By Ahmed Samara
Information Security Engineer
Security-Meter
• Definitions
• Why is Mobile Security Important?
• How Secure Are You?
• Mobile Malware History
• Mobile Security Components
• OWASP Overview
• OWASP Mobile Top 10 Risks
• Live Demo on Most Dangerous Vulnerabilities
• Security-Meter was founded in 2009 to help organizations secure their
journey; our sole concern is your security and the prevention of cyber
security attacks.
• Asset [People, property, information, source code, DB]
• Vulnerability
• SQL Injection [embedding untrusted input into raw SQL statements]
• XSS [injecting JavaScript through untrusted input]
• Exploit
• Threat [anything that can exploit a vulnerability, intentionally or
accidentally, and obtain, damage, or destroy an asset]
• Risk = Asset * Threat * Vulnerability
• [BYOD] Bring Your Own Device
• Refers to the policy of permitting employees to bring personally
owned mobile devices (laptops, tablets, and smart phones) to
their workplace
• The main Mobile components are:
• Device Hardware: smart phones, tablets, and set-top-boxes.
• Operating System: the component through which all device resources
(camera functions, GPS data, Bluetooth functions, telephony functions,
network connections, etc.) are accessed.
• Mobile Application
• The OWASP Foundation came online on December 1st, 2001; it was
established as a not-for-profit organization in the United States.
• Insecure coding practices
• Attack vectors generally leading to the traditional OWASP Top 10
• Poor Web Services Hardening: weak authentication, weak or no
session management, default content
• SQL Injection, CSRF, XSS, etc.
• Use the mobile app to attack the server
• Main Rule of Mobile Apps
• Do not store data
• Local files on the device:
• SQLite DB files
• Plist files – iOS
• XML files
• Log files
• Insecure data permissions:
• Example: Skype contact data permissions
• “10% of apps fail doing SSL cert validation” (CERT) – HTTPS (TLS or
SSL)
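The certificate-validation failure quoted above is, in code terms, a client that has been told to accept any certificate so that a TLS error goes away. As an added example that is not part of the original slides, the following Python uses the standard library's `ssl.SSLContext` (the equivalent of the TrustManager or URLSession delegate decisions made in mobile code) to show the broken configuration beside the hardened one, and an audit function that reports what is wrong, without opening any network connection.

```python
"""Check whether a TLS client configuration actually validates certificates.

Added example, not from the slides: the insecure and hardened contexts
below are constructed for illustration; no connection is made.
"""
import ssl


def insecure_context() -> ssl.SSLContext:
    """The 'make the error go away' configuration: accepts any certificate."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Verifies the chain against the system trust store, checks the
    hostname, and refuses protocol versions below TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return human-readable findings; an empty list means the context passes."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol floor below TLS 1.2")
    return findings


if __name__ == "__main__":
    print("insecure:", audit_context(insecure_context()))
    print("hardened:", audit_context(hardened_context()))
```

The audit is the check a reviewer would run against any place an app builds its own TLS settings; a context that is only used for test servers still fails it, which is the point: there should be no such context in a release build.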
• Unintended data leakage occurs when a developer accidentally
places sensitive data in a location on the mobile device that can
be accessed by other apps or through physical access.
• Example – Insecure Log: some apps store their own logs in a local
folder; logs can contain important events such as user login details,
credit card numbers, and passwords.
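To make the insecure-log risk concrete, here is an added example (not code from the slides) that runs over a few constructed log lines of the kind a debug build might write: a scanner that finds credentials, bearer tokens and card numbers (card candidates are confirmed with the Luhn checksum so ordinary numbers are not flagged), and a redactor that masks those values before a line reaches the log file. The sample lines and every value in them are invented.

```python
"""Detect and redact sensitive data in mobile-app log lines.

Added example, not from the original slides. The log lines below are
constructed; none of the credentials or card numbers are real.
"""
import re

SAMPLE_LOG_LINES = [
    "2024-01-01 10:00:01 D/LoginActivity: login user=alice password=Summer2024!",
    "2024-01-01 10:00:02 D/PaymentActivity: charging card 4111111111111111 exp 12/27",
    "2024-01-01 10:00:03 I/SyncService: sync finished, 12 items",
    "2024-01-01 10:00:04 D/Api: Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.abc",
]

CREDENTIAL_RE = re.compile(r"\b(password|passwd|pwd|pin)=(\S+)", re.IGNORECASE)
BEARER_RE = re.compile(r"\bBearer\s+([A-Za-z0-9._\-]+)")
# 13 to 19 digits, optionally separated by spaces or dashes, ending on a digit
CARD_CANDIDATE_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, used to tell card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_leaks(line: str) -> list:
    """Return (kind, value) pairs for every sensitive value in one log line."""
    leaks = []
    for m in CREDENTIAL_RE.finditer(line):
        leaks.append(("credential", m.group(2)))
    for m in BEARER_RE.finditer(line):
        leaks.append(("token", m.group(1)))
    for m in CARD_CANDIDATE_RE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            leaks.append(("card", digits))
    return leaks


def redact(line: str) -> str:
    """Mask the sensitive values so the line is safe to write to a log."""
    line = CREDENTIAL_RE.sub(lambda m: f"{m.group(1)}=[REDACTED]", line)
    line = BEARER_RE.sub("Bearer [REDACTED]", line)

    def mask_card(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            return "*" * (len(digits) - 4) + digits[-4:]  # keep last four only
        return m.group(0)

    return CARD_CANDIDATE_RE.sub(mask_card, line)


def scan(lines) -> dict:
    """Map line index -> leak list, only for lines that leak something."""
    result = {}
    for i, line in enumerate(lines):
        leaks = find_leaks(line)
        if leaks:
            result[i] = leaks
    return result


if __name__ == "__main__":
    for i, leaks in scan(SAMPLE_LOG_LINES).items():
        print(i, leaks)
        print("   ->", redact(SAMPLE_LOG_LINES[i]))
```

Wiring `redact` into the app's logging layer is the mitigation; running `scan` over a device's log directory during a test pass is the detection, and a non-empty result is a finding even if the log is never shipped anywhere, because the slides' point is that the file is readable on the device itself.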
• The server code does not verify that the incoming request is
associated with a known user, so an anonymous attacker can execute
requests.
• Strong passwords are hard to enter on a mobile device, so short
passwords (4-digit PINs) are often used.
• Usage of a broken or risky cryptographic algorithm (RC2, MD4,
SHA1, Base64)
• Encoding != Encryption
• What’s wrong with this code?
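The code on that slide did not survive extraction, but the two preceding points (risky algorithms such as Base64 and SHA-1, and encoding not being encryption) can be shown directly. The following is an added example, not the slides' code: it demonstrates that a Base64-"protected" secret is recovered by anyone holding the file, that an unsalted SHA-1 password hash is defeated by a plain lookup against a tiny constructed wordlist, and what a salted, iterated PBKDF2-HMAC-SHA256 hash from the standard library looks like by contrast. The iteration count is the figure OWASP's Password Storage Cheat Sheet gives for PBKDF2-HMAC-SHA256; the wordlist and secrets are invented.

```python
"""Encoding is not encryption, and a bare fast hash is not a password store.

Added example, not from the slides. All secrets and the wordlist below
are constructed for illustration.
"""
import base64
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000   # OWASP Password Storage Cheat Sheet figure for PBKDF2-HMAC-SHA256
COMMON_PASSWORDS = ["123456", "password", "qwerty", "111111"]  # constructed wordlist


def obfuscate_with_base64(secret: str) -> str:
    """What a naive app does to 'hide' a credential in prefs or a plist."""
    return base64.b64encode(secret.encode()).decode()


def recover_from_base64(blob: str) -> str:
    """Anyone with the file recovers the secret: no key was ever involved."""
    return base64.b64decode(blob).decode()


def weak_sha1_hash(password: str) -> str:
    """Unsalted, single-round SHA-1: equal passwords give equal digests."""
    return hashlib.sha1(password.encode()).hexdigest()


def crack_weak_hash(digest: str, wordlist=COMMON_PASSWORDS):
    """Lookup that works against an unsalted fast hash: hash each common
    password once and compare. Returns the password or None."""
    for candidate in wordlist:
        if weak_sha1_hash(candidate) == digest:
            return candidate
    return None


def hash_password(password: str, salt: bytes = None) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256; the string carries its own
    parameters so they can be raised later without breaking verification."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), dk.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iterations; constant-time compare."""
    try:
        algo, iterations, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    blob = obfuscate_with_base64("api-key-1234")
    print(blob, "->", recover_from_base64(blob))
    print("sha1 lookup:", crack_weak_hash(weak_sha1_hash("qwerty")))
    stored = hash_password("qwerty")
    print("pbkdf2:", stored[:40], "...", verify_password("qwerty", stored))
```

Two identical passwords produce two different PBKDF2 strings because each gets its own salt, so a leaked table cannot be attacked by lookup; with the SHA-1 variant, identical passwords are visible at a glance.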
• Mobile malware or other malicious apps may perform a binary
attack
• SQL Injection, XSS
• Inter-Process Communication (IPC) mechanism: a unique aspect of the
Android system design is that any application can start another
application’s components.
• iOS – bypass URL Schemes
• Example: Skype iOS URL scheme handling issue:
• Ensure that all session invalidation events are executed on the
server side.
• Any mobile app you create must have timeout protection on the
backend components.
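The two backend requirements above (session invalidation on the server, and timeout protection) and the earlier point that the server must verify every request is associated with a known user are one piece of design. The following is an added example, not the slides' code: a server-side session store where the app holds only an opaque random token, the server decides whether that token is still bound to a user, sessions expire on idle and absolute limits, and logout or a password change destroys the session on the server so a token the app still remembers is useless. The clock is injectable so the timeouts can be demonstrated without waiting; the timeout values are assumptions chosen for the example.

```python
"""Server-side session handling for a mobile backend.

Added example, not taken from the slides or any product. Timeout values
are assumptions for illustration.
"""
import secrets
import time
from dataclasses import dataclass

IDLE_TIMEOUT = 15 * 60       # seconds of inactivity before a session dies (assumption)
ABSOLUTE_TIMEOUT = 8 * 3600  # hard cap regardless of activity (assumption)


class ManualClock:
    """Deterministic clock so timeouts can be demonstrated without sleeping."""

    def __init__(self, start: float = 0.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


@dataclass
class Session:
    user: str
    created: float
    last_seen: float


class SessionStore:
    """All session state lives here, on the server; the app only holds an
    opaque random token (256 bits, so guessing is not a realistic path)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}

    def login(self, user: str) -> str:
        token = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[token] = Session(user, now, now)
        return token

    def logout(self, token: str) -> None:
        """Invalidation happens here, not by the app 'forgetting' the token."""
        self._sessions.pop(token, None)

    def logout_all(self, user: str) -> int:
        """Kill every session of a user, e.g. after a password change."""
        doomed = [t for t, s in self._sessions.items() if s.user == user]
        for t in doomed:
            del self._sessions[t]
        return len(doomed)

    def authenticate(self, token: str):
        """Return the user bound to a live token, or None if unknown or expired."""
        s = self._sessions.get(token)
        if s is None:
            return None
        now = self._clock()
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created > ABSOLUTE_TIMEOUT:
            del self._sessions[token]   # expired: remove it server-side
            return None
        s.last_seen = now
        return s.user


def handle_request(store: SessionStore, token, action: str):
    """The check the slides say is missing: refuse anything that is not
    tied to a known user before doing any work."""
    if not token:
        return 401, "missing session"
    user = store.authenticate(token)
    if user is None:
        return 401, "invalid or expired session"
    return 200, f"{user} performed {action}"


if __name__ == "__main__":
    clock = ManualClock(1000.0)
    store = SessionStore(clock=clock)
    tok = store.login("alice")
    print(handle_request(store, tok, "read"))
    clock.advance(IDLE_TIMEOUT + 1)
    print(handle_request(store, tok, "read"))   # idle limit passed
```

The design choice worth noting is that nothing about validity is derived from the token itself: there is no expiry encoded in it for the client to tamper with, and the server can revoke at any time because it holds the only record.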
• Any mobile app can be analyzed, reverse-engineered, and modified;
it is extremely common for apps to be deployed without binary
protection.
• Example of APK manipulation (APK Icon Editor, APK Editor, APK
Studio)
Realizing Business Value From Security Investment

Menofia UN -Mobile Security
