Security Threat Modeling – Mobile Threat Modeling As A Service (MT-MAAS)
Background:
“Necessity is the mother of invention” – English proverb
Timeline (from the slide's connectivity figure):
• 1844, 1876, 1920, 1939: early milestones; the surviving labels are “first digital computer” and “first IC-based computer”.
• 1965: invention of fiber optics.
• 1970 onwards: evolution of high-speed data transfer.
• 1990–2010, 1G/2G/2.5G (GSM/GPRS/EDGE, about 0.2 Mbit/s): the need for faster digital information exchange; the application stack was WAP, WML, J2ME and native-only apps.
• 3G (UMTS/WCDMA/HSDPA at 3.6/7.2/14.4 Mbit/s; HSPA/HSPA+ at 21–42 Mbit/s; HSPA+/LTE at 50–300 Mbit/s): fully functional web browsing (WAP 2.0), with increased demand for cloud services, analytics, mobility, IoT and M2M, social and media services, and security.
• 2011–2020 and beyond, 4G (LTE-Advanced, above 1 Gbit/s) and 5G: the necessity for speed, content, concurrency, a connected world and reach into an ocean of information.
We started with our basic needs; our needs turned into necessities; our necessities are now endless, and we are exposing more and more information, knowingly or unknowingly, to an unknown world called the CLOUD.
(Figure: 5G devices reaching the cloud behind the ISP)
The transformation:
Trend and communication eco-system:
Store              Number of apps
Android Market        1,300,000
Apple Store           1,200,000
Windows Store           300,000
Amazon Appstore         240,000
Blackberry              130,000
Total number of available apps for mobile devices as of July 2014.
(Figure: connected devices in the ecosystem, including other smart home appliances)
• Device lost: leakage of information through local storage.
• Device no longer working and sold for spares, but some data is still on it.
• We usually don't log out of our social media accounts on small devices, just to keep getting notifications.
• Our smart-sync apps keep running all the time, so cloud credentials are exposed.
• You keep all your synced mail accounts on the device but are too lazy to set a device PIN/password: potential ID theft.
Confidential information travels over the network and is sometimes stored locally.
Aha! So huge a pool to swim in.
Common Security Vulnerabilities
• Weak cryptography.
• Resource and data access role vulnerabilities.
• Authentication token hijacking.
• Phishing and cross-site scripting (XSS).
• DoS, DDoS and buffer overflows that crash the application.
• MAC spoofing, HTTP request spoofing, DNS spoofing.
• Malformed URL and CRLF (%0d%0a) injection.
• SQL injection.
• Session and SSO token hijacking.
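As an added example (not part of the original deck) of the CRLF (%0d%0a) injection item above: a Python server-side redirect helper that percent-decodes a user-supplied target and splices it into the response headers, next to a hardened version, with a tiny client-side header parser that shows what the injected bytes turn into. The function names, the header layout and the attack string are all constructed for this illustration.

```python
from urllib.parse import unquote, urlsplit


def build_redirect_vulnerable(target: str) -> bytes:
    """'Before' code: the redirect target comes from a request parameter,
    is percent-decoded (so %0d%0a becomes a real CR LF) and is pasted
    straight into the header block. Everything after the injected CR LF
    is read by the client as a separate header."""
    location = unquote(target)
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {location}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode("latin-1")


def build_redirect_hardened(target: str) -> bytes:
    """'After' code: decode first, then refuse CR, LF and NUL anywhere in
    the value, and only accept a same-site absolute path (no scheme, no
    host, no leading '//'), which also closes the open-redirect variant
    of the same parameter."""
    location = unquote(target)
    if any(ch in location for ch in "\r\n\0"):
        raise ValueError("header injection attempt rejected")
    parts = urlsplit(location)
    if (parts.scheme or parts.netloc
            or not location.startswith("/") or location.startswith("//")):
        raise ValueError("only same-site absolute paths are allowed")
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {location}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode("latin-1")


def parse_response_headers(raw: bytes) -> dict:
    """Minimal client-side view: split the header block the way a browser
    would and return {header-name: value}. Used to show what the injection
    actually produces on the receiving side."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:          # lines[0] is the status line
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return headers


# Constructed attack input: a benign-looking path followed by an encoded
# CR LF and a forged Set-Cookie header.
INJECTED_TARGET = "/home%0d%0aSet-Cookie:%20session=attacker"

if __name__ == "__main__":
    print(parse_response_headers(build_redirect_vulnerable(INJECTED_TARGET)))
    try:
        build_redirect_hardened(INJECTED_TARGET)
    except ValueError as exc:
        print("hardened:", exc)
```

Any code that builds headers from decoded user input has this shape; the thing to look for in review is an explicit reject of CR and LF after decoding, plus a same-site restriction on redirect targets, because the same parameter is usually also an open-redirect sink.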
Mobile Application Security Vulnerabilities
• ID theft and device data storage vulnerabilities.
• Threats from the use of unsigned 3rd-party APIs.
• Threats from hardcoded authentication parameters, or from using the SIM card/IMEI number as an authentication parameter.
• Hardcoded user ID and password for Wi-Fi or proxy access.
• Improper IO operations and OS-level threats.
• Threats from application reverse engineering.
• Hybrid application threats: most of them come from the JS and CSS layer, i.e. the UI/UX design.
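An added example, not the deck's own tooling, of the kind of static code analysis the two lists above call for: a small Python rule scanner for Java/Android source that flags hardcoded credentials and keys, use of the IMEI/SIM identifiers as authentication parameters, and weak cipher or digest choices. The rule names, the regexes and the SyncClient sample source are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed Android-style source, not taken from any real app; each
# suspicious line corresponds to one item of the vulnerability lists above.
SAMPLE_JAVA = """\
public class SyncClient {
    private static final String PROXY_PASSWORD = "Pr0xy!2014";
    private static final String AES_KEY = "0123456789abcdef0123456789abcdef";
    String deviceToken = telephonyManager.getDeviceId();
    Cipher legacy = Cipher.getInstance("AES/ECB/PKCS5Padding");
    MessageDigest md = MessageDigest.getInstance("MD5");
    Cipher modern = Cipher.getInstance("AES/GCM/NoPadding");
}
"""

WEAK_CIPHERS = {"DES", "DESEDE", "RC2", "RC4", "BLOWFISH"}
WEAK_DIGESTS = {"MD2", "MD5", "SHA1", "SHA-1"}

# (rule id, line-level pattern); rule ids are invented for this example
RULES = [
    ("HARDCODED_CREDENTIAL",
     re.compile(r'(?i)\b\w*(password|passwd|pwd)\w*\s*=\s*"[^"]+"')),
    ("HARDCODED_KEY",
     re.compile(r'(?i)\b\w*(secret|api_?key|aes_?key|private_?key)\w*\s*=\s*"[^"]+"')),
    ("DEVICE_ID_AS_AUTH",
     re.compile(r'\.(getDeviceId|getImei|getSimSerialNumber|getSubscriberId)\s*\('
                r'|Settings\.Secure\.ANDROID_ID')),
    ("WEAK_DIGEST",
     re.compile(r'MessageDigest\.getInstance\(\s*"('
                + "|".join(map(re.escape, WEAK_DIGESTS)) + r')"')),
]
CIPHER_CALL = re.compile(r'Cipher\.getInstance\(\s*"([^"]+)"')


@dataclass(frozen=True)
class Finding:
    line: int
    rule: str
    evidence: str


def weak_cipher_reason(transformation: str) -> Optional[str]:
    """Evaluate a JCE transformation string such as "AES/ECB/PKCS5Padding".
    A bare algorithm name is flagged too: the provider default mode is
    usually ECB, so "AES" alone is as weak as "AES/ECB"."""
    parts = transformation.upper().split("/")
    algorithm = parts[0]
    mode = parts[1] if len(parts) > 1 else None
    if algorithm in WEAK_CIPHERS:
        return f"weak algorithm {algorithm}"
    if mode is None:
        return "no mode given, provider default is usually ECB"
    if mode == "ECB":
        return "ECB mode leaks plaintext structure"
    return None


def scan_source(source: str) -> List[Finding]:
    """Run every rule over every line and return the findings in line order."""
    findings: List[Finding] = []
    for number, line in enumerate(source.splitlines(), start=1):
        for rule, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(number, rule, line.strip()))
        match = CIPHER_CALL.search(line)
        if match:
            reason = weak_cipher_reason(match.group(1))
            if reason:
                findings.append(Finding(number, "WEAK_CIPHER", f"{match.group(1)}: {reason}"))
    return findings


if __name__ == "__main__":
    for f in scan_source(SAMPLE_JAVA):
        print(f"line {f.line:3d}  {f.rule:22s} {f.evidence}")
```

The regex rules are deliberately loose so they catch the cases a reviewer most often misses (a key stored in a field whose name does not say "key", a device identifier sent as a bearer token); every hit still needs a human to confirm it, which is why each finding carries the offending line as evidence.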
Common threats and best practices:
Generic Security – Best practices
• Analyze the Data Flow Diagrams (DFDs) thoroughly to develop the threat model.
• Apply the STRIDE approach (Spoofing, Tampering, Repudiation, Information disclosure, Denial of Service and Elevation of privilege) thoroughly against the codebase.
• Run thorough Static Code Analysis (SCA) to find hardcoded passwords, cryptographic keys and buffer overflows.
• Use standard, globally recognized encryption algorithms to protect tokens from compromise, and encrypt session data as well so it cannot be hijacked or spoofed.
• Thorough and rigorous fuzz testing and penetration testing to find phishing and cross-frame scripting vulnerabilities before an attacker does.
Mobile App Security – Best practices
• Stringent code review of the encryption of locally stored data, using AES-256.
• Check for unsigned 3rd-party APIs in use; they may cause severe damage or hide stealthy, malicious behaviour.
• Review the code thoroughly to confirm that all IO operations are properly handled and closed once the result is obtained.
• Review the codebase for hashing wherever there is keypad input (PINs, passwords), so the raw input is never stored.
• Thoroughly review the application configuration files to check that the code is properly obfuscated against decompilation and reverse engineering.
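An added example (not from the deck) for the “hashing keypad inputs” and local-storage practices above, using only the Python standard library: a 4-digit PIN “hashed” with plain SHA-256 is recovered by brute force as soon as the digest leaks from local storage, while a salted, peppered PBKDF2 record cannot be searched offline without the pepper. The pepper is assumed to live in the device's hardware-backed keystore; here it is a constructed constant, and the AES-256 encryption of the stored data itself is not shown.

```python
import hashlib
import hmac
import os
from typing import Dict

PIN_DIGITS = 4                       # typical device/app unlock PIN
PIN_SPACE = 10 ** PIN_DIGITS


def store_pin_naive(pin: str) -> str:
    """Pattern a code review often finds: the keypad input is "hashed", but
    with a fast unsalted digest, which is no protection for a 10^4 space."""
    return hashlib.sha256(pin.encode()).hexdigest()


def crack_naive(digest: str) -> str:
    """Offline brute force of the naive scheme once the digest leaks from
    local storage: every possible PIN is tried in well under a second."""
    for candidate in range(PIN_SPACE):
        pin = f"{candidate:0{PIN_DIGITS}d}"
        if hashlib.sha256(pin.encode()).hexdigest() == digest:
            return pin
    raise LookupError("no PIN matched")


def store_pin(pin: str, pepper: bytes, iterations: int = 100_000) -> Dict[str, object]:
    """Hardened: random per-record salt, a slow KDF, and a pepper that is
    not stored next to the record (assumed to come from the hardware-backed
    keystore). The pepper is mixed into the KDF salt, so a leaked record
    alone no longer allows the offline 10^4 search above."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt + pepper, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify_pin(pin: str, record: Dict[str, object], pepper: bytes) -> bool:
    """Recompute with the stored parameters and compare in constant time so
    timing does not leak how many leading bytes matched."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", pin.encode(), record["salt"] + pepper, record["iterations"]
    )
    return hmac.compare_digest(digest, record["hash"])


# Constructed demo values, not real secrets.
DEMO_PIN = "4821"
DEMO_PEPPER = bytes.fromhex("a1b2c3d4e5f60718293a4b5c6d7e8f90")

if __name__ == "__main__":
    print("naive digest cracked to:", crack_naive(store_pin_naive(DEMO_PIN)))
    record = store_pin(DEMO_PIN, DEMO_PEPPER)
    print("hardened verify:", verify_pin(DEMO_PIN, record, DEMO_PEPPER))
```

The point for review is that “the PIN is hashed” is not enough on its own: a short keypad input has so little entropy that only a slow KDF plus a secret the attacker does not get from the same dump (the pepper) keeps a stolen record from being reversed.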
Hackers and intruders don't hack your privacy just to cause you harm; rather, they have a bigger intention: to hide themselves behind you to reach their ‘Final Destination’, maybe the Pentagon or NASA, keeping you unaware of all the evil they are causing from your accounts.
Security is your own consciousness; it can never be driven or built by imposing any rule.
Mobile Threat Modeling As A Service (MT-MAAS) – development lifecycle
Phases: Analysis & Design, Development, Release. Approximate effort: 15% of the overall development.
• Identify the design components that can speed up network operations, IO operations and DB operations.
• Ensure use of best-performance code.
• Find code-level bottlenecks.
• Find unnecessary object allocation and objects not nullified after use.
• Standard tool-based performance analysis tests at code level.
• Acceptance tests.
• Application profiling.
• Continuous performance monitoring.
• Change management process for performance-optimized builds.
Review gates: Architecture & Design Review; Code Review (results of the code review and the necessary modifications); Review of Test Results; Release & Change Management.
MT-MAAS Internals and Deliverables: Final Reporting
Activities:
• STRIDE (Spoofing, Tampering, Repudiation, Information disclosure, Denial of Service and Elevation of privilege) approach to analyze the DFDs and designs.
• Identify the code that communicates with external interfaces.
• Identify weak cryptography.
• Identify the code that handles IO operations.
• Identify buffer overruns.
• Identify SQL injection vulnerabilities.
• Identify chances of session hijacking.
• Identify cross-site scripting.
• Use approved tools.
• Deprecate potentially vulnerable and unsafe functions.
• Implement proper ACLs for the app's data access.
• Static analysis.
• Dynamic analysis.
• Fuzz tests and penetration testing.
• Attack surface review.
• Issue reporting, tracking and analysis.
• Final security review and rigorous penetration testing.
Deliverables:
• Design and coding best practices.
• Guidelines for architecture and review.
• Detailed analysis report.
• Detailed risk analysis report after the phase-I design and architecture review.
• Reports on potentially vulnerable code, identifying the blocks and methods that communicate with external interfaces.
• Code review checklist.
• Code review report, covering:
  1. Use of weak cryptography.
  2. Non-standard IO handling code.
  3. Use of plain-text crypto keys, hardcoded user credentials, etc.
  4. Blocks of code that may cause buffer overflow.
  5. Cross-site scripting.
  6. Possibility of SQL injection.
  7. Unsafe code that may allow CRLF injection.
  8. Risk of session hijacking.
• Static analysis report.
• Dynamic analysis report.
• Risk mitigation guidelines: recommendations identifying the security vulnerabilities found by the rigorous penetration tests and fuzz tests, and recommendations on:
  1. Deprecation of potentially vulnerable and unsafe functions.
  2. Implementation of ACLs for resource access permissions.
• Security threat model report.
• Attack surface review report.
• Application certification and release.
Thanks to all of You

Mobile application security and threat modeling