexels.com/

The rise of mobile devices, and of publishing mobile applications for business or personal use, is today's trend. Securing a mobile application is an essential part of mobile application development, yet it is often neglected, perhaps because of a lack of awareness of the basics of mobile security.

In this series of posts, let's talk about mobile security and how to design a secure mobile architecture.

CIA

What is CIA? Confidentiality, Integrity and Availability: the three properties that security controls exist to protect.

  • Confidentiality: protecting the secrecy and privacy of information. Taking measures to ensure information does not reach the wrong hands or unauthorized entities, but reaches only the legitimate users who are authorized to view it.
  • Integrity: protecting the accuracy, consistency and trustworthiness of information throughout its flow. It ensures data is not improperly modified, altered or tampered with.
  • Availability: ensuring that systems and data can be accessed whenever they are required.

Basic Terms in Security

  • Threat: a potential danger to the system (an actor or event that could cause harm).
  • Vulnerability: a flaw or weakness in the system that could lead to a security breach.
  • Risk: the likelihood that a threat exploits a particular vulnerability, combined with the impact if it does.
  • Control: a countermeasure that acts to prevent or minimize the losses associated with a threat being realized.

OWASP Mobile Top 10 (2016)

Below are the top 10 risks in mobile application security according to the OWASP Mobile Top 10 2016.

  • M1: Improper Platform Usage: misuse of a platform feature or failure to use the platform's security controls (permissions, keychain/keystore, intents, and similar).
  • M2: Insecure Data Storage: insecure data storage and unintended data leakage on the device (preferences files, databases, logs, caches, backups).
  • M3: Insecure Communication: poor handshaking, deprecated SSL/TLS versions, weak negotiation, and cleartext communication of sensitive assets.
  • M4: Insecure Authentication: failing to identify the user at all when that should be required, failing to maintain the user's identity when it is required, or weaknesses in session management.
  • M5: Insufficient Cryptography: cases where cryptography was attempted but was not done correctly (weak algorithms, hard-coded keys, home-grown schemes).
  • M6: Insecure Authorization: any failure in authorization (e.g. authorization decisions made on the client side, forced browsing to objects the user does not own).
  • M7: Client Code Quality: any code-level problem in the mobile client (e.g. buffer overflows, format string vulnerabilities, other code-level mistakes).
  • M8: Code Tampering: an attacker directly modifies the code, changes the contents of memory dynamically, changes or replaces the system APIs the application uses, or modifies the application's data and resources (e.g. binary patching, local resource modification, method hooking, method swizzling, dynamic memory modification).
  • M9: Reverse Engineering: analysis of the final core binary to determine its source code, libraries, algorithms and other assets.
  • M10: Extraneous Functionality: hidden backdoor functionality or other internal development security controls that are not intended to be released into a production environment (e.g. disabling two-factor authentication during testing).
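As an added example (not code from the original post), here is a miniature backend for a mobile app's API that shows M4, M5 and M6 from the list above, with the insecure version of each piece next to the fixed one. It is written in Python rather than Swift or Kotlin because the fixes for these three items are enforced on the server regardless of the mobile platform. The endpoint names, the invoice records and the admin list are constructed for illustration, and the server key is generated in-process only so the script runs on its own; a real deployment would load it from a secrets store.

```python
import hashlib
import hmac
import secrets
import time

# ---- M5: Insufficient cryptography ------------------------------------
# Vulnerable: the "session token" is an unkeyed MD5 of predictable fields.
# Anyone who knows a user id and roughly when they logged in can compute it.
def make_token_insecure(user_id, issued_at):
    return hashlib.md5(f"{user_id}:{issued_at}".encode()).hexdigest()

# Fixed: a server-held random key and an HMAC tag over the token body.
# The body carries the user id and an expiry; the tag proves the server
# issued it and that nothing was altered on the device or in transit.
SERVER_KEY = secrets.token_bytes(32)   # illustrative only; load from a secrets store in practice

def make_token(user_id, ttl=3600, now=None, key=SERVER_KEY):
    """Issue 'user_id.expiry.hmac_hex'; `now` is injectable for testing."""
    exp = int(time.time() if now is None else now) + ttl
    body = f"{user_id}.{exp}"
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"

def verify_token(token, now=None, key=SERVER_KEY):
    """Return the user id for a valid, unexpired token, else None."""
    try:
        uid, exp, tag = token.split(".")
    except ValueError:                      # wrong number of fields
        return None
    expected = hmac.new(key, f"{uid}.{exp}".encode(), hashlib.sha256).hexdigest()
    # compare_digest is constant-time, so the tag cannot be guessed byte by byte
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return None
    if int(exp) < int(time.time() if now is None else now):
        return None                         # M4: sessions must actually expire server-side
    return int(uid)

# ---- M6: Insecure authorization ----------------------------------------
# Constructed sample data: invoice id -> record, plus the set of admin user ids.
INVOICES = {101: {"owner": 1, "amount": 49.0}, 102: {"owner": 2, "amount": 1200.0}}
ADMINS = {99}

def get_invoice_insecure(request):
    """Identity and privilege come from client-controlled JSON fields, so a
    modified app (or anyone with an intercepting proxy) can send is_admin=True
    or any user_id; the invoice_id lookup is open to forced browsing."""
    inv = INVOICES.get(request["invoice_id"])
    if inv is None:
        return {"status": 404}
    if request.get("is_admin") or request.get("user_id") == inv["owner"]:
        return {"status": 200, "invoice": inv}
    return {"status": 403}

def get_invoice(request, now=None):
    """Identity comes only from the verified token, the role only from
    server-side state, and ownership is checked on every object access."""
    uid = verify_token(request.get("token", ""), now=now)
    if uid is None:
        return {"status": 401}
    inv = INVOICES.get(request["invoice_id"])
    if inv is None:
        return {"status": 404}
    if uid in ADMINS or inv["owner"] == uid:
        return {"status": 200, "invoice": inv}
    return {"status": 403}                  # authenticated, but not this invoice's owner

if __name__ == "__main__":
    forged = {"user_id": 1, "is_admin": True, "invoice_id": 102}
    print("insecure endpoint, forged is_admin:", get_invoice_insecure(forged)["status"])        # 200
    t = make_token(1)
    print("fixed endpoint, user 1 reads invoice 102:", get_invoice({"token": t, "invoice_id": 102})["status"])  # 403
    print("fixed endpoint, user 1 reads invoice 101:", get_invoice({"token": t, "invoice_id": 101})["status"])  # 200
    print("fixed endpoint, tampered token:", get_invoice({"token": "2" + t[1:], "invoice_id": 102})["status"])  # 401
```

The token scheme here is a deliberately small stand-in for what a production app would get from a vetted library (a signed JWT or an opaque server-side session); the points it demonstrates carry over unchanged: the client never decides who it is or what role it has, every check uses a key only the server holds, and every object access is authorized against the authenticated identity. One refinement worth considering is returning 404 instead of 403 for invoices the caller does not own, so that forced-browsing attempts cannot enumerate which ids exist.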

Source: https://www.owasp.org/index.php/Mobile_Top_10_2016-Top_10

Stay Tuned for iOS App Security….
