Let me introduce OWASP (the Open Web Application Security Project), a worldwide not-for-profit charitable organization focused on improving the security of software.
They study the security of software in general, not only web or mobile apps, and their site contains tons of useful information for anyone interested in security testing.
Today I would like to talk about one of their projects, the OWASP Mobile Security Project.
As the name suggests, it covers the security of mobile operating systems (such as Android or iOS), mobile applications, and the devices themselves.
OWASP has defined a Top 10 of Mobile Risks that apply to any mobile platform:
They have also provided a comprehensive description of each risk, so if you are curious about what each one means, follow the links below:
- M1: Weak Server Side Controls
- M2: Insecure Data Storage
- M3: Insufficient Transport Layer Protection
- M4: Unintended Data Leakage
- M5: Poor Authorization and Authentication
- M6: Broken Cryptography
- M7: Client Side Injection
- M8: Security Decisions Via Untrusted Inputs
- M9: Improper Session Handling
- M10: Lack of Binary Protections
A full description of the risks, including examples of vulnerable code, is also available in this presentation: Owasp_top_10_mobile_risks.pdf
In addition, OWASP maintains and distributes a checklist for walking through the system under test, which can be used in day-to-day work: OWASP Mobile App Checklist v1.0.pdf