The document discusses the critical importance of mobile application security amidst increasing cyber threats, data breaches, and privacy concerns. It outlines common vulnerabilities such as poor authentication, insecure data storage, and insufficient cryptography, while referencing the OWASP Mobile Top 10 list as a guideline for identifying risks. The document further highlights the challenges developers face due to fragmented platforms and the necessity for robust security measures in mobile applications.

1. Mobile Application Security
Subho Halder
CoFounder & CTO
5
Tweet while I’m talking:
@appknox
@sunnyrockzzs
#MobileSecurity

2. Mobile Application Security 2
Introduction
 The Great Mobility Security Debate
!
"
#
x
$

ă
Ć
&
ą
r
5
8
1
ü
Ĉ
É
'
Ġ
Ä
c
h
l
[
j
Å
a
ä
n
‚
Z
:
è
s
o
@
û
ĥ
p
ö
y
Ç
9
é
e
W
e
B
ù
éë
0
01
Fragmented Applications
Multiple Applications for Multiple
Platform and Multiple Architectures
makes it difficult for App Developers
to keep-up with security concerns
03
Personal & Social Information
Mobile Devices holds your personal
and social information, and
applications has access to these
information
02
Fragmented Platforms
With multiple platforms and multiple
versions of Mobile Operating
System, the App Developers faces
challenges to keep up with breaking
changes & Security up-to-date
04
Businesses & Enterprise Data
With mobile getting adopted at
workplaces, sensitive information
are now accessible to applications

3.  While these devices offer us increased internet connectivity and day-to-day convenience,
they also carry considerable security risks
Why mobile security is Important ?

4. Mobile Application Security 4
Why Mobile Security Is Important ?
 More data could be more danger with mobile devices
ì
ì
ì
ì
ì
ì
Data Breaches
With more data accessible to applications, security becomes
more paramount.
Mobile Malwares
Gone are the days of computer malware, mobile malware are
now growing more sophisticated with access to more data
Businesses worry about smartphone risks
While the threat is universal, being protected doesn’t have to be
difficult. If anything, it is becoming increasingly important.
Cyberattacks on mobiles increasing
Cyberattacks on mobile devices, especially smartphones, have
become all too common. And over the last year alone, we’ve
seen cybercriminals deploy all sorts of effective strategies.
Privacy Leakages
Privacy has also been called into question, as so many of these
mobile apps collect huge quantities of data and store them.

5.  The goal of this is to raise awareness about application security by
identifying some of the most critical risks facing organizations.
Securing Your Apps

6. Mobile Application Security 6
Security
 Different Steps towards Mobile Application Security Testing
Average
Coverage
Code configuration issues.
Source code analysis. Insecure
setting analysis
%30

Static Analysis
Average
Coverage
Runtime memory analysis. File-
system layer analysis. Data
flow analysis.
%40

Dynamic Analysis
Average
Coverage
HTTP/HTTPS network analysis.
Data flow analysis. Socket
analysis.
%15

Network Analysis
Average
Coverage
Business logic analysis.
Criticality analysis. Brute force
attack analysis.
%15

Manual Assessment

7.  The goal of this is to raise awareness about application security by
identifying some of the most critical risks facing organizations.
2013 OWASP Mobile top 10

8. Mobile Application Security 8
Top 10 OWASP Mobile Security List
 The goal of this is to raise awareness about application security by identifying some of the most critical risks facing organizations.
Poor Authorization and Authentication
Poor or missing authentication schemes allow an adversary to anonymously execute functionality
within the mobile app or backend server used by the mobile app.
ç
Unintended Data Leakage
Unintended data leakage occurs when a developer inadvertently places sensitive information or
data in a location on the mobile device that is easily accessible by other apps on the device.
‚
Insufficient Transport Layer Protection
If the application is coded poorly, threat agents can use techniques to view this sensitive data.
Unfortunately, mobile applications frequently do not protect network traffic
0
Insecure Data Storage
Many developers assume that storing data on client-side will restrict other users from having
access to this data.
:
Weak Server Side Controls
Most security experts might argue that server-side security falls outside of the area of mobile
application security threats. Till last year, it was the second most important mobile security threat.
Z
05
04
03
02
80%
43%
01
64%
72%
19%
Source: https://blog.appknox.com/category/owasp-top-10-mobile/

9. Mobile Application Security 9
Top 10 OWASP Mobile Security List
 The goal of this is to raise awareness about application security by identifying some of the most critical risks facing organizations.
06
07
 08
09
 10

Client side injection results in the execution of
malicious code on the client side which is the
mobile device, via the mobile app.
Client Side Injection
As the name suggests, this issue is because session
tokens are not handled in the best way.
Improper Session Handling
Broken Cryptography or insecure usage of
cryptography is mostly common in mobile apps
that leverage encryption.
Broken Cryptography
Developers generally use hidden fields and values
or any hidden functionality to distinguish higher
level users from lower level users.
Security Decisions Via Untrusted Inputs
A lack of binary protections within a mobile app
exposes the application and it’s owner to a large
variety of technical and business risks if the
underlying application is insecure or exposes
sensitive intellectual property.
Lack of Binary Protections

10.  The goal of this is to raise awareness about application security by
identifying some of the most critical risks facing organizations.
2016 OWASP Mobile top 10

11. Mobile Application Security
2016 OWASP Mobile top 10
11
 Mobile Security Landscape
Improper Platform Usage

Insecure Data Storage

Insecure Communication

Insecure Authentication

Insufficient Cryptography

Insecure Authorization

Client Code Quality

Code Tampering

Reverse Engineering

Extraneous Functionality


12.  The goal of this is to raise awareness about application security by
identifying some of the most critical risks facing organizations.
Top 5 Issues from 2016 OWASP Top 10

13. Mobile Application Security
Improper Platform Usage
13
 Misuse of OS Platform Components
This category covers misuse of a platform
feature or failure to use platform security
controls. It might include Android intents,
platform permissions, misuse of TouchID, the
Keychain, or some other security control that is
part of the mobile operating system. There are
several ways that mobile apps can experience
this risk.
Source: Appmon Demo https://www.youtube.com/watch?v=ECnkgz3jnPM

14. Mobile Application Security
Insecure Data Storage
14
 Insecure way storing private data
This new category is a combination of M2 + M4
from Mobile Top Ten 2014. This covers insecure
data storage and unintended data leakage
Source: ITSELECT LAB on DVIA App https://www.youtube.com/watch?v=GAFxWnU1b4w

15. Mobile Application Security
Insecure Communication
15
 Communicating over insecure SSL or without HTTPS
This covers poor handshaking, incorrect SSL
versions, weak negotiation, cleartext
communication of sensitive assets, etc.

16. Mobile Application Security
Insufficient Cryptography
16
 Communicating over insecure SSL or without HTTPS
The code applies cryptography to a sensitive
information asset. However, the cryptography is
insufficient in some way. Note that anything
and everything related to TLS or SSL goes in M3.
Also, if the app fails to use cryptography at all
when it should, that probably belongs in M2.
This category is for issues where cryptography
was attempted, but it wasn't done correctly
Source: Fireeye Research https://www.fireeye.com/blog/threat-research/2015/01/cryptographic_vulner.html

17. Mobile Application Security
Extraneous Functionality
17
 Communicating over insecure SSL or without HTTPS
Often, developers include hidden backdoor
functionality or other internal development
security controls that are not intended to be
released into a production environment. For
example, a developer may accidentally include a
password as a comment in a hybrid app.
Another example includes disabling of 2-factor
authentication during testing
Source: OWASP Day https://www.slideshare.net/pprathan/owasp-day-owasp-day-lets-secure

18. Mobile Application Security 18
Android vs iOS
 With the dominance of iOS and the rising popularity of Android devices in the mobile marketplace,
the security of these devices is a growing concern and focus for smartphone users.
IMAGE
0
25
50
75
100
Vulnerable Apps Malwares Device Vulnerability
Fragmentation
0
25
50
75
100
Vulnerable Apps Malwares Device Vulnerabilities
Fragmentation
Despite iOS being traditionally regarded as the safest
platform, there are a number of reasons why that
assumption may be becoming outdated. Firstly,
occurrences of ransomware, malware, rotten apps on
the iTunes store, and social engineering have been
coming into the news far more often in recent times.
The iOS Device Google’s Android platform has become a larger target
for mobile malware writers than Apple iOS. This could
be a result of Android’s popularity—with more than
1 million activations per day, Android smartphones
command a 59% market share worldwide.
The Android Device

19. Mobile App Security Testing Techniques and Tools - Subho Halder 19
4 Myths About Mobile Security
 “Through 2020, 99% of vulnerabilities exploited will continue to be ones known by security and IT professionals for at least one year.” – Gartner
ĉ Ą
7 Ĉ
Public app stores are safe because they
have security filters
Data encryption is not required for mobile
devices
PCs are more secure than mobile phones
Two-factor authentication can be neglected
for mobile security

20. Mobile Application Security 20
Cyber Resilience - “Survival of the smartest”
 Ashutosh Jain | CISO - AXIS Bank
Can’t detect breaches
Can detect breaches but don’t remediate fast
Swift detection & remedial action there-of
Predict cyber threats and hence create future

21. Thank You
@sunnyrockzzs
@appknox